Data Protection Notice

Data Protection Policy

1. General

Data protection is of particular importance to us. The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation (GDPR) and with the country-specific data protection regulations applicable to us. 
By means of this privacy policy, we are informing you, in accordance with Art. 12, 13 and 21 of the GDPR, about how we handle your personal data when using our website. Likewise, we hereby inform you about your rights.

2. Name and address of the controller

Controller within the meaning of the GDPR:


GBB-Rating Gesellschaft für Bonitätsbeurteilung mbH
Kattenbug 1
50667 Köln

Telephone: +49 221 91 28 97 - 211
Fax : +49 221 91 28 97 - 270

3. Name and address of the data protection officer

Our data protection officer can be reached via:


GBB-Rating Gesellschaft für Bonitätsbeurteilung mbH
- Data Protection Officer -
Telephone: +49 221 91 28 97 - 300


4. Scope of your obligations to provide data

As a matter of principle, you are not obliged to provide us with any personal data. Without certain personal data, however, it is not possible for us to make our website available without errors, to answer your inquiries or to process applications which are not received in paper form.

5. Data collection on our website

5.1 Server log files

Each time our website is accessed, our system automatically collects a series of general data and information and stores this data in so-called server log files:

The following data can be recorded:

(1)   date and time of server request

(2)   IP adress

(3)   host name of the accessing computer

(4)   operating system used

(5)   browser type and browser version

(6)   internet page from which you accessed our website

             (7) other similar data and information used for security purposes in the event of attacks on our information technology systems.

The processing of this data is based on Art. 6 (1) f GDPR, which permits the processing of personal data in order to safeguard the legitimate interest under certain conditions.

This stored information is used to optimize and to correctly deliver the contents of our website as well as to ensure the long-term functionality of our IT systems. This data will not be combined with any of your personal data.

5.2  Cookies

Our Websites sometimes use so-called cookies. Cookies do not harm your computer and do not contain viruses. Cookies are small text files that are stored on your computer and serve to make our website more user-friendly and secure. The cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser the next time you visit our website.

By using the appropriate settings in your browser, you can ensure you are informed about the setting of cookies. Settings can be changed to only allow cookies in individual or specific cases as well as to generally exclude the setting of cookies or activate the automatic deletion of cookies when closing the browser. When you disable cookies, the functionality of this website may be limited.

Cookies required to carry out the electronic communication process or to provide certain desired functions are stored on the basis of Art. 6 (1) f GDPR. Our legitimate interest lies in the storage of cookies for the technically error-free and optimized provision of our services.

5.3 User requests

You are able to contact us using the provided email addresses. In this case, the personal data you provide in the e-mail will be stored. The data will only be stored for the purpose for which you have submitted it to us (answering inquiries, sending documents, etc.). They will be deleted when the respective contact with you has been completed, which means we can assume the original matters have been resolved.

The processing of this data is based on Art. 6 (1) a GDPR.

5.4 Sending application documents

We collect and process personal data of applicants for the purpose of handling the application process. The processing can also be done electronically. This is particularly the case if an applicant submits corresponding application documents to us electronically (e.g. by email). The legal basis for the processing of this personal data arises from Article 88 (1) GDPR in conjunction with Article 26 (3) in Germany's Federal Data Protection Act (BDSG-neu). If the personal data transmitted to us is also partly special personal data (information on religious affiliation, health data, etc.), we will store it on the basis of your consent in accordance with Art. 88 (1) GDPR in conjunction with § 26 (3) BDSG-neu.

If the application leads to a contract of employment with an applicant, the transmitted data will be stored for the purpose of executing the employment relationship in compliance with legal requirements. If no employment contract is concluded with the applicant, the application documents will be deleted three months after notification of the rejection decision, provided that no other legitimate interests of ours are in conflict (e.g. due to a burden of proof in proceedings under the General Equal Treatment Act (AGG).


6. Categories of recipients of your data

In principle, only our employees are aware of your personal data. In addition, other recipients may also gain knowledge of your personal data as far as this is permitted or prescribed by law. These are service providers who perform tasks for us regarding the provision and administration of information technology systems and the website.


7. Third country transfer

A transfer of your personal data to countries outside the European Union (EU) or the European Economic Area (EEA) or to international organizations does not take place.


8. Your rights regarding your data

8.1 Rights of the data subject

If personal data from you is processed, you are a data subject within the meaning of the GDPR and can assert the following rights against us.

8.2 Right to be informed

You are at any time entitled to request confirmation from us as to whether personal data relating to you is being processed by us. If this is the case, you are also entitled to receive information from us pursuant to Art. 15 GDPR about this data and a copy of the data as well as to request the following information regarding your personal data:

(1)       the purposes for which the personal data is processed;

(2)        the categories of personal data being processed;

(3)        the recipients or categories of recipients to whom the personal data relating to you has been or is still being disclosed;

(4)        the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;

(5)        the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;

(6)        the existence of a right of appeal to a supervisory authority;

(7)        all available information on the source of the data if the personal data is not collected from the data subject;

(8)        the use of automated decision-making including profiling in accordance with Article 22 (1) and (4) of the GDPR and, where appropriate, other relevant information;

(9)        the transmission to a third country or to an international organization and the appropriate guarantees in connection with the transfer pursuant to Article 46 of the GDPR.

8.3 Right to rectification

You have the right to rectify and / or complete the personal data stored about you, as far as this information is inaccurate or incomplete.

8.4 Right to erasure

You are entitled to request the deletion of personal data concerning you, if one of the following reasons apply:

(1)        Personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.

(2)        You revoke your consent, on which the processing was based according to Art. 6 (1) a or Art. 9 (2) a GDPR, and there is no other legal basis for processing.

(3)        In accordance with Art. 21 (1) GDPR, you object to the processing and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.

(4)        Your personal data has been processed unlawfully.

(5)        The deletion of your personal data is required to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.

(6)        The personal data concerning you was collected in relation to information society services offered pursuant to Article 8 (1) of the GDPR.

The right to erasure does not exist if the processing is necessary

(1)        to exercise the right of freedom of expression and information;

(2)        to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of official authority that has been granted to the controller;

(3)        for reasons of public interest in the field of public health pursuant to Art. 9 (2) h and i as well as Art. 9 (3) GDPR;

(4)        for archival purposes of public interest, scientific or historical research purposes or for statistical purposes according to Article 89 (1) of the GDPR, in so far as the aforementioned law is likely to render it impossible or seriously impair the attainment of the objectives of this processing, or

(5)        to assert, exercise or defend legal claims.

8.5 Right to restriction of processing

You are entitled to request us to restrict the processing of your personal data if any of the following conditions apply:

(1)         The accuracy of your personal data is contested by you for a period of time that enables us to verify the accuracy of your personal data.

(2)         The processing is unlawful and you oppose erasure of the personal data and instead request that the use of your personal data be restricted.

(3)         We no longer need the personal data for the purposes of processing; however, you need the information to assert, exercise or defend a legal claims.

(4)         You have filed an objection to the processing pursuant to Art. 21 (1) GDPR and it is not yet clear whether our legitimate reasons prevail over yours.

If the processing of personal data concerning you has been restricted, this data may only be processed - apart from storage, with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or on the grounds of important public interests of the Union or of a Member State.

8.6 Right to data portability

You have the right to receive all data concerning you that you provided us with, in a structured, conventional and machine-readable format. In addition, you are entitled to transfer this data to another controller without hindrance by us if

(1)           the processing is based on consent in accordance with Art. 6 (1) a GDPR or
Art. 9 (2) a GDPR or on a contract pursuant to Art. 6 (1) b GDPR and

(2)           the processing is carried out by means of automated methods.

In exercising this right, you also have the right to request that your personal data is transmitted directly from us to another controller, insofar as this is technically feasible. Freedoms and rights of other persons must be respected and are not to be affected by this.

8.7 Right to object

You have the right to object at any time, based on compelling legitimate grounds related to your particular situation, to the processing of your personal data, pursuant to Art. 6 (1). e GDPR (data processing in the public interest) or Art. 6 (1) f GDPR (data processing on the basis of a balance of interest); this also applies to profiling based on these provisions.

We will no longer process your personal data in the event of an objection, unless we can verify compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of this personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.

If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Regardless of Directive 2002/58 / EC, you have the possibility, in connection with the use of information society services, to exercise your right to object by means of automated procedures using technical specifications.

8.8 Right to revoke the data protection declaration of consent

You have the right to revoke your given consent to the processing of personal data at any time with effect for the future. The revocation shall not affect the legality of the processing carried out on the basis of the consent until revocation.


9 Right to appeal to a supervisory authority

If you believe that the processing of your personal data is contrary to the GDPR, you have the right to lodge a complaint to a supervisory authority, in particular in the Member State of your place of residence, employment or the location of the alleged infringement. This right to appeal is without prejudice to any other administrative or judicial remedy.

The supervisory authority responsible for our company can be reached at

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4
Postfach 20 04 44
40102 Düsseldorf  
Telephone: 0211 / 38424-0
Fax: 0211 / 38424-10


10 Automated decision-making / profiling

Automated decision-making or profiling (automated analysis of personal data in light of personal aspects) does not take place.

11 Amendments

We reserve the right to make amendments to this Data Protection Policy at any time. Notification of any changes made in this context will be made by the publication of the amended data protection policy on our website. Unless explicitly stated otherwise, the amended data protection policy shall take immediate effect.

Last updated: May 24, 2018