The protection of your personal data is important to us, no matter whether you visit our website, contact us or, which would of course please us the most, become our customer. Below you will find information about which data is stored during your visit to our homepage, when using our web forms and within an existing contractual relationship:
This privacy statement is based on the terms used by the European legislator and regulator when adopting Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: "GDPR"). Our privacy statement should fulfil its task, be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we explain the most important terms in advance as follows:
a) Personal Data
Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Regulations of the GDPR do not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
b) Data Subject
Data subject is any identified or identifiable natural person whose personal data are processed by the controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third Party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
II. Controller und data protection officer
Controller in the sense explained above is
Director: Hannah Bangura
18A Heath Road
Bristol, BS48 1AD
Data protection officer is
Clemens C. Vogelsberg
c/o Office24 Ltd.
E-Mail: [email protected]
III. Data Protection Principles
Our services are based on the trust you place in us. We want to and will justify this trust by taking your data protection concerns very seriously.
Our processes are based on the principles of lawfulness, fairness and transparency as set out in Article 5 para. 1 GDPR. They are subject to strict purpose limitation, the principles of data minimisation and accuracy achieved by storage limitation and establishing integrity and confidentiality.
Only the data required in the respective situation of the person concerned are processed (e.g. as website visitors, interested parties in our services, contractual partners, cf. below III.) and these are only stored as long as they are necessary for achieving the respective purpose or there is a legal obligation to store them.
If the processing of data is not processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) (b) GDPR) or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6 (1) (f) GDPR), data processing shall only take place if the data subject has expressly consented thereto (Article 6 (1) (a) GDPR).
If we use third parties for the provision of our services, this remains limited to those providers that offer sufficient guarantees that the processing is carried out in accordance with the requirements of the GDPR and guarantees the protection of the rights of the person concerned. This is guaranteed by appropriate agreements (Article 28 para. 3 GDPR).
An essential part of our service is the processing of calls, mailings, etc. third parties for our customers in the way of processing by a processor (Article 28 GDPR). In this context, we regularly process personal data which third parties transmit to our customers (telephone numbers, contact data, contents of telephone calls or mailings, etc.). In this case, our customers remain responsible for the data protection compliant handling of this personal data (Article 24 et seqq. GDPR). It is therefore up to you to ensure that these data are handled in accordance with data protection regulations, e.g. by deleting call notifications/post scans or similar with personal data no longer required from your inbox in the web interface/smartphone app provided to you.
In this context, we primarily see our responsibility as processors (Article 28 GDPR) in processing our data in accordance with legal regulations and in providing our clients with the appropriate technical and organisational means to fulfil their data protection obligations, e.g. by assisting them in fulfilling their duties to provide information about stored data to affected persons and enabling them to be easily and definitively deleted, unless these data may or must remain stored for other reasons.
IV. Data collection and processing
1. Website visitors
a) General data collection
Every access to our website and every retrieval of files stored on the website is logged. The storage serves internal system-related and statistical purposes. In particular, the following data is logged:
- browser types and versions used,
- the operating system used by the accessing system,
- the website from which an accessing system reaches our website (so-called referrer),
- the subwebsites which are accessed via an accessing system on our website,
- the date and time of access to the website,
- an Internet Protocol (IP) address,
- the Internet service provider of the accessing system and
- other similar data and information used for security purposes in the event of attacks on our information technology systems.
The logging of this data does not allow any conclusions to be drawn about the person concerned. These are therefore not personal data in the sense mentioned under I. a), therefore no legal basis according to the GDPR is required for their storage (for the IP address see next paragraph). The data is only required to correctly deliver the contents of our website, to optimize the contents of our website as well as the advertising for them, to guarantee the permanent functionality of our information technology systems and the technology of our website and, if necessary, to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned.
Since the IP address of the requesting computer - regardless of whether the user is assigned a fixed ("static") IP address by his provider or a new ("dynamic") IP address" each time he dials in - is now unanimously regarded as a personal date, these are qualified as a precautionary measure and, if necessary, for analysis. and recorded to avoid future misuse, but only up to a period of 14 days in its unabridged version and then at most in a version shortened by the last octet, with which a conclusion on the identity of the requesting computer is also no longer possible. The legal basis for short-term complete storage of the IP address is Article 6 (1) (f) GDPR.
Our website sets "cookies" (small text files with configuration information) which are stored on your computer and enable an analysis of your use of the website. Such cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the person concerned from other Internet browsers that contain other cookies. A particular Internet browser can be recognized and identified by its unique cookie ID.
The person concerned can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common internet browsers. If the person concerned deactivates the setting of cookies in the Internet browser used, not all functions of our Internet site may be fully usable.
c) Google Analytics
Our website uses Google Analytics, a web analysis service of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA ("Google"). We have concluded a corresponding contract with Google Inc. for processing by a processor (Article 28 para. 3 GDPR) (see http://www.google.com/analytics/terms/de.pdf).
In both cases, the IP anonymization of Google Analytics is active. This means that your IP address will previously be cut by Google within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Google assures that the IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data.
Further information on data protection in connection with Google Analytics can be found in the Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=en).
The legal basis for the use of the cookies required for this is Article 6 (1) (f) GDPR. Since no personal data is passed on to Google with the transmission of the data obtained - as described above - no further legal basis for data protection is required.
d) Google Adwords
Our website uses Google AdWords which is also provided by Google (see c. above). If you accessed our website via a Google ad, a cookie is stored on your computer. These so-called "conversion cookies" lose their validity after 30 days and do not serve your personal identification. If you visit certain pages of our website and the cookie has not yet expired, we and Google may recognize that you as a user have clicked on one of our ads placed on Google and have been redirected to our page.
The information collected with the help of the "conversion cookies" is used by Google to generate visit statistics for our website. These statistics show us the total number of users who clicked on our ad and also which pages of our website were subsequently accessed by the respective user. However, we or others who advertise via "Google-Adwords" do not receive any information with which users can be personally identified. You can prevent the installation of "conversion cookies" by making the appropriate settings in your browser, such as browser settings that generally deactivate the automatic setting of cookies or specifically only block cookies from the "googleadservices.com" domain. You can obtain the relevant data protection declaration from Google under the following link: https://services.google.com/sitestats/en.html.
Since no personal data is processed by us, no legal basis according to the GDPR is required.
e) Google Re-Marketing
Our website uses Google Re-Marketing. Google Re-Marketing is an advertising service of Google (cf. C. above) with which we can provide you with targeted advertising of presumed interest based on your usage behaviour during previous visits to our website. This advertisement appears only on Google advertising spaces, either on advertising spaces of Google Adwords or the Google Display Network.
You can object to Google Remarketing in the Google Ads Preferences Manager or edit your settings. Alternatively, you can prevent re-marketing by deactivating cookies in your browser settings.
Since no personal data is processed by us, no legal basis according to the GDPR is required.
2. Users of our web forms, enquiries via other media (e.g. telephone)
Personal data of those interested in our services who have provided them to us via a web form, by telephone or in any other way (in particular name, address, telephone, fax number, e-mail address) will be stored if and as long as they are necessary to provide the information requested or to provide the services requested and the person concerned has not asked us to delete these data before one of these reasons has occurred.
In accordance with Article 6 (1) (f) GDPR in conjunction with sentences 2 and 7 of recital 47 of the GDPR, we assume that if a data transfer is connected with you testing our services free of charge (e.g. via the "live test") a relevant and appropriate relationship can arise between you and our company, as a result of which we may - subject to other legal provisions - also store and use the aforementioned data for the purpose of further contact within the scope of direct marketing. This does not apply if we know or become aware of concrete indications that your interests or fundamental rights and freedoms, which require the protection of your personal data, outweigh the described use. The legal basis for storage in these cases is Article 6 (1) (f) GDPR.
If these conditions are not met, we obtain the express consent (Article 7 GDPR) for storing the data and for use in the aforementioned sense. The data can then also be used for these purposes without the weighing of interests to be carried out according to Article 6 (1) (f) GDPR. The legal basis for this is Article 6 (1) (a) GDPR.
When personal data is transmitted via our web forms, the IP address is stored as described under 1. a. for a short period of time and then anonymised. The legal basis for this is Article 6 (1) (f) GDPR.
4. Office24 customers
a. Within the scope of contract fulfilment, we store the following personal data:
- Inventory data, i.e. the information required to establish and amend the contract about you and the services you have chosen. This includes, for example, all information provided during registration regarding name, address and contact details, bank details and method of payment, the selected tariff and the commissioning of additional services, such as notification by SMS or 24-hour extension. The legal basis for this is Article 6 (1) (b) GDPR.
- Billing data, i.e. the data that we require for billing our services. These include number, time, duration and tariff of incoming and outgoing calls, post-processing time of the respective call notification, type of connection for call forwarding such as long-distance calls, mobile telephony, abroad, initiated measures such as SMS dispatch, fax or e-mail notification, number of received mailings and any special services provided. The legal basis for this is Article 6 (1) (b) GDPR.
- Processing data, i.e. data which are necessary for the provision of the services and which have arisen while providing these services. This includes in particular the information you provide when registering and, if necessary, any additional or changed information about the desired handling of the calls as well as any wishes and complaints you may have expressed to our company etc. The legal basis for this also is Article 6 (1) (b) GDPR.
- Content data, i.e. the data on the calls themselves, time and duration, name and contact data of the caller, his concerns and the information given to him and other measures arranged by us. The legal basis for this also is Article 6 (1) (b) GDPR. As far as these data contain personal data of third parties, concerning whom the customer is contoller towards his callers (Article 4 No. 7 GDPR), we process these data in the way of the processing by processor. The legal basis for this is Article 28 GDPR.
During these processes, too, the IP address is stored as described under 1. a. for a short period of time and then anonymised. The legal basis for this is Article 6 (1) (f) GDPR.
b. Customer newsletter
We send our customers regular customer newsletters with information about product developments and current offers to the e-mail address provided by them, unless they have objected to this. In this newsletter you will be informed that you can object to the use of the e-mail address provided by you at any time.
Unless explicit consent has been given, the legal basis for this is both Article 6 (1) (f) GDPR and Article 95 GDPR in conjunction with Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ("ePrivacy Directive").
4. legitimate interests within the meaning of Article 6 para. 1 letter f GDPR
If the processing of personal data is based on Article 6 (1) (f) GDPR, our legitimate interest lies essentially in the conduct of our business activities for the benefit of both our employees and our shareholders. This also includes the interest in direct advertising (cf. sentences 2 and 7 of recital 47 on the GDPR).
V. Location of data storage
All personal data processed by us is stored exclusively on data processing systems located in the European Union. There is no intention to deviate from this. If, exceptionally, this data is accessed by persons outside the European Union, this will only be done under the following conditions:
a) Access takes place via encrypted transmission paths that protect all personal data against access by third parties in accordance with the current state of the art (e.g. VPN connections),
b) access is taken exclusively by employees of Office24 itself or companies of the Office24-group of undertakings (cf. Article 4 Nr. 19 GDPR).
c) all employees are obliged to data secrecy according to Article 4 para. 2 and have been instructed about their data protection obligations.
VI. Routine deletion and blocking of personal data
We process and store personal data of the data subject only for the period necessary to achieve the storage purpose or insofar as this has been provided for by the European legislator and regulator or another legislator in laws or regulations to which the data controller is subject, for example by tax and commercial law retention periods.
If the storage purpose ceases to apply or if a storage period prescribed by the European legislator and regulator or another competent legislator expires, the personal data is routinely blocked or deleted in accordance with the statutory provisions.
VII. Rights of data subjects
a) Right to confirmation
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to exercise this right of confirmation, he may contact an employee of the controller at any time.
b) Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
- the right to lodge a complaint with a supervisory authority,
- where the personal data are not collected from the data subject, any available information as to their source,
- the existence of automated decision-making, including profiling, referred to in Article 22 (1) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, the data subject has a right of access to information as to whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to obtain information on the appropriate safeguards relating to the transfer.
If a data subject wishes to make use of this right to information, he or she can contact one of our employees at any time at the address [email protected].
c) Right to rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to make use of this right to rectification, he or she can contact one of our employees at any time at the address [email protected].
d) Right to erasure („right to be forgotten“)
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- • the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing,
- the data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR,
- the personal data have been unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject,
- the personal data have been collected in relation to the offer of information society services referred to Article 8 (1) GDPR.
If one of the above-mentioned reasons applies and a data subject wishes to have personal data stored with us deleted, he or she can contact one of our employees at any time by sending an e-mail to [email protected]. Our employee will arrange for the request for deletion to be complied with immediately if there is a legal obligation to do so.
e) Right to restriction of processing
The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
- the data subject has objected to processing pursuant to Article 21 (1) pending the verification whether the legitimate grounds of the controller override those of the data subject..
If one of the above-mentioned reasons applies and a data subject wishes to to request the restriction of personal data stored at Office24, he or she can contact one of our employees at any time by sending an e-mail to [email protected], who will arrange for the processing to be restricted if there is a legal obligation to do so..
f) Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR; and the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 GDPR. That right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability may not adversely affect the rights and freedoms of others.
g) Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions.
We no longer process personal data in the event of an objection unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where we have processed personal data for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
To exercise the right to object, the data subject can contact us directly at [email protected]fice24.co.uk. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
h) Right to withdraw the consent
The data subject has the right to withdraw his or her consent to processing of his or her personal data at any time.
To exercise the right to withdraw his or her consent to processing of his or her personal data, the data subject can contact us directly at [email protected].
VIII. Data protection for applications and in the application process
As far as we process personal data in connection with applications, this happens for the purpose of the completion of the application procedure. Processing may also be carried out electronically. This is particularly the case if an applicant submits corresponding application documents to us by electronic means, for example by e-mail or via a web form on the website. If we conclude an employment contract with an applicant, the data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions.
If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the decision of rejection, unless the applicant has consented to longer retention and no other legitimate interests prevent deletion. Other justified interest of the controller in this sense may, for example, be a burden of proof in proceedings under the Equality Act 2010.