The protection of your personal data is important to us. We therefore process your personal data (in short “data”) exclusively based on statutory provisions. With this data protection information we want to inform you about the processing of your data in our company and the data protection claims and rights to which you are entitled according to Art. 13 of the European General Data Protection Regulation (EU GDPR).
2. Which data are processed and from which sources do these data originate?
We process the data that we have received from you as part of the contract initiation or processing, based on consent or as part of your application to us or as part of your employment with us.
Personal data includes:
Your master/contact data, for customers this includes e.g. first and last name, address, contact data (e-mail address, telephone number, fax), bank data.
In the case of applicants and employees, this includes, for example, first and last name, address, contact data (e-mail address, telephone number, fax), date of birth, data from curriculum vitae and references, bank data, religious affiliation, photographs.
In the case of business partners, this includes, for example, the designation of their legal representatives, company name, commercial registration number, VAT number, company number, address, contact person contact data (e-mail address, telephone number, fax), bank data.
For visitors to our company, this includes name and signature.
For journalists, this includes first and last name, e-mail address, fax number.
For raffle participants, this includes first and last name, e-mail address.
- In addition, we also process the following other personal data:Information about the nature and content of contract data, order data, sales and document data, customer and supplier history, and consulting records,
- Advertising and sales data,
- Information from your electronic traffic with us (e.g. IP address, log-in data),
- other data that we have received from you in the course of our business relationship (e.g. in customer meetings),
- Data that we generate ourselves from master / contact data and other data, such as by means of customer demand and customer potential analyses,
- the documentation of your declaration of consent to receive e.g. newsletters.
- Photo shoots in the context of events.
Server log files:
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
- Date and time of the request
- Name of the requested file
- Page from which the file was requested
- Access status (file transferred, file not found, etc.)
- Web browser and operating system used
- Complete IP address of the requesting computer
- Data volume transferred
This data is not merged with other data sources. The processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website.
For reasons of technical security, in particular to defend against attempted attacks on our web server, this data is stored by us for a short period of time. It is not possible for us to draw conclusions about individual persons based on this data. After seven days at the latest, the data is anonymized by shortening the IP address at domain level, so that it is no longer possible to establish a link to the individual user. The data is also processed in anonymized form for statistical purposes; it is not compared with other data or passed on to third parties, even in excerpts.
3. For what purposes and on what legal basis are the data processed?
We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018, as amended:
- For the fulfillment of (pre-) contractual obligations (Art. 6 para. 1 lit. b GDPR):
The processing of your data is carried out for the processing of contracts online or in one of our branches, for the processing of contracts of your employees in our company. In particular, the data is processed when initiating business and executing contracts with you.
- For the fulfillment of legal obligations (Art. 6 para. 1 lit. c GDPR):
Processing of your data is necessary for the purpose of fulfilling various legal obligations, e.g. from the German Commercial Code or the German Fiscal Code.
- For the protection of legitimate interests (Art. 6 para. 1 lit. f GDPR):
Based on a balancing of interests, data processing may take place beyond the actual fulfillment of the contract to safeguard legitimate interests of us or third parties. Data processing for the protection of legitimate interests occurs, for example, in the following cases:
- Advertising or marketing (see No. 4),
- Measures for business management and further development of services and products;
- Maintaining a group-wide customer database to improve customer service
- In the context of legal prosecution
- Sending non-promotional information and press releases.
- Within the scope of your consent (Art. 6 para. 1 lit. a GDPR):
If you have given us consent to process your data, e.g. to send you our newsletter, publication of photos, competitions, etc., we will not use your data for any other purpose.
4. Processing of personal data for advertising purposes
You may object to the use of your personal data for advertising purposes at any time, either in whole or in respect of individual measures, without incurring any costs other than the transmission costs in accordance with the basic rates.
We are entitled under the legal conditions of § 7 Abs. 3 of the Act against Unfair Competition to use the e-mail address that you provided when concluding the contract for direct advertising for our own similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter.
If you do not wish to receive such recommendations from us by e-mail, you can object to the use of your address for this purpose at any time without incurring any costs other than the transmission costs according to the prime rates. A message in text form is sufficient for this purpose. Of course, an unsubscribe link is always included in every e-mail.
5. Am I obliged to provide data?
The processing of your data is necessary for the conclusion or fulfillment of contractual obligations. If you do not provide us with this data, we will usually have to refuse to conclude the contract or will no longer be able to perform an existing contract and consequently have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that is not relevant for the fulfillment of the contract or that is not required by law.
6. Who receives my data?
If we use a service provider in the sense of commissioned processing, we nevertheless remain responsible for the protection of your data. All commissioned processors are contractually obligated to treat your data confidentially and to process it only in the context of providing the service. The processors we commission receive your data insofar as they require the data to fulfill their respective service. These are, for example, IT service providers that we require for the operation and security of our IT system as well as advertising and address publishers for our own advertising campaigns.
Your data is processed in our customer database. The customer database supports the enhancement of the data quality of the existing customer data (duplicate cleansing, moved/deceased indicators, address correction), and enables the enrichment with data from public sources.
This data is made available to the Group companies to the extent if necessary for contract processing. Customer data is stored separately on a company-by-company basis, with our parent company acting as a service provider for the individual participating companies.
In the event of a legal obligation and in the context of legal prosecution, authorities and courts as well as external auditors may be recipients of your data.
In addition, insurance companies, banks, credit agencies and service providers may be recipients of your data for the purpose of initiating and fulfilling contracts.
7. How long will my data be stored?
We process your data until the termination of the business relationship or until the expiry of the applicable statutory retention periods (such as from the German Commercial Code, German Tax Laws, or the German Working Hours Act); furthermore, until the termination of any legal disputes in which the data is required as evidence.
8. Are personal data transferred to a third country?
We also process data in countries outside the European Economic Area
(“EEA“). This concerns in detail:
- Data transmission to the USA through the Instagram plugin, offered by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
- Data transmission to the USA through the integration of Youtube with extended data protection, offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
In its ruling of July 16, 2020, the European Court of Justice overturned its previously applicable decision, which identified affiliation with the U.S. Privacy Shield as a permissible legal basis. The ECJ thus clarifies that the US Privacy Shield does not provide an equivalent guarantee for the protection of personal data compared to the regulations applicable throughout the EU. Therefore, in order to make a transfer to a third country nevertheless admissible, EU standard contractual clauses must be concluded with the recipient. These standard contractual clauses have been concluded with the service providers. They can be found here:
We have taken technical and administrative security measures to protect your personal data against loss, destruction, manipulation and unauthorized access. All our employees and service providers working for us are bound by the applicable data protection laws.
Whenever we collect and process personal data, it is encrypted before it is transmitted. This means that your data cannot be misused by third parties. Our security measures are subject to a continuous improvement process and our data protection statements are constantly revised. Please make sure that you have the latest version.
10. Contact form/ e-mail contact
If you send us inquiries via contact form or e-mail, your data from the inquiry form, including the contact data you provided there, will be stored by us for the purpose of processing the inquiry and in case of follow-up inquiries. We do not pass on this data without your consent.
The processing of this data is based on Art. 6 para. 1 lit. b GDPR, if your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this was requested.
The data you enter in the contact form will remain with us until you request us to delete it, withdraw your consent to store it, or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions – in particular retention periods – remain unaffected.
11. Application/job advertisement
We collect various personal data through the application process. Personal data is any information from which conclusions can be drawn about your personal or factual circumstances or which makes you identifiable. The following data is collected and processed for the automated processing of your application:
- First name, last name, address, e-mail, date of birth, title, telephone number, country of residence and citizenship
- Additional questions depending on the respective tender (e.g. driver’s license)
- Curriculum vitae, especially information on professional experience and education
- Competencies and knowledge for the advertised position
- Application photo
- Qualifications, awards and language skills
- Letter of motivation
- Files and documents that you would like to send or upload in connection with your application
No information that may not be processed under the General Equal Treatment Act (this includes, but is not limited to, race, ethnic origin, gender, disability, religion and belief, or age) will be required to process your application. We ask you not to include any information that is irrelevant to the processing of your application due to the Equal Treatment Act (including illnesses, pregnancy, membership of a trade union and sex life).
Please do not transmit any content that could, for example, violate copyrights or the press law of third parties.
The legal basis for the processing of your personal data in this context is Art. 6 para. 1 lit. f GDPR, our legitimate interest in conducting applications, as well as Art. 6 para. 1 lit. b, Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 of the Federal Data Protection Act (new).
Your application e-mail and the application documents sent will be stored by us for 6 months (Guide to the General Equal Treatment Act). After this period, your documents will be deleted in accordance with data protection law, unless you give us your consent to store them for our applicant pool. In this case, they will be stored for 1 year.
When you visit our website, we may store information on your computer in the form of cookies. Cookies are small files that are transferred from an Internet server to your browser and stored on its hard drive. Only the Internet protocol address is stored – no personal data. This information, which is stored in the cookies, allows us to automatically recognize you the next time you visit our website, making it easier for you to use.
13. Third party services
We use a map section from OpenStreetMap on our website under the menu item “Contact” – sub-item “Directions” in order to display the route to our company for you and to make it easier for you to plan your journey.
This website uses Borlabs cookie, which sets a technically necessary cookie (borlabs-cookie) to store your cookie consents.
Borlabs Cookie does not process any personal data.
The cookie borlabs-cookie stores your consents that you have given when entering the website. If you wish to withdraw these consents, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked again for your cookie consent.
On this website, the WP Statistics analysis tool (www.wp-statistics.com) is used for statistical evaluation of visitor access. We use the plugin to continuously improve the website and our offer.
Simple statistics are created anonymously from the data collected by the plugin. No usage profiles are created or cookies are stored on your device. All data collected by WP Statistics is stored completely anonymously on this web server, which means that no personal identification of a visitor is possible. The data used for the evaluation is based exclusively on information that is necessarily transmitted for the connection setup between the web browser and the web server.
YouTube in enhanced privacy mode
We use the Facebook Pixel as part of the technologies of Facebook Ireland Ltd [https://de-de.facebook.com/facebookdublin] presented in the following, 4 Grand Canal Square, Dublin 2, Ireland (“Facebook”). With the Facebook Pixel, data (IP address, time of visit, device and browser information, and information on your use of our website by means of predefined events such as visiting a website or signing up for a newsletter) is automatically collected, stored, and used to create pseudonymized usage profiles. To this end, the Facebook Pixel automatically places a cookie when our website is visited. This cookie enables your browser to be recognized when visiting other websites through the use of a pseudonymized cookie ID. Facebook will combine this information with other data from your Facebook account and use it to compile reports about the website activities and to provide additional services in conjunction with the use of the website, in particular personalized and group-based advertisements. We have no influence on the data processing by Facebook and only receive statistics created on the basis of the Facebook Pixel.
Schufa / credit check
The brewery Gebrüder Maisel KG obtains a credit check by means of Schufa information from SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany, Tel.: +49 (0) 6 11-92 78 0 when concluding contracts with new catering customers.
SCHUFA processes personal data in order to provide authorized recipients with information for assessing the creditworthiness of natural persons and legal entities. For this purpose, score values are also determined and transmitted. It only provides the information if a legitimate interest in this has been credibly demonstrated in the individual case and processing is permissible after weighing up all interests. The legitimate interest is given in particular before entering into transactions with a financial default risk. The creditworthiness check serves to protect recipients from losses in the credit business and at the same time opens up the possibility of protecting borrowers from excessive indebtedness by providing advice. The data is also processed for fraud prevention, creditworthiness checks, money laundering prevention, identity and age checks, address determination, customer care or risk management, and pricing or conditioning. In addition to the aforementioned purposes, SCHUFA also processes personal data for internal purposes (e.g. assertion of legal claims and defense in legal disputes, further development of services and products, research and development, in particular to carry out internal research projects (e.g. SCHUFA Credit Compass) or to participate in national and international external research projects in the area of the aforementioned processing purposes, and to ensure IT security and IT operations). The legitimate interest in this arises from the respective purposes and is otherwise of an economic nature (efficient fulfillment of tasks, avoidance of legal risks). Anonymized data may also be processed. SCHUFA will inform about any changes in the purposes of data processing in accordance with Art. 14 para. 4 GDPR.
The processing of data is based on consents (Art. 6 para. 1 lit. a GDPR) as well as on the basis of Art. 6 para. 1 lit. f GDPR, insofar as the processing is necessary to protect the legitimate interests of the controller or a third party and the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, are not overridden. Consents may be withdrawn at any time from the relevant contractual partner. This also applies to consents already granted before the entry into force of the GDPR. The revocation of consent does not affect the lawfulness of the personal data processed until the revocation. There is a right to information, correction as well as deletion or restriction and a right to object to processing. In addition, there is a right to data portability and the data subject has a right of appeal to the competent supervisory authority.
Personal data includes:
Personal data, e.g., surname (if applicable, also previous names that are provided with information upon separate request), first name, date of birth, place of birth, address, previous addresses | Information on the commencement and contractual performance of a transaction (e.g., current accounts, installment loans, credit cards, garnishment protection accounts, basic accounts) | Information on unfulfilled payment obligations, such as undisputed, due, and repeatedly reminded or titled claims, as well as their settlement | Information on abusive or other fraudulent behavior, such as deception of identity or creditworthiness | Information from generally accessible sources (e.g., debtor directories, insolvency notices) | Data from compliance lists | Information as to whether and in which function an entry exists in generally accessible sources for a public figure with matching personal data | Address data | Score values
Recipients of the data are contractual partners located in the European Economic Area, in Switzerland and, if applicable, in other third countries (provided that a corresponding adequacy decision of the European Commission exists for these countries) in accordance with section 2.3. Other recipients may be external contractors of SCHUFA in accordance with Art. 28 GDPR as well as external and internal SCHUFA offices. SCHUFA is also subject to the statutory powers of intervention of state authorities.
SCHUFA stores information about individuals only for a certain period of time. The decisive criterion for determining this duration is the necessity of processing for the above-mentioned purposes. The storage periods are specified in detail in a Code of Conduct of the association “Die Wirtschaftsauskunfteien e. V.” (can be viewed at www.schufa.de/loeschfristen). Information about inquiries is deleted after 12 months on a daily basis.
Review and deletion periods for personal data
1. Personal data on due, open and undisputed claims:
a) Personal data on due and undisputed claims shall remain stored as long as their settlement has not been announced; the necessity of continued storage shall be reviewed in each case three years (to the day) after the occurrence of the respective event (e.g. initial registration of the claim or balance update).
b) Personal data will be deleted on a daily basis three years after the claim has been settled.
Irrespective of this, an individual check is carried out at the request of data subjects as to whether the storage of the data is still necessary (Art. 17 para. 1 lit. a GDPR).
2. Personal data based on entries in the debtors’ register or publications on (consumer or regular) insolvency proceedings:
a) Data from the debtor lists of the central enforcement courts (entries in accordance with
§ 882c para. 1 sentence 1 nos. 1 – 3 of the Code of Civil Procedure) shall be deleted three years to the day after entry in the debtor list, but earlier if the credit agency is provided with proof/notification of deletion by the central enforcement court.
b) Information on (consumer or regular) insolvency proceedings or residual debt discharge proceedings shall be deleted to the day three years after termination of the insolvency proceedings or granting of residual debt discharge.
the rejection of an insolvency petition for lack of assets,
the lifting of the security measures or
the refusal of the discharge of residual debt
are deleted to the day after three years.
3. Personal data on continuing obligations (contractual data) that involve a financial risk of default due to advance performance:
a) Information on trouble-free contractual data on credit relationships documented with the claim founded therewith (in particular loans, financing aids, installment supply contracts or partial payments) shall remain stored until the outstanding claim founded therewith has been settled; if its settlement is announced, the personal data shall be deleted to the day three years thereafter.
b) Information on trouble-free contract data on accounts that are documented without the claim based on them (e.g. current accounts, credit cards, telecommunication accounts or energy accounts) shall remain stored as long as the accounts exist; if their termination is announced, the information shall be deleted.
c) Information on contracts for which record checks are provided for by law (such as in the case of garnishment protection accounts or basic accounts) shall remain stored for as long as they exist; if their termination is announced, they shall be deleted.
d) Information on guarantees is deleted as soon as the termination of the guarantee is notified.
e) Trade accounts that are kept on the credit side shall be deleted to the day after three years, after all receivables have been repaid.
The aforementioned data shall be deleted immediately after settlement in accordance with the aforementioned regulations at the request of the person concerned.
5. Other data:
a) Personal prior addresses shall be stored for three years to the day; thereafter, the necessity of continued storage shall be reviewed for a further three years. After that, they are deleted to the exact day, unless longer storage is required for the purpose of identification.
b) Information on the misuse of an account or card by the legitimate account holder shall be deleted on a daily basis after three years.
c) Information on doubtful and unusual circumstances that are to be examined and monitored as part of money laundering and fraud prevention and where the examination shows that there is not merely a case of suspicion, but that there are sufficient plausible indications that a money laundering or fraud-relevant circumstance actually exists, shall initially be stored until December 31, 2019 in view of the need to determine meaningful results. Thereafter, the results will be evaluated and the necessity of the future regular period of continued storage will be determined.
d) Information on third-party inquiries shall be stored for at least one year, but no longer than three years, on a day-by-day basis. After one year, information about these inquiries must be deleted at the request of the person concerned.
e) The necessity of the continued storage of data taken from other public/publicly accessible sources that have a personal reference shall be reviewed after three years at the latest. In the event of completion, such as amendment or deletion from the Commercial Register, personal data shall be deleted after three years.
For more information on Schufa’s activities, see:
14. What data protection rights do I have?
You have a right to information, correction, deletion or restriction of the processing of your stored data at any time, a right to object to the processing as well as a right to data portability and to lodge a complaint in accordance with the requirements of data protection law.
Right to information:
You can request information from us as to whether and to what extent we process your data.
Right of rectification:
If we process your data that is incomplete or incorrect, you can request that we correct or complete it at any time.
Right to erasure (‘right to be forgotten’):
You can demand that we delete your data if we process it unlawfully or if the processing disproportionately interferes with your legitimate interests in protection. Please note that there may be reasons that prevent immediate deletion, e.g. in the case of legally regulated retention obligations.
Irrespective of the exercise of your right to erasure (‘right to be forgotten’), we will delete your data immediately and completely, insofar as there is no legal or statutory retention obligation to the contrary.
Right to restriction of processing:
You may request us to restrict the processing of your data if
- you dispute the accuracy of the data for a period of time that allows us to verify the accuracy of the data.
- the processing of the data is unlawful, but you refuse erasure and request restriction of data use instead,
- we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or
- you have objected to the processing of the data.
Right to data portability:
You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transfer this data to another controller without hindrance from us, provided that
- we process such data based on your consent, which may be withdrawn, or for the performance of a contract between us; and
- this processing is carried out with the aid of automated procedures.
If technically feasible, you may request that we transfer your data directly to another data controller.
Right to object:
If we process your data for legitimate interest, you can object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims. You may object to the processing of your data for the purpose of direct marketing at any time without giving reasons.
Right to withdraw:
If we process your data based on given consent, you have the right to withdraw previously given consent at any time.
Right of appeal:
If you are of the opinion that we are violating German or European data protection law in the processing of your data, please contact us so that we can clarify any questions. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.
If you wish to exercise any of the aforementioned rights against us, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.