INDIVIDUAL PROCESSING OPERATIONS
1. Setting up and operating a website
a) Nature and extent of data processing
RSU (or its web space provider) collects data on every instance in which the website is accessed (referred to as server log files). The data collected include: domain, IP address, name of website retrieved, file, date and time of retrieval, amount of data transmitted, information on success of retrieval, type and version of browser, user’s operating system, referrer URL (site previously visited) and requesting provider.
RSU only uses the log data for statistical evaluation in support of the operation, protection and optimisation of the website. However, RSU reserves the right to check the log files at a later time if there are specific indications of illegal use.
b) Legal basis
This processing of data is based on Article 6(1)(f) of the GDPR. It is necessary for operating a website and thus for pursuing a legitimate interest of our company.
You may object to this processing at any time for reasons arising from your special situation. If you do, RSU will stop processing these personal data unless it has compelling and legitimate reasons which take priority over the interests, rights or liberties affected or it is necessary to process these data for asserting, exercising or protecting legal claims.
c) Storage period
Recording the data required for operating the website and saving the data in log files is indispensable for operating an Internet page. Your personal data will be erased as soon as they are no longer needed for the aforementioned purpose. If personal data are saved in log files, they are erased after three days. Data may be stored more extensively in individual cases if this is required by law.
2. Enabling people to contact RSU
a) Nature and extent of data processing
If you contact RSU via contact form or by e-mail, the information you provide is stored for the processing of your inquiry and in case further questions arise.
b) Legal basis
This processing of personal data is generally based on Article 6(1)(f) of the GDPR. Our legitimate interest referred to in this provision is to answer inquiries from people interested in RSU. We may even have a legal obligation to do so, in which case the relevant legal basis is Article 6(1)(c) of the GDPR.
c) Storage period
Once the personal data gathered in this context are no longer needed, they will be erased or their processing will be restricted if they must be stored by law. You may object to the future processing of your personal data at any time when contacting RSU.
3. Employment applications
a) Nature and extent of data processing
We process the personal data of applicants during the application process. Applications can be submitted to us via our application portal or by e-mail.
The data that you provide to us during the application process will be processed solely for the purposes of this process and will be made available only to the individuals involved. The application portal is operated by comvaHRo GmbH (85630 Grasbrunn), which acts as a processor on our behalf as referred to in Article 28 of the GDPR.
b) Legal basis
The legal basis for processing personal data for this purpose is Article 6(1)(b) of the GDPR in conjunction with Article 88 of the GDPR and § 26 of the Bundesdatenschutzgesetz as processing the data is necessary for performing an agreement to which the data subject is a party or for carrying out preliminary measures to an agreement upon an inquiry made by the data subject.
c) Storage period
The data will be erased after six months. Applicants may withdraw their application at any time. If they do so, their application documents are disregarded in the further application process and are erased unless they must be stored by law.
4. Direct marketing (such as newsletters and customer surveys)
4.1. Newsletter subscription and event registration
a) Nature and extent of data processing
On our website you can subscribe to receive newsletters by e-mail and register for events. In this context, the data you provided via the input mask and the date and time of registration are transmitted to us. For the processing of the data, your consent is obtained during registration and reference is made to this Privacy Policy.
In order to verify that a registration for the sending of a newsletter is made by the actual owner of an e-mail address, we use the so-called “double opt-in” procedure. After registration, you will receive an email in which you are asked to confirm your subscription. This confirmation is necessary to avoid anyone using others’ email addresses for the registration. Hence, the registration process is only completed once the confirmation link in the confirmation e-mail has been activated. In this context, date and time of activation of the confirmation link are transmitted to us.
You can unsubscribe from the newsletter at any time by using the unsubscribe link contained in each newsletter or by contacting us using the contact details provided above.
If you also provide us with your telephone number as part of your event registration or participation, your consent also extends to being contacted by telephone for marketing and sales purposes. You can also object to this processing at any time.
b) Legal basis
The processing of personal data is based on Art. 6 (1) lit. a) GDPR following the consent given by you.
c) Storage period
Please note that if you withdraw your consent, we will retain the data relating to the consent until the expiry of the statutory limitation period (three calendar years after the last e-mail newsletter was sent in accordance with Section 195 of the German Civil Code (BGB)) in order to be able to defend ourselves legally if necessary. In this context, the duty of accountability takes precedence over the duty of erasure for this period (Art. 17 (3) lit. e) GDPR). The legal basis for the retention of consent data is Art. 6 (1) lit. c) in conjunction with Art. 5 (1) lit. a), (2), Art. 7 (1) GDPR and Art. 6 (1) lit. f) GDPR.
4.2. E-mail newsletters and customer surveys in the context of an existing customer relationship
a) Nature and extent of data processing
If you are a customer of RSU and provide us with your e-mail address, we may subsequently use it to send you an e-mail newsletter or other marketing messages (such as customer surveys) if you have not objected to such use. In such a case, the e-mail address will only be used to send direct advertising for our own similar goods or services (such as surveys pertaining to RSU services that you have been using). You can object to the use of your e-mail address at any time, without incurring any costs other than the transmission costs according to the basic rates, by using i.e. the unsubscribe link contained in every newsletter or by contacting us at the above-mentioned contact details.
b) Legal basis
The legal basis for sending the newsletter or conducting customer surveys as a result of the sale of goods or services is our legitimate interest pursuant to Art. 6 (1) lit. f) GDPR.
c) Storage period
Please note that if your data has already been used for the sending of email advertising during an existing customer relationship, we will retain the data in the event of an objection to further advertising use until the expiry of the statutory limitation period (based on Section 7 (3) of the German Unfair Competition Act (UWG) in accordance with § 195 BGB, three calendar years after the last advertising email was sent) in order to be able to defend ourselves legally if necessary. The duty of accountability takes precedence over the duty of erasure for this period (Art. 17 para. 3 lit. e) GDPR). The legal basis for the retention of consent data is Art. 6 (1) lit. c) in conjunction with Art. 5 (1) lit. a), (2), Art. 7 (1) GDPR and Art. 6 (1) lit. f) GDPR.
4.3. Newsletter Analytics/Tracking
A statistical analysis of usage data may be carried out for our newsletters. For this purpose, we may record both the openings of the e-mail and the internal clicks. This information serves the purpose of measuring and optimizing the success of our newsletter campaigns by making the newsletter content more relevant to our target group.
The legal basis for this analysis is your consent pursuant to Art. 6 (1) lit. a) GDPR.
4.4. Newsletter Service Provider
The newsletter is sent via the service provider “Brevo”. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. The data collected is stored on Brevo’s servers in the EU. Brevo uses this information to send the newsletter on behalf of RSU.
You can find more information about Brevo’s privacy policy here: https://www.brevo.com/legal/privacypolicy/
5. Establishment, exercise or defence of legal claims
a) Nature and extent of data processing
In the context of the establishment, exercise or defence of legal claims, we process your personal data to refute unfounded claims and enforce claims and rights.
b) Legal basis
The legal basis for processing your personal data to establish, exercise or defend legal claims is our legitimate interest as referred to in Article 6(1)(f) of the GDPR.
c) Storage period
Your personal data will be erased as soon as they are no longer needed for the purposes for which they have been collected.
6. Whistleblowing system
a) Nature and extent of data processing
For confidential communication with whistleblowers according to the German Whistleblower Protection Act (HinSchG), RSU uses a digital whistleblower system of the service provider ‘Compliance.One’. This provider also assumes the function of the internal reporting office as ombudsperson.
The whistleblower system enables the submission of anonymous reports for which no personal data of the whistleblower is collected or otherwise processed. However, depending on the content of the submitted report and any accompanying documents, it cannot be ruled out that personal data of the whistleblower or of other persons named in the report will be processed.
b) Legal basis
Art. 6 (1)(c) of the GDPR in conjunction with Section 10 of the German Whistleblower Protection Act (HinSchG) forms the legal basis.
Further information can be found in the privacy policy for the whistleblower system at https://platform.compliance.one/case/legal/150/7a78fa9a77b2/
7. Electronic Signatures (DocuSign)
a) Nature and extent of data processing
RSU uses DocuSign software for the digital signature of contracts. The provider of this service is DocuSign International (EMEA) Limited, Hanover Quay, Grand Canal Dock, Dublin, Ireland. As part of the service, you will receive an email with a link that enables you to submit a legally valid and binding digital signature on the DocuSign platform.
In connection with the digital signature, the personal data listed in the documents to be signed will be processed. This includes, in particular, the name, e-mail address, device and transaction data.
You can find more information on data protection at DocuSign here: https://www.docusign.com/privacy
b) Legal basis
The legal basis for the processing is our legitimate interest as referred to in Article 6(1)(f) of the GDPR. We have a legitimate interest in digitizing our processes and in offering a digital method to conclude contracts. The use of your e-mail address serves to send the relevant information and to facilitate the process of obtaining the necessary signatures and documents.
All personal data remains in data centers in the EU. No personal data leaves the EU; only transaction data required for billing and worldwide access to DocuSign services is transferred to the US. To this end, the transfer takes place on the basis of the certified DocuSign Binding Corporate Rules (BCRs) and the EU Standard Contractual Clauses (SCCs).
c) Storage period
Your personal data will be deleted as soon as it is no longer required for the respective purpose and the legally regulated retention periods have expired.