Data protection notice for employees (H_TE_DE)

August 2025 

 

This data protection notice applies to the processing of your personal as an employee with us. 

 

1  Data Controller 

The data controller is  

Technoform Caprano + Brunnhofer GmbH 
Friedrichsplatz 8 
34117 Kassel, Germany 

Phone: +49 561-9583-200 
Email: info [at] technoform [dot] com (info[at]technoform[dot]com) 

For any questions regarding data protection, feel free to contact us at any time using the contact details mentioned above. 

 

2. Purpose and legal basis 

We process your data on the basis of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and all other laws relevant to us in terms of data protection. 

2.1 Employment relationship 

We store information about our employees that is necessary for the HR administration and remuneration process: 

  • master data and contact details, 
  • health data,
  • remuneration data,
  • social security data,
  • family related information,
  • job application data,
  • contract data,
  • time recording information,
  • training and qualification information,
  • travel data. 

The data is processed on the basis of Art. 6 (1) lit. b GDPR. Without the provision of the required data, it is not possible to carry out and manage the employment relationship. In addition, we may also be legally obliged to process personal data. In this case, data processing is carried out on the basis of Art. 6 (1) lit. c GDPR. If special categories of personal data within the meaning of Art. 9 GDPR are processed (e.g., health data), the legal basis is § 26(3) BDSG or Art. 9(2)(b) GDPR in conjunction with Art. 6(1)(b) GDPR. 

Data processing may also be necessary to ensure occupational safety, to defend against breaches of employment contract obligations or to carry out occupational reintegration management. If you use our corporate pension scheme, personal data will also be processed for this purpose. 

Personal data of employees is generally stored for the duration of the employment relationship and with respect to all existing statutory retention periods. Special regulations may apply to certain processing areas.  

Provided statutory retention obligations do not apply, personal data may be deleted if its further processing is no longer necessary to carry out and to manage the employment relationship. 

2.2 Microsoft 365 

We use Microsoft 365 for internal data processing and management, as well as for communication with customers and business partners. In this context, the credentials and professional contact details of employees are stored in this system. The legal basis for this is our legitimate interest in accordance with Art. 6 (1) (f) GDPR to organize the data management and collaboration within the company.  

On a voluntary basis and at your discretion, you have the option to provide a profile picture, further contact details and private information in your Microsoft Profile. If you do this, we will consider this to be your consent in accordance with Art. 6 (1) (a) GDPR. You can revoke this consent at any time. To do so, you can delete the data provided by yourself. Feel free to contact us for support.  

Please note, that apart from your direct colleagues, employees of other group companies, customers, and business partners will also have access to the above data. 

2.3 IT-Security 

As part of our security measures, we maintain various log protocols in IT systems. These are used for troubleshooting purposes and to provide evidence of data collection, modification, and deletion. The following data is logged here for: 

  • device data,
  • access data,
  • user data. 

The legal basis for this processing is, on the one hand, our legitimate interest pursuant to Art. 6 (1) (f) GDPR in the secure operation of IT systems and, on the other hand, legal requirements pursuant to Art. 6 (1) (c) GPDR to ensure the integrity, confidentiality, and availability of data (accountability obligation). 

Log data for IT security is generally deleted after 90 days at the latest. Log data in connection with accountability evidence is deleted in accordance with the applicable statutory requirements. In cases of reasoned concern, data may also be retained until the matter has been clarified. 

In this context, please also refer to our Data protection notice for Falcon Complete from Crowdstrike. 

2.4 Access control 

As part of our security measures, the office premises are equipped with an automatic access control system. The following data is logged for this purpose: 

  • transponder data,
  • names,
  • arrival and departure times. 

The legal basis for this processing is, on the one hand, our legitimate interest pursuant to Art. 6 (1) (f) GDPR in securing our office premises and, on the other hand, legal requirements pursuant to Art. 6 (1) (c) GDPR to ensure the integrity, confidentiality, and availability of data (accountability). 

2.5 Publications 

We process the following categories of personal data as part of our internal and external corporate communications: 

  • credentials,
  • contact details,
  • image and video recordings,
  • any other information you may provide. 

The personal data concerning you will be processed for the purpose of public relations and advertising Technoform products and services on the basis of your voluntary consent in accordance with Art. 6 (1) (a) GDPR. Your images and videos or other information about you may be used in internal or external communications on our website, intranet, in publications, brochures and information folders, on posters, at trade fairs and on the internet, including the social media channels of the Technoform Group.  

Data that we use for public relations and advertising purposes is generally only processed for as long as it is necessary for the purposes stated. Although we actively distribute the data to a limited extent only, the content may remain available online after the end of the advertising campaign (e.g., on social media). We also archive the content and delete it after the end of the statutory retention periods. Furthermore, deletion will take place if you revoke your consent. 

2.6 Health promotion 

As part of our employee welfare program, we work with various partners, such as gyms, bicycle leasing companies, etc. The following data is processed for this purpose: 

  • names,
  • addresses,
  • contact details,
  • birth dates,
  • contract details. 

The legal basis for this processing is Art. 6 (1) (b) GDPR. The data will be deleted after the expiry of the statutory retention obligations. 

In this context, we cooperate with Hansefit GmbH for gym memberships. We process personal data in joint responsibility in accordance with Art. 26 GDPR. Hansefit GmbH acts as an intermediary for gym memberships and take over billing with the gym providers. For further information on joint responsibility with Hansefit GmbH please refer to https://hansefit.de/datenschutz/kunde/

 

3  Recipients of personal data 

We will only pass on your data to third parties if this should become necessary for the fulfilment of the purpose. Furthermore, data may be transferred to authorities and social security institutions on the basis of legal provisions in accordance with Art. 6 (1) (c) and (e) GDPR. Data may also be transferred to customers and other business partners to the extent necessary for operational purposes. 

For the purposes of our bookkeeping, payroll accounting, balancing, and other tax-related matters, the data relevant and necessary for operational purposes is transferred to our external tax advisor. In various cases we engage processors in accordance with Art. 28 GDPR, who may receive data from us or have access to your data in connection with their service. In this context, data transfers outside the EU may also take place. In doing so, we make sure that there is either an EU adequacy decision for the destination country in question in accordance with Art. 45 GDPR or that we have concluded a contract with the service providers concerned on the basis of the standard data protection clauses in accordance with Art. 46 (2) (c) GDPR (https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en). 

 

4  Your rights 

You have the following rights against us in relation to personal data concerning you: 

  • Right to information (Art. 15 GDPR).
  • Right to rectification (Art. 16 GDPR).
  • Right to erasure (Art. 17 GDPR).
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR).
  • Right to object to processing (Art. 21 GDPR).
  • Right to withdraw consent (Art. 7 para. 3 GDPR).
  • Right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). 

 

5  Data protection officer 

We have appointed an external data protection officer: 

Stefan Pietsch 

Contact data: 

Pietsch IT GmbH 
Wilhelmshöher Straße 1 
34590 Wabern 

Phone: +49 5683-923440 
Email: datenschutz [at] pietsch-it [dot] de (datenschutz[at]pietsch-it[dot]de)  
Internet: www.pietsch-it.de 

 

6  Validity and modification of this data protection notice 

This data protection notice is currently valid (see status in the heading). Due to the further development of our offers or due to changes in legal or official requirements, it may become necessary to change this data protection notice.