Data privacy statement for customers and suppliers

Information on dealing with your data at ATESTEO.

1. General

Name and address of the responsible party for processing

ATESTEO GmbH & Co. KG
Konrad-Zuse-Str. 3
52477 Alsdorf
Germany

Commercial registry of the local court of Aachen
Commercial registry entry HRA 9222
Value added tax (VAT) number DE 121677156

Personally liable partner

IHO Holding GmbH & Co. KG, Herzogenaurach
Register court: Fürth Local Court (Amtsgericht Fürth), HRA 2681

Personally liable partner

IHO Management GmbH, Herzogenaurach
Register court: Fürth Local Court (Amtsgericht Fürth), HRB 12191
Board of directors: Maria-Elisabeth Schaeffler-Thumann, Georg F.W. Schaeffler, Klaus Rosenfeld, Dr. Alexandra Zech

Represented by the managing partner

ATESTEO Management GmbH, Herzogenaurach
Register Court: Fürth Local Court (Amtsgericht Fürth) HRB 13140
Board of Directors: Tim Willers, Dr. Josef Görgens, Dr. Lei Kan

Contact person

Michaela Ritter
Data Protection Coordinator
ATESTEO GmbH & Co. KG
Konrad-Zuse-Straße 3
52477 Alsdorf
michaela.ritter@atesteo.com

Controller for data protection

Mr David Zinzius
Optiqum GmbH
Siegburger Str. 223
50679 Cologne
Germany

Responsible regulatory authority for monitoring and compliance with data protection law

State Representative for Data Protection, North Rhine-Westphalia
Kavalleriestraße 2-4
40213 Düsseldorf
Germany

2. Purpose of collecting, processing, or using data

Personal data are processed for establishing, carrying out, and, if necessary, ending our contracts with you as well as for conducting measures and activities within the scope of precontractual relationships. In particular, the processing serves to fulfil our contractual duties and rights in accordance with our service relationships with you and includes the services, measures, and activities necessary for this. We collect and process your personal data particularly for the following purposes:

  • Submission of an offer and the necessary dissemination of information required for preparation of the overall bid.
  • Conclusion of the contract, performance of the contract, and customer service.
  • Credit assessment before initiating a customer contractual relationship.
  • For information about our products and services.
  • Measures for business management and further development of services and products.
  • Statistical reporting or market analysis.
  • Verifiability of orders and other agreements as well as quality control.
  • Quality control, testing, and optimizing procedures for needs analysis and communication with you.
  • Fulfilment of legal obligations or governmental requirements.

3. Legal regulations on data protection

Personal data are processed for establishing, carrying out, and, if necessary, ending our contracts with you as well as for conducting measures and activities within the scope of precontractual relationships. In particular, the processing serves to fulfil our contractual duties and rights in accordance with our service relationships with you and includes the services, measures, and activities necessary for this (Article 6 Section 1 Letter b General Data Protection Regulation, GDPR). If you voluntarily provide us with data beyond what is necessary, data protection law permits us to process it on the basis of consent in accordance with Article 6 Section 1 Sentence 1 Letter a) GDPR. Beyond the actual fulfilment of the preliminary contract or contract, we process your data if it is necessary in order to protect our legitimate interests or those of third parties (Article 6 Section 1 letter f GDPR).

We ensure that your personal data are processed in a manner that guarantees the protection of your data. The data are processed by electronic means and in paper form. In the process, we adhere to the security standards to protect your privacy and to guard against the risk of unauthorised access to this data. We have taken extensive technical and organisational precautions to protect the data you make available to us from loss, manipulation, destruction, and unauthorised access. Our security measures are continuously improved in line with technological developments and legal requirements.

4. Rights of the persons affected

As a person affected by data processing, in accordance with the GDPR, you have, among others, the following rights (hereafter referred to as “rights of the persons affected”):

Right to information (Article 15 GDPR)

You have the right to request information as to whether or not we process personal data about you. The first copy is free of charge. For further copies, a reasonable fee may be charged. A copy can only be provided if the rights of other persons are not affected by this.

Right to rectification of data (Article 16 GDPR)

You have the right to request us to rectify your data when these are incorrect, incomplete, or both. This right also includes the right of completion through supplementary explanations or statements.

Right to erasure of personal data (Article 17 GDPR)

You have the right to request the erasure of your personal data when:

  • The personal data are no longer necessary for the purposes for which they were collected and processed.
  • The data processing is based on consent given by you and you have revoked the consent. This does not apply, however, if another legal permission for the data processing exists.
  • You have filed an objection to data processing, the legal permission of which lies in the so-called “legitimate interest” (according to Article 6 Section 1 Letter e or f GDPR). However, erasure need not take place if there are overriding legitimate reasons for further processing.
  • You have filed an objection to processing for the purpose of direct marketing.
  • Your personal data have been processed unlawfully.
  • It is data of a child collected for information society services (= electronic service) on the basis of consent (according to Article 8 Section 1 GDPR).

A right to erasure of personal data does not exist when:

  • The right to freedom of expression and information precludes the request for erasure.
  • The processing of personal data is necessary to fulfil a legal obligation (for example, legal obligations to preserve business records).
  • The processing of personal data is necessary to carry out public functions and interests in accordance with applicable law (this also includes “public health”).
  • The processing of personal data is necessary for the purposes of archiving, research, or both.
  • The personal data are necessary to assert, exercise, or defend legal claims.

If personal data have been made public by us (e.g., on the Internet), we must, to the extent technically feasible and reasonable, ensure that other data processors are also informed of the request for erasure, including the erasure of links, copies, and/or replications.

Right to restriction of data processing (Article 18 GDPR)

You have the right to have the processing of your personal data restricted in the following cases:

  • If you have disputed the accuracy of your personal data, you can request that we do not use your data for other purposes for the duration of the verification and thus limit their processing.
  • In the case of unlawful data processing, instead of erasure of the data, you can request the restriction of the use of the data.
  • If you need your personal data to assert, exercise, or defend legal claims, but we no longer need your personal data, you can request us to restrict processing to the purposes of legal proceedings.
  • If you have objected to data processing (pursuant to Article 21 Section 1 GDPR) and it has not yet been determined whether our interests in processing override your interests, you can request that your data are not used for other purposes during the duration of the verification and thus limit their processing.

Personal data, the processing of which has been restricted at your request, may, provided that they are stored, only be processed with your consent, for the assertion, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest. Should a processing restriction be revoked, you will be informed of this in advance.

Right to data portability (according to Article 20 GDPR)

You have the right to request the data which you have provided to us in a commonly used electronic format (e.g., as a PDF or Excel document). You can also request that these data are transmitted by us directly to another company (determined by you) provided that this is technically feasible for us. The prerequisite that you have this right is that:

  • The processing is carried out on the basis of consent or for the execution of a contract and is carried out by means of automated procedures.
  • The exercise of the right of data portability does not infringe on the rights and freedoms of other persons.

When you exercise the right of data portability, you also continue to have the right to the erasure of data pursuant to Article 17 GDPR.

Exercise of the rights of the persons affected

To exercise your rights of the persons affected, please contact the above office. Requests that are submitted electronically will as a rule be answered electronically. The information, notifications, and measures to be made available under the GDPR, including “the exercise of the rights of the persons affected”, are generally provided free of charge. Only in the case of manifestly unfounded or excessive requests are we entitled to charge an appropriate fee for processing or to refrain from taking action (pursuant to Article 12 Section 5 GDPR).

Should reasonable doubts as to your identity exist, we are permitted for the purpose of identification to request additional information from you. If an identification is not possible for us, we have the right to deny the processing of your request. We will as far as possible inform you separately if identification is not possible (see Article 12 Section 6 and Article 11 GDPR).

Requests for information are usually processed immediately, within one month of the receipt of the request. The period may be extended by an additional two months as long as this is necessary given the complexity and/or the number of requests. In the event of an extension, we will inform you of the reasons for the delay within one month of receipt of your request. If we do not act on a request, we will inform you immediately within one month of receipt of the request of the reasons for this and inform you of the possibility of lodging a complaint with a supervisory authority or seeking legal redress. (See Article 12 Section 3 and Section 4 GDPR).

Please note that you may exercise your rights as an affected person only within the framework of restrictions and limitations provided for by the Union or one of its member states (Article 23 GDPR).

5. Recipients or categories of recipients of the data

In the context of processing, your data may be transmitted to:

  • Persons and internal departments within our company that are involved in data processing in order to fulfil our contractual and legal obligations or in the course of processing and implementing our legitimate interests.
  • Service providers that are contractually bound and bound to secrecy and who carry out partial tasks of data processing in connection with execution of the contract.
  • External companies, when this is necessary. Examples of this are postal service providers for delivering letters and/or logistics and mail order companies in connection with the execution of the contract.
  • External service companies, provided that these data are processed on our behalf as contractors or function holders (e.g., external data centers, print shops, or companies for data disposal, etc.).
  • Public authorities, when we are obliged to comply with legal requirements for information, reporting, or disclosure of data or if the disclosure of data is in the public interest.

6. Data transfer to third countries

Data transfer to third countries is not planned. This only arises within the framework of the existing contractual requirements, necessary communication, and other exceptions expressly provided for in Articles 44-49 GDPR. No further transmission to third countries is currently taking place.

7. Duration of data storage / Standard periods for the erasure of data

We process and save your data for the duration of our business relationship. This also includes the initiation of a contract (precontractual legal relationship) and the execution of a contract.

In addition, we are subject to various storage and documentation obligations which result from the German Commercial Code (Handelsgesetzbuch, HGB) and the Fiscal Code of Germany (Abgabenordnung, AO), among others. The periods of storage or documentation specified there are up to ten years beyond the end of the business relationship or the precontractual legal relationship.

Furthermore, special legal regulations may require a longer storage period. For example, the preservation of evidence within the framework of the legal statute of limitations. According to §§ 195 ff. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), the regular limitation period is three years, but limitation periods of up to 30 years may also apply.

If the data are no longer required for the fulfilment of contractual or statutory obligations and rights, these will be erased on a regular basis, unless their – limited – further processing is necessary for fulfilling the purposes listed under “Item 5”. In these cases, we may store and, if necessary, use your data for a period compatible with the purposes even after termination of our business relationship or our precontractual legal relationship.

8. Data processing

We process your data on our own server. This is protected against access by unauthorised persons through technical and organisational measures taken in accordance with Article 32 GDPR. An authorisation concept ensures that only authorised staff members may receive access to these data. Our security measures are continuously improved in line with technological developments and legal requirements.

This English translation of the German original is a courtesy translation. Only the German version is binding and shall prevail.