General Data Protection Regulation (GDPR)

Name and contact data of controller in accordance with article 4, para. 7 of the GDPR

Traffic Data Systems GmbH
Notkestrasse 13
22607 Hamburg
Germany

Email: info(at)traffic-data-systems.com

Security and protection of your personal data

One of our top priorities is protecting the confidentiality of your Personal Data and the protection of your Personal Data from unauthorised access. Therefore, we guarantee the maximum level of protection for your Personal Data by acting with utmost care and by applying up-to-date security standards.

As a private-law company, we are subject to the provisions contained in the European Data Protection Regulation (GDPR) and in the German Federal Data Protection Act. We have technical and organisational measures in place in order to ensure that both we and our service providers comply with the data protection regulations.

Definitions

The law requires that Personal Data must be processed in accordance with all laws and regulations, in good faith and in a manner comprehensible to the Data Subject (‘lawfulness, fairness and transparency’). Therefore, we inform you of the individual statutory terms which are also used in the GDPR.

1. Personal data

‘Personal Data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as the ‘Data Subject’). An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Processing

‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Restriction of processing

‘Restriction of Processing’ means the marking of stored Personal Data with the aim of limiting their Processing in the future.

4. Profiling

‘Profiling’ is understood to mean the automated processing of personal data which consists of the use of this personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to working capacity, economic situation, health, personal preference, interests, reliability, behaviour, place of residence or change of location of this natural person.

5. Pseudonymisation

‘Pseudonymisation’ means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

6. Filing system

‘Filing System’ means any structured set of Personal Data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

7. Controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

8. Processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

9. Recipient

‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing.

10. Third party

‘Third Party’ means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.

11. Consent

‘Consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Lawfulness of processing

Processing of Personal Data shall be lawful only if and to the extent there is a legal basis for such Processing. In accordance with Article 6, para. 1, lit. a – f of the GDPR, such legal basis for the Processing of Personal Data may include but not be limited to:

  1. the Data Subject has given Consent to the Processing of his or her Personal Data for one or more specific purposes;
  2. Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  3. Processing is necessary for compliance with a legal obligation to which the Controller is subject;
  4. Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  6. Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.

Information on the collection of personal data

  1. Hereinafter, we would like to inform you of the collection of Personal Data when you visit our website. Personal Data include, without limitation, name, address, e-mail address, user behaviour.
  2. If you contact us via e-mail, we shall store the data you provided (your e-mail address, your name and telephone number, if any) and use them to answer your questions. We shall delete such data if they are not required anymore and/or restrict Processing thereof in case legal retention periods apply.

Collection of personal data when you visit our website

If you browse our website for mere information purposes, i.e. if you do not register or otherwise transmit information, we shall only collect the Personal Data your browser sends to our server. If you visit our website, we shall collect the following data that we require for technical purposes, in order to display and to guarantee the stability and security of our website (the legal basis is Article 6, para. 1, lit f of the GDPR):

  • IP address;
  • date and time of request;
  • time zone difference to Greenwich Mean Time (GMT);
  • content of the request (page);
  • access status / HTTP status code;
  • quantity of data transmitted;
  • website sending the request;
  • browser;
  • operating system and its interface;
  • language and version of browser software.

Cookies

  1. In addition to the above-stated data, cookies will be stored on your computer when you visit our website. Cookies are small text files which are stored on your hard drive and allocated to your browser, which provides certain information to the sender of such cookie. Cookies are not able to execute programmes or to introduce viruses to your computer. Their only purpose is to add user-friendliness and efficiency to the websites.
  2. This website uses the following types of cookies, extent and functions of which will be detailed below:

Transient cookies (see 1. below)

Persistent cookies (see 2. below)

Transient cookies will be deleted automatically when you close your browser. Transient cookies include without limitation session cookies, which store a so-called session ID, by which your browser’s requests can be allocated to the same session. This means our website will be able to recognise your computer when you re-visit our website. Session cookies will be deleted when you log out or close your browser.

Persistent cookies shall be deleted automatically after a fixed period of time which may vary depending on the cookie. You can delete the cookies in your browser settings at any time.

You may adjust your browser settings to your requirements and reject acceptance of third-party cookies or of all cookies, if you like. Third-party cookies are cookies stored by a Third Party and not by the website you visit. However, please be advised that if you de-activate cookies, you might not be able to fully use all of this website’s functions.

Other functions and features of our website

  1. On our website we provide information and various services you may use. For such purpose, additional Personal Data are required, which we use in order to provide the relevant services and which are subject to the data processing principles set out above.
  2. We may outsource the Processing of your data to third-party service providers that we select and employ with due care and diligence and that are subject to our instructions and to regular controls.
  3. Furthermore, we may disclose your Personal Data to Third Parties in case we offer campaigns, raffles, contracts or similar services in cooperation with Third Parties. More detailed information will be provided to you upon disclosure of your Personal Data and is provided hereinafter, as well.
  4. We will inform you in the offer if our service providers or partners are located in a state that is not a member state of the European Economic Area (EEA).

Children

Our services are generally directed at persons aged 18 years or older. Persons under the age of 18 should not transmit any Personal Data to us without their parents’ or legal guardians’ consent.

Rights of data subjects

(1) Withdrawal of consent

To the extent the Processing of Personal Data is based on the Data Subject’s Consent, the Data Subject shall be entitled, at any time, to withdraw such Consent. The withdrawal of your Consent shall not affect the lawfulness of Processing based on Consent before its withdrawal.

Please contact us at any time if you wish to withdraw your Consent.

(2) Right to demand confirmation

You are entitled to demand from the Controller a confirmation of whether we process your Personal Data or not. You may request such confirmation at any time using the contact data stated above.

(3) Right to demand information

To the extent we process your Personal Data, you shall be entitled to demand information on such Personal Data and other information as follows, at any time:

  1. purposes of Processing;
  2. categories of Personal Data that are processed;
  3. the current or future Recipients or categories of Recipients of Personal Data, including without limitation Recipients in third countries or whether such Recipients are international organisations;
  4. to the extent possible, the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
  5. the existence of the right to request from the Controller rectification or erasure of your Personal Data or Restriction of Processing concerning the Data Subject or to object to Processing;
  6. the existence of the right to lodge a complaint with a supervisory authority;
  7. any available information on the origin of the data if such Personal Data are not collected from the Data Subject;
  8. the existence of automated decision-making, including Profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.

If your Personal Data are transmitted to a third country or to an international organisation, you shall have the right to be informed of the appropriate safeguards as stipulated in Article 46 of the GDPR. We will provide you with a copy of the Personal Data that were processed. For all additional copies you request, we shall be entitled to demand a reasonable compensation based on the administrative costs incurred. If you send such request electronically, you will receive all data in a standard electronic format, unless otherwise stipulated. The right to receive a copy in accordance with para. 3 must not diminish other persons’ rights and freedoms.

(4) Right to rectification

You are entitled to demand that we immediately correct your Personal Data to the extent they are incorrect. Taking into account the purposes of the Processing, you shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

(5) Right to erasure (‘right to be forgotten’)

You shall have the right to obtain from the Controller the erasure of your Personal Data without undue delay and we shall have the obligation to erase Personal Data without undue delay where one of the following grounds applies:

  1. the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the Data Subject withdraws Consent on which the Processing is based according to lit (a) of Article 6(1), or lit (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the Processing;
  3. the Data Subject objects to the Processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing pursuant to Article 21(2) of the GDPR;
  4. the Personal Data have been unlawfully processed;
  5. the Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
  6. the Personal Data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Where the Controller has made the Personal Data public and is obliged pursuant to paragraph 1 to erase the Personal Data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers who are processing the Personal Data that the Data Subject has requested the erasure by such Controllers of any links to, or copy or replication of, those Personal Data.

The right to erasure (‘right to be forgotten’) shall not apply if and to the extent Processing of the data is required for the following purposes:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires Processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • for reasons of public interest in the area of public health in accordance with lit (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that Processing;
  • for the establishment, exercise or defence of legal claims.

(6) Right to restriction of processing

You shall have the right to obtain from us Restriction of Processing where one of the following applies:

  1. the accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data;
  2. the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead;
  3. the Controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
  4. the person affected has lodged an objection to the processing in accordance with Article 21 Paragraph 1 GDPR, as long as it has not yet been established whether the responsible entity has compelling legitimate grounds which outweigh those of the person affected.

If processing in accordance with the above-mentioned assumptions has been restricted, then this personal data – apart from the storage thereof – will only be processed with the agreement of the affected person or for the assertion, exercising or defence of legal rights or for the protection of rights of another natural or legal person or for reasons of important public interest of the union or a member state.

In order to assert his or her right to restrict processing, the affected person can contact us using the contact data specified above at any time.

(7) Right to data portability

You shall have the right to receive your Personal Data, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another Controller without hindrance from the Controller to which the Personal Data have been provided, where:

  1. the Processing is based on Consent pursuant to lit (a) of Article 6(1) or lit (a) of Article 9(2) of the GDPR or on a contract pursuant to lit (b) of Article 6(1) of the GDPR; and
  2. the Processing is carried out by automated means.

In exercising your right to data portability pursuant to paragraph 1, you shall have the right to have the Personal Data transmitted directly from one Controller to another, where technically feasible. The exercise of the right to data portability shall be without prejudice to the right to erasure (‘right to be forgotten’). That right shall not apply to Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

(8) Right to object

You shall have the right to object at any time, on grounds relating to your particular situation, to Processing of your Personal Data which is based on lit (e) or (f) of Article 6(1) of the GDPR, including Profiling based on those provisions. The Controller shall no longer process the Personal Data unless the Controller demonstrates compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Where Personal Data are processed for direct marketing purposes, you shall have the right to object at any time to Processing of your Personal Data for such marketing, which includes Profiling to the extent that it is related to such direct marketing. If you object to the Processing of your Personal Data for direct marketing purposes, your Personal Data shall not be processed for such purpose anymore.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Where your Personal Data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, you, on grounds relating to your particular situation, shall have the right to object to Processing of your Personal Data, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.

You may exercise your right to object at any time by contacting the Controller.

(9) Automated individual decision-making, including profiling

You shall have the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if such decision:

  1. is necessary for entering into, or performance of, a contract between the Data Subject and the Controller;
  2. is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or
  3. is based on the Data Subject’s explicit Consent.

The Controller shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.

The Data Subject may exercise such right at any time by contacting the Controller.

(10) Right to lodge a complaint with a supervisory authority

In addition, without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the Processing of Personal Data relating to him or her infringes this regulation.

(11) Entitlement to effective judicial remedies

Without prejudice to any other administrative or extrajudicial remedy, including the right of appeal, every data subject shall have the right to lodge a complaint with a supervisory authority in accordance with Article 77 GDPR if the data subject considers that the processing of personal data relating to him or her infringes this regulation.

Use of Google Analytics

  1. This website uses Google Analytics, a web analysis service of Google Inc. (hereinafter referred to as ‘Google’). Google Analytics uses so-called cookies. Cookies are text files which are stored on your computer and enable us to analyse how you use our website. The data on your visits on this website generated by such cookie shall be transmitted to and stored on one of Google’s servers in the USA. If IP anonymisation is activated on this website, Google shall shorten your IP address within the member states of the European Union or in other countries which are parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to one of Google’s servers in the USA and shortened thereafter. Google will use such information in the name of the operator of this website in order to analyse how you use the website, to prepare reports on the website activities and to render other services to the operator of the website in connection with the use of the website and of the internet.
  2. The IP address transmitted by your browser in connection with Google Analytics shall not be combined with other data collected by Google.
  3. You can prevent the storage of the cookies by changing the relevant settings of your browser software; however, please be advised that in such case you might not be able to fully use all of this website’s functions. In addition, you can prevent the collection of your Personal Data in relation to your use of the website as generated by the cookie (incl. your IP address) by Google as well as the Processing of such data by Google by downloading and installing the browser plug-in available at the following link: tools.google.com/dlpage/gaoptout.
  4. This website uses Google Analytics with the add-on ‘_anonymizeIp()’. Based thereon, IP addresses are shortened before Processing, thus excluding any reference to persons. This means, should there be any personal reference to the data collected about you, such reference will be excluded and your Personal Data will be deleted immediately.
  5. We use Google Analytics in order to analyse and improve our website experience. The statistics obtained help us improve our website and make it more interesting for our users. In exceptional cases, your Personal Data will be transmitted to the US and therefore, Google subjected itself to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the Processing of such data is Article 6, para. 1, clause 1, lit f of the GDPR.
  6. Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

    www.google.com/analytics/terms/de.html, overview of data protection: www.google.com/intl/de/analytics/learn/privacy.html, as well as privacy notice: http://www.google.de/intl/de/policies/privacy.
  7. In addition, this website uses Google Analytics for a cross-device analysis of the stream of visitors, effected based on user IDs. In order to de-activate the cross-device analysis of your user behaviour, please go to your customer account, ‘My data’, ‘Personal data’.

Use of Google Maps

  1. We use the services of Google Maps on this website, which enables us to show you interactive maps on the website and to provide you with the use of the map function.
  2. Due to your visit on the website, Google will receive the information that you accessed the relevant page of our website. In addition, the data stipulated in section 3 of this privacy notice shall be transmitted, irrespective of whether you have a user account with Google or not and of whether you are logged in or not. If you are logged in to your Google account, the data will be allocated directly to your account. If you wish to prevent the link between the data and your Google profile, you will have to log out from Google before you click on the button. Google stores your data as user profiles and uses them for marketing, market surveys and to tailor its website to your requirements. Such analysis is made – including without limitation and irrespective of whether you are logged in or not – to show you advertising tailored to your needs and in order to inform other users of the social network of your activities on our website. You have the right to object to the establishment of such user profiles. Please contact Google to exercise such right.
  3. For more information on the purpose and scope of the data collection and Processing by the plug-in provider, please read the privacy notice of the relevant provider, which also contains additional information on your rights and the settings you can make in order to protect your privacy. www.google.de/intl/de/policies/privacy. Google also processes your Personal Data in the USA and is subject to the provisions of the EU-US Privacy Shield: www.privacyshield.gov/EU-US-Framework.

Processor

We employ third-party service providers (Processors), among others for shipping goods, sending newsletters or processing payments. We concluded a separate commissioned data processing contract with any such service provider in order to guarantee the protection of your Personal Data.

We collaborate with the following service providers:

Data centre: Mittwald CM Service GmbH & Co. KG, Königsberger Str. 4-6, 32339 Espelkamp (Germany), Data protection officer: datenschutz(at)mittwald.de