Data protection
Privacy statement
I. Name and address of the data controller
The data controller within the meaning of the European General Data Protection Regulation, other national data protection laws and other statutory data protection requirements is:
thyssenkrupp Steel Europe AG (abbreviation: SE AG)
Kaiser-Wilhelm-Strasse 100
47166 Duisburg
Germany
Tel.: +49 203 52-0
Website: www.thyssenkrupp-steel.com
II. You can reach the data protection officer at
thyssenkrupp Steel Europe AG
Kaiser-Wilhelm-Strasse 100
47166 Duisburg
Germany
Tel.: +49 203 52-0
Email: [email protected]
III. General
1. Extent of processing of personal data
We, thyssenkrupp Steel Europe AG, collect and use your personal data only insofar as this is necessary to provide a functioning website, content and services. The collection and use of personal data takes place only with your consent. An exception applies where prior consent cannot be obtained for factual reasons and the processing of data is permitted by law.
2. Legal basis for the processing of personal data
If we have received your consent to the processing of your personal data, the legal basis for processing personal data is Art. 6 (1) a) of the EU General Data Protection Regulation (GDPR).
Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is Art. 6 (1) b) GDPR. This also applies to the processing of personal data which is necessary to take steps prior to entering into a contract.
Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, the legal basis is Art. 6 (1) c) GDPR.
If the processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Art. 6 (1) d) GDPR.
If the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis is Art. 6 (1) f) GDPR.
3. Data deletion and duration of storage
Personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Data can be stored beyond this time if this is provided for by the European or national legislator in regulations, laws or other rules to which SE AG is subject.
The data will also be blocked or deleted when a maximum storage period prescribed by the above legal norms expires, unless further storage is necessary to enter into or perform a contract.
IV. Provision of the website and creation of logfiles
1. Description and extent of the data processing
Each time our website is visited our system automatically collects data and information from the system of the visiting computer.
The following data are collected:
(1) Information about the browser type and version used
(2) The user’s operating system
(3) The user’s IP address
(4) Date and time of access
(5) Websites accessed by the user’s system via our website
2. Legal basis for data processing
The legal basis for the temporary storage of the data and logfiles is Art. 6 (1) f) GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to allow delivery of the website to the user’s computer. For this the user’s IP address needs to be stored for the duration of the session.
The data are stored in logfiles to ensure the functioning of the website. In addition, the data enable us to optimize the website and ensure the security of our IT systems. The data are not analyzed for marketing purposes in this context.
These purposes also constitute our legitimate interest in processing the data pursuant to Art. 6 (1) f) GDPR.
4. Duration of storage
The data will be deleted as soon as they are no longer needed to achieve the purpose of their collection. In the case of collection of data for the provision of the website this is the case when the respective session is ended.
5. Possibility of objection and deletion
The collection of data for the provision of the website and the storage of data in logfiles is essential for the operation of the website. Consequently there is no possibility of objection on the part of the user.
V. Use of cookies
a) Description and extent of data processing
Our website uses cookies. Cookies are text files stored by the browser on the user’s computer system. When a user accesses a website a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters allowing unique identification of the browser when the website is visited again.
We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a change of page.
The following data are stored and transmitted in the cookies:
(1) Language settings
(2) Articles in basket
b) Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 (1) f) GDPR.
c) Purpose of data processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be provided without the use of cookies. For these it is necessary for the browser to be re-identified even after a change of page.
The user data collected by technically necessary cookies are not used to create user profiles.
We need cookies for the following:
(1) To retain language settings
The user data collected by technically necessary cookies are not used to create user profiles.
d) Duration of storage, possibility of objection and deletion
Cookies are placed on the user’s computer and transmitted from there to our website. You as a user therefore have full control over the use of cookies. By changing the settings in your browser you can disable or limit the transmission of cookies. Previously stored cookies can be deleted at any time. This can also be made to take place automatically. If cookies are disabled for our website, it might not be possible to use all the functions of the website in full.
Cookie declaration
VI. Web analysis services
Use of Google AdWords
If you have reached our site via a Google ad, Google AdWords will place a cookie on your computer. This cookie loses its validity after 30 days. It cannot be used to identify you personally. The information collected using the conversion cookie enables us to prepare statistics about our conversion rate. This means we learn how many users come to us from a Google ad and learn about our products within 30 days. If you do not wish to take part in the tracking process, you can disable cookies for conversion tracking by setting your browser to block cookies from the corresponding domain: Google Adwords: googleadservices.com
Use of Google Maps
We use functions of Google Maps on our website. Google Maps is a service operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you visit one of our pages containing Google Maps, a connection to Google’s servers is set up. In addition to your IP address the servers can also tell which of our pages you are currently visiting.
If you are logged in with your Google account, Google can combine these data with your profile. We do not have any further information regarding the data transmitted or their use by Google. For more details on this, please consult Google’s privacy statement.
Use of Google Remarketing
This website uses the remarketing function of Google Inc. This function is used to display interest-related ads to website visitors within the Google ad network. A cookie is placed in the browser of the website visitor which makes it possible to recognize the visitor when he/she accesses websites belonging to the Google ad network. On these sites ads can be displayed which relate to content that the visitor has previously accessed on websites using the Google remarketing function. According to its own information, Google does not collect personal data during this process. However, if you do not wish to have the Google remarketing function, you can disable it by updating the corresponding settings at http://www.google.com/settings/ads.
Use of Matomo
This website uses the open source web analytics service Matomo. Matomo uses so-called "cookies". These are text files that are stored on your computer and allow an analysis of your use of the website. For this purpose, the information generated by the cookie about the use of this website is stored on our server. The IP address is anonymized before storage.
Matomo cookies remain on your terminal device until you delete them.
The storage of Matomo cookies is based on Art. 6 para. 1 lit. f DSGVO. The website operator has a legitimate interest in the anonymized analysis of user behavior in order to optimize both its web offering and its advertising.
The information generated by the cookie about the use of this website will not be disclosed to third parties. You can prevent the storage of cookies by selecting the appropriate settings on your browser software or cookie pop banner.
If you do not agree to the storage and use of your data, you can deactivate the storage and use.
Use of SalesViewer® technology
This website uses SalesViewer® technology from SalesViewer® GmbH on the basis of the website operator’s legitimate interests (Section 6 paragraph 1 lit.f GDPR) in order to collect and save data on marketing, market research and optimisation purposes.
In order to do this, a javascript based code, which serves to capture company-related data and according website usage. The data captured using this technology are encrypted in a non-retrievable one-way function (so-called hashing). The data is immediately pseudonymised and is not used to identify website visitors personally.
The data stored by Salesviewer will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them.
The data recording and storage can be repealed at any time with immediate effect for the future, by clicking on https://www.salesviewer.com/opt-out in order to prevent SalesViewer® from recording your data. In this case, an opt-out cookie for this website is saved on your device. If you delete the cookies in the browser, you will need to click on this link again.
Use of Talkwalker
thyssenkrupp Steel Europe uses Talkwalker for brand monitoring and to optimise our social media performance. Brand monitoring involves the monitoring, collection and analysis of brand-related mentions, perceptions and statements about thyssenkrupp Steel Europe across all social media sites. The processing of your personal data constitutes a legitimate interest under Article 6(1)(f) of the GDPR. We have a legitimate interest in keeping up to date with what is being published or said about thyssenkrupp Steel Europe and having this information available to respond to issues, including security issues or 'fake news'. When a particular purpose ceases to exist and Talkwalker is no longer used, we will delete any data collected in relation to that purpose.
VII. Registration
1. Description and extent of data processing
On our website we offer users the opportunity to register with personal data. The data are entered on an entry screen and transmitted to us and stored. The data are not passed on to third parties. The following data are collected in the registration process:
At the time of registration the following data are also stored:
(1) The IP address of the accessing computer
(2) Date and time of registration
During the registration process the consent of the user to the processing of these data is obtained.
2. Legal basis for data processing
If the user has given consent, the legal basis for the processing of the data is Art. 6 (1) a) GDPR.
If registration is necessary for the performance of a contract to which the user is party or to take steps prior to entering into a contract, the additional legal basis for the processing of the data is Art. 6 (1) b) GDPR.
3. Purpose of data processing
Registration by the user is necessary for the performance of a contract with the user or to take steps prior to entering into a contract.
4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
During the registration process for the performance of a contract or to take steps prior to entering into a contract this is the case when the data are no longer necessary for the performance of the contract. Once the contract has been entered into there may still be a need to save personal data of the contract partner in order to fulfill contractual or statutory obligations.
5. Possibility of objection and deletion
As a user you have the possibility to cancel registration at any time. You can have the data stored about you amended at any time.
If the data are necessary for the performance of a contract or to take steps prior to entering into a contract, early deletion of the data is only possible if not opposed by contractual or statutory obligations.
VIII. Contact form and email contact
1. Description and extent of data processing
Our website features a contact form which can be used to contact us electronically. The user can also use a separate form to subscribe to our newsletter. If you use it, the information you enter in the form is transmitted to us and stored.
When the message is sent the following data are also stored:
(1) The IP address of the accessing computer
(2) Date and time of registration
When you send the form your consent to the processing of the data is requested and your attention is drawn to this privacy statement.
Alternatively users can contact us via the email address provided. In this case the user’s personal data transmitted with the email are stored.
The following data will be stored when you subscribe to the newsletter:
(1) The IP address of the server on which the form is stored, as well as the IP address of the computer or server from which the form is accessed.
(2) Date and time of registration.
Your consent will be obtained for the processing of your data during the registration process and reference will be made to this data privacy statement.
None of the data are passed on to third parties in this connection. The data are used exclusively for processing the conversation.
2. Legal basis for data processing
If the user has given consent, the legal basis for the processing of the data is Art. 6 (1) a) GDPR.
The legal basis for the processing of data transmitted while sending an email is Art. 6 (1) f) GDPR. If the email contact is aimed at entering into a contract, the additional legal basis for processing is Art. 6 (1) b) GDPR.
3. Purpose of data processing
The processing of the personal data from the form is used solely to process your contact. In the case of contact by email, this is also our legitimate interest in processing the data.
The other personal data processed during the sending of the form serve to prevent misuse of the contact form and to ensure the security of our IT systems.
We will use the personal data from the subscription form for the newsletter exclusively for the dispatch of newsletters.
4. Duration of storage
The data are deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the contact form and those sent by email this is the case when the respective conversation with the user is over. The conversation is over when the circumstances indicate that the matter concerned has been definitively dealt with.
Regarding the personal data from the newsletter subscription, this is the case if you unsubscribe from the newsletter using the following link.
5. Possibility of objection and deletion
The user has the possibility at all times to withdraw his/her consent to the processing of personal data. If the user contacts us by email, he/she can object to the storage of his/her personal data at any time. In this case the conversation cannot be continued.
In this case all personal data stored in the contact procedure are deleted.
IX. Rights of the data subject
If your personal data are processed, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller:
1. Right of access
You can demand confirmation from the data controller as to whether or not personal data concerning you are being processed by us.
If this is the case, you can demand the following information from the data controller:
(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from the data subject, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed of whether your personal data are transferred to a third country or to an international organization. In this connection you can demand to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
2. Right to rectification
You have the right to obtain from the controller rectification and/or completion if the processed personal data concerning you are incorrect or incomplete. The controller must carry out the rectification without undue delay.
3. Right to restriction of processing
You have the right to demand restriction of processing of personal data concerning you where one of the following applies:
(1) you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
(4) you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.
Where processing of the personal data concerning you has been restricted, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where restriction of processing under the above conditions has been obtained, you will be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller is obligated to erase personal data without undue delay where one of the following grounds applies:
(1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) you withdraw your consent on which the processing is based according to Art. 6 (1) a) or Art. 9 (2) a) GDPR, and where there is no other legal ground for the processing.
(3) you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
(4) the personal data concerning you have been unlawfully processed.
(5) the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) the personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.
b) Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure does not apply to the extent that the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2) h) and i) as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the establishment, exercise or defense of legal claims.
5. Right to notification
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to obtain information from the controller about those recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
(1) the processing is based on consent pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR or on a contract pursuant to Art. 6 (1) b) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) e) or f) GDPR, including profiling based on those provisions.
The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
8. Right to withdraw consent to data processing
You have the right to withdraw your consent to data processing at any time. Your withdrawal of consent will not affect the lawfulness of the processing carried out on the basis of the consent before it was withdrawn.
9. Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the data controller,
(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
(3) is based on your explicit consent.
However such decisions must not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) a) or g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the data controller will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint is lodged must inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
X. More services
Walls.io
Our website is embedding social media plugins or widgets which are provided by Walls.io. When loading these widgets, your IP-address and cookie information is transferred to Walls.io. Walls.io is operated by "Walls.io GmbH, based in Vienna, Austria.
Data protection – events/trade fairs/customer evenings and WebSeminars
We, thyssenkrupp Steel Europe AG, are pleased that you would like to participate in our events/trade fairs/customer evenings. We attach great importance to protecting your privacy and we are pleased to provide detailed information on how we process your data in the following.
I. Name and address of the controller
The data controller within the meaning of the European General Data Protection Regulation, other national data protection laws and other statutory data protection requirements is:
thyssenkrupp Steel Europe AG (abbreviation: SE AG)
Kaiser-Wilhelm-Strasse 100
47166 Duisburg
Germany
Tel.: +49 203 52-0
Website: www.thyssenkrupp-steel.com
II. You can reach the data protection officer at
thyssenkrupp Steel Europe AG
Kaiser-Wilhelm-Strasse 100
47166 Duisburg
Germany
Email: [email protected]
III. General information on data processing
1. Extent of processing of personal data
We, thyssenkrupp Steel Europe AG, collect and use your personal data only insofar as this is necessary to plan, organize, host and follow up events. In detail, the following personal data are processed:
- Form of address
- First name
- Last name
- Street
- Zip code
- Town/city
- Email address
- Food intolerances, if any
2. Legal basis for the processing of personal data
Pursuant to Art. 6 a) GDPR we require your consent to the collection and use of personal data.
3. Purpose of data processing
The data are used to organize the event, both to ensure entry to the location/the plant site and to produce letters, confirmation notifications or name badges. We also use your data for the purpose of contact maintenance within the framework of event management.
4. Recipient of the data
The recipient of the data is thyssenkrupp Steel Europe AG in Duisburg. Within our company group your data will be forwarded to specific companies responsible for centralized data processing tasks for the companies in the group (e.g. event organization, catering).
To meet our contractual and legal obligations we also use various external service providers. In addition we may communicate your data to further recipients outside the company where necessary to meet our contractual and legal obligations as the host of the event. These may include:
- IT service providers for the operation of software used
- Security service providers/agencies for visitor and parking management
- External caterers for the provision of catering services.
5. Data deletion and duration of storage
Personal data will be deleted or blocked as soon as the purpose of storage no longer applies and at the latest after a period of two years. Data can be stored beyond this time if this is provided for by the European or national legislator in regulations, laws or other rules to which SE AG is subject.
The data will also be blocked or deleted when a maximum storage period prescribed by the above legal norms expires, unless further storage is necessary to enter into or perform a contract.
IV. Rights of the data subject
If your personal data are processed, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the data controller:
1. Right of access
You can demand confirmation from the data controller as to whether or not personal data concerning you are being processed by us.
If this is the case, you can demand the following information from the data controller:
(1) the purposes of the processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
(4) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data are not collected from the data subject, any available information as to their source;
You have the right to be informed of whether your personal data are transferred to a third country or to an international organization. In this connection you can demand to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.
2. Right to rectification
You have the right to obtain from the controller rectification and/or completion if the processed personal data concerning you are incorrect or incomplete. The controller must carry out the rectification without undue delay.
3. Right to restriction of processing
You have the right to demand restriction of processing of personal data concerning you where one of the following applies:
(1) you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims, or
(4) you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification of whether the legitimate grounds of the controller override your grounds.
Where processing of the personal data concerning you has been restricted, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. Where restriction of processing under the above conditions has been obtained, you will be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller is obligated to erase these personal data without undue delay where one of the following grounds applies:
(1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) you withdraw your consent on which the processing is based according to Art. 6 (1) a) or Art. 9 (2) a) GDPR, and where there is no other legal ground for the processing.
(3) you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
(4) the personal data concerning you have been unlawfully processed.
(5) the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) the personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.
b) Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure does not apply to the extent that the processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 (2) h) and i) as well as Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the establishment, exercise or defense of legal claims.
5. Right to notification
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort (Art. 19 GDPR). You have the right to obtain information from the controller about those recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
(1) the processing is based on consent pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR or on a contract pursuant to Art. 6 (1) b) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) e) or f) GDPR.
The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint is lodged must inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
You can reach the supervisory authority responsible for the controller (the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia) at:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
Germany
Information on the processing of personal data in con-nection with a plant tour at thyssenkrupp Steel Europe AG
thyssenkrupp Steel Europe AG (“we“) offers you the opportunity to visit production facilities on our premises during a plant tour. If you are an employee of one of thyssenkrupp Steel Europe AG’s competitors, we will also perform a compliance check before the plant tour.
We ensure that we meet the requirements of the applicable data protection laws. In the following we will give you a detailed overview of how we handle your data and rights.
I. Who is responsible for the processing and who is Data Protection Officer?
Responsible for the processing is
thyssenkrupp Steel Europe AG
Kaiser-Wilhelm-Straße 100
47166 Duisburg
Telephone: +49(0) 203 52-0
Email: [email protected]
You can contact our Data Protection Officer at
Datenschutzbeauftragt(e)
thyssenkrupp Steel Europe AG
Kaiser-Wilhelm-Straße 100
47166 Duisburg
Email: [email protected]
II. What data categories do we process and where do they come from?
We process personal data that you provide to us in the context of a plant tour. If we have a business relationship with your employer or client, we will also collect the personal data from you or from your employer or client. The data resp. data categories processed include in particular:
- General details (e. g. name and title, function/position)
- Date of birth
- Contact details, if necessary (e. g. email address, phone number)
III. For what purposes and on what legal basis are data processed?
We process your data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and all other relevant laws.
We process personal data primarily for the purpose of the plant tour and, as the case may be, to fulfill our internal compliance policies as well as occupational safety regulations as le-gitimate interests pursuant to GDPR, Art. 6 (1) (f).
If necessary, we also process personal data to fulfill statutory requirements (GDPR, Article 6 paragraph 1 (c) for the following purposes:
- Observance of statutory storage requirements
- Observance of legal reporting obligations
Furthermore, we process personal data in order to safeguard the following legitimate inter-ests (GDPR, Article 6 paragraph 1 (f):
- Event organization and management (e.g. security check)
IV. Who will get your data?
Your data will be processed within thyssenkrupp Steel Europe AG by the employees organiz-ing the plant tour or involved in the compliance check
To meet our contractual and legal obligations we also use various external service providers who are bound by data protection law under order processing agreements, GDPR, Art. 4 no. 8. These may include:
- IT services
We may also transfer your data to other recipients outside the company who process your data under their own responsibility, GDPR, Art. 4 no. 7. These may be, for example, the fol-lowing categories of responsible parties:
- Controllers in accordance with legal regulations (e. g. public authorities)
- Notary and law offices
V. How long are your data stored?
We process your personal data for as long as they are required for the above-mentioned purposes. After the plant tour, your data will be stored as long as we are legally obliged to do so; usually for a period of three months.
If we perform a compliance check, the storage period is regularly determined by legal obli-gations to provide evidence and to retain records, which result, among other things, from the applicable antitrust law. The storage periods are seven years, including an appropriate transition period. Moreover, it may be necessary to store personal data for the period during which claims can be asserted against us (statutory limitation period of up to thirty years).
VI. Are you obliged to provide your data?
There is no contractual or legal obligation to provide personal data. However, without pro-cessing your personal data, we are not in a position to conduct the plant tour or the neces-sary compliance checks and documentation, and we may exclude you from taking part in the plant tour in individual cases.
VII. What data protection rights can you assert as person concerned?
You have the right to request information about the data stored about you, GDPR, Art. 15. Moreover, you can request the correction or deletion of your data, GDPR. Art. 16, 17. You may also have the right to restrict the processing of your data and the right to re-ceive the data you have provided in a structured, commonly used and machine-readable format, provided that this does not adversely affect the rights and freedoms of oth-ers, GDPR, Art. 18, 20.
If you have given us your consent to the processing of your personal data, you may revoke such consent at any time. Your revocation of consent will not affect the lawfulness of the processing carried out on the basis of the consent before it was revoked.
To exercise these rights, please contact the Controller or Data Protection Officer named in section 2.
In addition, you have a right of objection, which is explained in more detail at the end of this privacy notice.
You also have the right to lodge a complaint with a data protection supervisory au-thority, GDPR, Art. 77. The right of complaint is without prejudice to any other administra-tive or judicial remedy. Our relevant data protection supervisory authority is:
Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2-4,
40213 Düsseldorf
http://www.ldi.nrw.de/
Information on your right of objection in accordance with General Data Protection Regulation (GDPR), Article 21
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you under GDPR, Article 6(1) (f) (Data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of GDPR, Article 4 no 4.
If you lodge an objection, we will no longer process your personal data unless we can demon-strate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
The objection can be lodged without any formalities and should, if possible, be addressed to the Controller or Data Protection Officer named in the data protection statement under section 2.