What sources and data do we use?
We process the data that is required in connection with the establishment, implementation and/or termination of our business relationships. We usually collect this data directly from you, e.g. in the context of a quotation request or order placement, as well as through your contact via our website, by e-mail, at trade fairs or comparable events.
Sometimes we may first receive your data from another person, e.g. a colleague in your company who names you as a contact person. If this happens, we will tell you our source when we first communicate with you.
The personal data we process includes:
- Name, first name and gender (for the salutation)
- Company affiliation and company address
- Usually two contact options in your company (e.g. telephone number and e-mail address)
- Records of business transactions and the respective correspondence
What do we process your data for (purpose of processing) and on what legal basis?
We use the data listed above for the preparation and fulfilment of business transactions and to establish and maintain effective business communication. The legal basis for these processing operations is usually Art. 6 (1) lit. f DSGVO if you represent another organisation as our business partner. Our legitimate interest here is to achieve the aforementioned purposes. If you as a person are directly our contractual partner, we process your data instead on the basis of Art. 6 (1) lit b DSGVO, which permits the processing of personal data for the performance of a contract or pre-contractual measures.
It may happen that we wish to collect further data from you at a later date or use it in a different way. Should this occur, we will ask you for your consent in accordance with Art. 6 Para. 1 lit. a in conjunction with Art. 7 DSGVO and inform you accordingly. If you give us this consent, it can be revoked informally at any time. The legality of the use of your data up to the time of the objection remains unaffected by the objection.
If your data is required for legal prosecution, it may be processed to protect our legitimate interests pursuant to Art. 6 (1) lit. f DSGVO. Our interest then lies in the assertion or defence of claims, for example in the context of the duty of proof in proceedings.
Who will get my data?
In our company, only those persons have access to your data who need it for the smooth implementation of our business relationship. This may also involve several specialist departments in our company, depending on which services or products you obtain from us. Furthermore, our IT department has access to your data for exclusively technical processing.
Service providers used by us may also be recipients of your personal data within the scope of commissioned processing pursuant to Art. 28 DSGVO.
Within the scope of processing your orders, it is sometimes necessary for us to transfer certain data to our corresponding suppliers or other business partners who are based in Germany, other European countries or the European Economic Area. This involves, for example, your name, your first name if applicable and your organisational affiliation as well as your contact details in your organisation.
We may be required to disclose certain data to the relevant authorised bodies as part of our legal obligations.
Is data transferred to a third country or to an international organisation?
As a rule, no data is transferred to countries outside the European Economic Area (so-called third countries). Nevertheless, data transfer to third countries may take place in individual cases, insofar as:
- it is required by law,
- you have given us your consent or
- this is legitimised by the legitimate interest under data protection law and no higher interests of the data subject worthy of protection conflict with this.
Furthermore, we do not transfer any personal data to bodies in third countries or international organisations.
However, we use service providers for certain tasks, most of which also use service providers that may have their registered office, parent company or data centres in a third country. A transfer is permitted if the European Commission has decided that an adequate level of protection exists in a third country (Art. 45 GDPR). If the Commission has not made such a decision, we or our service providers may only transfer personal data to a third country if appropriate safeguards are in place (e.g. standard data protection clauses adopted by the EU Commission or the supervisory authority in a specific procedure) and enforceable rights and effective remedies are available.
An example of this is our use of Microsoft Office 365 as a company-wide communication system. While Microsoft also operates servers within the EU, it cannot be ruled out that your data may be transferred to a third country (e.g. the USA) in this context and processed there.
We have concluded an order processing agreement with Microsoft in accordance with Art. 28 DSGVO with EU standard contractual clauses to maintain an appropriate level of data protection. Please feel free to contact us at the above contact details for further information on this if required.
We have concluded corresponding order processing contracts with our service providers and have also contractually agreed that
How long will my data be stored?
We store your data during the entire ongoing business contact between us and your organisation, which includes in particular the existence of a contract or pre-contractual measures.
In addition, we store your data to the extent and insofar as we are obliged to do so due to mandatory legal regulations, such as retention periods under commercial or tax law. This generally applies for a period of ten years. If we no longer need your data for the purposes described above, it will be stored separately during the respective statutory retention period and not processed for other purposes. After expiry of the statutory retention periods, all data that still exists will be securely deleted or destroyed immediately.
Is there an obligation to provide data?
The provision of your personal data is initially neither legally nor contractually required, nor are you obliged to provide this data.
However, if you yourself are in a direct business relationship with us, you must provide those personal data that are necessary for the establishment and execution of a business relationship and the fulfilment of the associated contractual obligations. Without this data, we will usually have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it.
Insofar as a business relationship with a company represented by you towards us is concerned, you must provide us with those personal data which are necessary for the commencement and execution of a representation/authorisation and the fulfilment of the associated contractual obligations. Without this data, we will usually have to reject you as an authorised representative/authorised agent or cancel an existing authorisation/authorisation.
To what extent is there automated decision-making?
We do not use automatic decision-making pursuant to Article 22 of the GDPR for the establishment, implementation and termination of the business relationship. Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.
Does profiling take place?
We do not process your data with the aim of automatically assessing certain personal aspects.