Privacy Notice
This Privacy Notice applies to the processing of personal data concerning business customers and contractors by NGN Fiber Network GmbH & Co. KG and other companies operating in the Eurofiber group (hereafter collectively: “NGN”, “we” and/or “us”). We are the controller for the processing of these personal data as referred to in the General Data Protection Regulation.
We can be contacted at NGN Fiber Network GmbH & Co. KG, Hauptstraße 15, D-97633 Aubstadt and by email via datenschutz@ngn-fibernetwork.de.
Personal data
Personal data means any information relating to an identified or identifiable natural person. The data concerned include the names and contact details of representatives of customers (existing or prospective customers in the form of a company or government organization), as well as other information on visits to our website(s). The processing of personal data is governed by special statutory provisions. Where we process the personal data of (prospective) customers or website visitors, we comply with all applicable legislation and regulations, including the General Data Protection Regulation (hereafter: ‘GDPR’).
We process personal data lawfully, fairly and transparently.
We process the following types of personal data concerning business customers:
- Contact and address details of (representatives of) the (prospective) Customer, including the contact representative’s business email address and telephone number;
- The content of written or oral contacts with (various departments of) NGN, including information shared by the Customer or the Customer’s representative in connection with the preparation for or execution of an agreement;
- Agreement(s) with NGN;
- Payment information, such as invoices and payment details, including name details, a creditor’s position and bank account number;
- Notes made by engineers and contractors, including photos of the location where a fiber-optic line is provided;
- The Customer’s replies to additional questions, such as surveys concerning our services;
- Details about visits to our website(s), including IP addresses and navigation history.
We process the following types of personal data concerning (personnel) of contractors:
- Contact and address details of (representatives of) the contractor, including the contact representative’s business email address and telephone number;
- Notes made by engineers and contractors concerning the work;
- Required qualifications of executing contractors, such as necessary diplomas, and disqualifications, if any.
We do not process any sensitive personal data concerning our customers or contractors.
Purposes and bases of data processing
We process the personal data of customers for two main purposes: business operations and marketing.
These two main purposes include various specific sub-purposes. The GDPR specifies various grounds, or bases, for the processing of personal data. In addition to the basis of consent, we apply three other bases for the various sub-purposes, as follows: necessary for the formation or performance of the agreement, necessary in order to comply with a legal obligation and necessary to satisfy a legitimate interest.
Basis: consent
- For the purpose of newsletter distribution
- Storing answers to customer satisfaction survey questions in your name for two years
- In order, based on downloaded content, to offer customers and prospective customers of NGN by email content which is (more) relevant to their interests. These persons can also be approached by our sales department with the aim of providing them with more detailed information about our services.
- For the purpose of installing and reading tracking cookies and similar techniques via the website(s).
Basis: necessary for agreement
- In order to facilitate the formation of an agreement
- In order to provide the service, including matching the service to the needs and wishes of the customer
- In order to manage the (security and continuity of the) services and infrastructure
- In order to carry out (necessary) repairs
- In order to implement digital as well as analogue security measures.
- In order to enable communication with existing customers, including the distribution of service messages and communication for a commercial purpose
- For the detection or prevention of loss and/or damage or fraud
Basis: legal obligation
- In order to comply with legal and regulatory requirements, including, where necessary, meeting lawful requests by law enforcement or investigating authorities
- To deal with disputes
- To submit to inspection and auditing, including of a financial nature
Basis: necessary for legitimate interest
- In order to administer the customer database, including details of prospective customers and former customers
- In order to conduct or commission market and customer satisfaction research
- For the purpose of product and service development as well as to assist in defining strategy
- In order to make targeted offers to existing customers
- In order to monitor the use of our website(s) and to analyze, maintain, optimize and secure the website(s). Optimization also refers to the use of techniques for remembering visitors’ data which ensure that they no longer need to enter the same data multiple times when downloading content. This is only done where the visitor has first given consent for the installation or reading of tracking cookies.
- In order to facilitate the exchange of personal data between the different companies operating in the Eurofiber group. In this way personal data may, for instance, be combined with other data that have been collected in connection with the use of our products or services (and/or products or services of other group companies). These data enable us to draw up a business customer profile so that we can be of better service to a customer and can match our products and services even more closely to their wishes and needs.
We process the personal data of (personnel of) the contractors only insofar as necessary for business operations, and only based on the necessity for performance of the agreement with the contractor, or based on the necessity for satisfying our legitimate interest [on the termination of a relationship in connection with disqualification].
Sharing and provision of personal data
We may, insofar as necessary for our operations or in order to comply with a legal obligation, provide personal data to third parties in connection with the investigation of loss and/or damage or detection of fraud, or the prevention of loss and/or damage or fraud, as well as in order to guarantee the security and continuity of our network and our services. Where possible (if the party is not designated by law to perform a particular task independently), these parties will be bound by a data processing agreement, or NGN will enter into a joint responsibility agreement.
We can also engage third parties to assist in the performance of our work and marketing activities. We have concluded data processing agreements with these organizations. These processors may only process the personal data according to our instructions and under our supervision, solely for purposes determined by us and subject to strict confidentiality. We actively monitor compliance with the security obligations of our processors.
Where we use processors established outside the European Economic Area (EEA), or processors that use sub-processors outside the EEA, we implement appropriate safeguards as referred to in article 46 of the GDPR, including the use of standard data protection clauses adopted by the European Commission (so-called Standard Contractual Clauses).
Confidentiality
We guarantee that all persons who process personal data under our responsibility, including employees, temporary workers, casual or on-call workers and agency workers, as well as (staff of) contractors, have a duty of confidentiality.
As explained above under ‘purposes and bases’, NGN may be obliged to provide personal data to third parties. NGN takes care to ensure personal data are only provided if and insofar as is necessary pursuant to a judgment of a court, a legal requirement or on the basis of a duly authorized order issued by a public authority.
All access and/or identification codes, certificates, information on access and/or password Notice provided to customers by us and all information provided to customers by us detailing the technical and organizational security measures set out in the Privacy Notice are confidential. Customers must treat these data as such and only notify them to authorized employees. Customers are responsible for ensuring that their employees comply with the obligations set forth in this article.
Security measures
We take steps to maintain an adequate level of security, by implementing technical and organizational security measures. In implementing the security measures, we take into account the state of the art, the costs of implementing the security measures, the nature, scope and context of the processing, the purposes and the intended use of our products and services, the risks involved by the processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects which they might expect given the intended use of our services.
Customers are responsible themselves for taking appropriate technical and organizational protection measures to protect the personal data they process via our services. We advise customers to encrypt the transmission of personal data. If customers purchase active services from us, using active equipment supplied by us (such as Ethernet), we can provide encryption as an optional service.
Personal data breaches (data breach protocol)
We implement measures aimed at preventing data breaches. These include digital and analogue security measures on our infrastructure, careful selection of processors, contractual agreements and continuous employee training.
We also have procedures in place for the steps to take in case of a data breach. This ensures that swift and effective action can be taken to minimize any loss or damage. The top priority following the discovery of a data breach is to stop the breach.
Where we are legally obliged to do so, we notify the Data Protection Authority, unless the personal data breach is unlikely to result in a risk to data subjects. Where the data breach is likely to result in a high risk to the privacy of data subjects, we also inform the data subjects. No notification is required where:
- the personal data have been rendered unintelligible to any person who is not authorized to access them, e.g. because effective and up-to-date encryption has been applied and the key enabling decryption has not also been leaked;
- the nature of the data, combined with our protection measures, mean that the breach does not result in a high risk to data subjects;
- the communication to the data subjects involves disproportionate effort because we do not have contact details. For instance, if we only have IP addresses of website visitors. In such a case, we will make a public communication or similar effective communication of the data breach.
Retention periods
We do not retain data for longer than necessary for the legitimate purposes for which we process the data, including in order to comply with tax-related retention obligations. We have laid down all the retention periods in a retention period Notice. In determining the retention periods we took into consideration the nature of the personal data (sensitive or rapidly obsolete), the purpose (once only or structural), the purpose for which we collected the data and what customers or contractors may reasonably expect in terms of a retention period.
Cookies
We place cookies via our websites. More information on the processing of personal data which we have collected via the cookies is provided in our cookie statement (Now: cookie policy.)
Rights of data subjects
Users, customers and contractors (summarized as: data subjects) can exercise their privacy rights with us as referred to in Articles 15 to 22, inclusive, of the GDPR. This may concern a request to access personal data relating to them, for instance. Following a request to access personal data, data may be found to be inaccurate or incomplete. We will rectify or supplement inaccurate or incomplete data on request.
Data subjects can also request us to erase data, to restrict the processing of data, or (if the processing is based on consent or a contract) to transmit their data (data portability). We will comply with such requests provided that there is no legal obligation or other well-founded reasons requiring us to retain the data. Data subjects may object to the processing of personal data for marketing purposes at any time and may withdraw their consent at any time.
Requests that concern processing by a NGN group company can also be notified to us at any time. These requests can be notified to: datenschutz@ngn-fibernetwork.de or by post, stating ‘personal data’, to
NGN Fiber Network GmbH & Co. KG
Hauptstraße 15
D-97633 Aubstadt
Contact
If you have any questions about this Privacy Notice or the processing of personal data by NGN, you can contact us via datenschutz@ngn-fibernetwork.de. We can also be contacted by post at:
NGN Fiber Network GmbH & Co. KG
Hauptstraße 15
D-97633 Aubstadt
Complaint
If we do not respond to your request or complaint regarding data processing in a timely or satisfactory manner, you can lodge a complaint with a data protection supervisory authority. The responsible supervisory authority is the Bavarian State Commissioner for Data Protection (BayLfD) with the following contact details:
Postal address: PO Box 22 12 19, 80502 Munich
Address for visitors: Wagmüllerstraße 18, 80538 Munich
Telephone: +49 89 212672-0
Email: poststelle@datenschutz-bayern.de
Miscellaneous
We may amend this Privacy Notice from time to time. We will announce any amendment on our website. If we wish to substantially alter the purposes of processing, and the processing is based on your consent, we will first request your consent again for the new purposes.
As of October, 2022