As controller of the processing, we have implemented comprehensive technical and organisational measures to ensure the fullest possible protection of the personal data processed via this website. Nevertheless, internet-based services and data transmissions may in principle involve risks and security gaps, so that absolute protection cannot be guaranteed. You therefore have the right at any time to transmit personal data to us by other means, e.g. by telephone, letter or fax.
a) Personal data
Personal data means all information, which may lead or contribute to the identification of a natural person (hereinafter “the individual concerned” or “data subject”). This includes data such as, for instance, name, address, telephone- or identification number, location data, online identifier or specific features, which are characteristics for the physical, mental, economic, cultural, social, religious, political or genetic identity of this individual concerned.
b) Data subject / individual concerned
“Data subject” or “individual concerned” means any natural person, whose personal data are processed by the controller.
Processing means all processes such as collection, structuring and storing, alteration or adaptation, selection and retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
d) Restriction of processing
Restriction of processing is the labelling of personal data with the objective of limiting their future processing. Restriction is, for instance, always necessary when, due to statutory requirements, permanent erasure is not permitted, further processing, however, not desired by the individual concerned.
Profiling means any form of automated processing of personal data, consisting of a valuation of certain personal aspects concerning the natural person by means of assessment of these data. It is thereby possible, for example, to analyse or predict aspects concerning that natural person’s performance at work, personal preferences and interests, reliability and behaviour, economic situation, health, location as well as movement profiles.
Pseudonymisation means the processing of personal data in such a manner that it is insured that the personal data can no longer be attributed to a specific individual concerned without the use of additional information. Additional information must be kept separately and is subject to technical and organisational measures which, as far as possible, prevent fraudulent use by third parties.
g) Controller / party responsible for processing
The party responsible for processing is the natural or legal person, public authority, institution or other body which, jointly with others or by itself, makes decisions on the purpose and means of the processing of personal data. If the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided in accordance with these legal bases.
Processor is a natural or legal person, public authority, institution or other body which processes personal data on behalf of the controller.
Recipient is a natural or legal person, public authority, institution or other body to which personal data are disclosed. It does not matter whether or not this is a third party. Exempt from this are public authorities which receive personal data within the scope of legal bases, as they are not deemed to be recipients.
j) Third party
Third party means a natural or legal person, public authority, agency or other body other than the data subject, controller, processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data.
Consent is any freely given, specific, informed and unambiguous statement of intent by the individual concerned, in the form of a declaration or another unambiguous affirming action or gesture by which the individual concerned intimates that he/she agrees to the processing of the personal data relating to him or her.
2. Name and address of the controller
Controller as defined by GDPR is:
PRO Messe–Service GmbH
Tel.: 08271 / 80 14 - 0
3. Name and address of the data protection officer
The data protection officer for the controller is:
D-86641 Rain am Lech
Tel.: 09090 / 959112
Each data subject may contact our data protection officer directly at any time with any questions and suggestions relating to data protection.
5. Collection of general data and other information
Every time our website is accessed, our website or the server of the provider where our web presence is stored collects a series of general data and information, which is stored in the log files of the server. The following may be collected:
- type and version of browser
- the operating system of the computer accessing the website
- the referrer address of the website from which an accessing system has reached our website.
- the sub-website called via an accessing system on our website,
- the date and time of access to the website,
- the IP address of the accessing system and
- (potentially the internet service provider of the accessing system and
- other comparable data and information, which serve security in case of attacks on our information systems.
When using such general data and information, we do not draw any conclusions about the individual concerned. This information is, however, required to
- correctly deliver the contents of our website
- ensure the permanent functionality of our IT systems and the technology of our website as well as
- to provide law enforcement authorities with information to assist and facilitate criminal proceedings in the event of a cyber attack.
Such anonymously collected data are therefore evaluated by us statistically and with the aim to improve data protection and data security in our company, so that an optimum level of protection for the personal data processed by us can be guaranteed. The anonymous data of the server log files are stored separate from all other data.
6. Duration of retention of personal data
The key criterion for the duration of the retention of personal data is the respective legal retention period. After expiry of this period, the corresponding data will be routinely deleted, provided that they are no longer required for the fulfilment or initiation of the contract.
7. Routine deletion and blocking of personal data
We process personal data of individual concerned only for the period of the restricted use or based on the statutory requirements of the European Union or other legal bases and provisions, to which the controller is subject.
If this restricted use no longer applies or if a storage period prescribed by statutory requirements of the European Union or other legal bases and provisions expires, the personal data will be blocked or deleted routinely and in accordance with the statutory provisions.
8. Rights of the individual concerned
The GDPR provides the following rights for the individuals concerned:
Right to Confirmation:
Each individual concerned has the right to request confirmation from the controller to establish whether personal data relating to him or her. If an individual concerned wishes to exercise this right, he or she may contact our data protection officer or another employee of our company for this purpose at any time.
Right of access:
Each individual concerned has the right to obtain from the controller, free of charge, information on the personal data stored concerning him or her, as well as a copy of this information. This information includes the following:
a) The purpose of the processing
b) The categories of the personal data processed
c) The categories of recipients to which the personal data have been or will be disclosed, in particular in respect of recipients in third countries or international organisations.
In case of recipients of personal data in third countries or international organisations, the individual concerned has a right to be informed of the appropriate safeguards to maintain a reasonable level of protection relating to the transfer.
d) if possible, information on the intended period of the storage or alternatively, information on the criteria for the determination of this period.
e) Reference to a right of rectification or erasure of the personal data relating the individual concerned, or of restriction of processing by the controller, as well as a right of objection against this processing
f) Reference to the right to lodge a complaint with a supervisory authority
g) if the personal data were not collected from the individual concerned: Reference to the right to all available information on the origin of the data
h) in case of the existence of automated decision-making or profiling, in accordance with Art. 22 (1) and (4) GDPR, meaningful information on the logic implemented and the consequences of such processing for the individual concerned must be demonstrated.
If an individual concerned wishes to exercise this right of access, he or she is welcome to contact our data protection officer or another employee of our company at any time.
Right to rectification
Each individual concerned has a right to request immediate rectification of incorrect person date concerning him or her as well as rectification or completion of incomplete personal data, taking into consideration the restriction of processing.
If an individual concerned wishes to exercise this right of access, he or she is welcome to contact our data protection officer or another employee of our company at any time.
Right to erasure and to be forgotten
Each individual concerned has the right to request from the controller immediate erasure of the personal data relating to him or her, if one of the following grounds applies or processing is not necessary:
a) Restriction of processing no longer applies.
b) The individual involved revokes his or her consent to processing in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR, and there is no other legal ground for the processing.
c) The individual concerned objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate ground for the processing.
d) The individual concerned objects pursuant to Art. 21 (2) GDPR to the processing.
e) The personal data have been unlawfully processed.
f) The personal data have to be erased for compliance with a legal obligation to which the controller is subject.
g) Protection of children / parental consent: The personal data have been collected in relation to the offer of information society services in accordance with Art. 8 (1) GDPR.
If one of the above-mentioned grounds applies and the individual concerned wishes to arrange the deletion of personal data stored with us, he or she may contact our data protection officer or another employee of our company at any time. It will then be arranged that the request for deletion is complied with immediately.
Right to erasure / to be forgotten: If the personal data have been made public by us and our company as the controller is obliged to erase the personal date pursuant to Art. 17 (1) GDPR, we shall take reasonable technical and organisational measures, taking account of economic viability and available technology, to inform other controllers which are processing the personal data that has been made public, that the individual concerned has requested the erasure of such personal data as wall as of any links to such personal data, where their processing is no longer necessary. Our data protection officer or another employee will arrange the necessary steps on a case-by-case basis.
Right to restriction of processing
Each individual concerned has the right to request that the controller restrict the processing if one of the conditions listed below applies:
a) The accuracy of the personal data is contested by the individual concerned. In this case, the processing is restricted until the controller has been able to verify the accuracy of the personal data.
b) The processing is unlawful and the individual concerned opposes the deletion of the personal data, and instead requests the restriction of the use of the personal data.
c) the controller no longer requires the personal data for the purposes of the processing, the individual concerned, however, requires such data for the assertion, exercise or defence of legal claims.
d) The individual concerned has objected to the processing in accordance with Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override those of the data subject.
If one of the above-mentioned requirements is met and the individual concerned wishes to request the deletion of personal data stored with us, he or she may contact our data protection officer or another employee of our company for this purpose at any time. The data protection officer or another employee will arrange the restriction of the processing immediately.
Right to data portability
Each individual concerned has the right to receive the personal data concerning him or her which the individual concerned has provided to the controller in a structured, commonly used, and machine-readable format. He or she also has the right to transfer these data to another controller. There must not be any hindrance from the controller to which the personal data have been provided by him or her, if this processing was based on consent (Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR) or a contract (Art. 6 (1) (b) GDPR) and the processing is carried out by automated means, except when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in the exercise of his or her right to data portability pursuant to Art. 20 (1) GDPR, the individual concerned has the right to request to have the personal data transmitted directly from one controller to another controller, where this is technically feasible and the rights and freedoms of others is not adversely affected by this.
To exercise the right to data portability, the individual concerned may contact our data protection officer or another employee at any time.
Right to object
Each individual concerned has the right to object at any time to the processing of his or her personal data, which is based on Art. 6 (1) (e) or (f) GDPR. This also applies to profiling based on these provisions.
In the event of an objection, we will no longer process the personal data, unless it is possible to show compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the individual concerned or the processing serves the assertion, exercise or defence of legal claims.
If we are processing personal data for direct marketing purposes, the individual concerned has the right to object at any time to this processing. This also applies to profiling, provided that it is related to the direct marketing. If the data subject objects to our processing for the purpose of direct advertising, the personal data will no longer be processed for these purposes.
The individual concerned also has the right to object to our processing of personal data concerning him for scientific, historical or statistical purposes pursuant to Art. 89 (1) GDPR, unless such processing is necessary for the performance of a task for reasons of public interest.
To exercise the right to object, the individual concerned may directly contact our data protection officer or another employee.
Automated decisions in individual cases including profiling
Decisions based on the processing of personal data in an exclusively automated processing or profiling operation and which produce legal effects vis-à-vis the individual concerned or significantly affect him/her are not lawful, if the decision
a) is not required for the conclusion or fulfilment of a contract between the individual concerned and the controller, or
b) is permitted due to legal provisions to which the controller is subject and these legal provisions include appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the individual concerned or
c) is made with the express consent of the individual party.
If the decision
- in case a) is required for the conclusion or fulfilment of a contract between the individual concerned and the controller or
- is made in case b) with the express consent of the individual concerned,
we are taking reasonable measures to safeguard the rights and freedoms as well as the legitimate interests of the individual concerned. This also includes the right to express the position of the individual concerned vis-a-vis the controller and to appeal against the decision.
If the individual concerned would like to assert his or her rights in relation to automated decisions, he/she may contact our data protection officer or another employee at any time for this purpose.
Right to withdraw the declaration of consent under the Data Protection Act
Each individual concerned has the right to withdraw consent to the processing of personal data at any time.
If the individual concerned would like to assert his or her right to object, he/she may contact our data protection officer or another employee at any time for this purpose.
9. Legal ground for the processing
Art. 6 (1) (a) GDPR represents the legal basis for processing operations in our company, for which we obtain the consent of the individual concerned for a specific processing purpose.
If the processing of personal data is necessary for the fulfilment of a contract with the individual concerned, Art. 6 (1) (b) GDPR applies. This may, for instance, be the case with a delivery of goods, on-site services, replies to queries or the preparation of offers.
In the case of legal obligations, to which our company may be subject, the processing is carried out on the basis of Art. 6 (1) c GDPR. These obligations may, for instance, be tax obligations or reporting requirements.
In the event that processing of personal data is necessary for safeguarding vital interests of the individual concerned, such processing is based on Art. 6 (1) d GDPR. This would, for instance, be the case when visitors to the company’s premises had an accident. In such case we would have to disclose data such as, for example, name, age, data on health insurance and other insurance data as well as other vital information to a doctor, a hospital or other third parties.
Finally, personal data could also be based on our legitimate interests, whereby Art. 6 (1) (f) GDPR applies. A legitimate interest would be that the individual concerned is a client of the controller and the processing is reasonable and beneficial to the company. In addition, our legitimate interest is the conduct of our business activity for the benefit of the company as well as its owners, shareholders and employees. In doing so, the interests, basic rights and fundamental freedoms of the individual concerned must, however, be sufficiently considered.
10. Provision of personal data pursuant to statutory or contractual provisions
We are hereby informing you that the provision of personal data is partly required by law (e.g. tax regulations and reporting regulations) or may arise from contractual provisions. It thus may happen that an individual concerned provides us with personal data which we subsequently have to process. If you have any questions regarding the necessity of providing personal data, our data protection officer is available at any time to clarify whether a legal or contractual basis exists in individual cases and what the consequences would be if the personal data were not provided.
11. How to reach us using the website
Due to legal regulations, our website contains information that facilitates quick electronic contact with our company, whether by telephone, fax or e-mail. If a data subject contacts the controller via e-mail or a contact form, the personal data provided by the data subject are automatically stored. Such personal data provided by a data subject to the controller are stored for the purpose of processing or for contacting the individual concerned. These personal data are not disclosed to third parties.
When you are using the contact form on our website, we request your name and other personal information. Except for a few mandatory fields, it is your free decision whether you wish to enter these data or not. We store your information on servers in Germany for the purpose of processing the request you have raised.
12. Data protection for applications
We collect and process the personal data of applicants for the purpose of handling the application procedure. This processing may be completely or partially electronic. This applies in particular when an applicant sends his application documents to us for example by e-mail or via a web form on the website.
If a contract of employment is concluded with an applicant, the transmitted data will be stored for the purpose of handling the employment relationship in accordance with the statutory provisions.
Should we be interested in an application although there is currently no vacancy for the qualifications offered, we will obtain the consent of the individual concerned to store the application documents. If this consent is granted, the data is retained for up to 6 years, if the individual concerned does not raise an objection in the meantime. Otherwise, the data is deleted after 2 months.
If we do not conclude an employment contract with the applicant, the application documents will be automatically deleted 2 months after notification of the rejection decision, provided that no other legitimate interests of ours conflict with this deletion. Such interests could, for example, consist in an obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).
Note: We would request to submit applications electronically by e-mail, if possible - for the sake of the environment. To protect your personal data, we are offering you the option of sending us your application in encrypted form. For encryption (e.g. ZIP file as attachment), you can send us a password in a separate e-mail. After the above-mentioned retention periods have expired, the electronic applications are deleted and paper-based applications are destroyed.
13. Data protection provisions for automated decision making
We do not engage in profiling or automatic decision making.