- With this Transparency Statement we, Strategy Engineers, being part of the AVL group of companies, (hereinafter SE, we or us), describe how we collect and further process personal data. According to Article 13 and 14 GDPR, companies need to meet specific information requirements when collecting personal data (directly from the data subjects or from thirds). With this Transparency Statement, we respond to these obligations.
- This Transparency Statement is not necessarily a comprehensive description of our data processing activities. It is possible that other data protection statements, specific privacy notices, general terms and conditions or similar documents are applicable to specific circumstances. For example, please check our Online Privacy Notice for data we collect from users when visiting and operating our online channels like our websites, apps, etc.
- If you provide us with personal data of other persons (such as work colleagues, network contacts, family members etc.), please make sure the respective persons are aware of this Transparency Statement and only provide us with their data if you are allowed to do so and such personal data is correct.
2. Who Is Responsible for Data Processing and How Can I Contact Them?
- Generally, the data controller is responsible for collecting and processing of your personal data. To comply with data protection legislation, the data controller will be SE. You can notify us of any data protection related concerns using the following contact details:
Strategy Engineers GmbH & Co. KG
Phone: +49 89 4161 7235
Fax: +49 89 4161 7237
3. What Sources and Data Do We Use?
- We process personal data that we obtain from our business clients, suppliers, other business partners as well as individuals in the context of business relationships with them or their employers
- For data we collect from users when operating our websites, apps and other applications, please also note their respective specific privacy statements (see our Online Privacy Notice).
- We also process -- insofar as necessary to provide our services and organize our procurement of services -- personal data that we obtain from publicly accessible sources, (e.g. debt registers, commercial and association registers, press, internet) or that is legitimately transferred between AVL group entities, from authorities or from other third parties.
- Apart from data you provided to us directly, the categories of data we receive about you from third parties include, but are not limited to:
- information in connection with your professional role and activities (e.g. in order to conclude and carry out contracts with you or your employer);
- information about you in correspondence and discussions with third parties (e.g. if someone recommends you specifically);
- information about you given to us by individuals associated with you (family, consultants, legal representatives, etc.) in order to conclude or process contracts with you or with your involvement (e.g. references, delivery-address, powers of attorney, emergency contacts);
- information regarding legal regulations (e.g. export restrictions);
- information from our business partners for the purpose of ordering or delivering services to you or by you;
- information about you found publicly in the media or internet (insofar as indicated in the specific case, e.g. in connection with job applications, media reviews, marketing/sales, etc.);
- data in connection with your use of our websites, apps, and other applications (e.g., IP address, MAC address of your smartphone or computers, information regarding your device and settings, cookies, date and time of your visit, sites and content retrieved, applications used, referring website, localization data; see our Online Privacy Notice),
- information from public registers;
- data received in connection with administrative or court proceedings.
4. What Do We Process Your Data for (Purpose of Processing) and On What Legal Basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the local law applicable to SE:
- For fulfillment of contractual obligations (Art. 6 para. 1b GDPR)
Primarily, data is processed in order to provide and receive services in the context of carrying out our core business activities, i.e. to contract with our clients and suppliers or to carry out pre-contractual measures that occur as part of a request. The purposes of data processing are primarily in compliance with the specific services provided or received. You can find more specific details about the purposes of data processing in the relevant contract documents and terms and conditions.
- In the context of balancing interests (Art. 6 para. 1f GDPR)
Where required and in line with applicable law, we process your data beyond the actual fulfilment of the contract for the purposes of the legitimate interests pursued by us or a third party, such as:
- Consulting and exchanging data with third parties (e.g. recruiters);
- Reviewing and optimizing procedures for needs assessment for the purpose of direct customer approach as well as obtaining personal data from publicly accessible sources for customer acquisition;
- Processing your personal data in connection with your capacity as an employee of one of our clients, business partners or suppliers (in the context of our purchasing operations, when engaging with our company (e.g. phone requests));
- Marketing interaction, market and opinion research (e.g. interactions during events/trade fairs, filling of questionnaires and other forms);
- Collaboration with business partners and suppliers in the context of joint projects (organization, process and project management);
- Asserting legal claims and defence in legal disputes and official proceedings;
- Guarantee of our company's IT security and IT operation (including access rights management);
- Prevention and clarification of crimes;
- Measures for building and site security as well as protection of our employees and other individuals and assets (including digital assets) owned by or entrusted to us (e.g. access controls, visitor logs, network and mail scanners, telephone recordings);
- Measures for business management (e.g. client and vendor relationship management), business development, development of services and products.
- Acquisition and sale of business divisions, companies or parts of companies and other corporate transactions and the transfer of personal data related thereto.
- As a result of your consent (Art. 6 para. 1a GDPR)
As long as you have granted us consent to process your personal data for certain purposes (e.g. analysis of certain activities for marketing purposes, filing a job application, when taking photos or videos at events, etc.), the processing will be within the scope of and based on such consent, unless we have another legal basis, provided that we require one. Consent given can be withdrawn at any time, but this does not affect the legality of data processed prior to withdrawal.
- Due to statutory provisions (Art. 6 para. 1c of the GDPR) or in the public interest (Art. 6 para. 1e GDPR)
Furthermore, as a company in the field of consultancy services we are subject to various legal obligations, meaning statutory and regulatory or self-regulatory requirements. Purposes of processing may therefore include assessment and fulfilling control and reporting obligations under fiscal laws, and measuring and managing various legal and regulatory risks within SE.
- Necessary in order to protect the vital interests of the data subject or of another natural person (Art. 6 para. 1d GDPR)
In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party.
5. Who Receives My Data?
In the context of our business activities and in line with the purposes of the data processing set out above, we may transfer data to third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process data for us or, as the case may be, their own purposes. In particular, the following categories of recipients may be concerned:
- affiliates of the AVL group of companies;
- our service providers (within the AVL group of companies or externally, such as e.g. banks, insurances, consultants), including processors (such as e.g. IT providers, logistics providers, telecommunications providers, marketing agencies);
- suppliers, subcontractors and other business partners;
- domestic and foreign authorities or courts;
- the public, including users of our websites , apps, applications, and social media (e.g. pictures and videos with your consent);
- acquirers or parties interested in the acquisition of business divisions, companies or other parts of the AVL group of companies;
- other parties in possible or pending legal proceedings;
6. Will Data Be Transferred to a Third Country or an International Organization?
- Certain of those recipients may be within the European Economic Area (EEA) but they may also be located in any country worldwide. In particular, you must anticipate your data to be transmitted to any country in which we are represented by affiliates, branches or other offices (e.g. inside the AVL Group, see here), as well as to other countries where our service providers are located. If we transfer data to a country without adequate legal data protection, we ensure an appropriate level of protection as legally required by way of using appropriate measures (in particular on the basis of the standard contract clauses of the European Commission, which can be accessed here) or we rely on the statutory exceptions of consent, performance of contracts, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or because it is necessary to protect the integrity of the persons concerned.
7. Security of Processing
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we make reasonable efforts to protect personal data against accidental and illegal destruction and loss. We strive to ensure that personal data is used properly and protected from unauthorized access, use or disclosure. We use a combination of process, technology and physical security controls to protect personal data from unauthorized access, use or disclosure.
- In addition, access to personal data is restricted to employees, contractors and agents who need such information to perform their assigned functions and to develop or improve our services.
8. For How Long Will My Data Be Stored?
- We will process and store your personal data for as long as it is necessary in order to fulfil our contractual and statutory obligations. It should be noted here that our business relationships usually are long-term obligations, which are set up on the basis of periods of years.
- If the data is no longer required in order to fulfil contractual or statutory obligations, it is deleted or anonymized, to the extent possible, unless its further processing is required -- for a limited time -- e.g. for the following purposes:
- Fulfilling obligations to preserve records according to commercial and tax law;
- Retaining data for the period during which claims can be asserted against our company;
- Legitimate business interests require further retention (e.g. for evidence and documentation purposes).
9. Do I have an Obligation to Provide Personal Data to You?
In the context of certain of our business relationships you may be obliged to provide us with personal data that is necessary for the conclusion and performance of a business relationship and the performance of our contractual obligations (as a rule, however, there is no statutory requirement to provide us with data). Without this information, we will usually not be able to enter into or carry out a contract with you (or the entity or person you represent).
10. What Data Privacy Rights Do I Have?
- In accordance with and as far as provided by applicable law (as in the case where the GDPR is applicable), you have the right to access (Article 15 GDPR), the right to rectification (Article 16 GDPR), the right to erasure (Article 17 GDPR), the right to restrict processing (Article 18 GDPR), the right to object (Article 21 GDPR), and if applicable -- the right to data portability (Article 20 GDPR). Furthermore, if applicable on you, there is also a right to lodge a complaint with an appropriate data privacy regulatory authority (Article 77 GDPR).
- On grounds relating to your particular situation, you shall have the right of objection, at any time to processing of your personal data which is based on Article 6 para 1e GDPR (data processing in the public interest) and Article 6 para 1f GDPR (data processing based on balancing interests). If you submit an objection, we will no longer process your personal data unless we can give evidence of mandatory, legitimate reasons for processing, which outweigh your interests, rights, and freedoms, or processing serves the enforcement, exercise, or defence of interests. Please note, that in such cases we may not be able to continue to provide services and maintain a business relation.
- Please note that the exercise of these rights may be in conflict with your contractual obligations and this may result in consequences such as premature contract termination or involve costs. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.
- You can withdraw consent granted to us for the processing of personal data at any time. Please note that the withdrawal only applies to the future. Processing that was carried out before the withdrawal is not affected by it.
- In general, exercising these rights requires that you are able to prove your identity (e.g., by a copy of identification documents where your identity is not evident otherwise or can be verified in another way).
- The objection or withdrawal does not need to be made in a particular form and should ideally be addressed to the contact details given above.
11. Right to lodge a complaint with a supervisory authority
- As the controller, we are obliged to notify you of the right to lodge a complaint with a supervisory authority. The right to lodge a complaint with a supervisory authority is in particular regulated by Article 77 para 1 GDPR. According to this provision, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
12. To What Extent Is There Automated Decision-Making or Profiling?
- We may partially process your personal data automatically with the aim of evaluating certain personal aspects (profiling, market and opinion research, etc.). In particular, profiling allows us to inform and advise you about products or services possibly relevant for you more accurately. For this purpose, we may use evaluation tools that enable us to communicate with you as required.
- In establishing and carrying out a business relationship, we generally do not use any automated decision-making nor any profiling pursuant to Article 22 GDPR. If we use this procedure in individual cases, we will inform you of this separately, as long as this is a legal requirement.
13. Amendments of this Transparency Statement
We may amend this SE Transparency Statement at any time without prior notice. The current version published on our website shall apply.