Data protection declaration - SOFiSTiK intern

Information pursuant to Art. 13 GDPR on the processing of personal data in the employment relationship

1. General information on the linguistic structure of the document

For better readability and for reasons of linguistic simplification, the masculine form is predominantly used in this document. Of course, all personal designations refer equally to all genders (male, female, diverse). The abbreviated form is used solely for editorial reasons and does not imply any judgment.

2. Data controller and responsible contact

2.1 Data controller:

SOFiSTiK AG

Flataustr. 14

90411 Nuremberg

Tel.: + 49 911 399010

E-Mail: info@sofistik.de

2.2 Internal DPO:

Projekt 29 GmbH & Co. KG

Ostengasse 14

93047 Regensburg

Tel.: 0941-2986930

E-Mail: info@projekt29.de

3. Personal data that is processed and its origin

We process the data that we have received from you in the context of contract initiation or processing, on the basis of consent or in the context of your application to us or in the context of your employment with us or that we need for the performance of the employment relationship. Processing is generally carried out within the scope of legal admissibility or necessity.

  • Salutation and gender.
  • First name and surname.
  • E-Mail address(es).
  • Address(es).
  • Telephone number(s).
  • Employment contract and other related documents, such as amendments, supplements or accompanying documents or other correspondence. This also includes documentation on employee and annual appraisals, which may include bonuses, salary negotiations or commissions and loan agreements.
  • Proof of school, university or professional qualifications (certificates).
  • Records of absence, overtime, hours worked and projects assigned to them, and vacation days.
  • Health insurance details required for identification purposes.
  • Characteristics relevant to social security and/or tax law, such as date of birth, any religious affiliation, marital status, statutory maintenance obligations, tax identification number, information as to whether the employment relationship is primary or secondary, information as to whether and to what extent a wage tax allowance is to be claimed.
  • If applicable, relevant information on creditors in the context of wage tax garnishments.
  • Parental status, including name(s), date(s) of birth of the children and the contents of the birth certificate(s).
  • Health data within the meaning of Art. 9 GDPR, such as absences due to illness, medical certificates of incapacity for work, proof of pregnancy and childbirth, records of long-term illnesses, proof of any existing severe disability.
  • Wage tax documents and annual wage tax certificates.
  • Wage and salary statements, social security notifications and annual reports or annual certificates.
  • Letters of dismissal, warnings, termination agreements, interim references and certificates issued by the employer, social security registration and deregistration data.
  • Information on parental leave or sabbatical.
  • Documents and information similar to those mentioned above.
  • Personal images.
  • First and last names of employees in your specific functions (job title, first aid officer or fire safety officer).
  • Personal data stored by the IT system, such as user accounts and authorizations for certain systems, IT usage data / log data.

4. For what purposes and on what legal basis is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018 as amended:

4.1 Purpose of processing:

  • in order to be able to identify the employee,
  • in order to properly implement the employment relationship and to document the proper implementation,
  • for correspondence with the employee,
  • for correspondence with health insurance companies, private health insurance companies, pension insurance companies, tax offices, integration offices, professional liability insurance companies and other bodies and authorities in connection with the employment relationship,
  • for the preparation of current payroll accounting for the employee, for the preparation of social security reports and ongoing contribution reports for the collection agencies, for the preparation of annual social security reports, for the preparation of ongoing advance wage tax returns, for the preparation of annual wage tax statements, for the calculation and reporting of contributions to statutory accident insurance, and for the purpose of documenting these and similar social security, tax or duty-related processes in connection with the employment relationship,
  • to process the employment relationship, even after its legal termination, in particular if letters are received from health insurance companies, private health insurance companies, pension insurance companies, accident insurance companies, tax offices, liability insurance companies or other bodies, authorities or courts and are to be forwarded to the (former) employee, and/or if wage and salary statements are subsequently to be made and/or corrected, and/or if salaries or other payments are to be made to the (former) employee, as well as for the purpose of documenting these and similar processes in connection with the employment relationship to be wound up
  • for the processing of any existing claims against the (former) employee, in particular for the surrender of objects, documents or information, for the reimbursement of overpayments and similar claims
  • to safeguard the legitimate interests of the employer, in particular in connection with any claims asserted against the employer for payment of wage and salary arrears, vacation pay, damages, monetary compensation or other claims in connection with the (former) employment relationship.

4.2 Legal basis

  • within the scope of your consent (Art. 6 para. 1 lit. a GDPR):

If you have given us your consent to process your data, e.g. for the use of employee photos. 

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 para. 1 lit. b GDPR, § 26 Federal Data Protection Act): Data processing for employment-related purposes
  • Processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c GDPR):
    • in connection with the primary and secondary obligations under employment contracts,
    • in connection with the statutory and unwritten legal provisions of individual employment law, including occupational health and safety law (e.g. German Civil Code - BGB, Act on the Continuation of Remuneration - EFZG, Maternity Protection Act - German Maternity Protection Act, Federal Parental Allowance and Parental Leave Act - BEEG, Working Hours Act - ArbZG, Federal Leave Act - BUrlG),
    • in connection with the statutory provisions of social law and the law on social security notifications, contribution notifications and the payment of social security contributions (in particular the Fourth Book of the German Social Code – German Social Code IV), and
    • in connection with the statutory tax regulations on the withholding and payment of taxes (in particular Income Tax Act - German Tax Law, Wage Tax Implementation Ordinance - German Wage Tax Implementation Regulation). 

      According to the aforementioned legislation, the employer is obliged in particular
      • to correctly determine the employee's salary in accordance with the employment contract,
      • to correctly calculate and pay the employee's salary in cases of sickness, vacation or pregnancy-related absences,
      • to determine the legally and arithmetically correct amount of social security contributions on the basis of the employee's gross salary, to withhold the share attributable to the employee and to report and pay it to the collection agencies together with the employer's share, and
      • to calculate and withhold the legally and arithmetically correct amount of taxes to be borne by the employee on the basis of the employee's gross salary and to pay these to the tax office at the place of business
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Art. 6 para. 1 lit. f GDPR):

Insofar as the processing of the data is necessary to safeguard the legitimate interests of the employer, such as for the defense against claims of any kind arising from the employment relationship or due to related circumstances, insofar as such claims are asserted by the employee against the employer as allegedly not fulfilled. This legal basis for data processing does not exist if the interests or fundamental rights and freedoms of the employee as the data subject, which require the protection of personal data, prevail.

5. Am I obliged to provide data?

The processing of your personal data is necessary for the execution and organization of the employment relationship. We require certain personal data in order to fulfill our and your legal obligations. 

In the case of additional personal data that we process on the basis of your consent, the provision of such data is voluntary and we will look for an adequate alternative if you do not give your consent in certain cases.

6. Who receives my data?

  • If we use a service provider in the sense of order processing, we nevertheless remain responsible for the protection of your data. All processors are contractually obliged to treat your data confidentially and to process it only in the context of providing the service. The processors commissioned by us will receive your data if they require the data to fulfill their respective service. These are, for example, IT service providers that we need for the operation and security of our IT system as well as advertising and address publishers for our own advertising campaigns.
  • Personal data will be transferred to the following parties in order to comply with legal obligations:
    • Health insurance funds and private health insurers, employment agencies, statutory pension insurance providers, statutory long-term care insurance providers, statutory accident insurance providers, tax offices.
    • Providers of company pension schemes, professional chambers, liability insurers and other damage and property insurers who insure company risks or risks associated with the employment relationship.
    • Other bodies, service providers, courts and authorities that perform tasks in connection with employment law, wage tax law, medical or health care or social security law, such as parental benefit offices, integration offices, occupational health and safety authorities, data protection authorities, medical facilities such as doctors' surgeries and hospitals.
    • In addition, insurance companies, banks, credit agencies and service providers may be recipients of your data for the purpose of contract initiation and fulfillment.
  • In the course of the employment relationship and to safeguard legitimate interests, applications and systems are selected internally that are subject to a security check and that may also collect personal data. In particular, these are currently the systems Lobo DMS, Microsoft, Wice, Autodesk.

7. How long will my data be stored?

  • Your data will be stored for the statutory retention periods. The specific retention obligations can be found in the company's internal deletion concept. The following periods in particular currently apply to the employer:
    • The retention obligation that employers have under tax and duty law with regard to the payroll account to be kept for each employee (Section 41 (1) German Tax Law in conjunction with Section 4 German Wage Tax Implementation Regulation, Section 28 f (1) German Social Code IV) is currently six years in accordance with Section 41 (1) sentence 9 German Tax Law. The period begins at the end of the calendar year in which the last payroll accounting was carried out, i.e. the payroll accounts must be kept until the end of the sixth calendar year following the last recorded wage payment. The data to be recorded in the payroll account includes, in particular, the first name, surname, date of birth, place of residence and the general tax characteristics of the employee entered in a certificate issued by the tax office for wage tax deduction (§ 4 Para. 1 No. 1 German Wage Tax Implementation Regulation) as well as the wages, separated into cash wages and benefits in kind, and the wage tax withheld therefrom (§ 4 Para. 2 No. 3 Sentence 1 German Wage Tax Implementation Regulation). This retention obligation applies to all employee data mentioned above under point 3 as well as to any original documents on file, but only to the extent that these data and documents are relevant to the amount of wages or salary settled, i.e. for the correct calculation of the gross salary under labor law and the related, correctly determined deductions under wage tax and social security law.
    • The retention obligation, which the employer must observe due to income tax regulations, is currently ten years in accordance with Section 147 (1) no. 1 and no. 4, (3) sentence 1, (4) sentence 1 of the German Tax Code (German Fiscal Code). The period begins at the end of the tax or calendar year in which the last entry relating to the employment relationship is made or a payroll is prepared. This retention obligation only applies to the above-mentioned data and documents to the extent that they are relevant for the employer's financial accounting (annual financial statements, balance sheets, etc.) or for the postings and financial transactions associated with this accounting. This includes, in particular, employment contract wage and salary agreements, pay slips, contribution reports for social insurance, company pension schemes and liability insurance, as well as settlement agreements, credit notes and reminder letters, information on and documents relating to cost reimbursements and letters in connection with any enforcement of claims as well as other letters relating to financial aspects of the employment relationship, insofar as these documents are part of the books and records or accounting documents within the meaning of Section 147 (1) No. 1 and No. 4 German Fiscal Code.
    • The retention obligation, which the employer must observe due to social security law audits to be carried out by the pension insurance institutions every four years in accordance with Section 28p (1) German Social Code IV, is currently one calendar year. The calendar year period begins at the end of the calendar year in which the last company audit was carried out in accordance with Section 28p (1) German Social Code IV (Section 28f (1) sentence 1 German Social Code IV). As a result of the dependence of the one-year period on the date of the last tax audit, the retention obligation may be extended compared to the six-year period mentioned above. The remuneration documents to be retained within the meaning of Section 28f para. 1 sentence 1 German Social Code IV include, in particular, the employee's individual payroll data, i.e. their master data such as health insurance affiliation, the calculation or composition of monthly gross and net remuneration, contribution notifications and other social security notifications as well as similar data that is relevant to the company audit.
  • Insofar as the processing of the above-mentioned personal data of the employee is based on the justification of safeguarding the legitimate interests of the employer, the data will be processed until the expiry of the longest possible limitation period for conceivable claims that may be asserted against the employer and then deleted immediately.
    • This retention period is normally three calendar years. The period begins at the end of the year in which the employee left the employment relationship. At the end of this regular limitation period, claims arising from the employment relationship, e.g. for outstanding wages, vacation pay, etc., expire in accordance with Section 195 German Civil Code in conjunction with Section 199 (1) German Civil Code.
  • In deviation from this, the retention period for the above-mentioned employees who carry out activities with increased liability risks for the employer is 30 years, starting from the date on which the employee leaves the employment relationship. This period corresponds to the longest possible limitation period to which liability claims by third parties against the employer are subject. It is currently 30 years in accordance with Section 199 (3) sentence 1 no. 2 German Civil Code, whereby the period begins on the date of the breach of duty by the employee who caused or is alleged to have caused damage to the third party who later asserts claims for damages against the employer. In order to enable the orderly processing of such claims for damages relating to (alleged) breaches of duty that occurred a long time ago, in addition to proper notification of any existing liability insurance policies, the personal data and documents of the employees contained in the personnel files must be retained for 30 years insofar as these data and documents provide information about the work performed by these employees. These are in particular the order or customer-related contracts, project documentation and invoices.
  • Documents and paper files will be properly destroyed immediately after expiry of the above-mentioned retention periods; data stored in electronically managed personnel files will be deleted immediately.
  • Personal data without statutory or contractual retention periods will be deleted immediately after the purpose has been fulfilled.
  • Personal data for which you have given your consent within the meaning of Art. 6 para. 1 lit. a GDPR will be deleted immediately after revocation of consent.

8. Is personal data transferred to a third country?

In principle, we do not transfer any data to a third country. In individual cases, data is only transferred on the basis of an adequacy decision by the European Commission, standard contractual clauses, suitable guarantees or your express consent.

Currently, this takes place in particular in the context of the use of Microsoft 365. An order processing contract has been concluded with Microsoft. 

9. Security

We have taken technical and administrative security precautions to protect your personal data against loss, destruction, manipulation and unauthorized access. All our employees and service providers working for us are obliged to comply with the applicable data protection laws.

Whenever we collect and process personal data, it is encrypted before it is transmitted. This means that your data cannot be misused by third parties. Our security precautions are subject to a continuous improvement process and our data protection declarations are constantly being revised. Please ensure that you have the latest version.

10. What data protection rights do I have?

You have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing and a right to data portability and to lodge a complaint at any time in accordance with the requirements of data protection law.

10.1 Right of Access:

You can request information from us as to whether and to what extent we process your data.

10.2 Right to Rectification:

If we process your data incompletely or incorrectly, you can request that we correct or complete it at any time.

10.3 Right to Erasure:

You can request that we erase your data if we process it unlawfully or if the processing disproportionately interferes with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention or processing obligations.

Irrespective of the exercise of your right to erasure, we will erase your data immediately and completely, provided that there is no legal or statutory retention obligation to the contrary.

10.4 Right to Restriction of processing:

You can request that we restrict the processing of your data if

  • you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data
  • the processing of the data is unlawful, but you refuse to have it erased and instead wish to restrict the use of the data
  • we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or
  • you have objected to the processing of the data.

10.5 Right to Object:

If we process your data on the basis of legitimate interest, you can object to this at any time. This would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.

10.6 Right to Data Portability:

You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transmit this data to another controller without hindrance from us, provided that

  • we process this data on the basis of your revocable consent or to fulfill a contract between us, and this processing is carried out using automated procedures.

If technically feasible, you can request that we transfer your data directly to another controller.

10.7 Right to Lodge a Complaint with a Supervisory Authority:

If you are of the opinion that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.

If you wish to assert one of these rights against us, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.

10.8 Right to Withdraw Consent

If we process your data on the basis of consent, you can withdraw this consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

10.9 Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. Exceptions to this only apply under the legally applicable conditions.