Dear interested party,

In accordance with the provisions of Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR), we hereby inform you about the processing of your personal data and your rights under data protection law. The specific data processed and how it is used depends largely on the services requested or agreed upon. To ensure that you are fully informed about the processing of your personal data in the context of the performance of a contract or the implementation of pre-contractual measures, please take note of the following information.

1. RESPONSIBLE BODY WITHIN THE MEANING OF DATA PROTECTION LAW AND CONTACT DETAILS
Aumund Foundation
Katja Jüngst
Grosser Markt 8
47495 Rheinberg

Telephone: +49 (0) 2843 1692-720
Further information and contact details can also be found on our website: https://aumund-foundation.de/

2. PURPOSES AND LEGAL BASIS OF PROCESSING
We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), insofar as this is necessary for the establishment, implementation and fulfilment of a contract and for the implementation of pre-contractual measures. Insofar as personal data is required for the initiation or execution of a contractual relationship or in the context of the implementation of pre-contractual measures, processing is lawful in accordance with Art. 6 (1) lit. b GDPR.

If you give us your express consent to process personal data for specific purposes (e.g. disclosure to third parties, evaluation for marketing purposes or advertising by e-mail), the lawfulness of this processing is based on your consent in accordance with Art. 6 (1) lit. A GDPR. Consent that has been given can be revoked at any time with effect for the future (see section 9 of this privacy policy).
Where necessary and legally permissible, we process your data beyond the actual contractual purposes in order to fulfil legal obligations in accordance with Art. 6 (1) (c) GDPR ( ). In addition, processing may take place to safeguard our legitimate interests or those of third parties, as well as to defend and assert legal claims in accordance with Art. 6 (1) (f) GDPR. Where applicable, we will inform you separately, stating the legitimate interest, insofar as this is required by law.

3. CATEGORIES OF PERSONAL DATA
We only process data that is related to the establishment of the contract or pre-contractual measures. This may include general data about you or persons in your company (name, address, contact details, etc.) as well as any other data that you provide to us in the course of establishing the contract. This includes, for example, information that you yourself have provided to us in the course of communication (e.g. by telephone or email) or via our website, or information that you yourself have provided to us in the course of product use or delivery, that was provided to us in the course of providing our services, by placing an order, subscribing to a newsletter or sending us an enquiry. This information is collected both when you do this for yourself and when you do this for your employer.
We also process data that you provide during your visit or that we may obtain elsewhere (such as your name in the visitor list, your image on our surveillance video or your vehicle registration number if you use one of our car parks).

4. SOURCES OF DATA
We process personal data that we receive from you when you contact us or enter into a contractual relationship with us, or in the context of pre-contractual measures, or that you provide via our other contact options.

5. RECIPIENTS OF THE DATA
Within our company, we only pass on your personal data to those departments and individuals who need this data to fulfil contractual and legal obligations or to implement our legitimate interests. We may transfer your personal data to affiliated companies, insofar as this is permissible within the scope of the purposes and legal bases set out in section 3 of this data protection information sheet.

Your personal data will be processed on our behalf on the basis of order processing agreements in accordance with Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR. In this case, the categories of recipients are providers of internet services and providers of customer management systems and software.
Otherwise, data will only be passed on to recipients outside the company if this is permitted or required by law, if the transfer is necessary for the execution and thus for the fulfilment of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent or if we are authorised to provide information. Under these conditions, recipients of personal data may include, for example:

• • External tax advisor
  • Public authorities and institutions (e.g. public prosecutor’s office, police, supervisory authorities, tax office) in the event of a legal or official obligation
  • Recipients to whom the transfer is directly necessary for the establishment or fulfilment of a contract.

6. TRANSFER TO A THIRD COUNTRY
Transfer to a third country is generally not intended.

Personal data will only be transferred to countries outside the EEA (European Economic Area) or to an international organisation if this is necessary for the processing and thus for the fulfilment of the contract or, at your request, for the implementation of pre-contractual measures, if the transfer is required by law or if you have given us your consent.

For recipients based outside the EEA, we have taken appropriate measures to ensure compliance with the requirements of the Data Protection Act, e.g. the conclusion of appropriate model contract clauses of the EU Commission, recognised codes of conduct or recognised certification mechanisms (Article 42 ff. GDPR). In addition, where necessary, we carry out careful assessments of the legal systems of the third countries concerned and take additional measures in accordance with the ECJ ruling on the transfer of personal data to third countries (“Schrems II”).

7. DURATION OF DATA STORAGE
Where necessary, we process and store your personal data for the duration of our business relationship or for the fulfilment of contractual purposes. This also includes the initiation and execution of a contract.

In addition, we are subject to various storage and documentation obligations, which arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods for storage and documentation prescribed therein are two to ten years.
Finally, the storage period is also based on the statutory limitation periods, which, for example, according to Sections 195 et seq. of the Civil Code (BGB), are generally three years, but in certain cases can also be up to thirty years.

8. YOUR RIGHTS
Every data subject has the right to information in accordance with Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to notification under Art. 19 GDPR and the right to data portability under Art. 20 GDPR.

In addition, you have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR if you believe that the processing of your personal data is not lawful. The right to lodge a complaint exists without prejudice to any other administrative or judicial remedy. You can lodge your complaint with the competent data protection supervisory authority. The competent data protection authority is:

State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia:
Postfach 20 04 44
40102 Düsseldorf
Telefon: +49 211 38424-0
E-Mail: poststelle(at)ldi.nrw.de

If data is processed on the basis of your consent, you are entitled under Article 7 of the GDPR to withdraw your consent to the use of your personal data at any time. Please note that the withdrawal only applies to the future. Processing that took place before the withdrawal is not affected. Please also note that we may be required to retain certain data for a specific period of time in order to comply with legal requirements (see section 7 of this privacy policy).

Right to object
Insofar as the processing of your personal data is carried out in accordance with Art. 6(1)(f) GDPR to safeguard legitimate interests, you have the right, in accordance with Art. 21 GDPR, to object to the processing of this data at any time for reasons arising from your particular situation. We will then no longer process this personal data unless we can demonstrate compelling legitimate grounds for the processing. These must outweigh your interests, rights and freedoms, or the processing must serve to assert, exercise or defend legal claims.

In individual cases, we process your personal data for direct marketing purposes. You have the right to object to processing for such advertising purposes at any time. This also applies to profiling insofar as it is related to this direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

To protect your rights, you can contact us using the contact details provided in section 1.

9. NECESSITY OF PROVIDING PERSONAL DATA
The provision of personal data for the decision to conclude a contract, the fulfilment of the contract or the implementation of pre-contractual measures is voluntary. However, we can only make a decision within the framework of contractual measures if you provide the personal data necessary for the conclusion of the contract, the fulfilment of the contract or pre-contractual measures.

10. AUTOMATED DECISION-MAKING
We do not use fully automated decision-making in accordance with Art. 22 GDPR for the establishment, fulfilment or implementation of the business relationship or for pre-contractual measures. Should we use these procedures in individual cases, we will inform you separately or obtain your consent, if required by law.