DATA PROTECTION

Privacy Policy

We sincerely thank you for your interest in our company. Data protection is of particular importance to the management of NOHO GmbH. The use of the NOHO GmbH websites is generally possible without the provision of personal data. However, if a data subject wishes to make use of specific services provided by our company via our website, the processing of personal data may become necessary. If the processing of personal data is required and no legal basis for such processing exists, we generally obtain the consent of the data subject.

The processing of personal data, such as the name, address, email address, or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation and in compliance with the applicable national data protection regulations for NOHO GmbH. Through this privacy policy, our company aims to inform the public about the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, this privacy policy will inform data subjects of their rights.

As the data controller, NOHO GmbH has implemented numerous technical and organizational measures to ensure the highest possible protection of personal data processed through this website. However, internet-based data transmissions may generally have security vulnerabilities, so absolute protection cannot be guaranteed. For this reason, it is at the discretion of each data subject to transmit personal data to us via alternative means, such as by telephone.

1.   Definitions

The privacy policy of NOHO GmbH is based on the terminology used by the European legislator in the enactment of the General Data Protection Regulation (GDPR). Our privacy policy is intended to be easily readable and understandable for both the general public and our customers and business partners. In order to ensure this, we wish to clarify the terminology used in advance.
In this privacy policy, we use the following terms, among others:

a. Personal Data
Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

b. Data Subject
A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.

c. Processing
Processing refers to any operation or set of operations performed on personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or other forms of provision, alignment or combination, restriction, erasure, or destruction.

d. Restriction of Processing
Restriction of processing refers to the marking of stored personal data with the purpose of limiting its future processing.

e. Profiling
Profiling refers to any form of automated processing of personal data, which involves the use of such data to assess certain personal aspects relating to an individual, particularly to analyze or predict aspects regarding that individual’s work performance, economic status, health, personal preferences, interests, reliability, behavior, location, or movements.

f. Pseudonymization
Pseudonymization refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data cannot be assigned to an identified or identifiable natural person.

g. Controller or Data Controller
The controller or data controller is the natural or legal person, authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of processing are established by Union law or the law of the Member States, the controller or the specific criteria for their designation may be provided for by Union law or the law of the Member States.

h. Processor
A processor is a natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller.

i. Recipient
A recipient is a natural or legal person, authority, agency, or other entity to whom personal data is disclosed, regardless of whether they are a third party. However, authorities that may receive personal data in the course of a specific investigative task under Union law or the law of the Member States are not considered recipients.

j. Third Party
A third party is a natural or legal person, authority, agency, or other entity, other than the data subject, the controller, the processor, or persons who, under the direct authority of the controller or processor, are authorized to process personal data.

k. Consent
Consent refers to any indication of the data subject’s wishes, freely given, specific, informed, and unambiguous, expressed through a statement or other clear affirmative action, by which the data subject signifies their agreement to the processing of personal data concerning them.

2.     Name and Address of the Data Controller

The data controller within the meaning of the General Data Protection Regulation, as well as other applicable data protection laws in the Member States of the European Union and other provisions of a data protection nature, is:

NOHO GmbH
Am Sande 5
21335 Lüneburg
Germany

Tel.: +49 174 – 27 81 455
E-mail: info@we-are-noho.com
Website: www.we-are-noho.com

Name and Address of the Data Protection Officer

The data protection officer of the data controller is:
Mr. Demian Raab

NOHO GmbH
Am Sande 5
21335 Lüneburg
Germany

Tel.: +49 174-27 81 455
E-mail: d.raab@reese-bm.de
Website: www.we-are-noho.com

Any data subject may, at any time, direct any inquiries or suggestions regarding data protection to our data protection officer.

  1. Cookies

The websites of NOHO GmbH make use of cookies. Cookies are text files that are stored and saved on a computer system through an internet browser.

A significant number of websites and servers employ cookies. Many cookies contain what is known as a cookie ID. A cookie ID is a unique identifier assigned to a specific cookie. It consists of a string of characters that allows websites and servers to associate it with the specific internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the data subject from other internet browsers that contain different cookies. A specific internet browser can be recognized and identified by means of its unique cookie ID.

By utilizing cookies, NOHO GmbH is able to provide users of this website with more user-friendly services that would not be feasible without the use of cookies. Through the use of cookies, the information and offerings on our website can be optimized in accordance with the preferences of the user. As previously mentioned, cookies allow us to recognize the users of our website. The purpose of this recognition is to facilitate the use of our website for the users. For example, a user of a website that uses cookies does not need to re-enter their login credentials on each visit, as this is managed by the website and the cookie stored on the user’s computer system. Another example is the cookie associated with a shopping cart in an online store. The online store retains the items a customer has added to their virtual shopping cart via a cookie.

The data subject may, at any time, prevent the setting of cookies through our website by adjusting the settings of the internet browser used, thereby permanently objecting to the placement of cookies. In addition, any cookies that have already been set may be deleted at any time via the internet browser or other software programs. This can be accomplished in all commonly used internet browsers. If the data subject disables the setting of cookies in the internet browser being used, it is possible that not all functions of our website may be fully accessible.

 

  1. Collection of General Data and Information

The website of NOHO GmbH collects a range of general data and information with each access to the website by a data subject or an automated system. This general data and information are stored in the server’s log files. The information that may be collected includes, but is not limited to, (1) the types and versions of the browsers used, (2) the operating system employed by the accessing system, (3) the website from which the accessing system originates (so-called referrer), (4) the subpages accessed on our website by the accessing system, (5) the date and time of access to the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system, and (8) other similar data and information that are utilized for the purpose of safeguarding against risks in the event of attacks on our information technology systems.

In utilizing this general data and information, NOHO GmbH does not draw any conclusions regarding the data subject. This information is primarily required for the purposes of (1) correctly delivering the content of our website, (2) optimizing the content of our website as well as the advertisements displayed therein, (3) ensuring the continued functionality of our information technology systems and the technology of our website, and (4) providing law enforcement authorities with the necessary information for prosecutorial purposes in the event of a cyberattack. These anonymized data and information are thus statistically evaluated by NOHO GmbH, with the aim of enhancing the level of data protection and data security within our organization, ultimately ensuring an optimal level of protection for the personal data we process. The anonymized data from the server log files are stored separately from any personal data provided by a data subject.

 

  1. Routine Deletion and Blocking of Personal Data

The data controller shall process and store personal data of the data subject solely for the duration necessary to fulfill the purpose of storage, or for as long as it is stipulated by the European legislator or any other competent legislator in applicable laws or regulations to which the data controller is subject.

Once the purpose of storage ceases to apply or the retention period prescribed by the European legislator or any other relevant legislator has expired, the personal data shall be routinely blocked or deleted in accordance with the relevant legal provisions.

  1. Rights of the Data Subject
  1. Right to Confirmation
    Every data subject has the right, as granted by the European legislator, to request from the data controller confirmation as to whether personal data concerning them is being processed. Should a data subject wish to exercise this right of confirmation, they may contact a representative of the data controller at any time.
  2. Right to Access
    Every data subject whose personal data is being processed is entitled, as granted by the European legislator, to obtain from the data controller, at any time and free of charge, information regarding the personal data stored concerning them, as well as a copy of such data. Furthermore, the European legislator has granted the data subject the right to be informed of the following:
  • the purposes of the processing
  • the categories of personal data being processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly in the case of recipients in third countries or international organizations
  • if possible, the intended duration for which the personal data will be stored, or, if this is not feasible, the criteria used to determine this duration
  • the existence of the right to rectification or erasure of personal data concerning the data subject, or the right to restrict processing by the data controller, or the right to object to such processing
  • the existence of the right to lodge a complaint with a supervisory authority
  • if the personal data has not been obtained directly from the data subject: all available information regarding the source of the data
  • the existence of automated decision-making, including profiling, as per Article 22(1) and (4) of the GDPR, and — in such cases — meaningful information regarding the logic involved, as well as the significance and anticipated consequences of such processing for the data subject

Additionally, the data subject has the right to be informed as to whether personal data has been transferred to a third country or an international organization. If this is the case, the data subject is also entitled to obtain information regarding the appropriate safeguards in place concerning the transfer.

Should a data subject wish to exercise this right of access, they may contact a representative of the data controller at any time.

  1. Right to Rectification
    Every data subject whose personal data is being processed is entitled, under the provisions of the European legislator, to request the immediate rectification of any inaccurate personal data concerning them. Furthermore, the data subject has the right, taking into account the purposes of the processing, to request the completion of incomplete personal data, which may include the provision of a supplementary statement.
    Should a data subject wish to exercise their right to rectification, they may, at any time, contact a representative of the data controller.
  2. Right to Erasure (Right to be Forgotten)
    Every data subject whose personal data is being processed has the right, as granted by the European legislator, to request the prompt erasure of personal data concerning them, provided that one of the following grounds applies and the processing is not necessary:
  • The personal data are no longer required for the purposes for which they were collected or otherwise processed.
  • The data subject withdraws their consent on which the processing, pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, is based, and there is no other legal basis for the processing.
  • The data subject objects to the processing under Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing under Article 21(2) of the GDPR.
  • The personal data have been processed unlawfully.
  • The erasure of the personal data is necessary for compliance with a legal obligation under Union law or the law of a member state to which the data controller is subject.
  • The personal data were collected in relation to the provision of information society services referred to in Article 8(1) of the GDPR.

If one of the aforementioned grounds applies and a data subject wishes to request the erasure of personal data stored by NOHO GmbH, they may contact a representative of the data controller at any time. The representative of NOHO GmbH will take the necessary actions to ensure that the request for erasure is promptly addressed.
If personal data have been made public by NOHO GmbH, and our company, as the data controller, is required to erase the personal data pursuant to Article 17(1) of the GDPR, NOHO GmbH will, taking into account the available technology and the cost of implementation, take reasonable measures, including technical measures, to notify other data controllers processing the published personal data that the data subject has requested the erasure of all links to, or copies or replications of, such personal data, provided that the processing is not necessary. The representative of NOHO GmbH will, on a case-by-case basis, ensure that the necessary actions are taken.

  1. Right to Restriction of Processing
    Every data subject whose personal data is being processed is granted, under the provisions of the European legislator, the right to request the restriction of processing by the data controller under the following circumstances:
  • The accuracy of the personal data is contested by the data subject, for a period allowing the controller to verify the accuracy of the personal data.
  • The processing is deemed unlawful, and the data subject objects to the erasure of the personal data and instead requests the restriction of its use.
  • The controller no longer requires the personal data for the purposes of processing, but the data subject requires it for the establishment, exercise, or defense of legal claims.
  • The data subject has invoked their right to object to processing under Article 21(1) of the GDPR, and it has yet to be determined whether the legitimate grounds of the controller override those of the data subject.

Should any of the above conditions apply, and the data subject wishes to request the restriction of personal data stored by NOHO GmbH, they may contact a representative of the data controller at any time. A representative of NOHO GmbH will take the necessary steps to ensure that the processing is restricted as requested.

  1. Right to Data Portability
    Every data subject whose personal data is being processed is granted, under the provisions of the European legislator, the right to receive the personal data concerning them, which have been provided to a controller by the data subject, in a structured, commonly used, and machine-readable format. The data subject further has the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on the data subject’s consent under Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or is based on a contract under Article 6(1)(b) of the GDPR, and that the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Additionally, when exercising their right to data portability under Article 20(1) of the GDPR, the data subject is entitled to request that their personal data be transmitted directly from one controller to another, where technically feasible, provided that the rights and freedoms of other individuals are not adversely affected.

To exercise the right to data portability, the data subject may contact a representative of NOHO GmbH at any time.

  1. Right to Object
    Every data subject whose personal data is being processed is afforded, under the provisions established by the European legislator, the right to object, on grounds related to their particular situation, at any time, to the processing of personal data concerning them, which is carried out pursuant to Article 6(1)(e) or (f) of the General Data Protection Regulation (GDPR). This right extends to profiling carried out under these provisions.
    In the event that a data subject exercises this right to object, NOHO GmbH will cease processing the personal data in question unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or where the processing is necessary for the establishment, exercise, or defense of legal claims.

Should NOHO GmbH process personal data for direct marketing purposes, the data subject retains the right to object at any time to the processing of personal data for such purposes. This right also applies to profiling, insofar as it is related to such direct marketing activities. Upon the exercise of this right by the data subject, NOHO GmbH shall cease processing the personal data for these purposes.

Additionally, the data subject has the right to object, on grounds related to their particular situation, to the processing of personal data concerning them that is carried out by NOHO GmbH for scientific or historical research purposes or for statistical purposes, as defined in Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

To exercise the right to object, the data subject may, at any time, contact any employee of NOHO GmbH directly. Moreover, the data subject has the option to exercise this right in relation to the use of information society services by means of automated procedures, where technical specifications are utilized, irrespective of Directive 2002/58/EC.

  1. Automated Individual Decisions, Including Profiling
    Every data subject whose personal data is being processed is granted the right, under the provisions laid out by the European legislator, not to be subject to a decision based solely on automated processing, including profiling, which has legal effects concerning them or similarly significantly affects them, unless the decision (1) is necessary for the performance of a contract between the data subject and the controller, or (2) is authorized by Union or Member State law to which the controller is subject, and such law provides appropriate safeguards for the rights, freedoms, and legitimate interests of the data subject, or (3) is based on the explicit consent of the data subject.
    Where the decision (1) is necessary for the performance of a contract between the data subject and the controller, or (2) is based on the explicit consent of the data subject, NOHO GmbH will take all reasonable measures to safeguard the rights, freedoms, and legitimate interests of the data subject, which will include at least the right to obtain human intervention from the controller, the right to express their point of view, and the right to contest the decision.

Should the data subject wish to exercise their rights regarding automated decisions, they may contact any employee of the controller at any time.

  1. Right to Withdraw Consent for Data Processing
    Every data subject whose personal data is being processed has, under the provisions established by the European legislator, the right to withdraw their consent to the processing of personal data at any time.

Should the data subject wish to exercise their right to withdraw consent, they may do so by contacting any authorized representative of the data controller at any time.

  1. Data Protection in the Context of Job Applications and the Application Process

The data controller collects and processes the personal data of applicants for the purpose of managing the application process. Processing may also occur through electronic means, particularly when an applicant submits their application documents electronically, for example via email or through an online form available on the website, to the data controller. If the data controller enters into an employment contract with an applicant, the transmitted data will be stored for the purpose of managing the employment relationship, in compliance with the relevant legal provisions. In the event that no employment contract is concluded, the application documents will be automatically deleted two months after the rejection decision has been communicated, unless there are other legitimate interests of the data controller that preclude deletion. An example of such a legitimate interest may be an obligation to retain the data in the context of proceedings under the General Equal Treatment Act (AGG).

  1. Legal Basis for Processing

Article 6(1)(a) of the General Data Protection Regulation (GDPR) serves as the legal basis for processing activities in which consent is obtained for a specific processing purpose. Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, such as processing operations required for the delivery of goods or the provision of services or other considerations, the processing is based on Article 6(1)(b) of the GDPR. The same applies to processing operations that are necessary for the performance of pre-contractual measures, for example, in cases of inquiries related to our products or services. If our company is subject to a legal obligation that necessitates the processing of personal data, such as to fulfill tax obligations, the processing is based on Article 6(1)(c) of the GDPR. In exceptional cases, the processing of personal data may be required to protect the vital interests of the data subject or another natural person. For example, if a visitor is injured on our premises and their name, age, health insurance details, or other vital information need to be disclosed to a doctor, hospital, or other third parties, the processing will be based on Article 6(1)(d) of the GDPR. Finally, processing activities may be based on Article 6(1)(f) of the GDPR. This legal basis applies to processing operations that are not covered by any of the aforementioned legal bases but are necessary for the protection of a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not override such an interest. Such processing operations are permitted, as they have been specifically addressed by the European legislator, who has indicated that a legitimate interest may be presumed where the data subject is a customer of the data controller (Recital 47, Sentence 2 of the GDPR).

  1. Legitimate Interests in the Processing Pursued by the Data Controller or a Third Party

Where the processing of personal data is based on Article 6(1)(f) of the General Data Protection Regulation (GDPR), our legitimate interest lies in conducting our business activities to the benefit of the well-being of all our employees and stakeholders.

  1. Duration of Storage of Personal Data

The criterion for the duration of the storage of personal data is the applicable statutory retention period. Upon the expiration of such period, the relevant data will be routinely erased, unless continued storage is necessary for the fulfillment of contractual obligations or the initiation of a contract.

  1. Legal or Contractual Obligations to Provide Personal Data; Necessity for Contractual Conclusion; Obligation of the Data Subject to Provide Personal Data; Potential Consequences of Non-Disclosure

We wish to inform you that the provision of personal data may, in certain circumstances, be required by law (e.g., tax regulations) or arise from contractual arrangements (e.g., details pertaining to the contracting party). In certain instances, it may be necessary for the data subject to provide personal data to us in order to conclude a contract, which will subsequently require processing. For example, the data subject is obligated to provide us with personal data when entering into a contract with our company. Failure to provide the necessary personal data would result in the inability to enter into the contract with the data subject. Prior to the provision of personal data, the data subject must contact one of our employees. Our employee will provide information on a case-by-case basis as to whether the provision of personal data is required by law or contract, whether there is an obligation to disclose such data, and the potential consequences of failing to provide the requested personal data.

  1. Existence of Automated Decision-Making

As a responsible organization, we do not engage in automated decision-making or profiling.

This privacy policy has been generated using the Privacy Policy Generator provided by DGD Deutsche Gesellschaft für Datenschutz GmbH, which serves as an external Data Protection Officer in Leipzig.