Scope of application
This data protection declaration explains to the user the nature, scope, purposes and use of the personal data collected by the provider responsible for this website: POS TUNING – Udo Voßhenrich GmbH & Co. KG, Am Zubringer 8 – 32107 Bad Salzuflen, Germany – Email: info(at)postuning.com – Tel.: 05222-36965-0. The legal bases of data protection are contained in the EU General Data Protection Regulation, the Federal Data Protection Act (BDSG) and the Teleservices Data Protection Act (TMG).
Access data / server log files
The provider (or its webspace provider) collects data about every access to the website (server log files). Access data includes: the name of the accessed webpage, the file, date and time of the access, the volume of data transmitted, notification of successful access, browser type and version, the user’s operating system, IP address and the requesting provider. The provider only uses the log data for statistical evaluations for the purpose of operation, security and optimization of the website. The provider reserves the right to subsequently inspect the log data if there are specific indications giving rise to reasonable suspicion of illegal use of the website.
Processing of personal data
Personal data is information which can help identify a person, i.e. details which can be traced back to an individual. This includes not only name, email address or telephone number, but also data about preferences, hobbies, memberships or which websites someone has viewed. Personal data is only collected, used and further transmitted where this is permitted by law or when users consent to such data collection.
Contacting the provider
When contacting the provider, e.g. by email or phone, user data is stored in order to process the request and in case follow-up questions arise.
Revocation, modifications, corrections and updates
The user is entitled to receive, on request and free of charge, information about the personal data stored about him or her. The user is also entitled to have incorrect personal data corrected and to have his or her personal data blocked or deleted, insofar as there is no legal obligation to retain such information.
For questions regarding data protection please contact us via this email address: firstname.lastname@example.org.
Guideline on data protection and information security
POS Tuning Udo Voßhenrich GmbH & Co. KG hereby adopts this guideline on data protection and information security for our company.
As a company, we process a large amount of (including personal) data in order to fulfil our tasks and obligations towards our customers, contractual partners, service providers, public authorities and other third parties.
We process data with different protection requirements. The security of information processing and the protection of personal data play an essential role in our company. This guideline is intended to present the strategy, organization and goals of data protection and information security in our company in a clear form.
The management has a strong interest in ensuring that personal data, in particular that of employees and customers, is collected, processed and used in accordance with data protection regulations. It is clearly committed to compliance with legal data protection regulations and therefore supports the company’s data protection policy. The company has appointed an external data protection officer.
Scope of application
The guideline applies to POS Tuning Udo Voßhenrich GmbH & Co. KG. It extends to all locations of POS Tuning Udo Voßhenrich GmbH & Co. KG.
This guideline also applies to the following affiliated companies:
- POS Verwaltungs GmbH
- POS Tuning Global GmbH
- POS Tuning International GmbH
- POS TUNING Raf Teşhir Sistemleri
- POS Tuning France SARL
- POS Tuning UK Limited
This guideline commits all employees of POS Tuning Udo Voßhenrich GmbH & Co. KG and the companies listed above to comply with the obligations specified here.
The aim of this guideline is to ensure data protection and information security in the company. For this purpose, the company will consider the following objectives during the planning, introduction and flow of processes:
- Data minimization
- Storage limitation
- Availability, Integrity and Confidentiality
- Intervenability and processing in good faith (“fairness”)
- Accountability principle
Separate guidelines specify how these objectives are to be taken into account.
In the concrete implementation of the objectives, the protective measures taken must be in an economically justifiable relationship to the need to protect the data and information processed.
This guideline, together with the references to corresponding documents and other applicable documents, forms a complete description of all technical and organisational measures. It thus not only represents a complete and comprehensive source of information for all employees, but also serves as a basis for audits by auditors and quality managers.
Organization of data protection and information security
The management is responsible for the security organisation. The Information Security Officer advises the management on the planning and implementation of information security in the company. In this function, he or she reports directly to the Board of Management on a case-by-case basis, but at least once a year.
Management provides the Information Security Officer with sufficient financial and time resources for regular further training and information.
The Information Security Officer must be involved in all projects at an early stage in order to take security-related aspects into account as early as the planning phase.
In the area of processing personal data, it must be ensured that the data protection officer is involved at an early stage in the planning and introduction of new processes in the context of which personal data is also processed. The same applies to changes to existing processes.
The data protection officer and the information security officer shall inform and support each other through mutual comparison of information, provided there are no legal or contractual obligations to the contrary.
The company is setting up a management system for both information security and data protection. To this end, a process of continuous improvement is implemented in the company with the aim of coordinating the individual measures in the areas of data protection and information security in such a way that the objectives of this guideline are achieved.
A data protection and information security team is formed to accompany and support the planning, implementation and evaluation of data protection in the company.
The measures for implementing these guidelines can take the form of technical and organisational measures. This also includes guidelines, company regulations or company instructions. These are to be followed by the employees.
These include:
- Working instructions on data protection
- Work instructions for specific processes and procedures
- Training documents
The company management assumes overall responsibility for information security and data protection in the company.
The Information Security Officer is responsible for initiating, planning, implementing and controlling the information security process in the company. He is the contact person for information security in the company.
The data protection officer is the contact person for data protection in the company. He or she advises, monitors and supports the management and employees with regard to the processing of personal data in the company. His or her tasks result from the data protection regulations of the Federal Republic of Germany.
The data protection and information security team supports the data protection officer and the information security officer in the planning, coordination and implementation of data protection and information security in the company. This team meets with the data protection and information security officer at regular intervals to ensure the process of continuous improvement.
The IT manager implements the guidelines and other specifications on data protection and information security in his or her area of responsibility, and coordinates measures that have an impact on information security with the Information Security Officer.
The administrators carry out the technical measures in coordination with the IT manager and contribute to the optimization of information security through suggestions for improvement.
Supervisors with personnel responsibility have the task of ensuring that the technical and organisational measures taken for information security are implemented with regard to the persons working in their area of responsibility.
Each employee’s conduct contributes to ensuring data protection and information security. All employees are obliged to comply with this guideline and the guidelines on data protection and information security. Employees may be personally liable to the employer or the persons concerned in the event of data protection violations and may be the addressee of fines imposed by the data protection supervisory authority and possible perpetrators in the area of data protection criminal law.
In order to ensure data protection and information security in the company, every employee is obliged to report disturbances, security incidents and emergencies in the area of information security immediately and directly to the information security officer. Incidents in the area of data protection must be reported by all employees to the data protection officer as soon as they become known. If employees have doubts as to whether an incident should be reported to the Information Security Officer or the Data Protection Officer, the Data Protection Officer should be notified in these cases. The Data Protection Officer may forward the report to the Information Security Officer.
Project or process owners must consult the Data Protection Officer on all projects that have an impact on the processing of personal data to ensure that data protection regulations can be complied with. Furthermore, all project or process managers are obliged to consult the information security officer on all projects that have an impact on information security in the company.
Specialist departments have process responsibility; this includes in particular the definition of interfaces (including data protection) and the fulfilment of documentation obligations (e.g. list of processing activities, data protection impact assessment, proof of consent).
Suppliers, external service providers and other contractors are to be obliged by separate agreements to comply with the data protection and information security requirements that concern them, if they process data on the company’s behalf or are able to take note of personal data or of company information that is not classified as public.
Data protection impact assessment
Where a form of processing, in particular where new technologies are used, is likely to entail a high risk to the rights and freedoms of natural persons because of the nature, scope, circumstances and purposes of the processing, the controller shall carry out a prior assessment of the consequences of the proposed processing operations for the protection of personal data. A single assessment may cover several similar processing operations with similarly high risks.
The Data Protection Officer checks for each processing operation whether a data protection impact assessment is necessary and carries one out where required. The data protection impact assessment is documented together with the respective procedure.
The data protection impact assessment shall contain at least:
- a systematic description of the processing operations envisaged and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
- an assessment of the risks to the rights and freedoms of the persons concerned; and
- the remedial measures planned to address the risks, including guarantees, safeguards and procedures to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Where appropriate, the controller shall seek the views of the data subjects or their representatives on the processing envisaged, without prejudice to the protection of commercial or public interests or the security of the processing operations.
Where necessary, the Data Protection Officer shall carry out a review to assess whether the processing is carried out in accordance with the data protection impact assessment, at least when there have been changes in the risk associated with the processing operations.
Data transfer
Disclosure of information to third parties is only permitted if required by law, if the party concerned has consented, or if the requesting party or the company has a legitimate interest and the party concerned has no overriding interests worthy of protection. The person providing the information within the company must obtain evidence of the legal basis for the disclosure. Information is only given in writing. In the case of verbal information, the identity of the entitled party shall be established, if necessary, by means of a suitable check; in the case of telephone enquiries, if necessary, by means of a callback. In cases of doubt, the supervisor or the data protection officer must be consulted.
Obligation to data secrecy
Every employee entrusted with the collection, processing or use of personal data must be bound to data secrecy (§ 5 BDSG, § 88 TKG, § 35 SGB) by the company management (or, on its behalf, by personnel management, superiors or the data protection officer). Thereafter, it is forbidden to collect, process or use personal data without authorization. This obligation also applies to other employees who work unsupervised in rooms where personal data is accessible, e.g. cleaning staff. If personnel from external companies are used, e.g. external cleaning personnel, security services etc., these persons are likewise bound to secrecy, or their obligation is agreed contractually with the commissioned companies.
Interns, temporary workers and other external employees (consultants, etc.) are also obligated if they can take note of personal data within the scope of their activities. Due to their high level of authorization, IT administrators are also obliged to maintain data confidentiality and telecommunications secrecy.
The obligation must be documented for the employees in the personnel file and for all external persons in the respective contract documents.
A violation of this guideline and the guidelines, company regulations or company instructions in force can constitute a breach of duty under an employment contract and be sanctioned accordingly.
For special risks, contractual penalties should be agreed with suppliers, external service providers and other contractors.
Version May 24th, 2018