Data privacy information for suppliers

pursuant to Art. 13, 14 and 21 of the General Data Privacy Regulation GDPR

To us, data privacy is paramount. We will here inform you about how we process your data and the rights you have in this respect.

1. Who is responsible for data processing and whom may you contact in this regard?
BOSIG Holding GmbH & Co. KG
Legally represented by BOSIG Holding Beteiligungs-GmbH
These are legally represented by the Managing Director Oliver Schmid
Brunnenstraße 75-77
73333 Gingen

2. Contact details for the Data Privacy Officer
This email address is being protected from spambots. You need JavaScript enabled to view it.

3. Purposes of processing and legal basis
Your personal data will be processed in accordance with the provisions of the General Data Privacy Regulation (GDPR), the Bundesdatenschutzgesetz BDSG [Federal Data Privacy Act] and other relevant data privacy regulations. The processing and use of individual data depends on the service agreed to or applied for. You may find further details and amendments on the purposes of processing in our contract documents, forms, declarations of consent and other information made available to you (e.g. on the website or terms and conditions).

3.1 Consent (Art. 6 (1) (a) GDPR)
Your consent to the processing of personal data will serve as the legal basis for processing. You may revoke your consent at any time, with effect into the future.

3.2 Performance of contractual obligations (Art. 6 (1) (b) GDPR)
We will process your personal data to perform our contracts with you, especially in the context of processing orders and utilising services. Your personal data will furthermore be processed for purposes of implementation of measures and activities in the context of pre-contractual relationships.

3.3 Compliance with legal obligations (Art. 6 (1) (c) GDPR)
We will process your personal data as required under statutory obligations (e.g. commercial or tax laws).

This may be the case if, among other:

  • Reference is required to European and international counter-terrorism lists
  • Compliance is required with tax control and reporting obligations and where data must be archived for data privacy and data security purposes and for examination by fiscal and other authorities.

 

Disclosure of personal data may also be required in the context of official/judicial measures for evidentiary purposes or law enforcement or the assertion of civil claims.

3.4 Our own legitimate interests or those of third parties (Art. 6 (1) (f) GDPR)
We may also use your personal data to assess interests in ensuring that our own or third party legitimate interests will be maintained. This may be required for the following purposes:

  • for obtaining information and exchanging data with credit agencies, should our economic risk be excessive
  • for limited retention of your data should deletion be impossible or require unreasonably high effort due to special storage methods
  • for comparison to European and international counter-terrorism lists should this surpass legal obligations
  • for ensuring and exercising our domestic authority through corresponding action (e.g. video surveillance)

 

We will if necessary also process personal data available from public sources (e.g. Internet, media, press, trade and club registries, registration records, debtor directories, land registers). To the extent required for provisioning of our service we will process personal data we lawfully receive from third parties (e.g. address publishers, credit agencies).

4. Categories of personal data we will process
The following data are processed:

  • Personal data (first name, surname, occupation/industry and similar data)
  • Contact details (mailing address, e-mail address, telephone number and the like)
  • Supplier history

 

We will if necessary also process personal data available from public sources (e.g. Internet, media, press, trade and club registries, registration records, debtor directories, land registers). To the extent required for provisioning of our service we will process personal data that we lawfully receive from third parties (e.g. address publishers, credit agencies).

5. Who will obtain your data?
We will forward your personal data to internal departments that need the data for contractual and legal purposes or to protect our legitimate interests.

The following bodies may also receive your data:

  • • Our commissioned order processors (Art. 28 GDPR) especially in the fields of: IT services, logistics services, external data centres, controlling, auditing service, credit institutes, courier services and logistics
  • • Public bodies and institutions in cases where we may be under legal or regulatory obligation to provide information, notification or disclosure of data, or should the latter be in the public interest
  • • Bodies and institutions, based on our legitimate interest or that of the third party in the context of the purposes set out in Point 3.4 (e.g. to authorities, credit agencies, debt collection, lawyers, courts, appraisers, group companies and committees and supervisory bodies)
  • • Other entities that you agreed may receive your data

 

6. Transmission of your data to a third country or an international organisation
No data will be processed outside the EU or the EEA.

7. How long will we store your data?
We will to the extent necessary process your personal data for the duration of our business relationship, including also the initiation and execution of contracts.

We are also subject to various obligations of storage and documentation based, among other, on the Commercial Code (HGB) and the Revenue Code (AO). The deadlines for such storage and documentation are up to ten years beyond the end of the business relationship or of the pre-contractual legal relationship.

Storage periods will also depend on statutory periods of limitation which will normally be three years, but up to thirty years in some cases, pursuant to §§ 195 et. seq. of the Civil Code (BGB).

8. To what extent will automated decision-making be applied in individual cases (including profiling)?
We are not using automated decision-making procedures as per Article 22 GDPR. We will specifically inform you should we resort to this in individual cases, provided this is required by law.

9. Your data privacy rights
You have the right to information under Art. 15 GDPR, the right to correction under Art. 16 GDPR, the right to deletion under Art. 17 GDPR, the right to limit processing under Art. 18 GDPR and the right to data transferability under Art. 20 GDPR. You also have the right to lodge a complaint with a supervisory data privacy authority (Art. 77 GDPR). Article 21 GDPR also grants you the basic right to object to our processing of your personal data. This right to objection will, however, be prerequisite upon your special personal circumstances; our domestic authority may oppose your right of objection. Please contact our Data Privacy Officer This email address is being protected from spambots. You need JavaScript enabled to view it. should you intend to assert such a right.

10. Extent of your obligations to provide us with your data
You only need to provide the information necessary to enter into a business or a pre-contractual relationship with us, or information we are required to collect by law. We will generally not be able to conclude or execute a contract with you unless we have this information. This may also apply to data required in a later phase of the business relationship. You will be separately informed of the voluntary nature of any additional information we may request.

11. Information about your right to object Art. 21 GDPR
You have the right at any time to object to the processing of your data as per Art. 6 (1) (f) GDPR (data processing based on weighing of interests) or Art. 6 (1) (e) GDPR (data processing in the public interest) should you have reasons related to your particular situation. This will also apply to profiling in terms of Art. 4 (4) GDPR, based on this provision.
We will cease processing your personal data should you lodge an objection, unless we can demonstrate compelling legitimate reasons for processing to overrule your interests, rights and freedoms or unless processing serves a purpose of enforcing, pursuing or defending legal claims.
The objection may be informal, addressed to the address given under Point 1.

12. Your right to lodge a complaint with the competent supervisory authority
You have the right to lodge a complaint with the supervisory data privacy authority (Art. 77 GDPR). The supervisory authority responsible for us is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit [State Commissioner for Data Privacy and Freedom of Information]
Königstrasse 10 a
70173 Stuttgart