Hamm Footwear Info – Art. 13 / 14 GDPR | Cortina Consult
Hamm Market Solutions GmbH & Co. KG
Information on data handling in accordance with Art. 13 and 14 DSGVO
General information about data handling
The protection of your private rights and freedoms is important to us; we only use your data for the purposes intended. Since it is important to us that you know at all times to what extent we collect, use and, if necessary, forward your data to third parties, we will inform you comprehensively below about the processing of your personal data collected by us or stored by us. We will not process data without a legal basis without your informed consent. When processing personal data, we strictly adhere to the requirements of the EU Data Protection Regulation (GDPR) and, if necessary, other data protection regulations.
Name and Address of the data controller
Hamm Market Solutions GmbH & Co. KG
Moritz Hamm, Carsten Schlüter, David Friedrich
Am Huxmühlenbach 4
49084 Osnabrück
Telefon: 0541 – 200 25-01
Mail: [email protected]
Website: hamm-footwear.com/
Name and address of the data protection officer
Martina Brinkmann
Cortina Consult GmbH
Hafenweg 24
48155 Münster
Telefon: +49 251 95 20 37 – 40
Mail: [email protected]
Website: cortina-consult.com
If you have any questions about the processing of your personal data, if you wish to assert your rights as a data subject (e.g. the right to be informed, correct, block or delete data) or if you wish to withdraw your consent, please contact our data protection officer directly.
The rights of data subjects
Chapter III of the EU Data Protection Regulation (GDPR) provides for extensive rights for data subjects, which we will explain to you below with regard to the processing of your personal data:
1) The right to be informed
This specification applies in particular to the following data processing details:
- The purpose of the processing operation
- Categories of data
- If necessary, recipient or categories of recipients
- If necessary, the planned storage duration or the criteria for determining this duration
- Information on the respective right to correction, deletion, restriction or objection
- Existence of a right of appeal to a supervisory authority
- If necessary, origin of the data (if not collected from you)
- If necessary, existence of automated decision making including profiling, and including meaningful information about the logic involved, the scope and the expected effects
- If necessary, (planned) transfer to a third country or international organisation
2) The right of rectification
If necessary, we will correct faulty data immediately if you inform us about the circumstance accordingly.
3) Right to deletion (right to be forgotten)
If the processing is no longer necessary and one of the following conditions is fulfilled:
- Expiry of the purpose of processing
- Withdrawal of your consent and the absence of any other legal basis for processing
- Opposition to processing without an important reason to the contrary
- Illegal processing
- Required to fulfil a legal obligation
- Data collection in accordance with Art. 8 para. 1 GDPR
As part of the deletion request, we may pass on your request to those third parties to whom your data was previously transferred.
4) The right to restriction of processing
Provided one of the following conditions is met:
- You dispute the accuracy of your data (restriction may be made on our site for the duration of the verification)
- In the event of unlawful processing and provided that the data is not to be deleted, deletion shall be replaced by restriction of processing
- If the processing purposes expire, at the same time you need your data to assert, exercise or defend legal claims
- After your objection pursuant to Art. 21 para. 1 GDPR and for the duration of the examination, whether our justified reasons outweigh yours.
5) The right to data portability
As long as it is technically possible and the rights and freedoms of other persons are not affected, we will – at your request – transfer your data to another recipient (data controller).
6) Right to object
If we collect personal data from you or have it collected and process it (on the basis of Art. 6 Para. 1(e) or (f) or Art. 9 Para. 2(a) GDPR), you have the right to object to data processing (including profiling) at any time (with effect for the future). In exceptional cases, the objection may be invalid, e.g. if we can prove compelling legitimate interests for processing that outweigh your interests, or processing serves to assert, exercise or defend legal claims. If we process your personal data for direct marketing purposes, you have the right to object to such processing at any time. This also applies to any profiling connected with such direct advertising. You also have the right to object to the processing of the data we hold about you, which is carried out by us for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR unless such processing is necessary to fulfil a task in the public interest.
7) Automated individual decision-making including profiling
If we collect personal data from you or have it collected and process it, you have the right not to be subject to decision based exclusively on automated processing – including profiling – which has a legal effect on you or significantly impairs you in a similar manner. Exceptions to this requirement apply if the decision to conclude or fulfil a contract between you and us is necessary or if you have expressly consented to the processing. In any event, we will take reasonable measures to protect your rights and freedoms and your legitimate interests, including at least the right on our part to obtain the intervention of a person to express our position and to challenge the decision.
8) Right to withdraw consent under the data protection laws
You have the right to revoke your consent to the processing of personal data at any time.
9) The right to file a legal complaint with a supervisory authority
A list of supervisory authorities in Germany can be found on the website of the Federal Commissioner for Data Protection or via the following link:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/Authorities_for_non-effective_area/Authorities_for_supervision_non-effective_area_list.html
Information on data security
We secure your personal data processed by us against loss, destruction, access, modification or distribution of your data by unauthorised persons by appropriate technical and organisational measures. However, despite regular checks, complete protection against all risks is not possible.
Legal basis for processing
We process personal data according to the specifications of the GDPR, depending on the type and purpose of processing, as follows:
Where allowed by law | Specification of the GDPR |
Informed consent | Art. 6 para. 1(a) |
In performance of a contract | Art. 6 para. 1(b) |
Implementation of pre-contractual measures | Art. 6 para. 1(b) |
Fulfilment of legal obligations | Art. 6 para. 1(c) |
Protection of vital interests | Art. 6 para. 1(d) |
Safeguarding our legitimate interest | Art. 6 para. 1(f) |
Our legitimate interest
Our legitimate interest, as defined in Article 6 para. 1(f) GDPR, is based on the performance of our business activities to maintain our operability and to safeguard the employment of our employees.
General deadlines for data deletion
After elimination of the storage purpose, the retention periods are generally at least six or ten years. As a rule, the deletion of data generally takes place without delay in accordance with our deletion plan, insofar as it does not preclude any obligation to retain data, the need to fulfil a contract or a legitimate interest.
Individual information according to the type of processing
Depending on the processing, the purposes, legal basis and other information may vary. You will find the exact assignment of the information in the following chapter.
Form for new customers
The purpose of the processing operation | Providing access for the use of the online store. Collection of all necessary information required for the provision of the service (sale and shipment of shoes through the online store). |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Implementation of pre-contractual measures (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, registration on the website and use of the online store is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Company name, company form, address data, commercial register number, date of foundation, data on the availability of an online store, data on the managing director, invoice address, delivery address, data on the contact person for complaints management, data on the contact person for marketing, data on the contact person for purchasing, data on the contact person for logistics, data on the contact person for accounting, data on the contact person for dunning. |
If necessary, change of purpose | none |
IT security
The purpose of the processing operation | Ensuring the security, integrity, confidentiality and availability of data through protection against unauthorized access from outside and inside. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data is already available and needed to ensure security. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | People Master Data, IT usage data; various |
If necessary, change of purpose | none |
General network protection
The purpose of the processing operation | Protective measures against unauthorized attacks and protection against electronic mass mailing and unintentional data flow and outflow (DLP). Firewall / Antivirus / Spam Filter / Endpoint Security & Data Encryption |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data is already available and needed to ensure security. The data must be processed to authenticate an authorized access to the network |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Username, IP addresses, timestamps, e-mail addresse |
If necessary, change of purpose | none |
Access controll (not employees)
The purpose of the processing operation | Protection against unauthorized access to the premises or the office building |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | To ensure only authorized access to the premises or office building, the data subject must authenticate with his personal data. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, name, company, department, date of birth (for clear identification), |
If necessary, change of purpose | none |
User management
The purpose of the processing operation | Management of user accounts and administrative groups to provide authentication and support of authorization concepts in different systems |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is only managed to ensure IT security processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, e-mail address, telephone number, if applicable, department affiliation |
If necessary, change of purpose | none |
Handling passwords
The purpose of the processing operation | Task management for office communication for human resources, employee administration, customer administration, financial accounting, controlling, marketing. Ensuring administrator access in an emergency. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and is only managed to ensure IT security processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name , first name, user name, password |
If necessary, change of purpose | none |
Logging in IT-systems
The purpose of the processing operation | Ensuring legally required and technically necessary logging: Ensuring the correct functioning of the IT systems, error analysis, detection of resource bottlenecks, tracking of hacker attacks. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The collection of data is done automatically in accordance with the Company’s legally required obligation to ensure and maintain the security of the Company’s data. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Usernames, IP addresses, e-mail addresses, Internet URLs, e-mails, websites |
If necessary, change of purpose | none |
Control of internet usage
The purpose of the processing operation | Random control of Internet usage for compliance with private use rules. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The collection of data is done automatically in accordance with the Company’s legally required obligation to ensure and maintain the security of the Company’s data. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Usernames, IP addresses, Internet URLs, emails, web pages, timestamps |
If necessary, change of purpose | none |
Backup
The purpose of the processing operation | Backup of corporate data to prevent data loss (encryption trojan etc.) Ensure the recovery of business processes in the event of system failure, system failure and emergencies |
Legal basis (in accordance with Art. 6/9 GDPR) | – Fulfilment of legal obligations (Art. 6 para. 1 (c)) – Safeguarding our legitimate interest (Art. 6 para. 1(f)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and processed to ensure IT security processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we refrain from an automatic decision-making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | All company data (billing information, address data, bank details / credit card details, credit history, date of birth, IT usage data / log data / log files, IP address, interests / preferences, contact details, CV, surname / first name / title / title, social security data, contract and contract master data , Payment data, time registration data, payroll data, correspondence, various) |
If necessary, change of purpose | none |
E-Mail archiving
The purpose of the processing operation | Audit-proof archiving of business communication as well as accounting or accounting-relevant documents |
Legal basis (in accordance with Art. 6/9 GDPR) | – Fulfilment of legal obligations (Art. 6 para. 1 (c)) – Safeguarding our legitimate interest (Art. 6 para. 1(f)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and processed to ensure IT security processes and legal requirements. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we refrain from an automatic decision-making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | All company data (billing information, address data, bank details / credit card details, credit history, date of birth, IT usage data / log data / log files, IP address, interests / preferences, contact details, CV, surname / first name / title / title, social security data, contract and contract master data , Payment data, time registration data, payroll data, correspondence, various) |
If necessary, change of purpose | none |
Emergency concept
The purpose of the processing operation | Ensuring a viable corporate structure, providing a disaster recovery process |
Legal basis (in accordance with Art. 6/9 GDPR) | – Fulfilment of legal obligations (Art. 6 para. 1 (c)) – Safeguarding our legitimate interest (Art. 6 para. 1(f)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and processed to ensure IT security processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details |
If necessary, change of purpose | none |
Mobile / cell phone / smartphone usage
The purpose of the processing operation | Mobile communication and task management for human resources, employee administration, customer administration, financial accounting, controlling, marketing, etc. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | Applicants, customers, prospects, suppliers, craftsmen, authorities, service providers as well as their contact person, management and employees |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, E-mail addresses, appointment data, traffic data (§96 TKG), IP addresses, web addresses, website retrieval data |
If necessary, change of purpose | none |
Internet and telephone usage
The purpose of the processing operation | communication and task management for human resources, employee administration, customer administration, financial accounting, controlling, marketing, etc. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | Applicants, customers, prospects, suppliers, craftsmen, authorities, service providers as well as their contact person, management and employees |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, extension, address data, contact data, e-mail addresses, appointment data, traffic data (§96 TKG), IP addresses, web addresses, website retrieval data |
If necessary, change of purpose | none |
Intranet usage
The purpose of the processing operation | Ensuring the internal exchange of information, employee motivation, employee information. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1 (a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Depending on the type of data, deployment / processing is required for the intended operational execution of the task. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, company contact details, starting date, department, photos, background, hobbies |
If necessary, change of purpose | none |
Guest WLAN
The purpose of the processing operation | roviding wireless Internet access for guests; Logging and control for protection against misuse and preservation of evidence. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1 (a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The processing of said data is necessary for the provision and maintenance of the guest WLAN. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, visitor’s business name, Internet protocol data, login data, MAC addresses of the respective device, surfing behavior |
If necessary, change of purpose | none |
Communication systems (such as telephone system)
The purpose of the processing operation | Provision of telecommunication services for own (internal) purposes (internal and external corporate communication) Ensuring proper telecommunications operations in the company and for customers. Provision of log files, evaluations and statistics |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Traffic data are not passed on in principle, but only as needed used for the elimination of disturbances or for billing checks. |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | Traffic data is stored for a maximum of 6 months. In addition, aggregated data can be stored and used, provided that it is ensured that the personal data can no longer be derived from the data. See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for communication, the implementation and management of telecommunications is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Extension, telephone number, name, first name, telephone number of the communication partner, duration of the call, date, time; Traffic data (§ 96 TKG), contact data |
If necessary, change of purpose | none |
Office 365
The purpose of the processing operation | Use of Office 365 |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Depending on the server location, the data will be stored at Microsoft in the US or in the EU. |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | Further data transmission to a third country does not take place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | various |
If necessary, change of purpose | none |
Electronic processing by e-mail
The purpose of the processing operation | Implementation of internal & external electronic communication including documentation, office communication. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Event-related and transparent transmission in the context of e-mail communication (eg in compliance with BCC and CC regulations); u. a. Customers, interested parties, suppliers, authorities, contractual partners, other third parties; IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | Data transfer to third countries takes place when the respective communication partner is located in a third country. In addition, when communicating via e-mail over the Internet, it can not be ruled out that e-mails will be routed via communication systems to third countries. |
Where known: Duration of data retention | After elimination oft he storage purpose: – Retention period for e-mails, insofar as to qualify as business letters: 6 years; after the deadline, the data will be routinely deleted, if no longer required for the execution or termination of contracts – Short-term deletions in special areas (e.g. applicant data: 6 months) See also General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Only personal data will be processed to secure the corresponding editing process; u. a. Contact details (name, e-mail address), if necessary further (depending on the content of the communication); possibly further header data; “Content data” (contents of emails – “Body”) |
If necessary, change of purpose | none |
CRM
The purpose of the processing operation | Maintenance of customer data and customer relationships; Qualifying customers |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Person master data, communication data, contract master data, customer history |
If necessary, change of purpose | none |
ERP
The purpose of the processing operation | Operation of the ERP |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the fulfillment of the tasks or contracts may not be possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Personal master data, communication data, customer history, contract settlement data, payment data, planning and control data, if necessary further |
If necessary, change of purpose | none |
DMS – Document management system
The purpose of the processing operation | Operation of the DMS for revision-proof archiving of business documents |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and processed to ensure IT security processes and legal requirements. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Address data, banking data, contact data, payment data, payroll data, contract data, time registration data, correspondence; various |
If necessary, change of purpose | none |
Print and copy jobs
The purpose of the processing operation | Duplicating information |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and processed to ensure IT security processes and legal requirements. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, IP address, print template with the information to be duplicated |
If necessary, change of purpose | none |
Groupware System
The purpose of the processing operation | Implementation of internal and external correspondence including documentation, office communication, in particular team / cooperation across spatial distances (e-mail, contacts, tasks, calendars) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) |
If necessary, Recipient (for transfer) | interested parties, suppliers, craftsmen, authorities, service providers, as well as their contact persons, management, employees, trainees, applicants |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, it may not be possible to perform the tasks or contracts, in particular over a physical distance. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, E-mail addresses, appointment data |
If necessary, change of purpose | none |
Data Exchange Portal
The purpose of the processing operation | Use of online solutions for data storage and data exchange with suppliers, customers and third parties |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | There are external recipients depending on the occasion (If necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, it may not be possible to perform the tasks or contracts, in particular over a physical distance. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Address data, banking data, contact data, payment data, payroll data, contract data, time registration data, correspondence; various |
If necessary, change of purpose | none |
IT-Support (remote)
The purpose of the processing operation | Maintaining / maintaining software / data by IT service providers, software development |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | external serviceprovider |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, it may not be possible to perform the tasks or contracts (support and maintenance of the IT systems), in particular over a physical distance. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) |
The processing of personal data is not
planned, but due to the service access to pb data can not be excluded. Also access to special categories can not be excluded; These include: racial and ethnic origin, religious or philosophical beliefs, health |
If necessary, change of purpose | none |
Ticket system
The purpose of the processing operation | Ensuring IT support in your own company and for customer systems. Recording of faults, errors and inquiries, systematic processing of error messages by users |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | IT service (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, it may not be possible to perform the tasks or contracts (support and maintenance of the IT systems), in particular over a physical distance. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Information on the person responsible (name, first name, contact details), details of the requester (name, first name, address data, contact details), error description |
If necessary, change of purpose | none |
Data media disposal
The purpose of the processing operation | Destruction of media that is no longer required (eg after expiry of the retention period) on which or in which personal data is stored (hard disks, SSD, CD / DVD, USB stick, …) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | external disposal service provider (if required) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Non-personal data are collected. The data is already available. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | All company data (billing information, address data, bank details / credit card details, credit history, date of birth, IT usage data / log data / log files, IP address, interests / preferences, contact details, CV, surname / first name, title, social security data, contract data, contract master data, payment data, time registration data) |
If necessary, change of purpose | none |
Applications and application process
The purpose of the processing operation | Processing and conducting application procedures, processing unsolicited applications; Selection of potential employees for a suitable occupation. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) |
If necessary, Recipient (for transfer) | external service providers (recruitment tests)(if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention |
Applications will only be saved with the
consent of other authorities, otherwise they will be deleted, returned or
destroyed after 6 months absence See also General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | For a smooth Application procedure, it is necessary that the required information be provided truthfully. |
Consequences of violation (failure to provide the required data) | An infringement would possibly have the consequence that a contract of employment can not be concluded. |
If necessary, Existence of automated decision-making | In this context, we refrain from an automatic decision-making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Data on the person (name, address, date of birth, telephone number, information on religious affiliation, information on marital status / details of children, curriculum vitae, education, qualification, application data, if applicable, information on severe disability) |
If necessary, change of purpose | If we take you into employment after completing the application process, the purpose for processing the data in question will change: in the future, these will be used to conduct and maintain the employment relationship. |
Personnel questionnaire
The purpose of the processing operation | In the application process for a simpler comparison of applicant information, for new hires, to register the employee with the authorities, funds and social security funds |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | state agencies, insofar as statutory transfer obligations exist (tax office); Non-public bodies only if there is a legal basis for this (health insurance and social security funds) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data has already been collected and will be processed to complete the employment relationship. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we refrain from an automatic decision-making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, Date of birth, religious affiliation (if tax-relevant), marital status, information on children, bank details, information on previous activities, training information, social security information |
If necessary, change of purpose | none |
Protective and work clothing
The purpose of the processing operation | Order of protective and work clothes for the employees |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | if necessary, external occupational safety |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data are processed to complete the employment relationship necessarily. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we refrain from an automatic decision-making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, size, glove size, shoe size, body measurements |
If necessary, change of purpose | none |
Quotation, order and billing
The purpose of the processing operation | Creation of offers, orders and invoices |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Document receiver; Depending on the request, if necessary, public authorities, if necessary. Tax consultant, possibly insurer. |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide data based on the contractual relationship between the controller and the data subject. It is necessary for order processing. |
Consequences of violation (failure to provide the required data) | An infringement (ie the non-provision of the required data) would possibly result in the fulfillment of the contractual obligations (eg delivery of goods and provision of services). |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Billing data, address data, if necessary bank details, personal data, contact data, contract data, if necessary time recording data, if necessary customer history, payment data, communication data, contract master data |
If necessary, change of purpose | none |
Billing by direct debit
The purpose of the processing operation | Billing by direct debit |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Bank of the contractor |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No direct debit is possible without the data required for the SEPA direct debit. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | |
If necessary, change of purpose | none |
Wholesale remittance business
The purpose of the processing operation | Delivery to the wholesale |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | Wholesale |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for shipping, delivery of the goods is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | |
If necessary, change of purpose | none |
Invoicing and dunning as well as financial accounting
The purpose of the processing operation | Billing and shipping; Recording open items and reminders (managing and recovering outstanding receivables); Recording and documentation of all financially significant transactions in the company (all sales and fixed assets); Tax, levy and payment to the tax authorities and, where appropriate, other public bodies, control and processing of incoming / outgoing invoices, monitoring of payments, processing of account statements |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | as far as legally required: financial administration; Accountants and auditors Otherwise, if there is a legal basis for the transfer of data |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There are legal obligations to create the invoice and reminder system. |
Consequences of violation (failure to provide the required data) | If necessary, derive from the respective legislation |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First, last name, address, contact details contract data, insurance data, date of birth, data on purchased goods / DL, bank details, VAT identification number, patient data; Billing data, sales incl. Invoice numbers, uses, etc. |
If necessary, change of purpose | none |
Business information and credit check
The purpose of the processing operation | Protection against insolvency of customers; Receipt of outstanding incoming payments |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Service provider (credit check, collection) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation due to general terms and conditions. |
Consequences of violation (failure to provide the required data) | An infringement (ie the non-provision of the required data) would possibly result in the fact that the chosen method of payment can not be used. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Person master data, company data, communication data |
If necessary, change of purpose | none |
(Online) banking
The purpose of the processing operation | Management and administration of bank accounts, financial control |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide data based on the contractual relationship between the controller and the data subject. Necessary for order processing or similar |
Consequences of violation (failure to provide the required data) | An infringement (ie the non-provision of the required data) would possibly result in the fulfillment of the contractual obligations (eg delivery of goods and provision of services). |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, bank details, payment data, contract data, address, date of birth (if necessary) |
If necessary, change of purpose | none |
Credit insurance
The purpose of the processing operation | Protection against failure up to a certain limit |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | credit insurance |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation due to general terms and conditions. |
Consequences of violation (failure to provide the required data) | An infringement (ie the non-provision of the required data) would possibly result in the fact that the chosen method of payment can not be used. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Person master data, company data, communication data |
If necessary, change of purpose | none |
General Administration
The purpose of the processing operation | General administration (including processing of incoming mail, etc.) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data needed for administration, certain business processes can not be performed |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, title, address, e-mail address, telephone number, position, contact details, contact history, contract data |
If necessary, change of purpose | none |
Office communication
The purpose of the processing operation | ask management for office communication for eg: human resources, employee administration, customer administration, financial accounting, controlling, marketing. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Applicants, customers, interested parties, suppliers, craftsmen, authorities, service providers and their contact persons (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for communication, the execution of certain business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Only personal data will be processed to ensure the corresponding processing. |
If necessary, change of purpose | none |
Ordner management
The purpose of the processing operation | Creating, maintaining and managing orders |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data needed for administration, it is not possible to carry out certain business processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, title, address, date of birth, patient data, insurance data, data on purchased goods / DL, contract data, telephone number, customer number, e-mail address |
If necessary, change of purpose | none |
Files keeping
The purpose of the processing operation | Data protection compliant storage of documents (invoices, business transactions), as far as required by law. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Non-personal data are collected, the data are already available. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Customer data, contact data, billing data, contract data, employee data, wage and salary data |
If necessary, change of purpose | none |
Contract management
The purpose of the processing operation | Administration for contracts with customers, affiliates, employees, interns, suppliers, service providers (electronic and paper) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | external legal advisers (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide data based on the contractual relationship between the controller and the data subject. Without the data, the execution of the agreed contractual service may not be possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we refrain from an automatic decision-making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, title, address, e-mail address, telephone number, date of birth, contract data |
If necessary, change of purpose | none |
Appointment management
The purpose of the processing operation | Planning and managing appointments |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Customers, suppliers / service providers or other third parties for appointment coordination (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data needed for appointment management, the planning, administration and coordination of appointments is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, if necessary address, e-mail address, telephone number, position, contact details, appointment data |
If necessary, change of purpose | none |
Key management
The purpose of the processing operation | Access management to office and factory areas |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data is necessarily processed to perform key management. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, issue date, key ID |
If necessary, change of purpose | none |
Processing incoming mail
The purpose of the processing operation | Processing and forwarding of incoming mail |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is necessarily processed for subsequent processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, address; depending on the content of the message: date of birth, title, customer number, insurance data, patient data, bank details, industry, position, communication data |
If necessary, change of purpose | none |
Post office
The purpose of the processing operation | Processing incoming mail (open, scan, distribute) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is necessarily processed for subsequent processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, address; depending on the content of the message: date of birth, title, customer number, insurance data, patient data, bank details, industry, position, communication data |
If necessary, change of purpose | none |
Park space allocation
The purpose of the processing operation | Employee / visitor parking management, maintenance of the house right, detection of unauthorized parking. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for the administration, it is not possible to use a staff or visitor parking lot on the company premises. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, telephone number, license plate number, usage times |
If necessary, change of purpose | none |
Paper shredding and document destruction
The purpose of the processing operation | Destruction of media and documents that are no longer required in the course of paper and file disposal (for example, after expiration of the retention period) on which or in which personal data are located during ongoing operation and after expiration of the retention period. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | external disposal service provider |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The personal data have already been collected and are necessarily processed (destroyed) to fulfill legal obligations. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Customer data, contact data, billing data, contract data, employee data, payroll data; various |
If necessary, change of purpose | none |
External speakers
The purpose of the processing operation | Gaining external speakers for training, seminars and training. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | Cooperation is not possible. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Depending on the content of the communication; Personal master data, communication data, planning and control data |
If necessary, change of purpose | none |
Contact, supplier and customer care
The purpose of the processing operation | Installation, maintenance and updating, management of contacts (creditors, debtors, interested parties and their contact persons) and central administration of all addresses for the company and, if necessary, for the provision of information to the employees, ensuring order processing |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | Without the data, proper contact management and maintenance is not possible. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | Dependent on the process by which the data got into the respective system; usually the data comes from the person concerned. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Personal master data / contact data (first name, last name, date of birth, address, Internet address, e-mail address, telephone number, fax number, position, interests / preferences) Industry, customer number, customer type, contact data, contact history, appointment data, contract data, customer history, payment / billing data , Bank details, credit data, if necessary further depending on the content of the communication |
If necessary, change of purpose | none |
Order entry
The purpose of the processing operation | Acquisition and documentation of procurement orders |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is necessarily processed for subsequent processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, address, telephone number, date of birth, relatives |
If necessary, change of purpose | none |
Order processing
The purpose of the processing operation | Commercial and technical processing of orders |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is necessarily processed for subsequent processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, communication data (e-mail, telephone), bank details, tax data (VAT ID) |
If necessary, change of purpose | none |
Distribution
The purpose of the processing operation | Distribution; order fulfillment |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The data already exists and is necessarily processed for subsequent processes. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, address, paragraphs, date of sale, order data |
If necessary, change of purpose | none |
Prospect management
The purpose of the processing operation | Creation, maintenance and updating, management of contacts Data is managed in the prospect / customer database |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | Without the data, proper contact management and maintenance is not possible. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, Interesse-Status |
If necessary, change of purpose | none |
Customer care and CRM
The purpose of the processing operation | Care and maintenance of existing customers, customer acquisition, conducting statistical evaluations for internal purposes, contacting by telephone, letter, e-mail, personal visit to the product presentation and range of services, measures for customer loyalty and customer service |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | Without the data, proper contact management and maintenance is not possible. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details (telephone, mobile phone, fax, e-mail), appointments, product data, contact reports, sales figures, contact history |
If necessary, change of purpose | none |
Checkout system
The purpose of the processing operation | POS system for billing |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | house bank |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the data required for the desired payment method, only one cash payment is possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, bank and payment details |
If necessary, change of purpose | none |
Sales support
The purpose of the processing operation | Customer acquisition |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | |
If necessary, change of purpose | none |
Orders report
The purpose of the processing operation | Preparation of operative interim reports, orders, overview, planning |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | No personal data will be collected. The data is already available. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Personal master data, communication data, customer history, contract settlement and payment data, planning and control data |
If necessary, change of purpose | none |
Ordering
The purpose of the processing operation | Purchase of goods for own use and for resale, ensuring the availability of material and resources on paper – email – telephone – fax, identification of suitable suppliers, conducting price negotiations, handling of returns and incorrect deliveries |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide data based on the contractual relationship between the controller and the data subject. Necessary for the processing of orders or the like |
Consequences of violation (failure to provide the required data) | An infringement (ie the failure to provide the required data) could result in a situation where the fulfillment of the contractual obligations can not occur (eg receipt of goods or services). |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details |
If necessary, change of purpose | none |
Supplier management
The purpose of the processing operation | Ensuring order processing, ensuring the quality of selected suppliers |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned. Necessary for processing orders or similar |
Consequences of violation (failure to provide the required data) | In the case of infringement, the order processing and the quality of the suppliers can not be ensured. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, business information, ownership and history of the supplier company, management of the supplier companies, bank details, insurance information (public liability, assembly insurance, transport insurance) |
If necessary, change of purpose | none |
Marketing
The purpose of the processing operation | Marketing of goods / services / companies; Order and send marketing articles |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | advertising agencies (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Depending on the type of processing; First name, last name, address, Internet address, e-mail address, telephone number, fax number, position, sector, customer number, customer type, contact history, appointment data, data on interests, contract data, case data |
If necessary, change of purpose | none |
Online marketing
The purpose of the processing operation | External representation of the company, online marketing; Social Media, Website |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | Photographer, marketing agency (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information.Ggfs. Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Depending on the type of processing / interaction; If necessary. Personal master data, contact details, photo / film recordings, others |
If necessary, change of purpose | none |
Acquisition
The purpose of the processing operation | Acquiring new customers |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, title, address (business), address (private), billing address, e-mail address, telephone number, customer number, customer type, contact details, contact history, appointment data, bank details, data on purchased goods or services, contract data, sales data, patient data |
If necessary, change of purpose | none |
Printmailings
The purpose of the processing operation | Shipping of printed documents / information documents / invitations for events, presentation of the product and product portfolio, contact with customers and suppliers, information about new products and discount campaigns, advertising of the company |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Lettershop, post office, advertising agency, possibly further service providers |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Person master data, contact data, vendor master data |
If necessary, change of purpose | none |
Newsletter
The purpose of the processing operation | Management, organization and sending of personalized newsletters; Providing information |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) |
If necessary, Recipient (for transfer) | Newsletter tool vendors (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | |
If necessary, change of purpose | none |
Customer survey (anonymous)
The purpose of the processing operation | Measurement of customer satisfaction (answers anonymous, participation (if) insight possible) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Survey Services (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Only personal data will be processed to secure the corresponding editing process; Personal data will be anonymized; possibly further header data; “Content data” (content of surveys – “Body”) |
If necessary, change of purpose | none |
Events
The purpose of the processing operation | Organization and realization of events and events for customer loyalty, acquisition of new customers and information |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Lettershop (invitation and information dispatch) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, telephone, e-mail, information on nutrition (food selection), bank details |
If necessary, change of purpose | none |
Taking pictures at events
The purpose of the processing operation | On- and Offline Marketing |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Photographer, Printing, Social Media |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Pictures, videos, metadata |
If necessary, change of purpose | none |
Customer Photo / Video
The purpose of the processing operation | External representation of the company, online / offline marketing |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Photographer, marketing agency (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Photo / film shoots, personal data, contact details if required, (if necessary) |
If necessary, change of purpose | none |
Trade fair photos
The purpose of the processing operation | Corporate presentation to the outside; Reference projects for communication with customers and suppliers |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Photographers, customers, suppliers and third parties |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Photo / film as a portrait or group photo |
If necessary, change of purpose | none |
Trade fair stand management
The purpose of the processing operation | Customer and prospective customer care at trade fairs, and gaining new customers at trade fair stands |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, Art des Interesses |
If necessary, change of purpose | none |
Press
The purpose of the processing operation | Public Relations / Corporate Presentation |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Contact details (name, position, telephone, email) |
If necessary, change of purpose | none |
Social media marketing
The purpose of the processing operation | Management of social media accounts and social media marketing; Corporate presentation to the outside; Presentation of reference projects; Use of social media for external presentation and communication with customers and suppliers |
Legal basis (in accordance with Art. 6/9 GDPR) | – Informed consent (Art. 6 para. 1(a)) – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) |
If necessary, Recipient (for transfer) | Publication online (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is no obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | In the event of infringement, the use of social media for the external presentation of the company and communication can not be used. |
If necessary, Existence of automated decision-making | There is no automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Depending on the type of processing; First name, last name, contact details, pictures |
If necessary, change of purpose | none |
Controlling
The purpose of the processing operation | Planning, controlling and controlling all divisions |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, address, e-mail address, telephone number, customer number, customer type, contact details, contract data, inventory data, usage data, sales data |
If necessary, change of purpose | none |
Project management
The purpose of the processing operation | Leading, controlling, coordinating projects of all kinds, such as the generation of new business, planning of complex IT systems or optimization of business processes, management of any projects in the company |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Customers, interested parties, suppliers, craftsmen, authorities, service providers and their contact persons |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, address, e-mail address, telephone number, fax number, industry, position, appointment data, contract data, communication data, sales data |
If necessary, change of purpose | none |
Analysis und reporting
The purpose of the processing operation | Reporting of corporate data to reveal hidden costs, market analysis, preparation of business reports |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Financial data, personal data, production data |
If necessary, change of purpose | none |
Tenders
The purpose of the processing operation | Submit appropriate offers to potential customers in public tenders. Successful participation in tenders and placing orders. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Implementation of pre-contractual measures (Art. 6 para. 1(b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Personal master data, communication data, contract master data, planning and control data, if necessary further; Information on the company, previous projects, qualification of employees, fulfillment of legal obligations (eg compliance with the minimum wage), etc. |
If necessary, change of purpose | none |
Data to tax consultants, auditors, customs authorities
The purpose of the processing operation | Data transfer with regard to business evaluation, account assignment, tax data / tax clearance / customs clearance, etc. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Authorities, tax consultants, auditors, service providers and their contact persons |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is a legal obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | The infringement can lead to sanctions. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, Bank details, insurance number, date of birth, identity card data |
If necessary, change of purpose | none |
Inquire procedure of data subjects
The purpose of the processing operation | Administration for the information procedure of data subjects, by telephone, E-Mail, letter post |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | external data protection officer (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | There is a legal obligation to provide personal information. |
Consequences of violation (failure to provide the required data) | The infringement can lead to sanctions. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, Data on the person of the person concerned, data on recipients |
If necessary, change of purpose | none |
Lawyer, court documents
The purpose of the processing operation | Preservation of legal interests of the company, for the professional evaluation of contracts, documents etc. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Specialist lawyer, prosecutor, jurisdiction, EU arbitration board |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Depending on the individual case |
If necessary, change of purpose | none |
Data to business consultants
The purpose of the processing operation | To fulfill the contractually agreed consulting goal. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | External business consultants |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, Salary data, age, sales figures |
If necessary, change of purpose | none |
Claims management
The purpose of the processing operation | Handling of complaints, improvements in the company |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details, |
If necessary, change of purpose | none |
Warehouse management
The purpose of the processing operation | Management of the warehouse |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Logistics software manufacturers; Shipping service / forwarding company |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, if necessary telephone number, address |
If necessary, change of purpose | none |
Logistics
The purpose of the processing operation | Collection and shipping of goods (see delivery and shipping) Order picking, delivery of orders Messenger services (carrying documents) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Logistics software manufacturers; Shipping service / forwarding company |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned. |
Consequences of violation (failure to provide the required data) | Without the data necessary for the logistics a delivery and the dispatch of goods, as well as the acceptance of goods is not possible. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Only personal data will be processed to secure the corresponding editing process; Personal master data / communication data (first name, last name, title, address, patient data, telephone number, contact data, customer number, date of birth), contract master data (contractual relationship, product or contract interest) |
If necessary, change of purpose | none |
Delivery and shipping
The purpose of the processing operation | Goods transport / delivery of sample requests Delivery processing (service providers and suppliers); Product shipping to customers. Data transmission to shipping service providers (forwarding / courier parcel express service) |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) – Fulfilment of legal obligations (Art. 6 para. 1 (c)) |
If necessary, Recipient (for transfer) | Logistics software manufacturers; Shipping service / forwarding company |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned. |
Consequences of violation (failure to provide the required data) | Without the data required for shipping a delivery of goods is not possible. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Only personal data will be processed to secure the corresponding editing process; Personal master data (name, first name, address data), communication data (eg telephone, e-mail), contract master data (contractual relationship, product or contract interest) |
If necessary, change of purpose | none |
Planning and production control
The purpose of the processing operation | Planning and controlling production orders |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See also General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details |
If necessary, change of purpose | none |
Customer Support
The purpose of the processing operation | Support for customers via remote desktop software |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | The processing of personal data is not planned, but due to the service access to personal data can not be excluded. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | The processing of personal data is not planned, but due to the service access to personal data can not be excluded Also access to special categories can not be excluded; These include: racial and ethnic origin, religious or philosophical beliefs, health |
If necessary, change of purpose | none |
Call center
The purpose of the processing operation | Call center for accepting customer calls, for telephone sales, hotline for answering product questions. Acceptance of customer services, maintenance of existing customers, acquisition of new customers. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | external call center service provider |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, address data, contact details |
If necessary, change of purpose | none |
Call processing
The purpose of the processing operation | Troubleshooting customer systems, compiling quality control statistics |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | none |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant personal data, the implementation of this and possibly further business processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Name, first name, username, telecommunication data |
If necessary, change of purpose | none |
Service
The purpose of the processing operation | Provision of various services |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | Subcontractor (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Obligation to provide the data based on the contractual relationship between the responsible party and the person concerned. |
Consequences of violation (failure to provide the required data) | Without the relevant data, the provision of various services is not possible. |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | Personal master data, address data, bank data, contact data, payment data, payroll data, contract data, time registration data, correspondence; various |
If necessary, change of purpose | none |
Facility Management
The purpose of the processing operation | Care and maintenance of real estate and buildings used by the company. |
Legal basis (in accordance with Art. 6/9 GDPR) | – Safeguarding our legitimate interest (Art. 6 para. 1 (f)) – Performance of a contract (Art. 6 para. 1 (b)) |
If necessary, Recipient (for transfer) | Service providers who perform services in the area of facility management. Other third parties (if necessary) |
If necessary, Intention to transfer to a third country or international organisation (including information on the Commission’s adequacy decision or appropriate guarantees) | No data transfer to a third country takes place and is not planned. |
Where known: Duration of data retention | See also General deadlines for data deletion |
Obligation to provide personal data (e.g. due to legal or contractual regulations) / necessity | Without the relevant data, the execution of these processes is not possible. |
Consequences of violation (failure to provide the required data) | |
If necessary, Existence of automated decision-making | In this context, we do not use automated decision making. |
If necessary, Origin of data (if not collected directly from the data subject) | The data usually comes from the person concerned, but may come from a third party. |
If necessary, Categories of personal data (if not collected directly from the data subject) | First name, last name, e-mail address, telephone number, contact history, appointment data, contract data, photos |
If necessary, change of purpose | none |