Privacy Policy
1 Introduction
The protection of personal data is an important issue for our company. That is why we process the personal data of our employees, customers, business partners, service providers, public bodies and other third parties exclusively in accordance with the applicable legal provisions for protecting personal data and ensuring data security.
In order to underline the importance of this issue, the company's management has adopted this privacy policy for our company. This policy is intended to clearly outline the organization, responsibilities and objectives in the area of data protection in our company.
2 Scope
The policy applies to the entire TECHNE KIROW GmbH and extends to all current and future locations of the company. It is intended for all current and future employees of the company. This policy requires all employees of the company to independently adhere to the rules and obligations set out here and to implement the specified responsibilities in their area of work.
3 Organization of data protection
Company management bears the overall responsibility for data privacy and protection as well as processing of personal data. Company management provides sufficient time, financial and personal resources for fulfilling the requirements of data protection and privacy legislation.
This includes designating a data protection officer for the company. The data protection officer carries out the tasks set out in Art. 39 of the GDPR and advises the company's management as well as the employees involved in the planning and implementation of data protection and of processes that must comply with privacy protection regulations in the company.
It is necessary to make sure that the data protection officer is included early on in the planning and introduction of new processes, in connection with which personal data is also processed. The same applies to changes to existing processes.
The data protection officer shall be directly supported by a data protection coordinator as contact person. He or she is in charge of the data protection team, which acts as the first point of contact for data protection matters and which internally accompanies, supports and promotes the planning, implementation and evaluation of data protection measures. The data protection officer advises the data protection team and, if requested, participates in its meetings.
4 Responsibilities
4.1 Company management
The company management assumes the overall responsibility for data protection in the company. It ensures that there are sufficient time, financial and personnel resources available. It also authorizes the members of the data protection team to plan and implement, after consultation, corresponding measures to attain, maintain and improve the level of data protection.
4.2 Data protection officer
The data protection officer is the point of contact for data protection issues in the company. He or she performs his or her duties according to Art. 39 of the GDPR and advises, monitors and supports the company's management, the data protection team and the employees with regard to the processing of personal data in the company.
4.3 Data protection coordinator
The data protection coordinator acts as the primary contact person for the data protection officer and presides over the data protection team.
4.4 Data protection team
The data protection team represents the first point of contact for data protection matters. It advises employees on data protection matters and answers questions from those affected. At the same time, it relies on the support of the data protection officer.
The data protection team moreover supports the planning, coordination, implementation and evaluation of data protection in the company and promotes the appropriate measures. The team shall meet with the data protection officer at regular intervals to ensure the process of continuous improvement.
4.5 All employees
Every employee independently contributes to ensuring data protection in the company by complying with data protection regulations in their work. All employees are obligated to follow and comply with this policy and the other data protection regulations. If there are questions or any ambiguities pertaining to individual topics, employees should consult the data protection team. The rules set out here also apply to the employees with special tasks listed below.
If there are any uncertainties or doubts relating to the legality of individual processing measures, in particular the transfer or disclosure of data, the data protection team or the data protection officer must be informed and consulted for advice prior to processing.
If any obvious or at least possible violations of data privacy protection are noticed in everyday work processes, every employee is obligated to report these incidents, as well as any other irregularities in data processing, immediately and directly to the data protection team.
4.6 IT manager
The IT manager ensures the security of electronic data processing systems by planning, procuring, implementing and monitoring appropriate technical security measures. To this end, the necessary budget shall be made available by the company management. He or she shall coordinate measures that have an impact on the security of data processing with the data protection officer and ensure that the existing protective measures are sufficiently documented.
4.7 Administrators
The administrators shall carry out technical measures in coordination with the IT manager, document their activities and contribute to optimizing the security of data processing and data protection by making suggestions for improvements.
4.8 Supervisors with personnel responsibility
Supervisors with personnel responsibility shall make sure that the persons working in their area of responsibility are adequately briefed about the data protection concerns and the privacy-compliant working practices that affect them, and that they are obligated to practice data protection and confidentiality. Measures are moreover taken to enable the persons working in their area of responsibility to work in compliance with data protection regulations.
4.9 Project or process manager or area manager
Project, process or area managers must include the data protection officer early on in the planning of projects that affect the processing of personal data in order to ensure that the data protection regulations are complied with.
When commissioning external service providers or suppliers, project, process or area managers are obligated to select them carefully with regard to data protection. Moreover, it is necessary to check during commissioning whether the engagement constitutes order processing and, if necessary, to enter into a corresponding order processing contract. Even if it does not involve order processing, provisions for ensuring data protection, privacy and confidentiality must be included in the contract. The data protection team can also be consulted for assistance during these checks.
4.10 Suppliers, external service providers and other contractors
Suppliers, external service providers and other contractors must be obligated by means of separate agreements to comply with the applicable data protection stipulations and provide proof thereof. If they process data on behalf of the company’s management (order processing), an order processing contract must be agreed upon before the order is placed.
4.11 Lessees of premises on the company grounds
Contractual agreements on ensuring data protection and confidentiality must be entered into with lessees of premises on the company grounds.
5 Principles of processing of personal data
The objective of this policy is to ensure data protection and privacy in the company. To this end, the company must consider the following principles of data processing during the planning, introduction and the course of processes.
5.1 Legality
When processing personal data, the fundamental rights and freedoms of the data subjects must be maintained to the greatest extent possible. As a result, personal data may only be collected and processed in a lawful manner, i.e. only if there is a clear legal basis.
5.2 Permissible access
Personal data may only be processed for the purposes that have been specified and documented prior to collection of the data. These purposes must correspond with the reasonable expectations of the data subjects with regard to the corresponding processing activity. Subsequent changes to the purposes are generally not provided for. If a change in purpose should arise in individual cases, this is only possible to a limited extent and requires a documented consideration of interests after consulting with the data protection officer and approval by the company’s management.
5.3 Transparency
Persons or data subjects affected by processing must be informed about the planned processing activities in good time. When collecting data, the data subjects must be able to recognize at least the following information or be informed accordingly:
- The identity of the controlling body, i.e. our company
- The contact information of the data protection officer
- The purpose and legal basis of the data processing
- Intended recipients of data, in particular if the data should be transferred to a third country
Moreover, personal data is to be collected directly from the data subjects themselves. Collecting data from third parties should be avoided if possible.
5.4 Data avoidance and minimization
Prior to collecting personal data, it is always necessary to check whether and to what extent this is necessary for achieving the intended purpose of processing. Only data that is identified as essential may be collected and stored. No other data may be collected. Moreover, personal data may not be retained for potential future purposes, unless this is prescribed or permitted by national law.
Access to stored personal data should always be reserved only to those employees who need it to complete their assigned work tasks. The necessity for continued existence of access authorizations must be checked on a regular basis.
5.5 Deletion
Personal data may only be stored until the purpose of collection and processing has been attained and there are no mandatory statutory provisions that prevent a deletion. This data must be deleted or destroyed immediately after the statutory or business-process-related retention periods have expired or at the request of the data subjects. It is important to make sure that corresponding secure destruction measures are used when deleting or destroying data in accordance with the sensitive nature of data.
If, in individual cases, there are indications that our company has a legitimate interest in retaining certain data, such data shall be kept in a separate area outside of active user access until the legitimate interest has been checked and, if necessary, legally clarified.
5.6 Correctness and up-to-dateness of data
Stored personal data must always be correct, complete and up-to-date. As a result, suitable measures must be taken to ensure that non-applicable, incomplete or obsolete data is deleted, corrected, amended or updated.
5.7 Confidentiality and data security
When processing personal data, maintaining the confidentiality and integrity of the data plays a particularly important role. As a result, personal data must be treated confidentially and protected in daily use against unauthorized access, unlawful processing or disclosure and accidental loss, modification or destruction by undertaking appropriate organizational and technical measures.
When pursuing specific objectives, the implemented protective measures must stand in an economically justifiable relationship to the protection requirements of the data and information being processed.
6 Sanctions
A violation of this policy may constitute a breach of duty under the employment agreement and can thus be sanctioned accordingly.
In case of particular risks, contractual penalties should be agreed upon for suppliers, external service providers and other contractors.
As of 10/2021
