Privacy Policy  Guideline Privacy Policy Directive

The Wirz Transport AG

Objective of the Privacy Policy Directive

The Wirz Transport AG commits itself to social responsibility within the framework of legal data protection law. This Privacy Policy Directive applies to all Wirz Transport AG branches and is based on accepted basic principles of data protection.

The protection of privacy is a basis for trustworthy business relationships.

We define our own additional data protection objectives as a self-commitment. These include, among other things:

  • Unconditional compliance with the requirements of the EU Data Protection Regulation by the entire workforce
  • Strict obligation to secrecy and confidentiality
  • Data protection compliant workplace design
  • Unconditional protection against data insight by unauthorized persons

Scope and Amendment of the Privacy Policy Directive

This Privacy Policy Directive is based on the requirements of the EU General Data Protection Regulation and the related national laws.

This Privacy Policy Directive applies to the entire Wirz Transport AG at all locations.

The latest version of the Privacy Policy Directive can be accessed on the website of Wirz Transport AG (www.wirztransport.com).

Principles for the Processing of Personal Data

Fairness and Legality

When processing personal data, the informational self-determination right of the person concerned must be preserved. Personal data must be collected and processed in a lawful manner.

Purpose Limitation

The processing of personal data may only pursue the purposes determined before the collection of the data. Subsequent changes to the purposes are only possible to a limited extent and require justification.

Transparency

The person concerned must be informed about the handling of their data. In principle, personal data must be collected from the person concerned themselves. When collecting the data, the person concerned must be able to recognize or be informed about:

  • The identity of the responsible body
  • The purpose of the data processing
  • The storage periods
  • Third parties or categories of third parties to whom the data will be transmitted

Data Avoidance and Data Economy

Before processing personal data, it must be checked whether and to what extent this is necessary to achieve the purpose of the processing.

Erasure and Storage Limitation

Personal data that are no longer required after the expiry of statutory or business-process-related storage periods must be deleted. If there are indications of legitimate interests or of a historical significance of these data, the data must be stored further until the legitimate interest is legally clarified.

Material Accuracy and Data Actuality

Personal data must be correct, complete and – if necessary – up to date. Appropriate measures must be taken to ensure that non-applicable, incomplete or outdated data are deleted, corrected, supplemented or updated.

Confidentiality and Data Security

Personal data are subject to data secrecy.

They must be treated confidentially in personal dealings and secured by appropriate organizational and technical measures against unauthorized access, unlawful processing or transmission, as well as against accidental loss, alteration or destruction.

Permissibility of Data Processing

The collection, processing and use of personal data are only permissible if one of the following permissibility requirements is met. Such a permissibility requirement is also required if the purpose for the collection, processing and use of personal data is changed compared to the original purpose definition.

Customer and Partner Data

Data processing for a contractual relationship

If data processing serves to fulfill a contract or pre-contractual measures, the processing is permissible.

Consent to Data Processing

Data processing can take place on the basis of the consent of the person concerned. Before giving consent, the person concerned must be informed in accordance with the Privacy Policy Directive.

Data Processing on the Basis of Legal Permission

The processing of personal data is also permissible if state laws require, presuppose or permit data processing. The type and scope of data processing must be necessary for the legally permissible data processing and must be based on these laws.

Data Processing on the Basis of Legitimate Interest

The processing of personal data can also take place if it is necessary for the realization of a legitimate interest of Wirz Transport AG.


Processing of Special Categories of Data

The processing of special categories of personal data may only take place under certain conditions. Special categories of data are data on racial and ethnic origin, on political opinions, on religious or philosophical beliefs, on trade union membership or on the health or sex life of the person concerned.

Data relating to criminal offenses may also be processed only under special conditions set by national law.

The processing must be explicitly permitted or prescribed by national law. In addition, processing may be permitted if it is necessary for the responsible body to fulfill its obligations and rights under labor law. The employee can also give explicit consent to the processing.

Telecommunication and Internet

Telephone systems, email addresses, intranet and internet are provided by the company primarily for the purpose of performing business tasks. They are work equipment and company resources. They may be used within the framework of applicable laws and company-internal guidelines.

A general monitoring of telephone and email communication or intranet and internet use takes place. To defend against attacks on the IT infrastructure or on individual users, protective measures have been implemented at the interfaces to the Wirz network, which block technically damaging content or analyze patterns of attacks. For security and traceability reasons, the use of telephone systems, email addresses, intranet and internet is logged.

Personal data evaluations of these data may only be carried out in the event of a concrete, justified suspicion of a breach of laws or guidelines of Wirz Transport AG. These controls may only be carried out while maintaining the principle of proportionality.


Employee Data

Data Processing for the Employment Relationship

For the employment relationship, personal data may be processed that are necessary for the establishment, implementation and termination of the employment contract.

When initiating an employment relationship, personal data of applicants may be processed. After rejection, the applicant's data must be deleted, taking into account statutory periods of proof, unless the applicant has given consent to further storage for a later selection process or application procedure.

In the existing employment relationship, data processing must always be related to the purpose of the employment contract, unless one of the following permissibility requirements applies to data processing.

If, during the initiation of the employment relationship or in the existing employment relationship, it is necessary to collect further information about the applicant from a third party, the respective national statutory requirements must be taken into account. In case of doubt, the consent of the person concerned must be obtained.


Data Processing on the Basis of Legal Permission

The processing of personal employee data is also permissible if state laws require, presuppose or permit data processing. The type and scope of data processing must be necessary for the legally permissible data processing and must be based on these laws.

If there is a legal scope for action, the legitimate interests of the employee must be taken into account.


Consent to Data Processing

The processing of employee data can take place on the basis of the consent of the person concerned. Declarations of consent must be given voluntarily. Involuntary declarations of consent are ineffective. The declaration of consent is to be obtained in principle in writing or electronically. If the circumstances do not permit this, the consent can be given orally, for example by telephone. If the person concerned provides data voluntarily and in an informed manner, consent can be assumed.


Data Processing on the Basis of Legitimate Interest

The processing of personal employee data can also take place if it is necessary for the realization of a legitimate interest of Wirz Transport AG.

Legitimate interests are usually of a legal or economic nature.

Processing of personal data on the basis of a legitimate interest may not take place if there is an indication in individual cases that the legitimate interests of the employee outweigh the interest in processing. The existence of legitimate interests must be examined for each processing operation.

Control measures that require the processing of employee data may only be carried out if there is a legal obligation to do so or if there is a justified reason. Even if there is a justified reason, the proportionality of the control measure must be examined. The legitimate interests of the company in carrying out the control measure (e.g. compliance with legal provisions and company-internal rules) must be weighed against a possible legitimate interest of the employee concerned in excluding the measure, and the measures must only be carried out if they are appropriate. The legitimate interest of the company and the possible legitimate interests of the employees must be determined and documented before each measure. Additionally, any existing national laws and company regulations must be observed.


Processing of Special Categories of Data

Special categories of personal data may only be processed under certain conditions. Special categories of data are data on racial and ethnic origin, on political opinions, on religious or philosophical beliefs, on trade union membership or on the health or sex life of the person concerned.

Data relating to criminal offenses may also be processed only under special conditions set by national law.

The processing must be explicitly permitted or prescribed by national law. In addition, processing may be permitted if it is necessary for the responsible body to fulfill its obligations and rights under labor law. The employee can also give explicit consent to the processing.

Telecommunication and Internet

Telephone systems, email addresses, intranet and internet are provided by the company primarily for the purpose of performing business tasks. They are work equipment and company resources. They may be used within the framework of applicable laws and company-internal guidelines.

A general monitoring of telephone and email communication or intranet and internet use takes place. To defend against attacks on the IT infrastructure or on individual users, protective measures have been implemented at the interfaces to the Wirz network, which block technically damaging content or analyze patterns of attacks. For security and traceability reasons, the use of telephone systems, email addresses, intranet and internet is logged.

Personal data evaluations of these data may only be carried out in the event of a concrete, justified suspicion of a breach of laws or guidelines of Wirz Transport AG. These controls may only be carried out while maintaining the principle of proportionality.


Transmission of Personal Data

The transmission of personal data to recipients outside Wirz Transport AG or to recipients within Wirz Transport AG is subject to the permissibility requirements for the processing of personal data. The recipient of the data must be obligated to use the data only for the purposes specified.


In the event of data transmission to a recipient outside Wirz Transport AG in a third country, the latter must ensure a level of data protection equivalent to this Privacy Policy Directive. This does not apply if the data transmission is based on a legal obligation.

In the event of data transmission from third parties to Wirz Transport AG, it must be ensured that the data may be used for the intended purposes.

Contract Data Processing

Contract data processing exists when a contractor is commissioned with the processing of personal data without being entrusted with the responsibility for the associated business process. In these cases, an agreement on contract data processing must be concluded with external contractors.

In doing so, the commissioning company retains full responsibility for the proper implementation of the data processing. The contractor may only process personal data within the framework of the instructions of the client. When awarding the contract, the following requirements must be observed; the responsible department must ensure their implementation.

  • The contractor is to be selected based on its suitability to ensure the necessary technical and organizational measures to protect personal data.
  • The contract is to be awarded in writing. The instructions for data processing and the responsibilities of the client and the contractor are to be documented.
  • The client must convince itself before the start of data processing that the contractor complies with its obligations. The contractor can demonstrate compliance with the data security requirements in particular by presenting a suitable certification. Depending on the risk of data processing, control may need to be repeated regularly during the contract period.
  • Recognition of binding company rules of the contractor for creating an adequate level of data protection by the competent data protection supervisory authorities.

Rights of the Person Concerned

Every person concerned can assert the following rights. Their assertion is to be processed immediately by the responsible department and may not result in any disadvantages for the person concerned.


  • The person concerned can request information about which personal data of which origin are stored about him for what purpose. If, within the employment relationship, further rights of access to documents of the employer are provided for by the respective labor law, these remain unaffected.
  • If personal data are transmitted to third parties, information must also be provided about the identity of the recipient or the categories of recipients.
  • If personal data are incorrect or incomplete, the person concerned can demand their correction or completion.
  • The person concerned is entitled to object to the processing of their personal data for purposes of advertising or market or opinion research. For these purposes, the data must be blocked.
  • The person concerned is entitled to demand the erasure of their data if the legal basis for the processing of the data is lacking or has ceased to apply. The same applies if the purpose of the data processing has ceased to apply due to the passage of time or for other reasons. Existing retention obligations and legitimate interests that preclude erasure must be taken into account.
  • The person concerned has a general right to object to the processing of their data, which must be taken into account if their legitimate interest, due to a particular personal situation, outweighs the interest in processing. This does not apply if a legal regulation obliges the processing.

Confidentiality of Processing

Personal data are subject to data secrecy. Unauthorized collection, processing or use is prohibited for employees.


Unauthorized is any processing that an employee carries out without being entrusted with it within the framework of their tasks and being correspondingly authorized. The need-to-know principle applies: employees may only have access to personal data if and to the extent that this is necessary for their respective tasks. This requires the careful division and separation of roles and responsibilities as well as their implementation and maintenance within the framework of authorization concepts.


Employees are not allowed to use personal data for their own private or business purposes, to transmit them to unauthorized persons or to make them accessible to them in any other way.

Security of Processing

Personal data must be protected at all times against unauthorized access, unlawful processing or transmission, as well as against loss, alteration or destruction. This applies regardless of whether the data processing is carried out electronically or in paper form. Before introducing new data processing procedures, in particular new IT systems, technical and organizational measures must be defined and implemented to protect personal data.


The technical and organizational measures for protecting personal data are part of the company-wide information security and data protection management and must be continuously adapted to technical developments and organizational changes.

Data Protection Control

Compliance with the guidelines on data protection and the applicable data protection laws is regularly reviewed through data protection audits and other controls.

The results of the data protection controls are to be communicated to the company management.


Data Protection Incidents

Every employee should report cases of violations of this Privacy Policy Directive or other regulations for the protection of personal data to the management immediately.

In cases of

  • unlawful transmission of personal data to third parties
  • unlawful access by third parties to personal data, or
  • loss of personal data

the company management or the data protection officer must be informed immediately, so that existing reporting obligations for data protection incidents under national law can be fulfilled.

Responsibilities and Sanctions

The company management is responsible for the legally compliant processing of personal data.

It is obliged to ensure that the statutory requirements and the requirements contained in the Privacy Policy Directive are complied with.

The implementation of these requirements lies within the responsibility of the responsible employees. In the event of data protection controls by authorities, the data protection officer is to be informed immediately.


The data protection officer is the local contact person for data protection. He can carry out controls and has to familiarize the employees with the contents of the Privacy Policy Directive. The company management is obliged to support the data protection officer in his activity.


The company management must ensure that its employees are trained to the necessary extent on data protection. Misuse of personal data or other violations of data protection law can be prosecuted under criminal law in many countries and may result in claims for damages.

Violations for which individual employees are responsible can lead to labor law sanctions.

The Data Protection Officer

The data protection officer, as an internally independent, professionally independent body, works towards compliance with the data protection regulations.

He is responsible for monitoring compliance with the data protection guidelines.

The data protection officer must inform the company management in good time about data protection risks.

Every person concerned can contact the data protection officer with suggestions, inquiries, requests for information or complaints in connection with questions of data protection or data security. Inquiries and complaints will be treated confidentially on request.

The data protection officer:

Mr. Giuseppe Sestito Tel. +49 7731 797 140

Email: giuseppe.sestito@wirztransport.com

Enactment

This document is reviewed annually and as needed for completeness and timeliness.

Changes to this document are the responsibility of the person responsible for data protection management.

This document is to be made available to all employees.


Antonio Ruberto

Managing Director, WIRZ TRANSPORT AG, 27.03.2018