PART ONE: Why is this Notice important to you?
1. Introduction
This Privacy Notice relating to the protection of personal data (hereinafter, the “Privacy Notice”) is designed to inform you about the personal data relating to you processed by WAVES S.à r.l. acting as a data controller (hereinafter, “WAVES”, “we”, “our”, as the case may be), whose registered office is located 9 Rue du Laboratoire, 1911 Luxembourg, and which is registered with the Luxembourg Trade and Companies Register under number B236401.
We attach great importance to the protection of personal data entrusted to us, in particular by the users of WAVES’s website accessible at www.waves-sustainability.com and https://nachhaltige-logistik-rechnen.de (hereinafter, the “website”). That is why we secure and protect your data in accordance with applicable legislation, including the General Data Protection Regulation[1] (hereinafter, the “GDPR”) and the Luxembourg law of August 1st 2018 relating to the organization of the Commission Nationale pour la protection des données and implementation of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), amending the Labour Code and the amended Law of 25 March 2015 laying down the salary system and the conditions and procedures for promotion of civil servants.
Through this Privacy Notice, we wish to inform you about what personal data we process about you via the website, for what purpose we use it, and with whom we share it. We will detail the legal basis on which we process your data and explain your rights and the choices available to you.
PART TWO: What data about you do we process and how?
2.1 What personal data do we process about you?
We have indicated in the table below the categories of personal data that we process about you and how we collect them.
| Categories of data | Description of the data |
| Contact details and messages of users | This is data that is communicated to us by yourself when you decide to get in touch with us (first name, last name, email address, your message). |
| Cookie consent log, Captcha | This data is collected by the website via cookies that are strictly necessary for operating our website. |
| Log files (website usage, user video preferences, preferred language) | This data is collected by the website via cookies that require consent. For more information, see our current cookie policy. |
2.2 For what purposes do we use your personal data and on what legal basis do we use them?
We have indicated in the table below the purposes for which we process your personal data, the associated legal basis on which we legally process your personal data, and the categories of personal data (as identified above) used for those purposes:
| Purpose | Legal basis | Categories of data |
| Allow you to submit requests via our website | Consent | Contact details and messages of users
|
| Registration to marketing services | Consent | Registration details of users |
| Manage cookie consent | legal obligation | Log of cookie consent |
| Understand how visitors interact with websites | Consent | Log files (website usage, preferred language) |
2.3 Who has access to your data?
To pursue the purposes specified above, we will share your personal data with the following recipients:
| Categories of recipients | Reason for sharing |
| Service providers | We collaborate with service providers who work on our behalf and who may need access to some of your personal data to provide us with their services. These include companies we have hired to provide hosting services. |
| Our staff | In some cases, our staff will need access to your personal data to enable us to pursue the purposes indicated above. |
Some of our service providers are located in countries other than ours. When we transfer personal data to countries outside the European Economic Area that are considered by the European Commission as not providing an adequate level of protection for personal data, we use Standard Contractual Clauses approved by the European Commission to ensure adequate protection. For further information, including a copy of the documents used to protect your personal data, please contact us as indicated in section 4.2. below.
2.4 Use of Cookies
Cookies are small text files placed in the browser of your computer (or other digital device used) by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the website. For more information, see our current cookie policy.
2.5 Links to third party websites
On certain areas of this platform, we may provide links to third parties websites, which are not subject to this Privacy Notice. These links are provided as a convenience to you. Please be aware that we do not control such third parties or their websites and that those third parties will have a different privacy notice applying to information collected from you when you are on those third parties’ websites. We encourage you to read the privacy notices of all websites carefully before providing personal data.
PART THREE: How do we protect your data?
3.1 Storage duration
We retain your personal data in accordance with our data retention policy only for as long as is necessary to fulfill the purposes described in section 2 above or in accordance with statutory limitation periods for claims.
3.2 Security of your data
We have implemented technical and organizational measures in accordance with standard industry practices to ensure an appropriate level of security of the Personal Data processed. Nevertheless, security requires efforts from all actors involved. We thus encourage you to contribute to these efforts by taking appropriate security measures yourself, including using strong passwords and keeping all usernames and passwords (if any) confidential.
3.3 Automated decision making and profiling
No automated decision-making or profiling will be made about you as part of the personal data processing described in this Privacy Notice.
3.4 Children
This Platform is not intended for or directed to children under 13. We do not knowingly or directly collect information from children under the age of 13. If you are under the age of 13, please do not use this Platform and do not provide any personal data. If you are a parent or legal guardian and you believe that your child has provided us with personal information, please contact us using the contact information provided in Section 4 below.
PART FOUR: You can contact us
4.1 What are your rights?
The GDPR grants individuals certain rights with respect to their personal data. Consequently, we are at your disposal to help you to benefit from these rights. Except as limited by applicable law and subject to the applicability, the following rights are granted to individuals:
Right of access: the right to be informed about and to obtain access to the personal data processed about you;
Right to rectification: the right to obtain that we rectify or update your personal data when they are inaccurate or incomplete;
Right to erasure: the right to obtain that we delete your personal data;
Right to restriction of processing: the right to obtain that we limit the processing of all or part of your personal data;
Right to object: the right to object at any time to the processing of your personal data for reasons relating to your particular situation; the right to object at any time to the processing of your personal data for direct marketing purposes;
Right to data portability: the right to receive a copy of your personal data in electronic format and the right to transmit such personal data for use by a third-party service; and
Right to object to automated decision making: the right not to be subject to a decision based exclusively on automated processing, including profiling, producing legal effects concerning you, or significantly affecting you in a similar way.
These rights may be limited, for example, if the execution of your request reveals personal data of another person, or if you ask us to delete information that we are required to retain by law or because of compelling legitimate interests.
Once we have asked for your consent, you may withdraw it at any time without justification. If you request to withdraw your consent, this will not affect the lawfulness of the processing based on consent before its withdrawal.
To exercise your rights, please contact us using the contact information provided in section 4.2 below.
Finally, as a data subject, you have the right to lodge a complaint with a supervisory authority (in particular in the European Union Member State of your habitual residence, or your place of work, or the place of the breach) if you consider that the processing of your personal data violates the applicable legislation on the protection of personal data. For your information, you will find the contact details of the Luxembourg Supervisory Authority on its website: www.cnpd.lu
4.2. How to contact us
If you have any questions about this Privacy Notice or wish to exercise your rights, please contact us by sending an e-mail to privacy@waves.lu or by writing to us at:
WAVES S.à r.l.
9, Rue du Laboratoire
1911 Luxembourg
4.3 Effective date and changes
This Privacy Notice is in effect since 31 January 2021. We reserve the right, at our complete discretion, to change, modify, add, or remove portions of this Privacy Notice at any time. You should check back periodically at this page to read the most recent version of this Privacy Notice as your continued use of this website following the posting of changes to these terms will mean you acknowledge these changes.
Thank you for visiting this website.
[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
PART FIVE: HANDLING OF APPLICANT DATA
We offer you the opportunity to apply to us (e.g., by e-mail, postal mail or via online application form). In the following, we inform you about the scope, purpose and use of your personal data collected during the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.
SCOPE AND PURPOSE OF DATA COLLECTION
If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship.
The legal basis for this is Art. 6 (1) lit. b DSGVO and – if you have given your consent – Art. 6 (1) lit. a DSGVO. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.
STORAGE PERIOD OF THE DATA
If we are unable to make you a job offer, if you reject a job offer or withdraw your application, we reserve the right to keep the data you have provided with us for up to 6 months from the end of the application process (after the probationary period of the recruited applicant, rejection or withdrawal of the application) on the basis of our legitimate interests (Art. 6 para. 1 lit. f DSGVO). Subsequently, the data will be deleted and the physical application documents destroyed. This retention serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will not be deleted until the purpose for continued storage no longer applies.
Longer storage may also take place if you have given your corresponding consent (Art. 6 Para. 1 lit. a DSGVO) or if legal storage obligations prevent deletion.
INCLUSION IN THE APPLICANT POOL
If we do not make you a job offer, there may be the possibility of including you in our applicant pool. If you are accepted, all documents and information from your application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.
Inclusion in the applicant pool takes place exclusively on the basis of your express consent (Art. 6 para. 1 lit. a DSGVO). The provision of consent is voluntary and is not related to the current application process. The data subject may revoke his/her consent at any time. In this case, the data from the applicant pool will be irrevocably deleted, unless there are legal reasons for retention.
The data from the applicant pool will be irrevocably deleted no later than two years after consent has been given.