How DB Schenker processes your personal data.
What's this notice about?
Acc. to Art. 13, 14 GDPR the (European) Controller, in fact: DB Schenker entities like Schenker AG, shall inform about different topics while processing personal data. This information shall be given at the time of collecting personal data. To be transparent as possible, we decided to keep you up to data every time - not only at the time of collection.
But please note: this information is a description of business processes that contains processing of personal data. If necessary we'll inform you about additional collection or processing of your personal data if special cases occur.
Who is responsible for the processing of your personal data?
Within the meaning of data protection, the “Controller” is the responsible "person" that has to take care about a meaningful processing of your personal data. With respect to your business relationship this would be Schenker AG, another DB Schenker entity or more of them.
Regarding the Schenker AG your contact details would be:
Please find your individual respective contact here on dbschenker.com by choosing your respective country through “Select location”.
As Schenker AG's Chief Privacy Officer, Maik Goehrke and his team will be glad to help you with questions around data protection.
Why do we process your personal data (and what is the legal basis)?
There are different reasons why we may process your personal data. Please find the most relevant ones below (and don't forget: as mentioned above we'll inform you about additional collection or processing of your personal data if special cases occur):
- purposes around a contractual relationship: of course, we have to process your personal data if you have a contractual relationship with one of the DB Schenker entities or, at your request, pre-contractual actions. Legal base is Art. 6 Sec. 1 lit. b) GDPR.
- voluntary additional services, activities or campaigns: sometimes you can profit by using additional services, or if we simply like to keep you updated through newsletters or advertising. Legal basis for this kind of data processing is your consent. Important: admittedly - because your consent was given freely and absolutely voluntary - you are able to withdraw your consent at any time for the future just by contacting the responsible business unit!
- purposes that are required in specific business constellations (and additionally business interest outweigh privacy aspects): while doing business, sometimes we have to process your personal data for general business purposes. For example: facility security requires video surveillance and maybe you are on the video, too. That is your personal data but your right to privacy does not outweigh the interest to safe our building (of course this is very generic and we do our best to safeguard your rights due to technical and organizational measures). Legal basis can be found in Art.6 Sec. 1 lit. f) GDPR. Acc. to Art. 21 GDPR you might be able to object this kind of data processing.
- general legal obligations: sometimes we have to process your personal data acc. to general legal provisions. These provisions can be very different and depend on your national legislation. The most common ones are rules regarding accounting and labor law including social requirements. Legal basis is always Art. 6 Sec. 1 lit. c) GDPR together with the respective national rule.
The processing of special types of personal data within the meaning of Article 9 Sec.1 GDPR ("sensitive" data, in particular health data) is carried out only on the basis named in Art. 9 GDPR; i.e. your consent or if this is necessary for the assertion, exercise or defense of legal rights.
Will we keep your data forever?
Your personal data will only be stored as long as necessary for the fulfillment of the strictly defined purpose and the national statuary obligations.
Do we transfer your data to anyone?
We only share information with third parties if it is required either for the business relationship or it is permitted by law. For the settlement of claims or the handling of compliance processes, it is generally necessary to pass on the information within the DB Schenker or the DB Group to the affected Group companies and organizational units. Even authorities can be among the recipients of data.
Typical service providers that receive data are IT and print service providers or call centers. Of course, internal and external service providers are bound contractually to safeguard data protection at a high level and required by applicable law.
DB Schenker is an international group with entities inside and outside Europe. Therefore, data transmission to a third country outside the EU / EEA may be required in certain cases. We only transfer data to a third country if the legal requirements for this are met, e.g. by concluding so-called standard data protection clauses, which provide for adequate safeguards for the protection of personal data.
Which rights can you claim acc. to your personal data?
The GDPR gives you a wide range of rights that you are able to claim.
- The right to be informed: The information in relation to the processing of personal data relating to an individual should be given to him/ her at the time of collection of such data within a reasonable period. The individual has the right to be made aware about the consequences of providing such data.
- The right of access: The individual should have a right to access to his/her personal information, which he/she might have communicated, in order to enable him/her to verify the processing of such data. However, the exercise of such right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular, the copyright protecting the software.
- Right to rectification: You have the right to have inaccurate personal data rectified, and incomplete personal data completed. A request for rectification may be made verbally or in writing and must be responded to within one calendar month.
- Right of restrict processing: This means that an individual can limit the way that an organization uses their data. This is an alternative to requesting the erasure of their data. Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.
- The right to erasure: The individual should also have the right to get his/her personal data erased and no longer processed where such data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or where he/she has withdrawn his/her consent regarding the processing of the same.
- The right to appeal to a supervisory authority: If your personal data is processed in a way that does not comply with the GDPR, you may lodge a complaint with supervisory authorities, who are obliged to inform you of the progress and outcome of your complaint.
- Right to data portability: This right applies to personal data about you which was provided by you. The right to data portability enables you to obtain and reuse your personal data for your own purposes. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, and to receive data from one controller and transmit it to a different controller without hindrance to usability.
- Right to object: You may have the right to object to the processing of your personal data in certain circumstances, for example where your data is being processed for direct marketing (including profiling) or for purposes of scientific or historical research and statistics (unless this is in the public interest). You may also have the right to object to the processing of your personal data where your data is being processed based on legitimate interests or the performance of a task in the exercise of official authority. Following an objection, a controller will no longer be allowed to process your personal data unless he can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
- Right to be notified of a personal data breach: A controller must inform you without delay of a personal data breach incident affecting you, which is likely to result in a high risk to your rights.
We are going to change this information from time to time if necessary. This version was updated in August 2018.