This data protection notice provides you with information about the processing of your personal data by Zeppelin Power Systems GmbH in the course of your work as an employee of a business partner of the Zeppelin Power Systems GmbH.
Business partners, hereinafter also referred to as contractual partners, are, for example, service providers, suppliers, or contractors.
The controller is the person named under Section 1 of this data protection notice. The controller processes your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other relevant data protection regulations.
I. Name and contact details of the controller
The Zeppelin company responsible for processing your personal data is:
Zeppelin Power Systems GmbH
Tel: +49 40 853151-0
Fax: +49 40 853151-39
II. Contact details of the Data Protection Officer
If you have any questions about data protection, the assertion of your data protection rights (data subject rights) or general questions about this data protection notice or the processing of your personal data by the controller, you can contact our Group Data Protection Officer at any time:
Group Data Protection Officer
85748 Garching near Munich
Tel: +49 89 32 000-0
Fax: +49 89 32 000-482
III. Sources and categories of personal data
We process personal data that the data subject lawfully provides to us within the framework of business and contractual relationships or that we receive from the respective business and contractual partners lawfully, for example in the context of processing a request or an order. If necessary, we process further personal data that we obtain about you from publicly available sources (e.g. commercial register, credit agencies, publications) in a lawful manner.
Relevant personal data includes in particular:
- Professional contact data as well as work and organizational data (e.g., first name, surname, title, gender, address, e-mail address, telephone number)
- Data on personal and professional circumstances and characteristics (e.g., job title, company affiliation)
- IT usage data (e.g., IP address, user-specific settings, log files)
- Data from permissible monitoring systems (e.g., data from IT security programs, video surveillance systems)
- Access data to the company premises and to company/business buildings as well as stay data (e.g., vehicle registration number, date, and duration)
- Information about work equipment and allocation plans received (e.g., hardware/software, access authorization)
IV. Purpose of processing and legal bases
We process your personal data only for the specified purpose and only to the extent necessary to fulfill the purpose.
Your personal data may be processed on the following legal bases:
- You have given your consent to the processing of personal data concerning you for one or more purposes. (Art. 6 (1) (a) GDPR)
- Such processing is necessary for fulfillment of a contract to which you and/or your employing company are party, or for the performance of pre-contractual measures taken in response to your request and/or the request of your employing company. (Art. 6 (1) (b) GDPR)
This includes contact for the purpose of preparing, implementing, and terminating a business and/or contractual relationship between the responsible party and the business partner for whom you are working or with yourself (e.g., processing and reviewing relevant offers and inquiries, authenticating business and contractual partners, preparing and supporting contractual documents, processing payments, and sending information letters).
- Processing is necessary for compliance with a legal obligation to which the controller is subject. (Art. 6 (1) (c) GDPR)
These include, among other things, the processing, storage, and archiving based on tax and commercial law obligations; the fulfillment of control and reporting obligations under tax law; the archiving of data for the purposes of data protection and data security; implementation of the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz - LkSG), in particular the due diligence requirements laid down therein (e.g. risk management and analysis, preventive and remedial measures, complaints procedures), the prevention, combating, and clarification of the fight against terrorism and property-endangering criminal offenses, as well as for the comparison with European and international anti-terror lists; for the prevention of fraud and money laundering; the disclosure of personal data becomes necessary in the context of official or judicial measures or proceedings for the purposes of gathering evidence, prosecution and for the enforcement of civil law claims.
- The processing of your personal data is necessary to protect your vital interests or those of another natural person. (Art. 6 (1) (d) GDPR)
It may be necessary for the business partner to immediately report accidents involving persons, damage to property or the environment, as well as accidents with public impact (e.g., use of emergency vehicles) to the responsible party or a person or body designated by the responsible party.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. (Art. 6 (1) (e) GDPR)
- The processing of your personal data is necessary for the protection of the legitimate interests of the controller or a third party, unless your interests or fundamental rights and freedoms that require the protection of personal data outweigh this. (Art. 6 (1) (f) GDPR)
The legitimate interests of the controller include, among other things, the cooperation with the business partner and the efficient and pragmatic design of the processes within the framework of the business relationship, in particular the communication with designated contact persons; also the protection of our business and trade secrets as well as our corporate rights; the control of access authorizations to our land and buildings; guaranteeing the security and integrity of our IT systems, in particular the detection and tracking of unauthorized access attempts or access as well as the elimination of disruptions; the assertion and defense of our rights; the fulfillment of official and/or legal provisions.
V. Provision of personal data
As part of the business relationship between you and us, only the personal data that is required for the business relationship and/or that we are legally obligated to collect must be provided. If you do not provide us with the corresponding personal data, it may not be possible to provide services – at least individual services.
VI. Recipients of personal data
As part of the business relationship between you and us, other Zeppelin companies and service providers (processors) working on our behalf may receive your personal data for the agreed purposes. If necessary, your personal data may also be passed on to recipients who act as their own data protection controllers (e.g., authorities, courts).
VII. Data transfers to third countries
Transferring your personal data to recipients in third countries (countries that are neither members of the European Union nor of the European Economic Area) or to international organizations is not foreseen.
In case of data transfer to a third country, please note that not every third country has a level of data protection deemed adequate by the European Commission. Where such an adequate level of data protection does not exist, we have taken appropriate measures to protect your personal data; for example, by entering into what are known as standard contractual clauses.
VIII. Processing duration
If necessary, your personal data will be processed and stored for the duration of the business relationship with you or the business partner for whom you work.
In addition, we are subject to various storage and documentation obligations, e.g., under the German Commercial Code (HGB) and the German Fiscal Code (AO); the retention and documentation periods defined there are up to ten years. The provisions on limitation periods pursuant to Sections 195 of the German Civil Code (BGB) may also have an influence on the storage period; the regular limitation period is three years, whereby limitation periods of up to 30 years are also provided for by law. In individual cases, longer storage periods may also be necessary (e.g., storage for the duration of official or judicial proceedings).
IX. Data subject rights
As a data subject, you have the following data protection rights:
- Data subject's right to access information (Art. 15 GDPR)
You have the right to request information as to whether and to what extent we process personal data concerning you. Upon your request, we will provide you with a copy of the personal data stored about you.
- Right to rectification (Article 16 GDPR)
You have the right to request the immediate rectification of incorrect personal data concerning you and the completion of incomplete personal data stored about you.
- Right to erasure ("right to be forgotten") (Art. 17 GDPR)
You have the right to request the immediate deletion of personal data stored about you. Please note that your right to deletion may be precluded by statutory regulations in particular.
- Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of the processing of your personal data under the conditions specified in Art. 18 (1) GDPR. If processing is restricted, we shall process the relevant personal data – apart from their storage – only with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
- Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and you have the right to transfer this data to another controller without hindrance on our part. Insofar as this is technically feasible, you can request that the personal data concerning you be transferred directly from us to another controller.
- Right to object (Art. 21 GDPR)
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Art. 6 (1) (e) or (f) GDPR. In the event of an objection, and unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the assertion, exercise or defense of legal claims, we will no longer process your personal data.
- Withdrawal of consent (Art. 7 (3) GDPR)
You have the right to withdraw your consent at any time. Please note that the withdrawl is only effective for the future. Processing of your personal data that took place before your revocation is not affected by the withdrawl.
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of your personal data violates this regulation.
Last updated: May 2023