1. Controller

Service provider pursuant to Article 13 of the Telemedia Act (TMG) and controller pursuant to the Federal Data Protection Act (BDSG) as well as the General Data Protection Regulation (GDPR) is:

Hako GmbH
Headquarters
Hamburger Straße 209-239
D-23843 Bad Oldesloe

Phone: 0049-4531-806-0
Fax: 0049-4531-806-338
E-mail: info@hako.com
Web: www.hako.com

Managing directors
Mario Schreiber (chairman)
Joachim Blache
Axel Jensen
Frank Ulbricht

2. Data protection officer

Should any issues on data protection arise, our external data protection officer Astrid Bartel from Vater Solution GmbH will be at your disposal and can be contacted by e-mail under privacy@hako.com.

3. Categories of personal data

We process the following categories of data: master data (such as company, contact(s), address, if applicable), communication data (such as e-mail addresses, telephone & fax numbers, server-log files), contract data, data on claims and receivables as well as payment information and defaults in this respect, where applicable.

4. Data sharing

Your personal data will only be transferred to third parties, if

• you have given your explicit consent to it pursuant to Article 6, sub-section 1, sentence 1a), GDPR;
• it is necessary for the performance of contractual obligations pursuant to Article 6, sub-section 1, sentence 1b), GDPR;
• it is necessary for the compliance with a legal obligation in accordance with Article 6, sub-section 1, sentence 1c), GDPR;
• it is in the public interest in accordance with Article 6, sub-section 1, sentence 1e), GDPR or;
• it is necessary for the purposes of our legitimate interests or legitimate third-party interests pursuant to Article 6, sub-section 1, sentence 1f), GDPR, unless such interests are overridden by your own interests in the protection of your personal data.

5. Third-party recipients

It may well be possible that we have to transfer your personal data to third-party recipients, in order to enable us to deal with your requests in a satisfactory manner. In doing so, we shall always observe the requirements referred to in sub-section 4 hereof. Third-party recipients may be authorised dealers of Hako GmbH, where applicable.

6. Storage duration of personal data

We shall store your data as long as they are required for the purposes on which the relevant processing job is based. Besides, we shall store data only, if we are required to do so by law, e.g. on the basis of statutory retention and documentation obligations (arising from the [German] Commercial Code [HGB], the [German] Criminal Code [StGB] or the Fiscal Code of Germany [AO)] pursuant to Article 6, sub-section 1c, GDPR. We shall inform you about any storage periods deviating therefrom in the sub-sections on the specific processing jobs.

7. Rights of the data subject

In connection with the processing of your data you have the following rights:

(1)  Pursuant to Article 15 GDPR, the right to obtain information about your personal data stored and processed.

(2) Pursuant to Article 16 GDPR, the right to have incorrect personal data immediately rectified and to have incomplete personal data completed;

(3) The right to have stored personal data erased or restrict the processing of your personal data or object to the processing of your personal data (Article 17, 18 and 21 GDPR).      

(4)  If you have given your consent to your personal data being processed or have concluded a data processing contract and your data is processed by means of automated data processing methods, you may have the right to ensure data portability (Article 20 GDPR).

(5) Please address all requests for information, revocation of consent granted or requests to exercise your rights to the data protection officer mentioned under section 2. Should you wish to exercise your above mentioned rights, the responsible data protection officer shall verify the compliance with statutory requirements.

(6) The right to lodge a complaint with a supervisory authority. To do so, you may contact the supervisory authority at your place of residence or at the location of our company headquarters.

8. Automated decision-making

The automated decision-making will not be applied.

9. Information about the right to object

Pursuant to Article 21 GDPR, lodging an objection to the processing of your personal data based on Article 6, sub-section 1e) (data processing in the public interest) or 1f) (data processing for safeguarding legitimate interests on the basis of balancing the interests involved) is possible at any time. In the event of an objection, the personal data will no longer be processed, unless compelling legitimate grounds for the processing override the interests, rights and freedoms of the data subject or the processing of the data is required for establishing, exercising or defending legal claims.

Please address your objection to the e-mail address privacy@hako.com.

If you have given us your consent for the processing of personal data, you can withdraw this consent at any time. This shall, of course, also apply to any declarations of consent given to us before 25 May 2018 (before the GDPR came into effect). An objection can always take effect for the future only. The lawfulness of the data processing cannot be undone with retrospective effect.

Please address your objection to the e-mail address privacy@hako.com.

10. Supervisory authority

Here is the address of our competent supervisory authority:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, Holstenstraße 98, 24103 Kiel,

Phone:            +49 431 988-1200, Fax: +49 431 988-1223

E-mail:             mail@datenschutzzentrum.de

Homepage:   www.datenschutzzentrum.de

The following sections provide information how your personal data are collected, processed and utilized, when you visit these Websites and use the services offered there.

1. Data security

We secure our Website and other systems against loss, destruction, access, modification or dissemination of your data by unauthorized persons with the help of suitable technical and organisational measures. However, the complete protection against all dangers is impossible, despite regular controls.

Our Website uses Secure Sockets Layer (SSL), the industry standard for encrypting data. This will ensure the confidentiality of your personal details when being transmitted via the Internet. You will recognize from the closed key or lock symbols on the display of your browser, whether the data transfer is encrypted or not.

2. Storage of access data

(1) Whenever our Internet presentation is accessed, access data will be stored in a log file on the server of our provider.

(2) This dataset may consist, as an example, of your IP address, the date and time of the request, the name of the file requested, the file set transmitted and the access status, a description of the Web browser and of the operating system used as well as the name of your Internet service provider.

(3) These data will be collected exclusively for technical reasons; they will be evaluated for statistical purposes only and without any reference to persons (number of visitors and page popularity). These data will be automatically erased after 14 days, at the latest.

3. Collection of personal data for informational use (cookies)

(1) If the Website is used for informational purposes only, i.e. if you do not register for the use of the Website or do not otherwise transmit information to us, we shall not collect any personal data, except the ones mentioned in section 2 hereof that have been transmitted by your browser to facilitate the visit of our Website technically.

(2) When using the Website, so-called cookies will be stored on your computer. Cookies are little text files saved on your hard disc as allocated by the browser used, so that certain information can be transmitted to the entity setting the cookie (in this case to us). Cookies can neither run programs nor transmit viruses to your computer. They merely help to make Internet offers more user-friendly and effective. We use cookies to enable us, as an example, to identify you on subsequent visits, should you have an account with us. Otherwise, you would have to log in anew at each visit.

(3) This Website uses cookies to the following extent:

4. Google Analytics (Tracking)

This Website uses Google Analytics, a Web analysis service of Google Inc. („Google“). Google Analytics uses so-called „cookies“, i.e. text files that are stored on your computer and that facilitate an analysis how you use this Website. The information generated by the cookie how you use this Website (including your IP address) will be transmitted to a server of Google in the US and stored there. Google will use this information to evaluate, how you use the Website, to compile reports about the Website activities for the Website operators and to render further services associated with the use of the Website and of the Internet. Google may also transfer this information to third parties, if this is required by law or if third parties process these data on behalf of Google. Under no circumstances will Google relate your IP address to other data of Google.

You can prevent the installation of the cookies by setting your browser software accordingly, although we must advise you that you may not be able to use all functions of this Website in such case to the full extent.

This Website uses Google Analytics with the extension _anonymizeIp(), which means that IP addresses can only be stored in a shortened format. This technique will generally exclude any direct reference to persons. A job processing contract with Google has been concluded in this respect.

Article 6, sub-section 1, sentence 1a, GDPR is the legal basis for the data processing activities. We process your data so as to make our Websites available to you in the most comfortable way, to adapt their functionality to the visitors’ requirements and to improve them continuously.

5. Contact form

When getting in touch with us by e-mail or by using the contact form, we shall store your e-mail address as well as your name and telephone number, if stated, in order to answer your questions.

You can send us an encrypted e-mail by using the contact form on our Website and state your request. This may concern questions about our company, our products or our services.

We would like you to enter certain personal data into our input mask, so that we can deal with your request. These are your name, your e-mail address and further details, such as the subject of your inquiry and your message text. Apart from filling in the mandatory fields, you may also provide additional and optional information, such as a postal address and/or a telephone number.

The information thus collected will enable us to deal with your request in the most comprehensive manner. It is understood that the data you have made available to us in this connection have been provided on a strictly voluntary basis.

The personal data transmitted to us in connection with the above information as well as the time of getting in touch with us will only be used for the purpose, for which you make these data available to us, especially for dealing with your request. The information made available to us will exclusively be used to deal with your request. The data transmitted to us will neither be used for any other purposes nor be passed on to any third parties without your express consent. An exception hereto are partner firms of Hako GmbH if they need to be involved in dealing with your inquiry, i.e. our suppliers, carriers as well as logistic and trading partners. If no statutory retention requirements exist, your personal data will be erased after the matter has been dealt with.

Article 6, sub-section 1, sentence 1b), GDPR is the legal basis for the processing of these data. We shall process your data to answer your inquiries.

6. Liability for links

Our pages contain links to external Websites of third parties, whose contents are beyond our control. We can therefore not be held liable for any such external contents, since only the provider of the linked pages or the page operator is always responsible for these contents. The linked pages have been examined at the time of establishing the link, so as to identify possible infringements of the law. Unlawful contents have not been identified at the time of establishing the link. However, a permanent control of the contents of the linked pages cannot be expected and is unreasonable without tangible evidence of an infringement of the law. If we become aware of such an infringement of the law, we shall immediately remove such links.

You can reach the Web shop of Hako Service GmbH via our homepage. Please refer to our Website http://www.hako-service.com/gmz_eng/index.php for more information about the registration, orders, the customer account and the data protection provisions.

With the following information, we wish to give you as user of our Hako-Fleet-Management Portal (hereinafter referred to as “Portal”) an overview of the processing of your personal data by us and of your rights under data protection law.

Who is responsible for the data processing, and who is my point of contact?

Responsible party in accordance with Art. 4 (7) EU General Data Protection Regulation (GDPR) is Hako GmbH, Hamburger Straße 209-239, 23843 Bad Oldesloe, Tel.: +49-4531-806-0, Telefax: +49-4531-806-338, Internet: www.hako.com (hereinafter referred to as “Hako”). Our external data protection officers can be contacted at privacy@hako.com or via our postal address with the addendum “Data protection officer”.

What sources and data do we use?

We process personal data that we receive during your use of the Portal. In addition, we merge existing contract data received from you with the usage data of the Portal, if necessary, in order to enable a contractual correlation. Data are not collected from any other sources.

As operators of the Portal, we also collect data that are automatically collected by our web servers, including

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (concrete page)
• Access status / HTTP status code
• Data volume transmitted in each case
• Website from which the request comes
• Browser
• Operating system and its user interface
• Language and version of the browser software

In order to enable user-friendly operation of our portal, we collect “cookies”, small text files that are stored on the user's computer and inform the system about previous website visits when the portal is used again. These cookies are not used for tracking. You can set your browser so that you are informed when cookies are set and can allow cookies only in individual cases, accept cookies for specific cases or generally exclude them, and activate automatic deletion of cookies when the browser is closed. If cookies are deactivated, the functionality of this website may be restricted.

If you contact us by e-mail or via a contact form, the data you provide us with (your e-mail address, possibly your name and telephone number) will be stored by us in order to answer your questions.

We offer two special functions on the Portal. On the one hand the map service OpenStreetMap for location determination and display of the Hako products used, and on the other hand the Google service reCAPTCHA to differentiate between human and computer-controlled users. OpenStreetMap is operated as a map service by the Open Street Map Foundation (OSMF), 132 Maney Hill Road, Sutton Coldfield, West Midlands, B72 1JU, United Kingdom. When using our portal, the user's IP address and other usage data are passed on to OSMF for location purposes. OpenStreetMap may also store cookies in your browser for this purpose. Please refer to the relevant data privacy statement for details of the data processing by OpenStreetMap (https://wiki.osmfoundation.org/wiki/Privacy_Policy). The Google service reCAPTCHA is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The purpose of reCAPTCHA is to check whether the data input on our portal (e.g. in a contact form) is made by a person or by an automated program. To do this, reCAPTCHA analyses the behaviour of the user on the basis of various characteristics. This analysis begins automatically as soon as the user accesses the Portal. Please refer to the Google Privacy Policy (https://policies.google.com/privacy?hl=de) and the Google terms of use (https://policies.google.com/terms?hl=de) for further information on the scope of functions. Please note when using the above two functions that the user’s IP address recorded when using our portal is regularly that of the customer’s company and not of a natural person, because the login to the portal is password-protected exclusively for our commercial customers.

Data categories: Relevant personal data are name, e-mail address or other identification data of the customer's employees registered as users, usage data with regard to Hako products (location of the vehicle used, travel times, sensor messages etc.), order data for processing via our online shop (object of purchase, price, customer contact person, delivery address, bank details etc.) as well as data on the use of our website (IP address, time of call, etc.).

What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) for purposes of fulfilling the contract vis-à-vis our customers. The provision of the Portal and the processing of the data provided by the customer are performed by a processor in accordance with Art. 28 GDPR. For this purpose, a separate contract for order processing was concluded between Hako and the customer in which the details of the processing are specified. With respect to the automatic collection of usage data via our web server and the use of cookies, OpenStreetMap and reCAPTCHA, the data are collected in accordance with Art. 6 (1) line1 lit. f) GDPR on the grounds of our legitimate interests. Personal data of individual employees of our customers are also collected on the basis of this regulation when orders are placed via our online shop (e.g. in the box “Contact person”).

Who receives my data?

Within the company, departments requiring access to your data for the fulfilment of our contractual and legal obligations receive your data. Service providers and vicarious agents used by us may also receive data for these purposes if they have been specifically obliged to confidentiality and integrity. These are companies in the IT services, logistics or telecommunications categories.

With regard to the transfer of data to recipients outside our company, it should first be noted that we only pass on necessary personal data in compliance with the applicable data protection regulations. We may only pass on information about our customers' employees if this is required by law, if the person concerned has given his/her consent or if we are authorised to provide information. Under these conditions, recipients of personal data may be, for example:

• Public bodies and institutions (e.g. tax authorities, criminal prosecution authorities) where there is a legal or official obligation,
• Companies for risk management on the grounds of legal or official obligations,
• Auditors, or
• Service providers that we use within the framework of contract processing relationships.

Personal data are not passed on to third parties with regard to general use of the Portal, automatic collection via web servers and the use of cookies. When using OpenStreetMap and reCAPTCHA, the specified usage data (e.g. IP address of the customer’s company) are passed on to the respective operators (see above). When orders are placed in our online shop, the forwarding of address data to transport companies is necessary, i.e. possibly also data on the customer's contact person. This disclosure takes place with regard to personal data of the respective users (regularly employees of our customers) on the basis of legitimate interests pursuant to Art. 6 (1) line 1 lit. f) GDPR.

Are data transmitted to a non-member state or to an international organisation?

As a matter of principle, data are not transferred to bodies in countries outside the European Union (non-member states or “third countries”). If OpenStreetMap does not offer any processing within the European Union after Brexit, Hako will receive appropriate guarantees from the operator OSMF in accordance with Article 44 et seq. GDPR (e.g. standard contractual clauses) or will discontinue the service.

How long are my data stored?

We process and store your personal data as long as this is necessary to fulfil our contractual and legal obligations.

If the data are no longer required for the fulfilment of contractual or legal obligations, they are regularly deleted unless their – temporary – further processing is necessary for the following purposes:

• Compliance with commercial and tax retention obligations,
• German Commercial Code (HGB), German Tax Code (AO), German Money Laundering Act (GwG). The time limits for storage and documentation specified there are generally two to ten years.
• Preservation of evidence within the framework of the statutory statute of limitations. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular period of limitation is 3 years.

The usage data automatically collected by our web server (IP address, time of access, etc.) are deleted by us within one week. Cookies, including those set by OpenStreetMap, are deleted by you as a user by activating the cookie deletion function under the settings of your browser.

What data protection rights do I have?

Every data subject has the right of access in accordance with Art. 15 GDPR, the right to rectification in accordance with Art. 16 GDPR, the right to erasure in accordance with Art. 17 GDPR, the right to restriction of processing in accordance with Art. 18 GDPR, the right of objection in accordance with Art. 21 GDPR and the right to data portability in accordance with Art. 20 GDPR. The restrictions according to §§ 34 and 35 BDSG apply to the right of access and the right to erasure. In addition, there is a right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG). The address can be found under the following link on the Internet: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

Any consent given in exceptional cases to the processing of personal data may be revoked at any time. Please use our contact details at the top of this document.

Is there an obligation for me to provide data?

As part of our business relationship, you must provide us with the personal data necessary to establish, conduct and terminate a business relationship and to fulfil the associated contractual obligations, or which we are legally obliged to collect. Without these data, we will generally not be in a position to conclude, execute and terminate a contract with you.

To what extent does automated decision-making take place?

As a matter of principle, we do not use fully automated decision-making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases (e.g. to improve our products and services), we will inform you separately about this and about your rights in this regard, insofar as this is required by law. This also applies to profiling.

SSL or TLS encryption 

Our portal uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as Hako. An encrypted connection can be recognised from the fact that the address line of the browser changes from "http://" to "https://" and from the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Agreement between

- the Controller – hereinafter referred to as the Client -

and

Hako GmbH

Hamburger Straße 209-239

23843 Bad Oldesloe

- the Processor – hereinafter referred to as the Supplier -

1. Subject matter and duration of the Order of Contract

(1) Subject matter

The subject of the order results from the application for the purchase of Hako-Fleet-Management or the framework agreement from ................... , to which reference is made here.

(2) Duration

The duration of this Order corresponds to the duration of the Service Agreement.

2. Specification of the Order or Contract Details

1. Nature and Purpose of the intended Processing of Data:

Nature and Purpose of Processing of personal data by the Supplier for the Client are precisely defined in the Service Agreement

The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior
agreement of the Client and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled.

 (2) Type of Data

        The Subject Matter of the processing of personal data comprises the following data types/categories:

• Personal Master Data (Key Personal Data)
• Contact Data
• Key Contract Data (Contractual/ Legal Relationships, Contractual or Product Interest)
• Customer History
• Contract Billing and Payments Data
• Planning and control data

 (3) Categories of Data Subjects

The Categories of Data Subjects are precisely defined in the Service Agreement under:

• Customers
• Stakeholders
• Employees
• Suppliers
• Commercial agents
• Contact person

3. Technical and Organisational Measures

(1) Before the commencement of processing, the Supplier shall document the execution of the necessary Technical and Organisational Measures, set out in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.

(2) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account. [Details in Appendix 1]

(3) The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

4. Rectification, restriction and erasure of data

(1) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client. Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Client.

(2) Insofar as it is included in the scope of services, erasure, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay.

5. Quality assurance and other duties of the Supplier

In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:

1. The Data Protection Officer at the Suppliers side is Mrs Astrid Bartel [Hako GmbH, Hamburger Straße 209-239, 23843 Bad Oldesloe, Telefon: +49-4531-806-0, Telefax: +49-4531-806-338, privacy@hako.com] is designated as the Contact Person on behalf of the Supplier.
2. Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this contract, unless required to do so by law.
3. Implementation of and compliance with all Technical and Organisational Measures necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR [details in Appendix 1].
4. The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
5. The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with the processing of this Order or Contract.
6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make every effort to support the Client.
7. The Supplier shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
8. Verifiability of the Technical and Organisational Measures conducted by the Client as part of the Client’s supervisory powers referred to in item 7 of this contract.

6. Subcontracting

(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client's data, even in the case of outsourced ancillary services.

(2) The Supplier may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Client.

The outsourcing to subcontractors of changing the existing subcontractor are permissible when:

• The Supplier submits such an outsourcing to a subcontractor to the Client in writing or in text form with appropriate advance notice; and
• The Client has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
• The subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.

(3) The transfer of personal data from the Client to the subcontractor and the subcontractors commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.

(4) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.

(5) Further outsourcing by the subcontractor requires the express consent of the main Client (at the minimum in text form); as well requires the express consent of the Supplier (at the minimum in text form); all contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor.

7. Supervisory powers of the Client

(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by the Supplier in his business operations by means of random checks, which are ordinarily to be announced in good time.

(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.

(3) Evidence of such measures, which concern not only the specific Order or Contract, may be provided by

• Compliance with approved Codes of Conduct pursuant to Article 40 GDPR;
• Certification according to an approved certification procedure in accordance with Article 42 GDPR;
• Current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor);
• A suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).

(4) The Supplier may claim remuneration for enabling Client inspections.

8. Communication in the case of infringements by the Supplier

(1) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:

1. Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
2. The obligation to report a personal data breach immediately to the Client
3. The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.
4. Supporting the Client with its data protection impact assessment
5. Supporting the Client with regard to prior consultation of the supervisory authority

(2)The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.

9. Authority of the Client to issue instructions

(1) The Client shall immediately confirm oral instructions (at the minimum in text form).

(2) The Supplier shall inform the Client immediately if he considers that an instruction violates Data Protection Regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.

10. Deletion and return of personal data

(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.

(2) After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

(3) Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.

11. Place of jurisdiction

(1) Place of jurisdiction is the local court of the Client.

__________________________________                    _________________________________

Place, Date, Signature                                                                       Place, Date, Signature

Controller                                                                                            Processor

Appendix – Technical and Organisational Measures

• Employees are contractually bound to observe data protection, as well as where appropriate to the secrecy of telecommunications
• Procedure-independent plausibility and safety tests exist (for example technical supported or from external).

• Physical Access Control

No unauthorised access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems

• Electronic Access Control

No unauthorised use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media

• Internal Access Control (permissions for user rights of access to and amendment of data)

No unauthorised Reading, Copying, Changes or Deletions of Data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events

• Isolation Control

The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Client support, sandboxing;

• Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)

The processing of personal data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.

• Data Transfer Control

No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;

• Data Entry Control

Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management

• Availability Control

Prevention of accidental or wilful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning

• Rapid Recovery (Article 32 Paragraph 1 Point c GDPR) (Article 32 Paragraph 1 Point c GDPR)

• Data Protection Management;
• Incident Response Management;
• Data Protection by Design and Default (Article 25 Paragraph 2 GDPR);
• Order or Contract Control

No third party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g.: clear and unambiguous contractual arrangements, formalised Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks.

Appendix

All information is made available in Hako's web portal via a login. To obtain this login, Hako requires a data processing contract and the application for purchase for Hako Fleet Management. The contract length should be at least 24 months, as a SIM card with attached contract is installed, but this may differ for framework contracts.

Here, the customer can clearly see the costs incurred by the machine individually and cumulatively for his entire fleet. Recurring dates can be set (e.g. main inspections or DGUV 3 tests), these dates are also displayed to the responsible service technician. All service costs carried out by Hako are displayed, the invoice is included, and any legally required photos, e.g. of accident damage or similar, can also be uploaded here. The customer can also create his own service reports if the machine is serviced externally.

If a machine has a damage, this must be reported to the customer by personnel, from the portal then directly a mail with a service request, directly concerning the machine, can be sent. The status of this request is also displayed to the customer.

The status of the entire fleet is presented to the customer on the overview page via a traffic light system, here there is a traffic light for budget overruns (€ traffic light), recurring appointments (wrench traffic light) and reported service codes (i traffic light). If these traffic lights switch to "red", users can be deposited, who then receive an email once a day about the "red" traffic lights. The processing and accumulation as well as filtering takes place via the existing data from the ERP system.

This enables live data to be obtained directly from the machine. This includes the operating hours, live service codes directly from the machine, route data and usage data (e.g. which brush has been active and when). In addition, the operating resources are displayed, e.g. fresh water.

Registered with the machine, the number is displayed in the web portal during use. Two scenarios can be selected, that the I-Button Reader only flashes red when not in use or that the working units do not shut down. Behind the numbers of the access authorizations there can also be different cost centers or similar.

The registration portal https://www.hako-messe.com/en/ can be reached via our homepage, while the relevant data protection information can be found under https://www.hako-messe.com/en/privacy-policy/.

We make public videos available on a channel and they will be embedded there in the “extended data protection mode“. This means that no data will be transmitted to YouTube, before the videos are viewed. Once videos are clicked and viewed, data will be collected at YouTube, which lies beyond the influence of the controller of this Website.

For the data collection conditions when using YouTube please refer to Google's Privacy Policy and Terms of Service.

Our website uses a link to our social media site on Facebook. Facebook receives no information about your visit on our website. However, when you click on the link, you will be forwarded to Facebook. This is also when Facebook knows that you have visited our website.  

We have no knowledge of or any influence on the use or processing of your data by Facebook after using this link. Please refer to Facebook’s Privacy Policy for more information.

Our website uses links to our social media site on Linkedin by LinkedIn Ireland Unlimited Company. Linkedin receives no information about your visit on our website. However, when you click on the link, you will be forwarded to Linkedin. This is also when Linkedin knows that you have visited our website. 

We have no knowledge of or any influence on the use or processing of your data by Linkedin after using this link. Please refer to Linkedin’s Privacy Policy for more information.

Neben den allgemeinen Hinweisen zur Datenverarbeitung und den Hinweisen zur Verarbeitung Ihrer Daten auf der Homepage der Hako GmbH, beschreiben wir Ihnen im Folgenden, wie wir Ihre personenbezogenen Daten bei der Nutzung für Marketingmaßnahmen verarbeiten.

1. Zweck der Verarbeitung:

Verkaufsförderung auch von Produkten, von kooperativen Zusammenschlüssen.

2. Rechtsgrundlage:

•Art. 6, Abs. 1, S. 1, lit. f (wirtschaftliches Interesse) Direktwerbung. Die Verarbeitung personenbezogener Daten zum Zwecke der Direktwerbung wird als eine einem berechtigten Interesse dienende Verarbeitung betrachtet (EG 47 DSGVO)

•Art. 6, Abs. 1, S.1, lit. a Einwilligungen für Newsletterempfang

3. Kategorien personenbezogener Daten: Namen und Kontaktdaten von Kundinnen und Kunden der Hako GmbH, sowie deren Mitarbeitende

4. Empfänger der personenbezogenen Daten:

•interne Empfänger (andere Fachabteilungen, konzerninterne Weitergabe)

•externe Empfänger (z.B. Fa. Weed Concept GmbH, ggf. Werbeagenturen für Mailingaktionen oder andere Marketingmaßnahmen)

5. Regelfrist der Löschung: Ihre Daten werden nach den gesetzlichen Grundlagen zur Aufbewahrung nach den handelsrechtlichen Bestimmungen gespeichert. Interne Löschfristen sind über die zentrale Kundenverwaltung eingerichtet. Auftragsverarbeiter sind vertraglich verpflichtet, Datensätze nach der konkreten Verarbeitung zu löschen. 

Die Verarbeitung der dienstlichen Kontaktdaten ist unter anderem für Vertragsabschlüsse erforderlich. Ein Widerspruch der betroffenen Personen kann auch bei deren Arbeitgebern geltend gemacht werden.

Eine automatisierten Entscheidungsfindung (einschließlich Profiling gemäß Artikel 22 Absätze 1 und 4 DSGVO) kommt nicht zur Anwendung.