Datenschutz der UTH GmbH

Mandatory information according to article 12 seq. GDPR

for processing Data for online meetings via GoTo-Meeting (LogMeIn)

Contact details of the controller

Company: UTH GmbH
Managing director: Peter J. Uth
Address: Eisenhowerstraße 7-9, 36041 Fulda
Phone:  +49 (0) 661 9741-0
Fax:  +49 (0) 661 9741-30
Email:

Contact details of the external data protection officer

Company: BerIsDa GmbH
Address: Justus-Liebig-Str. 4, 36093 Künzell
Phone: +49 (0)661 29 69 80 90
Email:  

What personal data do we collect and where do we obtain it from?

We process the following data in the course of our online meetings with GoToMeeting:

  • Communication data (your email address, if you provide it on a personal basis)
  • Master data (if you provide this voluntarily)
  • Contents of the online meeting (if you make a personal appearance with spoken and/or written contributions)
  • Authentication data
  • Device identification data and traffic data (MAC address, web protocols, etc.)
  • Profile data (your username if you provide it voluntarily)

 We generally receive your personal data directly from you or your company for the purpose of contacting you and fulfilling or preparing a contract. Additional (technical) data is automatically collected by the platform when you participate in an online meeting with GoToMeeting. If you register with an existing GoToMeeting account (or LogMeIn account), you can also provide additional data.

Purpose and legal basis for processing

The personal data you provide will be processed in accordance with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act-new (BDSG-neu):

 The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract. 

  • Die The purposes of the processing result from the protection of our legitimate interests (article 6(1)(f) GDPR). It may be necessary to process the data you have provided beyond the actual performance of the contract. Our legitimate interest may be used to justify the further processing of the data you have provided, provided that your interests or fundamental rights and freedoms are not overridden. Our legitimate interest in individual cases may be: Assertion of legal claims, defence against liability claims, prevention of criminal offences, ensuring the security and integrity of our systems.
  • Based on consent (pursuant to article 6 para. 1 lit. a GDPR): The purposes of the processing of personal data result from the granting of consent. A given consent can be revoked by you at any time with effect for the future. Consents given before the DS-GVO came into force can also be revoked. Processing that took place before the revocation remains unaffected by the revocation.

Who receives the personal data provided by you?

Within our company, those areas that are involved in the decision to hire you are given access to the personal data you have provided.

As part of our service provision, we commission contract processors who contribute to the fulfilment of contractual obligations, e.g. computer centre service providers, EDP partners, document shredders, etc., to carry out the work. These contract processors are contractually obliged by us to maintain professional secrecy and to comply with the requirements of the GDPR and the BDSG.

Data processing for online meetings via GoToMeeting is outsourced and takes place on the systems of LogMeIn Ireland Unlimited Company, The Reflector 10 Hanover Quay, Dublin 2, D02R573 Ireland (hereinafter “LogMeIn”). In connection with the Terms of Use as well as in the Data Processing Agreement (DPA), data protection regulations are made with LogMeIn in order to ensure the security of the data. These policies and the Data Processing Addendum (DPA) use, among other things, the EU Standard Contractual Clauses and other provisions of the GDPR (https://www.logmein.com/de/trust/privacy ).

If you sign up with an existing GoToMeeting account (or LogMeIn account), the agreements between you and LogMeIn apply.

Will the data you provide be transferred to third countries or international organisations?

A transfer of the data you have provided to us to a third country or international organisation cannot be ruled out, as LogMeIn is an international company with its headquarters in the USA (LogMeIn USA, Inc.333 Summer Street, Boston, MA 02210 U.S.A.) and accordingly access to the data from the USA or other third countries for maintenance or support services may take place. Furthermore, it is possible for U.S. government agencies to legally access personal data on LogMeIn’s systems without our or your knowledge.

Does automated decision making, including profiling, take place?

No fully automated decision making (including profiling) in accordance with article 22 GDPR is used to process the data you provide.

Duration of processing (deletion criteria)

If no explicit storage period is specified at the time of collection (e.g. as part of a declaration of consent), your personal data will be deleted if it is no longer required to fulfil the purpose for which it was stored, unless its further processing for a limited period is necessary for the following purposes in particular:

Fulfilment of retention periods under commercial and tax law, e.g. under the German Commercial Code or the German Fiscal Code. The periods specified there are 2 to 10 years.

Preservation of evidence within the framework of the statute of limitations (e.g. §§ 195ff. BGB).

Your data protection rights

You may request confirmation from the controller as to whether personal data concerning you is being processed by us.

If there is such processing, you can request information from the controller about the following:

  1. the purposes for which the personal data are processed
  2. the categories of personal data which are processed
  3. the recipients to whom the personal data concerning you has been or will be disclosed
  4. the planned duration of the storage of the personal data concerning you
  5. the existence of your rights
  6. all available information about the origin of the data
  7. the existence of automated decision-making including profiling pursuant to article 22(1) and (4)

You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to article 46 GDPR in connection with the transfer.

You can challenge the accuracy of personal data held about you by a controller and ask for it to be corrected or deleted. This is known as the ‘right to rectification’. If your data is incomplete, you can ask for the controller to complete it by adding more details.

You can ask a controller that holds data about you to delete that data and, in some circumstances, it must then do so. This is known as the right to erasure. You may sometimes hear it called the ‘right to be forgotten’.

The right to erasure is not absolute. The right only applies in the following circumstances:

  1. The organisation no longer needs your data.
  2. You initially consented to the use of your data, but have now withdrawn your consent
  3. You have objected to the use of your data, and your interests outweigh those of the organisation using it
  4. The organisation has collected or used your data unlawfully
  5. The organisation has a legal obligation to erase your data.
  6. The data was collected from you as a child for an online service.

You can limit the way an organisation uses your personal data if you are concerned about the accuracy of the data or how it is being used. If necessary, you can also stop an organisation deleting your data. Together, these opportunities are known as your ‘right to restriction’.

a) You can ask organisations to temporarily limit the use of your data when they are considering:

  • challenge you have made to the accuracy of your data, or
  • an objection you have made to the use of your data.

b) You may also ask an organisation to limit the use of your data rather than delete it if:

  • the organisation processed your data unlawfully, but you do not want it deleted, or

the organisation no longer needs your data, but you want the organisation to keep it to create, exercise or defend legal claims.

If you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be notified about these recipients by the data controller.

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

You have the right to get your personal data from an organisation in a way that is accessible and machine-readable. You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”.

You have the right to object to the processing (use) of your personal data in some circumstances. If an organisation agrees to your objection, it must stop using your data for that purpose unless it can give strong and legitimate reasons to continue using your data despite your objections.

You have an absolute right to object to an organisation using your data for direct marketing – in other words, trying to sell things to you. This means it must stop using the data if you object.

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

You have the right to lodge a complaint with the supervisory authority, if you conclude that the processing of your data violates the GDRP. To do so, please contact the competent supervisory authority:

The supervisory authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit’

If the processing is based on your consent pursuant to art. 6 para. 1 lit. a or art. 9 para. 2 (processing of special categories of personal data), you are entitled at any time to withdraw the purposefully bound consent without affecting the legality of the processing carried out based on the consent until revocation.