1. Processing-specific information
Names and contact details of the controller
Heidelberg Materials AG ("HMAG") or the Heidelberg Materials Group company where you work or which you visit, in joint controllership with HMAG, Berliner Straße 6, 69120 Heidelberg, phone: +49 6221-481-0, fax: +49 6221-481-13217, email: info@heidelbergmaterials.com (hereinafter acting as Joint Controllers and referred to as "Controllers").
Contact details of the data protection officer
HMAG or the Heidelberg Materials Group Company, in joint controllership with HMAG:
Heidelberg Materials AG, Group Data Protection Officer,
Berliner Straße 6, 69120 Heidelberg, Germany, Phone: +49 6221-481-39603
Email: info.dataprotection@heidelbergmaterials.com
Description of the joint controllership
The joint controllership lies in the introduction of the systems described below as part of the operation and management of the joint headquarters building of HMAG and the Heidelberg Materials Group company. HMAG is responsible for the introduction, further development and support of the corresponding systems, which are mandatory for the operation and use of the main administration building (Hauptverwaltung). As the rights holder of the systems, HMAG has access to the respective personal data.
Within the framework of shared controllership, the Heidelberg Materials Group company is responsible for collecting the personal data of its employees and visitors, as described in more detail below.
Categories of personal data processed
A: Access to the building
- For employees: transponder number and authorizations from the building chip of the controller
- For visitors: contact details of the data subject including company information (name, phone number, e-mail address, address)
- Licence plate number (recorded in the underground car park)
B: Time Tracking
- Transponder number and data from the company directory/Active Directory (name, position in the company, personnel number) of the controller
- Working hours
C: Office and room bookings
- Data from the company directory/Active Directory (name, position in the company, phone number, e-mail address, address) of the controller
- For visitors: contact details of the data subject including company information (name, phone number, e-mail address, address)
- Presence in the building
- Desks and meeting rooms used in the building
D: Canteen use
- Transponder number and data from the company directory/Active Directory (name, position in the company, personnel number) of the controller
- Billing data of food consumption
E: Video surveillance
Video recordings
Source of personal data
A: Access to the building and C: Office and room bookings
Data subject or employee of the controller
B: Time Tracking, D: Canteen use and E: Video surveillance
Data subject
The processing of personal data is carried out for the purpose of:
A: Access to the building and E: Video surveillance
- Exercising domiciliary rights/ensuring occupational and operational safety/access control and entry management
- Ensuring effective emergency management (e.g. in the event of evacuation of the building)
- Prevention and investigation of crimes
- Prevention and mitigation of hazards and damages
B: Time Tracking
- Compliance with legal and (employment) contractual obligations
- Verification of compliance with occupational safety regulations
C: Office and room bookings
Maintaining efficient and continuous business operations
D: Canteen use
Billing of food consumption and verification of its correctness
E: Video surveillance (see above and additionally)
- Protection of reception staff and particularly critical parts of the building
- Monitoring physical access systems (e.g., turnstiles and emergency exits) to ensure compliance with safety protocols, prevent unauthorized access, burglary, and vandalism, and document incidents to preserve evidence for potential legal or insurance claims
Legal bases for the processing of the aforementioned purposes
A: Access to the building
- A.a. The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. b) GDPR in order to grant the employees of the controller access to the contractual place of employment accordingly.
- A.a. & A.b. Furthermore, the data processing is based on Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest of the controller lies in compliance with authorization levels and security requirements in the building and in detecting and remedying violations. This applies to employees as well as to guests and visitors.
- A.c. Licence plate recognition and storage is carried out at the request of the data subject in accordance with Art. 6 (1) sentence 1 lit. a) GDPR.
B: Time Tracking
- In accordance with Art. 6 para. 1 sentence 1 lit. b) GDPR, data processing is necessary to keep the working time account of employees bound by collective bargaining agreements up to date and to ensure that the hours worked correspond to the hours specified in the employment contract.
- A legitimate interest of the controller in data processing pursuant to Art. 6 (1) sentence 1 lit. f) GDPR is to detect and remedy violations of occupational safety requirements.
C: Office and room bookings
The legitimate interest of the controller pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR lies in ensuring and optimising efficient and continuous business operations.
D: Canteen use
- According to Art. 6 para. 1 sentence 1 lit. b) GDPR, the data processing is necessary in order to book the lunches consumed to the internal salary account of the respective employee so that compensation can be made as part of the salary payment.
- In addition, the billing can be reviewed at the request of the employee in accordance with Art. 6 (1) sentence 1 lit. a) GDPR.
E: Video surveillance
The data processing is based on Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest of the controller lies in compliance with authorization levels and security requirements in the building and in detecting and remedying violations. Furthermore, the controller has a legitimate interest in ensuring the safety of reception staff, certain parts of the building and operational processes. The controller has a legitimate interest in pursuing legal claims against perpetrators and in using the investigative and evidentiary function of the video recordings.
Recipients or categories of recipients of the personal data
- Controller
- Internal and external service providers (e.g. IT service providers, Heidelberg Materials Shared Services DE GmbH, security forces, etc.)
- Authorities and law firms, event-related
Necessity of data collection
There is no legal obligation to provide the personal data. The provision of personal data is necessary for the performance of the above-mentioned purposes.
A: Access to the building and E: Video surveillance
Without the provision of personal data, data subjects cannot stay on or enter the company premises.
B: Time Tracking
Without the provision of personal data, a comparison between hours worked and contractually owed hours is not possible.
C: Office and room bookings
Without the provision of personal data, it is not possible to optimise the use of the business premises for the organisational units of the Controller.
D: Canteen use
Without the provision of personal data, no process-oriented billing can take place in the canteen.
Place of processing and transfer to third countries
A: Access to the building, B: Time Tracking, D: Canteen use and E: Video surveillance
The data is processed in Germany; it is not transferred to third countries.
C: Office and room bookings
The data is processed in the EU; there is no transfer to third countries.
Duration for which the personal data will be stored
A: Access to the building
The data will be stored for a period of 30 days.
B: Time Tracking and D: Canteen use
The data is stored for a period of 10 years, as it is subject to a retention obligation as part of the payroll documents.
C: Office and room bookings
The data will be stored for a period of 28 days.
E: Video surveillance
- The video recordings are stored for a duration of 72 hours.
- In individual cases, the data will be stored for a longer period of time if the controller has a legitimate interest in storing the data beyond the aforementioned periods (e.g. in the defence or prosecution of legal claims, compliance with official requirements, etc.).
2. Your rights as a data subject
As a data subject, you can contact our Data Protection Officer at any time by sending an informal notice using the contact details above to exercise your rights under the GDPR. These rights are the following:
- The right to obtain information about the data processing and a copy of the processed data (right of access, Art. 15 GDPR)
- The right to request the correction of inaccurate data or the completion of incomplete data (right to rectification, Art. 16 GDPR)
- The right to request the deletion of personal data and, if the personal data has been published, to inform other controllers about the request for erasure (right to erasure, Art. 17 GDPR)
- The right to request the restriction of data processing (right to restriction of processing, Art. 18 GDPR)
- The right – if the conditions set out in Art. 20 GDPR are met – to receive the personal data of the data subject in a structured, commonly used and machine-readable format and to request the transmission of this data to another controller (right to data portability, Art. 20 GDPR)
- The right to object, for reasons arising from your particular situation, at any time to the processing of personal data concerning you on the basis of Art. 6 (1) sentence 1 lit. f) GDPR with effect for the future (right to object, Art. 21 GDPR); the controller will then no longer process your personal data unless the controller can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
- The right to withdraw consent at any time in order to prevent data processing based on your consent. The revocation has no influence on the lawfulness of the processing based on consent before the revocation (right of revocation, Art. 7 para. 3 GDPR).
- The right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. Under this provision, without prejudice to any other administrative or judicial remedy, you may lodge a complaint with a supervisory authority, in particular in the Member State of your residence, your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.
The following data protection supervisory authority is responsible for the controller:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, poststelle@lfdi.bwl.de
You are also welcome to contact us first. As is well known, many things can be clarified in a phone call.