We care about your privacy.
The controller as referred to in the EU General Data Protection Regulation (GDPR) and other, national data protection laws of the member states as well as other regulations on data protection is:
RSU GmbH & Co. KG
Karlstraße 35
80333 München
Germany
4HV6+MJ
Tel +49.(0)89.442340-0
Fax +49.(0)89.442340-999
infos@rsu.one
You can reach our data protection officer by e-mail at Datenschutzbeauftragter@rsu.one.de, by regular mail by adding “der Datenschutzbeauftragte” to our postal address or by telephone at +49 89/442340-0.
The present text is to inform users about the nature, extent, and purpose of the processing of personal data by RSU GmbH & Co. KG, Karlstraße 35, 80333 München (hereinafter: “RSU”). The relevant statutory provisions on data protection are contained in the GDPR.
Since changes in legislation or to our internal processes may require us to amend this data protection statement from time to time, we would ask you to check this statement regularly.
“Personal data” as defined in Article 4 of the GDPR means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more specific properties. For example, personal data include the name, e-mail address, telephone number or IP address of an individual.
Information which we cannot connect to you (or which we could only connect to you at disproportionate cost), for example because it has been anonymized, is not personal data. Any processed personal data will be erased once the purpose of the processing has been achieved and there is no legal requirement to store the data any more.
RSU will only process personal data if this is legal or the data subject agrees to the collection of the data. In case we process your personal data, the concrete operations, extent and purpose of and legal basis for the processing and the time for which the data are stored are stated below.
1. Setting up and operating a website
a) Nature and extent of data processing
RSU (or its web space provider) collects data on every instance in which the website is accessed (referred to as server log files). The data collected include: domain, IP address, name of website retrieved, file, date and time of retrieval, amount of data transmitted, information on success of retrieval, type and version of browser, user’s operating system, referrer URL (site previously visited) and requesting provider.
RSU only uses the log data for statistical evaluation in support of the operation, protection and optimisation of the website. However, RSU reserves the right to check the log files at a later time if there are specific indications of illegal use.
b) Legal basis
This processing of data is based on Article 6(1)(f) of the GDPR. It is necessary for operating a website and thus for pursuing a legitimate interest of our company.
You may object to this processing at any time for reasons arising from your special situation. If you do, RSU will stop processing these personal data unless it has compelling and legitimate reasons which take priority over the interests, rights or liberties affected or it is necessary to process these data for asserting, exercising or protecting legal claims.
c) Storage period
Recording the data required for operating the website and saving the data in log files is indispensable for operating an Internet page. Your personal data will be erased as soon as they are no longer needed for the aforementioned purpose. If personal data are saved in log files, they are erased after three days. Data may be stored more extensively in individual cases if this is required by law.
2. Enabling people to contact RSU
a) Nature and extent of data processing
If you contact RSU via contact form or by e-mail, the information you provide is stored for the processing of your inquiry and in case further questions arise.
b) Legal basis
This processing of personal data is generally based on Article 6(1)(f) of the GDPR. Our legitimate interest referred to in this provision is to answer inquiries from people interested in RSU. We may even have a legal obligation to do so, in which case the relevant legal basis is Article 6(1)(c) of the GDPR.
c) Storage period
Once the personal data gathered in this context are no longer needed, they will be erased or their processing will be restricted if they must be stored by law. You may object to the future processing of your personal data at any time when contacting RSU.
3. Employment applications
a) Nature and extent of data processing
We process the personal data of applicants during the application process. Applications can be submitted to us via our application portal or by e-mail.
The data that you provide to us during the application process will be processed solely for the purposes of this process and will be made available only to the individuals involved. The application portal is operated by comvaHRo GmbH (85630 Grasbrunn), which acts as a processor on our behalf as referred to in Article 28 of the GDPR.
b) Legal basis
The legal basis for processing personal data for this purpose is Article 6(1)(b) of the GDPR in conjunction with Article 88 of the GDPR and § 26 of the Bundesdatenschutzgesetz as processing the data is necessary for performing an agreement to which the data subject is a party or for carrying out preliminary measures to an agreement upon an inquiry made by the data subject.
c) Storage period
The data will be erased after six months. Applicants may withdraw their application at any time. If they do so, their application documents are disregarded in the further application process and are erased unless they must be stored by law.
4. Direct marketing
a) Nature and extent of data processing
We process your personal data for purposes of direct marketing by regular mail or e-mail. Normally we collect the personal data from you directly. In addition, we process personal data that we have obtained from publicly accessible sources and that we are permitted to process.
b) Legal basis
The aforementioned purpose constitutes our legitimate interest in processing such data in accordance with Article 6(1)(f) of the GDPR. You have a general right to object to the processing of your personal data for direct marketing purposes according to Article 21(3) of the GDPR, with which we will comply without any need for you to invoke special circumstances. You can therefore object to such direct marketing at any time pursuant to Article 21(2) of the GDPR.
c) Storage period
Your personal data will be erased as soon as they are no longer necessary for achieving the purpose for which they were collected, which is the case, in particular, if you object to our processing of your personal data.
5. Establishment, exercise or defence of legal claims
a) Nature and extent of data processing
In the context of the establishment, exercise or defence of legal claims, we process your personal data to refute unfounded claims and enforce claims and rights.
b) Legal basis
The legal basis for processing your personal data to establish, exercise or defend legal claims is our legitimate interest as referred to in Article 6(1)(f) of the GDPR.
c) Storage period
Your personal data will be erased as soon as they are no longer needed for the purposes for which they have been collected.
6. Whistleblowing system
a) Nature and extent of data processing
For confidential communication with whistleblowers according to the German Whistleblower Protection Act (HinSchG), RSU uses a digital whistleblower system of the service provider ‘Compliance.One’. This provider also assumes the function of the internal reporting office as ombudsperson.
The whistleblower system enables the submission of anonymous reports for which no personal data of the whistleblower is collected or otherwise processed. However, depending on the content of the submitted report and any accompanying documents, it cannot be ruled out that personal data of the whistleblower or of other persons named in the report will be processed.
b) Legal basis
Art. 6 (1)(c) of the GDPR in conjunction with Section 10 of the German Whistleblower Protection Act (HinSchG) forms the legal basis.
Further information can be found in the privacy policy for the whistleblower system at https://platform.compliance.one/case/legal/150/7a78fa9a77b2/
We use the open source web analytics service Matomo (previously named Piwik, a service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769). With this tool we gather and analyze anonymized data about how our website is used. This allows us among other things to find out which web pages have been accessed, when and from which area.
The legal basis for our use of this analytical tool is article 6(1)(f) of the GDPR because we have a legitimate interest in analyzing how people use our website so that we can optimize it and adapt it to the users’ needs on a continuous basis.
Protecting your data matters to us, which is why we perform IP anonymization when using Matomo. This means that your IP address is truncated before any analysis takes place so that it can no longer be clearly linked to you.
Further, we only use our own servers to host Matomo to ensure that all data gathered remain in our possession and are not shared with anyone else.
You can prevent your actions on this website from being analyzed and put into context. This will protect your privacy but will also prevent the operator from learning from your actions and improving your and other people’s user experience.
You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.
a) Nature and extent of data processing
We use cookies on our website. Cookies are small files that are sent to and stored in your browser when you visit our website. Some of the functions of our website cannot be provided without using specific cookies.
The following cookies are used on our website:
• Session cookie (JSESSIONID): saves the user’s page request status for the application form
• Language selection cookie (wp-wpml_current_language): indicates the country code inferred from the user’s IP address; this determines the language used
b) Legal basis
The legal basis for the processing of cookies that are necessary for technical reasons is our legitimate interest in the processing of personal data according to article 6(1)(f) of the GDPR.
c) Storage period
The data provided to us through cookies are erased as soon as they are no longer needed for the purposes described above, in particular when the cookies are deactivated. Data may be stored more extensively in individual cases if this is required by law.
d) Browser configuration
You can manage cookies by defining the relevant settings below or by configuring your browser according to your preferences. Most browsers are pre-configured to accept cookies by default. You may, however, configure your browser to accept only certain cookies or even none at all. Note that you may not be able to use all functionalities of our website if cookies are deactivated through your browser settings. Your browser settings also allow you to delete cookies already stored in your browser or check the storage period of cookies. You can also configure your browser to inform you before cookies are stored. Since browsers may differ in their functionalities, we ask you to refer to your browser’s help menu for details. If you would like to get a complete list of all external connections established with your browser, we recommend that you install a dedicated plug-in for this purpose.
e) Refusing cookies
Note that you may not be able to use all functionalities of our website if cookies are deactivated through your browser settings.
Our website contains hyperlinks to RSU’s pages on LinkedIn and XING. The websites of LinkedIn and XING are subject to the data protection provisions of these service providers.
If we process your personal data, you are a data subject and have the following rights with regard to the personal data concerning you:
Pursuant to Article 15 of the GDPR you are entitled to information about the personal data processed by us. In particular, you are entitled to information on the purposes for which the data are processed, the categories of personal data processed, the categories of recipients to which your data are or were disclosed, the period for which the data are intended to be stored, any existing right to rectification, erasure or restriction of processing, right to object or right to lodge a complaint, the source of your data if your data have not been collected at our company, and any transfer made to a third country or an international organisation. You are also entitled to information about whether there is an automated decision-making system, including profiling, and to meaningful details on any such system.
Pursuant to Article 16 of the GDPR you are entitled to have any inaccurate personal data about you that we have stored corrected and to have any incomplete personal data about you that we have stored completed without undue delay.
Pursuant to Article 17 of the GDPR you are entitled to have your personal data stored by us erased unless processing the data is necessary for exercising freedom of speech and information, complying with legal obligations or establishing, exercising or defending legal claims or is in the public interest.
Pursuant to Article 18 of the GDPR you may have the way in which we can process your personal data restricted if you contest the accuracy of the data, the data are processed unlawfully or we do not need the data any more and you object to their erasure because you need them for the establishment, exercise or defence of legal claims. This applies even if you have objected to the processing of your personal data on the grounds set forth in Article 21 of the GDPR.
Pursuant to Article 20 of the GDPR you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format or to have the data transmitted to a different controller.
Pursuant to Article 21 of the GDPR you have the right to object to the processing of your personal data based on Article 6(1)(e) or (f) of the GDPR for reasons arising from your special situation. If you do, RSU will stop processing these personal data unless it has compelling and legitimate reasons which take priority over the interests, rights or liberties affected or it needs to process these data for asserting, exercising or protecting legal claims. Further, you have a general right to object to the processing of your personal data for direct marketing purposes according to Article 21(3) of the GDPR, with which we will comply without any need for you to invoke special circumstances.
Pursuant to Article 7(3) of the GDPR you may withdraw your consent at any time, in which case we are prohibited from processing the data based on such consent in the future.
Pursuant to Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority. As a rule, this may be the competent authority at your habitual residence, your place of work or our registered seat. The supervisory authority responsible for RSU in matters of data protection is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 27
91522 Ansbach
Germany
Telefon: +49 (0) 981 53 1300
Telefax: +49 (0) 981 53 98 1300
E-Mail: poststelle@lda.bayern.de
We undertake to protect your privacy and treat your personal data as confidential. To prevent any manipulation, loss or abuse of the data stored in our systems we take extensive technical and organisational precautions, which we check and update in line with technological progress on a regular basis. This includes the use of acknowledged encryption methods (SSL or TLS). However, please be aware that due to the structure of the Internet there may be persons or institutions outside our area of responsibility which disregard data protection rules or fail to observe the aforementioned precautions. In particular, third parties may have access to data that are made available unencrypted, for example via e-mail. We have no way of preventing this by technical means. Users are responsible for protecting the data they make available, for example by means of encryption.
Munich, 26.09.2022
