Data protection declaration for business partner
I. Name and address of the responsible person
II. Name and address of the data protection officer
The data protection officer of the person responsible is:
III. Purpose and legal basis of the processing
We process the aforementioned personal data in accordance with the provisions of the EU Data Protection Basic Regulation (DSGVO) and the Federal Data Protection Act (BDSG).
1. Based on your consent (Article 6 para. 1a DSGVO)
If you have given us your consent to process personal data for specific purposes, the lawfulness of the processing is based on your consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent that were issued to us prior to the validity of the DSGVO, i.e. before 25 May 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected. You can request a status overview from us at any time.
2. To fulfil contractual obligations (Article 6 (1b) DSGVO)
The processing of personal data is carried out within the framework of the execution of our contracts with our customers and suppliers, as well as for the implementation of pre-contractual measures taken at your request, and for all activities necessary for the operation and management of our company. The purposes of data processing are primarily based on the specific product and/or service.
3. Due to legal requirements (Article 6 para. 1c DSGVO) or in the public interest
(Article 6 para. 1e DSGVO)
- Not applicable –
4. As part of the balancing of interests (Article 6 (1f) DSGVO)
As far as necessary, we process your data beyond the actual fulfilment of the contract in order to protect legitimate interests of us or third parties. Examples:
- advertising or market and opinion research, unless you have objected to the use of your data
- Assertion of legal claims and defense in legal disputes
- Guarantee of IT security
- prevention of crime
- Video surveillance for the protection of the right to the house and for the collection of evidence in the event of criminal offences as well as measures for building and plant security (e.g. access controls)
- Measures for business management and further development of services and products
IV. Data transmission
Within our company, access to your data is granted to those entities that need it to fulfil our contractual and legal obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they comply with our written data protection instructions or are subject to professional secrecy. These are mainly companies from the following categories:
- - Public bodies and institutions (e.g. authorities, banks, insurance companies, ...) in the event of a legal or official obligation
- - Processors or service providers to whom we transfer personal data in order to carry out the business relationship with you. In detail:
- - Support/maintenance of EDP/IT applications, telephony, compliance services, (risk) controlling, data destruction, purchasing/procurement, customer administration, marketing
Other data recipients may be those entities for which you have given your consent to data transfer.
V. Transfer of data to a third country or international organisation
Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary or legally required for the execution of our business relationship or if you have given us your consent.
If service providers in the third country are used within the scope of an order processing, they are obliged to comply with the level of data protection in Europe in addition to written instructions by the agreement of the EU standard data protection clauses, unless there is a so-called adequacy decision of the EU Commission with regard to the level of data protection (Art. 45 DSGVO).
Adequacy decision means that the EU Commission has determined, after appropriate examination, whether and that a level of protection exists in the third country which is equivalent to the level of protection granted in the DS Block Exemption Regulation (so-called safe third countries) on the basis of its national legislation and its application, the existence and effective functioning of one or more independent supervisory authorities and its international obligations. Decisions on adequacy are currently in place for the countries of Andorra, Argentina, the Faroe Islands, Israel, the Isle of Man, Canada, Guernsey, Jersey, New Zealand, Uruguay and the USA under the Privacy Shield Agreement.
The EU Standard Privacy Clauses are a standardized set of agreements on data protection that applies between service providers and their customers to ensure that personal data leaving the EEA is transferred in compliance with the European level of data protection and the requirements of the DS Block Exemption Regulation and that enforceable rights and effective remedies are available to data subjects.
VI. Data storage
We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation which is scheduled for several years.
If the data is no longer necessary for the fulfilment of contractual or legal obligations, it will be regularly deleted, unless its - temporary - further processing is necessary for the following purposes:
- Fulfilment of commercial and tax law retention periods: The commercial code, the tax code, ... . The periods for storage and documentation provided for there are between six and ten years.
- Preservation of evidence within the scope of the statute of limitations: According to §§ 195 ff. of the German Civil Code (BGB), these periods of limitation can be up to 30 years, whereby the regular period of limitation is three years.
VII. Your privacy rights
Every data subject has the right of access under Article 15 DSGVO, the right of rectification under Article 16 DSGVO, the right of deletion under Article 17 DSGVO, the right to restrict processing under Article 18 DSGVO, the right of objection under Article 21 DSGVO and the right of data transferability under Article 20 DSGVO. With regard to the right to information and the right of deletion, the restrictions under Articles 34 and 35 BDSG apply. In addition, there is a right of appeal to a data protection supervisory authority (Article 77 DSGVO in conjunction with Article 19 BDSG). Eine erteilte Einwilligung in die Verarbeitung personenbezogener Daten können Sie jederzeit uns gegenüber widerrufen. Dies gilt auch für den Widerruf von Einwilligungserklärungen, die vor der Geltung der EU-Datenschutz-Grundverordnung, also vor dem 25. Mai 2018, uns gegenüber erteilt worden sind. Bitte beachten Sie, dass der Widerruf erst für die Zukunft wirkt. Verarbeitungen, die vor dem Widerruf erfolgt sind, sind davon nicht betroffen.
VIII. Your data provision obligation
Within the scope of our business relationship, you must provide us with the personal data that is necessary for the commencement and execution of a business relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will usually have to refuse to conclude the contract or execute the order, or we will no longer be able to execute an existing contract and may have to terminate it.
IX. Automated decision making
As a matter of principle, we do not use a fully automated decision-making process in accordance with Article 22 of the DSGVO to establish and conduct the business relationship. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law.