Privacy Policy

Information Obligations in Accordance With Articles 13 and 14 of the GDPR and Section 13 (1) of the Telemedia Act (TMG)

1. Controller

DATEV eG, Nuremberg

Represented by

Dr. Robert Mayr (chairman)
Prof. Dr. Peter Krug (deputy chairman)
Julia Bangerth
Prof. Dr. Christian Bär
Diana Windmeißer

Chairman of the Supervisory Board: Nicolas Hofmann

Contact
Paumgartnerstrasse 6-14
90429 Nuremberg
Phone: +49 (0)911 3190
Email: info@datev.de

2. Data Protection Officer

DATEV eG
Data Protection Officer
Dr Jörg Spilker
Paumgartnerstrasse 6–14
90429 Nuremberg
Phone +49-911-3190
Email datenschutz@datev.de

3. Collecting and Processing of Personal Data When the DATEV Websites Are Visited

a) Public Websites

DATEV logs personal usage data for up to two months to protect website functionality, to optimise the website and to guarantee website security. The legal basis for this processing is DATEV’s legitimate interest (Article 6, paragraph 1, letter (f) GDPR).

When you visit our website, anonymised web server logbooks are generated which DATEV stores for statistical purposes (for example the number of page views) and for error tracking. Your usage data is not evaluated in any other way without your consent.

b) Use of websites and online applications with protected access

The following user information can be collected when the closed section of our websites and online applications is used (business processes between DATEV and its customers):

  • User identification (in the case of SmartCard: SmartCard ID, certificate; SmartLogin; new national ID card; SMS TAN or similar, in the case of DATEV user account: username or similar)
  • Customer identification (consultant number, if available)
  • Time of enquiry and our responses
  • Data volume transmitted
  • Transactions retrieved (URLs)
  • Error messages within the authentication process and applications

The user-specific details are stored for a maximum of two months. This data is evaluated solely for the purposes of error and performance analysis, for customer service and to understand effected transactions.

The legal basis for this processing is DATEV’s legitimate interest (Article 6, paragraph 1, letter (f) GDPR). The information aggregated under a consultant number, e.g. which consultant number retrieved which transaction on which day, is retained in accordance with the statutory provisions, e.g. the data retention periods pursuant to the German Commercial Code (HGB) and Germany’s Fiscal Code (AO). The same applies to application-specific information collected for billing purposes.

Legal basis: This processing is required for the purposes of contractual performance (Article 6, paragraph 1, letter (b) GDPR) and due to legal obligations (Article 6, paragraph 1, letter (c) GDPR).

c) Personal Input

Your personal data including your email address will additionally only be stored if you yourself provide us with these details, e.g. in a survey or when placing an order. Your data shall also only be used for the purpose stipulated on the page in question, e.g. to process your order.

Legal basis: Depending on the purpose stipulated on the page in question, this processing occurs

  • on the basis of your consent (Article 6, paragraph 1, letter (a) GDPR)
  • for contractual performance (Article 6, paragraph 1, letter (b) GDPR)
  • on the basis of legal obligations (Article 6, paragraph 1, letter (c) GDPR) or
  • to fulfil DATEV’s legitimate interests (Article 6, paragraph 1, letter (f) GDPR).

d) Cookies

DATEV uses temporary and permanent cookies on its own websites. Temporary cookies are time-limited and contain data such as an identification number (known as a session ID). They allow the server to associate consecutive browser enquiries with the same user. They are deleted automatically as soon as the user closes the browser. In contrast, permanent cookies remain in place even after the user has closed the browser. At DATEV, permanent cookies used for preferences and settings serve to make working with the SmartCard easier for you. DATEV additionally uses permanent cookies for non-personalised statistics in order to further develop and improve the services we provide. No personal data is evaluated in the process.

Adobe Analytics

DATEV uses the Adobe Analytics service of the service provider Adobe Systems Software Ireland Ltd., 4–6 Riverwalk, Citywest Business Campus, Saggart Dublin 24, Republic of Ireland. The information collected by the cookies on your device is processed by Adobe Analytics to measure reach.

The data collected for analytics purposes is saved for two years.

You may object to the collection and storage of data for these statistics including reach measurement at any time with effect for the future here.

Legal basis: Cookies are set in order to fulfil DATEV’s legitimate interests (Article 6, paragraph 1, letter (f) GDPR).

You can opt out of cookie storage using your browser settings and delete stored cookies in your browser at any time. However, please note that without cookies, the functions of this online service will be limited.

4. Collection and Processing of the Personal Data of Interested Parties

DATEV collects your personal data when you contact us, in particular if you are interested in our products, wish to position your products with DATEV, register for our online services or contact us by email or phone.

DATEV can process the following data relating to you: contact details, customer group/interest, offer data, quotations, credit rating data, log data, company data.

Legal bases and purposes of processing

a) On the basis of your consent (Article 6, paragraph 1, letter (a) GDPR)

Insofar as you have given your consent to the processing of personal data for specific purposes (e.g. the evaluation of data for marketing purposes), such processing is lawful on the basis of the consent granted by you. You may revoke the consent you have granted at any time. Please note that a revocation is effective for the future only. Data processing performed prior to a revocation is not affected.

b) For the performance of contractual obligations (Article 6, paragraph 1, letter (b) GDPR)

Personal data is processed for us to provide our services, in particular for us to implement pre-contractual measures.

c) On the basis of legal provisions (Article 6, paragraph 1, letter (c) GDPR) or public interest (Article 6, paragraph 1, letter (e) GDPR)

DATEV may process your personal data on the basis of other legal obligations, such as court orders.

d) On the basis of legitimate interests (Article 6, paragraph 1, letter (f) GDPR)

Where required, DATEV processes your data beyond the actual performance of the contract for the purposes of safeguarding our legitimate interests or those of third parties. For instance, for:

  • Better customer service
  • Safeguarding IT security and operation, e.g. transfer protocols
  • Reviewing and optimising processes for needs analysis and direct customer communication
  • Advertising by DATEV or market research and opinion polling insofar as you have not objected to the use of your data for these purposes
  • Asserting legal claims and defending legal disputes
  • Measures for business management and to further develop services and products

5. Collection and Processing of the Personal Data of Customers

DATEV collects your personal data when you contact us, i.e. in particular when you register for our online services or contact us by email or phone or when you use our products and services on the basis of existing business relations. We additionally process personal data from publicly accessible sources if said data is necessary for our service. We acquire this data in a permissible manner, e.g. from debtors’ lists or commercial registers and registers of associations. We are additionally provided with personal data by other third parties (e.g. credit reference agencies).

DATEV can process the following data relating to you: contact details, customer group/interest, sales data, offer data, quotations, credit rating data, payment data, log data, audit data, billing data, protocols and company data.

If you are the employee of a client, DATEV may have saved your contact details, in particular in your capacity as the contact for a certain process. If you work with DATEV applications/programs, log data from these applications and technical data from the systems with which you work may additionally be saved.

Legal bases and purposes of processing

a) On the basis of your consent (Article 6, paragraph 1, letter (a) GDPR)

Insofar as you have given your consent to the processing of personal data for specific purposes, e.g. the evaluation of data for marketing purposes, such processing is lawful on the basis of the consent granted by you. You may revoke the consent you have granted at any time. Please note that a revocation is effective for the future only. Data processing performed prior to a revocation is not affected.

b) For the performance of contractual obligations (Article 6, paragraph 1, letter (b) GDPR)

Personal data is processed for us to provide our services, in particular to execute our contracts or pre-contractual measures agreed with you and to perform your orders as well as in the course of customer management and care.

c) On the basis of legal provisions (Article 6, paragraph 1, letter (c) GDPR) or public interest (Article 6, paragraph 1, letter (e) GDPR)

DATEV may process your personal data on the basis of other legal obligations, such as court orders.

d) On the basis of legitimate interests (Article 6, paragraph 1, letter (f) GDPR)

Where required, DATEV processes your data beyond the actual performance of the contract for the purposes of safeguarding our legitimate interests or those of third parties. For instance, for:

  • Better customer service
  • Safeguarding IT security and operation, e.g. transfer protocols
  • Reviewing and optimising processes for needs analysis and direct customer communication
  • Advertising by DATEV or market research and opinion polling insofar as you have not objected to the use of your data for these purposes
  • Asserting legal claims and defending legal disputes
  • Measures for business management and to further develop services and products

6. Collection and Processing of the Personal Data of Suppliers

DATEV collects your personal data when you contact us. We additionally process personal data from publicly accessible sources. We acquire this data in a permissible manner, e.g. from debtors’ lists or commercial registers and registers of associations. We are additionally provided with personal data by other third parties (e.g. credit reference agencies).

DATEV can process the following data relating to you: contact details, sales data, offer data, quotations, credit rating data, log data, audit data, service provision data, billing data, protocols, company data.

If you are the employee of a supplier, DATEV may have saved your contact details, in particular in your capacity as the contact for a certain process. If you work with DATEV applications/programs, log data from these applications and technical data from the systems with which you work may additionally be saved.

Legal bases and purposes of processing

a) On the basis of your consent (Article 6, paragraph 1, letter (a) GDPR)

Insofar as you have given your consent to the processing of personal data for specific purposes (e.g. the evaluation of data for marketing purposes), such processing is lawful on the basis of the consent granted by you. You may revoke the consent you have granted at any time. Please note that a revocation is effective for the future only. Data processing performed prior to a revocation is not affected.

b) For the performance of contractual obligations (Article 6, paragraph 1, letter (b) GDPR)

Personal data is processed for the execution of and payment for your services and in the course of supplier management.

c) On the basis of legal provisions (Article 6, paragraph 1, letter (c) GDPR) or public interest (Article 6, paragraph 1, letter (e) GDPR)

DATEV may process your personal data on the basis of other legal obligations, such as court orders.

d) On the basis of legitimate interests (Article 6, paragraph 1, letter (f) GDPR)

Where required, DATEV processes your data beyond the actual performance of the contract for the purposes of safeguarding our legitimate interests or those of third parties. For instance, for:

  • Safeguarding IT security and operation, e.g. transfer protocols
  • Consultation with credit reference agencies (to determine credit/default risks)
  • Asserting legal claims and defending legal disputes

7. Collection and Processing of the Personal Data of Applicants

We process personal data which relates to your application. This may be general information about you (such as name, address and contact details), details of your professional qualifications and school education or professional development, or other information with which you provide us in connection with your application. Insofar as we do not collect data directly from you and you have an active profile on XING and LinkedIn or disclose an inactive or only partially active profile to us in the course of the application process, we may also collect personal data from here.

Legal bases and purposes of processing

We process your personal data for the purpose of processing your application for an employment relationship insofar as this is necessary in order to reach a decision regarding the establishment of an employment relationship with us. The legal basis for this is Section 26 (1) in conjunction with Section 8 sentence 2 of the Federal Data Protection Act (BDSG).

Further, we can process your personal data insofar as this is necessary for the defence of legal claims asserted against us on the basis of the application process. The legal basis for this is Article 6, paragraph 1, letter (f) GDPR (safeguarding the legitimate interests of the controller). DATEV’s legitimate interest is, for example, the burden of proof in legal proceedings pursuant to Germany’s General Act on Equal Treatment (AGG).

Insofar as an employment relationship is established between you and us, pursuant to Section 26 (1) BDSG we may continue to process the personal data provided by you for the purposes of the employment relationship if this is necessary for the execution or termination of the employment relationship or to exercise or perform the rights and obligations regarding employee advocacy pursuant to a law or company agreement.

8. Additional Processing Purposes

DATEV may process your personal data on the basis of other legal obligations, such as court orders. The legal basis is legal provisions (Article 6, paragraph 1, letter (c) GDPR) or public interest (Article 6, paragraph 1, letter (e) GDPR). Where required, DATEV processes your data beyond the actual performance of the contract for the purposes of safeguarding our legitimate interests or those of third parties. For instance, for:

  • Safeguarding IT security and operation, e.g. transfer protocols
  • Asserting legal claims and defending legal disputes

The legal basis for this processing is DATEV’s legitimate interest (Article 6, paragraph 1, letter (f) GDPR).

9. Objection

You have the right to object to this processing of your personal data at any time for grounds arising from your particular situation provided this data is processed on the basis of legitimate interests (Article 6, paragraph 1, letter (f) GDPR) or in the public interest (Article 6, paragraph 1, letter (e) GDPR). You may object to the use of your personal data for direct marketing at any time without giving grounds at widerspruch@datev.de.

10. Duration of Storage

If your personal data is no longer required for the above purposes, it is deleted on a regular basis, unless its – temporary – retention is still necessary for the purposes of fulfilling contractual or legal obligations. Grounds for this may include:

  • Keeping evidence for legal disputes in the context of legal statutes of limitation: statutory limitation periods under civil law may last up to 30 years, with the standard limitation period being three years.
  • Log data may be stored for up to two years and your enquiries to our customer service may be stored for up to three years.

Once these periods have passed, the data is deleted following a subsequent period of review. For data with a statutory retention period of ten years, this may last up to four years.

11. Recipients of Personal Data

Access to your data is afforded to those within DATEV who need it for the purposes stipulated above. Processors contracted by DATEV (Article 28 GDPR) and other service providers may likewise receive data for the purposes stipulated. These are companies in the areas of IT services, logistics, telecommunications and marketing. DATEV additionally cooperates with universities to develop and improve its services. Data shall only be shared with recipients outside of DATEV if provisions allow for this or mandate this, you have given your consent or we are otherwise authorised to share data. Under these circumstances, the recipients of personal data may be, for example:

  • Public authorities and institutions in the event of a statutory or official obligation.
  • In rare maintenance cases or for malfunction analysis, hardware or software support partners may be contracted. The contractual regulations regarding purpose limitation and confidentiality shall be concluded with these.

12. Third Country

It cannot be ruled out that an IT service provider from a third country (e.g. the USA) may be afforded controlled and limited insight into personal data in rare cases for troubleshooting in the course of the remote maintenance of standard IT components. Personal data is only transmitted to service providers outside of the European Economic Area (EEA) if the third country is confirmed by the European Commission to have an adequate level of data protection or other appropriate data protection guarantees (e.g. binding internal data protection regulations or EU standard contractual clauses) are in place.

13. Automated Decision Making

To a degree, your data is processed by us automatically with the aim of evaluating certain aspects of relevance to customer relations (profiling for, for example, ABC analysis). However, we do not make any automated decisions on this basis which would have a legal impact on you or would otherwise considerably harm you without the involvement of a person.

Should we solely make use of automated decisions in individual cases in the future, we shall notify you of this separately insofar as this is stipulated by law.

14. Subjects’ Rights

If DATEV has saved your personal data, you may obtain information upon request on the saved data pertaining to you. Please inform us if we have saved inaccurate data about you or if you do not agree to parts of the data storage, so we can rectify, erase or restrict processing of said data. You may request a copy in a portable format of the personal data with which you provided DATEV in accordance with the legal provisions. To exercise your subjects’ rights, please contact widerspruch@datev.de stating

  • your contact details and
  • the subjects’ rights you wish to exercise.

15. Right to Lodge a Complaint With a Supervisory Authority

If you have any complaints, you may get in touch with a data protection supervisory authority. The Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection) is the competent supervisory authority for DATEV.

16. What Happens if the Data Is not Supplied

We require the following personal data from you in the course of the business relationship:

  • Data required to initiate and execute a business relationship
  • The data necessary for the performance of the related contractual obligations
  • Data which we are legally obliged to collect

Without this personal data, we are unable to enter into or execute a contract with you.

17. Security

DATEV takes suitable technical and organisational measures to ensure a level of protection appropriate to the risk involved and to protect personal data from destruction, loss, alteration or unauthorised disclosure and access. The effectiveness of these measures is reviewed, assessed and evaluated on a regular basis.

18. Links to Other Websites

If you access an external website from our site (external link), the external provider may obtain information from your browser regarding which site you accessed theirs from. The external provider is responsible for this data. Like any other provider, we are unable to influence this process.

19. Video Integration via YouTube

YouTube videos are incorporated into a number of our websites. These are incorporated using what is known as a two-click solution – only when you click on the video will the standard data be transmitted to Google. In individual cases, the data transmitted may be the IP address, the specific address of the page viewed on our website, if applicable the page from which you were redirected to us (link source), the browser’s transmitted identifier, and the system date and time of the page view. Google may receive additional data regarding cookies already stored. Google is responsible for this data. No data is transmitted to YouTube/Google if no pages with integrated videos are viewed.

Version dated: March 2021