Data privacy statement for www.frankfurt-airport-retail.com/

Table of Contents

1 General Details
1.1 Objectives and responsibilities
1.2 Legal bases
1.3 Data subject rights
1.4 Erasing data and storage period
1.5 Processing security
1.6 Forwarding data to third parties, sub-contractors and third party providers

2 Processing as Part of Our Online Services
2.1 Collecting information about use of the online services
2.2 Contact form and establishing contact by e-mail
2.3 Career portal
2.4 Google Tag Manager
2.5 Content management system (CMS)
2.6 Consent management via Usercentrics
2.7 Google Analytics
2.8 YouTube
2.9 DoubleClick
2.10 Google Fonts
2.11 Hosting

3 Processing in our Stationary Shops
3.1 Video monitoring
3.2 Compliance with customs and tax regulations in sales
3.3 Processing payments
3.4 Crew Shop orders

4 Application Process
4.1 Job portal
4.2 Direct applications
4.3 Incorporation in the applicant pool

5 Cookie Policy
5.1 General information
5.2 Cookie overview
5.3 Objection options

6 Amendments to the Data Protection Policy

1 General Details

1.1 Objectives and Responsibilities

1. This Data Protection Policy informs you about the type, scope and purpose of the processing of personal data in relation to our online services and the associated websites, functions and content (hereinafter jointly referred to as the “Online Services” or “Website”). Details of these processing activities can be found in Section 2.

2. Details of data processing activities in our bricks-and-mortar shops are described in Section 3. The application process is described in Section 4.

3. The provider of the Online Services and party responsible for data protection is Frankfurt Airport Retail GmbH & Co. KG (Flughafen Frankfurt, Frankfurt Airport Center 1, PO Box 507, D-60549 Frankfurt, Germany) - hereinafter referred to as the “Provider,” “We” or “Us.”

4. Our Online Services are rendered by Gebr. Heinemann SE & Co. KG (Koreastraße 3 - 5, D-20457 Hamburg).

5. Our data protection officer can be contacted via the following e-mail address: dataprotection@gebr-heinemann.de.

6. The term “User” includes all Online Services customers and visitors.

1.2 Legal Bases

We collect and process personal data based on the following legal bases:

a) Consent in accordance with Article 6(1), point (a), of the General Data Protection Regulation (GDPR). Consent is any voluntary, specific, informed and unambiguous expression of will in the form of a statement or other unambiguous affirmative act by which the data subject indicates his or her agreement to the processing of personal data relating to him or her.

b) Necessity of executing a contract or adopting preparatory measures in accordance with Article 6(1), point (b), GDPR, i.e. we require the data to honour our contractual obligations to you or we require the data to prepare entering into a contract with you.

c) Preparing to honour a legal obligation in accordance with Article 6(1), point (c), GDPR, i.e. processing the data is required by law or other requirements.

d) Preparing to safeguard justified interests in accordance with Article 6(1), point (f), GDPR, i.e. processing is necessary to protect our legitimate interests or the legitimate interests of others, except where such interests are overridden by your interests or fundamental rights and freedoms that require the protection of personal data.

1.3 Data Subject Rights

You have the following rights with regard to data processing by us:

a) Right to complain to a supervisory authority in accordance with Article 13(2), point (d), GDPR, and Article 14(2), point (e), GDPR;

b) Right of access in accordance with Article 15, GDPR;

c) Right of rectification in accordance with Article 16, GDPR;

d) Right to erasure (“Right to be forgotten”) in accordance with Article 17, GDPR;

e) Right to restriction of processing in accordance with Article 18, GDPR;

f) Right to data portability in accordance with Article 20, GDPR; and

g) Right to object in accordance with Article 21, GDPR.

Notice: Users may object to the processing of their personal data in accordance with the legal requirements at any time with effect for the future. You may, in particular, object to processing for direct marketing purposes. Irrespective of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes on GDPR.

1.4 Erasing Data and Storage Period

The data subject’s personal data shall be deleted or blocked as soon as the purpose for the storage becomes inapplicable. Storage may apply beyond this if this was proposed by the European or national legislator in Union law orders, laws or other requirements to which the controller is subject. Blocking or deleting the data shall also apply if a storage period specified by the stated standards expires unless there is a necessity for further storage of the data for entering into or executing a contract.

1.5 Processing Security

1. We have implemented appropriate and state-of-the-art technical and organisational security measures (TOMs). Therefore, the data we process are protected against accidental or intentional manipulation, loss, destruction and unauthorised access.

2. The security measures include, in particular, the encrypted forwarding of data between your browser and our server.

1.6 Forwarding Data to Third Parties, Sub-Contractors and Third Party Providers

1. Data shall only be forwarded to third parties as part of the legal requirements. We only forward users’ data to third parties if this is necessary, for example, for billing purposes or for other purposes if the forwarding is necessary to honour contractual obligations to users.

2. Insofar as we commission subcontractors for the processing of personal data or if it cannot be excluded that subcontractors can access personal data, we have taken appropriate contractual precautions as well as corresponding technical and organisational measures in dealings with these companies.

3. Insofar as we use content, tools or other means from other companies (hereinafter jointly described as “Third Party Providers”) and their stated registered office is located in a third country, it is to be assumed that forwarding data to the Third Party Providers’ countries of domicile takes place. The forwarding of personal data to third countries by us shall only occur if there is an adequate level of data protection, user consent or other legal permission.

2 Processing as Part of Our Online Services

2.1 Collecting Information About Use of the Online Services

1. When using the Online Services, information is automatically forwarded to us by the user’s browser. This includes the name of the website accessed, file, date and time of access, amount of data forwarded, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

2. This information is processed on the basis of legitimate interests in accordance with Article 6(1), point (f), GDPR (e.g. optimisation of the Online Services) and to ensure the security of the processing in accordance with Article 5(1), point (f), GDPR (e.g. to defend against and clarify cyber attacks).

3. The information is automatically deleted 4 weeks following the end of the connection - i.e. use of the Online Services - provided no other storage periods to the contrary apply.

4. Collecting data and storing data in log files are absolutely necessary to render the Online Services. Therefore, the user has no right to erase, object or correct the data.

2.2 Contact Form and Establishing Contact by E-Mail

1. When establishing contact with us (via online form or email), the data provided by the user are processed exclusively for the purpose of handling and processing the enquiry.

2. The data shall only be used for other purposes on the basis of the user’s consent.

3. The user’s data shall be stored in our customer relationship management system (“CRM System”) or a comparable software/database. The statutory storage periods for business letters apply.

2.3 Career Portal

1. When using our career portal, automatic forwarding to https://www.gebr-heinemann.de/de/Karriere/Jobsuche occurs.

2. The portal is operated by Gebr. Heinemann SE & Co. KG (Koreastraße 3 - 5, D-20457 Hamburg). Please note the Data Protection Policy applicable there.

2.4 Google Tag Manager

1. This website uses the Google Tag Manager. This service allows website tags to be managed via an interface. The Google Tag Manager only implements tags, does not set any Cookies and does not collect any personal data. The Google Tag Manager triggers other tags that may collect personal data. However, the Google Tag Manager does not access such data.

2. If a deactivation has been implemented at domain or Cookie level, it remains in place for all tracking tags, insofar as these are implemented via the Google Tag Manager.

2.5 Content Management System (CMS)

1. We also use the services of Contentful GmbH, Ritterstraße 12 - 14, D-10969 Berlin, for our website. Contentful is a content management system (CMS) hosted in the cloud (AWS). All content and documents that are displayed on the website are stored in the CMS. When you access the website, the system also accesses the Contentful server. Contentful does not store any user data in the log file.

2. The legal basis for using the CMS is our legitimate interest (Article 6(1), point (f), GDPR). Contentful ensures that our Online Services are presented optimally for our users.

3. For more information on the purpose and scope of data collection and its processing by Contentful, please visit the website of the provider  https://www.contentful.com and view its Data Protection Policy at https://www.contentful.com/legal/de/privacy/.

2.6 Consent Management via Usercentrics

1. We use the Usercentrics Consent Management Platform as a consent management tool as part of the analytics activities on our website. The Usercentrics Consent Management Platform collects log file and consent data using JavaScript. This JavaScript makes it possible to inform users about their consent to certain tags on our website and obtain, manage and document such consent.

2. We process the following data in that regard:

  • Consent data or data of consent (anonymised logbook data (Consent ID, Processor ID, Controller ID), Consent Status and Timestamp).

  • Device data (e.g. abbreviated IP addresses (IP v4, IP v6), device information and timestamp)

  • User data (e.g. email, ID, browser information, SettingIDs and Changelog)

The ConsentID (contains the above-mentioned data), the Consent status including timestamp are stored in the local memory of your browser and simultaneously on the used cloud servers. Further processing only occurs if you submit a request for information or withdraw your consent. In such a case, the corresponding information is made available to us in a compact data format in an easily readable text form for the purpose of data exchange (JSON file).

3. No user information is stored for the statistics of the use of the consent granted or not. Only the frequency and locations of clicks are stored.

4. Personal data are stored on a Google Cloud server located in the EU (Brussels and Frankfurt am Main).

5. The purpose of the data processing is the analysis and management of the consent granted to comply with our obligation of GDPR-compliant consent management. Use of Usercentrics serves the purpose of proving granted and non-granted consent as well as managing these.

6. The legal basis for the management of your consent for the processing of your personal data is Article 6(1), point (f), GDPR. Our legitimate interest lies in the legally secure documentation and verifiability of consent, the control of marketing measures on the basis of the consent granted as well as the optimisation of consent rates.

7. The data are deleted as soon as they are no longer required. The associated Cookie has a term of 60 days. The withdrawal document regarding previously granted consent is stored for a period of three years. This storage is based on the one hand on our accountability in accordance with Article 5(2), GDPR.

2.7 Google Analytics

1. On the basis of your consent, we use Google Analytics, a web analytics service of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) - hereinafter “Google”, for the analysis, optimisation and economic operation of our Online Services in accordance with Article 6(1), point (a), GDPR. Google uses Cookies and other technologies. The information generated by the service about use of the Online Services by the users is forwarded to a Google server in the USA and processed there.

2. Google acts on our behalf as part of order processing in accordance with Article 28, GDPR. We have entered into a data protection agreement with Google that contains the EU standard data protection clauses.

3. We use Google Analytics with IP anonymisation activated.

4. Google Analytics stores Cookies in your web browser for a period of two years since your last visit. These Cookies contain a randomly generated user ID by way of which you can be recognised during future website visits. Users can prevent the storage of the Cookies by way of a corresponding setting in their browser software.

5. The recorded data are stored with the randomly generated user ID, which facilitates the evaluation of pseudonymous user profiles. Such user-related data are automatically deleted after 26 months. Other data remain stored in aggregated form indefinitely.

6. Further information about data use by Google, setting and revocation options can be found on Google’s websites:

  • https://policies.google.com/technologies/partner-sites?hl=de (“Data use by Google when you use our partners’ websites or apps”)

  • https://policies.google.com/technologies/ads (“Data use for advertising purposes”)

  • https://adssettings.google.com/authenticated (“Manage information Google uses to display ads to you”)

2.8 YouTube

1. We use YouTube for the integration of videos. The videos have been embedded in extended data protection mode.

2. YouTube’s website uses Cookies to collect information about website users. YouTube uses them, among other things, to compile video statistics, prevent fraud and improve the user experience.

3. By using YouTube, a connection is established with the Google DoubleClick network. Starting the video may trigger further data processing. We exert no influence on this.

4. You can find more information about data protection at YouTube in the Data Protection Policy at: http://www.youtube.com/t/privacy_at_youtube

5. The processing of such information is based on your consent in accordance with Article 6(1), point (a), GDPR.

2.9 DoubleClick

1. Doubleclick by Google is a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

2. Doubleclick by Google uses Cookies to display advertisements that are relevant to you. In that respect, a pseudonymous identification number (ID) is assigned to your browser to check which advertisements were displayed in your browser and which advertisements were called up. The Cookies do not contain any personal information. Use of DoubleClick Cookies only enables Google and its partner websites to display ads based on previous visits to our website or other websites on the internet. Google forwards the information generated by the Cookies to a server in the USA for evaluation and storage there. Under no circumstances will Google combine your data with other data collected by Google.

3. Doubleclick is automatically reloaded once you grant your consent to the use of YouTube. You consent to the processing of data about you by Google in the manner and for the purposes set out above.

4. You can prevent the storage of the Cookies by way of a corresponding setting in your browser software. In addition, you can prevent the collection of the data generated by the Cookies and related to your use of the websites to Google as well as the processing of such data by Google by downloading and installing the browser plugin available under the following link under the item “Extension for DoubleClick deactivation.”

5. More information about DoubleClick by Google and data protection can be found here: https://policies.google.com/technologies/ads?hl=de

2.10 Google Fonts

1. To make the visit to our website attractive, we use fonts from Google, the so-called Google Fonts.

2. We have integrated the Google Fonts locally, i.e. in our web server. This means that there is no connection to Google servers and, therefore, no forwarding of your data to Google.

2.11 Hosting

1. Our website uses Microsoft Azure. The provider is Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA.

2. The web server and a database of the website are operated in the Azure cloud - as is our e-mail system. The cloud server is located in the Netherlands.

3. The legal basis for use of Microsoft Azure is our legitimate interest (Article 6(1), point (f), GDPR) in efficiently hosting the systems.

3 Processing in our Bricks-and-Mortar Shops

3.1 Video Monitoring

1. Video recordings are processed on the basis of Article 6(1), point (f), GDPR (balancing of interests) for the following purposes:

a. Safeguarding house rights

b. Prevention and investigation of criminal offences (in particular theft, robberies, fraud, damage and vandalism). The video recordings may be forwarded to the competent law enforcement authorities as part of a potential criminal prosecution.

2. Our legitimate interests are:

a. Protection of property and assets

b. Protection of customers, visitors and employees

3. The video recordings are erased 10 days after recording. A longer storage period shall only apply if this is necessary for the enforcement of legal claims or the prosecution of criminal offences in a specific individual case.

3.2 Compliance with Customs and Tax Regulations in Sales

1. The sale of goods to travellers is exempt from excise duty and VAT under certain conditions. The tax exemption allows goods to be offered to travellers at favourable prices. To obtain the tax exemption, appropriate proof must be furnished to the tax and customs office and necessary measures must be taken to prevent tax evasion, avoidance or abuse (Section 6(4), UStG (German Turnover Act) and Article 14(3), VerbrStSystRL (2008/118/EC) (COUNCIL DIRECTIVE 2008/118/EC concerning the general arrangements for excise duty and repealing Directive 92/12/EEC)). The transaction data of the underlying sale (name and number of the airport shop, date of the transaction, quantity and price of the goods sold, number of the cash register and the receipt) must, therefore, be supplemented by proof of export in accordance with Section 4, No. 1, point (a), Section 6(1), No. 2, UStG, Sections 8(1), 9(1) UStDV (German Turnover Tax Enforcement Regulation) as well as a proof of receipt in accordance with Section 6(3a), No. 1, UStG, Section 17, UStDV, Article 147(2), sub-section 1, MwStSystRL (Common System of Value Added Tax). The accounting proof also requires that the conditions for tax exemption are clear and easily verifiable (Section 13, UStDV). The tax regulations are taken into account with the three-stage data processing described below. The legal basis is Article 6(1), point (c), GDPR (legal obligation), in conjunction with Article 6(1), point (f), GDPR (weighing of interests).

2. Scanning the boarding pass

Scanning the boarding pass is aimed at checking whether the goods sold are exported to a third country (proof of export). In that respect, no personal data are processed. The “Check-in sequence no.,” “Flight no.” and “Destination” fields are read.

3. Scanning proof of identity

The term “Proof of identity” is used in this context as a synonym for any border crossing document / identity document; i.e. passport, ID card, identity card (Switzerland), among others. Scanning a proof of identity is aimed at proving that the customer’s place of residence is in a third country (proof of customer). The proof of identity is only scanned if the customer presents a proof of identity from a non-EU country and a third country has previously been identified as the destination. As a rule, only the MRL (machine-readable line) of the proof of identity is read; if this is not possible, a pictorial copy is made. Case 1: Storing the following machine-readable data of the proof of identity: “Number of the proof of identity,” “First name and surname” and “Country of issue.” Case 2: Storing the proof of identity as a JPG file (image storage) if the scanner does not recognise the MRL (machine-readable line). If it becomes apparent at the end of the checkout transaction that the minimum tax exemption amount of 50 euros is not reached, the data collected in this step are discarded and not stored.

4. Completing the resident receipt

The purpose of the so-called resident receipt as a further part of the proof of purchase and security measure against tax evasion is to confirm the customer’s residence outside the EU. This is only to be completed if a non-EU passport has been presented. The customer confirms this electronically using a signpad; if this is not possible (e.g. due to technical problems), a receipt is printed. Both on the signpad and on the paper receipt, residence in the EU must be selected “Yes / No” and confirmed with the signature. While the electronically generated receipt is directly archived, the paper receipt must be scanned beforehand.

For the above-mentioned processing, we use the service providers Payone GmbH and ALPHA COM Deutschland GmbH within the framework of order processing in accordance with Article 28, GDPR.

5. Erasing data

As a rule, personal data are erased within ten years of entering into a purchase contract at the end of a financial year in accordance with the storage period under tax law (Section 147, AO (German Tax Code), in conjunction with section 14b UStG, Section 63, UStDV).

3.3 Processing Payments

1. On the basis of Article 6(1), point (b), GDPR (necessity for the performance of the contract), we process personal data to execute payment processes.

2. Recipients of personal data in the context of the payment process are the company Ingenico Payment Services GmbH (Daniel-Goldbach-Str. 17-19, D-40880 Ratingen, Germany) as well as banks and auditors. Data are not forwarded to third countries.

3. Further recipients of personal data in the context of payment defaults are, if necessary for verification, service providers for establishing identity. The legal basis for this is Article 6(1), point (f), GDPR. Our legitimate interest lies in the prevention of fraud attempts and payment defaults at our expense.

4. As a rule, personal data are deleted within ten years after entering into a sales contract to take effect at the end of a financial year. The legal basis for this is Section 147, AO.

3.4 Crew Shop Orders

1. In the context of orders in the Crew Shop, we process the following information of our customers: name, company and e-mail address as well as order data, i.e. item number(s) and quantity/quantities.

2. The data are processed exclusively on the basis of Article 6(1), point (b), GDPR (necessity for entering into a contract); i.e. to process an order.

3. The data are erased 35 days after the order has been recorded.

4 Application Process

For reasons of better readability, the following explanations dispense with the simultaneous use of masculine, feminine and other forms of language. All personal designations apply to all genders: m/f/d.

4.1 Job Portal

1. We use our Group’s job portal to receive and manage applications and thus for the purpose of (potentially) establishing an employment relationship. The portal is operated by Heinemann SE & Co. KG (Koreastraße 3, D-20457 Hamburg, Germany).

2. You can find the operator’s Data Protection Policy here: https://www.gebr-heinemann.de/heu/de/privacy. We draw attention to the fact that - despite the use of the platform itself - we remain responsible for the processing operations.

3. Insofar as you apply to us via the job portal, the operator of the job portal collects your application data on our behalf.

4. We can then access an internal area of the job portal and view your application data. We then also have the following options: Making notes that are linked to your application data; internal company communication about your application (if applicable, with the specialist departments concerned); documentation of the decision about the further processing of the application, invitation to one or more job interviews, invitation to one or more trial workdays, forwarding of an employment contract certificate, creation of a rejection and up to and including the implementation of onboarding measures.

4.2 Direct Applications

1. We give you the option of filing an application with us (e.g. by e-mail, post or via the Job Portal). Below are details about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the recording, processing and use of your data comply with the valid data protection law and all additional statutory provisions and that your data are treated in absolute confidence.

2. Scope and purpose of the data collection: When you send us an application, we process your associated personal data (e.g. contact and communication data, application documents and notes taken during interviews etc.) to the extent that this is necessary to decide whether or not to establish an employment relationship. The legal basis in this respect is Section 26 BDSG (German Data Protection Act), (initiating an employment relationship), Article 6(1), point (b), GDPR (General contractual initiation) and, provided you have granted consent, Article 6(1), point (a), GDPR. The consent may be withdrawn at any time. Your personal data shall be forwarded within our company exclusively to persons who are involved in processing your application.

3. Provided the application is successful, the data you have submitted shall be stored in our data processing systems on the basis of Section 26, BDSG, and Article 6(1), point (b), GDPR, for the purpose of implementing the employment relationship.

4. Data storage period: Where we do not make an offer to you, you reject the offer or withdraw your application, we reserve the right to store at our company the data forwarded by you based on our justified interests (Article 6(1), point (f), GDPR) for up to 6 months from the end of the application procedure (rejection or withdrawal of the application). The data shall subsequently be deleted and the physical application documents shall be destroyed. The storage is aimed, in particular, at purposes involving furnishing proof in the event of a legal dispute. Where it is evident that the data will be required following expiry of the 6-month storage period (e.g. as a result of a threatened or pending legal dispute), the data shall only be deleted if they have become irrelevant in respect of continued storage. In addition, storage may also occur for a longer period if you have granted corresponding consent (Article 6(1), point (a), GDPR) or if statutory storage periods conflict with the deletion.

4.3 Incorporation in the Applicant Pool

1. Insofar as we do not make you a job offer, it may be possible to include you in our applicant pool. In the event of inclusion, all documents and details from the application shall be forwarded to the applicant pool to contact you in the event of suitable vacancies.

2. Inclusion in the applicant pool is based exclusively on your express consent (Article 6(1), point (a), GDPR). Granting consent is voluntary and is not related to the current application process. The data subject may withdraw his/her consent at any time. In such a case, the data shall be irrevocably erased from the applicant pool unless legal reasons for the storage apply.

3. The data from the applicant pool shall be irrevocably erased no later than two years after consent has been granted.

5 Cookie Policy

5.1 General Information

1. Cookies are pieces of information that are forwarded from our web server or third-party web servers to the users’ web browsers and stored there for subsequent retrieval. Cookies may be small files or other types of information storage.

2. If users do not want Cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored Cookies can be deleted in the system settings of the browser. The exclusion of Cookies can lead to functional restrictions of these Online Services.

5.2 Cookie Overview

  • _gid

      • Provider: Google

      • Purpose: registers a unique ID that is used to generate statistical data about how a visitor uses the website.

      • Term: 1 day

  • _ga

      • Provider: Google

      • Purpose: registers a unique ID that is used to generate statistical data about how a visitor uses the website.

      • Term: 1 Month

  • _gat_#

      • Provider: Google

      • Purpose: Used by Google Analytics to limit the request rate.

      • Term: Browser session

  • Access:

      • Provider: Gebr. Heinemann

      • Purpose: Used to manage the browser session.

      • Term: Session duration

5.3 Objection Options

Once you have granted your consent, you can object at any time to the use of Cookies for range measurement and advertising purposes via the link “Click here to open”.

6 Amendments to the Data Protection Policy

  • We reserve the right to amend this Data Protection Policy with regard to data processing to adapt it in line with amendments to the law, changes in the Online Services or data processing.

  • Insofar as user consent is required or components of the Data Protection Policy contain provisions of the contractual relationship with the users, the amendments shall only be made with the consent of the users.

  • Users are requested to obtain information regularly about the content of this Data Protection Policy.

Status September 2023