Information Obligations Pursuant to Art. 13 GDPR

The protection of your personal data is a matter of special concern to us. Consequently, we process your personal data (in short: “data”) solely and exclusively in conformity with legal provisions. We have issued this privacy statement for your information; it describes in detail the processing of your data in our company and the claims and rights to which you are entitled in accordance with data protection laws within the sense of Art. 13 of the European General Data Protection Regulation (EU GDPR).

1. Who is responsible for data processing (controller) and who can you contact as needed?

The controller is:

Confiserie Burg Lauenstein GmbH
Thomas Luger, Managing Director
Lauensteiner Strasse 41
96337 Ludwigsstadt
Phone: 0 92 63 / 9 45 – 0
Fax: 0 92 63 / 9 45 – 45

The company’s data protection officer is:

Gerald Lill
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
Phone: 0941 -2986930

2. What data are processed, and from what sources are these data obtained?
We process the data that we have obtained from you during initiation or performance of contracts, on the basis of your consent or in relation to your job application or employment with us.

Personal data include:

Your master data. For customers, such data include (for example) first name and surname, address, contact data (email address, phone number, fax), bank account information.
For job applicants and employees, these data include (for example) first name and surname, address, contact data (email address, phone number, fax), date of birth, information from your CV and letters of reference, bank account information, religious affiliation.
For business partners, these data include (for example) the designation of your legal representative, company name, Commercial Register number, VAT ID no., company number, address, contact data for the contact person at your company (email address, phone number, fax), bank account information.

Moreover, we also process other personal data as shown below:

- Information about the type and content of contract data, order data, revenue and voucher data, customer and supplier history and consultation documents
- Advertising and marketing data
- Information from your electronic correspondence with us (e.g. IP address, login data)
- Other data that we have received within the scope of our business relationship (e.g. during meetings with customers)
- Data that we have generated ourselves from master/contact data and other data such as data obtained from analyses of customer requirements and customer potential
- The documentation of your declaration of consent for the receipt of newsletters, for example

3. For what purposes and on what legal grounds do we process the data?
We process your data in compliance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) 2018 as most recently revised:

• For performance of (pre-)contractual obligations (point (b) of Art. 6 (1) GDPR):

Your data for the performance of contracts are processed either online or in one of our branches; your data for performance of your employment contract are processed in our company. Data are processed in particular during the initiation of business transactions and the performance of contracts with you.

• For compliance with legal obligations (point (c) of Art. 6 (1) GDPR):

The processing of your data is required for the purpose of complying with various legal obligations, e.g. from the Commercial Code or the Tax Code.

• In the pursuit of legitimate interests (point (f) of Art. 6 (1) GDPR):

Data processing beyond the scope of the performance of the contract itself may take place in the pursuit of our legitimate interests or of the legitimate interests of third parties if a weighing of the interests of the parties determines this is lawful. Data processing in the pursuit of legitimate interests takes place, for example, in the following cases (non-exhaustive list):

- Advertising or marketing (see no. 4)

- Measures for business management and advanced development of services and products

- Maintenance of a corporate-wide customer database for the improvement of customer service

- Within the scope of prosecution proceedings

• On the basis of your consent (point (a) of Art. 6 (1) GDPR):

If you have given us your consent to the processing of your data (e.g. for receipt of our newsletter)

4. Processing of personal data for marketing purposes
You may object to the use of your personal data for marketing purposes, whether in general or for specific instances, at any time without incurring any costs other than the transmission costs of the basic rate plans.

Subject to the statutory regulations of Section 7 (3) UWG [Act Against Unfair Competition], we are permitted to use the email address you gave us at the time of the conclusion of the contract for direct marketing of our own similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter.

If you do not wish to receive any recommendations of this type from us by email, you can object to this use of your address at any time without incurring any costs other than the transmission costs of the basic rate plans. Notification in text form is sufficient. Naturally, there is a link in every email that can quickly and easily be used to submit the objection.

5. Who receives my data?
Even if we use a service provider to perform contract processing for us (processor), we remain responsible for the protection of your data. All processors are obligated by contract to treat your data confidentially and to process them solely within the scope of the service performance. The processors we have contracted receive your data insofar as they require the data for the performance of their respective services. Such processors include (for example) IT service providers we require for the operation and security of our IT systems and advertising and address publishers for our own marketing activities.

Your data are processed in our customer database. The customer database supports the enhancement of the data quality of stored customer data (elimination of duplicates, labelling of customers who have moved/are deceased, address corrections) and enables their supplement with data from public sources.

These data are made available to group companies insofar as necessary for the performance of contracts. Customer data are stored separately and with a specific company relationship, whereby our parent company acts as the service provider for the individual participating companies.

Where there is a legal obligation, and within the scope of prosecution proceedings, public authorities, courts and external auditors may be recipients of your data.

Moreover, insurance companies, banks, credit agencies and service providers may become recipients of your data for the purposes of initiating and performing contracts.

6. How long will my data be stored?
We process your data until the termination of the business relationship or until expiration of the applicable legal retention periods (as required, for example, by the Commercial Code, Tax Code, Care Home Act or Act Regulating Working Hours); in addition, they may be stored until any legal disputes during which the data are required as evidence have been concluded.

7. Are personal data transferred to a third country?
We generally do not transfer any data to a third country. In individual cases, a transfer may be made on the basis of an adequacy decision of the European Commission, standard contract clauses, appropriate guarantees or your express consent.

8. What data protection rights do I have?
You have at any time a right to access, rectification, erasure or restriction of the processing of your stored data, a right to object to the processing and a right to data portability, and the right to lodge a complaint in accordance with the provisions of data protection law.

Right of access:

You may obtain information from us as to whether and in what scope we process your data.

Right to rectification:

If any of your data we process are incomplete or inaccurate, you may request their rectification or completion at any time.

Right to erasure:

You may request that we erase your data insofar as we process them unlawfully or the processing intervenes unduly in your legitimate interest for protection. Please note that there may be grounds preventing the immediate erasure, e.g. in the event of legally regulated retention obligations.

Regardless of the exercise of your right to erasure, we will erase your data completely and without undue delay insofar as this is not prevented by related retention obligations resulting from the legal transaction or dictated by law.

Right to restriction of processing:

You may request restriction of the processing of your data if and when:

- You dispute the accuracy of the data, in which case their processing will be restricted for the period of time we require to verify the accuracy of the data;

- The processing of the data is unlawful, but you oppose their erasure and request instead the restriction of the use of the data;

- We no longer require the data for the original purpose, but you need the data for the establishment or defence of legal claims; or

- You have objected to the processing of the data.

Right to data portability:

You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller without hindrance from us insofar as:

- We have processed the data on the basis of the revocable consent you have given to us or for the performance of a contract between us; and

- This processing is carried out by automated means.

If technically feasible, you have the right to request from us the direct transmission of your data to another controller.

Right to object:

If we process your data in pursuit of our legitimate interests, you may object to this data processing at any time; this right to object also applies to any profiling based on these provisions. We will no longer process these personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims. You may object to the processing of your data for direct marketing purposes at any time without giving your reasons.

Right to lodge a complaint:

If you believe that we have infringed on German or European data protection law during the processing of the data, we ask that you contact us for the clarification of your questions. Of course, you also have the right to contact the supervisory authority competent for you, the relevant State Office for Data Protection Supervision [Landesamt für Datenschutzaufsicht].

Insofar as you wish to exercise any of the aforementioned rights with respect to us, please contact our data protection officer. In case of doubt, we may request additional information confirming your identity.

9. Am I required to provide data?
The processing of your data is required for the conclusion of a contract or the performance of a contract you have entered with us. If you do not provide these data, we will, as a rule, have to refuse the conclusion of the contract or will no longer be able to perform an existing contract and will consequently be forced to terminate it. You are not, however, obligated to give your consent to the processing of data that are not relevant for the performance of the contract or that are not legally required.
