Privacy Policy
The purpose of this Privacy Policy is to inform you of the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. The Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences such as our social media profiles (hereinafter collectively referred to as "Online Offer").
The terms used are not gender-specific.
Status: 3 April 2024
1. Responsible party
Holcim (Deutschland) GmbH
Troplowitzstraße 5
22529 Hamburg, Germany
kommunikation-deu@holcim.com
+49 (0)40 360020
Legal notice: holcim.de
2. Contact Data Protection Officer
Holcim (Deutschland) GmbH
- Data Protection Officer -
Troplowitzstraße 5
22529 Hamburg, Germany
3. Overview of processing operations
The following overview summarizes the types of data processed, the purposes of the processing and the data subjects.
3.1. Types of data processed
Inventory data.
Contact data.
Content data.
Usage data.
Meta, communication and process data.
3.2. Categories of data subjects
Customers.
Employees.
Interested parties.
Communication partners.
Users.
Persons depicted.
Third parties.
3.3. Purposes of the processing
Provision of contractual services and fulfillment of contractual obligations.
Security Measures.
Administrative and organizational procedures.
Manage and respond to requests.
Providing our online services and ease of use.
4. Transfer of personal data
As part of our processing of personal data, it may be transferred or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of such data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we will comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to protect your data.
4.1. Transfer of data within the group
We may transfer or provide access to personal data to other companies within our group. If this transfer is for administrative purposes, the transfer of data is based on our legitimate business and commercial interests, or is necessary to fulfill our contractual obligations, or if the consent of the data subjects or legal permission has been obtained.
4.2. International data transfers
Processing in third countries: Where we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or where the processing takes place in the context of the use of third party services or the disclosure or transfer of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.
If the level of data protection in the third country has been recognised by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data will only be transferred if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), express consent or in the case of a contractually or legally required transfer (Art. 49 para. 1 GDPR). In addition, we will inform you of the basis for transfers to third countries with the individual third country providers, with the adequacy decisions taking precedence. Information on transfers to third countries and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.
EU-US transatlantic data protection framework: In the context of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognised the level of data protection provided by certain companies from the US as adequate in the context of the adequacy decision of 10.07.2023. The list of certified companies and more information about the DPF can be found on the US Department of Commerce website at https://www.dataprivacyframework.gov/. As part of the privacy notice, we will inform you which service providers we use are certified under the Privacy Framework.
5. Data subject rights
As a data subject, you are entitled to various rights under the GDPR, in particular under Art. 15 to 21 GDPR:
5.1. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes, including profiling to the extent that it is related to such direct marketing.
5.2. Right to withdraw consent
You have the right to withdraw your consent at any time.
5.3. Right of access
You have the right to obtain confirmation as to whether or not personal data relating to you are being processed, to obtain information about such data, to obtain further information and to obtain a copy of such data in accordance with the law.
5.4. Right of rectification
In accordance with the law, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
5.5. Right to erasure and restriction of processing
In accordance with the law, you have the right to request that the data concerning you be deleted immediately or, alternatively, that the processing of the data be restricted in accordance with the law.
5.6. Right to data portability
You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request that it be transferred to another controller.
5.7. Complaint to the supervisory authority
In accordance with the legal provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State in which you have your habitual residence, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you is in breach of the GDPR.
6. Video conferencing, online meetings, webinars and screen sharing
We use platforms and applications from other providers (hereinafter referred to as "Conference Platforms") to conduct video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "Conferences"). We comply with legal requirements when selecting conference platforms and their services.
Data processed by conference platforms: In the context of participation in a conference, the conference platforms process the personal data of the participants listed below. The scope of the processing depends on which data is required in the context of a specific conference (e.g. provision of access data or unique names) and which optional information is provided by the participants. In addition to processing for the purpose of organizing the conference, the conference platforms may also process participants' data for security purposes or to optimize the service.
The data processed includes personal data (first name, surname), contact data (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the Internet access, information on the participants' terminal equipment, their operating system, the browser and its technical and language settings, information on the content of the communication processes, i.e. entries in chats as well as audio and video data, and the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically possible by the conference providers. If the participants are registered as users with the conference platforms, further data may be processed in accordance with the agreement with the respective conference provider.
6.1. Logging and recording
If text entries, participation results (e.g. from polls) and video or audio recordings are recorded, the participants will be informed in advance in a transparent manner and, if necessary, asked for their consent.
6.2. Data protection measures for participants
Please take note of the details on the processing of your data by the conference platforms in their data protection notices and select the optimal security and data protection settings for you in the conference platform settings. Please also ensure data and privacy protection in the background of your recording for the duration of a videoconference (e.g. by informing roommates, locking doors and using the function to make the background unrecognizable, if technically possible). Links to the conference rooms and access data must not be passed on to unauthorized third parties.
6.3. Notes on the legal basis
If, in addition to the conference platforms, we also process user data and ask users for their consent to use the conference platforms or certain functions (e.g. consent to record conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. in the case of participant lists, processing of discussion results, etc.). Otherwise, user data is processed on the basis of our legitimate interest in efficient and secure communication with our communication partners.
6.4 Types of data processed
Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
6.5. Data subjects
Communication partners; users (e.g. website visitors, users of online services). Persons portrayed.
6.6. Aims of the processing
Provision of contractual services and fulfillment of contractual obligations; contact requests and communication. Administrative and organizational procedures.
6.7. Legal bases
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
6.8. Further information on processing operations, procedures anf services
Google Hangouts / Meet:
Conferencing and communication software;
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal basis: Legitimate interests (Article 6.1 sentence 1 lit. f) GDPR);
Website: https://hangouts.google.com/;
Privacy Policy: https://policies.google.com/privacy;
Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum.
Basis for transfers to third countries: Data Protection Framework (DPF).
Zoom:
Conferencing and communication software;
Service Provider: Zoom Video Communications, Inc, 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA;
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR);
Website: https://zoom.us;
Privacy Policy: https://explore.zoom.us/docs/de-de/privacy-and-legal.html;
Data Processing Agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA).
Basis for transfers to third countries: Data Protection Framework (DPF).
7. Cloud services
We use software services that are accessible via the Internet and run on the servers of their providers (so-called "cloud services", also referred to as "software as a service") for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with certain recipients or publication of content and information).
In this context, personal data may be processed and stored on the servers of the providers insofar as this is part of the communication processes with us or is otherwise processed by us as described in this Privacy Policy. Such data may include, in particular, master data and contact data of users, data on transactions, contracts, other processes and their content. The cloud service providers also process usage data and metadata, which they use for security purposes and to optimize their services.
If we use the cloud services to provide forms or other documents and content to other users or to publicly accessible websites, the providers may store cookies on the users' devices for the purposes of web analysis or to remember user settings (e.g. in the case of media control).
7.1. Types of data processed
Inventory data (e.g. names, addresses); contact data (e.g. e-mail addresses, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
7.2. Data subjects
Customers; employees (e.g. employees, applicants, former employees); interested parties. Communication partners.
7.3. Purpose of the processing
Administrative and organizational procedures. IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)).
7.4. Legal bases
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
7.5. Further information on processing operations, procedures and services:
Google Cloud Storage:
Cloud storage, cloud infrastructure services and cloud-based application software;
Service Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland;
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR);
Website: https://cloud.google.com/;
Privacy Policy: https://policies.google.com/privacy;
Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum;
Basis for transfers to third countries: Data Protection Framework (DPF).
Further information: https://cloud.google.com/privacy.
8. Changes and updates to the privacy policy
We encourage you to periodically review the contents of our Privacy Policy.
We will amend the Privacy Policy whenever changes in the way we process data make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
Where we provide addresses and contact information for companies and organizations in this Privacy Policy, please note that the addresses may change over time and you should check the information before contacting us.