Data Privacy Statement

for the Company Register

This Data Privacy Statement informs you about the processing of personal data in the Company Register and when visiting our website pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (henceforth referred to as "GDPR"), Section 25 of the German Telecommunications Digital Services Data Protection Act (henceforth referred to as "TDDDG") and other data protection regulations.

1. Description of how we process data

We process personal data in the scope of performing statutory tasks and providing the information, content and services of the Company Register. This includes, in particular, keeping and providing the register, enabling public retrieval and search functions, and other services and transactions that require prior identification or registration.

In addition to this, we process personal data to provide the services of the Company Register, in particular the execution, receipt and electronic submission of documents subject to disclosure, as well as the provision of other, in some cases chargeable, register-related services. This processing is performed on the basis of the relevant legal provisions of the German Commercial Code (henceforth referred to as "HGB") and the German Company Register Regulation (henceforth referred to as "URV") and can be utilised through various communication and access channels, in particular electronically.

2. Controller

Bundesanzeiger Verlag GmbH
Amsterdamer Str. 192
50735 Köln (Germany)

Telephone: +49 (0)221 / 97668-0
Fax: +49 (0)221 / 97668-278
Email: service@bundesanzeiger.de

3. Purposes and legal basis of data processing

3.1. Purpose of processing

3.1.1. Keeping the Company Register / performing public tasks

We process personal data in order to receive, review, process and properly document transactions in the scope of keeping the Company Register. This includes, in particular, assigning transactions to the relevant persons or organisations, communicating during the process (e.g. in the event of follow-up queries and status and procedural information) and ensuring consistent processing, for instance to avoid multiple entries.

3.1.2. Meeting other legal obligation

In addition to this, we process personal data as required to meet legal obligations. This includes, in particular, statutory retention and documentation obligations, as well as processing for the purpose of complying with and meeting data protection requirements, for instance when processing requests from data subjects and implementing corresponding rights under GDPR.

3.2. Legal basis for processing

The legal basis for data processing is Article 6(1), lit. e) GDPR in conjunction with Section 9a(1) HGB and Section 1 of the Regulation on the Transfer of the Management of the Company Register (henceforth referred to as "eBAnzV") in conjunction with URV.

4. Recipients or categories of recipients

4.1. First, personal data are transferred to internal recipients. These are the responsible organisational units that process transactions in the Company Register, as well as areas that, where necessary, are entrusted with technical operation, administration, support and IT security.

4.2. One of the main purposes of the Company Register is to make company and register information accessible to the public as defined by law. In this context, personal data that are part of register content that is subject to publication are made publicly available in line with the legal requirements and can be inspected, accessed and used by anyone. Public access is provided solely on the basis of the relevant register regulations and is limited to the content and data categories specified therein.

4.3. In addition to this, we may transfer personal data to processors working on our behalf who process data solely in accordance with our instructions (Article 28 GDPR). These are, in particular, IT service providers for hosting, operation, maintenance and support and, where applicable, service providers for identity verification (e.g. a video/online identification procedure).

4.4. Depending on the payment method selected, the data required to execute the payment transaction are transferred to the relevant payment or verification service providers. These providers process the data autonomously and solely for the purpose of processing or technically verifying the payment. Further billing and processing take place within our systems, where relevant.

4.5. The legal basis for processing is Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a HGB.

5. Third country transfer

We generally process personal data inside the European Union.

If persons based or residing in a third country access register information within the scope of the legally prescribed use of the Company Register, this may constitute disclosure of personal data to a third country.

This disclosure takes place solely on the basis of the relevant legal access and usage regulations for the Company Register.

6. Storage period

Your personal data are only stored for as long as is necessary to meet said purposes or as long as retention periods require further storage.

7. Type and source of personal data

7.1. Origin of the data

7.1. Origin of the data

In addition to being collected directly from you, personal data may originate from the following sources:

a)  Information submitted by companies subject to publication requirements as part of their disclosure obligations

b)  Data from the Commercial or Cooperative Register

c)  Data from submissions

d)  Communication data from voluntary contact with involved parties

The legal basis is Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a(1) HGB and Section 1 eBAnzV in conjunction with Section 1(1) URV.

7.2. Provision of the website and creation of log files

When you first visit the website of the Company Register and when you navigate across it, the following personal data are collected for the purposes of error analysis and operation (troubleshooting) or IT security and attack detection.

• IP address
• Date and time of access (time stamp)
• Request details and destination address (protocol version, HTTP method, referrer, user agent string)
• Name of the file accessed and volume of data transferred (requested URL including query string, size in bytes)
• Message as to whether retrieval was successful (HTTP status code)

Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a(1) HGB and Section 1 eBAnzV in conjunction with Section 1(3) URV.

Storage period: maximum of 14 days; longer storage for evidence purposes on.

7.3. Use of cookies

Use of the web content of the Company Register requires technical cookies.

These serve the following purposes:

• To recognise your browser when you are navigating between different pages of the Company Register's web content using a session ID (session cookies).
• For authentication (authentication cookies). These cookies are additionally encrypted.

User consent is not required for technical cookies, cf. Section 25(2), no. 2 TDDDG. The services of the Company Register cannot be provided without the use of these technically necessary cookies.

The following table lists all cookies we use and their purpose:

Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a(1) HGB in conjunction with Section 1 eBAnzV in conjunction with Section 1(3) URV.

7.4. Registration and identification

7.4.1. Under Section 3 URV, you have the option of registering on our website and therewith creating a user profile. When you register on our website, in addition to the data that your Internet browser automatically transmits to us, we collect and use the following data, which are marked as mandatory or voluntary depending on the purpose of the processing:

• Date and time of registration
• Your first name and surname or company name
• Date of birth
• Your email address
• Your telephone number

Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a(1) HGB in conjunction with Section 1 eBAnzV in conjunction with Section 3(1) URV.

7.4.2. For registration for data transmission pursuant to Section 11(2), sentence 1 URV (data transmission by persons obligated to publish or commissioned third parties) for companies entered in the Commercial or Cooperative Registers, the following minimum information is required in addition to the information specified in Section 3(1) URV pursuant to Section 3(2) URV:

• Legal name or name of the company
• Court of registry
• Register type
• Register number

Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a(1) HGB in conjunction with Section 1 eBAnzV in conjunction with Section 3(2) URV.

7.4.3. For registration pursuant to Section 3(2) URV, the user must also undergo electronic identification as per Section 3a URV. User is deemed to mean the natural person who is actually to transmit data pursuant to Section 11(2) URV for persons subject to publication and disclosure obligations. Identity is checked on the basis of the means of identification laid down in Section 3a(1), nos. 1 to 3 URV. The identification data collected in the course of the identification procedure will be processed exclusively to ensure proper performance of the tasks of the Company Register and will be deleted as soon as the purpose of the storage no longer applies and no conflicting storage obligations or rights exist.

For this purpose, we use, inter alia, an external identification service provider as a processor within the meaning of Article 28 GDPR, which conducts the identification procedure on our behalf. In the course of identification, in particular identification evidence is processed (e.g. photos/images of the person and images/copies of the identity document).

The data processed during the identification procedure are stored for different lengths of time depending on the outcome:

• Successful identification: The data collected during the identification process are deleted by the identification service provider after 90 days. If proof of identification is subsequently sent to us, we store it for 8 years in accordance with the applicable legal requirements.
• Unsuccessful or aborted identification: Personal data from aborted or invalid identification attempts are stored by the identification service provider for 7 days and then deleted.

Legal basis: Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a(1) HGB in conjunction with Section 1 eBAnzV in conjunction with Sections 1(2), 3a URV.

7.4.4. If users desire to make transmissions for themselves or as authorised representatives for third parties, they are to specify an identifier and password upon registration by which they authenticate themselves as authorised users of the Company Register.

8. Chatbot

For service enquiries, you have the option of using the chatbot on our website to obtain information.

No further data are required from you to use the chatbot. However, if you do provide personal data, these will be anonymised. To optimise the algorithm, which enables the chatbot to autonomously categorise enquiries according to the subject matter using the keywords contained therein, log files and chat histories are stored anonymously for 90 days. We would like to stress that you do not need to provide any personal data.

If you have any questions regarding your customer account, you can contact us directly by telephone or e-mail, as automatic assignment is not possible.

Data processing is performed without the use of cookies ("cookieless") on the basis of Article 6(1), sentence 1, lit. e) GDPR in conjunction with Section 9a(1) HGB and the Regulation on the Transfer of the Management of the Company Register. It is necessary for the performance of a task that is in the public interest.

9. Your rights under GDPR

9.1. You have the following rights:

• Article 13, 14 GDPR – Rights to information
• Article 15 GDPR – Access
• Article 16 GDPR – Rectification
• Article 17 GDPR – Erasure
• Article 18 GDPR – Restriction of processing
• Article 20 GDPR – Data portability
• Article 21 GDPR – Objection
• Article 22 GDPR – No purely automated decisions
• Article 77 GDPR – Right to lodge a complaint with a supervisory authority

You may revoke your consent at any time with effect for the future.

Contact for exercising your rights: dsb@bundesanzeiger.de

Note: We endeavour to take technical and organisational steps allowing us to store your personal data in a way to render them inaccessible to third parties. Since we cannot guarantee complete data security during communication by e-mail, we recommend mailing confidential information by post.

9.2. Supervisory authority

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) (The Federal Commissioner for Data Protection and Freedom of Information)
Graurheindorfer Straße 153, 53117 Bonn (Germany)
Telephone: +49 (0)228-997799-0

Email: poststelle@bfdi.bund.de

10. Automatic processing

There is no automated decision-making or profiling within the meaning of Article 22 GDPR.

11. Data protection officer

You can contact our data protection officer at:

Datenschutzbeauftragte der Bundesanzeiger Verlag GmbH
c/o Bundesanzeiger Verlag GmbH
Amsterdamer Str. 192
50735 Köln (Germany)

Email: dsb@bundesanzeiger.de

12. Scope

This Data Privacy Statement is applicable to the domain www.unternehmensregister.de.