Name and contact details of the controller:
The controller (hereinafter “Controller”) within the meaning of Article 4 ( 7) GDPR is:
pbo Ingenieurgesellschaft mbH
Dipl.-Ing. Thomas Bergedieck,
Dr.-Ing. Dipl.-Wirt.-Ing. Marcel Grünbein
M.Sc. Dennis Wegkamp
Email address: firstname.lastname@example.org
Data protection officer
HEGO Informationstechnologie GmbH,
Mr Patrizio Ziino, M.Sc (FH)
Types of data, purposes of processing and categories of data subjects
In the following document, we provide you with information about the nature, scope and purpose of the collection, processing and use of personal data and your rights in connection with this.
1. Types of data which we process
- Inventory data (name, address etc.),
- Contact data (telephone, email, fax etc.),
- Communication data (IP address etc.),
- Date and time of the request Time difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/http status code of the respective transmitted data quantity
- Website from which the request originates
- Language and version of the browser software
2. Purposes of processing pursuant to Article 13 (1) c) GDPR
- Conclusion of contracts,
- Technical and commercial optimisation of the website,
- Making the website easy to access,
- Fulfilling contractual obligations,
- Making contact in the event of a legal objection by third parties,
- Fulfilling statutory retention obligations,
- Optimisation and statistical evaluation of our services,
- Supporting commercial use of the website,
- Improving the user experience,
- Designing the website to be user-friendly,
- Preparing statistics,
- Carrying out an application process,
- Customer service and customer support,
- Processing contact requests,
- Providing websites with functions and content,
- Security measures,
- Operation of our website in a secure manner without interruptions
3. Categories of data subjects pursuant to Article 13 (1) e) GDPR
- Visitors/users of the website,
- Customers, suppliers,
- Interested parties, applicants
The data subjects will be referred to together as “users”.
4. Legal bases of the processing of personal data:
In the following section, we provide you with information about the legal bases of the processing of personal data:
1. If we have collected your consent to the processing of personal data, the legal basis is Article 6 (1) Sentence 1 a) GDPR.
2. If the processing is necessary for the performance of a contract or the implementation of pre-contractual measures which take place at your request, the legal basis is Article 6 (1) Sentence 1 b) GDPR.
3. If the processing is necessary for the fulfilment of a legal obligation to which we are subject (e.g. statutory retention obligations), the legal basis is Article 6 (1) Sentence 1 c) GDPR.
4. If the processing is necessary to protect the vital interests of the data subject or another
natural person, the legal basis is Article 6 (1) Sentence 1 d) GDPR.
5. If the processing is necessary to protect our legitimate interests or the legitimate interests of a third party and your interests or fundamental rights and fundamental freedoms do not outweigh these, the legal basis is Article 6 (1) Sentence 1 f) GDPR.
5. Transfer of personal data to third parties and processors
In principle, we do not pass any data on to third parties without your consent. However, if this does take place, then the data is transmitted on the basis of the abovementioned legal bases, e.g. in the event of the passing on of data to processors for the performance of a contract, due to a court order or a legal obligation to disclose the data for the purposes of public prosecution, to avert danger or to assert rights in intellectual property. We also use processors (external service providers, e.g. for web hosting of our websites and databases) for the processing of your data. If data is passed on to processors within the framework of a processing contract, this always takes place in accordance with Article 28 GDPR. We select our processors carefully, review them regularly and have been granted the right to issue instructions with regard to the data. In addition, the processors are required to have taken suitable technical and organisational measures and to comply with data protection provisions pursuant to the Federal Data Protection Act (new version), Teleservices Data Protection Act and the GDPR.
6. Data transmission to third countries
A unified basis for data protection in Europe was created thanks to the adoption of the European General Data Protection Regulation (GDPR). Therefore, your data is predominantly processed by companies to which GDPR applies. However, should the processing take place using third-party services outside the European Union or the European Economic Area, these third parties are required to meet the special requirements set out in Article 44 et seq. GDPR. This means that the processing takes place on the basis of special guarantees, for example the establishment of a level of data protection equivalent to the EU recognised by the EU Commission or the establishment of officially recognised special contractual duties, known as standard contractual clauses. Insofar as we, on the basis of the invalidity of the “Privacy Shield”, pursuant to Article 49 (1) Sentence 1 a) GDPR, collect your express consent to data transmission to the USA, in this regard we refer to the risk of secret access by US authorities and the use of the data for monitoring purposes, potentially without opportunities for legal remedy by EU citizens.
7. Erasure of data and storage period
8. Existence of automated decision-making
We do not use any automated decision-making or profiling.
9. Provision of our website and creation of log files
If you use our website for information purposes only (i.e. no newsletter registration and no other transmission of information), we only collect the personal data which your browser transmits to our server. If you wish to view our website, we collect the following data:
• IP address;
• Internet service provider of the user;
• Date and time of the access instance;
• Browser type;
• Language and browser version;
• Content of the access instance;
• Time zone;
• Access status/HTTP status code;
• Quantity of data;
• Websites from which the request originates;
• Operating system.
This data is not stored together with other personal data concerning you. This data serves the purpose of displaying our website in a user-friendly, functional and secure manner to you with functions and content and the optimisation and statistical evaluation thereof. The legal basis for this is our legitimate interest, which also lies in the above purposes, in data processing pursuant to Article 6 (1) Sentence 1 f) GDPR. For security reasons, we store this data in server log files for the storage period of 365 days. On expiry of this period, this data is automatically erased unless we are required to retain it for purposes of proof in the event of attacks on the server infrastructure or other legal violations.
10.1. We distinguish between the following types of cookies:
• Necessary, essential cookies: Essential cookies are cookies which are absolutely essential for the operation of the website in order to save certain functions of the website, e.g. logins or user entries, such as relating to the language of the website.
• Session cookies: Session cookies are required to identify multiple instances of use of a service by the same user (e.g. if you have logged in to establish your login status). If you visit our webpage again, these cookies provide information to automatically recognise you. The information obtained in this manner serves to optimise our web content and make it easier for you to access our website. The session cookies are erased when you close your browser or log out.
• Persistent cookies: These cookies are still stored after you close your browser.
They serve to measure reach and are used for marketing purposes. These are automatically erased after a specified period, which may vary depending on the cookie. You can erase the cookies at any time in the security settings on your browser.
• Third-party cookies, in particular by advertisers: You can configure your browser settings according to your wishes and, for example, reject third-party cookies or all cookies. However, we would take this opportunity to point out that this may mean that you are unable to use all the functions of this website. You can read more about these cookies in the respective privacy policies of the third-party providers.
10.2. Data categories:
- User data,
10.3. Purposes of processing:
The information obtained in this manner serves to optimise our web services from a technical and commercial perspective and make it easier and more secure for you to access our website.
10.4. Legal bases:
If we process your personal data using cookies on the basis of your consent (opt-in), then the legal basis is Section 25 (1) Teleservices Data Protection Act in connection with Article 6 (1) Sentence 1 a) GDPR. Otherwise, we have a legitimate interest in the effective functionality, improvement and profitable operation of the website, meaning that the legal basis is Article 6 (1) Sentence 1 f) GDPR in this case. The legal basis is also Article 6 (1) Sentence 1 b) GDPR if the cookies are placed for contract initiation.
11. Storage period/erasure:
You can find information about the erasure of cookies for each browser here:
Microsoft Edge: https://support.microsoft.com/de-at/help/4027947/windows-delete-cookies
12. Objection and opt-out:
13. Making contact via the contact form/email/fax/post
If you make contact with us via the contact form, fax, post or email, your data will be processed for the purpose of handling the contact request. If you have provided your consent, the legal basis for the processing of data is Article 6 (1) Sentence 1 a) GDPR. The legal basis for the processing of data which is transmitted in the course of a contact request or email, letter or fax is Article 6 (1) Sentence 1 f) GDPR. The Controller has a legitimate interest in the processing and storage of the data in order to respond to enquiries from users, for the preservation of evidence for liability reasons and, where applicable, to fulfil its statutory retention obligations for business correspondence. If the aim of the contact is the conclusion of a contract, the additional legal basis for the processing is Article 6 (1) Sentence 1 b) GDPR. We may store the information you provide and your contact request in our customer relationship management system (“CRM system”) or a comparable system. The data will be erased when it is no longer necessary for the purpose for which it was collected. For personal data from the input screen of the contact form and data sent by email, this applies once the respective conversation with you has ended. The conversation is deemed to have ended when the circumstances indicate that the matter in question has been conclusively clarified. We store enquiries from users who have a contractual relationship with us for two full years after termination of the contract. In the event statutory archiving obligations apply, erasure takes place when such obligations cease to apply: End of the retention period under commercial law (6 years) and tax law (10 years). You have the option to withdraw your consent to the processing of your personal data pursuant to Article 6 (1) Sentence 1 a) GDPR. Contact us by email email@example.com to withdraw your consent to the storage of personal data at any time.
14. Telephone contact
In the event you contact us by telephone, your telephone number will be stored for the purpose of processing the contact request and handling the matter and temporarily stored and displayed in the RAM/cache of the telephone device/display. The storage takes place for liability reasons and security reasons in order to provide proof of the call and for business reasons in order to allow us to return the call. We block telephone numbers when we receive unauthorised advertising calls. The legal basis for processing telephone numbers is Article 6 (1) Sentence 1 f) GDPR. If the aim of the contact is the conclusion of a contract, the additional legal basis for the processing is Article 6 (1) b) GDPR. The device cache stores the calls for days and gradually overwrites and/or erases old data. In the event of the disposal of the device, all data is erased and the memory is destroyed where applicable. Blocked telephone numbers are reviewed on an annual basis to determine whether the blocking is necessary. You can prevent the telephone number from being displayed by hiding your caller ID.
15. Google Maps
On our website, we use maps by “Google Maps” (Provider: Google Ireland Limited, Register no.: 368047, Gordon House, Barrow Street, Dublin 4, Ireland).
Data category and description of the data processing: Usage data (e.g. IP, location, page which is accessed). Using Google Maps enables us to display the location of addresses and directions on our website via interactive maps and to enable you to use this tool. When you access our website on which Google Maps is integrated, a connection to Google servers in the USA is established. Your IP and location may be transmitted to Google in this manner. In addition, Google is informed that you have accessed the respective web page. This also takes place if you do not have a user account with Google. If you are logged into your Google account, Google can assign the above data to your account. If you do not wish this to happen, you must log out of your Google account. Google uses such data to create user profiles and uses this data for the purpose of advertising, market research or optimising its website.
15.1. Purpose of processing: Provision of a user-friendly, profitable and optimised website.
15.2. Legal bases: If you have provided your consent to the processing of your personal data using “Google Maps” by the third-party provider (opt-in), the legal basis is Article 6 (1) Sentence 1 a) GDPR. The legal basis for this is also our legitimate interest, which lies in the above purposes, in data processing pursuant to Article 6 (1) Sentence 1 f) GDPR.
15.3. Data transmission/categories of recipients: Third-party providers in the USA.
15.4. Retention period: Cookies up to 6 months or until you erase them. Otherwise, as soon as they are no longer required for processing purposes.
16. Data protection for applications and in application processes
Applications which are sent to the Controller electronically or by post are processed electronically or manually for the purpose of carrying out the application process.
We expressly refer to the fact that application documents containing “special categories of personal data” pursuant to Article 9 GDPR (e.g. a photo which allows conclusions to be drawn about your ethnic background, religion or marital status), with the exception of any serious disabilities, which you are at liberty to disclose at your discretion, are unwanted.
You should submit your application without such data. This does not affect your chances as an applicant. The legal bases for the processing are Article 6 (1) Sentence 1 b) GDPR and Section 26 Federal Data Protection Act (new version). If, after the completion of the application process, an employment relationship is entered into with the applicant, the applicant’s data is stored in compliance with the valid data protection provisions. If you are not offered a role after the completion of the application process, the covering letter you submitted plus all documents will be erased 6 months after the rejection letter was sent in order to be sufficient for any claims and proof obligations pursuant to the General Equal Treatment Act.
17. Rights of the data subjects
17.1. Objection to or withdrawal of consent to the processing of your data
Insofar as the processing is based on your consent pursuant to Article 6 (1) Sentence 1 a), Article 7 GDPR, you have the right to withdraw your consent at any time. This does not affect the lawfulness of the processing carried out up to the point in time of the withdrawal of your consent. Insofar as we base the processing of your personal data on the balancing of interests pursuant to Article 6 (1) Sentence 1 f) GDPR, you may object to the processing. This applies in the event the processing is, in particular, not required for the performance of a contract with you, which is explained by us in the following description of the functions. In the event you exercise such objection rights, we ask you to specify the reasons for which we should not continue to process your personal data in the same manner. In the event you submit a justified objection, we will review the case and will either suspend or amend the data processing or specify to you our mandatory justified reasons on the basis of which we are continuing the processing. You may object to the processing of your personal data for the purposes of advertising and data analysis at any time. You can exercise your right to object free of charge.
You can inform us about your advertising objection using the following contact data:
pbo Ingenieurgesellschaft mbH
Dipl.-Ing. Thomas Bergedieck,
Dr.-Ing. Dipl.-Wirt.-Ing. Marcel Grünbein,
M.Sc. Dennis Wegkamp
Email address: firstname.lastname@example.org
17.2. Right of access
Pursuant to Article 15 GDPR, you have the right of access to your personal data stored by us. This includes, in particular, information about the purposes of processing, the category of personal data, the categories of recipients to whom your data was or is disclosed, the planned storage period, the origin of your data insofar as the data was not collected directly from you.
17.3. Right to rectification
You have the right to the rectification of incorrect data or to the completion of correct data pursuant to Article 16 GDPR.
17.4. Right to erasure
You have the right to the erasure of your personal data stored by us pursuant to Article 17 GDPR unless statutory or contractual retention periods or other statutory obligations or rights prevent the further storage of this data.
17.5. Right to restriction
You have the right to require the restriction of the processing of your personal data in the event one of the prerequisites set out in Article 18 (1) a) to d) GDPR has been fulfilled: If you object to the correctness of the personal data concerning you for a period which enables the Controller to review the correctness of the personal data;
• the processing is unlawful and you reject the erasure of the personal data and, instead, require the restriction of the use of the personal data;
• the Controller no longer requires the personal data for the purposes of processing but you require the data for the assertion, exercise or defence of legal claims, or
• you have objected to the processing in accordance with Article 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the Controller outweigh your reasons.
17.6. Right to data portability
Pursuant to Article 20 GDPR, you have the right to data portability, which means you can receive the personal data stored by us concerning you in a structured, commonly used and machine-readable format or require it to be transmitted to another controller.
17.7. Right to object
You have the right to lodge a complaint with a supervisory authority. Generally, you can contact the supervisory authority, in particular in the member state of your place of residence, your place of work or the location of the suspected violation, for this purpose.
18. Data security
In order to protect all personal data which is transmitted to us and to ensure that we and our external service providers comply with data protection provisions, we have implemented suitable technical and organisational security measures. Therefore, all data is transmitted between your browser and our server encrypted via a secure SSL connection, for example.
Last updated: 01.2022