Data protection information for contacts, customers and projects

With the following information, we would like to give you an overview of the processing of your personal data by us and your resulting rights in accordance with Articles 13, 14 and 21 of the GDPR. Which data is processed in detail and how it is used depends largely on the services requested or agreed in each case. Therefore, not all of the statements contained here may apply to you. 

In addition, this data protection information may be updated from time to time. You can find the latest version here on our website at any time: www.plant-values.de/dse-kundinnen.de

You will receive information about the data processed by us on behalf of your employer, e.g. when logging access to the systems managed by us on behalf of your employer, from your employer.  

1. Responsible body and data protection officer 

The controller within the meaning of data protection law is 

plant values GbR (Toni Kiel, Steve Grundig, Franziska Kramer, Michael Jenkner, Matthias Damert, Silke Nyvlt)
Bayrische Straße 8
01069 Dresden
Germany 
E-mail: info@plant-values.de 

Data Protection Officer: 

Michael Hengstler  
Address see above 
E-mail: datenschutz@plant-values.de 

2. Type of personal data collected 

We process the following personal data that we receive from you as part of our business relationship: 

  • Master data (e.g. surname, first name, title if applicable, company name, address, sector)  
  • If applicable, data of authorised representatives and other employees (e.g. surname, first name, title and function) 
  • Contact details (e.g. telephone numbers, email addresses) 
  • Contract and billing data (e.g. amount of remuneration, type of service, VAT ID, tax number, account details, time of payment) 
  • Content of funding applications (e.g. surname, first name, address, some CV information, migration background, data on the start-up idea and project result data) 
  • Content of communication by e-mail, telephone, video (e.g. master data, contact details, audio, video and textual content including files, profile picture if applicable, time, duration and location of communication)
  • Content of video recordings (audio, video and shared content)
  • Consent data (name, e-mail, time, client type)
  • Connection data when using digital tools (e.g. IP address, hardware information, encrypted password if applicable, time and duration of use) 
  • Data from surveys and forms (e.g. surname, first name, e-mail address, content of responses) 

3. Legal basis 

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG): 

For the fulfilment of contractual obligations (Art. 6 para. 1 sentence 1 lit. b GDPR) 

The processing of data takes place for the fulfilment of our contracts or for the implementation of pre-contractual measures, insofar as you are a party to the contract.

As part of the balancing of interests (Art. 6 para. 1 . 1 lit. f GDPR) or order processing (Art. 28 GDPR) and due to technical necessity (§ 25 Para. 2 No. 2 TDDDG)

Where necessary, we process your data in addition to or beyond the actual fulfilment of the contract to protect our legitimate interests. Examples of such cases are 

  • Execution of the contract with your employer, whose representative/agent you are,
  • direct postal advertising, e.g. Christmas cards. The legitimate interest lies in maintaining our business relationship,   
  • Use of service providers for project and document management, collaboration, bookkeeping and accounting as well as communication and surveys. In these cases, the legitimate interest lies in ensuring efficient business processes
  • if the storage of information in your end device or access to information already stored in your end device is absolutely necessary so that we can provide a digital service expressly requested by you (e.g. website, video call, online survey, online collaboration)

Please note your right to object to this in accordance with Art. 21 GDPR and further information on this in the corresponding section of this document. 

On the basis of your consent (Art. 6 para. 1 sentence 1 lit. a GDPR)

If you have given us your consent to process your personal data, it will only be processed for the purposes and to the extent specified in the declaration of consent. This applies in particular to the use of your e-mail address for sending newsletters and the recording of video, audio and approved content during video calls and webinars.

Any consent given can be revoked at any time with effect for the future. The revocation of consent is only effective for the future and does not affect the legality of the data processing carried out up to the revocation.

Due to legal requirements (Art. 6 para. 1 sentence 1 lit. c GDPR) 

We are subject to various legal obligations that entail data processing. These include, for example 

  • Tax laws and statutory accounting 
  • Laws on the protection of personal data and trade secrets 
  • the fulfilment of requests and requirements from supervisory or law enforcement authorities 
  • the fulfilment of tax and public procurement control and reporting obligations 
  • Fulfilment of obligations in the context of official/judicial measures for the purpose of gathering evidence, criminal prosecution or enforcement of civil law claims 

4th receiver 

Within our company 

Employees for contact with you and contractual cooperation (including the fulfilment of pre-contractual measures) 

In the context of order processing 

Data will only be passed on to recipients outside our company in compliance with the applicable data protection regulations. 

If necessary, your data will be passed on to service providers who work for us as processors: 

  • Project and document management (Microsoft Ireland Operations Limited, Notion Labs Inc., Slack Technologies, LLC) 
  • Collaboration (awork GmbH, RealtimeBoard, Inc. dba Miro)
  • Bookkeeping and accounting (Haufe-Lexware GmbH & Co. KG) 
  • Email hosting and forms (Microsoft Ireland Operations Limited) 
  • Video telephony and recording, Messenger (Microsoft Ireland Operations Limited) 
  • Surveys (Neue Medien Muennich GmbH) 
  • Newsletter (Sendinblue GmbH)

All service providers are contractually bound and in particular obliged to treat your data confidentially. 

Other third parties 

Recipients of personal data may be, for example 

  • Public bodies and institutions (e.g. financial or law enforcement authorities) in the event of a legal or official obligation 
  • Credit and financial service providers (processing of payment transactions) 
  • Tax consultant or business and payroll tax and tax auditor (statutory audit mandate) 
  • External data protection officers and lawyers 

5. Transfer to a third country or to an international organisation 

Your data will be processed in the European Union and countries within the European Economic Area (EEA) as well as by US providers. The transfer to the USA takes place when using the services of Microsoft, Miro, Notion, Slack . Access from the USA is also not excluded when using sendinblue, awork and lexoffice, as these companies commission service providers based in the USA.

The data transfer takes place on the basis of the adequacy decision of the European Commission pursuant to Art. 45 GDPR in relation to the agreement between the USA and the EU called the "Transatlantic Data Protection Framework", if the service provider is certified accordingly. The adequacy decision is available here:

https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

The certified providers can be found here:

https://www.dataprivacyframework.gov/s/participant-search

In the absence of certification or if the adequacy decision no longer applies, the adequate level of data protection for transfers to the USA is generally guaranteed by the conclusion of so-called standard data protection clauses in accordance with Art. 46 para. 2 lit. c GDPR and the additional measures taken by us and the respective provider to protect the data. The standard data protection clauses are available here:

https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32021D0914&from=DE.

When using Threema, the data is transferred to Switzerland. This is done on the basis of appropriate safeguards in accordance with Art. 45 GDPR and on the basis of the decision of the European Commission of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Switzerland. This is available here: 

https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32000D0518&from=DE.

6. How long will my data be stored? 

We process and store your personal data for as long as this is necessary for the fulfilment of our contractual and legal obligations. If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted. 

There are exceptions, 

  • insofar as statutory retention obligations are to be fulfilled, e.g. German Commercial Code (HGB) and German Fiscal Code (AO). The retention and documentation periods specified there are generally six to ten years; 
  • for the preservation of evidence within the framework of the statutory statute of limitations. According to Sections 195 et seq. of the German Civil Code (BGB) and Art. 6 para. 1 sentence 1 lit. f. GDPR. GDPR, these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years. 

If the data processing is carried out in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists or we have to comply with your objection. The aforementioned exceptions apply. 

7. Your data protection rights 

You have the right  

  • to confirmation as to whether data concerning them is being processed, to information about the processed data, to further information about the data processing and to copies of the data (cf. Art. 15 GDPR);
  • to immediate rectification or completion of incorrect or incomplete data (cf. Art. 16 GDPR); 
  • to the immediate erasure of the data concerning them (see Art. 17 GDPR) or, alternatively, if further processing is required pursuant to Art. 17 (3) GDPR, to the restriction of processing in accordance with Art. 18 GDPR; 
  • to restriction of processing for other reasons specified in Art. 18 GDPR; 
  • to receive the data concerning them and provided by them in a structured, commonly used and machine-readable format and to transmit those data to other providers/controllers where the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and the processing is carried out by automated means (see Art. 20 GDPR); 

In addition, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG). The supervisory authority responsible for us is 

Saxon Transparency and Data Protection Officer, Devrientstraße 5, 01067 Dresden 

8. Obligation to provide data 

As part of the contractual relationship, you must provide the personal data that is required for the commencement, execution and termination of the contractual relationship and for the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally not be able to conclude or fulfil the contract. 

9. Information about your right to object in accordance with Article 21 of the General Data Protection Regulation (GDPR) 

Individual right of objection 

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(f) GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) GDPR. 

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. 

ReceptionäOpposition proceedings 

The objection can be made informally with the subject "Objection", stating your name, address and date of birth, and should be addressed to: 

plant values Gbr
e.g. Data Protection Officer 
c/o Impact Hub Dresden
Bayrische Straße 8
01069 Dresden
Germany 
E-mail: datenschutz@plant-values.de