Hamm Footwear Info – Art. 13 / 14 GDPR | Cortina Consult

Hamm Market Solutions GmbH & Co. KG

Information on data handling in accordance with Art. 13 and 14 DSGVO

General information about data handling

The protection of your private rights and freedoms is important to us; we only use your data for the purposes intended. Since it is important to us that you know at all times to what extent we collect, use and, if necessary, forward your data to third parties, we will inform you comprehensively below about the processing of your personal data collected by us or stored by us. We will not process data without a legal basis without your informed consent. When processing personal data, we strictly adhere to the requirements of the EU Data Protection Regulation (GDPR) and, if necessary, other data protection regulations.

Name and Address of the data controller

Hamm Market Solutions GmbH & Co. KG
Moritz Hamm/ Claus Gese
Am Huxmühlenbach 4
49084 Osnabrück

Telefon: 0541 – 200 25-01
Mail: [email protected]
Website: hamm-footwear.com/

Name and address of the data protection officer

Martina Brinkmann
Cortina Consult GmbH
Hafenweg 24
48155 Münster

Telefon: 02 51 – 29 79 47 40
Mail: [email protected]
Website: cortina-consult.com

If you have any questions about the processing of your personal data, if you wish to assert your rights as a data subject (e.g. the right to be informed, correct, block or delete data) or if you wish to withdraw your consent, please contact our data protection officer directly.

The rights of data subjects

Chapter III of the EU Data Protection Regulation (GDPR) provides for extensive rights for data subjects, which we will explain to you below with regard to the processing of your personal data:

1) The right to be informed
This specification applies in particular to the following data processing details:

  • The purpose of the processing operation
  • Categories of data
  • If necessary, recipient or categories of recipients
  • If necessary, the planned storage duration or the criteria for determining this duration
  • Information on the respective right to correction, deletion, restriction or objection
  • Existence of a right of appeal to a supervisory authority
  • If necessary, origin of the data (if not collected from you)
  • If necessary, existence of automated decision making including profiling, and including meaningful information about the logic involved, the scope and the expected effects
  • If necessary, (planned) transfer to a third country or international organisation

2) The right of rectification
If necessary, we will correct faulty data immediately if you inform us about the circumstance accordingly.

3) Right to deletion (right to be forgotten)
If the processing is no longer necessary and one of the following conditions is fulfilled:

  • Expiry of the purpose of processing
  • Withdrawal of your consent and the absence of any other legal basis for processing
  • Opposition to processing without an important reason to the contrary
  • Illegal processing
  • Required to fulfil a legal obligation
  • Data collection in accordance with Art. 8 para. 1 GDPR

As part of the deletion request, we may pass on your request to those third parties to whom your data was previously transferred.

4) The right to restriction of processing
Provided one of the following conditions is met:

  • You dispute the accuracy of your data (restriction may be made on our site for the duration of the verification)
  • In the event of unlawful processing and provided that the data is not to be deleted, deletion shall be replaced by restriction of processing
  • If the processing purposes expire, at the same time you need your data to assert, exercise or defend legal claims
  • After your objection pursuant to Art. 21 para. 1 GDPR and for the duration of the examination, whether our justified reasons outweigh yours.

5) The right to data portability
As long as it is technically possible and the rights and freedoms of other persons are not affected, we will – at your request – transfer your data to another recipient (data controller).

6) Right to object
If we collect personal data from you or have it collected and process it (on the basis of Art. 6 Para. 1(e) or (f) or Art. 9 Para. 2(a) GDPR), you have the right to object to data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be invalid, e.g. if we can prove compelling legitimate interests for processing that outweigh your interests, or processing serves to assert, exercise or defend legal claims. If we process your personal data for direct marketing purposes, you have the right to object to such processing at any time. This also applies to any profiling connected with such direct advertising. You also have the right to object to the processing of the data we hold about you, which is carried out by us for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR unless such processing is necessary to fulfil a task in the public interest.

7) Automated individual decision-making including profiling
If we collect personal data from you or have it collected and process it, you have the right not to be subject to decision based exclusively on automated processing – including profiling – which has a legal effect on you or significantly impairs you in a similar manner. Exceptions to this requirement apply if the decision to conclude or fulfil a contract between you and us is necessary or if you have expressly consented to the processing. In any event, we will take reasonable measures to protect your rights and freedoms and your legitimate interests, including at least the right on our part to obtain the intervention of a person to express our position and to challenge the decision.

8) Right to withdraw consent under the data protection laws
You have the right to revoke your consent to the processing of personal data at any time.

9) The right to file a legal complaint with a supervisory authority
A list of supervisory authorities in Germany can be found on the website of the Federal Commissioner for Data Protection or via the following link:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/Authorities_for_non-effective_area/Authorities_for_supervision_non-effective_area_list.html

Information on data security

We secure your personal data processed by us against loss, destruction, access, modification or distribution of your data by unauthorised persons by appropriate technical and organisational measures. However, despite regular checks, complete protection against all risks is not possible.

Legal basis for processing

We process personal data according to the specifications of the GDPR, depending on the type and purpose of processing, as follows:

Where allowed by law Specification of the GDPR
Informed consent Art. 6 para. 1(a)
In performance of a contract Art. 6 para. 1(b)
Implementation of pre-contractual measures Art. 6 para. 1(b)
Fulfilment of legal obligations Art. 6 para. 1(c)
Protection of vital interests Art. 6 para. 1(d)
Safeguarding our legitimate interest Art. 6 para. 1(f)
Our legitimate interest

Our legitimate interest, as defined in Article 6 para. 1(f) GDPR, is based on the performance of our business activities to maintain our operability and to safeguard the employment of our employees.

General deadlines for data deletion

After elimination of the storage purpose, the retention periods are generally at least six or ten years. As a rule, the deletion of data generally takes place without delay in accordance with our deletion plan, insofar as it does not preclude any obligation to retain data, the need to fulfil a contract or a legitimate interest.

Individual information according to the type of processing

Depending on the processing, the purposes, legal basis and other information may vary. You will find the exact assignment of the information in the following chapter.

IT security
The purpose of the processing operation Ensuring the security, integrity, confidentiality and availability of data through protection against unauthorized access from outside and inside.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data is already available and needed to ensure security.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) People Master Data, IT usage data; various
If necessary, change of purpose none
General network protection
The purpose of the processing operation Protective measures against unauthorized attacks and protection against electronic mass mailing and unintentional data flow and outflow (DLP). Firewall / Antivirus / Spam Filter / Endpoint Security & Data Encryption
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data is already available and needed to ensure security. The data must be processed to authenticate an authorized access to the network
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Username, IP addresses, timestamps, e-mail addresse
If necessary, change of purpose none
Access controll (not employees)
The purpose of the processing operation Protection against unauthorized access to the premises or the office building
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity To ensure only authorized access to the premises or office building, the data subject must authenticate with his personal data.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, name, company, department, date of birth (for clear identification),
If necessary, change of purpose none
User management
The purpose of the processing operation Management of user accounts and administrative groups to provide authentication and support of authorization concepts in different systems
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and is only managed to ensure IT security processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, e-mail address, telephone number, if applicable, department affiliation
If necessary, change of purpose none
Handling passwords
The purpose of the processing operation Task management for office communication for human resources, employee administration, customer administration, financial accounting, controlling, marketing. Ensuring administrator access in an emergency.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and is only managed to ensure IT security processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name , first name, user name, password
If necessary, change of purpose none
Logging in IT-systems
The purpose of the processing operation Ensuring legally required and technically necessary logging: Ensuring the correct functioning of the IT systems, error analysis, detection of resource bottlenecks, tracking of hacker attacks.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The collection of data is done automatically in accordance with the Company’s legally required obligation to ensure and maintain the security of the Company’s data.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Usernames, IP addresses, e-mail addresses, Internet URLs, e-mails, websites
If necessary, change of purpose none
Control of internet usage
The purpose of the processing operation Random control of Internet usage for compliance with private use rules.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The collection of data is done automatically in accordance with the Company’s legally required obligation to ensure and maintain the security of the Company’s data.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Usernames, IP addresses, Internet URLs, emails, web pages, timestamps
If necessary, change of purpose none
Backup
The purpose of the processing operation Backup of corporate data to prevent data loss (encryption trojan etc.) Ensure the recovery of business processes in the event of system failure, system failure and emergencies
Legal basis (in accordance with Art. 6/9 GDPR) – Fulfilment of legal obligations (Art. 6 para. 1 (c))
– Safeguarding our legitimate interest (Art. 6 para. 1(f))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and processed to ensure IT security processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we refrain from an automatic decision-making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) All company data (billing information, address data, bank details / credit card details, credit history, date of birth, IT usage data / log data / log files, IP address, interests / preferences, contact details, CV, surname / first name / title / title, social security data, contract and contract master data , Payment data, time registration data, payroll data, correspondence, various)
If necessary, change of purpose none
E-Mail archiving
The purpose of the processing operation Audit-proof archiving of business communication as well as accounting or accounting-relevant documents
Legal basis (in accordance with Art. 6/9 GDPR) – Fulfilment of legal obligations (Art. 6 para. 1 (c))
– Safeguarding our legitimate interest (Art. 6 para. 1(f))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and processed to ensure IT security processes and legal requirements.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we refrain from an automatic decision-making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) All company data (billing information, address data, bank details / credit card details, credit history, date of birth, IT usage data / log data / log files, IP address, interests / preferences, contact details, CV, surname / first name / title / title, social security data, contract and contract master data , Payment data, time registration data, payroll data, correspondence, various)
If necessary, change of purpose none
Emergency concept
The purpose of the processing operation Ensuring a viable corporate structure, providing a disaster recovery process
Legal basis (in accordance with Art. 6/9 GDPR) – Fulfilment of legal obligations (Art. 6 para. 1 (c))
– Safeguarding our legitimate interest (Art. 6 para. 1(f))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and processed to ensure IT security processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details
If necessary, change of purpose none
Mobile / cell phone / smartphone usage
The purpose of the processing operation Mobile communication and task management for human resources, employee administration, customer administration, financial accounting, controlling, marketing, etc.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) Applicants, customers, prospects, suppliers, craftsmen, authorities, service providers as well as their contact person, management and employees
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, E-mail addresses, appointment data, traffic data (§96 TKG), IP addresses, web addresses, website retrieval data
If necessary, change of purpose none
Internet and telephone usage
The purpose of the processing operation communication and task management for human resources, employee administration, customer administration, financial accounting, controlling, marketing, etc.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) Applicants, customers, prospects, suppliers, craftsmen, authorities, service providers as well as their contact person, management and employees
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, extension, address data, contact data, e-mail addresses, appointment data, traffic data (§96 TKG), IP addresses, web addresses, website retrieval data
If necessary, change of purpose none
Intranet usage
The purpose of the processing operation Ensuring the internal exchange of information, employee motivation, employee information.
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1 (a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Depending on the type of data, deployment / processing is required for the intended operational execution of the task.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, company contact details, starting date, department, photos, background, hobbies
If necessary, change of purpose none
Guest WLAN
The purpose of the processing operation roviding wireless Internet access for guests; Logging and control for protection against misuse and preservation of evidence.
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1 (a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The processing of said data is necessary for the provision and maintenance of the guest WLAN.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, visitor’s business name, Internet protocol data, login data, MAC addresses of the respective device, surfing behavior
If necessary, change of purpose none
Communication systems (such as telephone system)
The purpose of the processing operation Provision of telecommunication services for own (internal) purposes (internal and external corporate communication) Ensuring proper telecommunications operations in the company and for customers. Provision of log files, evaluations and statistics
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Traffic data are not passed on in principle, but only as needed used for the elimination of disturbances or for billing checks.
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention Traffic data is stored for a maximum of 6 months. In addition, aggregated data can be stored and used, provided that it is ensured that the personal data can no longer be derived from the data. See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data required for communication, the implementation and management of telecommunications is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Extension, telephone number, name, first name, telephone number of the communication partner, duration of the call, date, time; Traffic data (§ 96 TKG), contact data
If necessary, change of purpose none
Office 365
The purpose of the processing operation Use of Office 365
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Depending on the server location, the data will be stored at Microsoft in the US or in the EU.
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) Further data transmission to a third country does not take place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) various
If necessary, change of purpose none
Electronic processing by e-mail
The purpose of the processing operation Implementation of internal & external electronic communication including documentation, office communication.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Event-related and transparent transmission in the context of e-mail communication (eg in compliance with BCC and CC regulations); u. a. Customers, interested parties, suppliers, authorities, contractual partners, other third parties; IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) Data transfer to third countries takes place when the respective communication partner is located in a third country. In addition, when communicating via e-mail over the Internet, it can not be ruled out that e-mails will be routed via communication systems to third countries.
Where known: Duration of data retention After elimination oft he storage purpose:
– Retention period for e-mails, insofar as to qualify as business letters: 6 years; after the deadline, the data will be routinely deleted, if no longer required for the execution or termination of contracts
– Short-term deletions in special areas (e.g. applicant data: 6 months) See also General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Only personal data will be processed to secure the corresponding editing process; u. a. Contact details (name, e-mail address), if necessary further (depending on the content of the communication); possibly further header data; „Content data“ (contents of emails – „Body“)
If necessary, change of purpose none
CRM
The purpose of the processing operation Maintenance of customer data and customer relationships; Qualifying customers
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Person master data, communication data, contract master data, customer history
If necessary, change of purpose none
ERP
The purpose of the processing operation Operation of the ERP
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)  
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, the fulfillment of the tasks or contracts may not be possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Personal master data, communication data, customer history, contract settlement data, payment data, planning and control data, if necessary further
If necessary, change of purpose none
DMS – Document management system
The purpose of the processing operation Operation of the DMS for revision-proof archiving of business documents
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)  
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and processed to ensure IT security processes and legal requirements.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Address data, banking data, contact data, payment data, payroll data, contract data, time registration data, correspondence; various
If necessary, change of purpose none
Print and copy jobs
The purpose of the processing operation Duplicating information
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and processed to ensure IT security processes and legal requirements.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, IP address, print template with the information to be duplicated
If necessary, change of purpose none
Groupware System
The purpose of the processing operation Implementation of internal and external correspondence including documentation, office communication, in particular team / cooperation across spatial distances (e-mail, contacts, tasks, calendars)
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
If necessary, Recipient (for transfer) interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management, employees, trainees, applicants
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, it may not be possible to perform the tasks or contracts, in particular over a physical distance.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, E-mail addresses, appointment data
If necessary, change of purpose none
Data Exchange Portal
The purpose of the processing operation Use of online solutions for data storage and data exchange with suppliers, customers and third parties
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))  
If necessary, Recipient (for transfer) There are external recipients depending on the occasion (If necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, it may not be possible to perform the tasks or contracts, in particular over a physical distance.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Address data, banking data, contact data, payment data, payroll data, contract data, time registration data, correspondence; various
If necessary, change of purpose none
IT-Support (remote)
The purpose of the processing operation Maintaining / maintaining software / data by IT service providers, software development
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) external serviceprovider
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, it may not be possible to perform the tasks or contracts (support and maintenance of the IT systems), in particular over a physical distance.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) The processing of personal data is not planned, but due to the service access to pb data can not be excluded.
Also access to special categories can not be excluded; These include: racial and ethnic origin, religious or philosophical beliefs, health
If necessary, change of purpose none
Ticket system
The purpose of the processing operation Ensuring IT support in your own company and for customer systems. Recording of faults, errors and inquiries, systematic processing of error messages by users
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))  
If necessary, Recipient (for transfer) IT service (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, it may not be possible to perform the tasks or contracts (support and maintenance of the IT systems), in particular over a physical distance.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Information on the person responsible (name, first name, contact details), details of the requester (name, first name, address data, contact details), error description
If necessary, change of purpose none
Data media disposal
The purpose of the processing operation Destruction of media that is no longer required (eg after expiry of the retention period) on which or in which personal data is stored (hard disks, SSD, CD / DVD, USB stick, …)
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) external disposal service provider (if required)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Non-personal data are collected. The data is already available.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) All company data (billing information, address data, bank details / credit card details, credit history, date of birth, IT usage data / log data / log files, IP address, interests / preferences, contact details, CV, surname / first name, title, social security data, contract data, contract master data, payment data, time registration data)
If necessary, change of purpose none
Applications and application process
The purpose of the processing operation Processing and conducting application procedures, processing unsolicited applications; Selection of potential employees for a suitable occupation.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
If necessary, Recipient (for transfer) external service providers (recruitment tests)(if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention Applications will only be saved with the consent of other authorities, otherwise they will be deleted, returned or destroyed after 6 months absence
See also General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity For a smooth Application procedure, it is necessary that the required information be provided truthfully.
Consequences of violation (failure to provide the required data) An infringement would possibly have the consequence that a contract of employment can not be concluded.
If necessary, Existence of automated decision-making In this context, we refrain from an automatic decision-making.  
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Data on the person (name, address, date of birth, telephone number, information on religious affiliation, information on marital status / details of children, curriculum vitae, education, qualification, application data, if applicable, information on severe disability)
If necessary, change of purpose If we take you into employment after completing the application process, the purpose for processing the data in question will change: in the future, these will be used to conduct and maintain the employment relationship.
Personnel questionnaire
The purpose of the processing operation In the application process for a simpler comparison of applicant information, for new hires, to register the employee with the authorities, funds and social security funds
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) state agencies, insofar as statutory transfer obligations exist (tax office); Non-public bodies only if there is a legal basis for this (health insurance and social security funds)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data has already been collected and will be processed to complete the employment relationship.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we refrain from an automatic decision-making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, Date of birth, religious affiliation (if tax-relevant), marital status, information on children, bank details, information on previous activities, training information, social security information
If necessary, change of purpose none
Protective and work clothing
The purpose of the processing operation Order of protective and work clothes for the employees
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) if necessary, external occupational safety
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data are processed to complete the employment relationship necessarily.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we refrain from an automatic decision-making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, size, glove size, shoe size, body measurements
If necessary, change of purpose none
Quotation, order and billing
The purpose of the processing operation Creation of offers, orders and invoices
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Document receiver; Depending on the request, if necessary, public authorities, if necessary. Tax consultant, possibly insurer.
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide data based on the contractual relationship between the controller and the data subject. It is necessary for order processing.
Consequences of violation (failure to provide the required data) An infringement (ie the non-provision of the required data) would possibly result in the fulfillment of the contractual obligations (eg delivery of goods and provision of services).
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Billing data, address data, if necessary bank details, personal data, contact data, contract data, if necessary time recording data, if necessary customer history, payment data, communication data, contract master data
If necessary, change of purpose none
Billing by direct debit
The purpose of the processing operation Billing by direct debit
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Bank of the contractor
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity No direct debit is possible without the data required for the SEPA direct debit.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject)
If necessary, change of purpose none
Wholesale remittance business
The purpose of the processing operation Delivery to the wholesale
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) Wholesale
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data required for shipping, delivery of the goods is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject)
If necessary, change of purpose none
Invoicing and dunning as well as financial accounting
The purpose of the processing operation Billing and shipping; Recording open items and reminders (managing and recovering outstanding receivables); Recording and documentation of all financially significant transactions in the company (all sales and fixed assets); Tax, levy and payment to the tax authorities and, where appropriate, other public bodies, control and processing of incoming / outgoing invoices, monitoring of payments, processing of account statements
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) as far as legally required: financial administration; Accountants and auditors Otherwise, if there is a legal basis for the transfer of data
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There are legal obligations to create the invoice and reminder system.
Consequences of violation (failure to provide the required data) If necessary, derive from the respective legislation
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First, last name, address, contact details contract data, insurance data, date of birth, data on purchased goods / DL, bank details, VAT identification number, patient data; Billing data, sales incl. Invoice numbers, uses, etc.
If necessary, change of purpose none
Business information and credit check
The purpose of the processing operation Protection against insolvency of customers; Receipt of outstanding incoming payments
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Service provider (credit check, collection)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation due to general terms and conditions.
Consequences of violation (failure to provide the required data) An infringement (ie the non-provision of the required data) would possibly result in the fact that the chosen method of payment can not be used.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Person master data, company data, communication data
If necessary, change of purpose none
(Online) banking
The purpose of the processing operation Management and administration of bank accounts, financial control
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide data based on the contractual relationship between the controller and the data subject. Necessary for order processing or similar
Consequences of violation (failure to provide the required data) An infringement (ie the non-provision of the required data) would possibly result in the fulfillment of the contractual obligations (eg delivery of goods and provision of services).  
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, bank details, payment data, contract data, address, date of birth (if necessary)
If necessary, change of purpose none
Credit insurance
The purpose of the processing operation Protection against failure up to a certain limit
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) credit insurance
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation due to general terms and conditions.
Consequences of violation (failure to provide the required data) An infringement (ie the non-provision of the required data) would possibly result in the fact that the chosen method of payment can not be used.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Person master data, company data, communication data
If necessary, change of purpose none
General Administration
The purpose of the processing operation General administration (including processing of incoming mail, etc.)
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data needed for administration, certain business processes can not be performed
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, title, address, e-mail address, telephone number, position, contact details, contact history, contract data
If necessary, change of purpose none
Office communication
The purpose of the processing operation ask management for office communication for eg: human resources, employee administration, customer administration, financial accounting, controlling, marketing.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers and their contact persons (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data required for communication, the execution of certain business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Only personal data will be processed to ensure the corresponding processing.
If necessary, change of purpose none
Ordner management
The purpose of the processing operation Creating, maintaining and managing orders
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data needed for administration, it is not possible to carry out certain business processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, title, address, date of birth, patient data, insurance data, data on purchased goods / DL, contract data, telephone number, customer number, e-mail address
If necessary, change of purpose none
Files keeping
The purpose of the processing operation Data protection compliant storage of documents (invoices, business transactions), as far as required by law.
Legal basis (in accordance with Art. 6/9 GDPR) – Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Non-personal data are collected, the data are already available.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Customer data, contact data, billing data, contract data, employee data, wage and salary data
If necessary, change of purpose none
Contract management
The purpose of the processing operation Administration for contracts with customers, affiliates, employees, interns, suppliers, service providers (electronic and paper)
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) external legal advisers (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide data based on the contractual relationship between the controller and the data subject. Without the data, the execution of the agreed contractual service may not be possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we refrain from an automatic decision-making.  
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, title, address, e-mail address, telephone number, date of birth, contract data
If necessary, change of purpose none
Appointment management
The purpose of the processing operation Planning and managing appointments
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Customers, suppliers / service providers or other third parties for appointment coordination (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data needed for appointment management, the planning, administration and coordination of appointments is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, if necessary address, e-mail address, telephone number, position, contact details, appointment data  
If necessary, change of purpose none
Key management
The purpose of the processing operation Access management to office and factory areas
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data is necessarily processed to perform key management.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, issue date, key ID
If necessary, change of purpose none
Processing incoming mail
The purpose of the processing operation Processing and forwarding of incoming mail
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data already exists and is necessarily processed for subsequent processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, address; depending on the content of the message: date of birth, title, customer number, insurance data, patient data, bank details, industry, position, communication data  
If necessary, change of purpose none
Post office
The purpose of the processing operation Processing incoming mail (open, scan, distribute)
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data already exists and is necessarily processed for subsequent processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, address; depending on the content of the message: date of birth, title, customer number, insurance data, patient data, bank details, industry, position, communication data
If necessary, change of purpose none
Park space allocation
The purpose of the processing operation Employee / visitor parking management, maintenance of the house right, detection of unauthorized parking.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data required for the administration, it is not possible to use a staff or visitor parking lot on the company premises.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, telephone number, license plate number, usage times
If necessary, change of purpose none
Paper shredding and document destruction
The purpose of the processing operation Destruction of media and documents that are no longer required in the course of paper and file disposal (for example, after expiration of the retention period) on which or in which personal data are located during ongoing operation and after expiration of the retention period.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) external disposal service provider
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Customer data, contact data, billing data, contract data, employee data, payroll data; various
If necessary, change of purpose none
External speakers
The purpose of the processing operation Gaining external speakers for training, seminars and training.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data) Cooperation is not possible.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Depending on the content of the communication; Personal master data, communication data, planning and control data
If necessary, change of purpose none
Contact, supplier and customer care
The purpose of the processing operation Installation, maintenance and updating, management of contacts (creditors, debtors, interested parties and their contact persons) and central administration of all addresses for the company and, if necessary, for the provision of information to the employees, ensuring order processing
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data) Without the data, proper contact management and maintenance is not possible.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) Dependent on the process by which the data got into the respective system; usually the data comes from the person concerned.
If necessary, Categories of personal data (if not collected directly from the data subject) Personal master data / contact data (first name, last name, date of birth, address, Internet address, e-mail address, telephone number, fax number, position, interests / preferences) Industry, customer number, customer type, contact data, contact history, appointment data, contract data, customer history, payment / billing data , Bank details, credit data, if necessary further depending on the content of the communication
If necessary, change of purpose none
Order entry
The purpose of the processing operation Acquisition and documentation of procurement orders
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data already exists and is necessarily processed for subsequent processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, address, telephone number, date of birth, relatives
If necessary, change of purpose none
Order processing
The purpose of the processing operation   Commercial and technical processing of orders
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data already exists and is necessarily processed for subsequent processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, communication data (e-mail, telephone), bank details, tax data (VAT ID)
If necessary, change of purpose none
Distribution
The purpose of the processing operation Distribution; order fulfillment
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The data already exists and is necessarily processed for subsequent processes.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, address, paragraphs, date of sale, order data
If necessary, change of purpose none
Prospect management
The purpose of the processing operation Creation, maintenance and updating, management of contacts Data is managed in the prospect / customer database
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data) Without the data, proper contact management and maintenance is not possible.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, Interesse-Status
If necessary, change of purpose none
Customer care and CRM
The purpose of the processing operation Care and maintenance of existing customers, customer acquisition, conducting statistical evaluations for internal purposes, contacting by telephone, letter, e-mail, personal visit to the product presentation and range of services, measures for customer loyalty and customer service
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data) Without the data, proper contact management and maintenance is not possible.  
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.  
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details (telephone, mobile phone, fax, e-mail), appointments, product data, contact reports, sales figures, contact history
If necessary, change of purpose none
Checkout system
The purpose of the processing operation POS system for billing
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) house bank
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the data required for the desired payment method, only one cash payment is possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, bank and payment details
If necessary, change of purpose none
Sales support
The purpose of the processing operation Customer acquisition
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject)
If necessary, change of purpose none
Orders report
The purpose of the processing operation Preparation of operative interim reports, orders, overview, planning
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity No personal data will be collected. The data is already available.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Personal master data, communication data, customer history, contract settlement and payment data, planning and control data
If necessary, change of purpose none
Ordering
The purpose of the processing operation Purchase of goods for own use and for resale, ensuring the availability of material and resources on paper – email – telephone – fax, identification of suitable suppliers, conducting price negotiations, handling of returns and incorrect deliveries
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide data based on the contractual relationship between the controller and the data subject. Necessary for the processing of orders or the like
Consequences of violation (failure to provide the required data) An infringement (ie the failure to provide the required data) could result in a situation where the fulfillment of the contractual obligations can not occur (eg receipt of goods or services).
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details
If necessary, change of purpose none
Supplier management
The purpose of the processing operation Ensuring order processing, ensuring the quality of selected suppliers
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned. Necessary for processing orders or similar
Consequences of violation (failure to provide the required data) In the case of infringement, the order processing and the quality of the suppliers can not be ensured.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, business information, ownership and history of the supplier company, management of the supplier companies, bank details, insurance information (public liability, assembly insurance, transport insurance)
If necessary, change of purpose none
Marketing
The purpose of the processing operation Marketing of goods / services / companies; Order and send marketing articles
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) advertising agencies (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Depending on the type of processing; First name, last name, address, Internet address, e-mail address, telephone number, fax number, position, sector, customer number, customer type, contact history, appointment data, data on interests, contract data, case data
If necessary, change of purpose none
Online marketing
The purpose of the processing operation External representation of the company, online marketing; Social Media, Website
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) Photographer, marketing agency (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.Ggfs. Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Depending on the type of processing / interaction; If necessary. Personal master data, contact details, photo / film recordings, others
If necessary, change of purpose none
Acquisition
The purpose of the processing operation Acquiring new customers
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, title, address (business), address (private), billing address, e-mail address, telephone number, customer number, customer type, contact details, contact history, appointment data, bank details, data on purchased goods or services, contract data, sales data, patient data
If necessary, change of purpose none
Printmailings
The purpose of the processing operation Shipping of printed documents / information documents / invitations for events, presentation of the product and product portfolio, contact with customers and suppliers, information about new products and discount campaigns, advertising of the company
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Lettershop, post office, advertising agency, possibly further service providers
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Person master data, contact data, vendor master data
If necessary, change of purpose none
Newsletter
The purpose of the processing operation Management, organization and sending of personalized newsletters; Providing information
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
If necessary, Recipient (for transfer) Newsletter tool vendors (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject)
If necessary, change of purpose none
Customer survey (anonymous)
The purpose of the processing operation Measurement of customer satisfaction (answers anonymous, participation (if) insight possible)
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Survey Services (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Only personal data will be processed to secure the corresponding editing process; Personal data will be anonymized; possibly further header data; „Content data“ (content of surveys – „Body“)
If necessary, change of purpose none
Events
The purpose of the processing operation Organization and realization of events and events for customer loyalty, acquisition of new customers and information
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Lettershop (invitation and information dispatch)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.  
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, telephone, e-mail, information on nutrition (food selection), bank details
If necessary, change of purpose none
Taking pictures at events
The purpose of the processing operation On- and Offline Marketing
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Photographer, Printing, Social Media
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Pictures, videos, metadata
If necessary, change of purpose none
Customer Photo / Video
The purpose of the processing operation External representation of the company, online / offline marketing
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Photographer, marketing agency (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Photo / film shoots, personal data, contact details if required, (if necessary)
If necessary, change of purpose none
Trade fair photos
The purpose of the processing operation Corporate presentation to the outside; Reference projects for communication with customers and suppliers
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Photographers, customers, suppliers and third parties
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Photo / film as a portrait or group photo
If necessary, change of purpose none
Trade fair stand management
The purpose of the processing operation Customer and prospective customer care at trade fairs, and gaining new customers at trade fair stands
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.  
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, Art des Interesses
If necessary, change of purpose none
Press
The purpose of the processing operation Public Relations / Corporate Presentation
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Contact details (name, position, telephone, email)
If necessary, change of purpose none
Social media marketing
The purpose of the processing operation Management of social media accounts and social media marketing; Corporate presentation to the outside; Presentation of reference projects; Use of social media for external presentation and communication with customers and suppliers
Legal basis (in accordance with Art. 6/9 GDPR) – Informed consent (Art. 6 para. 1(a))
– Safeguarding our legitimate interest (Art. 6 para. 1 (f))
If necessary, Recipient (for transfer) Publication online (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is no obligation to provide personal information.
Consequences of violation (failure to provide the required data) In the event of infringement, the use of social media for the external presentation of the company and communication can not be used.  
If necessary, Existence of automated decision-making There is no automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Depending on the type of processing; First name, last name, contact details, pictures
If necessary, change of purpose none
Controlling
The purpose of the processing operation Planning, controlling and controlling all divisions
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, address, e-mail address, telephone number, customer number, customer type, contact details, contract data, inventory data, usage data, sales data
If necessary, change of purpose none
Project management
The purpose of the processing operation Leading, controlling, coordinating projects of all kinds, such as the generation of new business, planning of complex IT systems or optimization of business processes, management of any projects in the company
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Customers, interested parties, suppliers, craftsmen, authorities, service providers and their contact persons
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, address, e-mail address, telephone number, fax number, industry, position, appointment data, contract data, communication data, sales data
If necessary, change of purpose none
Analysis und reporting
The purpose of the processing operation Reporting of corporate data to reveal hidden costs, market analysis, preparation of business reports  
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Financial data, personal data, production data
If necessary, change of purpose none
Tenders
The purpose of the processing operation Submit appropriate offers to potential customers in public tenders. Successful participation in tenders and placing orders.  
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Implementation of pre-contractual measures (Art. 6 para. 1(b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Personal master data, communication data, contract master data, planning and control data, if necessary further; Information on the company, previous projects, qualification of employees, fulfillment of legal obligations (eg compliance with the minimum wage), etc.
If necessary, change of purpose none
Data to tax consultants, auditors, customs authorities
The purpose of the processing operation Data transfer with regard to business evaluation, account assignment, tax data / tax clearance / customs clearance, etc.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Authorities, tax consultants, auditors, service providers and their contact persons
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is a legal obligation to provide personal information.
Consequences of violation (failure to provide the required data) The infringement can lead to sanctions.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, Bank details, insurance number, date of birth, identity card data
If necessary, change of purpose none
Inquire procedure of data subjects
The purpose of the processing operation Administration for the information procedure of data subjects, by telephone, E-Mail, letter post
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) external data protection officer (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity There is a legal obligation to provide personal information.
Consequences of violation (failure to provide the required data) The infringement can lead to sanctions.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, Data on the person of the person concerned, data on recipients
If necessary, change of purpose none
Lawyer, court documents
The purpose of the processing operation Preservation of legal interests of the company, for the professional evaluation of contracts, documents etc.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Specialist lawyer, prosecutor, jurisdiction, EU arbitration board
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Depending on the individual case
If necessary, change of purpose none
Data to business consultants
The purpose of the processing operation To fulfill the contractually agreed consulting goal.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) External business consultants
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details, Salary data, age, sales figures
If necessary, change of purpose none
Claims management
The purpose of the processing operation Handling of complaints, improvements in the company
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details,
If necessary, change of purpose none
Warehouse management
The purpose of the processing operation Management of the warehouse
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Logistics software manufacturers; Shipping service / forwarding company
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, if necessary telephone number, address
If necessary, change of purpose none
Logistics
The purpose of the processing operation Collection and shipping of goods (see delivery and shipping) Order picking, delivery of orders Messenger services (carrying documents)
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Logistics software manufacturers; Shipping service / forwarding company
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned.
Consequences of violation (failure to provide the required data) Without the data necessary for the logistics a delivery and the dispatch of goods, as well as the acceptance of goods is not possible.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Only personal data will be processed to secure the corresponding editing process; Personal master data / communication data (first name, last name, title, address, patient data, telephone number, contact data, customer number, date of birth), contract master data (contractual relationship, product or contract interest)
If necessary, change of purpose none
Delivery and shipping
The purpose of the processing operation Goods transport / delivery of sample requests Delivery processing (service providers and suppliers); Product shipping to customers. Data transmission to shipping service providers (forwarding / courier parcel express service)
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
– Fulfilment of legal obligations (Art. 6 para. 1 (c))
If necessary, Recipient (for transfer) Logistics software manufacturers; Shipping service / forwarding company
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned.
Consequences of violation (failure to provide the required data) Without the data required for shipping a delivery of goods is not possible.
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Only personal data will be processed to secure the corresponding editing process; Personal master data (name, first name, address data), communication data (eg telephone, e-mail), contract master data (contractual relationship, product or contract interest)
If necessary, change of purpose none
Planning and production control
The purpose of the processing operation Planning and controlling production orders
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See also General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details
If necessary, change of purpose none
Customer Support
The purpose of the processing operation Support for customers via remote desktop software
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity The processing of personal data is not planned, but due to the service access to personal data can not be excluded.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) The processing of personal data is not planned, but due to the service access to personal data can not be excluded Also access to special categories can not be excluded; These include: racial and ethnic origin, religious or philosophical beliefs, health  
If necessary, change of purpose none
Call center
The purpose of the processing operation Call center for accepting customer calls, for telephone sales, hotline for answering product questions. Acceptance of customer services, maintenance of existing customers, acquisition of new customers.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) external call center service provider
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, address data, contact details
If necessary, change of purpose none
Call processing
The purpose of the processing operation Troubleshooting customer systems, compiling quality control statistics
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) none
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant personal data, the implementation of this and possibly further business processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Name, first name, username, telecommunication data
If necessary, change of purpose none
Service
The purpose of the processing operation Provision of various services
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) Subcontractor (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned.
Consequences of violation (failure to provide the required data) Without the relevant data, the provision of various services is not possible.  
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) Personal master data, address data, bank data, contact data, payment data, payroll data, contract data, time registration data, correspondence; various
If necessary, change of purpose none
Facility Management
The purpose of the processing operation Care and maintenance of real estate and buildings used by the company.
Legal basis (in accordance with Art. 6/9 GDPR) – Safeguarding our legitimate interest (Art. 6 para. 1 (f))
– Performance of a contract (Art. 6 para. 1 (b))
If necessary, Recipient (for transfer) Service providers who perform services in the area of facility management. Other third parties (if necessary)
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) No data transfer to a third country takes place and is not planned.
Where known: Duration of data retention See also General deadlines for data deletion
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity Without the relevant data, the execution of these processes is not possible.
Consequences of violation (failure to provide the required data)
If necessary, Existence of automated decision-making In this context, we do not use automated decision making.
If necessary, Origin of data (if not collected directly from the data subject) The data usually comes from the person concerned, but may come from a third party.
If necessary, Categories of personal data (if not collected directly from the data subject) First name, last name, e-mail address, telephone number, contact history, appointment data, contract data, photos
If necessary, change of purpose none