We (Tengelmann Twenty-One KG) take data protection and especially the protection of your personal data very seriously. Therefore, we are happy to inform you in the following sections in accordance with Art. 13 of the EU General Data Protection Regulation (GDPR), or Art. 14 GDPR, if there is no direct collection.

In the following, we would like to explain to you which data we process, for what purpose and what rights you have in this regard.

The controller within the meaning of Art. 4 No. 7 GDPR is the

Tengelmann Twenty-One KG
Mies-van-der-Rohe-Straße 6 80807 Munich
E-Mail: info@tengelmann21.com

The management and further information about the company can be found in our imprint.

If you have any questions or suggestions about data protection, please feel free to contact our data protection officer:

Tengelmann Audit GmbH
Data protection supervisor
An der Pönt 45
40885 Ratingen
E-Mail: datenschutz@t-audit.de

Our website contains links to websites of other providers. Tengelmann Twenty-One KG is not responsible for compliance with the statutory data protection regulations on the websites of other providers. You should therefore always check the privacy policy of the other providers.

We process personal data on the basis of legal requirements. In principle, processing can be carried out on the basis of the following legal bases, among others:

• Art. 6 (1) (a) GDPR (consent of the data subject) or Art. 9 (2) (a) GDPR (if consent to the processing of special categories of data pursuant to Art. 9 (1) GDPR has been obtained)
• Art. 6 (1) (b) GDPR (performance of a contractual relationship with the data subject, pre-contractual measures at the request of the data subject)
• Art. 6 (1) (c) GDPR (fulfilment of a legal obligation)
• Art. 6 (1) (f) GDPR (safeguarding a legitimate interest of the controller or a third party, unless the interests, fundamental rights and freedoms of the data subject which require the protection of personal data prevail)
• Art. 49 (1) (a) GDPR (explicit consent to the transfer of personal data to third countries).

If consent serves as the legal basis for the processing, you can withdraw your consent at any time without giving reasons. In principle, the revocation only applies to the future. This means that the revocation of the declaration of consent does not render the previous processing unlawful until the receipt of the withdrawal of consent.

Information about the relevant (or additional) legal bases in each individual case is provided in the following paragraphs of this data protection declaration.

Unless otherwise stated by us, all the following data will not be passed on to third parties, unless it is a matter of technical necessity, so that the service providers commissioned by us with the technical processing process the data on our behalf.

When you visit our website, personal data is also processed. This section provides you with an overview of which data is processed, for what purpose and on the basis of which legal basis in this context.

When our website is accessed, information such as the IP address on your end device can be accessed, but information can also be stored on your end device (e.g. in the form of cookies). If this is necessary for the technically error-free and secure provision of the website and the associated services, this is generally done on the basis of § 25 para. 2 TTDSG. Otherwise, this will be done on the basis of your consent in accordance with § 25 para. 1 TTDSG.

If access to or storage of information involves the processing of personal data, the processing is usually carried out on the appropriate legal basis in accordance with Art. 6 (1) GDPR. Further details can be found in the following passages:
When you access our website, your internet browser automatically transmits data to our web server for technical reasons. This includes, among other things, the date and time of access, URL of the referring website, file accessed, amount of data sent, browser type and version, operating system and your IP address.

The purpose of processing this data is to deliver the website to the user’s computer/browser and to ensure the functionality of the page and to optimize it for the respective user, which can also be done with the help of so-called session cookies. Without the processing, the provision of the homepage would not be technically possible. These purposes also constitute the legitimate interest in data processing pursuant to Art. 6 (1) lit. f GDPR on the part of Tengelmann Twenty-One KG. The standard also represents the legal basis for the processing.
The data will be deleted and therefore no longer stored on our servers as soon as it is no longer necessary to achieve the purpose for which it was collected, which is usually the case at the end of your session. It is not possible for us to assign this data to a specific person.

No further cookies will be set.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect transmission. You can recognize an encrypted connection by the fact that the address bar of the browser changes from [http://]http:// to [https://]https:// and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot usually be read by third parties.

We have provided information on how to contact us via various means (e.g. on this homepage, on business cards or in e-mail signatures). In the most common cases, the indication of the contact options serves to enable (potential) business partners to better address their concerns to us. If you would like to apply for an advertised position, we will provide you with a separate privacy policy in the course of the application process.

If the purpose of contacting you directly is to initiate a contract prior to a contract or to perform a contract, the legal basis for the processing is Art. 6 (1) (b) GDPR. In addition, Art. 6 (1) (f) GDPR can be used as a legal basis with regard to data that is also transmitted: The personal data you enter will only be used to contact you or to process you. To deal with your request adequately. Therefore, we also have the necessary legitimate interest in the processing.

If you are not a contractual partner yourself, but e.g. an employee of a (potential/current/former) business partner, personal data will be processed – if necessary – for the initiation, fulfilment or termination of a business relationship on the basis of the legitimate interest in accordance with Art. 6 (1) (f) GDPR. Efficient communication for the economic fulfilment of our business purpose as well as for the mutual fulfilment of (pre-)contractual obligations arising from (potential) business relationships represents both our legitimate interest and – at least in part – the legitimate interest of our business partners.

If the contact is based on your consent, the legal basis for the processing is Art. 6 (1) (a) GDPR. You have the right to withdraw your consent at any time without giving reasons.

Access to the personal data obtained in the course of communication is only granted to those persons who need it to fulfil the lawful purposes of the processing. External third parties will only receive personal data that we have received in the course of communication with you if this is either technically necessary (e.g. telecommunications providers or IT service providers) or for the adequate processing of the process (e.g. postal or parcel service providers). We select and use external service providers in accordance with internal data protection standards and the corresponding legal requirements (e.g. the conclusion of corresponding contracts in accordance with Art. 28 GDPR for processors, if necessary).

As a matter of principle, we do not regularly transfer personal data to a third country (countries outside the European Union or the European Economic Area) or an international organisation. However, depending on the respective location of the subscribers at the time of communication and the selected telecommunications service, a data transfer to a third country (e.g. the USA) cannot be ruled out.

After the purpose has ceased to exist, your data will be deleted, unless there are legitimate reasons to the contrary, e.g. statutory retention periods (Art. 6 para. 1 lit. c GDPR) or a legitimate interest according to Art. 6 para. 1 lit. f GDPR (e.g. processing of any queries or examination, assertion, exercise or defence of legal claims).

Communication via Microsoft Teams
We use the Microsoft Teams tool to conduct video conferences or, in some cases, telephone calls and, if necessary, to exchange documents and other content. The following categories of personal data may be processed when using Microsoft Teams, among others:

• Information about the user (e.g. name/display name, e-mail address)
• Communication metadata (e.g., date, time, meeting ID, IP address, phone number)
• Content data from text, audio and video data and other transmitted files.

For the processing of personal data in the context of electronic communications, Microsoft Corporation with Microsoft Teams as an OTT service (over-the-top service or interpersonal telecommunications service) is subject to data protection and protection of privacy in telecommunications (“telecommunications secrecy”) in accordance with Part 2 of the TTDSG and is accordingly responsible for it.

We are responsible for any further processing resulting from communication via Microsoft Teams (e.g. via the invitation function, video recordings or document exchange). Accordingly, Microsoft acts as a processor for us in this regard. Therefore, we would like to draw your attention to the following functions and possibilities:

You can decide whether you want your camera and/or microphone to be on or off at any time during a Teams session. Furthermore, it is up to you whether or not to share content, although you can cancel the sharing at any time.

If you use the chat function, your personal data contained in the chat texts will be processed and the other participants will also be aware of this content. It is technically possible for participants to make a recording via Teams of this meeting during an online meeting. In such a case, you will be notified immediately of the recording and can object to the recording with the meeting participants. After the online meeting, the recording will be saved in Microsoft Teams. The recording can then be shared with other participants.

Processing of personal data in the context of the use of Teams in third countries (countries outside the European Union and the European Economic Area) is generally not intended, as we have obliged Microsoft Corporation to limit the storage location to data centers in the European Union. However, we cannot rule out the possibility that data is routed via Internet servers located outside the EU. This may be the case in particular if participants in a meeting are in a third country.

Microsoft Corporation uses EU standard contractual clauses to ensure an adequate level of data protection when processing/transferring personal data to third countries (e.g. USA). Microsoft’s parent company, Microsoft Corporation, is based in the United States. For the USA, there is an adequacy decision of the European Commission on the EU-U.S. Data Privacy Framework, provided that the respective companies are certified accordingly. The US Microsoft parent company has been certified accordingly. We have no influence on the scope of the data processed by Microsoft on its own responsibility, the type of processing and use or the disclosure of this data to third parties. We also have no effective control options in this respect.

If you do not want to use Microsoft Teams, please let us know by e-mail so that we can agree on other communication channels together.

For more information about Microsoft’s privacy policy, please visit the homepage of Microsoft Corporation (external link): https://privacy.microsoft.com/de-de/privacystatement