TÜV Rheinland Group takes the protection of your personal data very seriously and always processes your personal data in harmony with the statutory data protection regulations. This privacy notice is designed to provide you with an overview of how we process your data and of your rights in this connection. Your relationship to our organization mainly determines which data in particular are processed or used by us. For this reason, some parts of this privacy notice may not apply to you.

 

Data Controller and Data Protection Officer

Responsibility for the processing of your personal data lies with

TÜV Rheinland Service GmbH, Management Board, Am Grauen Stein, 51105 Köln

You can reach our data protection officer at

TÜV Rheinland Service GmbH,

FAO Data Protection Officer

Am Grauen Stein,

51105 Köln,

datenschutz@de.tuv.com.

 

How we collect your personal data

We process personal data that we receive from you when you contact us.

We also process personal data that we legally acquire from public domain sources (e.g. debtor lists, land registers) or that are legally transmitted to us by other organizations of TÜV Rheinland Group or third parties (e.g. registration office, trade office, network providers, apartment owners, landlords, previous tenants, facility managements, list brokers and commercial credit agencies).

Relevant personal data include:

  • Personal identification and contact details (e.g. title, name, address, date of birth, email address, telephone number);
  • Payment data (e.g. account data);
  • Data arising from the fulfillment of our contractual obligations;
  • Information about your financial situation (e.g. credit history data);
  • Data about your online behavior and preferences (e.g. IP addresses, identifying features of mobile end devices, data about access to our websites and apps, geolocalization data);
  • Data for communication with you (e.g. via our service center, by letter, email or website);
  • Advertising and sales data (e.g. information on consents you have granted or objections you have lodged);
  • In some cases, we also process legitimation data (e.g. ID data), registration, relocation, residence data and audiovisual data (e.g. material from video surveillance, recordings of your calls).

 

Purpose and Legal Basis of Data Processing

We process personal data in line with the EU General Data Protection Regulation (EU GDPR) and the German Federal Data Protection Act (BDSG):

  • in order to fulfill contractual obligations (Article 6, Paragraph 1 Letter b of the EU GDPR)

Processing is performed to fulfill our contract with you and to perform pre-contractual measures, instigated on your initiative.

Please refer to the relevant contractual documents and Terms and Conditions of Business for further details of the data processing purposes.

  • within the context of weighing up interests (Article 6, Paragraph 1, Letter f EU GDPR)

Processing is performed to protect our legitimate interests or those of third parties unless overridden by your interests which require protection of personal data.

  • on the basis of your consent (Article 6, Paragraph 1, Letter a of the EU GDPR)

Provided you have consented to us processing your personal data for specific purposes (e.g. for advertising calls, participation in competitions), processing is legal on this basis. Consent may be revoked at any time. This also applies to the revocation of declarations of consent that were granted to us before the EU GDPR came into effect, thus before 25 May 2018. Revocation of consent is only effective for the future and does not affect the legality of data processing up to the date of the revocation.

  • on the basis of legal requirements (Article 6, Paragraph 1, Letter c of the EU GDPR)

 

Recipients of Personal Data

Within our organization, departments with access to your data are those which require them to fulfill their respective duties in the organization and to fulfill our contractual and legal obligations.

Service providers deployed by us and TÜV Rheinland partners may also receive data. These are, first and foremost, other organizations of TÜV Rheinland Group and organizations in the category of post and printing service providers, IT service providers, telecommunication service providers (call centers), sales partners, TÜV service partners, web service providers, credit agencies and collection agencies whom we deploy in processing orders.

In certain circumstances, personal data may also be forwarded to public departments (e.g. tax authorities, job centers), judicial and law enforcement authorities (e.g. police, district attorney's offices, courts), attorneys, notaries and chartered accountants.

 

Transmission to Third Countries or International Organizations

We transmit personal data to organizations outside the European Economic Area when we process orders. Transmission of your personal data to the USA is performed in line with the relevant data protection regulations in Germany (EU GDPR).

 

Period of Retention

We always delete your personal data when the purpose of processing expires, all mutual claims are fulfilled and no further legal retention obligations or legal basis for justifying retention exist. Legal retention obligations arise in particular from the German Commercial Code (HGB) and General Fiscal Law (AO). The retention periods laid down by the latter are generally six to ten years. Insofar as it is necessary, for instance to secure evidence, customer data are stored up to the expiry of the statutory period of limitation. According to Section 195 of the German Civil Code (BGB), the standard limitation period is three years.

 

Your Data Protection Rights

In line with the statutory provisions, you hold the following data protection rights:

  1. the right to access to information about data stored by the TÜV Rheinland Service GmbH (Article 15 EU GDPR),
  2. the right to correction (Article 16 EU GDPR),
  3. the right to erasure (Article 17 EU GDPR),
  4. the right to restriction of processing (Article 18 EU GDPR),
  5. the right to data portability (Article 20 EU GDPR),
  6. and the right to object (Article 21 EU GDPR).

 

In addition, you hold the right to lodge a complaint with the responsible supervisory authority:

Die Landesbeauftragte für den Datenschutz Nordrhein-Westfalen, Kavalleriestraße 2-4,

40213 Düsseldorf

 

Obligation to Provide Data

As part of our business relationship, you must provide the personal data required to commence, perform and terminate a business relationship and to fulfill the contractual obligations it entails or those data that we are required by law to collect. Without these data we will generally be unable to enter into a contract with you and to perform it. Furthermore, in both our contract forms and on our websites, it is clearly indicated when the entry of details is optional or mandatory.

 

Automated Decisions in Individual Cases

As a matter of principle we do not use automated decision-making processes within the meaning of Article 22 of the EU GDPR for establishing and performing business relationships.

 

Profiling

However, in some cases we use so-called profiling so we can provide you with information on specific products. This means that we process your data to assess certain personal aspects. This is designed to enable tailored communication and advertising, market research and opinion polling.

 

Right to object

  • Right to object in individual cases

You are entitled to object to processing of your personal data at any time, for reasons resulting from your particular personal situation, if processing is conducted on the legal basis of Article 6, Paragraph 1, Letter e of the EU GDPR (processing in the public interest) and Article 6, Paragraph 1, Letter f of the EU GDPR (data processing based on the weighing up of interests). This also applies to profiling based on this provision.

If you lodge an objection we will stop processing your personal data, with the exception of cases in which we can prove compelling justified grounds for the necessity of processing that override your interests, rights and freedoms, or processing serves the assertion, exercising or defense of legal claims.

  • Right to object against processing of data for the purpose of direct advertising

In individual cases, it may be that we process your personal data for direct advertising purposes. You are entitled to object to processing of your personal data for the purpose of said advertising. This also applies to profiling in relation to said direct advertising.

  • Recipient of the objection

You can send your objection to us informally with the subject "Objection", stating your name, address and date of birth:

TÜV Rheinland Service GmbH, Am Grauen Stein, 51105 Köln
