GDPR Compliance: Mandatory Information for Clients and Employees

Mandatory information according to Art. 13 and 14 General Data Protection Regulation (“GDPR”) for clients

 1. Process-specific information 

Name and contact details of the controller (first joint controller)

Cardno TEC GmbH (Cardno TEC), Frankfurter Strasse 92, 65760 Eschborn, Germany, phone: +49 (0)6196 773 0754; email:

Contact details of the data protection officer (first joint controller)

A data protection officer is not required by law.

Purposes of the processing and legal basis

- Pursuing the controller’s business purposes such as the sale of his products and services (Art. 6 para 1 lit. b) GDPR; Art. 6 para. 1 lit. f) GDPR, the legitimate interest is to be able to fulfill his contractual obligations)

- Outsourcing IT services and other services to other group companies or service providers (Art. 6 para 1 lit f) GDPR, the legitimate interest is to implement cost- and resource-efficient business processes)

- Compliance with statutory obligations such as tax and documentation (Art. 6 para 1 lit c) GDPR)

Categories of personal data processed

- Contract relevant data (surname, name, contact information of the company's authorized contracts representative)

Categories of personal data not collected from the data subject and sources

- Other Cardno group companies

Recipients or categories of recipients of personal data

  • Other Cardno group companies (e.g. Cardno GS, Inc.)
  • Joint Ventures Partners
  • IT-service providers (Hardware/Software)
  • In case of a merger with a different entity, the different entity; in case of a sale or transfer of some or all of its business, the acquiring entity

Transfers to a third country, including measures to ensure an adequate level of data protection at the recipient (including the possibility of information)

We transfer some of the above-mentioned personal data to the US. We provide the adequate level of data protection for your personal data by: EU Standard Contractual Clauses (SCC) or certificates under the EU-US Privacy Shield Agreement. At any time you may obtain a copy of the contracts concerning you by contacting the controller.

Joint Control with Cardno GS Inc.

When using or delivering administrative, operational, strategic, management, business development, finance and accounting, contract management, legal support, HR, IT, low margin, ad hoc and Project related Services, Cardno TEC may process the client's personal data jointly with Cardno GS Inc., 2496 Old Ivy Road, Suite 300 Charlottesville, VA 22903, USA, phone +1-434-295-4446. In these cases Cardno TEC and Cardno GS jointly determine the purposes and means of the processing. Therefore, Cardno TEC and Cardno GS are joint controllers and have concluded an agreement pursuant to Art. 26 GDPR.

The relevant provisions of this agreement with regard to the data subject are:

  • Each Party shall ensure compliance with the legal provisions of the GDPR and shall keep its own records of processing activities.
  • The Parties provide the data subject with the mandatory information referred to in Articles 13 and 14 of the GDPR. The information shall be provided free of The Parties agree that each Party shall provide the mandatory information for their employees and clients.
  • The data subject may exercise his or her rights under Articles (12), 15 to 22 GDPR against each Party. The Parties agree that each Party shall handle the requests of their employees and clients.
  • The Parties are entitled to conclude contracts with processors and subprocessors.
  • The Parties shall inform each other immediately if there has been a personal data breach. Each Party is responsible for handling the data breach and fulfilling the notification obligations to the competent supervisory authority pursuant to Article 33 GDPR and to the data subject affected by the data breach pursuant to Article 34 GDPR.

Period for which the personal data is stored

Please see the retention period table


2. The necessity of data collection

You are not required by operation of law or contract to provide us with your personal data; however, your personal data is necessary to enter into and administer the contractual relationship with you and in order to meet statutory as well as group-internal obligations. Without the provision of your personal data, we are not able to enter into the contract with you.

3.  Consent

If you have provided your consent for the processing of your personal data, the following applies:

You have the right to entirely or partially withdraw your consent to process your personal data at any time. The withdrawal of your consent shall not affect the lawfulness of processing based on your consent before its withdrawal.

4.  Right of objection, Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time, when the processing is based on Art. 6 para. 1 lit. f) GDPR. We will then no longer process your personal data unless we can provide compelling reasons which outweigh your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

5.  Right to lodge a complaint with a supervisory authority, Art. 77 GDPR

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU or EEA Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Of course, you can also contact us first.

6.  Your further rights

You also have the following rights and claims against the controller:

  • The right of access (Art. 15 GDPR)
  • The right to rectification (Art. 16 GDPR)
  • The right to erasure (Art. 17 GDPR)
  • The right to restriction of processing (Art. 18 GDPR)
  • The right to data portability (Art. 20 GDPR)