Information on data processing to contractors, job applicants and visitors (the “Memorandum”)
Introduction
Dear contractors [1], applicants and visitors,
This Memorandum is to inform you as data subjects on the principles and procedures applicable to the processing of your personal data and on your rights related to the processing of this data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter the “GDPR”) and in accordance with the Act “Gesetz zum Schutz vor Mißbrauch personenbezogener Daten bei der Datenverarbeitung” (hereinafter the “BDSG”).
Our company respects transparent and fair processing of your personal data and its appropriate protection according to the applicable legislation to ensure correct and fair processing. We protect your personal data with the highest security to prevent any unauthorized or accidental access to, destruction, loss, unauthorized transmissions, or unauthorized processing of your personal data. For this purpose, we comply with the relevant technical and organisational measures to ensure an appropriate level of security with respect to all possible risks. Persons who handle personal data are obliged to maintain confidentiality of the information obtained in connection with the processing of this data.
As personal data protection terms and abbreviations are used in this Memorandum, we have included an explanation of these terms and abbreviations in section ‘List of selected terms and abbreviations’ in order to make the content of this Memorandum as clear and comprehensible as possible.
Controller
The Controller of your personal data is the company EP Mehrum GmbH, company tax no. 143/134/01600, having its registered office at Grünwald, postcode 82031, entered in the Commercial Register of Amtsgericht München under file No. HRB 261426, with which you are negotiating a contract, have concluded a contract, or are involved in the recruitment of new employees (the “Controller”), which is responsible for discharging the obligations under the applicable data protection laws.
List of selected terms and abbreviations
| TERM/ABBREVIATION | DEFINITION |
| --- | --- |
| Personal data | Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Special categories of personal data | Personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or data concerning a natural person’s sex life or sexual orientation. |
| Data subject | The natural person to whom the personal data relates. A data subject is deemed to be identified or identifiable if, based on one or several items of personal data, the data subject’s identity can be directly or indirectly determined. |
| Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Purpose of processing | The objective and purpose of the Controller’s activity. |
| Means of processing | The tools and processes selected for the specific processing of personal data. |
| Legal ground | The condition without which the processing of personal data is not possible in any case. |
| Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. |
| Recipient | A natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether a third party or not. The Recipient has the legal, contractual or other authority to process personal data. These are other controllers or processors, such as tax, administrative or regulatory authorities. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Member State law shall not be regarded as recipients; the processing of that personal data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. |
| Third party | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. |
Processed personal data
The Controller and the processor that processes personal data on behalf of the Controller, process, with regard to the relevant legal ground and purpose of processing, in particular the following categories of personal data:
- identification, authentication and address data: name, surname, academic degree(s), date of birth, ID card data, permanent address or temporary address, address for service or other contact address, place and state of birth, place of business, company reg. No., in rare cases the birth number, handwritten signature and digital signature
- contact details: telephone number, email address
- electronic details: IP address, authentication certificates, digital signature certificates
- other personal data related to the contractual relationship: bank account number, transaction value, customer account number; further educational attainment information, details of studies, work experience, specification of the item purchased, easement, tender specifications, etc.
- other personal data such as personal data relating to access to the Controller’s premises (entry card number including designation, handover/takeover date), to the subject of performance (such as the specification of the item purchased and services provided), to a request of the data subject (such as the specification of rights exercised under GDPR)
- where applicable, specific personal data (such as data relating to the epidemiological situation in society)
Source of the personal data being processed
The Controller obtains your personal data primarily from you when negotiating a contract and in connection with its performance, or from third parties that mediate such negotiations. The Controller also obtains your personal data from publicly available sources or from public authorities.
Purpose, duration and legal basis for the processing of personal data
The Controller processes your personal data in particular for the purposes listed below, based on the respective legal ground.
The period for which the Controller is entitled to process your personal data depends on the purpose of processing. Insofar as we are legally obliged to store your data, we will also store it for the period prescribed by law. Legal requirements for storage may arise in particular from the retention periods of the German Commercial Code (HGB) or the German Fiscal Code (AO). The retention period according to these regulations is usually between 6 and 10 years from the end of the year in which the corresponding process was completed, e.g. we have finally processed your enquiry or the contract has ended.
Article 6 GDPR distinguishes six types of legal grounds for the processing of personal data; the four legal grounds that are most relevant to the Controller are shown below. The Controller processes your personal data as follows:
- processing is necessary for the performance of a contract
- processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., processing of personal data for compliance with legal obligations arising from tax and accounting legislation)
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
- on the basis of your consent, only if no other legal ground for data processing (such as keeping your CV) can be applied.
| Purpose of processing | Legal basis |
| --- | --- |
| Recruitment and selection of employees | Legitimate interest; contract performance (necessary to implement measures taken before the conclusion of an employment (or similar) contract) |
| Keeping records of job applicants’ CVs | Consent |
| Keeping records and control of access to buildings and premises | Legitimate interest |
| Tenders for providers of services and work | Legitimate interest |
| Conclusion and registration of contracts and agreements, orders, including related powers of attorney, authorizations and performance of the obligations arising therefrom; contractor records | Contract performance; compliance with a legal obligation |
| Economic management and asset management | Compliance with a legal obligation; legitimate interest; contract performance |
| Invoicing documents | Compliance with a legal obligation; legitimate interest |
| Processing of personal data for archiving purposes | Compliance with a legal obligation; legitimate interest |
| Processing of personal data for the enforcement of the Controller’s claims | Legitimate interest |
| Processing of personal data in relation to data protection control activities and data subjects’ requests | Compliance with a legal obligation |
| Investigating concerns under the Anti-Corruption and Anti-Bribery Policy and the Policy on Reporting of Serious Concerns | Legitimate interest |
| Processing of personal data during epidemics and in connection with related emergency measures | Compliance with a legal obligation; processing necessary to protect vital interests; processing necessary in the public interest |
| Keeping records of data processors | Legitimate interest |
| Investigation and registration of incidents | Compliance with a legal obligation; contract performance; legitimate interest |
| Counterparty check | Compliance with a legal obligation |
It is not possible to conclude a contract without providing the personal data necessary for the performance of the contract and the fulfilment of legal obligations. You have the right to object to the processing of personal data for the purposes of legitimate interests. You have the right to withdraw your consent at any time. Please be informed that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Manner and means of processing
The Controller and the processor processing personal data on behalf of the Controller process your personal data by manual means (such as by placing a contract in paper form in the relevant file) and by automated means (by means of ICT, such as a personal computer using Microsoft Office 365 applications, as well as the Controller’s or processor’s systems).
In processing your personal data by automated means, the Controller does not apply automated decision-making, including profiling, that might affect your rights.
Processor
The Controller processes your personal data through its employees who need access to the personal data in order to perform their duties and who are obliged to maintain confidentiality of all facts and information of which they become aware in the course of their employment.
In addition, the processor’s employees have access to your personal data, only to the extent necessary to carry out their work for the Controller. We enter into a written Data Processing Agreement with all our processors, establishing appropriate safeguards for the security of your personal data.
| Categories of processors | Activities |
| --- | --- |
| Recruitment agencies | Ensuring the recruitment and selection of suitable job applicants |
| Providers of IT services and software providers | Provision of IT services and software including service support, system administration, development and maintenance as well as analysing security risks |
| Providers of legal services and counselling | Provision of legal services and counselling |
| Economic and tax advisors, auditors | Provision of services and counselling |
Recipients of personal data
The Controller may, in certain circumstances, transfer your personal data to recipients (other controllers or processors) and third parties.
Recipients to whom personal data is routinely transferred, in particular:
- Tax Office
- Bailiff offices
- Courts
- Police
However, where public authorities require personal data in the framework of a particular inquiry, they are not considered to be recipients but third parties.
Transfer of personal data to third countries
The Controller and the processors acting on the Controller’s behalf process your personal data primarily in the European Union (EU), where unified data protection is guaranteed in each member state. Quite exceptionally, your personal data may be processed outside the EU, for example, in a computer system whose servers are located outside the EU. In that case, we would select a contractual partner that will meet the conditions for secure data transfer in accordance with the applicable legislation. We will inform you in an appropriate manner about the specific measures and procedures, about to whom and to which countries your personal data is disclosed/transferred, under which conditions, how your data is protected, and about the risks involved.
Rights of data subjects
- If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. In connection with the withdrawal of consent, the Controller informs you that the withdrawal of consent does not affect the lawfulness of the processing of personal data until its withdrawal, nor the processing of data for other legal reasons for which your consent is not required.
- You have the right to request access to your personal data and more detailed information about its processing pursuant to Article 15 GDPR and Section 34 BDSG.
- You have the right to have your inaccurate or incomplete personal data rectified.
- You have the right to receive your personal data in a commonly used and machine-readable format, allowing it to be transferred to another controller if we have obtained it on the basis of your consent or in connection with the conclusion and performance of a contract and it is processed by automated means.
- You have the right to object to the processing of some or all of your personal data.
- You have the right to ask us to delete your personal data if there is no other legal ground for the processing, pursuant to Article 17 GDPR and Section 35 BDSG.
- You have the right to lodge a complaint with the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen.
- You have the right not to be subject to automated individual decision making, including profiling.
Finally, we would like to point out that if you make use of your rights pursuant to Articles 15 to 22 of the GDPR, we will process the personal data provided by you in this context for the purpose of implementing these rights and to be able to provide proof thereof. This processing is based on the legal basis of Art. 6 para. 1 lit. c) GDPR in conjunction with Art. 15 to 22 GDPR and Section 34 para. 2 BDSG.
Updates to the Memorandum
As the rules and conditions for the processing and protection of your personal data may change, in particular as a result of changes in legislation, or our terms, procedures and methods of processing and protecting your personal data may change, we will inform you of such changes by updating this Memorandum, unless such change requires contacting you directly.
Exercise of the rights of data subjects
If you exercise your right pursuant to section ‘Rights of data subjects’ by presenting a request, the Controller is always obliged to handle such request of the data subject and is obliged to provide the information without undue delay after receipt of the request, in any case within one month from receipt of the request. In exceptional circumstances, this period may be extended by two months, of which the data subject must be informed by the Controller, including the reasons for such extension.
You can send your request:
- to the Controller’s registered office
- by email to info@epmehrum.de
- alternatively, by telephone: +49 89 25 00 63 41 0
In order to facilitate the exercise of your rights, we have prepared a sample Data Subject Request Form.
If you have reasonable suspicion that there is an infringement of data protection legislation, you have the right to lodge a complaint with the Office for Personal Data Protection: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr 2-4, 40213 Düsseldorf, Telephone: 0211/38424-0, Fax: 0211/38424-10, E-Mail: poststelle@ldi.nrw.de.
[1] Natural persons, representatives of legal entities
Information on Data Processing to Employees and Board Members (the “Memorandum”)
Introduction
Dear employees,
Dear board members,
This Memorandum is to inform you as data subjects on the principles and procedures applicable to the processing of your personal data and on your rights related to the processing of this data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter the “GDPR”) and in accordance with the Act “Gesetz zum Schutz vor Mißbrauch personenbezogener Daten bei der Datenverarbeitung” (hereinafter the “BDSG”).
Our company respects transparent and fair processing of your personal data and its appropriate protection according to the applicable legislation to ensure correct and fair processing. We protect your personal data with the highest security to prevent any unauthorized or accidental access to, destruction, loss, unauthorized transmissions, or unauthorized processing of your personal data. For this purpose, we comply with the relevant technical and organisational measures to ensure an appropriate level of security with respect to all possible risks. Persons who handle personal data are obliged to maintain confidentiality of the information obtained in connection with the processing of this data.
As personal data protection terms and abbreviations are used in this Memorandum, we have included an explanation of these terms and abbreviations in section ‘List of selected terms and abbreviations’ in order to make the content of this Memorandum as clear and comprehensible as possible.
Controller
The Controller of your personal data is the company EP Mehrum GmbH, company tax no. 143/134/01600, having its registered office at Grünwald, postcode 82031, entered in the Commercial Register of Amtsgericht München under file No. HRB 261426, with which you have concluded your employment contract (or a similar contract) or your executive service agreement (hereinafter the “Controller”), which is responsible for discharging the obligations under the applicable data protection laws.
List of selected terms and abbreviations
| TERM/ABBREVIATION | DEFINITION |
| --- | --- |
| Personal data | Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Special categories of personal data | Personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or data concerning a natural person’s sex life or sexual orientation. |
| Data subject | The natural person to whom the personal data relates. A data subject is deemed to be identified or identifiable if, based on one or several items of personal data, the data subject’s identity can be directly or indirectly determined. |
| Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Purpose of processing | The objective and purpose of the Controller’s activity. |
| Means of processing | The tools and processes selected for the specific processing of personal data. |
| Legal ground | The condition without which the processing of personal data is not possible in any case. |
| Processor | A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. |
| Recipient | A natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether a third party or not. The Recipient has the legal, contractual or other authority to process personal data. These are other controllers or processors, such as tax, administrative or regulatory authorities. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Member State law shall not be regarded as recipients; the processing of that personal data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. |
| Third party | A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. |
Processed personal data
The Controller and the processor that processes personal data on behalf of the Controller, process, with regard to the relevant legal ground and purpose of processing, in particular the following categories of personal data:
- identification, authentication and address data: name, surname, academic degree(s), date of birth, ID card data, permanent address, temporary address, address for service or other contact address, nationality, place and state of birth, birth number, handwritten signature and digital signature
- contact details: telephone number, email address, data box ID
- electronic details: IP address, authentication certificates, digital signature certificates
- personal data related to the employment (or any similar) contract: bank account number, payroll details, education, criminal matters, identification data of children and family members, knowledge of foreign languages, personal number
- in specific cases special categories of personal data
Source of the personal data being processed
The Controller obtains your personal data primarily from you when negotiating an employment contract or service contract and in connection with their performance, or from third parties that mediate such negotiations. The Controller also obtains your personal data from publicly available sources (such as the Commercial and Trade Registers) or from public authorities.
Purpose and duration of the processing of personal data
The Controller processes your personal data in particular for the purposes listed below, based on the respective legal ground.
The period for which the Controller is entitled to process your personal data depends on the purpose of processing. Insofar as we are legally obliged to store your data, we will also store it for the period prescribed by law.
Non-exhaustive list of processing purposes:
- processing of personal data of employees in connection with personnel matters
- processing of personal data of employees in connection with payroll matters
- processing of personal data in connection with arranging occupational medical examinations
- processing of personal data of board members for the purpose of registration in public registers
- processing of personal data in the context of archiving documents
- processing of personal data in the context of enforcing the Controller’s claims
Legal ground for the processing of personal data
Article 6 GDPR distinguishes six types of legal grounds for the processing of personal data; the four legal grounds that are most relevant to the Controller are shown below. The Controller processes your personal data as follows:
- processing is necessary for the performance of a contract
- processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., when preparing data for the calculation of statutory health and social insurance contributions)
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
- on the basis of your consent, only if no other legal ground for data processing (such as consent to use a photograph) can be applied
It is not possible to conclude a contract without providing the personal data necessary for the performance of the contract and the fulfilment of legal obligations. You have the right to object to the processing of personal data for the purposes of legitimate interests. You have the right to withdraw your consent at any time. Please be informed that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Manner and means of processing
The Controller and the processor processing personal data on behalf of the Controller process your personal data by manual means (such as by placing the employment contract in paper form in the employee’s personnel file) and by automated means (by means of ICT, such as a personal computer using Microsoft Office 365 applications, as well as the Controller’s or processor’s systems).
In processing your personal data by automated means, the Controller does not apply automated decision-making, including profiling, that might affect your rights.
Processor
The Controller processes your personal data through its employees who need access to the personal data in order to perform their duties and who are obliged to maintain confidentiality of all facts and information of which they become aware in the course of their employment.
In addition, the processor’s employees have access to your personal data, only to the extent necessary to carry out their work for the Controller. We enter into a written Data Processing Agreement with all our processors, establishing appropriate safeguards for the security of your personal data. These include, for example, companies providing payroll processing for the Controller or providers of IT services and software providers providing programming or other technical support services.
Recipients of personal data
The Controller may, in certain circumstances, transfer your personal data to recipients (other controllers or processors) and third parties.
These recipients include, for example, public authorities to whom personal data of employees are routinely transferred for the purpose of keeping tax records or calculating social security or health insurance contributions:
- Social Security Administration
- health insurance companies
- tax authorities and bailiff offices in connection with the employer’s normal reporting and tax obligations
However, where public authorities require personal data in the framework of a particular inquiry, they are not considered to be recipients but third parties.
Transfer of personal data to third countries
The Controller and the processors acting on the Controller’s behalf process your personal data primarily in the European Union (EU), where unified data protection is guaranteed in each member state. Quite exceptionally, your personal data may be processed outside the EU, for example, in a computer system whose servers are located outside the EU. In that case, we would select a contractual partner that will meet the conditions for secure data transfer in accordance with the applicable legislation. We will inform you in an appropriate manner about the specific measures and procedures, about to whom and to which countries your personal data is disclosed/transferred, under which conditions, how your data is protected, and about the risks involved.
Rights of data subjects
- If the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. In connection with the withdrawal of consent, the Controller informs you that the withdrawal of consent does not affect the lawfulness of the processing of personal data until its withdrawal, nor the processing of data for other legal reasons for which your consent is not required.
- You have the right to request access to your personal data and more detailed information about its processing pursuant to Article 15 GDPR and Section 34 BDSG.
- You have the right to have your inaccurate or incomplete personal data rectified.
- You have the right to receive your personal data in a commonly used and machine-readable format, allowing it to be transferred to another controller if we have obtained it on the basis of your consent or in connection with the conclusion and performance of a contract and it is processed by automated means.
- You have the right to object to the processing of some or all of your personal data.
- You have the right to ask us to delete your personal data if there is no other legal ground for the processing, pursuant to Article 17 GDPR and Section 35 BDSG.
- You have the right to lodge a complaint with the Office for Personal Data Protection (OPDP).
- You have the right not to be subject to automated individual decision making, including profiling.
Finally, we would like to point out that if you make use of your rights pursuant to Articles 15 to 22 of the GDPR, we will process the personal data provided by you in this context for the purpose of implementing these rights and to be able to provide proof thereof. This processing is based on the legal basis of Art. 6 para. 1 lit. c) GDPR in conjunction with Art. 15 to 22 GDPR and Section 34 para. 2 BDSG.
Updates to the Memorandum
As the rules and conditions for the processing and protection of your personal data may change, in particular as a result of changes in legislation, or our terms, procedures and methods of processing and protecting your personal data may change, we will inform you of such changes by updating this Memorandum, unless such change requires contacting you directly.
Exercise of the rights of data subjects
If you exercise your right pursuant to section ‘Rights of data subjects’ by presenting a request, the Controller is always obliged to handle such request of the data subject and is obliged to provide the information without undue delay after receipt of the request, in any case within one month from receipt of the request. In exceptional circumstances, this period may be extended by two months, of which the data subject must be informed by the Controller, including the reasons for such extension.
You can send your request:
- to the Controller’s registered office
- by email to info@epmehrum.de
- alternatively, by telephone: +49 89 25 00 63 41 0
- or by contacting your HR manager
In order to facilitate the exercise of your rights, we have prepared a sample Data Subject Request Form.
If you have reasonable suspicion that there is an infringement of data protection legislation, you have the right to lodge a complaint with the Office for Personal Data Protection: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr 2-4, 40213 Düsseldorf, Telephone: 0211/38424-0, Fax: 0211/38424-10, E-Mail: poststelle@ldi.nrw.de.