Responsible
The controller responsible for processing personal data is:
THI Investments GmbH & Co. KG
Eberhardstraße 65
70173 Stuttgart
Germany
T: +49(0)711 49050 580
E: info@thi-investments.com
This privacy policy also applies to the following group companies (collectively referred to as THI) in joint responsibility. There is a group agreement on data protection between the group companies that regulates compliance with legal obligations.
THI Holdings GmbH
Eberhardstraße 65
Germany
70173 Stuttgart
T: +49(0)711 49050 580
E: info@thi-investments.com
THI Investments U.K. Ltd.
17 Grosvenor Street
London W1K 4QG
United Kingdom
T: +44(0)20 7661 3200
E: info@thi-investments.com
Data Protection Officer
The THI companies have appointed a joint Data Protection Officer:
systemzwo GmbH
Magirus-Deutz-Straße 17
89077 Ulm
Germany
T: +49 (0) 731 141160 22
E: DG.SZG.DSB-THI@datagroup.de
A contact person has also been appointed for the British data protection authority (ICO). This person is based at THI Investments U.K. Ltd.
Data subjects
The privacy policy is aimed at the following categories of natural persons:
- Visitors to our websites
- Contact persons for business customers, interested parties or other communication partners
- Employees
- Visitors to our offices
- Job applicants
Our business activities are not directed at consumers. We therefore do not conclude any contracts with consumers for services provided by our company or for our company.
Minors
Our offers are also not directed at minors. We do not collect any personal data from minors. If persons under the age of 16 transmit personal data to us, this is only permitted if the legal guardian has given their consent or has agreed to the consent of the minor. For this purpose, the contact details of the legal guardian must be provided to us in accordance with Art. 8 (2) GDPR in order to convince us of the consent or agreement of the legal guardian. This data and the data of the minor will then be processed in accordance with this privacy policy. If we discover that a minor under the age of 16 has sent us personal data without the legal guardian having given their consent or having agreed to the minor’s consent, we will delete the data immediately.
Data protection rights
Every data subject has the right to obtain information free of charge about their stored personal data, its origin and recipients, and the purpose of processing, the right to rectification, the right to erasure, and the right to restrict processing. Legal restrictions may apply to the right to information and erasure in individual cases.
The data subject also has the right to data portability. This means that you have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract transferred to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically possible.
Any consent given to THI for the processing of personal data can be revoked informally at any time.
You also have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of our legitimate interest and a balancing of interests. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. If your objection is directed against the processing of your data for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made informally and should be addressed to the responsible body or the data protection officer.
To exercise your rights, you can send us an informal message to datenschutz@thi-investments.com, contact us in another way or contact our data protection officer.
Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with a supervisory authority if you believe that THI’s processing of your data violates data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement.
The supervisory authority responsible for THI in Germany is:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Königstraße 10
70173 Stuttgart
Germany
T: +49(0) 711 6155 41 0
E: poststelle@lfd.bwl.de
The British data protection authority can be contacted as follows:
Information Commissioner’s Office (ICO)
Wycliff House, Water Lane
Cheshire, SK9 5AF
Great Britain
T: +44(0)303 123 1113
E: dpo@ico.org.uk
Website and services offered through it
Below you will find an overview of the processing of personal data associated with the use of our website www.thi-investments.com and the services offered on it.
Server log files
The provider of our websites automatically collects and stores information in so-called server log files, which your browser automatically transmits. This includes the following data:
- Referrer (previously visited website)
- Requested website or file
- Browser type and browser version
- Operating system used
- Device type used
- Time of access
- Anonymised IP address (used only to determine the location of access)
This data cannot be readily attributed to specific individuals. This data is not merged with other data sources.
The legal basis for the processing of this data is Art. 6 (1) (f) GDPR. The legitimate interest lies in the function and security of the websites against unauthorised access.
The recipient of the data is the provider IONOS SE, Eigendorfer Straße 57, 56410 Montabaur, which hosts the website. The privacy policy of IONOS SE can be found at https://www.ionos.de/datenschutzerklaerung. We have concluded a data processing agreement with IONOS for data protection.
Data is also collected for statistical purposes and technical optimisation via the WebAnalytics service from IONOS. However, only anonymised data is used for this purpose. The data is determined either by a pixel or a log file. WebAnalytics does not use cookies to protect personal data.
The data is stored for a period of 8 weeks. This does not apply if legal violations are detected. In this case, the data required for legal prosecution may be shared with authorities and courts. Processing takes place until the legal prosecution measures have been legally concluded, and deletion takes place one month thereafter.
Use of cookies
Cookies are used on our website. A cookie is a small data file that is stored on your device. We only use technically necessary cookies that are required for the operation of the cookie consent tool provided by CookieYes.
Please refer to the cookie consent tool on our website for details of the specific technically necessary cookies used. The legal basis for the processing of personal data in connection with cookies is our legitimate interest in providing functional and secure websites and in complying with legal obligations in connection with cookies.
For additional information on data processing, in particular the purpose and storage period, please also refer to the information in the cookie settings.
We have concluded an data processing agreement with the provider of the cookie consent tool, CookieYes Limited, 3 Warren Yard, Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom. For details on data processing by CookieYes, please refer to the privacy policy at https://www.cookieyes.com/privacy-policy/.
Contact form, getting in touch
If you use the contact options offered on our websites via contact form, email, telephone or post, we will process your personal data in order to fulfil your request.
All personal data that you send us will be deleted no later than 90 days after the final reply has been sent to you. The 90-day retention period is due to the fact that, in isolated cases, you may contact us again about the same matter after receiving a reply, and we need to be able to establish the connection to the previous correspondence.
Microsoft Teams
We use Microsoft Teams for corporate communications. Microsoft Teams is a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. We use the Microsoft Teams tool to hold online meetings, voice or video conferences and webinars, and to exchange documents with participants where necessary.
If you participate in an online meeting via Teams as an external participant, you will receive an access link from the meeting host by email. When you register for the online meeting, your IP address will be transmitted and you will also be required to provide your name, although you have the option of using an alias.
Microsoft Teams can also be used to process special categories of personal data in accordance with Art. 9 GDPR, such as biometric data if you use the camera function or data within documents that you make available. However, you are free to prevent the processing of special categories of personal data at any time by leaving the Teams camera function switched off and not sharing such data yourself.
In individual cases, Teams sessions may also be recorded by us. In this case, however, we will notify you before the recording begins so that you have the opportunity to object to the recording or adjust your usage behaviour accordingly.
The legal basis for the processing of personal data is your consent. If special categories of personal data are processed, the legal basis is also consent. Our legitimate interest is the legal basis for data processing relating to contact persons at external organisations. Our interest lies in improving organisation and communication with our contact persons and reducing the number of tools used to date. If our contact person is a direct contractual partner and a natural person, the legal basis is the fulfilment of the contract.
You can revoke your consent at any time with effect for the future without any formal requirements. In the event of revocation, the documents will also be deleted from Microsoft Teams.
Access to the data is granted to the controller’s employees who need the data for the above-mentioned purposes. Personal data processed in connection with the storage of documents in Microsoft Teams is generally not passed on to third parties unless it is specifically intended for disclosure. Please note that, as with face-to-face meetings, the content of the stored documents is often used to communicate information to customers, interested parties or third parties and is therefore intended for disclosure.
Insofar as Microsoft processes data not only on servers within the scope of the GDPR, but also on servers in the USA, processing is permitted on the basis of the EU-US Data Policy Framework, for which Microsoft has certified itself. Microsoft now stores non-productive data on servers in the EU. Microsoft has also announced plans to relocate its servers for productive data to the EU. For more information about how Microsoft processes your data when you use Teams software, please visit: https://privacy.microsoft.com/de-de/privacystatement and https://news.microsoft.com/de-de/datenschutz-und-sicherheit-in-microsoft-teams-nutzer and in the Data Protection Agreement (DPA), which you can view at https://www.microsoft.com/licensing/docs/view/microsoft-products-and-services-data-protection-addendum-dpa?lang=14. We have concluded the data protection agreement with Microsoft.
Business contacts
THI processes the names and contact details of contact persons at customers, interested parties, suppliers and other business partners for communication by e-mail, digital communication services, telephone, fax and post. The legal basis for data processing is generally our legitimate interest. THI’s legitimate interest arises from its interest in conducting or initiating business relationships with customers, prospects, suppliers and other business partners and maintaining personal contact with contact persons in this context. Where there is a legitimate interest or a legal obligation, THI will also check business partners against so-called sanctions lists. In this case, the legal basis is the existing legal obligation.
Personal data will be stored for the purpose of initiating or conducting business relationships for as long as there is a legitimate interest in doing so. Otherwise, our general deletion policy applies.
Visitors to our offices
When you visit the THI offices, we process personal data. This usually includes your name, contact details, contact person at THI and the times of your visit.
The legal basis for the processing of personal data is our legitimate interest, unless you have given your express consent. This lies in the protection of personal data, trade and business secrets, and IT security, which the controller must ensure through, among other things, this measure of access and entry control (logging).
Only employees of the controller who need this data to perform their tasks have access to visitor data. No data is transferred to third parties or third countries. The data is stored for 30 days and then deleted, unless individual data is required for legal proceedings by the controller or there is a legal basis for initiating or fulfilling a contract.
Guest Wi-Fi
As a visitor, you can use the guest Wi-Fi offered by THI. To do so, you will need access data from us. You will only receive this if you give us your consent to process the necessary personal data. In this case, the purpose is to protect our security interests and obligations.
The server log files (see above) are processed, in particular your complete IP address. The data is deleted after 72 hours, unless we detect a legal violation and the data is required for legal prosecution.
Applications
If you apply to THI for a job or internship, we collect personal data for the application process from various sources in order to determine your suitability for an open position. We first process personal data that you provide to us as part of the application process or as a speculative application. Where necessary, we also process personal data that we have received from third parties (e.g. an employment agency) in a manner that is permissible under data protection law. This also applies to publicly accessible sources (e.g. social or professional networks), insofar as this is necessary for to determine your suitability for filling a vacant position. This processing may concern the following data or data categories, among others:
- Personal details and contact information, such as name, email address, telephone number, home address, date of birth, national identification number, gender, marital status and nationality
- Education, performance and employment data, such as information on school and university degrees, professional experience and skills, and performance reviews
- Other application documents that you provide to us, such as cover letters, references, CVs, passport photos or other information, e.g. hobbies or voluntary work
If you provide information in your application documents that contains special categories of personal data (e.g. information on your marital status, information that may allow conclusions to be drawn about your sexual orientation, information about your health, attachment of a photo that allows conclusions to be drawn about your ethnic origin and, if applicable, your eyesight and/or religion), we will also only process this data within the legally permissible framework.
The processing of personal data in the context of application procedures is carried out for the purpose of selection and decision-making regarding the establishment of an employment relationship. If you provide us with special categories of personal data, we will only process this data with your consent. In individual cases, we process your data in order to protect our legitimate interests. A legitimate interest exists, for example, if your data is necessary to defend legal claims within the scope of the application process (e.g. claims under the General Equal Treatment Act).
Within our company, only those departments entrusted with the preparation and implementation of the application process will receive your data. This includes employees of the human resources department and the management of the department in which a vacancy is to be filled. Your data will not be transferred to third parties, especially outside our company. Likewise, your data will not be transferred to or processed in third countries or international organisations. We do not use automated processing for decision-making as part of the application process.
We will process your personal data in accordance with the legal requirements. Where necessary, we will store your data for the duration of the application process. If we establish an employment relationship with you following the application process, we will transfer your data to your personnel file and store it for as long as required by law.
If no employment relationship is established between you and us, the application process will end with the receipt of a rejection letter. In this case, we will delete your data no later than 6 months after receipt of the rejection letter. This does not apply if the processing and storage of your personal data is necessary in a specific case to defend legal claims within the framework of the application process for the duration of a legal dispute, or if you have expressly consented to longer storage for the purpose of future job vacancies, whereby this consent is only granted by you for a limited period of time, up to a maximum of one year.
Fulfilment of our duty of care
When first aid kits are used, the personal data of the employee or visitor who has been injured is processed. We request this data directly from the injured person. The following personal data is collected from you: name of the injured person, name of the first aider, address, nationality, result of a data comparison including time details.
The provision of a first aid log by the responsible person is necessary and required by the employers’ liability insurance association. The legal basis for the processing of this personal data is the fulfilment of a legal obligation.
The purpose of data processing is to fulfil the obligation to provide evidence to the employers’ liability insurance association. Only human resources management employees have access to your data if it concerns their own employees, as well as employees who are responsible for occupational safety. In the event of inspections by the employers’ liability insurance association or authorities, they also have access to the data.
No data is transferred to third countries. Your data will only be stored for as long as it is necessary to provide evidence to the employers’ liability insurance association. The association register must be kept available for a period of 5 years.
Transfer of personal data to third parties or third countries
We generally exclude the transfer of personal data to third parties. In exceptional cases, data is processed on our behalf by contract processors. These are carefully selected, audited by us and contractually bound.
Your personal data is usually processed on servers within the scope of the GDPR (EU/EEA). As a matter of principle, no data is transferred to third countries unless this is expressly stated in our privacy policy.
Automated decision-making
THI does not use personal data for profiling or other automated decision-making.
Deletion of data
Personal data is deleted in accordance with our general deletion policy no later than 30 days after the expiry of the shortest statutory or other period listed below. If this privacy policy specifies a shorter deletion period, this deletion period takes precedence over the general deletion policy. If no longer retention period is applicable, the data will be deleted after the shortest period has expired; if, in particular, a longer period specified by law is applicable, the data will be deleted after this period has expired. Special deletion rules, even after this privacy policy, take precedence over the general rules.
- The data will be deleted if you request us to do so or revoke your consent.
- The data will be deleted once the purpose of processing no longer applies.
- Deletion takes place after the end of the contractual relationship.
- If a person has expressly consented to longer data storage, deletion will take place after 12 months.
- Furthermore, data will be deleted no later than 1 month after the failure of a contract initiation.
- Furthermore, deletion will take place 12 months after the last contract was concluded.
- Data will be deleted after the expiry of a warranty or limitation period.
- Data will be deleted after the expiry of a statutory liability period.
- If a legal dispute between you and us is pending, the data will be deleted after its legally binding conclusion.
- After expiry of the commercial law period for business letters, deletion will take place after 6 years.
- If it is necessary to retain the data for commercial, tax or social security purposes, the deletion period is up to 10 years.
