Dear Ladies and Gentlemen,
This data protection declaration applies to us, OTC global GmbH, Managing Director: Arash Wahedi, Helmholtzstr. 2-9, B.04.010, D-10587 Berlin, Tel. +49 (0) 30 639 686 44, Fax +49 (0) 30 639 697 44, E-Mail: firstname.lastname@example.org, as the responsible body. OTC global, is at present the operator of the website www.otc-global.com andresponsible in the sense of the data security basic regulation (DSGVO). Insofar as this data protection declaration refers to “we” or “ours”, this always refers to OTC global GmbH as the responsible party.
In addition to the classic contact options, we also offer our customers the opportunity to communicate with us digitally. This requires data to be collected and processed. The principle that applies to us here is: where data is stored and sent, a high level of data protection and data security must be guaranteed. This applies to the data of customers and applicants, interested parties and business partners as well as to our employee data.
It is our claim that OTC global GmbH not only stands for high-quality services and mediation, but also complies with the statutory requirements of data protection. For us, safeguarding the personal rights and privacy of every individual is the basis for trustful business relationships.
We have created strict requirements for the processing of personal data of customers, interested parties, business partners and employees. These comply with the requirements of the European Data Protection Directive and ensure compliance with applicable national data protection laws. In the following we present our data protection guidelines. Our employees are obliged to comply with data protection and the respective data protection laws.
Objective of the Data Protection Directive
The OTC global GmbH commits itself, within the scope of its social responsibility, to the observance of data protection rights. This data protection guideline applies to OTC global GmbH and is based on basic principles of data protection. The protection of data privacy is a basis for trustful business relationships and the reputation as an attractive employer or service provider in the logistics industry.
The data protection guideline creates one of the necessary framework conditions for data transfer between partners, customers and employees. It ensures the adequate level of data protection required by the European Data Protection Directive and national laws for data traffic even with countries where there is no adequate level of data protection by law.
Area of Application
- Purpose limitation
The purpose limitation is an essential component of the law. If data is collected or stored for a specific purpose, then this data may only be used for this purpose. Data stored, for example, for the performance of a contract may only be used for this contract. The use of the data for any other purpose is prohibited! OTC global GmbH pays very close attention to this purpose.
- Prohibition subject to permission
The collection or storage of personal data is fundamentally prohibited. Unless you have the permission of the person or company concerned. Permission is granted, for example, if data must be stored for the execution of a contract. The data storage is always bound to the purpose (see above: purpose limitation).
- Direct survey
Data should always be collected directly from the data subject. This means that, as a rule, personal data must be requested directly from the data subject. We do not use data from other “sources”.
- Data saving
We store data only as long as they are tied to the purpose or other overriding laws prevent deletion. Once the legal retention period has expired, data will be released for deletion in any case.
- Data avoidance
We only store data that is necessary for the stated purpose. Additional databases are avoided here.
Each data subject should know what data is stored about him or her. This means that data will not be passed on. (see above: Direct survey). If the passing on of data is necessary, the person concerned will be informed of the passing on of the data and a declaration of consent will be obtained. Furthermore, there is always a right to information for data subjects. With the help of this right to information, one can demand access to the stored data.
Data may only be stored if the storage of the data is necessary for achieving the purpose (see above: Purpose limitation).
As you can see, these seven basic principles are closely interlinked and complement or condition each other. In the following, we explain in detail the principles and processing guidelines of data protection in its current legal version.
Principles for the Processing of Personal Data
The processing of personal data must respect the personal rights of the data subject. Personal data must be collected and processed lawfully. The processing of personal data may pursue only the purposes established before the collection of the data. Subsequent changes to the purposes are only possible to a limited extent and require justification.
The data subject may at any time request to be informed about the handling of his data and to have his data deleted. Before processing personal data, it must be ascertained whether and to what extent they are necessary in order to achieve the purpose for which they are processed. If it is possible to achieve the purpose and the effort is proportionate to the intended purpose, anonymous or statistical data shall be used.
Personal data may not be retained for potential future purposes unless required, permitted or authorized by state law or by the right holder of the personal data.
Personal data that is no longer required after the expiry of legal or business process related retention periods must be deleted. If, in individual cases, there are indications of interests worthy of protection or of a historical significance of this data, the data must remain stored until the interest worthy of protection has been legally clarified or the company archives have been able to assess the archivability of the data for historical purposes. Personal data must be stored correctly, completely and, if necessary, up to date. Appropriate measures shall be taken to ensure that inaccurate, incomplete or outdated data are erased, corrected, supplemented or updated.
Data secrecy applies to personal data. They must be treated confidentially in personal dealings and protected by appropriate organizational and technical measures against unauthorized access, unlawful processing or disclosure, as well as accidental loss, alteration or destruction.
Admissibility of Data Processing
The collection, processing and use of personal data is only permitted if one of the following reasons for permission exists. Such an authorisation is also necessary if the purpose for which the personal data are to be collected, processed and used is to be changed from the original purpose.
Customer, Prospect and Partner data
- Data processing for a contractual relationship
Personal of the interested party, customer or partner concerned may be processed for the purpose of establishing, implementing and terminating a contract. This also includes the support of the contractual partner, insofar as this is in connection with the purpose of the contract. In the run-up to a contract, i.e. in the contract initiation phase, the processing of personal data is permitted for the preparation of offers, purchase applications or for the fulfilment of other wishes of the interested party relating to the conclusion of a contract. Interested parties may be contacted during the preparation of the contract using the data they have provided. Any restrictions expressed by the interested party must be observed.
- Data processing for placement
Personal data of the interested party or applicant concerned are collected and processed for the purpose of obtaining documents necessary for successful placement. This includes documents and data, such as:
A residence permit, a work permit, application documents or the recognition of certificates and diplomas, the tax and social security number, a residence registration certificate, etc..
For this purpose, it is necessary to forward the data to authorities and offices, as well as potential employers. This is done with the consent of the person concerned and is entirely in his or her interest.
- Data processing for advertising purposes
If the person concerned contacts OTC global GmbH with a request for information (e.g. request for information material on a product or company), data processing is permissible for the fulfilment of this request.
Customer loyalty or advertising measures require further legal requirements. The processing of personal data for purposes of advertising or market and opinion research is permitted provided that this is compatible with the purpose for which the data were originally collected. The person concerned must be informed about the use of his/her data for advertising purposes. If data are collected exclusively for advertising purposes, their disclosure by the data subject is voluntary. The data subject shall be informed of the voluntary nature of the provision of data for these purposes. In the context of communication with the data subject, the consent of the data subject for the processing of his/her data for advertising purposes shall be obtained. The data subject should be able to choose between the available contact channels such as post, electronic mail and telephone within the scope of the consent (see below 4. Consent to data processing).
If the data subject objects to the use of his/her data for advertising purposes, further use of his/her data for these purposes is not permitted and must be blocked for these purposes. In addition, existing restrictions in some countries regarding the use of data for advertising purposes must be observed.
- Consent to data processing
Data processing may take place on the basis of the consent of the data subject. Before the consent is given, the data subject must be informed in accordance with this data protection guideline. For reasons of proof, the declaration of consent must always be obtained in writing or electronically. Under certain circumstances, e.g. when giving advice by telephone, consent can also be given orally. Their issuance must be documented.
- Data processing based on legal permission
The processing of personal data is also permitted if state legislation requires, presupposes or permits data processing. The type and scope of data processing must be necessary for the data processing permitted by law and comply with these legal provisions.
- Processing of Personal Data
The processing of personal data can also take place if this is necessary for the realization of a justified interest of OTC global GmbH. Legitimate interests are usually legal (e.g. enforcement of open claims) or economic (e.g. avoidance of breaches of contract). Processing of personal data on the basis of a legitimate interest may not take place if there is evidence in an individual case that the data subject’s legitimate interest in the processing outweighs any other legitimate interest. The interests worthy of protection must be examined for each processing operation.
- Processing of sensitive personal data
The processing of sensitive personal data, such as personal information about racial and ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life, genetic or biometric data, may only take place if required by law or with the explicit consent of the data subject. The processing of these data is also permitted if it is absolutely necessary in order to assert, exercise or defend legal claims against the data subject. If the processing of particularly sensitive data is planned, the company data protection officer must be informed in advance.
- User data and internet
If personal data is collected, processed and used on websites, the persons concerned must be informed of this in data protection notices and, if applicable, cookie notices. The data protection notices and any cookie notices must be integrated in such a way that they are easily recognisable, immediately accessible and permanently available to the persons concerned.
If usage profiles are created (tracking) to evaluate the usage behaviour of websites, the persons concerned must always be informed of this in the data protection information. Personal tracking may only take place if national law permits this or if the data subject has consented. If the tracking is carried out under a pseudonym, the data subject shall be given the opportunity to object in the data protection information (optout). If access to personal data is made possible on websites or apps in an area requiring registration, the identification and authentication of the persons concerned must be designed in such a way that appropriate protection is achieved for the respective access.
- Data processing for the employment relationship
For the employment relationship, the personal data required for the conclusion, execution and termination of the employment contract may be processed. When initiating an employment relationship, personal data of applicants may be processed. After rejection, the applicant’s data must be deleted, taking into account time limits under the law of evidence, unless the applicant has consented to further storage for a later selection process. In the existing employment relationship, data processing must always be related to the purpose of the employment contract, unless one of the following conditions of permission for data processing applies.
If it is necessary to collect further information about the applicant from a third party during the initiation of the employment relationship or in the existing employment relationship, the respective national legal requirements must be taken into account. In case of doubt, the consent of the person concerned must be obtained.
For the processing of personal data in the context of the employment relationship, but which do not originally serve to fulfil the employment contract, a legal legitimation must exist in each case. These can be legal requirements, collective regulations, employee consent or the legitimate interests of the company.
- Data processing on the basis of legal permission
The processing of personal employee data is also permitted if state legislation requires, presupposes or permits for data processing. The type and scope of data processing must be necessary for the data processing permitted by law and comply with these legal provisions. If there is legal room for manoeuvre, the interests of the employee worthy of protection must be taken into account.
- Processing of particularly sensitive data
Particularly sensitive personal data may only be processed under certain conditions. Particularly sensitive data is data on racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual life. Due to state law, other data categories may be classified as particularly worthy of protection or the content of the data categories may be filled in differently. Similarly, data relating to criminal offences may often only be processed under specific conditions laid down by national law.
Processing must be expressly authorised or required by national law. In addition, processing may be permitted if it is necessary to enable the controller to comply with its rights and obligations in the field of labour law. The employee may also voluntarily give his or her express consent to the processing. If the processing of particularly sensitive data is planned, the company data protection officer must be informed in advance.
- Collective regulations for data processing
If processing goes beyond the purpose of contract execution, it is also permissible if it is permitted by a collective regulation. Collective agreements are collective agreements or agreements between employers and employee representatives within the framework of the possibilities offered by the respective labour law. The regulations must extend to the concrete purpose of the desired processing and can be designed within the framework of state data protection law.
- Data processing due to legitimate interest
The processing of personal employee data may also take place if this is necessary to realize a legitimate interest of OTC global GmbH. As a rule, legitimate interests are justified either legally (e.g. asserting, exercising or defending legal claims) or economically (e.g. valuing companies).
Personal data may not be processed on the basis of a legitimate interest if, in an individual case, there is an indication that the interests of the employee worthy of protection outweigh the interest in the processing. The existence of interests worthy of protection must be checked for each processing operation.
Control measures that require the processing of employee data may only be carried out if there is a legal obligation to do so or if there is a justified reason to do so. The proportionality of the control measure must also be examined if there is a justified reason for doing so. The legitimate interests of the undertaking in the implementation of the control measure (e.g. compliance with legal provisions and internal rules) must be weighed against any legitimate interest of the employee concerned by the measure in the exclusion of the measure and may only be implemented if they are reasonable. The legitimate interest of the company and the possible interests of the employees worthy of protection must be determined and documented before every measure is taken. In addition, other requirements existing under state law (e.g. employee representation rights of co-determination and information rights of the persons concerned) may have to be taken into account.
- Consent to data processing
- Telecommunication and internet
Telephone systems, e-mail addresses, Internet as well as internal networks are primarily provided by the company within the scope of the operational tasks. They are work equipment and a company resource. They may be used within the framework of the applicable legal provisions and the company’s internal guidelines. There is no general monitoring of telephone and e-mail communication or internet use.
To prevent attacks against the IT infrastructure or individual users, protective measures can be implemented at the transitions into the corporate network that block technically harmful content or analyze the patterns of attacks. For security reasons, the use of telephone systems, e-mail addresses, the internet and internal networks can be logged for a limited period of time. Personal evaluations of this data may only be carried out in the event of a concrete, justified suspicion of a violation of laws or guidelines of OTC global GmbH. Such checks may be carried out only by investigating departments and in accordance with the principle of proportionality. The respective national laws are to be observed as well as the existing company regulations.
Transmission of Personal Data
A transmission of personal data to recipients outside OTC global GmbH or to recipients within OTC global GmbH is subject to the permissibility requirements of the processing of personal data. The recipient of the data must be obliged to use them only for the specified purposes.
In the case of data transfer to a recipient outside OTC global GmbH in a third country, the recipient must guarantee a data protection level equivalent to this data protection guideline.
This does not apply if the transmission is based on a legal obligation. Such a legal obligation may arise from the law of the member state in which the company transferring the data has its registered office or the law of the member state in which the company has its registered office recognises the objective of the transfer of data pursued by the legal obligation of a third country. In the case of data transfer from third parties to OTC global GmbH it must be ensured that the data may be used for the intended purposes.
If personal data of a company domiciled in the European economic area is transferred to a company domiciled outside the European economic area (third country), the data-importing company is obliged to cooperate with the supervisory authority responsible for the data-exporting company in all inquiries and to observe the findings of the supervisory authority with regard to the transferred data. The same applies to data transfers by companies from other countries. If they take part in an international certification system for binding company regulations on data protection, they must ensure the cooperation with the relevant auditing bodies and authorities provided for there. Participation in such certification schemes shall be coordinated with the corporate privacy officer.
Order Data Processing
Order data processing exists when a contractor is commissioned with the processing of personal data without being assigned responsibility for the associated business process. In such cases, an agreement on order data processing shall be concluded with external contractors. In this case, the contracting company retains full responsibility for the correct execution of the data processing.
The contractor may only process personal data within the scope of the instructions of the client. When placing the order, the following specifications must be observed. The commissioning department must ensure their implementation.
- The contractor shall be selected according to his suitability to guarantee the necessary technical and organisational protective measures.
- The order shall be in text form. The instructions for data processing and the responsibilities of the client and the contractor shall be documented.
- The contractual standards provided by the data protection officer of OTC global GmbH must be observed.
- The customer must satisfy himself of the compliance with the obligations of the contractor before commencing data processing. A contractor can prove compliance with the data security requirements in particular by submitting a suitable certification. Depending on the risk of the data processing, checks shall be carried out at regular intervals during the term of the contract, if necessary.
- In the case of cross-border order data processing, the respective national requirements for the transfer of personal data abroad must be fulfilled. In particular, the processing of personal data from the European cconomic area may take place in a third country only if the contractor can be an equivalent level of data protection to this data protection directive:
- Agreement of the EU standard contractual clauses on contract data processing in third countries with the contractor and possible
- Participation of the contractor in a certification system recognised by the EU for the creation of an appropriate
- Recognition by the competent data protection supervisory authorities of the contractor’s binding company rules to establish an adequate level of data protection.
Any person concerned may exercise the following rights. Their assertion must be processed immediately by the responsible department and must not lead to any disadvantages for the person concerned. The contractor shall be selected according to his suitability to guarantee the necessary technical and organisational protective measures.
- The person concerned can request information about which personal data of which origin about him for which purpose is stored If in the employment relationship according to the respective labor law further inspection rights in documents of the employer (e.g. personnel file) are provided, these remain unaffected.
- Where personal data are transferred to third parties, the identity of the recipient or the categories of recipients must also be disclosed.
- Should personal data be inaccurate or incomplete, the data subject may have their rectification or supplementation.
- The data subject may consent to the processing of his personal data for purposes of advertising or market and opinion research. For these purposes, the data must be blocked.
- The data subject is entitled to demand the deletion of his/her data if the legal basis for the processing of the data is missing or no longer applies. The same applies if the purpose of the data processing has ceased due to the passage of time or for other reasons. Existing storage obligations and interests worthy of protection that conflict with deletion must be observed.
- The data subject has a fundamental right of objection to the processing of his data, which must be taken into account if his legitimate interest outweighs the interest in the processing due to a particular personal situation. This does not apply if a legal provision for the implementation of the processing
Confidentiality of Processing
Personal data are subject to data secrecy. The employees are prohibited from unauthorized collection, processing or use. Any processing carried out by an employee without being entrusted with it in the course of the performance of his duties and without being authorised to do so is unauthorised. The need-to-know principle applies:
Employees may only have access to personal data if and insofar as this is necessary for their respective tasks. This requires the careful division and separation of roles and responsibilities as well as their implementation and maintenance within the framework of authorization concepts.
Employees may not use personal data for their own private or commercial purposes, transmit them to unauthorized persons or make them accessible in any other way. Superiors must inform their employees of the obligation to maintain data secrecy at the beginning of the employment relationship. This obligation continues to exist even after the termination of the employment relationship.
Security of Processing
Personal data must be protected at all times against unauthorised access, unlawful processing or disclosure, and against loss, falsification or destruction. This applies regardless of whether the data processing is carried out electronically or in paper form. Technical and organisational measures for the protection of personal data must be defined and implemented before new data processing procedures, in particular new IT systems, are introduced. These measures shall be based on the state of the art, the risks posed by the processing and the need to protect the data (identified by the information classification process).
Data Protection Monitoring
Compliance with the data protection guidelines and the applicable data protection laws is checked regularly by controls. The implementation is the responsibility of the company data protection officer or commissioned external auditors. The results of the data protection checks shall be communicated to the management. Upon request, the results of data protection checks shall be made available to the competent data protection supervisory authority. The competent data protection supervisory authority may also carry out its own checks on compliance with the provisions of this directive within the limits of its powers under national law.
Data Breach Incidents
Responsibilities and Sanctions
The management of the company is responsible for data processing in its company. It is thus obliged to ensure that the legal and data protection requirements contained in the Data Protection Directive are taken into account (e.g. national reporting obligations). It is a management task of the executives to ensure proper data processing by organisational, personnel and technical measures in compliance with data protection regulations. The implementation of these requirements is the responsibility of the responsible employees. In the event of data protection controls by public authorities, the data protection officer of the company must be informed immediately.
The Corporate Data Protection Officer
The Data Protection Officer, as an internal body independent of technical instructions, works towards compliance with national and international data protection regulations. He is responsible for the data protection guidelines and monitors compliance with them. The data protection officer is appointed by the management. Anyone concerned can contact the data protection officer with suggestions, enquiries, requests for information or complaints in connection with questions of data protection or data security. Enquiries and complaints will be treated confidentially on request. Requests from supervisory authorities must always be brought to the attention of the data protection officer. If OTC global GmbH has not appointed a data protection officer, the management is deemed to be the data protection officer.
Some of the Internet pages use so-called cookies. Cookies do not damage your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, more effective and safer. Cookies are small text files which are stored on your computer by your browser.
Most of the cookies we use are so-called “session cookies”. They are automatically deleted at the end of your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser on your next visit.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, accept cookies for certain cases or generally exclude them and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.
OTC global GmbH
Helmholtzstr. 2-9, B.04.010D-10587
Managing Director: Arash Wahedi Yeganeh
Registered office of the company: Berlin
Register court: Local court Charlottenburg HRB 156703Ust-IdNr.
- An adequate level of data protection in third countries will be recognised by the EU Commission if the core of privacy, as understood in a consistent way in the EU Member States, is essentially protected. The EU Commission takes into account in its decision all circumstances that play a role in a data transfer or a category of data transfers. This includes the assessment of state law as well as the applicable rules of professional conduct and security measures.
- Data is anonymised if a personal reference can be established permanently and by no one else if the personal reference can only be restored with a disproportionately large expenditure of time, cost and labour.
- Data that are particularly worthy of protection are data on racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. Due to state law, other data categories may be classified as particularly worthy of protection or the content of the data categories may be filled in differently. Similarly, data relating to criminal offences may often only be processed under specific conditions laid down by national law.
- Data protection incidents are all events in which there are reasonable grounds to suspect that personal data are being unlawfully spied on, collected, altered, copied, transmitted or used. This may relate to actions by third parties as well as employees.
- Third parties are any persons outside the data subject and the contract data processors responsible for data processing are not third parties within the meaning of data protection law within the EU, as they are legally assigned to the data controller.
- Third countries within the meaning of the Data Protection Directive are all countries outside the European Union/EEA. Excluded are states whose level of data protection has been recognised as adequate by the EU Commission.
- Consent is a voluntary, legally binding declaration of consent to data processing.
- The processing of personal data is necessary if the permissible purpose or legitimate interest cannot be achieved without the respective personal data or can only be achieved with a disproportionately high effort.
- The European Economic Area (EEA) is an economic area associated with the EU to which Norway, Iceland and Liechtenstein belong.
- Personal data is any information about a specific or identifiable natural identifiable is a person, for example, when the personal reference can be established by a combination of information with even randomly available additional knowledge.
- Transfer is any disclosure of protected data by the responsible body to
- Processing of personal data means any operation, carried out with or without the aid of automated procedures, to collect, store, organise, store, modify, retrieve, use, transmit, transmit, distribute or combine and reconcile personal data, including the disposal, erasure and blocking of data and data media.
- The responsible body is the legally independent company of OTC global GmbH, whose business activity includes the respective processing measure.