SAMCO Autotechnik GmbH
Managing Directors: Cevdet Colakoglu, Monika Colakoglu, Egon Hafner
Link to the imprint: https://samco.com.de/impressum
The controller’s data protection officer can be contacted at:
Type of data processed:
– Inventory data (e.g. names, addresses).
– Contact data (e.g. email, phone numbers).
– Content data (e.g. text input, photos, videos).
– Use data (e.g. websites visited, interest in content, access times).
– Meta data/communications data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the website (we hereinafter also refer to data subjects collectively as ‘users’).
Purpose of processing
– To make the website, its functions and content available.
– To respond to contact requests and communication with users.
– Security measures.
– Reach measurement/marketing.
‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. The term is used broadly and includes practically any kind of data handling.
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Article 32 of the GDPR, taking into account the state of technological knowledge, implementation costs and the type, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures particularly include securing the confidentiality, integrity and availability of data through controls on physical access to the data, as well as on access to, input of, sharing of, availability of and separation of the data. We have also established a procedure that ensures that data subject rights are observed, data is deleted and threats to data are responded to. Furthermore, we already take the protection of personal data into account in the development and/or selection of hardware, software and processes, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
Working with contract processors and third parties
If, within the context of processing, we disclose data to other persons or companies (contract processors or third parties), send such data to these parties or otherwise grant them access to data, this is exclusively based on a statutory permission (e.g. if the data must be shared with third parties in order to fulfil a contract, for example a payment service provider pursuant to Article 6 (1) (b) of the GDPR), your consent, a legal obligation, or our legitimate interests (e.g. when using contractors, web hosts, etc.).
If we engage third parties to process data based on a ‘data processing agreement’, this is based on Article 28 of the GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union [EU] or the European Economic Area [EEA]), or if this takes place as part of us engaging third-party services or as part of the disclosure or transfer of data to third parties, this only takes place in order to fulfil our (pre-)contractual duties based on your consent, a legal obligation or our legitimate interests. Subject to statutory or contractual permissions, we only process data in a third country, or allow data to be processed in a third country, if the particular conditions of Article 44 et seq. of the GDPR have been met. This means, for example, that processing takes place based on certain guarantees, such as the officially recognised level of data protection in accordance with the EU (e.g. through the ‘Privacy Shield’ for the USA) or in compliance with officially recognised special contractual obligations (‘standard contractual clauses’).
Data subject rights
You have the right to request confirmation of whether your data is processed and to request information about this data, other information and copies of data in accordance with Article 15 of the GDPR.
In accordance with Article 16 of the GDPR, you also have the right to request that your data is completed or that incorrect data is rectified.
Pursuant to Article 17 of the GDPR, you have the right to request that your data is immediately erased, or alternatively, that data processing is restricted in accordance with Article 18 of the GDPR.
You have the right to request that your data, which you have provided to us, is sent to you in accordance with Article 20 of the GDPR, and/or that it is transferred to another controller.
Pursuant to Article 77 of the GDPR, you also have the right to submit a complaint to the relevant supervisory authorities.
Right of withdrawal
You have the right to withdraw consent with future effect, pursuant to Article 7 (3) of the GDPR.
Right to object
Pursuant to Article 21 of the GDPR, you can object to the future processing of your data at any time. You can object to processing specifically for the purposes of direct marketing.
Cookies and right to object for direct marketing
‘Cookies’ are small files that are saved on users’ machines. Various kinds of information can be saved in the cookies. A cookie is mainly used to store information about the user (or the device on which the cookie is stored) during or after a website visit. Temporary cookies, also known as ‘session cookies’ or ‘transient cookies’, are cookies that are deleted after the user leaves the website and closes the browser. For example, such a cookie can save the content of the shopping cart in an online shop, or a login status. ‘Permanent’ or ‘persistent’ cookies are cookies that are stored even after the browser has been closed. As such, the login status can be saved, for example, if the user visits again after a number of days. The user’s interests can also be saved in such a cookie, which can be used for reach measurement or marketing. ‘Third-party cookies’ are cookies that are supplied by providers other than the controller that operates a website (if only the operator’s cookies are used, these are called ‘first-party cookies’).
If users don’t want cookies to be stored on their machine, they have the option of deactivating cookies in their browser’s settings. Stored cookies can be deleted in the browser’s settings. Deactivating cookies can restrict the functions on this website.
Erasure of data
In accordance with legal provisions in Germany, data is stored in particular for 10 years pursuant to Section 147 (1) of the German Tax Code (Abgabenordnung, AO), Section 257 (1) No. 1 and No. 4, and Section 257 (4) of the German Commercial Code (Handelsgesetzbuch, HGB) (accounts, records, management reports, accounting records, trading accounts, documents relevant for tax purposes, etc.) and 6 years pursuant to Section 257 (1) No. 2 and No. 3, Section 257 (4) of the HGB (commercial letters).
In accordance with legal provisions in Austria, data is stored in particular for 7 years pursuant to Section 132 (1) of the Austrian Federal Fiscal Code (Bundesabgabenordnung, BAO) (accounting documents, records/invoices, accounts, records, business papers, statement of revenue and expenditure, etc.), for 22 years if related to property and for 10 years for documents relating to electronically provided services, telecommunications services, broadcasting services and television services that are provided to non-business persons in EU member states and for which the Mini One Stop Shop (MOSS) is used.
We also process
– Contract data (e.g. object of the contract, term, customer category).
– Payment details (e.g. bank details, payment history)
of our customers, interested parties and business partners to fulfil contractual performance, provide services and for customer care, marketing, advertising and market research.
Administration, accounting, office organisation, contact management.
We process data within the scope of administrative tasks, the organisation of our business, accounting and compliance with legal duties, such as archiving. In doing so, we process the same data that we process within the scope of providing our contractual services. The legal bases for processing are Article 6 (1) (c) of the GDPR and Article 6 (1) (f) of the GDPR. Customers, interested parties, business partners and website visitors are affected by processing. The purpose of and our interests in processing include administration, accounting, office organisation and data archiving, i.e. tasks that allow us to maintain our business, carry out our duties and provide our services. The erasure of data relating to contractual services and contractual communication corresponds with the information set out in these contractual activities.
We disclose or send data to tax authorities, advisers, such as tax advisers or auditors, other fee-requesting bodies and payment service providers.
We also store information about suppliers, organisers and other business partners on the basis of our business interests, e.g. for later contact. The majority of this information is business-related data, which we store on a permanent basis.
Privacy notice for the application process
We only process applicant data for the purpose of, and as part of, the application process and in compliance with legal provisions. Applicant data is processed to fulfil our (pre-)contractual obligations as part of the application process within the meaning of Article 6 (1) (b) of the GDPR and Article 6 (1) (f) of the GDPR, provided that we are required to process data, e.g. within the scope of legal procedures (in Germany, Section 26 of the Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] also applies).
The application process presupposes that applicants share applicant details with us. If we provide an online form, the required applicant data is indicated, and can otherwise be found in the job description, and mainly includes information relating to personal, postal and contact addresses and documents associated with the application, such as cover letters, CVs and certificates. Applicants may also provide us with additional information on a voluntary basis.
If, as part of the application process, specific categories of personal data within the meaning of Article 9 (1) of the GDPR are shared voluntarily, this data is also processed pursuant to Article 9 (2) (b) of the GDPR (e.g. health-related data such as pregnancy, or ethnic origin). If, as part of the application process, specific categories of personal data within the meaning of Article 9 (1) of the GDPR are requested from applicants, this data is also processed pursuant to Article 9 (2) (b) of the GDPR (e.g. health-related data, if this is required for the job).
If available as an option, applicants can send their applications via an online form on our website. Data is sent encrypted in accordance with the level of current technology.
Applicants can also send their applications by email. However, if doing so, please note that emails are not sent encrypted and the applicant must ensure that they are encrypted. We can therefore assume no responsibility for the transmission of the application between the sender and recipient on our server, and recommend sending the application via an online form or the post. The applicant still has the option of sending the application by post instead of applying via the online form or by email.
If an applicant is successful, data provided by the applicant may be further processed by us with respect to the employment relationship. Otherwise, if the applicant is unsuccessful in applying for a vacancy, his/her data will be erased. The applicant’s data is also erased if the application is withdrawn, and the applicant is entitled to do this at any time.
Subject to the applicant’s legitimate withdrawal, the data is erased after a period of six months so that we are able to respond to any follow-up questions about the application and can meet our duties to provide evidence pursuant to the Equal Treatment Act (Gleichbehandlungsgesetz). Invoices or receipts for the reimbursement of any travel costs are archived in accordance with tax provisions.
If you contact us (e.g. via the contact form, by email, telephone or via social media), user information is processed in order to process the contact request and to resolve it, pursuant to Article 6 (1) (b) of the GDPR. User information may be stored in our customer relationship management system (‘CRM system’) or a comparable request management system.
We delete requests if they are no longer required. We review whether they are required every two years; statutory retention periods also apply.
Collecting access data and log files
Based on our legitimate interests within the meaning of Article 6 (1) (f) of the GDPR, we, or our hosting provider, collect(s) data that relates to each time the server, on which this service is located, is accessed (‘server log files’). Access data includes the name of the website accessed, the file, date and time of access, the volume of data transferred, notification of successful access, browser type including version, user operating system, referrer URL (the site previously visited), IP address and requesting provider.
For security reasons (e.g. to clarify any misuse or fraud proceedings), log file information is stored for a maximum of 7 days and is then deleted. Data that must be stored for the purpose of providing evidence must be excluded from erasure until each incident has been resolved.
Embedding third-party services and content
We use content and service offerings from third-party providers on our website based on our legitimate interests (i.e. interests in analysing, optimising and economically operating our website within the meaning of Article 6 (1) (f) of the GDPR) to integrate their content and services, such as videos or fonts (hereinafter referred to collectively as ‘content’).
This presupposes that the third-party providers of this content use the user’s IP address, as it would not be possible to send content to the user’s browser without an IP address. The IP address is therefore required in order to display this content. We endeavour to only use such content where the respective provider merely uses the IP address to supply content. Third-party providers may also use ‘pixel tags’ (hidden images, also known as ‘web beacons’) for statistical or marketing purposes. Information such as the visitor traffic for this website’s pages can be evaluated using ‘pixel tags’. Pseudonymous information can also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, referring web pages, the time of the visit and other information about the use of the website, etc., and be linked to such information from other sources.