Data Protection

Privacy statement

We are pleased that you are interested in the important topic of data protection. The protection of your data as well as its security and confidential treatment are an important concern for OBI Group Sourcing. In the following we inform you about the processing (including the collection and storage) of personal data when using our websites at www.obisourcing.de. By personal data we mean all data that can be related to you personally, e.g. name, address, e-mail address, user behaviour. The companies of the OBI Group adhere strictly to the statutory provisions on data protection. Our aim is not only to give you a feeling of security when using our services, but also to ensure that your data is in good hands with OBI.


A. Basic information

  1. Controller
    Those responsible under data protection law pursuant to Art. 4 para. 7 General Data Protection Regulation (GDPR) are:
  • for the entire online offering at www.obisourcing.de: OBI Group Sourcing GmbH Albert-Einstein-Str. 7-9, 42929 Wermelskirchen, Germany, telephone: +49 (0) 2196 76 4000,

e-mail: info@obisourcing.de

Further information and contact details as well as additional legal information can be found at www.obisourcing.de in the legal notice.
 

  1. Data protection officer
    You can reach the data protection officer of OBI Group Sourcing GmbH at:
    OBI – Datenschutz
    Albert-Einstein-Str. 7-9
    42929 Wermelskirchen
    Phone: 02196-761515
    Fax: 02196-762088
    E-Mail: datenschutzbeauftragter@obi.de

 

  1. Data security
    We secure our website and other systems through technical and organisational measures against loss, destruction, access, alteration or distribution of your data by unauthorised persons. In connection with accesses to our website, data which may allow identification (e.g. IP address) is temporarily stored on our servers for the purposes of data and system security, but generally for no longer than 30 days. The processing of possibly personal data for the purposes of data and system security is carried out on the basis of Art. 6 para. 1 sentence 1 lit. f. GDPR and our legitimate interest in securing our systems and preventing abuse.

 

  1. Principles for the storage and erasure of personal data

Personal data will only be processed for the period of time necessary to achieve the respective storage purpose or insofar as this is provided for in laws or regulations applicable to us, e.g. commercial or tax retention obligations. If a storage purpose no longer applies or if a legally prescribed storage period expires, the personal data concerned will be routinely erased in accordance with the statutory provisions or their processing will be restricted, e.g. limited processing in the scope of commercial or tax law storage obligations.

The processing of personal data on the basis of a legal obligation, namely the fulfilment of legal storage obligations, is based on Art. 6 para. 1 sentence 1 lit. c GDPR. Insofar as personal data are processed pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR for the purpose of preserving evidence, these processing purposes shall cease to apply after expiry of the statutory limitation periods;
the regular statutory limitation period is three years.

For more details on specific storage and deletion periods, we refer to individual service descriptions or information in this Privacy Statement
 
B. Visiting our website

When using our website for informational purposes only, we may collect personal data that your browser transmits to our server. For the purposes of web analysis and online marketing, we also use tracking technologies to the extent described below.

 

Technical provision of the website
When you visit our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure the stability and security of our online offering:

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Contents of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request originates
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

The legal basis for this collection and processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our justified interest lies in the provision of a functional website offer and its system security. In addition, we use the aforementioned data in a non-personal form for statistical purposes and to improve our online services.

Your IP address is automatically anonymised by deleting the last 8 digits.
 
C. Contact options
On our website we offer you various possibilities to get in touch with us and to send us news. Contact can be made by telephone or e-mail. If you contact us, we will store and process the data you provide (your e-mail address, your name and telephone number if applicable) and your enquiry in order to answer your questions.
The legal basis in this respect is Article 6(1)(b) and (f) GDPR. Our legitimate interests lie in the efficient and structured recording and processing of customer enquiries and in quality assurance. The resulting data will be deleted after the storage for the aforementioned purposes is no longer required, e.g. after complete processing of a customer inquiry, or we restrict the processing if there are legal storage obligations.
 
D. Rights of data subjects
We will be happy to inform you about your rights under the GDPR as a “data subject”. Afterwards you are entitled to the following rights with regard to the personal data concerning you:

  • Right of access (Art. 15 para. 1, 2 GDPR)
  • Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR)
  • Right to limitation of processing (Art. 18 GDPR)
  • Right to data transferability (Art. 20 GDPR)
  • Right to object to the processing (Art. 21 GDPR)
  • Right of withdrawal (Art. 7 para. 3 GDPR)
  • Right of appeal to a supervisory authority (Art. 77 GDPR)

In addition, we summarise the key points of the rights of data subjects under the GDPR as follows, with this presentation not claiming to be exhaustive, but it merely addresses the main features of the rights of data subjects under the GDPR:
 
Right of access (including the right to confirmation and the right to provide data)

The data subject shall have the right to obtain from the controller confirmation as to whether personal data relating to him or her are being processed. The data subject has the right of access to personal data concerning him or her and to the following information:

  • the processing purposes;
  • the categories of personal data to be processed;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
  • if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
  • the existence of a right to the rectification or erasure of personal data concerning him or her or to the limitation of the processing by the controller or of a right to object to such processing;
  • the existence of a right of appeal to a supervisory authority;
  • if the personal data are not collected from the data subject, any available information on the origin of the data;
  • the existence of automated decision-making including profiling in accordance with Article 22(1) and (4) of the DS Block Exemption Regulation and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing on the data subject;
  • if personal data are transferred to a third country or to an international organisation, to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

 

Right to rectification
The data subject shall have the right to obtain from the controller without delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

 

Right to limitation of processing
The data subject shall have the right to request the controller to restrict the processing if one of the following conditions is met:

  • the accuracy of the personal data is contested by the data subject for a period of time which enables the data controller to verify the accuracy of the personal data,
  • the processing is unlawful and the data subject refuses to erase the personal data and instead requests the restriction of the use of the personal data;
  • the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the assertion, exercise or defence of legal claims, or
  • the data subject has lodged an objection to the processing pursuant to Art. 21 (1) DS Block Exemption Regulation as long as it has not yet been established whether the legitimate reasons of the controller outweigh those of the data subject.

 

Right to erasure
The data subject has the right, basically and subject to the need for data processing as determined by law (cf. the exception in Art. 17 para. 3 GDPR), to require the controller to erase personal data relating to the data subject without delay if one of the following reasons applies:

  • Personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • The data subject withdraws his/her consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
  • The data subject objects to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing or the data subject objects to the processing pursuant to Art. 21 para. 2 GDPR.
  • Personal data have been processed unlawfully.
  • The erasure of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
  • The personal data were collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

 
Rights to data portability
The data subject shall have the right to obtain the personal data relating to him which he has provided to a controller in a structured, common and machine-readable format and shall have the right to communicate such data to another controller without being hindered by the controller to whom the personal data have been provided, provided that the processing is based on consent or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and the processing is carried out by automated means. In exercising his right to data transfer, the data subject shall have the right to obtain that the personal data be transferred to the extent necessary to enable it to be processed.
Data can be transmitted directly from one controller to another controller, as far as this is technically feasible.

Right of revocation
The data subject shall have the right to withdraw any consent given at any time. The revocation of the consent shall not affect the lawfulness of the processing carried out on the basis of the consent up to the revocation.

 

Right to lodge a complaint with a supervisory authority

Any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he/she is staying, at his/her place of work or at the place of the suspected infringement, if the data subject considers that the processing of his/her personal data is contrary to this Regulation. The data protection supervisory authority responsible for OBI GmbH & Co. Deutschland KG and OBI E-Commerce GmbH is: LDI – Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Kavalleriestr. 2-4, 40213 Düsseldorf, Germany.

Separate reference to rights of objection pursuant to Art. 21 para. 1, 2 GDPR
They have the right to object at any time to the processing of their personal data on the basis of Art. 6 para. 1 lit. e or f GDPR for reasons arising from their particular situation; this also applies to profiling based on these provisions. If you file an objection, your personal data will no longer be processed unless OBI can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedoms of the data subject, or the processing serves the assertion, exercise or defence of legal claims. If personal data is processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling, insofar as it is connected with such direct advertising. If and insofar as you make use of your right of objection to the processing of personal data for the purposes of direct marketing, we will regularly implement compliance with your objection by so-called “blacklisting”.

E. Contact

  • You can contact our data protection officer or us at any time for the exercise of data subject rights and for general questions on data protection:
  • For the entire online offering at obisourcing.de: OBI Group Sourcing GmbH Albert-Einstein-Str. 7-9, 42929 Wermelskirchen, Germany, telephone: +49 (0) 2196 76 4000, e-mail: info@obisourcing.de
  • Contact data protection officer: OBI – Datenschutz,
    Albert-Einstein-Str. 7-9, 42929 Wermelskirchen, Germany
    Telephone: 02196-761515, Fax: 02196-762088, e-Mail: datenschutzbeauftragter@obi.de

 

Further information and contact details as well as additional legal information can be found at www.obisourcing.de in the legal notice.