Information on the processing of your personal data
Diligence and transparency form the basis for trustful cooperation with our customers and business partners. This is why we are informing you about the processing of your data and your rights pursuant to the General Data Protection Regulation. The personal data to be processed as well as the purpose depend on the respective contractual relationship.
1. Who is responsible for data processing?
Responsible entity pursuant to Art. 4(7) of the GDPR:
Haller Strasse 45-53
Phone.: +49 7951 / 393-0
Fax: +49 7951 / 393-50
2. How can the data security engineer be contacted?
You can contact our data security engineer at:
Firma Schmid Datenschutz
Mr. Torsten Schmid
Am Berghain 5
Tel.: +49 7176 / 44 999 60
Fax: +49 7176 / 44 999 59
Via email: email@example.com
3. Which of your personal data will be used?
Whenever you have an inquiry, would like us to make an offer or enter into a contract with us, we will process your personal data. We also process your personal data, inter alia, to fulfill legal obligations, to protect a legitimate interest or because you have consented to this.
Depending on the legal basis, those pertain to the following categories of personal data:
- General contact details like names or addresses
- Communication data (phone number, email address, fax number)
- Contract master data, particularly contract numbers, terms, periods of notice, contract type
- Invoicing and turnover data
- Creditworthiness data
- Payment information and bank account details
- Information relating to customer accounts, particularly registration and login details
- Dates of birth
- VAT number
- Company registration number
- Advertising and sales data
- Documentation data (e.g. consultation protocols) and image data
- Information we have received from you in connection with our business relationship (e.g. email messages)
- Documentation of your declarations of consent, e.g. regarding receipt of newsletters
- Photos taken at public events
4. What are the sources of the data?
We process personal data we receive from our customers, service providers and suppliers.
In addition, we obtain personal data from the following sources:
- Certain documents, e.g. inquiries or orders
- General business communication
- Credit agencies
- Publicly accessible sources (e.g. business registers, media)
- Other companies we have established long-term business relationships with
- Telemedia we offer (e.g. when you accessed our web pages, which web pages you visited, etc.)
5. What are the purposes and the legal basis of data processing?
We process your personal data in compliance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) as well as all other relevant laws.
5.1 Data processing following a declaration of consent (Art. 6 subsection 1 a of the GDPR)
If you have voluntarily consented to collection, processing or disclosure of certain personal data, said consent shall constitute the legal basis for the processing of such data.
In the following cases, your personal data will be processed based on your declaration of consent:
- Sending of email newsletters, customer magazines or any other type of advertising
- Market research (e.g. customer satisfaction surveys)
- Personal customer area within our online shop system
- Disclosure of your data to affiliated companies
- Use of images
5.2 Data processing to fulfill a contract (Art. 6 subsection 1 b of the GDPR)
We will process your personal data to execute the contract. Within this contractual relationship, we will primarily use your data for the following activities:
Establishment of contact in the context of the contract, contract management, ongoing customer support, service center, enforcement of warranty claims, receivables management, contract termination management.
For more detailed information on the purposes of data processing, please consult the respective contract documents, our purchasing terms or our terms and conditions.
5.3 Data processing to fulfill legal obligations (Art. 6 subsection 1 c of the GDPR) or in the public interest (Art. 6 subsection 1 e of the GDPR)
As a company, we are subject to various legal obligations. Fulfillment of said obligations may require processing of personal data
- to fulfill monitoring and reporting obligations according to tax law,
- to prevent / counteract criminal offenses and
- to comply with legal retention periods, in particular according to the Regulation of Taxation (Abgabenordnung; AO) and the German Commercial Code (Handelsgesetzbuch; HGB).
5.4 Data processing for the purposes of a legitimate interest (Art. 6 subsection 1 f of the GDPR)
In certain cases, we will process your data to protect a legitimate interest of our company or third parties:
- For direct customer approach
- Direct advertising or market and opinion research if you have not objected to the use of your data
- Measures to ensure building and system safety
- Video surveillance in the context of the domiciliary right
- Ensuring IT safety and proper IT operation
- To enforce legal claims and for defense during legal disputes
- Measures for business management and to improve services and products
In order to guarantee confidentiality when communicating via the internet, we use an SSL (Secure Socket Layer) encryption when transferring personal data, e.g. data from contact forms or online logins.
6 Who do we disclose your data to?
In order to fulfill our contractual and legal obligations, we disclose your personal data to various public bodies and internal departments as well as external service providers.
Within the company, your data are disclosed to the departments where they are needed to fulfill our contractual and legal obligations.
We cooperate with selected external service providers in order to fulfill our contractual and legal obligations:
- IT service providers (e.g. maintenance providers, hosting providers)
- Services to ensure building and system safety
- File and data destruction service providers
- Telecommunications providers
- Payment service providers
- Advising and consulting
- Marketing or sales service providers
- Credit agencies
- Authorized dealers
- Companies which cooperate with us (extended workbench)
- Suppliers (for direct deliveries)
Furthermore, we might be obliged to disclose your personal data to other recipients such as authorities in order to fulfill statutory reporting obligations:
- Financial authorities
- Customs authorities
- Social security bodies
Moreover, we might disclose your data to other parties if you have declared your consent regarding the respective disclosure.
7 Will your data be transferred to countries outside the European Union (so-called third countries)?
Countries outside the European Union (as well as the European Economic Area “EEA“) do not have the same data protection standards as countries within the European Union. For the purpose of processing your data, we might also hire service providers based in third countries outside the European Union. Currently, there is no EU Commission resolution on the general adequacy of data protection in third countries.
Thus, we have taken specific measures in order to ensure your data are processed as securely as within the European Union in those third countries. We enter into a contract provided by the EU Commission with our third-country service providers (standard data-protection clauses). Those clauses lay down appropriate safeguards for protection of your data with third-country service providers.
If service providers based in the USA are hired, some of them are also certified according to the EU-US Privacy Shield agreement.
8 How long will your data be stored?
We will store your personal data as long as required to fulfill our legal and contractual obligations.
If storing of the data is no longer required to fulfill contractual or legal obligations, your data will be deleted unless they need to be processed further for the following purposes:
- Fulfillment of retention obligations according to commercial and tax laws. The respective retention periods are mentioned in the German Commercial Code or the Regulation of Taxation.
- Keeping of evidence according to the statutory limitation rules. According to the limitation rules of the German Civil Code (Bürgerliches Gesetzbuch; BGB), such limitation periods may in some cases be as long as 30 years. However, the regular limitation period is three years.
9 Which rights do you have in the context of data processing?
Each affected person has the right of access to information according to Art. 15 of the GDPR, the right of correction according to Art. 16 of the GDPR, the right of deletion according to Art. 17 of the GDPR, the right of restriction of processing according to Art. 18 of the GDPR, the right of objection according to Art. 21 of the GDPR as well as the right of data portability according to Art. 20 of the GDPR. However, the right of access to information and the right of deletion are restricted by §§ 34 and 35 BDSG.
9.1 Right of objection
You may object to the use of your data for advertising purposes at any time without incurring any costs other than the transmission costs at the basic rates.
Which rights do you have if data are processed due to your legitimate or public interest?
According to Art. 21(1) of the GDPR, you have the right to object to the processing of your personal data pursuant to Art. 6(1)(e) of the GDPR (data processing in the public interest) or pursuant to Art. 6(1)(f) of the GDPR (data processing to protect a legitimate interest) due to reasons resulting from your particular situation at any time. The same applies to profiling pursuant to the same regulation.
If you object, we will no longer process your personal data unless we can prove there are compelling and legitimate reasons for data processing that outweigh your interests, rights and liberties, or if data processing serves to assert, exercise or defend legal claims.
Which rights do you have if data are processed for the purpose of direct advertising?
If we process your personal data for the purpose of direct advertising, you have the right (according to Art. 21 subsection 2 of the GDPR) to object to the processing of your personal data for the purpose of such advertising at any time. The same applies to profiling in the context of such direct advertising.
If you object to data processing for the purpose of direct advertising, we will no longer process your personal data for this purpose.
9.2 Revocation of consent
You can revoke your consent to the processing of personal data at any time. Please note such revocation is only effective for the future.
9.3 Right of access to information
You may request information on the storing of your personal data. If you wish, we will let you know which types of data we have been storing, what the purpose of data processing is, who the data will be disclosed to, how long the data will be stored and which further rights you have with respect to said data.
9.4 Further rights
Furthermore, you have the right of correction of wrong data or of deletion of your data. If there is no reason for us to store your data any longer, we will delete them; otherwise, we will restrict processing. You may also request that we make available either to you or a person or company of your choice all the personal data we have received from you in a structured, common and machine-readable format.
Moreover, you have the right to complain to the responsible data protection authority (Art. 77 of the GDPR in conjunction with § 19 of the BDSG).
9.5 Exercising your rights
In order to exercise your rights, you can contact the responsible entity at firstname.lastname@example.org, phone: +49 7951 / 393-0 or the data security engineer via the given contact information. We will process your inquiry as soon as possible and in accordance with legal requirements and let you know about the measures we have taken.
10 Are you obliged to provide us with your personal data?
In order to enter into a business relationship, you need to provide us with the personal data required for the performance of the contract or the data we are obliged to collect by law. If you do not provide us with said data, we will not be able to perform and execute the contract.
11 Modification of this information
If the purpose or the way of processing your personal data changes significantly, we will update this information promptly and inform you about the changes.
12 Automatic decision making
There will be no automatic decision making.