Privacy Notice
Data protection at a glance
The Bilfinger group of companies ("Bilfinger") takes the protection of your personal data very seriously. Bilfinger treats your personal data confidentially and in accordance with the statutory data protection regulations as well as this privacy notice.
This privacy notice contains information on (i) what happens to your personal data when you visit this website, (ii) how Bilfinger processes your personal data when you interact with Bilfinger via social media and (iii) how Bilfinger processes personal data of business partners. You can find the data processing notice for the Bilfinger Job Portal here.
I. Who we are, how to contact Bilfinger and your rights
The controller with respect to the processing of personal data is
Bilfinger Engineering & Maintenance Nordics OY
Nybyntie 88
06850 Kullo
(in this privacy notice: "we", "us")
If you have any questions about this privacy notice or the processing of your personal data in general, please contact us by email at dataprivacy. @bilfinger.com
If you have any questions about this privacy notice or the processing of your personal data in general, please contact us by email at dataprivacy. @bilfinger.com
You have the following rights, provided that the relevant legal requirements are met:
3.1 Right of access (Art. 15 of the General Data Protection Regulation ("GDPR")). You may request information about the processing of your personal data and a copy of the personal data that is the subject of the processing, provided that such copy does not adversely affect the rights and freedoms of others.
3.2 Right to rectification (Art. 16 GDPR). You may request the rectification of your personal data that are inaccurate and/or the completion of such data that are incomplete.
3.3 Right to erasure ("right to be forgotten") (Art. 17 GDPR). You may request the erasure of your personal data in particular if (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) you have objected to the processing and there are no overriding legitimate interests for the processing, (iii) your personal data has been processed unlawfully or (iv) your personal data must be erased in order to comply with a legal obligation to which we are subject. However, the right to erasure does not apply in particular if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims.
3.4 Right to restriction of processing (Art. 18 GDPR). You may request the restriction of theprocessing of your personal data (i) for the period during which we verify the accuracy of your personal data if you have contested the accuracy of such data, (ii) if the processing of your personal data is unlawful and you request the restriction of processing instead of erasure of the data, (iii) if we no longer need the personal data but you need the data to establish, exercise or defend legal claims; or (iv) if you have objected to the processing until it has been verified whether our legitimate grounds override your interests, rights and freedoms.
If processing has been restricted, we will only process the data concerned - apart from storage - with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state of the European Union.
3.5 Right to data portability (Art. 20 GDPR).You may request that we provide you with your personal data that you have provided to us in a structured, commonly used and machine-readable format, insofar as the processing of your personal data is based on your consent or a contract and the processing is carried out by automated means; in these cases, you may also request that the personal data be transferred directly to another controller, if this is technically feasible.
3.6 Right to withdraw consent at any time (Art. 7 (3) sentence 1 GDPR). You may withdraw your consent at any time with effect for the future, insofar as the processing is based on your consent, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.
3.7 Right to object (Art. 21 GDPR).
Right to object You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on our legitimate interests or those of a third party. We will then no longer process your personal data for the purpose to which you have objected, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defense of legal claims. To the extent that your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing. If you object to the processing of your personal data for direct marketing purposes, we will no longer process the personal data for these purposes. |
3.8 France - right to digital legacy. If you are a resident of France, you have the right to set directives (general or specific) on the fate of your personal data after your passing.
3.9 Right to lodge a complaint with a supervisory authority. You may lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR. You can view the contact details of the European data protection authorities here.
If you believe that the processing of your personal data infringes the GDPR, you can also contact us first using the email address below.
Please direct your requests to exercise these rights (other than the right to complain to a supervisory authority) to dataprivacy. @bilfinger.com
II. Special information for website visitors
Below you will find information on how we process the personal data of website visitors.
We collect your personal data when you use the website, navigate it, use the search function and/or contact us via the website. This concerns in particular the following categories of personal data:
- Identification data (if you contact us through the website): such as your first and last name;
- Contact information (if you contact us through the website): such asyour email address and phone number;
- Communication data (if you contact us through the website): such as the company you work for or on whose behalf you are contacting us, the country you are in, and the content of your message;
- Server Log Data: Browser type and browser version of the browser you are using, the operating system you are using, address of the website from which you accessed the website (referrer URL), the host name of the accessing device, the time of your visit to the website and your IP address;
- Website activity data, such as your IP address, your behavior on the Website, information about the device you are using, the browser language, the date, time and duration of your visit to the Website, the names of the pages visited and the address of the website from which you accessed the Website;
- Location information, such asgeneral information about your location (e.g. time zone, city/state and/or zip code in conjunction with your IP address).
2.1 General
We process your personal data for the purposes listed in the table below. In doing so, we rely on the legal bases listed in the table. Where relevant, the legitimate interest we pursue with the processing is also listed. In principle, the following legal bases are relevant:
- performance of a contract (including processing necessary to take steps at your request prior to entering into a contract) (Art. 6 (1) (b) GDPR;
- Compliance with legal obligations (Art. 6 (1) (c) GDPR);
- Legitimate interests (Art. 6 (1) (f) GDPR);
- Consent (Art. 6 (1) (a), Art. 7 GDPR).
For some specific purposes of processing (e.g. server logs), you can find additional information below the table.
Processing purposes | Legal basis | Legitimate interests (as far as relevant) | Categories of personal data |
Provision and maintenance of the website | Legitimate interest | There is a legitimate interest in providing and maintaining a (legally compliant) website in order to present the Bilfinger Group and its services and content on the Internet. | Server log data |
Contacting you and providing you with information you have requested | Fulfillment of a contract or, if you are not our contractual partner, legitimate interests | There is a legitimate interest in responding to your communication. | Identification data, contact data, communication data |
Improving our services, products and website | Legitimate interests | There is a legitimate interest in improving our services, products and website in order to further develop our business. | Website activity data, location information |
Collection and use of statistical information about the use of the website | Legitimate interests | There is a legitimate interest in analyzing the use of the website in order to improve it. | Website activity data, location information |
Detecting faults and ensuring the security of the website and associated systems, including the detection and tracking of (attempted) unauthorized access to web servers | Fulfillment of legal obligations related to data security or, in the absence of such an obligation, legitimate interests. | There is a legitimate interest in rectifying faults and ensuring the security of the website and associated systems. | Server log data, website activity data, identification data |
Marketing communications (such as newsletters) | Consent or, to the extent permitted by law, legitimate interests | There is a legitimate interest in advertising products and/or services. | Contact data, identification data |
Safeguarding our rights | Legitimate interests | There is a legitimate interest in establishing, exercising and/or defending legal claims. | Identification data, contact data, communication data, server log data, website activity data, location information |
Compliance with legal obligations (e.g. from tax law) | Fulfillment of legal obligations | - | Identification data, contact data, communication data, server log data, website activity data, location information |
Execution of corporate transactions (e.g. reorganization, merger, sale, sale of assets, joint venture) | Legitimate interests | There is a legitimate interest in effectively disposing of our assets and making commercially reasonable decisions about the development of our business. | Identification data, contact data, communication data, website activity data, location information. |
For the processing purposes listed above it may be necessary to transfer data to other companies of the Bilfinger group | Consent, insofar as consent is used as a legal basis for the relevant processing activity, otherwise legitimate interests | There is a legitimate interest in transferring data within the Bilfinger group for internal administrative purposes. | The categories of personal data correspond to those listed for the respective processing purpose. |
2.2 Server logs
As indicated in the table above, we store server logs, which contain server log data, in order to detect and correct malfunctions and to ensure the security of the website and related systems.
2.3 Customer relationship management Tool
Information that you provide to us when contacting us via contact forms available on the website (possibly identification data, contact data and communication data) is usually stored and managed in our customer relationship management tool. This tool accepts the data from the contact forms via API interface.
2.4 Consent management
We use a service to obtain - where necessary - your consent(s) for the inclusion of services on our website and to ensure that services which require consent are only carried out where such consent has been given. In this context, the processing of your personal data, i.e. whether you have given one (or more) corresponding consent(s), is based on our legitimate interests in providing a legally compliant website.
2.5 Representation of the share prices
For the display of share prices, we integrate a service of EQS Group AG, which enables the display of these prices via iFrame.
The provider may process website activity data in this context. The basis for such processing is your consent.
More information on the handling of user data can be found in the data protection notice of EQS Group AG: https://www.eqs.com/about-eqs/data-protection/.
2.6 Website analysis and advertising
This website uses the open-source web analytics service Matomo. Matomo uses technologies that enable cross-page recognition of the user to analyze user behavior (e.g. cookies or device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. The IP address is anonymized (2 byte masked) before storage.
The use of cookies (and comparable technologies) for this purpose is based on your consent. Otherwise, the use of this analysis tool is based on our legitimate interests in analyzing user behavior in order to optimize both our website and advertising.
The information collected by Matomo about the use of this website is not shared with third parties.
2.7 YouTube (with enhanced privacy)
This website embeds videos from YouTube. The operator of the pages is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in extended privacy mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they watch the video. However, the disclosure of data to YouTube partners is not necessarily excluded by the extended data protection mode. Thus, YouTube - regardless of whether you watch a video - establishes a connection to the Google DoubleClick network.
As soon as you start a YouTube video on this website, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
Furthermore, after starting a video, YouTube may store various cookies on your end device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve the user experience, and prevent fraud attempts.
If necessary, further data processing operations may be triggered after the start of a YouTube video, over which we have no control.
The use of YouTube and the associated processing of personal data is based on our legitimate interest in an appealing presentation of our website. If consent has been given for the processing of your personal data in this context, the processing is based on this consent.
For more information about privacy at YouTube, please see their privacy notice at: https://policies.google.com/privacy?hl=en.
2.8 Google Maps
This site uses the map service Google Maps via an API. Provider is Google.
To use the functions of Google Maps, it is necessary to store your IP address.
The use of Google Maps and the associated processing of personal data is based on our legitimate interest in an attractive presentation of our website and in making it easy to find the places we indicate on the website. If consent has been given for the processing of your personal data in this context, the processing is based on this consent.
You can find more information on the handling of user data in Google's privacy notice: https://policies.google.com/privacy?hl=en.
2.9 Cookies
Our website uses so-called "cookies". Cookies are small text files and do not cause any damage to your end device. They are stored either temporarily for the duration of a session ("Session Cookies"), or for a specific duration beyond the session ("Permanent Cookies") on your end device. Session Cookies are automatically deleted at the end of your visit. Cookies that are stored for a specific duration beyond the session are automatically deleted after this duration has expired.
In some cases, cookies from third-party companies may also be stored on your terminal device when you use our website ("Third-Party Cookies"). These enable us or you to use certain services of the third-party company.
Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them. Other cookies are used to evaluate user behavior or to display advertising.
The legal basis in connection with cookies (and comparable technologies), which are required to carry out the electronic communication process or to provide certain functions requested by you, are the legitimate interests in the secure and trouble-free provision of the website.
Otherwise, we will only use cookies (and comparable technologies) with your consent. You can adjust or withdraw your consent at any time with effect for the future in the "Privacy Setting"; you can access this by clicking on the checkmark icon displayed at the bottom left of the browser on the website. There you will also find further information on the cookies (and comparable technologies) used. The legal bases for any processing of personal data collected with the aid of cookies are shown in the table in section 2.1 Above.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. When deactivating cookies, the functionality of this website may be limited.
3.1 We may share your personal data with service providers who process personal data on our behalf and based on our instructions as so-called processors in order to provide their services to us:
- Website hosting provider (in the EU)
- Customer relationship management tool provider (in the EU)
- Consent management provider (in the EU)
- Provider for sending newsletters (in the EU)
- EQS Group AG (presentation of share prices) (in the EU)
- Google Ireland Limited (Youtube with enhanced privacy, GoogleMaps) (in the EU)
3.2 We may share your personal information with the following third parties:
- Other Bilfinger group companies to the extent necessary for internal administrative purposes;
- Authorities, courts and consultants (e.g. lawyers, auditors), insofar as we are legally obliged to do so, or this is necessary to safeguard our rights
- Relevant third parties in the context of a corporate transaction, to the extent required for a transaction
The recipients of your personal data (see section 3) may be located in a country outside the European Union / European Economic Area. To the extent that the relevant country has not been recognized by the European Commission - by means of an adequacy decision - as a country where personal data are adequately protected, we will only transfer your personal data to such countries to the extent that another mechanism of Art. 44 et seq. GDPR justifies the transfer (e.g. standard contractual clauses) or an exception under Art. 49 GDPR applies. Additional measures are taken / agreed upon to the extent necessary to ensure adequate protection for the personal data. A list of adequacy decisions can be found here.
If there is no adequacy decision, the standard contractual clauses of the European Commission (from the implementing decision (EU) 2021/914 of June 4, 2021) are regularly the basis for the transfer. Insofar as the transfer in this context is made to a service provider acting as a processor for us, Module Two (transfer from controllers to processors) of the standard contractual clauses is relevant; insofar as the transfer is made to other third parties, Module One (transfer from controllers to controllers) is relevant.
For more details about these transfers and the transfer mechanisms used with respect to them, please contact us at dataprivacy. @bilfinger.com
5.1 In general
Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
Exceptionally, we may store your personal data longer than shown in this section to the extent necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
5.2 Server logs
We store server logs, including server log data, to investigate incidents and to ensure the security of the website and related systems for a period of 7 to 10 days, after which they are deleted; server logs that must be retained for evidentiary purposes are exempt from deletion until the incident in question is resolved.
5.3 Customer Relationship Management Tool and Contact Forms
We store information that you have provided to us via contact forms on our website and that is fed into our customer relationship management tool for up to 2 years from the point in time at which no further interaction (e.g. sending of mails, further contact) has taken place.
If, exceptionally, information from contact forms is not fed into our customer relationship management tool via API interface, the information provided is usually deleted in a cycle of 6 months.
5.4 Consent Management
We store information about whether you have consented to the provision of certain services on our website (where required) for up to 365 days.
5.5 Newsletter
In connection with newsletters, your personal data that you actively provided when subscribing to the newsletter is regularly stored for as long as the newsletter subscription is active. Documentation regarding your consent to receive newsletters is usually stored for up to three years after the calendar year in which the consent was withdrawn.
5.6 Website analysis
The data generated via the website analysis is stored by us exclusively in a non-personal manner.
5.7 Cookies
Cookies that you do not delete yourself expire after the period of time specified in the "Privacy Setting"; this can be accessed by clicking on the checkmark icon displayed on the website at the bottom left of the browser.
III. Special information for people who interact with Bilfinger via social media
The following provides information about how we process the personal data of individuals who interact with us through social media.
We have a presence on (i) LinkedIn, (ii) YouTube, (iii) Twitter, (iv) Instagram, (v) Xing and (vi) Facebook.
The providers of these social media process information about how you interact with our corporate presence on the respective network and data that you provide in your respective profile. The providers aggregate this data and provide it to us as statistics; however, you are not identifiable from these statistics. These statistics help us better understand trends and demographics of the groups of people who interact with our corporate presence.
The social network providers are the following companies:
- LinkedIn: LinkedIn Ireland Unlimited Company ("LIUC"), Wilton Place, Dublin 2, Ireland
In connection with the processing of your personal data to produce the statistics, we and LIUC are joint data controllers. In this context, we and LIUC have entered into a joint controllership arrangement (available here). Pursuant to this arrangement, LIUC assumes compliance with the data protection obligations that exist in connection with the provision of the statistics. This includes the fulfillment of all rights you have as a user of LinkedIN. These are, for example, your rights to information, disclosure, deletion and objection. LIUC will also ensure that any existing notification obligations due to personal data breaches (such as towards authorities or you) are fulfilled. LIUC will therefore also ensure that LinkedIn members are informed about the processed data.
Information about LIUC's processing of your personal data when using LinkedIn can be found in LIUC's privacy notice, which is available here. You can view the user agreement for LinkedIn here.
- YouTube: Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland
Information about Google's processing of your personal data when using YouTube can be found in Google's privacy notice, which is available here. You can view the terms of service for YouTube here.
- Twitter: Twitter International Unlimited Company ("TIUC"), One Cumberland Place, Fenian Street Dublin 2, Ireland
Information about TIUC's processing of your personal data when using Twitter can be found in Twitter's privacy notice, which is available here. You can view the Twitter user agreement here.
- Instagram: Meta Platforms Ireland Limited ("Meta"), 4 Grand Canal Square, Dublin 2, Ireland
Information about Meta's processing of your personal data when using Instagram can be found in Meta's privacy notice, which is available here. You can view the terms of use for Instagram here.
- Xing: New Work SE, Am Strandkai ("NW"), 20457 Hamburg, Germany
Information on the processing of your personal data by NW when using Xing can be found in NW's privacy notice, which is available here. You can view the general terms and conditions for the use of XING here.
- Facebook: Meta Platforms Ireland Limited ("Meta"), Block J, Serpentine Avenue, Dublin 4, Ireland
In connection with the processing of your personal data to produce the statistics, we and Meta are joint controllers. In this context, we and Meta have entered into a joint controllership arrangement (available here). Thereafter, we and Meta have agreed that Meta is obligated to enable data subjects' rights under Articles 15 to 20 of the GDPR (in particular, the right of access, the right of rectification, the right of erasure, the right to restrict processing and the right to object) with respect to personal data stored by Meta after joint processing. You may exercise your rights in relation to the processing of your personal data towards Meta.
Under this arrangement, we are also required to inform you of the following: Meta relies on the legal basis of "legitimate interests" (Art. 6 (1) (f) GDPR) for the processing of your personal data in connection with the statistics.
Information about Meta's processing of your personal data when using Facebook, in particular Meta's contact details and the contact details of Meta's designated data protection officer, as well as your rights vis-à-vis Meta, can be found in Meta's privacy notice, which is available here. You can view the terms of service for Facebook here.
We collect your personal data when you interact with us via social media. The categories of personal data we process in the course of such interaction depend on the platform used. Among others, this may involve the following categories of personal data:
- Identification data (if you contact us via social media): such as your first and last name;
- Contact details (if you contact us via social media): such asyour email address and phone number;
- Communication data (if you contact us via social media): such as the company you work for or on whose behalf you are contacting us, the country you are in, and the content of your message;
- Social media activity data, such as your IP address, your behavior on social media, information about the device you are using, browser language, the date, time and duration of your visit to social media;
- Location information, such asgeneral information about your location (e.g. time zone, city/state and/or zip code in conjunction with your IP address).
2.1 General
We process your personal data for the purposes listed in the table below. In doing so, we rely on the legal bases listed in the table. Where relevant, the legitimate interest we pursue with the processing is also listed. In principle, the following legal bases are relevant:
- performance of a contract (including processing necessary to take steps at your request prior to entering into a contract) (Art. 6 (1) (b) GDPR;
- Compliance with legal obligations (Art. 6 (1) (c) GDPR);
- Legitimate interests (Art. 6 (1) (f) GDPR);
- Consent (Art. 6 (1) (a), Art. 7 GDPR).
Processing purposes | Legal basis | Legitimate interests (as far as relevant) | Categories of personal data |
Provision of a corporate presence in social media | Legitimate interest | There is a legitimate interest in providing and maintaining (legally compliant) presences in social media in order to present the Bilfinger group and its services and content on the Internet. | Social media activity data |
Contacting you and providing you with information you have requested | Fulfillment of a contract or, if you are not our contractual partner, legitimate interests | There is a legitimate interest in responding to your contact. | Identification data, contact data, communication data |
Improving our services, products and our corporate presences in social media | Legitimate interests | There is a legitimate interest in improving our services, products and social media presence in order to further develop our business. | Social media activity data |
Collection and use of statistical information on the use of company presences in social media | Legitimate interests | There is a legitimate interest in analyzing the use of the social media presences in order to improve them. | Social media activity data, location information |
Marketing communications (such as newsletters) | Consent or, to the extent permitted by law, legitimate interests | There is a legitimate interest in advertising products and/or services. | Contact data, identification data |
Interaction via social media | Legitimate interests | There is a legitimate interest in interacting with followers and other interested parties via social media in order to present the Bilfinger group and its services on the Internet. | The categories of personal data depend on the platform used. In particular, the following categories are concerned: Contact data, identification data, other information that you provide to us as part of the interaction via social media. |
Implementation of sweepstakes | Performance of a contract | - | Personal data necessary for the implementation of the sweepstake and provided by the user, as well as data collected by the social network (identification data, location information, other information relevant to the implementation of the sweepstake). |
Safeguarding our rights | Legitimate interests | There is a legitimate interest in asserting, exercising and/or defending legal claims. | Identification data, contact data, messaging data, social media activity data, location information. |
Compliance with legal obligations (e.g. from tax law) | Fulfillment of legal obligations | - | Identification data, contact data, communication data, social media activity data, location information. |
Execution of corporate transactions (e.g. reorganization, merger, sale, sale of assets, joint venture) | Legitimate interests | There is a legitimate interest in effectively disposing of our assets and making commercially reasonable decisions about the development of our business. | Identification data, contact data, messaging data, social media activity data, location information. |
For the processing purposes listed above, it may be necessary to transmit data to other companies of the Bilfinger Group | Consent, insofar as consent is used as a legal basis for the relevant processing activity, otherwise legitimate interests | There is a legitimate interest in transferring data within the Bilfinger group for internal administrative purposes. | The categories of personal data correspond to those listed for the respective processing purpose. |
2.2 Analysis of usage behavior in social media
The social media providers process information about how you interact with our corporate presence on the respective network and data that you provide in your respective profile. The providers aggregate this data and provide it to us as statistics; however, you are not identifiable from this aggregated data. These statistics help us better understand trends and demographics of the groups of people who interact with our company presence. Details about our corporate presences on social media and the respective providers can be found in section 1.
Processing purposes | Legal basis | Legitimate interests (as far as relevant) | Categories of personal data |
Placement of advertisements | Legitimate interests | There is a legitimate interest in evaluating the use of the presences on social media in order to play out advertising as targeted as possible. Furthermore, there is a legitimate interest in advertising products and/or services. | The categories of personal data depend on the platform used. In particular, the following categories are concerned: social media activity data, identification data, contact data, communication data, location information. |
2.3 Social media
The connection with our channels on social media and those of other companies of the Bilfinger group, we ask you to consult the privacy notices of the respective platform if you would like to learn more about the processing of your personal data on these platforms.
3.1 We may share your personal data with service providers who process personal data on our behalf and based on our instructions as so-called processors in order to provide their services to us:
Consent management provider (in the EU)
Provider for sending newsletters (in the EU)
3.2 We may share your personal information with the following third parties:
Other Bilfinger group companies to the extent necessary for internal administrative purposes;
Authorities, courts and consultants (e.g. lawyers, auditors), insofar as we are legally obliged to do so, or this is necessary to safeguard our rights
Relevant third parties in the context of a corporate transaction, to the extent required for a transaction
The recipients of your personal data (see section 3) may be located in a country outside the European Union / European Economic Area. To the extent that the relevant country has not been recognized by the European Commission - by means of an adequacy decision - as a country where personal data are adequately protected, we will only transfer your personal data to such countries to the extent that another mechanism of Art. 44 et seq. GDPR justifies the transfer (e.g. standard contractual clauses) or an exception under Art. 49 GDPR applies. Additional measures are taken / agreed upon to the extent necessary to ensure adequate protection for the personal data. A list of adequacy decisions can be found here.
If there is no adequacy decision, the standard contractual clauses of the European Commission (from the implementing decision (EU) 2021/914 of June 4, 2021) are regularly the basis for the transfer. Insofar as the transfer in this context is made to a service provider acting as a processor for us, Module Two (transfer from controllers to processors) of the standard contractual clauses is relevant; insofar as the transfer is made to other third parties, Module One (transfer from controllers to controllers) is relevant.
For more details about these transfers and the transfer mechanisms used with respect to them, please contact us at dataprivacy. @bilfinger.com
Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
Exceptionally, we may store your personal data longer than shown in this section to the extent necessary to comply with a legal obligation or to assert, exercise or defend legal claims.
5.1 Newsletter
In connection with newsletters, your personal data that you actively provided when subscribing to the newsletter is regularly stored for as long as the newsletter subscription is active. Documentation regarding your consent to receive newsletters is usually stored for up to three years after the calendar year in which the consent was withdrawn.
5.2 Analysis of usage behavior in social media
The data generated via the analysis is collected and stored by us exclusively in a non-personal manner.
IV. Special information for business partners
The following provides information about the processing of personal data of business partners, i.e. for persons who have a business relationship with us, including but not limited to representatives and employees of customers, suppliers, service providers and external consultants.
We collect personal data either directly from you or may receive it from your employer/client, who provides it to us for the purpose of handling the business relationship with them (e.g. for contacting you).
In particular, these are the following categories of personal data:
- Identification data: such as your first and last name;
- Contact and administrative data: such asyour professional email address and professional telephone number; the company you work for, your position and activity in such company, your business relationship with us, the country in which you are located;
- Communication data such as the content of communications between you and us
- Payment data such as payment targets, bank details and other information required to process payments.
We process your personal data for the purposes listed in the table below. In doing so, we rely on the legal bases listed in the table. Where relevant, the legitimate interest we pursue with the processing is also listed. In principle, the following legal bases are relevant:
- performance of a contract (including processing necessary to take steps at your request prior to entering into a contract) (Art. 6 (1) (b) GDPR;
- Compliance with legal obligations (Art. 6 (1) (c) GDPR);
- Legitimate interests (Art. 6 (1) (f) GDPR);
- Consent (Art. 6 (1) (a), Art. 7 GDPR).
Processing purposes | Legal basis | Legitimate interests (as far as relevant) | Categories of personal data |
Performance of a contract (or for the performance of pre-contractual measures) with (i) you or (ii) your employer/client (including management of the relevant business relationship, contacting and communication). | (i) performance of a contract; or (ii) legitimate interests (if your employer/client has entered into or intends to enter into a contract with us). | There is a legitimate interest in efficiently and productively executing the contract between us and your employer/client. | Identification data, contact and administrative data, communication data |
Payment processing if you are our contractual partner and receive payments from us | Performance of a contract | - | Identification data, contact and administrative data, payment data |
Fraud prevention | Legitimate interests | There is a legitimate interest in preventing fraud to protect our assets and those of our (other) business partners. | Identification data, contact and administrative data, communication data |
Marketing communications (such as newsletters) | Consent | - | Identification data, contact and administrative data |
Safeguarding our rights | Legitimate interests | There is a legitimate interest in establishing, exercising and/or defending legal claims. | Identification data, contact and administrative data, communication data, payment data |
Compliance with legal obligations (e.g. from tax law) | Fulfillment of legal obligations | - | Identification data, contact and administrative data, communication data, payment data |
Execution of corporate transactions (e.g. reorganization, merger, sale, sale of assets, joint venture) | Legitimate interests | There is a legitimate interest in effectively disposing of our assets and making commercially reasonable decisions about the development of our business. | Identification data, contact and administrative data, communication data, payment data |
For the processing purposes listed above, it may be necessary to transfer data to other companies of the Bilfinger group. | Consent, insofar as consent is used as a legal basis for the relevant processing activity, otherwise legitimate interests | There is a legitimate interest in transferring data within the Bilfinger group for internal administrative purposes. | The categories of personal data correspond to those listed for the respective processing purpose. |
If your personal data is not made available to us, we may not be able to (fully) carry out the business relationship with you or your employer or client.
3.1 We may share your personal data with service providers who process personal data on our behalf and based on our instructions as so-called processors in order to provide their services to us:
- Customer relationship management tool provider (in the EU)
- Provider for sending newsletters (in the EU)
3.2 We may share your personal information with the following third parties:
- Other Bilfinger group companies to the extent necessary for internal administrative purposes;
- Authorities, courts and consultants (e.g. lawyers, auditors), insofar as we are legally obliged to do so, or this is necessary to protect our rights
- Relevant third parties in the context of a corporate transaction, to the extent required for a transaction
The recipients of your personal data (see section 3) may be located in a country outside the European Union / European Economic Area. To the extent that the relevant country has not been recognized by the European Commission - by means of an adequacy decision - as a country where personal data are adequately protected, we will only transfer your personal data to such countries to the extent that another mechanism of Art. 44 et seq. GDPR justifies the transfer (e.g. standard contractual clauses) or an exception according to Art. 49 GDPR applies. Additional measures are taken / agreed upon to the extent necessary to ensure adequate protection for the personal data. A list of adequacy decisions can be found here.
If there is no adequacy decision, the standard contractual clauses of the European Commission (from the implementing decision (EU) 2021/914 of June 4, 2021) are regularly the basis for the transfer. Insofar as the transfer in this context is made to a service provider acting as a processor for us, Module Two (transfer from controllers to processors) of the standard contractual clauses is relevant; insofar as the transfer is made to other third parties, Module One (transfer from controllers to controllers) is relevant.
For more details about these transfers and the transfer mechanisms used with respect to them, please contact us at dataprivacy. @bilfinger.com
Your personal data is regularly deleted as soon as it is no longer required to achieve the purpose for which it was collected. The personal data is therefore usually deleted at the latest when the contractual relationship with you or your employer/client has ended, and the applicable limitation periods have expired.
The personal data of new leads that we have entered into our Customer Relationship Management tool will initially be checked within 28 days to determine whether it is still required for the purposes set out in section 2 above. If this check does not lead us to the conclusion that the personal data is required for this purpose, it will be deleted within four weeks of the expiry of these 28 days. This review will be repeated every three years thereafter and if we do not conclude within 28 days during this review that the personal data is still necessary, it will be deleted.
The personal data of contacts that we have entered into our customer relationship management tool are reviewed every ten years to determine whether they are still required for the purposes described in section 2 above. If we do not conclude within 28 days during this review that the personal data is still necessary, it will be deleted.
We retain e-mails for as long as they are needed for our operational purposes.
Insofar as personal data is processed on the basis of consent, we generally delete this data when the consent is withdrawn. The documentation relating to such consent is regularly stored for up to three years after the calendar year in which the consent was withdrawn.
Exceptionally, we may store your personal data for a longer period of time to the extent necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
V. Amendment of this privacy notice
We reserve the right to amend or change this privacy notice at any time to ensure compliance with applicable laws. Please check regularly to see if this privacy notice has changed.
This privacy notice was last amended in June 2023.