2. Data protection officer
You can contact our company data protection officer at:
Phone: +49 (0)7151 36900 0
Email: [email protected]
3. Purpose and legal basis of processing
We process the above-mentioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
3.1. On the basis of your consent (Article 6(1)(a) GDPR)
Where you have given us your consent to process your personal data for specific purposes, the processing is deemed to be lawful on the basis of your consent. You may withdraw your consent at any time. This also applies to the withdrawal of consent given prior to the GDPR coming into force, i.e. before 25 May 2018. Please note that the withdrawal of consent only applies to future processing. Any processing that took place before consent was withdrawn is not affected by this. You may request an overview of the current status from us at any time.
3.2. In order to fulfil contractual duties (Article 6(1)(b) GDPR)
The processing of personal data takes place as part of the performance of our contracts with our customers and suppliers, as well as for the purpose of taking steps at your request prior to entering into a contract, and for the purpose of conducting all the necessary activities associated with the operation and management of our company. The purposes of the data processing are primarily dependent on the specific product and/or service in question.
3.3. On the basis of legal requirements (Article 6(1)(c) GDPR) or where it is in the public interest to do so (Article 6(1)(e) GDPR)
We are also subject to legal obligations and statutory requirements, such as Section 147 of the Fiscal Code of Germany (AO), "Formal rules on the retention of documents", or Section 257 of the Commercial Code of Germany (HGB), "Retention of documents / retention periods".
3.4. Within the context of balancing interests (Article 6(1)(f) GDPR)
Where necessary, we conduct further processing of your data beyond the level required for fulfilment of the contract in order to safeguard our legitimate interests or those of third parties.
Consultation of and data exchange with credit agencies (e.g. Schufa) to determine credit and default risks
Reviewing and optimising procedures for demand analysis and for directly addressing customers, including customer segmentation, and determining the likelihood that a transaction will be concluded
Advertising or market research and opinion polling, unless you have objected to the use of your data for this purpose
Assertion of legal claims and defence in legal disputes
Ensuring IT security
Measures for business management and further development of products and services
4. Data transfer
Within our company, the departments that require your data in order to fulfil our contractual and legal obligations shall have access to your data. Service providers and agents used by us may also receive data for these purposes if they comply with our written data protection instructions or are subject to professional secrecy. These are mainly companies in the following categories:
Public bodies and institutions (e.g. tax authorities, auditors, customs authorities, lawyers) in the event of a legal or official obligation
Affiliated subsidiaries, sales partners, sales representatives
Order processors or service providers to whom we transfer personal data in order to fulfil our business relationship with you. More specifically, these are as follows: Maintenance/support services for IT applications, archiving, document processing, call centre services, compliance services, (risk) controlling, data screening, data destruction, purchasing/procurement, space management, debt collection, customer administration, lettershops, marketing, media technology, registration systems, research, expense management, telephony, video identity verification, website management, audit services
Other data recipients may be those for whom you have consented to the transfer of your data.
5. Data transfer to a third country or an international organisation
Data is only transferred to countries outside the EU or the EEA (so-called "third countries") where this is necessary in order to fulfil our business relationship or is required by law, or if you have given us your consent to this.
If service providers in a third country are used for the purpose of order processing, they shall be obligated to comply with the level of data protection in Europe on the basis of the agreement on the EU standard data protection clauses, in addition to written instructions, if no adequacy decision on the level of data protection has been made by the EU Commission (Article 45 GDPR).
An adequacy decision means that the EU Commission has, following a corresponding review, decided whether a level of protection exists in the third country that is equivalent to the level of protection afforded by the GDPR, on the basis of its national laws and their application, the existence and effective functioning of one or more independent supervisory authorities, and the international commitments it has entered into ("safe third countries"). Adequacy decisions currently exist for Andorra, Argentina, the Faroe Islands, Israel, the Isle of Man, Canada, Guernsey, Jersey, New Zealand, Uruguay and the USA, within the context of the Privacy Shield framework.
The EU standard data protection clauses are a standard set of agreements on data protection that are concluded between service providers and their customers in order to ensure that personal data that leaves the EEA is transmitted in compliance with the European level of data protection and the requirements of the GDPR, and that enforceable rights and effective remedies are available for the data subjects.
6. Data storage
We process and store your personal data where this is necessary in order to meet our contractual and legal obligations. Please note that our business relationship is a continuing obligation which is intended to last for several years.
If the data is no longer needed to fulfil contractual or legal obligations, it is erased at regular intervals unless – limited – further processing of the data is necessary for the following purposes:
Compliance with retention periods required under commercial and tax law: Relevant laws include the German Commercial Code and the Fiscal Code of Germany. The retention and/or documentation periods stipulated in these laws range from six to ten years.
Preservation of evidence under the statute of limitations: According to Sections 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), these limitation periods may be up to 30 years, with the ordinary period being three years.
7. Your rights in relation to data protection
Every data subject has the right of access in accordance with Article 15 GDPR, the right to rectification according to Article 16 GDPR, the right to erasure based on Article 17 GDPR, the right to restriction of processing according to Article 18 GDPR, the right to object in accordance with Article 21 GDPR and the right to data portability based on Article 20 GDPR. The restrictions set out in Sections 34 and 35 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) apply to the right of access and the right to erasure. Furthermore, the data subject has the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
You have the right to withdraw your consent to the processing of personal data by us at any time. This also applies to the withdrawal of consent given prior to the EU General Data Protection Regulation coming into force, i.e. before 25 May 2018. Please note that the withdrawal of consent only applies to future processing. Any processing that took place before consent was withdrawn is not affected by this.
8. Your obligation to provide data
As part of our business relationship, you have to provide the personal data that is required in order to initiate and conduct a business relationship and to fulfil the associated contractual obligations, or the data that we are legally required to collect. Without this data, we will normally have to refuse to conclude the contract or execute the order, or we will be unable to continue executing an existing contract and may have to terminate it.
9. Automated decision-making (including profiling)
As a general rule, we do not use any automated decision-making as per Article 22 GDPR in order to establish or conduct a business relationship. Should we use this procedure in individual cases, we will notify you of this separately where we are legally required to do so.