- Definitions set out in art. 4 GDPR
- Name and contact details of the responsible authority (art. 13 paragraph 1 lit. a GDPR)
- Which data do we use?
- Legal basis and purpose of data processing
- How long will my data be retained?
- Who gets my data?
- Encryption of personal data (SSL- or TLS-encryption)
- Special data protection advice on the use of data collection, analysis tools and advertising in our online offers
- Privacy protection for applications and in the application progress
- Rights of the data subject (art. 12 ff. GDPR)
- Exercise of the rights of the data subject
Thank you for your interest in the company websites and other online offers of Rolling Turtles GmbH, Haasstr. 4, 64293 Darmstadt, Germany; hereafter referred to as “RT”.
We take the issues of data protection and confidentiality very seriously and follow applicable European and national data protection rules; in particular, these are the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the Telemedia Act (TMG) and the Hessian Data Protection and Freedom of Information Act (HDSIG).
For this reason, with the following information we would like to give you an overview of the processing of your personal data by us and of your rights under data protection law, in particular set out in articles 13, 14 and 21 GDPR.
Which data will be processed in detail and in which way it will be used depends on the requested or agreed services. Therefore, not all parts of this information will apply to you.
2. Definitions set out in art. 4 GDPR
a) Personal data
“Personal data” means any information referring to an identified or identifiable natural person (hereinafter the “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
“Processing” is any operation or set of operations performed upon personal data with or without the aid of automated procedures, such as specification, collection, organization, ordering, storage, adaptation or modification, reading, querying, use, disclosure through submission, dissemination or any other form of provision, reconciliation or association, restriction, erasure or destruction.
c) Restriction of processing
“Restriction of processing” is the marking of personal data retained with the aim of limiting its future processing.
“Profiling” is any kind of automated processing of personal data that consists in using this personal information to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects related to job performance, economic situation, health, personal preferences, interests, reliability, behavior, whereabouts, or relocation of that natural person.
“Pseudonymization” means the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the help of additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person.
f) The person concerned
“The person concerned” means any identified or identifiable natural person whose personal data is processed by the controller.
g) File system
“File system” means any structured collection of personal data accessible by specific criteria, whether that collection is centralized, decentralized or organized according to functional or geographical considerations.
“Controller” is a natural or legal person, public authority, agency or other entity, who decides alone or jointly with others on the purposes and means of processing personal data. If the purposes and means of such processing are determined by Union law or the law of the Member States, the controller or the specific criteria for his designation may be provided for under Union or national law.
“Processor” means a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.
“Receiver” is a natural or legal person, public authority, agency or other entity to which personal data is disclosed, whether or not it is a third party. However, authorities which may receive personal data under Union or national law in connection with a particular mission are not considered to be receivers.
k) Third party
“Third party” means a natural or legal person, public authority, agency or entity other than the data subject, the controller, the processor and the persons empowered under the direct responsibility of the controller or the processor to process the personal data.
“Consent” means any expression of will voluntarily and unambiguously delivered by the data subject in the form of a statement or other unambiguous confirmatory act by which the data subject indicates that they agree with the processing of the personal data concerning them.
3. Name and contact details of the responsible authority (art. 13 paragraph 1 lit. a GDPR)
The responsible position for the data processing is:
Rolling Turtles GmbH
Tel: +49 1734903333
VAT identification number: DE325737455
Registry Court: Local court Darmstadt
Registry Number: HRB 99127
Representative managing directors: Dipl.-Ing. Benjamin Wawra; Dipl.-Ing. Konstantinos Kotalakidis
4. Which data do we use?
We only process personal data that we have received from you as part of our contractual or other business relationship.
In addition, we process personal information that we have legitimately gained from publicly available sources (such as debtor directories, land registers, trade and association registers, press, media) and have permission to process.
Finally, we also work with personal information that we have legitimately received from other third parties (such as Schufa); for example, on the basis of your consent. These are used to execute orders or to fulfill contracts.
Below is an example of some data that we process in cooperation with our customers, suppliers and employees:
- Personal and standard data (name, address, date and place of birth, nationality, pension insurance number, bank details, telephone, fax, e-mail);
- Credentials and authentication data (ID data, signature sample);
- Business data (documentation and advice logs, payment order, payment transactions).
5. Legal basis and purpose of data processing
We process personal data only for the fulfillment of contractual obligations, due to legal requirements, for our own advertising purposes and for the protection of legitimate interests. The lawfulness of the processing is based on the provisions listed under no. 1 (see above), in particular on art. 6 GDPR.
Depending on the nature of the contract, we process personal data as listed below:
a. Based on your consent
(art. 6 paragraph 1 (a) GDPR)
Insofar as you have given us consent to the processing of personal data for specific purposes (for example, disclosure of personal data to tax consultants as processors within the meaning of art. 28 GDPR or to financial and social authorities, etc.; evaluation of customer data for internal marketing purposes, for example, to Schufa), the legality of this processing is based on your consent.
A given consent can be revoked at any time; see art. 7 para. 3 GDPR. This also applies to the revocation of declarations of consent, which – such as the SCHUFA declaration – were granted to us before the validity of the GDPR, that is before 25 May 2018.
Please note that the revocation only works for the future. Processing that occurred before the revocation is not affected.
b. For the fulfillment of contractual obligations
(art. 6 paragraph 1 (b) GDPR)
The processing of personal data is done, for example
- to carry out any pre-contractual measures;
- to enter into, execute or otherwise fulfill our contracts (leases and sales contracts with RT customers, contracts for work and services with third parties such as suppliers, etc.);
Further details on the purpose of data processing can be found in the respective contract documents and the terms and conditions.
c. Due to legal requirements, for the protection of vital interests or in the public interest
(art. 6 paragraph 1 (c, d, e) GDPR)
In addition, as RT we are subject to various legal obligations, which means legal requirements that may also be justified in the public interest:
The processing of personal data may therefore be necessary, for example, to fulfill tax control and reporting obligations, to prevent fraud and money laundering and / or to verify identity and age; such arise among others from the banking act, money laundering act and / or various tax laws.
In rare cases, the processing of personal data may be required even if the vital interests of the data subject or another natural person are to be protected. This would be the case, for example, if a visitor (for example customer) would be injured in our company in Darmstadt (Haasstr 4, 64293 Darmstadt, Germany), on one of our exhibition stands, transfer areas of the motorhomes or in our rented seminar facilities and then his data (including name, age, health insurance data or other vital information) would have to be forwarded to a doctor, hospital or other third party.
d. In the context of the balance of interests
(art. 6 paragraph 1 (f) GDPR)
Finally, processing of your personal data can be based on art. 6 paragraph 1 lit. f GDPR.
Processing operations are based on this legal basis if processing is necessary to safeguard the legitimate interests of our company or a third party, unless the interests, fundamental rights and fundamental freedoms of the person concerned prevail.
An overriding legitimate interest can also be accepted according to the second sentence of recital 47 GDPR if the person concerned is a customer of the person responsible.
Therefore, we process your data in addition to the actual fulfillment of the contract for the protection of legitimate interests of us or third parties. Examples are:
- the further development and marketing of RT products and own services;
- the offered marketing of products or product parts of our contractual partners;
- the legally permissible documentation of business contacts;
- advertising, as long as you have not objected to the use of your data;
- asserting legal claims and defense in legal disputes;
- ensuring the IT security and the IT operations of RT;
- prevention and investigation of criminal offenses;
- video surveillance (as permitted by law) to collect evidence of crime; it serves the protection of customers and employees as well as the exercise of the house right; building security measures (such as access controls);
- measures to prevent the unauthorized use of RT products;
- measures for business management and further development of services and products.
6. How long will my data be retained?
If necessary, we process and store your personal data at least for the period required by applicable law.
The respective legal storage and documentation obligations serve the fulfillment of legal claims; they result from the Commercial Code (HGB), the Tax Code (AO), the Banking Act (KWG) or the Money Laundering Act (GwG).
However, the storage period is also determined by the statutory limitation periods, which, for example, under §§ 195 ff. of the Civil Code (BGB) are generally 3 years, but in certain cases up to 30 years.
Longer retention periods are possible as far as operational needs (for example: proper administration of customer, supplier and personal data) or the compliance with official regulations require this.
For example, we at RT retain most customer data for the duration of the contract and for a period of 11 years after the end of the contract.
This is due to the 10-year limitation period pursuant to §199 paragraph 3 sentence 1 no. 1 and paragraph 4 BGB.
For interested parties without subsequent contract conclusion, depending on the intensity of the contract initiation, a retention period of six to 14 months applies; in special cases up to 3 years (limitation of claims for damages due to culpa in contrahendo in accordance with § 311 paragraph 2 BGB in conjunction with § 195 BGB).
7. Who gets my data?
Within the company RT, your data is received by those entities that need it to fulfill our contractual and legal obligations. External processors (within the meaning of article 28 GDPR) employed by us may also receive data for these purposes. These are companies in the categories of credit-related services, IT services, logistics, printing services, telecommunications, debt collection, tax consultancy and sales and marketing.
With regard to the data transfer to recipients outside of RT, it should first be noted that we are bound to secrecy about all customer-related facts and valuations of which we become aware.
We may only disclose information about you if statutory provisions require it, if you have consented to it or if we are otherwise authorized to do so. Under these conditions, recipients of personal data may be, for example: tax authorities; social funds and authorities; employment agencies; bureaus; Schufa; other public entities and institutions.
8. Encryption of personal data (SSL- or TLS-encryption)
For security reasons and to protect the transmission of confidential content, our company homepage uses a transmission method based on the SSL protocol (Secure Sockets Layer) or on a TLS (Transport Layer Security) encryption.
These protocols allow encryption of all traffic between your browser and our servers. This protects your data during transmission against manipulation and unauthorized access by third parties as far as possible.
An encrypted connection is indicated by the browser’s address bar changing from “http://” to “https://” and by the lock icon in your browser bar. If SSL or TLS encryption is enabled, the data you submit to us cannot, as a rule, be read by third parties.
9. Special data protection advice on the use of data collection, analysis tools and advertising in our online offers
(1) Description and scope of data processing
(2) Legal basis for data processing
The legal basis for the processing of personal data using cookies is Article 6 (1) lit. f GDPR.
(3) Purpose of the data processing
The purpose of using technically necessary cookies is to simplify the use of websites for users.
Among other things, we need cookies for the following applications:
aa) simplification of the login process (storage subdomain, if necessary username)
bb) if necessary assignment of a registration to a cooperation partner (affiliate)
cc) permanent storage of UI settings (here: preferred language)
The user data collected by technically necessary cookies will not be used to create user profiles.
These purposes constitute our legitimate interest in the processing of personal data pursuant to art. 6 paragraph 1 lit. f GDPR.
(4) Duration of retention, objection and disposal
You have the option to allow or block the setting of cookies only for individual cases or to exclude them in general and to delete already set cookies. In such a case, we must point out that certain features on our website may no longer work, or may work only partially or not properly. If needed, you can deactivate the storage of cookies in the corresponding settings for “third party cookies” of your web browser. The settings can be found for the respective common browsers under the following links:
b. Data protection advice on the use of so-called “server log data”
(1) Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the calling computer.
The following data is collected here:
aa) information about the browser type and version used
bb) the operating system of the user
cc) the internet service provider of the user
dd) the IP address of the user
ee) date and time of access
ff) websites from which the system of the user gets to our website
gg) websites that are accessed by the user’s system through our website
The data is also stored in the log files of our system. A storage of this data together with other personal data of the user does not take place.
(2) Legal basis for data processing
The lawfulness of the processing (temporary storage of data and log files) is based – in order to safeguard our legitimate interest in improving the functionality and stability of our website – on Art. 6 (1) lit. f GDPR.
(3) Purpose of the data processing
The temporary storage of the IP address by the system is necessary to allow delivery of the website to the computer of the user. To do this, the user’s IP address must be kept for the duration of the session.
Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes constitute our legitimate interest in the processing of data according to art. 6 paragraph 1 lit. f GDPR.
(4) Duration of retention
The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. In the case of collecting the data for providing the website, this is the case when the respective session is completed.
(5) Objection and removal option
The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website. Consequently, the user has no option to object.
c. Contact form and e-mail contact
A contact form is available on our website, which can be used for electronic contact:
Alternatively, contact via the provided e-mail address is possible. In this case, the user’s personal data transmitted by e-mail will be stored. There is no disclosure of data to third parties in this context.
The data is used exclusively for processing the conversation.
(1) Legal basis for data processing
Where the user has given consent, the legal basis for the data processing is art. 6 paragraph 1 lit. a GDPR.
The legal basis for processing data transmitted by sending an e-mail is article 6 (1) lit. f GDPR.
If the e-mail contact aims to conclude a contract, then the additional legal basis for the processing is art. 6 paragraph 1 lit. b GDPR.
(2) Purposes of the data processing
The processing of the personal data from the input mask serves us only to process the contact.
In the case of contact via e-mail, this also includes the required legitimate interest in the processing of the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
(3) Duration of retention
The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection.
For the personal data from the input form of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation ends when it can be inferred from the circumstances that the matter in question has been finally clarified.
The additional personal data collected during the sending process will be deleted after a period of thirty days at the latest.
(4) Objection and removal option
The user has the opportunity to revoke his consent to the processing of personal data at any time.
If the user contacts us by e-mail, he may object to the storage of his personal data at any time. In such a case, the conversation cannot continue. All personal data stored in the course of contacting will be deleted in this case.
d. Data protection advice on the use of Google Maps / Google Earth
Our website uses the online mapping service “Google Maps API” for the interactive display of the company headquarters of RT, for the easy locating of our company location as well as for the description of a route to and from the company address (Haasstr. 4, 64293 Darmstadt, Germany).
The lawfulness of the processing is based on Art. 6 paragraph 1 lit. f GDPR.
The online map services are operated by the US company “Google LLC”, located at: 1600 Amphitheater Parkway, Mountain View, CA 94043, California, USA.
By using these interactive maps, information about the use of the RT website, including your IP address, is transmitted to Google’s servers in the United States and stored there.
You have the option of turning off the online map service and preventing data from being sent to Google. To do so, deactivate JavaScript in your browser. The corresponding services (route planner, etc.) and possibly other services / functions are then no longer available to you.
e. Data protection advice on the use of Instagram
On our website we use the “social bookmark” of the social network Instagram. This is just a link and not a so-called “social plugin”.
If you do not use the button, no information will be transmitted to Instagram and no Instagram cookie will be placed on your computer.
As soon as you click on the button without being logged in to Instagram, the following login window opens in a new window:
At the same time Instagram places cookies on your hard drive. If you click the button as an already logged in Instagram user, Instagram can assign the visit to your Instagram account.
Information about RT via the social network Instagram is made in the interest of an appealing presentation of our online offers. This constitutes a “legitimate interest” within the meaning of art. 6 (1) lit. f GDPR.
Sites within Instagram are operated exclusively by the company Instagram LLC, located at: 1601 Willow Road, Menlo Park, CA 94025, California, USA.
f. Data protection advice on the use of Facebook
On our website we use the “Social Bookmark” of the social network Facebook. This is just a link and not a so-called “social plugin”.
If you do not use the button, no information will be transmitted to Facebook and no Facebook cookie will be placed on your computer.
As soon as you click on the button without being logged in to Facebook, the following login window opens in a new window: https://www.facebook.com/ rolling-turtles.de
At the same time Facebook places cookies on your hard drive. If you click the button as an already logged in Facebook user, Facebook can assign the visit to your Facebook account.
Information about RT via the social network Facebook is made in the interest of an appealing presentation of our online offers. This constitutes a “legitimate interest” within the meaning of art. 6 (1) lit. f GDPR.
Sites within Instagram are operated exclusively by the company “Facebook Inc.”, located at: 1601 S. California Ave, Palo Alto, CA 94304, California, USA.
g. Data protection advice on the use of Twitter
On our website we use the “Social Bookmark” of the online short message service Twitter. This is just a link and not a so-called “social plugin”.
If you do not use the button, no information will be transmitted to Twitter and no Twitter cookie will be placed on your computer.
As soon as you click on the button without being logged in to Twitter, the following login window opens in a new window: https://twitter.com/ …. rolling-turtles.de
At the same time Twitter places cookies on your hard drive. If you click the button as an already logged in Twitter user, Twitter can assign the visit to your Twitter account.
Information about RT via the social network Twitter is made in the interest of an appealing presentation of our online offers. This constitutes a “legitimate interest” within the meaning of art. 6 (1) lit. f GDPR.
Sites within Twitter are operated exclusively by the company “Twitter Inc.”, located at: 1601 S. California Ave, Palo Alto, CA 94304, California, USA.
h. Data protection advice on the use of Google Plus / Google+
We include “Google Plus” services on our websites and “Google Analytics”, a web analytics service provided by the US company “Google LLC” at: 1600 Amphitheater Parkway, Mountain View, CA 94043, California, USA.
If you use Google Plus and the Share feature, the sites you visit will be linked to your Google Plus user account, and will be shared with other Google Plus users, with data also being transmitted to Google’s servers in the United States and stored there. We have no knowledge of the content of the data transmitted and their use by Google Plus.
The additional Google Plus terms of service can be found here:
There you will also find information about how to change your privacy settings, e.g. in your Google Plus user account.
i. Other links to external providers
10. Privacy protection for applications and in the application progress
We collect and process personal data of applicants for the purpose of proceeding with the application process.
The processing can also be done electronically. This is particularly the case if an applicant submits the corresponding application documents to us electronically, for example by e-mail. To this end, we reserve the right to offer on our website the possibility to send an application to us by e-mail by clicking a corresponding e-mail address listed there.
If there is a contract of employment with an applicant, we store the data transmitted to us for the purpose of processing the employment relationship in accordance with the legal regulations.
However, if no contract of employment is concluded with the applicant, the application documents will be automatically deleted seven months after notification of the rejection decision, unless other legitimate interests of ours stand in the way of deletion. Another legitimate interest in this sense is, for example, a burden of proof in a procedure under the General Equal Treatment Act (AGG).
11. Rights of the data subject (art. 12 ff. GDPR)
Your rights as a “data subject” are fully guaranteed by RT. With regard to your stored personal data, you are entitled to the following listed rights that you can assert against us.
To exercise these rights, please refer to the following chapter (“Exercise of the rights of the affected person”).
a) Right to information (art. 15 GDPR)
In principle, you have the right to request confirmation from us as to whether personal data relating to you is being processed. However, this right to information is subject to certain restrictions under § 34 BDSG.
b) Right to rectification (art. 16 GDPR)
If, in your opinion, your personal information is incorrect or incomplete, you may request that such information be changed accordingly.
c) Right to delete (art. 17 GDPR)
You may request that your personal information be (immediately) deleted, to the extent permitted by applicable law. Restrictions are provided for in § 35 BDSG.
d) Right of restriction of processing (art. 18 GDPR)
Each data subject is entitled to a restriction of the processing of his data (under the further requirements of art. 18 paragraph 1 of the GDPR).
f) Right of data transferability (art. 20 GDPR)
As far as legally possible, you can have the personal data provided to us reclaimed or have it transmitted to a third party, if this is technically feasible.
g) Right of withdrawal (art. 7 paragraph 3 GDPR)
You have the right to revoke your consent to data collection at any time. This right applies with effect for the future; the data collected up to the legal force of the revocation remain unaffected.
g) Right to object (art. 21 GDPR)
aa) Individual right of objection
You have the right at any time, for reasons arising from your particular situation, to object to the processing of personal data concerning you, e.g. based on art. 6 para. 1 lit. f GDPR (“data processing on the basis of a balance of interests”); this also applies to profiling based on this provision (in the sense of article 4 No. 4 GDPR), which we use, for example, for advertising purposes.
If you object, we will no longer process your personal information unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of enforcing, pursuing or defending legal claims. This also applies to profiling based on these provisions.
bb) Right to object to the data processing for direct marketing purposes
In individual cases, we process your personal data in order to operate direct marketing. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising or market and opinion research; this also applies to profiling insofar as it is associated with such direct marketing.
If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes; for this purpose, the data must then be blocked.
h) Right to complain to a data protection supervisory authority (art. 77 GDPR in connection with § 19 BDSG)
Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your place of residence, employment or the place of the alleged infringement, if you believe that the processing of the personal data concerning you violates the GDPR.
The addresses of the respective supervisory authorities can be found in the following link:
The supervisory authority responsible for us is:
The Hessian Commissioner for Data Protection and Freedom of Information
Gustav-Stresemann-Ring 1, 65189 Wiesbaden
Tel: 0611 – 1408 0
Fax: 0611 – 1408 611
12. Exercise of the rights of the data subject
To claim your rights listed in No. 11, please contact us in writing or by e-mail:
Rolling Turtles GmbH
Please understand that we may have to verify your identity before providing any information. Please enclose a (scanned) copy of your identity card (front and back) or of a corresponding official ID or passport.