Data Privacy Information
pursuant to the EU General Data Protection Regulation (GDPR) for Customers and Suppliers
Valid as of: September 2018
The following information aims to provide an outline of how we process your personal data and of your rights under the General Data Protection Regulation and the German Data Protection Act (BDSG).
1. Who is responsible for data processing and who can I talk to about it?
a) The Controller is:
Boschert GmbH & Co. KG
Mattenstr. 1
79541 Lörrach
Tel: +49 7621 9593-45
Fax: +49 7621 5518-4
Email:
hereinafter referred to as “Boschert”, “we” or “us”.
b) Data Protection Officer
You can contact our Data Protection Officer by email:
2. Why do we process personal data and what is the legal basis for doing so?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and national data protection legislation:
a) Inordertocomplywithcontractualobligations
Particularly in connection with customer orders and with purchase orders placed with suppliers and service partners (Art. 6 (1), sentence 1 (b) GDPR)
b) To protect legitimate interests in the context of a balancing of interests
Where necessary, our data processing goes beyond actual performance of the contract in order to protect our legitimate interests or those of third parties (Art. 6 (1), sentence 1 (f) GDPR), namely:
-
Advertising, provided you have not objected to the use of your data
-
Asserting and defending legal claims in case of legal disputes
-
Ensuring the company’s security of information and IT operations
-
Video surveillance for enforcing house rules
-
Measures to ensure building and plant safety
c) Withyourconsent
Where you give us your consent to process personal data for specific purposes (e.g. videos, photographs and newsletters) your consent constitutes the legal basis for such processing (Art. 6 (1), sentence 1 (a) GDPR). Consent may be revoked at any time.
d) Tocomplywithalegalobligation
The reasons for processing include compliance with monitoring and reporting obligations under tax and social-security law (Art. 6 (1), sentence (c) DSGVO).
3. Who receives my data?
Within Boschert, access to your personal data is given to those persons who need it in order to ensure compliance with our contractual and statutory obligations or to protect legitimate interests.
In addition, our service providers and agents involved in contractual performance, may receive data for these purposes. We are only permitted to share information about you where required by law to do so; where you have given consent; where we are authorized by statute to issue or share information and/or where our commissioned order processors likewise guarantee to comply with a duty of confidentiality and with the requirements of the General Data Protection Regulation and the German Data Protection Act.
Subject to these conditions, the following may receive data
-
order processors, particularly cloud and ASP service providers
-
subcontractors for the fulfilment of orders
-
credit-rating agencies
-
public bodies for compliance with statutory reporting
requirements, e.g. tax authorities, social insurance agencies, prosecution authorities
-
data destruction providers
-
lawyers, accountants and auditors
-
leasing companies
-
debt recovery services
-
card payment processors (credit cards) and payment
transactions with banks
-
telephone service providers
-
website management (hosting/maintenance)
-
insurance companies
4. Will data be sent to a third country or an international organization?
Data transfer to countries outside the EU or the EEA (known as third countries) only takes place where it is necessary in order to execute your orders (e.g. procurement of materials, manufacture, logistics); where it is required by law (e.g. reporting requirements under tax law); where you have given us your consent or
!1
where it forms part of order processing. Where service providers are deployed in third countries, in addition to written instructions, they are also bound by the EU standard contractual clauses to comply with the level of data protection in the EU.
5. How long will my data be stored?
We process and store your personal data for as long as necessary in order to meet our contractual and statutory duties. We delete your personal data as soon as it is no longer necessary for the aforementioned purposes. In this regard, it may be the case that personal data is stored for the period in which claims can be made against our company (statutory limitation periods of between three and thirty years). In addition, we store your personal data insofar as we are under a statutory duty to do so. Such obligations regarding evidence and storage arise from commercial, tax and social security regulations.
6. To what extent do you use automated decision making (including profiling)?
In principle, we do not use fully automated decision- making pursuant to Article 22 DSGVO to establish and carry out the business relationship. No profiling takes place.
7. What are my data privacy rights?
You have the following rights against us as the controller. If you wish to assert your rights or require further information, please contact us or our Data Protection Officer:
a) RightsunderArt.15etseq.GDPR
(1) You have the right of access pursuant to Article 15 GDPR. Under certain circumstances, you have the right to rectification under Article 16 GDPR, the right to restriction of processing under Article 18 GDPR and the right to erasure (“right to be forgotten”) pursuant to Article 17 GDPR. In addition, you have the right to receive the data which you have provided in a structured, machine-readable format (right to data portability) pursuant to Article 20 GDPR, insofar as the processing is carried out by automated means and based on consent under Art. 6 (1) (a) or Art. 9 (2) (a) or on a contract under Art. 6 (1) (b) GDPR. In the case of the right of access and the right to erasure, the restrictions under Sections 34 and 35 German Data Protection Act (BDSG) apply.
b) Withdrawalofconsent
Where processing is based on consent you can withdraw your consent to the processing of personal data at any time (Art. 7 (3) GDPR).
c) RightofComplaint
You have the right to lodge a complaint with us or with a data protection supervisory authority (Article 77 GDPR
in conjunction with Section 19 German Data Protection Act (BDSG)).
d) Right to object under Article 21 GDPR
In addition to the foregoing rights you have the following rights to object:
Right to object based on your particular situation
You have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on Article 6 (1) (e) GDPR (Data processing in the public interest), or on Article 6 (1), sentence 1, (f) GDPR (Data processing for the purposes of legitimate interests); this also applies to profiling based on these provisions within the meaning of Article 4 (4) GDPR where applicable. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if processing serves the establishment, exercise or defense of legal claims.
Right to object to the processing of data for marketing purposes
In certain cases, we process your personal data in order to carry out direct marketing. You have the right to object at any time to the processing of personal data concerning you, for the purpose of such marketing; this also applies to profiling to the extent that it is connected to such direct marketing. If you object to processing for direct marketing purposes, we will cease to process your personal data for such purposes. Objection can be made informally to the address indicated under Clause 1.
!2