The information outlined below is intended to provide you as the “data subject” with an overview of how we process your personal data and to inform you of your rights under data protection legislation. It is possible to use our website without entering personal data. However, if you would like to make use of particular services of our company via the website, processing of personal data may be necessary. If processing of personal data is necessary and if there is no legal basis for such processing, we will always request your consent for this.
As the controller, we have implemented numerous technical and organisational measures in order to ensure the most complete protection possible for the personal data processed through this website. Nevertheless, there may be security loopholes in web-based data transmission so that absolute protection cannot be guaranteed. For this reason, you may provide us with personal data by alternative methods, such as by telephone or post, if you wish.
The controller within the meaning of the GDPR is:
Volkswagen Motorsport GmbH
30179 Hanover Germany
Telephone: +49 511 67494 0
Heads of the controller: Sven Smeets, Lukasz Urban and François-Xavier Demaison
3. DATA PROTECTION OFFICER
You can contact the Data Protection Officer as follows:
Mr. Tobias Hoffmann
audatis Consulting GmbH Datenschutz und Informationssicherheit (Data Protection and Information Security)
Leopoldstr. 2-8, 32051 Herford Germany
Telephone: +49 5221 87292-06
You can contact our Data Protection Officer directly at any time with any questions and suggestions relating to data protection.
a. Personal data
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b. Data subject
A data subject is every identified or identifiable natural person whose personal data are processed by the controller (our company).
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d. Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
i. Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
5. LEGAL BASIS OF PROCESSING
Article 6 (1) point (a) GDPR serves as the legal basis for our company for data processing where we obtain consent for a specific processing purpose.
If processing of personal data is necessary for the performance of a contract to which you are party, such as is necessary for processing operations that are required for delivery of goods or in order to provide another performance or counter-performance, then processing is based on Article 6 (1) point (b) GDPR. The same applies to processing operations that are necessary to perform steps prior to entering into a contract, such as for requests relating to our products or services.
If our company is subject to a legal obligation that makes processing of personal data necessary, such as compliance with tax obligations, then processing is based on Article 6 (1) point (c) GDPR.
In rare cases, processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our company and their name, age, health insurance details or other vital information had to be passed on to a doctor, hospital or other third parties. Processing would then be based on Article 6 (1) point (d) GDPR.
Finally, processing could be based on Article 6 (1) point (f) GDPR. This provides the legal basis for processing that is not covered by any of the above legal principles, when processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We are permitted to perform such processing in particular because this was specifically mentioned by the European legislator. The legislator stated the opinion that a legitimate interest could be assumed if you are a client of our company (recital 47, sentence 2 GDPR).
6.1 SSL/TLS encryption
This website uses SSL or TLS encryption to guarantee the security of data processing and to protect the transmission of confidential content such as orders, login data or contact requests that you send to us as the website operator. You can recognise an encrypted connection by the fact that the address bar contains “https://” instead of “http://” and by the padlock symbol in your browser bar. If SSL or TLS encryption is activated, third parties cannot read the data that you send to us.
6.2 Data collection when you visit the website
If you use our website for information purposes only, i.e. if you do not register or send us other information, we will collect only the data that are sent to our server by your browser (in what are termed “server log files”). Our website collects various general data and information each time a page is visited by you or an automated system.
These general data and information are stored in the server log files. The stored information can include
1. the types of browser used and their versions,
2. the operating system used by the system accessing our website,
3. the website from which a system accesses our website (referrer),
4. the subpages accessed by a system on our website,
5. the date and time our website was accessed,
6. a truncated Internet Protocol address (anonymised IP address), and
7. the Internet service provider of the system accessing our website.
We do not draw any conclusions in relation to your person from use of these general data and information. This information is required instead to 1. deliver our website’s content correctly, 2. optimise our website’s content and advertising for it, 3. ensure that our IT systems and our website’s technology keep running properly, and 4. provide the law-enforcement authorities with the information required to prosecute any cyberattacks that occur.
The collected data and information are therefore evaluated by us statistically and also with the goal of increasing data protection and data security in our company in order to thus provide optimum protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
The legal basis for data processing is Article 6 (1) sentence 1 point (f) GDPR. Our legitimate interest is based on the above-listed purposes of data collection.
7.1 General information on cookies
Information is stored in the cookie that is related to the specific device used. However, this does not mean that we directly obtain knowledge about your identity.
The data processed by cookies are necessary for the purposes of our legitimate interests and of third parties in accordance with Article 6 (1) sentence 1 point (f) GDPR.
Most browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or so that a message is always displayed before a new cookie is created. However, complete deactivation of cookies may mean that you cannot use all the functions of our website.
8. CONTENT OF OUR WEBSITE
8.1 Contacting us / contact form
Personal data are collected when you contact us (e.g. by contact form or e-mail). The data collected with a contact form are visible from the respective contact form. These data are stored and used exclusively for the purpose of answering your request or for making contact and the associated technical administration. The legal basis for processing is our legitimate interest in answering your request in accordance with Article 6 (1) point (f) GDPR. If you have the intention of concluding a contract when making contact, the additional legal basis for processing is Article 6 (1) point (b) GDPR. Your data will be deleted after final processing of your request. This is the case when it is evident from the circumstances that the matter in question has been finally concluded and if there are no statutory retention obligations that stand in the way of that.
8.2 Application management / job board
We collect and process the personal data of applicants for the purpose of carrying out the application process. Processing can take place electronically. This is the case in particular if an applicant sends us relevant application documents electronically, e.g. by means of e-mail or via an online form on the website. If we conclude an employment contract with an applicant, the transferred data will be stored for the purpose of conducting the employment relationship in compliance with the applicable legal regulations. If we do not conclude an employment contract with the applicant, the application documents will be deleted automatically two months after the decision to reject him/her, unless we have other legitimate interests for not erasing them. Another legitimate interest here is, for example, the requirement to furnish proof in the event of legal action under the German General Act on Equal Treatment (AGG).
Data processing thus takes place solely on the basis of our legitimate interest in accordance with Article 6 (1) point (f) GDPR.
9. YOUR RIGHTS AS DATA SUBJECT
9.1 Right to confirmation
You have the right to request confirmation from us whether personal data concerning you are processed.
9.2 Right to access (Article 15 GDPR)
You have the right to obtain information from us about the stored personal data relating to your person as well as a copy of these data at any time free of charge.
9.3 Right to rectification (Article 16 GDPR)
You have the right to request rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed.
9.4 Right to erasure (Article 17 GDPR)
You have the right to obtain from us erasure of personal data concerning you without undue delay if one of the legally defined reasons applies and if processing is not necessary.
9.5 Right to restriction of processing (Article 18 GDPR)
You have the right to obtain restriction of processing from us if one of the legal prerequisites applies.
9.6 Right to data portability (Article 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to Article 6 (1) point (a) GDPR or Article 9 (2) point (a) GDPR or on a contract pursuant to Article 6 (1) point (b) GDPR and processing is carried out by automated means, in so far as processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. In addition, when exercising your right to data portability in accordance with Article 20 (1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible, if this does not adversely affect the rights and freedoms of others.
9.7 Right to object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) point (e) (data processing in the public interest) or point (f) (data processing for the purpose of legitimate interests) GDPR.
This also applies to profiling based on these provisions within the meaning of Article 4 (4) GDPR.
If you submit an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing them which override your interests, rights and freedoms, or unless processing your data serves the establishment, exercise or defence of legal claims.
In individual cases, we process your personal data to carry out direct marketing. You can object at any time to processing of your personal data for the purpose of such marketing. The same applies to profiling to the extent that it is related to such direct marketing. If you object to us about processing for purposes of direct marketing, we will no longer use the personal data for these purposes.
In addition, you have the right to object, on grounds relating to your particular situation, to processing of data concerning you for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
9.8 Right to withdraw data protection-related declaration of consent
You have the right to withdraw your consent for processing of personal data at any time with future effect.
9.9 Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority about our processing of personal data.
FURTHER INFORMATION ON OTHER DATA PROCESSING
As a company, we do not just process personal data on our website but in many other processes. In order to provide you as the data subject with the most detailed information possible about these processing purposes, we have compiled this information for the following processing activities and thus meet our legal information obligations in accordance with Articles 12 to 14 GDPR:
Data protection information for applicant data
Data protection information for contacts and communication partners
Data protection information for customers, suppliers and service providers