RFR Holding GmbH Privacy Notice as of 22th October 2020
Thank you for visiting our website and for your interest in our company and our services. Data protection and privacy is very important to RFR Holding GmbH. If we need to process Personal Data for reasons other than those provided by statute, we will always seek the consent of the Data Subject.
Personal Data will be processed only in conformity with the EU General Data Protection Regulation (GDPR) and with national data protection laws and regulations applicable to RFR Holding GmbH. For the purposes of this Privacy Notice, “Personal Data” means all data relating to you personally, e.g. your name, address, email address, IP address or user behaviour.
By means of this Privacy Notice, we would like to inform the general public about why and how we collect, use and process what type and amount of Personal Data, and about Data Subjects’ rights relating to the collection and processing of Personal Data.
RFR Holding GmbH, in its capacity as Controller, has implemented numerous technical and organisational measures to ensure the most complete protection of Personal Data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every Data Subject is free to transfer Personal Data to us via alternative means, e.g. by telephone.
1. Name and address of the Controller
The “Controller” for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:
RFR Holding GmbH
60325 Frankfurt am Main
2. Collection of Personal Data and information
(1) The website of RFR Holding GmbH collects a range of Personal Data and information every time the website is called up by a Data Subject or by an automated system, including if it is used purely for information. These data and information are sent from your browser to our server, where it will be saved in server log files. If you wish to view our website, we will collect the following data, which is a technical necessity for us to display the website and ensure its stability and safety, for example:
- your IP address,
- the date, time and duration of your visit,
- the subject of your request (the exact page you viewed)
- access status/http status code
- the referring website (i.e. the website you came from before visiting our website)
- the name and version of your browser,
- the name and version of your operating system.
(2) When we use these data and information, RFR Holding GmbH does not draw any conclusions about the identity of the Data Subject. Rather, this information is needed to
- deliver the content of our website correctly,
- ensure the long-term viability of our information technology systems and website technology, and
- provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
(3) Therefore, RFR Holding GmbH analyses collected data and information statistically and with the aim of increasing data protection and data security at our company to ensure an optimal level of protection for the Personal Data we process. The data from the server logfiles are stored separately from all Personal Data a Data Subject may have provided.
(4) If you contact us by email, we will store the information you provide (your email address and, if applicable, your first and last name) to process your enquiry. All data created in this context will be deleted when they are no longer needed, or if statutory retention requirements apply to them, we will restrict their processing.
(2) Many cookies contain a “cookie ID”. A cookie ID is a unique identifier of the cookie. It consists of a string of characters that can be used to assign web pages and servers to the specific web browser where the cookie was stored. This makes it possible for the web pages and servers visited to distinguish the specific browser of a Data Subject from other web browsers containing other cookies. A specific web browser can be recognised and identified based on the unique cookie ID.
(4) Most browsers are set to accept cookies by default. However, Data Subjects can change their browser settings to reject cookies from our website at any time and thus object to the placement of cookies permanently. Moreover, cookies already placed can be deleted by a user at any time through a web browser or other software programs. This is possible in all common web browsers. If a Data Subject disables cookies in his or her web browser, he or she may not be able to use all the features of our website.
(5) Such stored information will be retained separately from any other data provided to us. In particular, we will not combine data gathered from cookies with any other data we may have stored about you.
4. Categories of recipients to whom Personal Data may be disclosed
(1) We use service providers (e.g. IT service providers) to carry out some of the processes and provide some of the services described above. The service providers we work with are carefully selected and commissioned in accordance with applicable data protection laws and regulations. These third-party service providers are bound by our instructions and are subject to regular performance reviews. They will not disclose your data to third parties.
(2) We may disclose data about you to other recipients only as required by applicable law, or with your consent, or where such disclosure is authorised. If these conditions are met, recipients of Personal Data may include:
- government agencies or institutions (e.g. fiscal and law enforcement authorities) if we are required to do so by law or regulation, or
- other companies or similar organisations to whom we may transfer Personal Data for the administration of our business relationship with you.
(3) The Recipients may, on their own responsibility, transfer Personal Data to their agents and/or delegates (the "Subrecipients") who will process the Personal Data for the sole purpose of assisting the Recipients in providing their services to the Controller and/or assisting the Recipients in fulfilling their own legal obligations.
Recipients and sub-recipients may be located either inside or outside the European Economic Area (the "EEA"). If recipients outside the EEA are located in a country that does not offer an adequate level of protection for personal data, controllers will conclude a legally binding transfer agreement with the recipients concerned in the form of model clauses approved by the EU Commission. In this context, the data subjects have the right to request copies of the relevant document to enable the transfer of personal data to these countries. The Recipients and Subrecipients can process data as a data processor or as a controller to discharge their own legal liabilities.
5. Legal basis and purpose of processing
We process your Personal Data in compliance with applicable data protection laws and regulations (as amended from time to time). Such processing is lawful if any one of the following conditions applies:
- Consent, Article 6(1)(a) GDPR
The processing of Personal Data is lawful if the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes (e.g. to process his or her enquiry, use of data for marketing purposes).The Data Subject has the right to withdraw consent at any time with effect for any further processing.This also applies to consent Data Subjects may have given to us before the GDPR came into force, i.e. before 25 May 2018.
- Performance of a contract, Article 6(1)(b) GDPR
We process Personal Data in order to perform our obligations under a contract with you or in order to take steps at your request prior to entering into a contract. The purpose of such processing depends mainly on the nature of your request.
- Compliance with a legal obligation, Article 6(1)(c) GDPR
RFR Holding GmbH is subject to a range of legal obligations, including, but not limited to
- retention requirements under commercial and tax law, specifically under the German Commercial Code [Handelsgesetzbuch– HGB] and the German Tax Code [Abgabenordnung – AO],
- monitoring and reporting obligations under tax law.
- Legitimate interests, Article 6(1)(f) GDPR
Where necessary, we process your Personal Data not only in order to perform a contract but also for the purposes of legitimate interests pursued by RFR Holding GmbH or third parties, for example
- in order to establish and exercise legal claims or defend litigation,
- to ensure IT security and IT operations,
- to analyse and enhance your use of our website.
6. Criteria used to determine the period of storage of Personal Data
(1) Personal Data are retained in compliance with applicable data processing legislation and statutory record retention requirements. We process and use your data only for purposes for which we have been authorised and only as long as they are needed for those purposes.
(2) If the data we hold about you are no longer needed for the purpose for which they were collected or for compliance with a legal obligation, they are usually deleted, unless further processing is necessary – for a limited time and, if applicable, subject to certain restrictions – for the following purposes:
- To comply with record retention requirements under commercial and tax law:Such requirements are stipulated, for example, in the German Commercial Code (HGB) and the German Tax Code (AO).These laws provide for documentation and record retention periods of up to 10 years.
- To preserve evidence within the statutes of limitation:Pursuant to Secs. 195 et seq. of the German Civil Code [Bürgerliches Gesetzbuch – BGB], the general limitation period is three years, however, in certain circumstances, limitation periods of up to 30 years may apply.
7. Data protection in relation to job applications and during the application process
The Controller collects and processes Personal Data of job applicants for the purpose of processing a job application. Such data may be processed electronically, in particular if an applicant submitted an application to the Controller by electronic means, e.g. by email. If the Controller enters into an employment contract with an applicant, the data provided by the applicant will be stored in compliance with applicable laws and regulations for the purpose of the employment relationship. If the Controller does not enter into an employment contract with an applicant, all documents submitted by the applicant in support of his or her application will be automatically deleted six months after the decision to refuse the application.
8. Data Subject Rights
(1) Every Data Subject has the right of access according to Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure (“right to be forgotten”) according to Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right to object according to Article 21 GDPR and the right to data portability according to Article 20 GDPR. The right of access and the right to erasure are subject to the restrictions of Secs. 34 and 35 of the German Federal Data Protection Act [Bundesdatenschutzgesetz – BDSG]. In addition, Data Subjects have the right to lodge a complaint with a data protection supervisory authority of competent jurisdiction (Article 77 GDPR in conjunction with Sec. 19 BDSG).
(2) Data Subjects may withdraw consent to the processing of their Personal Data at any time by notice to us with effect for any further processing. This also applies to consent Data Subjects may have given to us before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018.
(3) You have the right to object, on grounds relating to your particular situation, at any time to processing of Personal Data concerning you which is based on Article 6(1e) GDPR (processing for the performance of a task carried out in the public interest) or Article 6(1f) GDPR (processing for the purposes of the legitimate interests pursued by the Controller or by a third party); this also applies to profiling based on those provisions within the meaning of Article 4(4) GDPR.
In some cases, we process Personal Data about you for direct marketing purposes. You have the right to object at any time to the processing of Personal Data about you for such marketing; this also applies to profiling related to direct marketing purposes.
If you object to processing for direct marketing purposes, we will stop processing your Personal Data for this purpose.
If you object, we will no longer process your Personal Data, unless we can demonstrate a compelling legitimate interest in such processing which overrides your interests or fundamental rights and freedoms, or if the processing is necessary for the establishment, exercise or defence of legal claims.
Your objection may be made informally and should be directed, if possible, to the following address:
RFR Holding GmbH
60325 Frankfurt am Main
Telephone: +49(0)69/71 71 299-0
Email: office@ rfr-holding.com
9. Obligation to provide Personal Data and possible consequences of non-provision
To be able to use our offerings, you have to provide the Personal Data required for the purpose concerned or which we are legally obliged to collect. Without these data, we will generally not be able to provide the service you have asked for.
10. Existence of automated decision-making
Being a responsible company, we refrain from using automatic decision-making or profiling within the meaning of Article 22 GDPR.
11. Updates or amendments to this Privacy Notice
We continuously develop and improve our services. Therefore, we may add new features to this website from time to time. If this has consequences for how your Personal Data are processed, we will inform you in this Privacy Notice in due time.