Information on data protection regarding our processing of customer and prospect data pursuant to Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
Dear Customer, Dear Prospective Customer,
In accordance with the provisions of Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR), we hereby inform you of the processing of the personal data collected about you and your rights under data protection law in this regard. Which data is processed in detail and how it is used depends largely on the requested or agreed services. In order to ensure that you are fully informed about the processing of your personal data within the framework of the performance of a contract or the implementation of pre-contractual measures, please take note of the following information.
1. Controller in accordance with the data protection law
2. Contact data of our Data Protection Officer
3. Purposes and legal basis of the processing
We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR)and the Federal Data Protection Act (subsequently referred to as BDSG 2018), insofar as these are necessary for the establishment, execution and performance of a contract and for the implementation of pre-contractual measures. If the disclosure of personal data is necessary for the initiation or execution of a contractual relationship or in the context of the execution of pre-contractual measures, processing in accordance with Art. 6 Para. 1 lit. b GDPR is lawful.
If you give us your express consent to process personal data for specific purposes (e.g. disclosure to third parties, evaluation for marketing purposes or advertising), the lawfulness of this processing is given on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. Any consent given may be withdrawn at any time with effect for the future (see section 9 of this data protection information).
If necessary and legally permissible, we process your data beyond the actual contractual purposes to fulfil legal obligations in accordance with Art. 6 Para. 1 lit. c GDPR. In addition, processing may be carried out to safeguard legitimate interests of us or third parties in accordance with Art. 6 Para. 1 lit. f GDPR. If necessary, we will inform you separately, stating the legitimate interest, insofar as this is required by law.
4. Categories of personal data
We process only such data which are connected with the contract initiation or the pre- contractual measures. This can be general data about your person or persons of your company (name, address, contact data etc.) as well as further data, if necessary, which you transmit to us in the context of the initiation of the contract.
5. Sources of data
We process personal data which we receive from you within the framework of establishing contact or a contractual relationship or within the framework of pre-contractual measures.
6. Recipient of the data
We transfer on your personal data within our company exclusively to those areas and persons who need this data to fulfil their contractual and legal obligations or to implement our legitimate interest.
We may transfer your personal data to companies affiliated with us to the extent permitted by the purposes and legal bases set out in Section 3 of this Data Protection Information Sheet.
Your personal data will be processed on our behalf on the basis of data processing agreements in accordance with Art. 28 GDPR. In these cases, we ensure that the processing of personal data is carried out in accordance with the provisions of the GDPR. The categories of recipients in this case are providers of Internet services and providers of customer management systems and software.
Data will otherwise only be transferred to recipients outside the company if this is permitted or required by law, if it is necessary for the processing of the contract or, at your request, for the implementation of pre-contractual measures, if we have your consent or if we are authorized to provide information. Under these conditions, recipients of personal data may be, for example:
- External tax consultants
- Public bodies and institutions (e.g. public prosecutor’s office, police, supervisory authorities, tax office) where there is a legal or official obligation,
- Recipients to whom the transfer is directly necessary for the purpose of establishing or performing the contract
7. Transfer to a third country
Personal data will only be transferred to countries outside the EEA (European Economic Area) or to an international organization if this is necessary for the performance of the contract or, at your request, for the implementation of pre-contractual measures, if the transfer is required by law or if you have given us your consent.
Your data can be transferred to the USA and Canada. For Canada, the EU Commission has established an adequate level of data protection (EU adequacy decision on the Canadian Personal Information Protection and Electronic Documents Act). US recipients are required to use the Privacy Shield.
8. Duration of data storage
If necessary, we process and store your personal data for the duration of our business relationship or for the fulfilment of contractual purposes. This also includes the initiation and execution of a contract.
In addition, we are subject to various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the Fiscal Code (AO). The periods prescribed there for storage and documentation are between two and ten years.
Finally, the storage period also depends on the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB) can generally be three years, but in certain cases also up to thirty years.
9. Your rights
Every data subject has the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to notification pursuant to Art. 19 GDPR and the right to data portability pursuant to Art. 20 GDPR.
In addition, you have the right to lodge a complaint with a data protection supervisory authority pursuant to Art. 77 GDPR if you are of the opinion that the processing of your personal data is not lawful. The right to lodge a complaint with shall be without prejudice to any other administrative or judicial remedy.
Please feel free to contact us using the contact details given in section 1 to protect your rights.
10. Necessity of providing personal data
The provision of personal data for the purpose of deciding whether to conclude a contract, perform a contract or take pre-contractual measures is voluntary. However, we can only make a decision within the framework of contractual measures if you provide personal data necessary for the conclusion of the contract, the performance of the contract or pre- contractual measures.
11. Automated decision-making
In principle, we do not use fully automated decision-making pursuant to Art. 22 GDPR for the establishment, performance or execution of the business relationship or for pre-contractual measures. Should we use these procedures in individual cases, we will inform you of this separately or obtain your consent if this is required by law.