Data Privacy Notice for Customers, Interested Parties and Suppliers
1. Who is responsible for the data processing, and whom can you contact?
2. What data are processed, and from what sources do these data originate?
We process personal data that we receive from you during the initiation of business and the business relationship. In addition, we process data that we have legitimately received from other companies of our partners or from other third parties (e.g. for the execution of orders, the performance of contracts or on the basis of consent you have granted) as well as data that we have legitimately obtained from publicly accessible sources, information databases and credit agencies (e.g. land registers, commercial registers, registers of associations, press, media, Internet). Among other personal data, we process the following:
- first name and surname, postal address, email address, telephone number, banking details
- information on the nature and content of the business relationship (e.g. contract/order data, turnover and billing data, customer/supplier history, consultation documents)
- information on your financial status (e.g. creditworthiness data)
- documentation data (e.g. consultation records), image data
- other data that we have received from you during our business relationship (e.g. in talks with customers)
- information from your electronic communication with us
- the documentation of your declaration of consent to receipt of advertising (e.g. newsletter) or to participation in customer surveys
- image data from video surveillance systems
- photos taken at public events
3. For what purposes and on what legal basis are data processed?
We process your data in compliance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and all other relevant legal provisions. In this connection, we process your data as follows:
3.1. Within the scope of your consent (Art. 6 (1), a) GDPR)
Where you have given us your consent to the processing of your data, processing takes place only for the purposes specified in the declaration of consent and to the extent agreed upon therein.
3.2. To fulfil (pre)contractual duties (Article 6 (1) b) GDPR)
The processing of personal data takes place in order to provide services in the course of the performance of our contracts with our customers or in order to take steps at your request prior to entering into a contract. The purposes of the data processing are primarily based on the requirements of the service and may encompass, among other things, consultancy or the creation and management of a customer or supplier account. The further details for the purpose of data processing can be gathered from the respective contract documents and the terms and conditions of business.
3.3. To fulfil legal obligations (Article 6 (1) c) GDPR)
As a company, we are subject to various legal obligations, i.e. statutory requirements (e.g. tax law, the law on waste). The purposes of the processing include, among other things, fulfilment of monitoring and reporting obligations under tax law as well as fulfilment of verification requirements under the law on waste.
3.4. To safeguard our legitimate interests (Art. 6 (1) f) GDPR)
Based on a balancing of interests, data processing may take place beyond the actual performance of the contract in order to safeguard our legitimate interests or those of third parties.
Data processing for the safeguarding of legitimate interests takes place in the following cases for example:
- testing and optimising procedures for needs analysis and for contacting customers directly
- marketing and advertising activities
- asserting, exercising and defending legal claims
- technical and organisational measures for protecting the sites against conduct that is in breach of the contract or unlawful, e.g. video surveillance and measures to protect our website
- consulting and exchanging data with credit agencies and creditor protection associations for ascertaining creditworthiness data, as well as keeping a Group-wide creditworthiness database for the identification of financial default risks in the case of joint customers
4. Processing of personal data for advertising purposes
We shall also use your data in order to communicate with you about the services that you have ordered or about certain products or marketing campaigns and to recommend services/products that may be of interest to you. You may, at any time, object to the use of your personal data for advertising purposes overall or for individual measures without this giving rise to transmission costs other than those arising according to the basic tariffs.
5. Service/product recommendations by email
Subject to the statutory prerequisites set out under Section 7 (3) of the Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG), the email address you have given us may be used by us for the direct marketing of our own similar services or goods. You will receive these recommendations regardless of whether you have subscribed to a newsletter. If you do not wish to receive such recommendations by email, you may, at any time, object to the use of your address without this giving rise to transmission costs other than those arising according to the basic tariffs.
6. Processing of creditworthiness information
We carry out a credit check when entering into a contract and in certain cases where there is a legitimate interest, also in the case of existing customers. For this purpose, we may send your name and your contact details to the corresponding entities where necessary. Exchanging data with these credit agencies also serves fraud prevention and identity verification. The legal basis for these transfers is Art. 6 (1) b) and f) GDPR.
The credit agencies process data and use data also for the purpose of profiling (scoring) in order to provide their contractual partners with information, e.g. on the creditworthiness of natural persons.
7. Who receives your data?
Service providers and vicarious agents engaged by us may receive your data if they need these data for the fulfilment of our contractual and statutory obligations. These are companies of our partners or third parties from the categories set out below:
- public bodies and institutions if a statutory or official obligation exists
- subcontractors and companies commissioned by us to carry out tasks in our name
- external auditors, insurance companies, banks, credit agencies
- Processors to whom we transfer data for the implementation of the business relationship with you are engaged by us in the following fields: handling subcontractor services, support/maintenance of electronic data processing/IT applications, archiving, document processing, call-centre services, compliance services, controlling, data destruction, customer administration, lettershops, marketing, media technology, reporting, telephony, video surveillance, website management, payment transactions. Further data recipients may include those entities for which you have given your consent to data transfer.
We conclude with our service providers contracts that meet the requirements of the relevant data protection laws. Service providers must take appropriate technical and organisational measures to protect the data subjects’ rights and freedoms and are not permitted to process personal data contrary to our instructions.
8. Are data transferred to a third country or to an international organisation?
As a rule, we do not transfer data to third countries. Such transfer takes place only in individual cases on the basis of an adequacy decision of the European Commission, standard contractual clauses, appropriate safeguards or according to express consent on your part.
9. For how long are your data stored?
Where no express storage period is specified upon the collection of your data, e.g. in the context of a declaration of consent, your personal data will be deleted when and insofar as they are no longer necessary for the fulfilment of the purpose of the processing, unless statutory retention obligations (e.g. under commercial and tax law) preclude deletion.
10. What data protection rights do you have?
You have the following rights regarding your personal data:
10.1. right to access information about the processing in accordance with Article 15 GDPR
10.2. right to rectification in accordance with Article 16 GDPR
10.3. right to erasure in accordance with Article 17 GDPR
10.4. right to restriction of the processing in accordance with Article 18 GDPR
10.5. right to data portability in accordance with Article 20 GDPR
10.6. Right to object
You may object to the processing of your personal data for direct marketing purposes.
10.7. Withdrawal of consent
You may, at any time, withdraw the consent that you have given us regarding the processing of your personal data. Please note that withdrawal will only take effect for the future. The withdrawal of consent will not affect processing activities conducted prior to withdrawal.
10.8. Right to complain
You also have the option of contacting the competent data protection supervisory authority.
11. Are you obliged to provide data?
Within the framework of our business relationship, you must provide the personal data necessary for establishing and implementing a business relationship and for the performance of the contractual duties associated therewith or the personal data that we are legally obliged to collect. Without these data, we ordinarily have to decline the conclusion of the contract or execution of the order and are unable to continue with the performance of an existing contract and may have to terminate it.
12. Are the data processed by automated means?
We do not use automated decision-making/profiling that produces legal effects concerning you or similarly significantly affects you.
13. Amendments to this Data Privacy Notice
We reserve the right to amend this Data Privacy Notice in order to adapt it where necessary to altered legal situations or in the event of changes to the service or the data processing.
For reasons of better readability, the simultaneous use of the linguistic forms masculine, feminine and diverse (m/f/d) has been dispensed with. All personal designations apply equally to all genders.
As of March 2024