Data Protections Notices under the EU General Data Protection Regulation (GDPR) – for Customers
Last updated: May 2018
With the information that follows we are providing for you an overview of the way we process your personal data and of your rights under data protection law.
1. Who is responsible for the data processing and whom can I contact?
The body that is the controller of the data file is:
Care 4 Cargo GmbH, represented by the managing director Ivar Tillemans
Cargo City Süd 534,
60549 Frankfurt am Main
TEL: +49 (0)69 96 86 40 91
You can reach our corporate data protection officer at:
Care 4 Cargo GmbH
Data Protective Officer
Cargo City Süd 534,
60549 Frankfurt am Main
TEL: +49 (0)69 96 86 40 91
2. What sources and what data do we use?
We process personal data we obtain from our customers and their vicarious agents within the scope of the business relationship. Relevant personal data received from contractual relationships may include:
Name, address, telephone number, email address, employer, position, motor vehicle registration/licence plate number, ID card data, photo material
3. Why are we processing your data (purpose of the processing) and on what legal basis?
We process the above-mentioned personal data in conformity with the provisions of the EU General Data Protection Regulation/GDPR (EU-Datenschutz-Grundverordnung/DSGVO) and the German Federal Data Protection Act (Bundesdatenschutzgesetzt/BDSG):
a. For the performance of contractual obligations (Article 6 paragraph 1 (b) of the GDPR)
The processing of personal data is carried out for the purpose of providing cargo handling services within the scope of the performance of the contracts we conclude with our customers or for the performance of precontractual measures necessitated by your inquiry. For the specific purpose of the data processing, please refer to the respective contract documents.
b. Within the scope of balancing the interests (Article 6 paragraph 1 (f) of the GDPR)
To the extent required, we process your data beyond the specified limits of the contractual performance in order to protect the legitimate interests pursued by us or by third parties:
- Marketing and market and opinion research, as long as you have not objected to the use of your data
- Exercise of legal claims and defense in the case of legal disputes
- Ensuring IT security
- Prevention of criminal offences (e.g., information relating to the collector/person picking up, or person sending of/shipping the goods, etc.)
- Video surveillance for the preservation of the house rules/the right to determine who shall be allowed or denied access, for the collection of evidence in cases of fraud or to provide proof of delivery/incoming goods and collection of goods
- Measures undertaken for the safety of buildings and facilities (e.g., access control)
- Measures for business management purposes and for further development of services and products (distribution of product information, service specifications etc.)
- Risk management within the Group
c. Based on your consent (Article 6 paragraph 1 (a) of the GDPR)
As long as you have granted us your consent for the processing of personal data for specific purposes (e.g., the passing on of data within the affiliated companies/Group, newsletter mailing), the lawfulness of this processing on the basis of your consent does exist. Consent that has been granted can be freely revoked at any time. This shall also apply to the revocation of declarations of consent we received prior to the applicability of the EU General Data Protection Regulation, in other words, prior to 25 may 2018. Please note that the revocation takes effect for the future only. You may send us the revocation using the contact information we have provided in number 1. You may ask us at any time for a status overview of all the consent you have given us.
d. Based on compliance with statutory provisions (Article 6 paragraph 1 (c) of the GDPR) or for the performance of a task carried out in the public interest (Article 6 paragraph 1 (e) of the GDPR)
In addition, as a cargo forwarding company, we are subject to diverse legal obligations at Frankfurt Airport, including legal requirements such as the Aviation Security Act and customs regulations.
Purposes for the processing of customer data also include identify verification, fraud prevention, compliance with inspection and reporting duties as well as the assessment and management of risks for the company and within the Group, to the extent that data processing is involved.
4. Who will obtain my data?
Within Care 4 Cargo GmbH, your data can be accessed only by employees for whom they are necessary in the performance of our contractual and legal obligations. Service providers and vicarious agents we employ may also obtain data for these purposes as long as they comply with our written instructions relating to data protection law. For the most part, these are companies included in the categories listed below.
With respect to the forwarding of data to recipients outside of C4C it should be noted first of all that information about you can be passed on only if doing so is mandated by statutory regulations, is based on a contractual agreement, if you have provided your consent and/or data processing companies we have commissioned guarantee compliance with the provisions of the EU General Data Protection Regulation/the German Federal Data Protection Act.
Based on these conditions, receipts of personal data may include:
- Public authorities and institutions (the German federal Air Transportation Safety Board/Luftfahrtbundesamt, the customs office, the police) in the event of a legal or official obligation
- Other entities within the Group companies of Care 4 Cargo GmbH and data processing companies to whom we disclose your personal data for the purpose of conducting the business relationship with you. More specifically: Support and maintenance of EDP/IT applications, archiving, document processing, compliance services, controlling, property management, customer management, letter ships, marketing, media technology, registration/reporting systems, research, risk management, telephony, expense accounts, video legitimation, website management, auditing services, payment transactions.
Other data recipients may include the authorities to whom you have given your consent for data transfer pursuant to Article 6 paragraph 1 (a) of the GDPR.
5. Will data be transmitted to a third country or to an international organization?
Data transmission to countries outside the EU or the EEA (the so-called third states) will take place only if it is prescribed by law or you have given us your consent.
6. For how long are my data stored?
Once your personal data are no longer required for the performance of contractual obligations they will be erased at once, unless their temporary further processing is required for the following purposes:
- Compliance with statutory retention periods under commercial and fiscal legislation. The above-mentioned retention deadlines consist of between two and then years.
- Receipt of evidence within the scope of the stature of limitations, to the extent that it is necessary for the establishment, exercise and defence of legal claims. According to Sections 195 ff. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods can consist of 30 years whereby the regular limitation period consists of three years.
7. What data protection rights do I have?
As a data subject (an involved/natural person), you have the right to information pursuant to Article 15 of the GDPR, the right to the rectification of inaccurate personal data pursuant to Article 16 of the DGPR, the right to erasure pursuant to Article 17 of the GDPR, the right to restriction of the processing pursuant to Article 18 of the GDPR, the right to data portability deriving from Article 20 of the GDPR as well as the right to objection deriving form Article 21 of the GDPR relating to data processing which is based on Article 6 paragraphs 1 (e) or (f) of the GDPR as long as there are reasons that are the result of your specific situation in the event that we are unable to provide evidence of compelling and legitimate grounds for the data processing which override your rights and interests, or if the processing serves purposes relevant to the establishment, exercise or defense of legal claims. If and when your data are processed for direct marketing purposes, you shall have the general right to an objection which we will honor without you providing a statement of grounds that result from your specific situation (Article 21 paragraph 2 GDPR). As far as the right to information and the right to erasure are concerned, the limitations pursuant to Sections 34 and 35 of the German Civil Code (BDSG) shall apply.
In addition, there is the right of complaint/appeal to the responsible data protections supervisory authority if you believe that the processing of your data violates data protections legislation (Article 77 of the GDPR in conjunction with Section 19 of the German Civil Code (BDSG).
You may at any time freely withdraw the consent you granted us for the processing of your personal data by using the contact information have provided in number 1. This shall also apply to the withdrawal of declarations of consent we received prior to the applicability of the EU General Data Protection Regulation, that is, prior to 25 May 2018. Please note that the revocation of consent takes effect for the future only. It does not affect processing that has taken place prior to the withdrawal.
8. Do I have an obligation to provide data?
Within the scope of the business relationship, you are obligated to provide the personal data which are necessary for the establishment and the conducting of a business relationship and for the performance of contractual obligations connected with it. Without these data, we are, as a rule, obligated to refuse the conclusion to refuse the conclusion of a contract or its execution or we may be unable to continue with its performance and possibly have to terminate it.