1. Who is responsible for data processing and who can you contact?
Our data protection officer Frits Diepen can be contacted by e-mail: firstname.lastname@example.org
2. What sources and data do we use?
We process personal data that we receive from our suppliers and customers as part of our business relationship. In addition, we process – to the extent necessary for the performance of our duties – personal data that we legitimately gain from publicly available sources (e.g. trade and association registries, press, internet) as well as those of other companies or other third parties (e.g. a credit reference agency).
Relevant personal information includes personal details (name, address and other contact information) and credentials. In addition, this also includes purchase order data, data from the fulfillment of our contractual obligations such as turnover data in payment transactions, information about your financial situation (e.g. credit, scoring or rating data), documentation data (e.g. commercial registry) and other information comparable with the mentioned categories.
3. What do we process your data for (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR):
a. For the fulfillment of contractual obligations (Article 6 (1) (b) GDPR)
The processing of data takes place to fulfill our obligations from the purchase, works, leasing or rental contract or to carry out pre-contractual measures, which are carried out on request.
b. In the context of balance of interests (Article 6 (1) (f) of the GDPR)
If necessary, we process your data beyond the actual fulfillment of the contract for the protection of legitimate interests of us or third parties.
– Consultation and data exchange with credit bureaus to identify credit and default risks in our purchasing processes
– Assertion of legal claims and defense in legal disputes
– Ensuring the IT security and IT operations of the company
– Prevention and investigation of criminal offenses
c. On the basis of your consent (Article 6 (1) (a) of the GDPR)
Insofar as you have given us consent to the processing of personal data for specific purposes, the legality of this processing is based on your consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent that were issued to us before the validity of the GDPR, i.e. before May 25th, 2018. The revocation of consent is only effective for the future and does not affect the legality of the data processed until the revocation.
d. On the basis of legal requirements (Article 6 (1) (c) of the GDPR)
In addition, as a company, we are subject to various legal obligations (e.g. money laundering law, tax law). Processing purposes include, but are not limited to, credit scoring, identity verification, fraud and money laundering prevention, compliance with tax reporting and reporting requirements, and risk assessment.
4. Who gets your data?
Within the organization, entities gain access to your data only if they need it to fulfill our contractual and legal obligations, e.g. fulfillment of purchase orders. Our service providers and vicarious agents may also receive data for these purposes. These are companies in the categories of logistics, telecommunications and debt collection.
Regarding the data transfer to recipients outside of our company, it should first be noted that we only pass on necessary personal data in compliance with the applicable data protection regulations. In principle, personal data of our customers and suppliers may only be passed on if required by law, if the data subject has given his consent or if we are otherwise authorized to disclose it. Under these conditions, examples of recipients of personal data are:
– Public bodies and institutions (such as tax authorities, law enforcement agencies) in the presence of a legal or regulatory obligation
– Creditors or insolvency administrators requesting foreclosures
– Service providers we use in the context of order processing relationships
Other data recipients may be those for whom you have given us your consent to the transfer of data or to whom we may transfer personal data due to a balance of interests.
5. Are data transmitted to a third country or to an international organization?
A transfer of data to offices in countries outside the European Union (so-called third countries) takes place insofar as:
– it is necessary for the execution of the contractual relationship (e.g. processing of orders)
– it is required by law (e.g. tax reporting obligations) or
– you have given us your consent
Furthermore, a transfer to offices in third countries is foreseen in the following cases:
– If necessary in individual cases, your personal data may be transmitted to an IT service provider in the United States or to another third country to ensure the IT operation of the company, in compliance with the European data protection level.
– In individual cases, personal data (such as legitimacy data) will be transmitted in compliance with the data protection level of the European Union, with the consent of the data subjects or by legislation regulating the fight against money laundering, terrorist financing and other criminal acts, as well as in a balance of interests.
6. How long will your data be stored?
We process and store your personal data as long as this is necessary for the fulfillment of our contractual and legal obligations.
If data are no longer required for the fulfillment of contractual or legal obligations, these are regularly deleted, unless their temporary processing is necessary for the following purposes:
– Fulfillment of commercial and tax retention requirements, which can result from: Commercial Code, Tax Code, and Money Laundering Act. The deadlines for storage and documentation specified there are usually two to ten years.
– Preservation of evidence in accordance with the statutory limitation provisions. According to § 195 (f) of the German Civil Code, these limitation periods can be up to 30 years, whereby the regular period of limitation is 3 years.
7. What are your privacy rights?
Each data subject has the right to information under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to a cancellation under Article 17 of the GDPR, the right to limit processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR.
8. Is there a duty for you to provide data?
As part of our contractual relationship, you must provide the personal information necessary for the commencement, execution and termination of the contractual relationship and the fulfillment of the contractual obligations associated therewith, or for the collection of which we are legally obliged. Without this data, we will generally be unable to conclude, execute and terminate a contract with you.
If you do not provide us with the necessary information and documents, this may conflict with the inclusion and execution of the contractual relationship.
9. Information about your right of appeal according to Art. 21 of GDPR
Case-specific right of appeal or protest
You have the right, at any time and for reasons of your own particular situation, to prevent the processing of personal data relating to you pursuant to Article 6 (1) (e) of the GDPR (Data Processing in the Public Interest) and Article 6 (1) (f) of the GDPR (data processing on the basis of a balance of interests).
If you object or appeal to our use of your data, we will no longer process your personal information unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms. This is required if your data is necessary for the assertion, exercise or defense of legal claims.
Recipient of protests
Any protests or objection to our use of your data can be issued form-free with the subject “objection” stating your name, address and date of birth and should be addressed to:
+423 392 6566
Updated May 1, 2020