Obligation to notify and inform RRPS business partners pursuant to Art. 14 EU-GDPR (General Data Protection Regulation)
Data protection declaration
Our company gives high priority to the protection and security of personal data. The stipulations set out in the following are intended as information to our business partners when, against the background of the prevention of bribery and corruption, their personal data is processed in accordance with the requirements of the General Data Protection Regulation of the European Union (EU-GDPR). The full text of the General Data Protection Regulation of the European Union is available on the Internet at the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32016R0679. If you have any further questions regarding the EU-GDPR, please do not hesitate to contact the Data Privacy Officer at any time.
1. Data controller:
Rolls-Royce Power Systems AG, Maybachplatz 1, 88048 Friedrichshafen
Tel. +49 7541 9091; Fax: +49 7541 90-5000;
Executive Board: Andreas Schell, CEO; Marcus A. Wassenberg, CFO
Registry Court: Ulm, No.: HRB 721 056
2. Supervisory authority:
Baden-Württemberg State Office for Data Protection and Freedom of Information
Königstraße 10A, 70173 Stuttgart
Tel. 0711 6155410;
E-mail: firstname.lastname@example.org; www.baden-wuerttemberg.datenschutz.de
3. Data Privacy Officer:
Tel. +49 (0) 821 90786458
Fax +49 (0) 821 90786459
4. Rights of data subjects
As a person whom the processing of the data concerns, you have the following rights (data subject rights) pursuant to EU-GDPR:
4.1 Right of information:
You have the right to request information on whether the company processes data relating to your person or not. If your personal data is indeed being processed, you have the following rights:
- the right to know the purpose of processing.
- the right to know the category of personal data (data type) that is being processed.
- the right to know the recipient or category of recipient to whom your data has been or is to be disclosed; this particularly applies to data that has been or will be disclosed to recipients in third countries outside the jurisdiction of the EU-GDPR.
- the right to know the planned period of data retention, insofar as possible. If specification of the period of retention is not possible, you are entitled to know the criteria governing the period of retention.
- the right to have the data concerning you corrected or erased, including the right to restrict the processing thereof and/or raise an objection.
- the right to file a complaint with the supervisory authority.
- the right to know the origin of the data, if not collected directly from you.
You furthermore have the right to know whether your personal data has been used for the purpose of making an automated decision pursuant to Art. 22 EU-GDPR and, if this is the case, to know the criteria on which the automated decision was based and the possible consequences and implications of that decision for yourself.
If personal data is transmitted to a third country outside the jurisdiction of the EU-GDPR, you have right of access to information on whether adequate data protection pursuant to Art. 45 and 46 of the EU-GDPR is being provided by the data recipient in the third country, and, if so, on the basis of which guarantees.
You have the right to request a copy of your personal data. The company shall provide data copies in electronic format unless you specify otherwise. The first copy is free-of-charge. For further copies, a reasonable fee may be charged. Provision of the data is subject to any rights and freedoms of other persons who may be affected by its transfer.
4.2 Right to data correction:
You have the right to request that the company corrects your data insofar as it is incorrect, inaccurate and/or inadequate. The right to correct includes the right to have the data completed by further explanations or statements. Correction and/or completion must take place immediately i.e. without culpable delay.
4.3 Right to erasure of personal data:
You have the right to request that we erase your personal data insofar as:
- the personal data is no longer required for the purpose for which it was collected and processed.
- data processing took place on the basis of your declared consent which you have since withdrawn, and provided that no other legal reason exists for the processing of the data.
- you have lodged an objection to processing of the data pursuant to Art. 21 EU-GDPR and provided that there are no overriding legitimate reasons for further processing.
- you have lodged an objection against data processing for the purpose of direct marketing pursuant to Art. 21 Par. 2 EU-GDPR.
- your personal data was processed unlawfully.
- such data concerns a child and was collected in the context of information society services pursuant to Art. 8 Par. 1 EU-GDPR.
The right to erasure of personal data does not obtain insofar as:
- the demand for erasure affects the right to freedom of expression and information.
- the processing of the data is required:
  - to meet a legal obligation (such as statutory archiving requirements);
  - to perform a task in the public interest or to protect public interests falling under EU law and/or the law of a member state (including interests in the area of public health);
  - for archiving and/or research activities;
  - to assert, exercise or defend legal rights.
Erasure must take place immediately, i.e. without culpable delay. In the event that personal data is placed by the company in the public domain (e.g. on the Internet), the company is responsible for ensuring, insofar as reasonable and technically feasible, that third-party data controllers are also informed of the demand for erasure, including the erasure of links, copies or replicates.
4.4 Right to restrict data processing
You have the right to have processing of your personal data restricted in the following cases:
- If you have disputed the correctness of your personal data, you may restrict its further processing by requesting the company not to use the data for other purposes for the duration of the correctness check.
- In the event of unlawful data processing, you can request restriction of the use of the data pursuant to Art. 18 EU-GDPR rather than data erasure pursuant to Art. 17 Par. 1, Point d) EU-GDPR.
- Should you require your personal data for the assertion, exercise or defense of legal rights, and if your personal data is no longer otherwise required, you may request the company to restrict data processing to the aforementioned pursuit of rights.
- Should you have lodged an objection to data processing pursuant to Art. 21 Par. 1 EU-GDPR, whereby it has not yet been established whether the interest of the company in data processing outweighs your own interests, you may restrict data processing to the extent that you request the company not to use your data for other purposes for as long as the above assessment is being made.
Personal data whose processing is being restricted at your request may only – apart from being stored – be processed as follows:
- with your consent
- for the assertion, exercise, or defense of legal rights
- for the purpose of protecting the rights of other natural persons or corporate entities
- for the sake of an important matter of public interest.
Should a processing restriction be lifted, you will be informed thereof in advance.
4.5 Right to data portability
You have the right – on condition of the provisions set out below – to request that the data that concerns you be submitted in a commonly used electronic and machine-readable format. The right to data transfer includes the right to transmit the data to another controller. The company will therefore – at your request and as far as technically possible – transmit the data directly to a controller named or to be named by you. The right to data transfer only applies to data provided by you and is subject to the condition that the data was provided with your consent and is to be processed for performing a contract and that data transfer will take place using automated means. The right to data portability pursuant to Art. 20 EU-GDPR does not affect the right to data erasure pursuant to Art. 17 EU-GDPR. Data transfer is subject to the rights and freedoms of other persons in cases where these rights could be affected by transmission of the data.
4.6 Right to object to specific intentions in data processing
When personal data is processed for the performance of a task carried out in the public interest (Art. 6 Par. 1 Point e) EU-GDPR) or for legitimate interests (Art. 6 Par. 1 Point f) EU-GDPR) you may object at any time to the data concerning yourself being processed, with future effect. In the event of an objection, we must refrain from any further processing of your data for the above purposes unless:
- there are compelling, legitimate grounds for processing which override your interests, rights and freedoms
- processing is required for the assertion, exercise, or defense of legal rights.
You may object to the use of your data for direct marketing purposes at any time, with future effect. This also applies to profiling insofar as it is related to such direct marketing. In the event of an objection the company must refrain from any further processing of your data for the purpose of direct marketing.
4.7 Prohibition of automated decision-making/profiling (insofar as relevant)
Decisions which have legal implications for you or otherwise significantly affect you must not be taken solely on the basis of the automated processing of personal data – including profiling. This shall not apply to the extent that the automated decision:
- is required for closing or implementing a contract with you.
- is permissible on the grounds of EU or member state legislation, provided that this legislation includes reasonable provisions to protect the rights, freedoms and legitimate interests of your person.
- takes place with your express consent.
Decisions solely based on the automated processing of special categories of personal data are prohibited in principle, unless Art. 22 Par. 4 EU-GDPR applies in conjunction with Art. 9 Par. 2 Point a) or g) and appropriate measures to protect the rights, freedoms and legitimate interests of your person have been taken.
4.8 Exercising of data subject rights
To exercise data subject rights, contact the office named under 3. Inquiries submitted in electronic format will, as a rule, be answered in electronic format, unless otherwise specified in your inquiry. The provision of information and notifications and the taking of action pursuant to EU-GDPR, including the exercising of data subject rights, will, in principle, be free-of-charge. Only in the event of requests that are manifestly unfounded or excessive will the company be entitled to charge a reasonable fee for processing, or to refrain from taking action (Art. 12 Par. 5 EU-GDPR). In the case of justified doubt with respect to your identity, the company is entitled to request additional information from you – as far as is necessary – for the purpose of identification. If identification is not possible for the company, it shall be entitled to refuse to process your inquiry. The company shall – as far as possible – notify you separately if it is not in a position to make identification (Art. 12 Par. 6, Art. 11 EU-GDPR). Information requests are usually processed immediately, within one month of receipt. This period may be extended for another two months as necessary in respect of complexity and/or the number of inquiries received. The company shall inform you of the extension of the time limit within a month of receipt of your inquiry, stating the reasons for the delay. Should the company fail to act in response to an inquiry, it shall inform you thereof immediately, within one month of receiving your inquiry, stating the reasons and shall also inform you of the possibility of lodging a complaint with a supervisory authority or of seeking legal redress (Art. 12 Par. 3 and Par. 4 EU-GDPR). Please note that you may only exercise your data subject rights within the scope of any limits and restrictions imposed by the European Union or its member states.
4.9 Obligation to inform third parties
Should the company have disclosed personal data to other offices or recipients, it is obliged, insofar as technically possible and reasonable, to inform them of any correction, erasure and/or restriction on processing of the said data. The company shall inform you of such data recipients on request (see 4. above).
4.10 Management of data protection infringements
The company shall notify you immediately of data protection infringements that could put your personal rights and freedoms seriously at risk. However, notification might not be made in cases applicable to Art. 34 Par. 3 EU-GDPR. Notification shall particularly contain the following information:
- A description of the data protection infringement
- The name and contact data of the Data Privacy Officer or of another office that will provide information on or a description of the probable consequences of the data protection infringement.
- A description of the measures taken or suggested by us to rectify the data protection infringement including measures to attenuate its negative effects.
4.11 Legal protection
In the event of objections you are entitled at all times to contact the relevant supervisory authority in the European Union or member states. The supervisory authority mentioned under 2. is responsible for our company. For reasons of space, further clauses and provisions which usually form a standard part of data protection regulations and/or works agreements have not been included here.
5. Purpose of data processing
To combat corruption and bribery, the Company has created the conditions for staff to act in a legally compliant way. These conditions also contain an element of surveillance. Gifts or hospitality granted or received must be documented in the IT-based reporting tool in accordance with internal company directives.
The following data are processed:
- Name of business partner
- Company name
- Public official (yes/no)
- Gifts and hospitality given or received
- Description and estimated value of the gift or hospitality
- Date and place of hospitality
- Summary of reasons for gifts and hospitality
- First name and surname of recipient
- Copies of receipts or further statements where relevant.
The source of the data is internal data banks where the data of our business partners has been stored for the purpose of executing contracts.
The aim is monitoring as an integral part of the Compliance Management System to ensure that RRPS group staff on the one hand and business partners on the other are complying with the specifications and value limits contained in the internal directives on compliance. With this Tool, it is possible to bring to light any infringement of internal rules of conduct. This monitoring function can also be performed by the internal auditing section.
Apart from helping to prevent breaches of duty, the Tool also enables compliant conduct to be documented and the required supervisory measures to be implemented within the RRPS group. To this extent, the Compliance Online Tool can be seen as necessary for the prevention of bribery and corruption.
6. Legal basis for data processing
In the case of the data of business partners, a legitimate interest within the meaning of Art. 6 Par. 1 Point f) of the EU-GDPR exists: the interest in processing the personal data of business partners, to the extent absolutely necessary, in order to prevent corruption, bribery, breaches of trust and fraud.
7. Possible recipients or recipient categories
Recipients of personal data are staff from Ethics & Compliance and RRPS AG internal auditors. It cannot be ruled out at the present juncture that an overview of the data generated will be made available to Rolls-Royce plc (UK). Insofar as necessary, an anonymized data extract of samples that are not incident-related and that are restricted to pre-defined departments shall be put at Rolls-Royce's disposal. In the event of suspicious circumstances, a pseudonymized data extract, where possible, will be forwarded to Rolls-Royce.
8. Data processing in a third country outside the jurisdiction of the EU-GDPR
Depending on the location of the RRPS subsidiary, data will also be collected in third countries outside the jurisdiction of the EU-GDPR.
9. Information on period of retention
Personal data is to be erased from software if it is no longer needed. The retention period for data sets is five years. The retention period begins at the end of the year in which the gift or hospitality (G+H) was either given or received. When the retention period comes to an end, the data is to be kept in anonymized form (name, first name of employees, line managers, business partners) for a period of two years to enable it to be used for statistical purposes. On expiry of this period, the data is then to be erased.
Exceptions to this rule are data sets that upon random examination reveal concrete evidence that a criminal offense has been committed or a directive infringed, thereby necessitating further investigation. These data sets are to be archived separately until the end of the investigation. On completion of the investigation, processing of the data sets shall be restricted for a period of two years. In the event of follow-up investigations, the processing restrictions may be lifted and the data sets processed as appropriate. If two years pass without the introduction of a follow-up investigation, the data sets are to be erased.
Personal data can be erased at the personal request of the business partner concerned insofar as this does not affect the legitimate interests of the company.
10. Cookies
Cookies are small data files which are stored temporarily (2 years if they are not deleted) on your hard disk. This simplifies navigation and increases the user-friendliness of a website. Cookies can be used to determine whether any communication has already been sent from your computer to our sites. Cookies make it possible to identify your computer but they cannot establish any link to a particular person.
11. Communication by email
Communication by email can involve security gaps. Expert Internet users may be capable of intercepting, reading or even altering emails on their way from or to Rolls-Royce Power Systems. If we receive an email from you, we assume that we have the right to reply by email. If this is not the case, you must expressly indicate this and designate an alternative means of communication.
12. Google Analytics
This website uses Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as: Google). Google Analytics uses various technologies, including so-called cookies that are stored on your computer and allow an analysis of the use of this website by its visitors. The information obtained by Google Analytics regarding your use of this website will be transferred to Google servers which may be located in countries outside of the member countries of the European Union and may also be outside of the signatories of the agreements regarding the European Economic Area. Your IP address will be anonymised by Google through the activation of the IP anonymisation within the Google Analytics tracking code on this internet page prior to transferring. This website uses a Google Analytics tracking code that has been extended with the function _gat._anonymizeIp() in order to ensure that IP addresses can only be stored anonymously (so-called IP masking). On behalf of the operator of this website, Google will use this information in order to evaluate your visit to this internet page, compile reports about the website activities and provide additional services related to the website usage and the internet usage to the website operator. The IP address transferred from your browser by Google Analytics will not be combined with other Google data. You can prevent the storing of Google cookies via corresponding configurations of your browser software. However, we expressly inform you that in this case you may not be able to use all functions of this website to their full extent. You can prevent the recording of your data by Google Analytics by clicking on the following link. This will activate an opt-out cookie that prevents the recording of your data when visiting this website in the future: Deactivate Google Analytics.
You can find the security and data protection guidelines of Google Analytics at: https://support.google.com/analytics/answer/6004245?hl=en.
13. Opt-out cookie
You can prevent the recording of your data by Google Analytics by clicking on the following link. This will activate an opt-out cookie that prevents the recording of your data when visiting this website in the future: Deactivate Google Analytics.