GDPR

Information required in handling personal data

We are committed to protecting your rights and freedoms, and so we only use your data for the intended purposes. It is important to us that you are fully aware at all times of how we are collecting, using and, if applicable, disclosing your data to third parties. To achieve this, we have put together the following comprehensive information concerning the processing of the personal data we collect and store. We will never process your personal data without your informed consent if we have no legal basis for doing so. When processing your personal data, we strictly adhere to the requirements of the European Union General Data Protection Regulation (GDPR) and, if relevant, other data protection laws.

Name and address of the controller

Lennon.de Language Services
Ludgeristraße 9
48143 Münster
Germany
Telephone: +49 251 484440-0
Fax: +49 251 484440-29
Email: go@lennon.de

Website: www.lennon.de

Name and address of the data protection officer

Joerg ter Beek
Cortina Consult GmbH
Prozessionsweg 403b
48155 Münster
Germany
Email: dsb.lennon@cortina-consult.de
Website: cortina-consult.com

Please contact our data protection officer directly if you have any questions regarding the processing of your personal data or if you wish to assert your rights as a data subject (such as the right to access, rectify or erase data or make data unavailable) or revoke your consent.

Rights of the data subject

Chapter III of the European Union General Data Protection Regulation (GDPR) sets out an extensive range of rights for data subjects, which we would like to explain below in the context of processing your personal data:

1) Right to request access

  • This requirement relates in particular to the following details of data processing:
  • Purposes of processing
  • Categories of personal data
  • Recipients or categories of recipients, if applicable
  • The envisaged storage period and the criteria used to determine this period, if applicable
  • Reference to the right to request the rectification or erasure of data as well as restrictions or objections to data processing
  • The existence of a right to lodge a complaint with a supervisory authority
  • Source of the data, if applicable (if you yourself are not the source)
  • The existence of automated decision-making if applicable, including profiling, including meaningful information about the logic involved, as well as the significance and the envisaged consequences thereof.
  • The (envisaged) transfer to a third country or international organisation if applicable.

2) Right to rectification

We will rectify any incorrect data without undue delay if you notify us accordingly.

3) Right to erasure (right to be forgotten)

If processing is no longer required and one of the following conditions has been met:

  • Purpose of processing no longer applicable
  • Consent withdrawn and no other legal basis for the processing
  • Objection to the processing without any overriding important reason
  • Unlawful processing
  • Requirement for compliance with a legal obligation
  • Data collected in accordance with Article 8 (1) GDPR

As part of your erasure request, we may also pass on your request to third parties to whom we had previously disclosed your data.

4) Right to restriction of processing

If one of the following conditions has been met:

  • You contest the accuracy of your data (restriction can apply for a period that enables us to verify the accuracy)
  • If the processing is unlawful and data is not intended for erasure, processing can be restricted instead.
  • If the purposes of the processing no longer apply and you also require your data to exercise, assert or defend yourself against legal claims.
  • After you have objected to the processing pursuant to Article 21 (1) GDPR and pending verification of whether our legitimate grounds override yours.

5) Right to data portability

We will transfer your personal data to another recipient (controller) at your request, provided this is technically possible and does not impinge on the rights and freedoms of others.

6) Right to object

If we have collected your personal data and are processing it (on the basis of Article 6 (1)(e) or (1(f) or Article 9 (2)(a) GDPR), you have the right to object to all future data processing (including profiling) at any time. In certain cases the objection may not take effect, such as if we can demonstrate compelling legitimate grounds for the processing which override your interests, or the purpose of processing the data is the establishment, exercise or defence of legal claims. If we process your personal data for direct marketing purposes, you have the right to object to this form of processing at any time. This also applies to profiling to the extent that this profiling relates to direct marketing. You also have the right to object to the processing of your personal data for scientific or historical research purposes or for statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary performance of a task carried out in the public interest.

7) Automated individual decision-making, including profiling

If we collect or have collected your personal data and process it, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This provision does not apply if the decision is necessary for entering into, or the performance of, a contract between you and us or if you have issued your explicit consent to the decision. We will implement suitable measures in all cases to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain human intervention on our part, to express your point of view and to contest the decision.

8) Right to revoke your consent under data protection law.

You have the right to revoke your consent to the processing of your personal data at any time.

9) Right to lodge a complaint with a supervisory authority

A list of supervisory authorities in Germany is available on the website of the Federal Commissioner for Data Protection and Freedom of Information and can be accessed via the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/AufsBehoerdFuerDenNichtOeffBereich/AufsichtsbehoerdenNichtOeffBereich_liste.html

Information on data security

We protect your personal data that is processed at our premises and by us from loss and destruction as well as unauthorised access, modification or disclosure by means of suitable technical and organisational measures. However, despite regular controls, it is not possible to provide comprehensive protection against all potential risks.

Legal basis of processing

We process personal data in accordance with the requirements of the GDPR as follows, depending on the nature and purpose of processing:

Grounds for consent GDPR provision
Informed consent Article 6 (1)(a)
Performance of a contract Article 6 (1)(b)
Implementation of pre-contractual measures Article 6 (1)(b)
Compliance with a legal obligation Article 6 (1)(c)
Protection of vital interests Article 6 (1)(d)
Protection of our legitimate interest Article 6 (1)(f)

Our legitimate interest

Our legitimate interest defined in accordance with Article 6 (1)(f) GDPR is based on the performance of our business activities in order to maintain the operations of the company and continue the employment of our employees.

General notice periods for data erasure

Once the purpose of data storage no longer applies, data is usually subject to retention periods of a minimum of six or ten years. Data is generally erased without undue delay according to our erasure concept, provided that there is no overriding data retention obligation, requirement to perform a contract or legitimate interest.

Individual information by type of processing

Purposes, legal bases and other information can vary depending on the type of processing. The following section provides details regarding the precise attribution of information

Job applications and application processes

Purpose of processingData belonging to job candidates is collected, processed and used for the purpose of selecting potential employees.
Legal basis (under Article 6 / 9 GDPR)Performance of pre-contractual measures (Article 6 (1)(b))
Recipient, if applicable (in case of disclosure)This data is not disclosed to third parties and / or transferred to a third country.
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)
If known: Duration of data storagePersonal data belonging to job candidates who we do not recruit is stored for the period of time required for any potential legal claims (e.g. under the German General Act on Equal Treatment (AGG); maximum of six months) and is subsequently destroyed or erased without undue delay.
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityIn order to ensure a smooth application process, you must provide us with the requested, truthful information.
Consequences of non-compliance (not providing the required data)Non-compliance with this obligation (in other words not providing the required data) may result in us not being able to conclude an employment contract with you.
Existence of any automated decision-making, if applicableWe do not engage in any purely automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)Usually data is collected from the data subject him- or herself, but can also originate from third-party sources in certain circumstances.
Categories of personal data, if applicable (if not collected from data subject directly)Master data, contact details, application details
Change in purpose, if applicableIf, following the conclusion of the application process, you enter into an employment relationship with us, the purpose of processing the data changes. The data is then used to implement and maintain the employment relationship.

Electronic processing via email

Purpose of processingPerformance of internal and external communications, including documentation, office communication.
Legal basis (under Article 6 / 9 GDPR)Safeguarding legitimate interests (Article 6 (1)(f))

Performance of a contract (Article 6 (1)(b))

Performance of pre-contractual measures (Article 6 (1)(b))

Compliance with legal obligations (Article 6 (1)(c))

Recipient, if applicable (in case of disclosure)Ad hoc, transparent transfer within the scope of email communications (e.g. observing BCC and CC rules); to recipients such as existing customers, potential customers, suppliers, authorities, contractual parties, other third parties
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)Data is transferred to third countries if the respective communication partner is based in a third country.

In addition, it cannot be ruled out within the scope of email communication that emails are routed via communication systems located in third countries.

If known: Duration of data storageOnce the purpose of data storage no longer applies, the data is subject to the following terms:

Retention period for emails if classified as business communications:  six years; data is routinely erased after six years if it is no longer required to implement or terminate contracts.

Shorter erasure periods in particular contexts (e.g. job applicant data)

Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityNone
Consequences of non-compliance (not providing the required data)Communication via email may not be possible
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)Usually data is collected from the data subject him- or herself, but it can also originate from third-party sources in certain circumstances.
Categories of personal data, if applicable (if not collected from data subject directly)Master data, contact details
Change in purpose, if applicableNone

Invoicing

Purpose of processingInvoicing via direct debit
Legal basis (under Article 6 / 9 GDPR)Safeguarding our legitimate interest (Article 6 (1)(f))

Performance of a contract (Article 6 (1)(b))

Compliance with a legal obligation (Article 6 (1)(c))

Recipient, if applicable (in case of disclosure)Contractor’s bank
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageSee General notice periods for erasure
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityPayment by direct debit is not possible without the data required for the SEPA direct debit.
Consequences of non-compliance (not providing the required data)
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)The data originates from the data subject him- or herself
Categories of personal data, if applicable (if not collected from data subject directly)
Change in purpose, if applicableNone

General administration

Purpose of processingGeneral administration
Legal basis (under Article 6 / 9 GDPR)Safeguarding legitimate interests (Article 6 (1)(f))
Recipient, if applicable (in case of disclosure)None
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageSee General notice periods for erasure
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityCertain business processes cannot be performed without the data required for administrative purposes.
Consequences of non-compliance (not providing the required data)
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)Data is usually provided by the data subject him- or herself, but can also originate from third parties.
Categories of personal data, if applicable (if not collected from data subject directly)First name, surname, title, address, email address, telephone number, role, contact details, contact history, contract details
Change in purpose, if applicableNone

Telephone system

Purpose of processingPerformance of telecommunications services for internal purposes
Legal basis (under Article 6 / 9 GDPR)Safeguarding legitimate interests (Article 6 (1)(f))
Recipient, if applicable (in case of disclosure)Communication data is only used on an ad hoc basis to resolve technical issues or accounting audits, for instance, and is not generally disclosed.
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageCommunication data is stored for a maximum of six months. Data can also be stored and used in aggregated form, but only on the condition that no personal references can be derived from the data.

See also General notice periods for erasure

Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityIt is not possible to conduct or manage telecommunications activities without the data required for communication.
Consequences of non-compliance (not providing the required data)
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)Data is usually provided by data subjects themselves, but can also originate from third parties.
Categories of personal data, if applicable (if not collected from data subject directly)Extension; name, if applicable; communication data (as defined in Section 96 German Telecommunications Act)
Change in purpose, if applicableNone

Appointment scheduling

Purpose of processingPlanning and managing appointments
Legal basis (under Article 6 / 9 GDPR)Safeguarding legitimate interests (Article 6 (1)(f))
Recipient, if applicable (in case of disclosure)Customer / service provider or other third party required for coordinating meetings, if applicable
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageSee General notice periods for erasure
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityIt is not possible to plan, manage and coordinate appointments without the data required for appointment scheduling.
Consequences of non-compliance (not providing the required data)
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)The data originates from the data subject him- or herself.
Categories of personal data, if applicable (if not collected from data subject directly)
Change in purpose, if applicableNone

Contact management

Purpose of processingManagement of contact details
Legal basis (under Article 6 / 9 GDPR)Safeguarding our legitimate interest (Article 6 (1)(f))
Recipient, if applicable (in case of disclosure)None
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageSee General notice periods for erasure
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityBusiness communications are not possible without contact details.
Consequences of non-compliance (not providing the required data)
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)The data originates from the data subject him- or herself.
Categories of personal data, if applicable (if not collected from data subject directly)
Change in purpose, if applicableNone

Marketing / lettershop services

Purpose of processingMarketing for goods / services / companies
Legal basis (under Article 6 / 9 GDPR)Safeguarding our legitimate interest (Article 6 (1)(f))
Recipient, if applicable (in case of disclosure)Lettershop service providers
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageSee General notice periods for erasure
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityN/A
Consequences of non-compliance (not providing the required data)
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)The data originates from the data subject him- or herself.
Categories of personal data, if applicable (if not collected from data subject directly)
Change in purpose, if applicableNone

Financial accounting

Purpose of processingRecording and documenting all financial transactions within the company (all sales and fixed assets)

Recording and payment of taxes and duties to tax offices or other public-sector authorities.

Legal basis (under Article 6 / 9 GDPR)Compliance with a legal obligation (Article 6 (1)(c))

Safeguarding our legitimate interest (Article 6 (1)(f))

Recipient, if applicable (in case of disclosure)If required by law: tax offices;

Tax advisers and auditors

In other cases if there is a legal basis for data transfer.

Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageSee General notice periods for erasure
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityOn the basis of legal obligations
Consequences of non-compliance (not providing the required data)Derived from statutory provisions, if applicable
Existence of any automated decision-makingWe do not engage in any automated decision-making in this context.
Source of the data, if applicable (if not collected from data subject directly)The data originates from the data subject him- or herself.
Categories of personal data, if applicable (if not collected from data subject directly)
Change in purpose, if applicableNone

Social media marketing

Purpose of processingUse of social media for marketing and communication purposes
Legal basis (under Article 6 / 9 GDPR)Safeguarding our legitimate interest (Article 6 (1)(f))
Recipient, if applicable (in case of disclosure)None
Intention behind transfer to a third country or international organisation, if applicable (incl. information regarding the adequacy decision of the European Commission or suitable guarantees)We do not transfer data to third countries, nor do we plan to in future.
If known: Duration of data storageSee General notice periods for erasure
Obligation to provide personal data (e.g. under legal or contractual requirements) / necessityThere is no obligation to provide personal data.
Consequences of non-compliance (not providing the required data)None
Existence of any automated decision-makingNo automated decision-making takes place.
Source of the data, if applicable (if not collected from data subject directly)The data originates from the data subject him- or herself.
Categories of personal data, if applicable (if not collected from data subject directly)
Change in purpose, if applicableNone
test