2. WHICH DATA IS COLLECTED BY DO-Professional Services AND HOW IS IT PROCESSED?
2.1 PERSONAL DATA
Personal data means any information that can be assigned to an identified natural person or to one who can be identified, directly or indirectly.
Personal data includes general personal data (e.g. name, address, date of birth, telephone number, e-mail address, etc.), bank details (account number, etc.), and data issued by authorities (e.g. driving license number, identity card number, passport number), evaluations (e.g. school reports and references from employers, etc.), online data (IP address, location data, etc.), customer data and supplier data and so forth.
2.2 COLLECTION, PROCESSING AND USE OF YOUR PERSONAL DATA
Data protection is very important to us. That is why, when processing your personal data, we adhere strictly to the statutory provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (new) (FDPA (new)), the German Telemedia Act (TMA) and the other data protection legislation in the European Economic Area (EEA) and in Switzerland.
DO-Professional Services GmbH is a personnel service provider operating throughout Germany. We are specialized in aerospace technology and work together with the major manufacturers. Furthermore, we are currently building up a competence centre for supply chain management / logistics, and we provide and place specialists in this field across all industries.
As part of the globally operating ALTEN Group, of which we are a majority shareholder, our employees work on practically all major international aviation projects in the fields of aircraft development, production and support, as well as in leading companies in the logistics sector. Data processing by DO-Professional Services is carried out for the purpose of performing consulting, personnel leasing and personnel placement activities for or on behalf of the customers of DO-Professional Services and its affiliated companies and all associated ancillary business.
Your personal data will only be used for the purposes of advertising / market research and for the configuration of our services if you have explicitly granted us your consent thereto.
2.2.1 DESCRIPTION OF THE CATEGORIES OF PERSONS CONCERNED
In general, the only data collected is that needed for the fulfilment of the corporate purpose and contractual agreements. In essence, personal data is collected, processed and used in relation to the following categories of persons:
* Customer data: Personal identification data and communication data are processed in order to fulfil the company purpose, and also in order to initiate business contacts and provide information to customers.
* Supplier data: Personal identification data and communication data, as well as payment data and bank details, are processed in order to fulfil the company purpose.
* Employee data: Personal identification data, performance data (e.g. references), contract master data, insurance data, data on absences (due to illness), payment and bank details, tax and social insurance data, login data, communication data, data on travel bookings and expenses and the booking of vehicles are processed to implement and process the respective employment relationship.
* Applicant data: Personal identification data, performance data (information on knowledge and skills, certificates) of applicants are processed in order to initiate employment relationships.
* Website visitors: Usage data (pseudonymised profiles pursuant to section 15 TMA) is processed for statistical purposes and to improve the information provided on our website.
* Interested parties: Personal identification data, communication data and, where appropriate, commercial and financial information of parties interested in DO-Professional Services is only processed in order to fulfil the business purpose.
* Other personal data: Personal data of other business partners (e.g. system partners, chambers, associations, banks and authorities) is also processed in order to fulfil the business purpose.
2.2.2 RECIPIENTS OR CATEGORIES OF RECIPIENTS OF DATA
In general, the only data shared internally and externally is that needed for the fulfilment of the corporate purpose and the contractual agreements. These are mainly the following recipients:
* Service providers commissioned to assist in the correct performance of business (e.g. suppliers to support administrative processes, including travel service providers for the execution of employees’ business trips, landlords for employee accommodation, the “Verwaltungs-Berufsgenossenschaft” (Administrative Professional Association) and company doctor as part of occupational health care and health & safety, insurers in relation to claims arising from the employment relationship). The legal basis is either Art. 28 GDPR in the case of order processing or, where appropriate, § 26 FDPA (in conjunction with Art. 88 GDPR) for the purposes of initiating or executing a business relationship with you.
* External bodies for the fulfilment of the purposes mentioned under 2 (e.g. customers or affiliated companies of DO-Professional Services within the meaning of sections 15 et seqq. of the German Stock Corporation Act at which the employee is, or the employee or applicant is to be, deployed as part of their employment, customers and suppliers for the implementation of projects, banks for the payment of salaries, tax consultants and auditors). The legal basis is generally § 26 FDPA (in conjunction with Art. 88 GDPR) for the initiation or implementation of an employment relationship with the employees or Art. 6(1) letter f GDPR in relation to the Group’s general obligations such as tax returns, audits of annual accounts, etc.
* Public authorities in the event of overriding statutory provisions (e.g. social security institutions, financial authorities). The legal basis for this is Art. 6(1) letter c GDPR in conjunction with the respective legislation, in particular employment legislation and social welfare law.
No personal data is transmitted to third countries. Should this be necessary for project reasons, we will adhere strictly to the statutory requirements for appropriate guarantees as a precondition for the transmission of data to third countries pursuant to Art. 46 GDPR. The measures adopted by us are (in this sequence): (i) data is transmitted to a third country recognised by the EU Commission in accordance with Art. 45 GDPR, (ii) in the case of the USA, data is transmitted to a company certified under the EU-US Privacy Shield (www.privacyshield.gov), or (iii) otherwise data is transmitted to companies in accordance with the standard data protection clauses recognised by the EU Commission pursuant to Art. 46(2) letter c GDPR.
2.3 COLLECTION OF DATA WHEN YOU VISIT OUR WEBSITE
When you access our website, information of a general nature is automatically collected. This information (server log files) includes the browser type, the operating system used, the domain names of your internet service provider, and similar. This is exclusively information that permits no conclusions to be drawn regarding you as an individual. This information is needed for technical reasons in order to correctly deliver website content requested by you and is an integral component of internet usage. Anonymous information of this type is analysed statistically in order to optimise our website and the technology behind it. The legal basis is our legitimate interest in providing the services of our website pursuant to Art. 6(1) letter f GDPR.
2.4 CONTACT FORM
Should you contact us by e-mail or using a contact form, the information you provide is stored for the purposes of processing your enquiry and responding to possible follow-on questions. The legal basis is our legitimate interest in providing the services of our website pursuant to Art. 6(1) letter f GDPR, and in responding to an enquiry made by you within the meaning of Art. 6(1) letter b GDPR.
2.5 DATA PROTECTION INFORMATION FOR APPLICANTS
Should you apply to DO-Professional Services in the hope of entering an employment relationship with DO-Professional Services, DO-Professional Services processes your personal data, provided by you to us as part of your application, in order to initiate and, where appropriate, execute the contract. The legal basis for this in each case is § 26 FDPA (in conjunction with Art. 88 GDPR) for the purposes of initiating or executing an employment relationship.
Of necessity, this is the data provided by you, such as the title, name, address, e-mail address and telephone number as well as information regarding your training and further education, professional experience, knowledge in the sense of additional qualifications, preferences in relation to employment by DO-Professional Services including your occupational field, preferred work location and working hours, etc.
The following categories of data are collected:
- Personal identification data and contract master data (e.g. name, postal address, e-mail address, telephone number)
- (Work) preferences (e.g. occupational field, form of employment)
- Training, professional experience, knowledge
- Application documents (e.g. certificates, references, CV, photo)
- Usage and inventory data (e.g. IP address, name of the file retrieved, date and time of retrieval, data volume transferred, notification of successful retrieval, browser, original domain).
Furthermore, we use your e-mail address to contact you when we conduct internal surveys with a view to improving quality at DO-Professional Services. Participation in the surveys is voluntary and the results are only used once they have been rendered anonymous.
2.5.1 ONLINE APPLICATION FORM
Should you apply using our online form, you will be asked for personal information. The data you provide will be used exclusively within the application process and stored in our personalised database and used for that purpose. Other declarations made by you that are not necessarily required, but made voluntarily, are only processed by us if you provide us with them explicitly and voluntarily.
2.5.2 APPLICATION OR CONTACT AT TRADE FAIRS
Should you contact us in person at trade fairs with your application and provide us with personal data in your application documents for that purpose, we will use the data provided by you exclusively within the application process and only then store it in our personalised database.
2.5.3 APPLICATION BY OTHER MEANS (E.G. BY E-MAIL):
Should you contact us in another way (e.g. by e-mail) with your application and provide us with personal data in your application documents for that purpose, we will use the data provided by you exclusively within the application process.
2.6 INFORMATION ON DATA PROTECTION FOR CUSTOMERS AND SUPPLIERS
We process personal data as part of our business relationship with customers and suppliers, or prospective customers and suppliers. If you have a business relationship with DO-Professional Services or are involved in negotiations regarding a possible business relationship with DO-Professional Services, DO-Professional Services processes your personal data, which you have provided us with, for the purposes of initiating and, where appropriate, executing contracts.
Data is also processed for the purposes of invoicing, accounting, project management and the maintenance of the ongoing business relationship. In each case, the legal basis is Art. 6(1) letter b GDPR.
The following categories of data are collected:
- Personal identification data and contract master data (e.g. name, postal address, e-mail address, phone number) of business partners and their contact persons
- Order and invoice data
- Payment data and bank details
- Data for and about advertising and direct marketing
Data is also processed for the purposes of invoicing, accounting, project management and the maintenance of the ongoing business relationship, including for advertising and direct marketing. The legal basis for this is, in each case, Art. 6(1) letter b GDPR in relation to the conclusion, execution and handling of contracts as well as Art. 6(1) letter f GDPR in relation to our legitimate interests, for example in bookkeeping and direct marketing.
On our website we use social media plugins of the social networks Facebook, Xing, LinkedIn and kununu. The social media plugins can be identified from the logo of the respective social media network.
Facebook Inc. (1601 S. California Ave – Palo Alto – CA 94304 – USA)
XING AG (Gänsemarkt 43 – 20354 Hamburg – Germany)
LinkedIn Corp. (2029 Stierlin Court – Mountain View – CA 94043 – USA)
Kununu GmbH (Neutorgasse 4-8, Top 3.02 – 1010 Vienna – Austria)
The social media plugins on our website are deactivated unless you activate them. To be able to use the social media plugins you must activate them by clicking the corresponding button. No data will be transferred to the social network if the social media plugin is not activated. After it has been activated, the social media plugin establishes a connection with the social media network’s servers and remains active until you deactivate it again or delete your corresponding cookies. Activation establishes a direct connection with the servers of the respective social media network. The content of the social media plugin is transmitted by the social media network directly to your browser, which integrates it into the website visited. We therefore have no influence on the scope of the data collected by the social media plugin.
More information about the purpose and scope of data collection as well as the further processing and use of the data by the respective social media network, your rights in respect of this and the possibilities to alter settings in order to protect your privacy can be found in the data protection policies of the social media networks.
Reporting a data protection incident
The new General Data Protection Regulation (GDPR; German: DSGVO) provides that data protection violations must be reported in certain cases. A violation of the protection of personal data must be notified to the competent data protection authority within 72 hours if the violation poses a risk to the rights and freedoms of data subjects. Data subjects must be notified immediately if a high risk to their rights and freedoms is to be expected.
Any suspected incident must be reported to the data protection key person, Stephanie Scherer, as soon as possible. This person will examine the report and initiate further steps.
1.1 Definition of an incident
An incident is an occurrence in which the basic values of information security or data protection, namely
- Confidentiality (protection of information against unauthorised disclosure)
- Availability (protection against loss and failure)
- Integrity (protection against manipulation or falsification)
are violated in an inadmissible manner with regard to data or IT systems.
1.2 Detection of an incident
Incidents relating to data protection and applicable legal regulations (e.g. DS-GVO, BDSG, UWG, TMG, TKG) may include, among others:
- Improper handling of confidential information
- Unlawful storage and analysis of personal data
- Loss of personal data
- Unauthorised use, processing, modification or deletion of personal data
- Listening in on conversations
Incidents relating to internal policies and procedures may include:
- Passing on passwords, working with other people's user IDs
- Manipulation or loss of IT equipment
- Violation of access and access rights
- Inadequate protection of rooms or information in need of protection
- Connecting private devices to company hardware
Incidents relating to the security of data, networks and IT systems may include:
- Occurrence of malicious programs
- Unauthorized copying of data sets
- Incorrectly set up access to information
Incidents relating to the availability of systems and information may include:
- Failure of the uninterruptible power supply (UPS)
- Failure of system components
- Bypassing firewalls or filter systems
- Deactivation of virus scanners
Incidents related to changes in daily routines may include:
- Unexplained system behavior of IT equipment and software
- Suspicious entries in log files
1.3 Reporting an incident
Incidents must be reported to the DO-Pro DS key person as soon as possible.
When reporting via e-mail, it is imperative that the sender starts the subject of the e-mail with "INVENT" and that the e-mail is sent with high priority to ensure that the incident is processed as quickly as possible!
The DO-Pro DS key person then forwards the incident to the data protection officer for evaluation and further processing.
In the event of a data protection incident, the Data Protection Officer, in conjunction with the Legal Department, directs and coordinates appropriate measures to deal with it. The measures are implemented with the assistance of the departments concerned.
Insofar as an incident has an impact on third parties and is subject to reporting, communication to the public always takes place only after the management has been informed and the communication has been coordinated with it.
The relevant staff unit is responsible for informing the authorities.