Privacy Policy

§ 1 Introduction

(1) In the following, we inform you as the data subject about the type, scope and purpose of the collection and use of personal data and your rights. You can access this information at any time on our website.

(2) The processing of personal data, for example your name, address, e-mail address or telephone number, is always carried out by us in accordance with the EU General Data Protection Regulation (GDPR, in German: DSGVO) and in accordance with the further legal data protection regulations.

§ 2 Name and Address of the Controller

(1) The person responsible within the meaning of the GDPR and other data protection regulations applicable in the EU is the SPF GmbH Systemberatung.

(2) The contact details are as follows:

    SPF GmbH Systemberatung
    – Datenschutz –
    Augustinusstr. 9a
    50226 Frechen

    E-Mail: datenschutz bei
    Telefonzentrale: +49 2234 53201-0

§ 3 Terms and Definitions

(1) This privacy policy statement uses terms of the GDPR, which are explained below, in places clarified:

(2) “Personal data” means any information relating to an identifiable natural person (“data subject”). An identifiable natural person is one who can be identified in particular by reference to an identifier such as a name, an identification number, or other special characteristics.

(3) “Data subject” means any identifiable natural person whose personal data are processed by us.

(4) “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(5) “Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.

(6) “Controller” means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.

(7) “Contract Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(8) “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

(9) “Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

(10) “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

§ 4 Website: General

(1) A use of our web pages is possible without indication of personal data. Only the technical access data are logged temporarily (see § 6).

(2) If you wish to make use of special services through our website, however, processing of personal data may become necessary. If this processing is necessary and there is no legal basis for this, we will obtain your consent.

(3) Despite technical and organisational measures for the protection of personal data processed via websites, Internet-based data transmissions may have security gaps. For this reason, you are also free to transmit personal data to us by alternative means, for example by telephone.

§ 5 Website: Cookies

(1) Cookies are small fragments of text that a web server can store and retrieve via the user's web browser on his computer in a separate area.

(2) Our websites use cookies, but only to the extent technically necessary and never for the purpose of advertising or even tracking. Only a session cookie is set on our publicly accessible website, i.e. the cookie is automatically removed when the web browser is closed.

(3) Cookies can be used to optimize the information and offers on our website in your interest. Cookies enable us to recognize the users of our websites in order to facilitate their use.

(4) You can technically prevent cookies from being set by our website by means of a corresponding setting in your web browser. In this case, however, you may not be able to use all functions of our website to their full extent.

§ 6 Website: Access Data

(1) Our web servers collect a number of technical information in log files with each access. Recorded are the time, IP address, web browser type, operating system, the name of the web page called up and the name of the web page referring to it (referrer URL).

(2) We do not draw any conclusions about the person concerned from this technical information. Rather, this information is required to correctly deliver the contents of our website, to optimize the contents of our website, to ensure the long-term functionality of our information technology systems and the technology of our website, and to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.

(3) The detailed access data will be automatically deleted after 14 days without extraordinary incidents that require a longer storage.

(4) The technical provision of our websites and thus also the recording of access data is the responsibility of a contract processor in accordance with Art. 28 GDPR.

(5) This personal data will not be passed on to third parties.

§ 7 E-Mail

(1) If you contact us by e-mail, your transmitted data will automatically be stored for processing and contacting.

(2) The technical provision of our e-mail service and thus the temporary storage and transmission of e-mails and the data contained therein is the responsibility of a contract processor in accordance with Art. 28 GDPR.

(3) This personal data will not be passed on to third parties.

§ 8 Application Procedure

(1) We collect and process the personal data of applicants for the purpose of handling the application procedure. Processing may also be carried out electronically. This is particularly the case if an applicant sends us corresponding application documents electronically, for example by e-mail or via a web form.

(2) Currently we do not offer end-to-end encryption of e-mails. In this case, we recommend to send an encrypted Zip container (file type “.zip”) as an attachment and inform us of the password separately, for example by telephone. Otherwise we recommend the transmission via our encrypted web form or the sending by letter post.

(3) By submitting the application to us, candidates agree to their data being processed in the application process in accordance with the conditions set out in this privacy policy statement.

(4) If we conclude an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions.

(5) If we do not conclude an employment contract with the applicant, the application documents will be automatically deleted two months after cancellation, provided that deletion is not contrary to any other justified interest on our part. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the Allgemeines Gleichbehandlungsgesetz (AGG). In principle, this personal data is not passed on to third parties.

(6) If special personal data are voluntarily communicated within the meaning of Art. 9 para. 1 GDPR, e.g. severe disability or ethnic origin, they are additionally processed in accordance with Art. 9 para. 2 letter b GDPR.

§ 9 Routine Deletion and Blocking of Personal Data

(1) We process and store your personal data only for the period necessary to achieve the storage purpose or insofar as this was provided for in laws or regulations to which we are subject. Furthermore, requirements for the initiation or performance of a contract must also be taken into account.

(2) If the storage purpose ceases to apply or a prescribed storage period expires, the personal data will be blocked or deleted routinely and in accordance with the statutory provisions.

§ 10 Your Rights

(1) You have the rights set out below under the EU regulation. To assert these rights and other rights under national law, you can contact our data protection office at any time.

(2) You have the right

(2.1) to obtain confirmation as to whether or not personal data concerning you are being processed (Art. 15 GDPR),

(2.2) to receive information about your stored personal data and get a copy of this information free of charge (Art. 15 GDPR),

(2.3) to request the rectification of inaccurate personal data concerning you and to have incomplete personal data completed (Art. 16 GDPR),

(2.4) to request the deletion of personal data concerning you, if a reason according to Art. 17 GDPR applies,

(2.5) to request the restriction of processing your personal data, if a reason according to Art. 18 GDPR applies,

(2.6) to receive the personal data concerning you and to transmit those data to another controller in accordance with Art. 20 GDPR,

(2.7) to object to the processing of personal data concerning you at any time on the basis of Art. 6 para. 1 letters e or f GDPR (Art. 21 GDPR),

(2.8) to withdraw consent to the processing of personal data at any time (Art. 7 para. 3 GDPR),

(2.9) to file a complaint with the appropriate regulatory authority. This depends on the state in which you live, your job or the alleged infringement. A list of German supervisory authorities can be found on the website of the Bundesbeauftragten für den Datenschutz under “Infothek” → “Anschriften und Links”.

§ 11 Legal Basis of the Processing

(1) Art. 6 para. 1 letter a GDPR serves our company as a legal basis for processing operations for which we obtain consent for a specific processing purpose.

(2) If the processing of personal data is necessary for the fulfilment of a contract of which you are a contracting party, as is the case for example with processing operations which are necessary for the delivery of goods or the rendering of another service or consideration, the processing is based on Art. 6 para. 1 letter b GDPR. The same applies to such processing processes that are necessary to carry out pre-contractual measures, for example in cases of enquiries about our products or services.

(3) If our company is subject to a legal obligation by which a processing of personal data becomes necessary, for example for the fulfilment of tax obligations, the processing is based on Art. 6 para. 1 letter c GDPR.

(4) In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information had to be passed on to a physician, a hospital or other third parties. Then the processing would be based on Art. 6 para. 1 letter d GDPR.

(5) Ultimately, processing operations could be based on Art. 6 para. 1 letter f GDPR. Processing operations which are not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. Such processing procedures are permitted to us in particular because they have been specifically mentioned by the European legislator. In this respect, he took the view that a legitimate interest could be assumed if you are our customer (recital 47 sentence 2 GDPR).

§ 12 Legal or Contractual Regulations for the Provision of Personal Data; Necessity for the Conclusion of a Contract

(1) We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner).

(2) Sometimes it may be necessary for the conclusion of a contract that you provide us with personal data, which must subsequently be processed by us. Before you provide personal data, you can contact our data protection office. This will inform you on a case-by-case basis as to whether the provision of personal data is required by law or contract or required for the conclusion of a contract, whether there is an obligation to provide the personal data and the consequences of not providing personal data.