Information on data protection in the context of the mental risk assessment of DEKRA Automobil GmbH

1. General

DEKRA Automobil GmbH (DEKRA) takes the protection of your personal data very seriously. We process your personal data in accordance with the applicable legal data protection requirements for the purposes listed below.
Contact details Controller
DEKRA Automobil GmbH
Handwerkstrasse 15
70565 Stuttgart, Germany
If you have any questions or comments about data protection, you can also contact our data protection officer:
datenschutz​.automobil@​dekra​.com
To conduct the survey and the subsequent evaluation, we work together with DearEmployee GmbH, Bismarckstr. 10-12, 10625 Berlin. To protect your rights and freedoms, a data processing agreement (Art. 28 GDPR) has been concluded with DearEmployee GmbH. DEKRA is the responsible data controller. You therefore also assert your data subject rights directly against DEKRA. Nevertheless, you can contact the data protection department at DearEmployee GmbH with questions regarding the processing of your data ( datenschutz@​dearemployee​.de ).

2. Data processing

2.1 Source and origin of the data

We process personal data that we have received directly from you or your employer to conduct the survey.

2.2 Nature of personal data, purpose and lawfulness of processing

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Bundesdatenschutzgesetz (BDSG-neu) and other applicable data protection regulations.

2.2.1 Purposes within the scope of a legitimate interest of us or third parties (Art. 6 para. 1 lit. f GDPR)

Beyond the actual execution of the survey, we process your data only to the extent necessary to protect the legitimate interests of us or third parties.
When visiting the DearEmployee app, temporarily personal data is processed for the purpose of ensuring a smooth connection, a comfortable use of the app and for ensuring and evaluating system security and stability:
  • IP address
  • Date and time of access
  • Website from which the access is made (referrer URL)
  • Browser used
  • Operating system of the computer
  • Name of the access provider
This information is temporarily stored in a so-called log file and automatically deleted after 60 days without your intervention.
We base the data processing on our legitimate interests according to Art. 6 (1) p. 1 lit. f GDPR for the purposes listed above.

2.2.2 Purposes within the scope of your consent (Art. 6 para. 1 lit. a GDPR)

Processing of your personal data for certain purposes may also be based on your consent. As a rule, you can withdraw this consent at any time. You will be informed separately about the purposes and consequences of withdrawing or not giving your consent in the relevant text of the consent. In principle, the withdrawal of consent is only applicable for the future. Processing that took place before the withdrawal is not affected by this and remains lawful.
Participation in the DearEmployee Survey
The DearEmployee Survey is an online questionnaire in which you assess your working conditions as well as your work stress. When you take part in the survey, we process your personal and personal-related data on the basis of the consent you have given us.
The purpose of this data processing is to be able to calculate and report to your employer, with the help of statistical analyses, which working conditions are having a detrimental or beneficial effect on the health, motivation and loyalty of the employees in the company. Thus we can gather important information on appropriate measures to improve working conditions and verify the effectiveness of such measures.
Your personal data processed for this purpose will be pseudonymized as quickly as possible for your protection and also anonymized as far as possible, since a personal reference is irrelevant for the following analysis of the working conditions.
Participation in the DearEmployee Survey is voluntary. Depending on the design of the survey, the following data may be processed by you for participation:
  • Affiliation to the business unit (e.g. location, department, team)
  • Field of activity
  • Length of service
  • Position
  • Whether you have your own management responsibility
  • Whether you report to a manager
  • Whether you have contact with third parties in your daily work (e.g. customers)
In addition, there are also opportunities to provide further voluntary information as part of a survey:
  • Gender
  • Year of birth
  • Employment relationship
  • Working hours model
  • Contractually agreed weekly working time
  • Effective estimated working time per week
  • If applicable, key personnel figures
  • Payment
  • Assessment of working conditions
  • Mention of reasons for a positive or negative assessment
  • Open comments (suggestions for improvement, remarks)
  • Assessment of own health, motivation and commitment to the company
  • Mention of current acute physical and psychosomatic complaints
  • Estimate the number of days you went to work sick
  • Assessment of how high your performance capacity was on these days compared to days when you were/are healthy
  • Use of certain company services and social and additional benefits
The processing of this data is carried out in order to
  • be able to assess the risk potential of various working conditions,
  • be able to assess the potential for promoting the health and performance of various working conditions and offerings,
  • create target group specific guidelines for action within your company (e.g. for your department, your job or your employment relationship),
  • review the success of risk-reducing, health- and performance-promoting measures
  • show the potential savings for your employer through certain measures
  • establish risk and performance profiles for industries and job functions,
  • fulfill your employer's legal obligation to regularly conduct the risk assessment of mental stress and to document it, as well as to document the corresponding measures to reduce identified mental risks (§ 5 and § 6 ArbSchG).
We base the processing of your personal data collected during participation on the consent you have given voluntarily in accordance with Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR.

2.3 Existence of automated decision-making in individual cases (including profiling)

We do not use any purely automated decision-making processes pursuant to Article 22 of the GDPR. If we do use such a procedure in individual cases in the future, we will inform you separately, provided this is required by law.

2.4 Consequences of not providing data

There is no legal obligation to provide us with your personal data. If you do not provide us with the data required to start and carry out the survey, we will generally not be able to take your answers into account in the survey and later evaluation.

2.5 Recipients of the data within the EU

Within our company, those internal offices or organizational units receive your data that require it to fulfill our contractual and legal obligations or as part of the processing and implementation of our legitimate interests. Within our corporate group, your data will be transferred to certain companies if they perform data processing tasks centrally for the companies affiliated in the group (e.g. IT support).
Your data will only be passed on to external parties if external service providers process data on our behalf or if we are legally obliged to do so.
To the execution of the mental risk assessment, we work together with the company DearEmployee GmbH, Bismarckstr. 10-12, 10625 Berlin. Within the scope of this data processing, your data is subject to the same security standards there as it is with us.
We will not pass on your data to third parties beyond this, unless we are legally obliged to do so.

2.6 Recipients of the data outside the EU

Your personal data will not be processed outside the European Economic Area (EEA).

2.7 Storage periods

As a matter of principle, your data will be pseudonymized as quickly as possible and, as far as possible, also completely anonymized, since a reference to a person is irrelevant for the subsequent analysis of the working conditions. The evaluations and analyses provided to your employer are completely anonymized. In this respect, your employer will not be provided with any personal data from you at any time. At the latest 12 months after deletion of the DearEmployee Insights user account by your employer, all remaining data will be automatically deleted.
If you withdraw your consent, your personal data will be deleted after withdrawal.
If the data are no longer required for the fulfillment of contractual or legal obligations and rights, they are regularly deleted, unless their - temporary - further processing is required for the fulfillment of the purposes for an overriding legitimate interest.

2.8 Rights concerning the processing of personal data

Under certain conditions, you can assert your data protection rights against us:
  • On request, you have the right to obtain information from us about the personal data concerning you and processed by us, to the extent defined in Art. 15 GDPR.
  • You have the right to require us to rectify any inaccurate personal data concerning you without undue delay (Art. 16 GDPR).
  • Where the legal reasons defined in Art. 17 GDPR apply, you have the right to immediate deletion (“right to be forgotten”) of personal data concerning you. These legal reasons include: the personal data are no longer necessary for the purposes for which they were processed, or you withdraw your consent, and there are no other legal grounds for processing; the data subject objects to the processing (and there are no overriding legitimate grounds for processing––does not apply to objections to direct advertising).
  • If the criteria defined in Art. 18 GDPR are fulfilled, you have the right to restriction of processing as established in the above article of the GDPR. According to this article, restriction of processing may be called for in particular if processing is unlawful and the data subject opposes deletion of the personal data and requests the restriction of their use instead, or if the data subject has objected to processing according to Art. 21 (1) GDPR as long as it is unclear whether our legitimate interest overrides the interest of the data subject.
  • You have the right to data portability as defined in Art. 20 GDPR. This means you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller, such as another service provider. Prerequisite is that processing is based on consent or a contract, and is carried out using automated means.
  • In addition, you have the right to withdraw your consent to the processing of personal data at any time with effect for the future.
  • If you think that processing of personal data concerning you and carried out by us is unlawful or impermissible, you have the right to file a complaint with the supervisory authority responsible for us.
  • Your requests regarding the exercise of your rights should, if possible, be addressed directly to our data protection officer by e-mail or in writing to the address given above with the suffix "Data Protection".
SPECIAL REFERENCE TO YOUR RIGHT OF OBJECTION ACCORDING TO ART. 21 GDPR
You have the right to object at any time under Art. 21 GDPR to processing of personal data concerning you which is based on Art 6 (1) lit. e or f GDPR, on grounds relating to your particular situation. We will desist from processing your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights, and freedoms, or unless processing is for the establishment, exercise, or defense of legal claims. For the exercise of the objection there are no other costs than the transmission costs according to the basic tariff.

The objection can be made form-free and should preferably be directed to:

datenschutz@dearemployee.de
or
datenschutz.automobil@dekra.com

Or in writing to the above address with the address addition "data protection".
Status 07.2021