Privacy Policy of Ladenburger GmbH

With this policy, the management assumes overall responsibility for data protection at Ladenburger GmbH and outlines the associated objectives. This policy becomes effective upon the signature of the management and internal publication within the company.

Ladenburger GmbH is obligated to comply with data protection laws and operates based on the principle of corporate self-regulation. Consequently, at Ladenburger GmbH, it is part of the corporate culture to ensure adequate, economically viable, and technically and organizationally feasible implementation of legal regulations on data protection—especially the requirements of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

All managing directors and senior executives at Ladenburger GmbH, whose areas involve the processing of personal data, as well as all employees who regularly handle personal data, bear personal responsibility for achieving the data protection requirements. The realization of data protection requirements is carried out within a data protection management system, for which this data protection policy sets the framework and includes further data protection guidelines. Additionally, Ladenburger GmbH has appointed a Data Protection Officer. This officer reports directly to the management and acts on its behalf. In the exercise of his expertise, he operates independently. His tasks arise from the GDPR and the BDSG. His contact details have been reported to the relevant data protection supervisory authority for Ladenburger GmbH.

Any member of the company can directly approach the Data Protection Officer regarding data protection matters and rely on his confidentiality (Art. 38 Para. 4 and Para. 5 GDPR). The contact details are provided on the last page of this document.

The Data Protection Officer is legally obliged to monitor processes and applications involving the processing of personal data for compliance with data protection laws. The same applies when personal data is processed non-automatically (files, index cards, microfilms, etc.) (Art. 39 Para. 1 lit. b). For this purpose, he has the right to access all premises and workspaces where personal data is collected, processed, or used. In the case of identified deficiencies, he collaborates with the relevant manager to rectify them.

Furthermore, the Data Protection Officer is legally obliged to oversee compliance with the GDPR in processes and applications involving the processing of personal data (Art. 39 Para. 1 lit. b). To this end, he must be informed about new applications arising from in-house or external development or purchases, during the formulation of the task assignment (specifications), and be given the opportunity to comment. Before the commencement of use of processes and applications, the Data Protection Officer must be included in the approval process to verify the implementation of his recommendations. The release is to be granted by the responsible manager only after the Data Protection Officer has given his approval.

In case of processing activities posing a high risk to the rights and freedoms of natural persons, Ladenburger GmbH conducts a data protection impact assessment (Art. 35 Para. 1 GDPR). Supervisory authorities compile lists of processing activities that require an impact assessment. If such processing activities are implemented at Ladenburger GmbH, conducting a data protection impact assessment is mandatory. Upon request, the Data Protection Officer advises on the data protection impact assessment and monitors its implementation (Art. 39 Para. 1 lit. c).

The Data Protection Officer is to be included in IT risk management. Particularly, he should be involved in the development and updating of IT security concepts (policies) or IT security guidelines. Adherence to the principles of data protection by design and by default must be ensured (Art. 25 GDPR). Moreover, the company guarantees the security of processing personal data through the implementation and continuous improvement of technical and organizational measures in accordance with Art. 32 GDPR.

Employees who regularly process personal data are obligated to maintain confidentiality and data protection, as well as any associated confidentiality requirements when commencing their duties. This obligation persists beyond their tenure at Ladenburger GmbH. A copy of the commitment statement is to be added to the personnel file. This commitment contributes to raising awareness among the workforce regarding data protection matters and serves the purpose of compliance with accountability (Art. 5 Para. 2 GDPR).

Affected employees should be adequately informed about their data protection responsibilities (Art. 39 Para. 1 lit. b). This should be done through regular training sessions. The affected employees are required to attend these sessions. Participation is to be documented.

The management (legal representatives of the company) are responsible for compliance with data protection laws; therefore, a separate commitment is unnecessary. The Data Protection Officer is specifically responsible for informing the management about new developments in data protection laws and their enforcement when required.

Ladenburger GmbH maintains a record of all processing activities. The heads of departments responsible for automated personal data processing applications and other processing activities involving personal data are obliged to provide the Data Protection Officer with an overview of processing activities in accordance with Art. 30 Para. 1 GDPR for all relevant applications and processes. For this purpose, the Data Protection Officer provides a corresponding form and supports the responsible individuals upon request in completing it.

If personal data is collected, processed, or used by entities outside of Ladenburger GmbH, or if these entities perform maintenance or auditing activities for Ladenburger GmbH where access to personal data cannot be excluded, a contract must be established with the respective entity to safeguard the rights of the affected individuals (Art. 28 GDPR for data processing agreements, additionally Art. 44 - 49 GDPR for data transfers to countries outside the European Union). The Data Protection Officer should be involved in drafting the contracts and has appropriate standard contracts available. The data processing agreements should ensure that the Data Protection Officer has the right, if necessary, to control the proper execution of the contract on-site (Art. 28 Para. 3 lit. h).

To ensure the rights of the affected individuals (Art. 12-22), all related inquiries (requests for information, access, rectification, erasure or restriction/blocking, data portability, objection; complaints or reports) are to be directed through the Data Protection Officer (Single Point of Contact - SPOC). He is responsible for overseeing proper handling. If the Data Protection Officer determines, based on clear and unambiguous legal regulations, that the requests from the affected individuals are unfounded, he communicates this to the individual; otherwise, he forwards the inquiry to the respective responsible entity for processing. If there could be legal consequences for the company arising from the concerns of the affected individuals, the Data Protection Officer must involve the company management.

The Data Protection Officer collaborates with the supervisory authority and serves as a point of contact for any questions related to data processing (Art. 39 Para. 1 lit. d and e). In exceptional circumstances, the Data Protection Officer also has a direct right to report to the designated management in charge.

Please note that translations might require context-specific adjustments for legal compliance and accuracy in accordance with local laws and regulations.