Data protection statement under the EU General Data Protection Regulation
The following information provides an overview about our processing of personal data and our customers’ rights under data protection law. What specific data are processed and how they are used largely depends on the specific services that are utilized.
Please also share the information with current and future authorized representatives and those with financial authority, as well as any others obligated under business relationships with us.
I. Controller for data protection and Data Protection Officer
The controller is:
BALT GERMANY GmbH
Telephone: +49 211/ 58 58 81-0
You can reach our Data Protection Officer at:
BALT GERMANY GmbH
Telephone: +49 211/ 58 58 81-0
II. Sources and data used
1. Personal data
We process personal data which we receive from our customers in the course of our business relationship. Where necessary, we also process personal data which we have lawfully received from other companies or other third parties (e.g., to carry out orders, satisfy agreements, or based on consent given). In addition, we process personal data which we have lawfully received from publicly available sources (e.g., land registers, commercial registers, business registers, press, media, Internet) and are permitted to process.
Relevant personal data may include:
Name, address and other contact information (telephone, e-mail address), date of birth, place of birth, sex, nationality, marital status, legal competence, professional group key, type of partner (dependent/independent), residential status (rent/own, identification information, authentication information, taxpayer ID, SCHUFA score.
In addition to the data named above, other personal data may be collected, processed, and stored when concluding agreements and using our products or services. Such data essentially include:
2. Anonymized data
For statistical analysis purposes information is collected, stored, and utilized when visiting this website regarding your IP address, time and date of access, the previously visited website (referrer URL), the type and version of browser used, and operating system version. This collected data are anonymized and used exclusively to optimize our website as well as analyzed for statistical purposes. We reserve the right to create pseudonymized usage profiles.
3. Cookies and access data
Cookies are text files that are stored on your hard drive for a certain length of time when visiting a website or accessing a service (such as a plug-in). If you visit the website again, the cookie notifies the server that there was already a connection with that PC, along with other data stored in the cookie (such as a unique cookie ID). The server can exploit the information so obtained. Cookies are intended to control ad displays or improve navigation on the website.
By using our website you give your consent for the collection, processing, and utilization of your data in the described manner and for the named purpose, including by the indicated third-party providers.
4. Third-party services and content
It is possible for third-party content to be integrated, for instance videos on YouTube, map information from Google Maps, or graphics from other websites.
This always requires that the providers of that content (referred to hereinafter as “third-party providers”) perceive the user’s IP address since without the IP address the content cannot be sent to the particular user’s browser. The IP address is therefore required for presentation of this content. We have no control over whether the third-party providers store your IP address and other information (e.g., for statistical purposes). Please see the data protection information of the various listed third-party providers for this information.
Third-party providers may be replaced over the course of time; likewise, third-party providers may be removed or added. The respective published version of the data protection statement applies at all times.
We refer by hyperlink to the content of our Facebook profiles on the Facebook social network (provider: Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA).
You can identify our links to content concerning the Facebook service by the corresponding label. When you click the link a connection is established between your browser and the Facebook server. This gives Facebook the information that you visited our site with your IP address. If you click the Like button on the Facebook site while logged in with your Facebook account, the relevant content on our website becomes linked to your Facebook profile and matched to your account. According to information from Facebook, only an anonymized IP address is stored in Germany. Additional information can be found in Facebook’s data protection statement (http://de-de.facebook.com/policy.php).
If you do not want Facebook to be able to match the visit to our Facebook page to your Facebook user account, please log out of your Facebook user account beforehand.
More information on Facebook’s collection and use of the data, your related rights, ways to protect your privacy can be found in Facebook’s data protection information at http://de-de.facebook.com/privacy/explanation.php.
There are also various tools by third-party producers that can block Facebook content using a browser add-on. More information is available online at http://webgraph.com (click on “Facebook Blocker”).
BALT GERMANY GmbH utilizes the functions of the short-message service provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103 U.S.A. The controller for processing the data of persons living outside the United States is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.
Please note that you use the Twitter short-message service offered here and its functions on your own responsibility. This applies especially to use of the interactive functions (e.g., share, rate).
Information about what data twitter processes and what purposes it is used for can be found in Twitter’s data protection statement: https://twitter.com/de/privacy.
By using Twitter your personal data are collected, transferred, stored, revealed, and used by Twitter Inc., and regardless of your place of residence are transferred to the United States, Ireland, and every other country in which Twitter Inc. does business, and are stored and utilized there.
Twitter processes the data you voluntarily enter, such as name and user name, e-mail address, telephone number, or contacts in your address book if you upload or sync it. At the same time, however, Twitter also analyzes the content shared by you to determine what subjects you are interested in, stores and processes confidential messages you send directly to other users, and can determine your location using GPS data, information concerning wireless networks, or via your IP address in order to send you advertising or other content.
We wish to inform you that in some circumstances Twitter uses analysis tools such as Twitter or Google Analytics to analyze this information. BALT GERMANY GmbH has no control over the use of such tools by Twitter Inc., nor was it informed of any such potential use. Furthermore the information gained by Twitter from the analysis is not made available to BALT GERMANY GmbH . Only certain nonpersonal information about Tweet activity, such as the number of profile or link clicks through a certain Tweet, is visible for BALT GERMANY GmbH through your account.
Twitter also receives information from you when you view content, for instance, even if you have not created an account. These so-called log data may consist of the IP address, browser type, operating system, information on the previously accessed website and the pages accessed by you, your location, your mobile telephony provider, the device you use (including device ID and application ID), the search terms you use, and cookie information.
You can restrict the processing of your data in the general settings for your Twitter account and in the section, “Data protection and security.” In addition, you can limit Twitter’s access to contact and calendar data, photographs, location data, etc. in the settings of mobile devices.
More information on these topics is available on the following Twitter support pages:
Information on the available possibilities for personalization and data protection settings can be found here: https://twitter.com/personalization
We wish to inform you that the data you enter on Twitter, particularly your username and the content published under your account, is processed by us inasmuch as we may retweet your Tweets, reply to them, or write Tweets for our part that refer to your account. In this way the data you freely publish and distribute on Twitter are integrated into the content by BALT GERMANY GmbH and made available to the followers. More information on Twitter and other social networks and how you can protect your data is also available at www.youngdata.de.
III. Purpose of data processing and legal basis
We process the personal data named above in conformance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Data Protection Law (BDSG):
1. To satisfy contractual obligations (GDPR Art. 6  [b])
Personal data are processed in order to provide goods and services in connection with implementing our agreements with our customers or to carry out pre-contractual steps in response to inquiries by our customers.
The purpose of the data processing depends on the concrete contractual conditions concerning goods and services, and may include needs analysis, consulting, and performing contractually agreed services, among other things. Further details on the purpose of the data processing can also be found in the particular contractual documents and terms and conditions.
2. In the course of weighing different interests (GDPR Art. 6  [f])
If necessary, we also process data beyond actual fulfillment of the agreement in order to preserve our justified interests or those of third parties. For example:
• Consultations from and exchange of data with information bureaus
• Procedures for needs analysis and direct customer messaging
• Advertising or market and opinion research, unless the customer objects
• Asserting claims and defense in legal disputes
• Ensuring IT security and IT operations in our company
• Preventing criminal activity
• Building and plant security measures (e.g., access controls)
• Steps to enforce property rights
• Steps for business control and further development of services and products
• Risk control in the corporate group
3. Based on consent given (GDPR Art. 6  [a])
Where we have been given consent to process personal data for certain purposes (e.g., sharing data within the corporate group), the lawfulness of such processing is based on the consent. Once given, consent may be revoked at any time. This also applies to revoking statements of consent given to us before the EU General Data Protection Regulation took effect, i.e., before May 24, 2018. Note that the revocation is only effective for the future. It does not affect processing that occurred before the revocation. A status summary of consent statements given to us can be requested at any time.
4. Based on legal requirements (GDPR Art. 6  [c]) or in the public interest (GDPR Art. 6  [e])
We also process personal data where required by law. This includes such requirements as age and identity verification, fraud and money laundering prevention, fulfilling tax controlling and reporting requirements, and evaluating and controlling risks in our own company.
IV. Data access and sharing
Within our company, offices have access to data that need it in order to satisfy our contractual and legal obligations. Service providers and agents we use may also receive data for these purposes if they conform to our written data protection instructions. These are largely companies in the categories listed below.
We fundamentally treat the data we collect as confidential. We will share information about our customers and their data only if legal regulations require it, the customer has given consent, or commissioned processors we hire guarantee compliance and conformity with the specifications of the EU General Data Protection Regulation/the German Data Protection Law.
On these conditions recipients of personal data may, for instance, include:
• Public offices and institutions such as financial regulatory agencies if there is a legal or regulatory requirement
• Affiliated enterprises, comparable institutions, and commissioned processors with whom we share personal data to conduct the business relationship with our customers. Specifically: support/maintenance of data processing/IT applications, archiving, document processing, call-center services, compliance services, controlling, data screening, data destruction, purchasing/procurement, collection, customer management, lettershops, marketing, media technology, reporting, research, risk controlling, billing, telephony, website management, financial auditing services, payment processing.
Data recipients may also include offices for which we have received consent to share data.
V. Sending data to third countries or international organizations
Data are transmitted to countries outside the EU or EEA (so-called third countries) only when this is necessary in order to carry out orders we receive, when it is legally required (e.g., tax reporting requirements), when we were given consent, or as part of commissioned data processing. If service providers are used in the third country, they are required to conform to the level of data protection in Europe through agreement of the EU standard contracting clauses in addition to written instructions.
VI. Length of data storage
We process and store personal data as long as necessary for fulfillment of our contractual and legal obligations. That may be a period of several years in case of long-term obligations.
If the data are no longer needed for fulfilling contractual or legal obligations, they are regularly deleted unless it is necessary to continue processing them for a limited time for the following purposes:
• To satisfy storage requirements under commercial or tax law, for instance the commercial code, fiscal code, money laundering law, etc. The storage and documentation periods specified there range from two to ten years.
• To preserve evidence within the bounds of time limitation regulations. Under Sections 195ff. of the German Civil Code, these limitation periods can be as long as 30 years, though the regular limitation period is three years.
VII. Data protection rights of data subjects
Each data subject has a right of information under GDPR Art. 15, the right of correction under GDPR Art. 16, the right of deletion under GDPR Art. 17, the right to restrict processing under GDPR Art. 18, the right to object under GDPR Art. 21, and the right of data portability under GDPR Art. 20. The rights of information and deletion are governed by the limitations set forth in BDSG Sections 34 and 35. In addition there is a right to file grievances with a data protection authority (GDPR Art. 77 in conjunction with BDSG Section 19).
Once given to us, consent to process personal data may be revoked at any time. This also applies to revoking statements of consent given to us before the EU General Data Protection Regulation took effect, i.e., before May 24, 2018. Note that the revocation is only effective for the future. It does not affect processing that occurred before the revocation.
VIII. Duty to make data available
As part of a business relationship, the customer must make the personal data available which we need to begin and implement a business relationship and meet the associated contractual obligations, or which we are legally required to collect. Without such data we must reserve the right to decline to conclude the agreement and carry out an order, or to stop implementing and possibly terminate an existing agreement.
Particularly under legal regulations to combat money laundering, there may be a requirement to identify our customers and business partners before establishing a business relationship, for instance using the personal ID card, and to collect and record the name, date and place of birth, nationality, and home address. To satisfy this type of legal obligation, our customers are required by Section 4 (6) of the Money Laundering Act to make the necessary information and documents available to us and to promptly notify us of any changes occurring in the course of the business relationship.
IX. Automated decision-making
Pursuant to GDPR Art. 22 we fundamentally do not use a fully automated decision-making process when establishing and implementing the business relationship. If we use such methods in an individual case, we will give separate notice in advance where required by law.
We process data in a partially automated process with the goal of rating certain personal aspects (profiling). For instance, we use profiling in the following cases:
• Based on legal requirements, for instance to combat money laundering and fraud. Data analysis may also be performed in the process (including payment transactions); such steps also serve to protect our customers.
• We use analysis instruments to provide targeted information about products and for consulting. These allow communication and advertising appropriate for the need, including market and opinion research.
XI. Right of objection under GDPR Art. 21
1. Right of objection for an individual case
You have the right to object, due to reasons resulting from your special situation, to the processing of personal data relating to you that is performed on the basis of GDPR Art. 6 (1) (e) (Data processing in the public interest) and GDPR Art. 6 (1) (f) (Data processing on the basis of weighing different interests); this also applies to profiling based on this provision within the meaning of GDPR Art. 4 (4).
If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling reasons requiring protection for the processing that outweigh your interests, rights, and freedoms, or unless the processing serves the purpose of asserting, exercising, or defending legal rights and claims.
2. Right of objection to data processing for advertising purposes
In individual cases we process your personal data in order to conduct direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising.
If you object to the processing for direct advertising purposes, we will no longer process your personal data for those purposes.
The objection does not require a specific form and should be lodged by telephone if possible at telephone number +49 211/ 58 58 81-0, or alternatively may be filed in our offices.