Information on Data Protection for Customers, Suppliers and other Business Partners
(Last revised: 1 February 2019)
The protection of your personal data and your right to informational self-determination have always been of great importance to us at STAHLGRUBER GmbH. In the following we would like to inform you about how your personal data is processed by us and what rights you have as the data subject pursuant to Articles 13, 14 and 21 of the European General Data Protection Regulation (GDPR). The following general information is valid as of May 25, 2018, and may replace any previously published information or versions. If a special situation arises regarding processing, you will receive separate or supplementary information. This includes, for example, the data protection statements on our websites, terms of participation concerning events, and information regarding consent. The following general information will be updated as needed. The current version can be viewed at https://www.stahlgruber.de/en/privacy.
1. Who is responsible for the processing of personal data and how can you contact the Data Protection Officer?
As per Art. 4 No. 7 of the GDPR, the party responsible is:
Gruber Str. 65
Andrej Jerman, Werner Maier, John S. Quinn, Frank Schöller
Tel.: +49 (0) 8121 707-0
Contact details of the Data Protection Officer:
Gruber Str. 65
Tel.: +49 (0) 8121 707-0
Which categories of personal data are processed by us and where does the data come from?
A large part of the personal data that we collect directly from you arises directly from the respective business relationship. However, as part of the processing activities referred to in Point 3, it may be necessary to use personal data from other sources. Of course, this takes place in compliance with applicable data protection regulations. In such cases, personal data may come from publicly available sources (e.g. commercial registers, registers of associations, civil registers, land registers, record of debtors, press releases and internet searches), affiliated companies or other third parties (e.g. credit bureaus, address publishers and governmental authorities). Depending on the processing activity and its purpose, data from the following categories in particular are processed:
- Personal master data, such as name, date of birth, place of birth, nationality, marital status, job title and industry affiliation
- Contact details and addresses, e.g. residential address, registration address if different, e-mail address, telephone and fax numbers
- Bank details, other account information and payment data
- Tax information, such as tax ID and/or VAT ID
- Order data, such as type and quantity of goods ordered or services used
- Credit information and payment conditions
- Data concerning complaints
- Authentication data, such as ID card data, signature, company stamps and passwords
- Image and video data
- Historical data on any business relationship with STAHLGRUBER GmbH and affiliated companies
- Advertising and sales data including target group-specific information
- Data concerning the maintenance of contacts or the initiation of a relationship, such as data on communications that have already taken place, including date and time as well as purpose and content of the communications
- Copies of correspondence, if made in writing, by email or by fax
If you access the websites of STAHLGRUBER GmbH or use other electronic services provided by us, we will process various IT-specific information. In addition to the type, time and duration of access, such processing also includes the IP addresses that you use, as well as data about the devices that you use, such as: operating system, browser and amount of transmitted data. As part of the processing activities referred to in Point 3, so-called “cookies” are also used. Further information can be found in the specific information concerning data protection for each respective website or electronic service. The information for the website “stahlgruber.de” is available at the end of this document.
3. For what purposes is your personal data processed and on which legal basis is such processing based?
The processing of your personal data is carried out in accordance with the provisions of the European General Data Protection Regulation (GDPR), the Federal Data Protection Act as amended on June 30, 2017, and any other applicable data protection regulations.
a) Processing for the execution and fulfilment of a contract or for pre-contractual measures
A large part of the personal data is processed by us in order to be able to fulfil contracts with you or to carry out pre-contractual measures at your request. The legal basis for this is Article 6 (1) Sent. 1 (b) of the GDPR. The processing activities, which include any associated purpose, arise in particular from the respective contract and include, above all, the provision of our catalogues and ordering systems, the preparation of offers, the acceptance of orders, the commissioning of goods, delivery, and if necessary assembly and/or operationalisation and/or maintenance activities, as well as the provision of other services, such as training sessions and invoicing, which includes order-related payments, payment reminders/warnings and tax assessments. Also required in this context are order-related communications, the documentation of transactions, the booking of business transactions and the processing of claims, including fulfilment of any warranty claims.
b) Processing as it relates to the fulfilment of legal obligations or to the performance of a task carried out in the public interest
Like any other company, STAHLGRUBER GmbH has to fulfil and comply with a wide variety of legal obligations. To do this, personal data must also be processed. The legal basis for this is Art. 6 Para. 1 Sent. 1 (c) of the GDPR. Furthermore, personal data may have to be processed during the performance of a task carried out in the public interest. The legal basis for this is Art. 6 Para. 1 Sent. 1 (e) of the GDPR. The requirements and the resulting processing activities and purposes arise, in particular, from commercial and tax law but also from other supervisory or regulatory requirements. The retention periods for business documents require, for example, that a large number of documents, including the personal data that such documents contain, are stored on a long-term basis.
Other regulatory-related processing activities may include the implementation or support of recall actions, the prevention of money laundering, the prevention, combating and resolution of terrorist financing, the fulfilment of tax inspection and reporting obligations, as well as identity verification and reconciliation with anti-terror lists. Judicial or regulatory measures may require that personal data be processed and, in particular, disclosed. Such measures include law enforcement activities, evidence gathering activities, enforcement or defence of civil claims or audits by tax and/or regulatory authorities. The legal requirements for data protection and data security also require certain processing activities. This includes record keeping with the framework of data security measures, e.g. when visiting our websites, when using other electronic services provided by us, or when communicating via e-mail, fax or telephone, as well as making inquiries with regard to data protection.
c) Processing for the protection of the legitimate interests of STAHLGRUBER GmbH or a third party
As a customer or business partner of STAHLGRUBER GmbH, you are accustomed to having a trusting relationship with us. In addition to the execution and fulfilment of contracts with you, the implementation of pre-contractual measures, the fulfilment of legal obligations, and the preservation of public interests, we process personal data in order to safeguard our legitimate interests or those of third parties. The legal basis for this is the first sentence of art. 6 para. 1 sentence 1 letter f) GDPR. The processing activities comprise in particular:
- General contact maintenance within the framework of an existing business relationship
- General internal and external communication
- Compliance measures, including internal and external investigations to prevent and, if necessary, detect criminal offences or other violations
- Data exchange with affiliated companies to optimise the range of goods and services and to improve processes and structures
- Limited storage of personal data instead of deletion according to Section 35 FDPA
- Obtaining offers for credit insurance and taking out credit insurance to reduce the economic risk for STAHLGRUBER GmbH
- Obtaining information and exchanging data with credit agencies, among other things to reduce the economic risk for STAHLGRUBER GmbH and to grant payment terms
- Enforcement, exercise or defence of legal claims
- Ensuring IT and data security, including measures to safeguard the confidentiality, integrity and availability of data
- Measures for corporate management, e.g. recording of costs, controlling, internal and external reporting, internal auditing
- In individual cases, monitoring of telephone calls during order acceptance for training purposes or as part of quality control
- Quality management, monitoring and optimisation of business processes,
- Risk and emergency management as well as various security measures including measures for the protection of domiciliary rights
- Statistical evaluations and demand analyses to optimise the offer, availability of goods and services and to enable direct customer approach
- Statistical evaluations for measuring the reach of newsletters (e.g. opening rate)
- Activities in the interest of building and system security, including access control and logging
- Video surveillance in the context of the protection of domiciliary rights, for the prevention and prosecution of criminal offences as well as for the protection of the property of STAHLGRUBER GmbH and of third parties
- Video surveillance of technical equipment for the safety of the persons present and for the detection of technical defects
In order to safeguard our own legitimate interests, we may supplement the data stored by us with data stored in publicly accessible sources or with data collected from third parties (e.g. credit agencies, address publishers or authorities).
Furthermore, we process personal data for the purpose of advertising as well as market or opinion research. Approaches for advertising purposes are made personally, by telephone and by post. If you have purchased goods or services from us, we may use your e-mail address to send you information about similar products and services by e-mail. If the legislator requires consent for this, we will obtain it. We also exchange personal data with affiliated companies within the framework of legal regulations. Processing within the framework of a weighing of interests will only take place if you have not objected to it and if the legislator does not require explicit consent. We will inform you separately below about your right of objection pursuant to art. 21 GDPR.
d) Processing on the basis of your explicit consent
Certain processing operations may require us to obtain your consent. The legal basis for such processing activity is art. 6 para. 1 sentence 1 letter a) GDPR. Consents granted before 25.05.2018 generally remain valid. If we need your consent, we will inform you about the planned use before you grant your consent. You can revoke both new consents and consents granted in the past at any time with effect for the future. However, the revocation of consent does not affect the legality of the processing until the time of revocation.
4. Which categories of recipients have access to your personal data or to whom is this data transmitted?
Within STAHLGRUBER GmbH, the departments have access to personal data which they require for their professional activities and for carrying out the processing described under point 3. Your personal data will only be passed on to entities outside STAHLGRUBER GmbH if this is legally permitted and is necessary as part of the processing mentioned under point 3.
The legal basis for this is the following:
- You have given us or a third party your explicit consent. Art. 6 para. 1 sentence 1 letter a) GDPR
- The transfer is necessary for the performance of a contract which you have concluded with STAHLGRUBER GmbH or a third party or for the implementation of pre contractual measures. Art. 6 para. 1 sentence 1 letter b) GDPR
- The transfer is necessary for the fulfilment of legal obligations to which STAHLGRUBER GmbH is subject.
Art. 6 para. 1 sentence 1 letter c) GDPR
- Such disclosure is necessary for safeguarding public interests. Art. 6 para. 1 sentence 1 letter e) GDPR
- The transfer is necessary to protect the legitimate interests of STAHLGRUBER GmbH or a third party. Art. 6 para. 1 sentence 1 letter f) GDPR
- It involves order processing within the meaning of art. 28 GDPR.
a) Transmission to service providers
Like most other companies, STAHLGRUBER GmbH works together with service providers. These vicarious agents are obliged to comply with data protection regulations. If the order processing is within the meaning of art. 28 GDPR, the service provider may only process personal data in accordance with the instructions and within the narrow limits of the respective order. The service providers and contractors that STAHLGRUBER GmbH makes use of come from the following categories in particular:
- Credit agencies
- Banks, credit institutions and other payment service providers
- Consulting, including legal advice, tax advice, management consulting and auditing
- Security companies and security service providers
- Printing services
- Waste-disposal companies
- Debt collectors
- IT service providers Logistics and transport
- Marketing and sales
- Training companies
- Technical service providers
- Telecom companiesInsurance companies
These service providers may also be affiliated companies.
In addition to the purposes mentioned under point 3 c), transmission takes place in one or more of the following contexts in particular:
- Conclusion of credit insurance,
- Processing of receipts and other documents,
- Procurement and purchasing,
- Data and data carrier destruction,
- Obtaining credit information,
- Creation of personalised print products,
- Preparation and evaluation of expert opinions,
- Debt collection,
- Marketing, including the implementation of advertising measures and market and opinion researchk,
- Media and communication technology,
- Legal and tax advice
- Risk management,
- Screening of data in the context of the fight against money laundering,
- Security management,
- Training services,
- Statistical evaluations,
- Telephony and/or other electronic communication,
- Management consulting,
- Dispatch and delivery of goods and/or documents,
- Management of customers and suppliers,
- Maintenance and support for IT systems (hardware and software),,
- Monetary transactions
b) Transmission to other recipients
Apart from service providers who act on behalf of STAHLGRUBER GmbH, other categories of recipients may be taken into consideration:
- third parties with whom you have a contractual relationship,
- third parties, provided that you have consented to the disclosure of your data,
- STAHLGRUBER GmbH suppliers,
- public offices and institutions, such as tax and financial authorities, law enforcement authorities, courts of law, supervisory authorities, etc.,
- companies associated with STAHLGRUBER GmbH for the purpose of joint administration, risk management, controlling and/or statutory obligations
How long does STAHLGRUBER GmbH store your personal data?
STAHLGRUBER GmbH processes your personal data as long as is necessary to conduct the business relationship, including pre-contractual measures, and to comply with statutory obligations.
Furthermore, STAHLGRUBER GmbH is obligated to observe retention periods under commercial and tax law. These are defined, in particular, in the German Commercial Code, the German Tax Code and the German Prevention of Money-Laundering Act and can be up to 10 years after the business relationship or contract formation phase has ended.
Due to other statutory provisions, it may be necessary to retain the data for longer periods in order to preserve evidence. Section 195 of the German Civil Code stipulates limitation periods of up to 30 years, whereby the standard limitation period is three years.
Where the aforementioned periods have expired, the personal data shall be deleted on a regular basis. Exceptions to this rule apply only where further processing is necessary to safeguard a legitimate interest pursuant to 3 c). According to Section 35 of the German Federal Data Protection Act (FDPA) (amended version), such an interest can also be deemed to exist where, due to the specific method of storage, the deletion of data is not possible or only possible with an unreasonable amount of effort, and the interest of the data subject in having the data deleted is considered negligible. Data deletion shall be superseded by the restriction on data processing by means of suitable technical and organisational measures.
6. Will your personal data be forwarded to a third country or to an international organisation?
Personal data is processed by STAHLGRUBER GmbH solely in Germany or the European Union. Such data shall only be forwarded to service providers, associated companies or other third parties outside the European Union in accordance with statutory provisions, if:
a) you have given us your express consent to do so,
b) this is necessary for the purpose of performing a contract with you or for pre-contractual measures (e.g. delivery to an address outside the European Union),
c) this is necessary for the purpose of concluding or performing a contract in your interest,
d) there is a statutory obligation to this effect or a substantial public interest in doing so,
e) this is necessary to assert, exercise or defend legal claims,
f) this is necessary to safeguard the legitimate interests of STAHLGRUBER GmbH or an associated company, or
g) contract processing is involved.
In cases f) and g), an adequate level of data protection shall be ensured by way of at least one of the following measures:
- Adequacy decision of the European Commission,
- binding in-house data protection regulations,
- standard data protection clauses adopted by the European Commission,
- approved Codes of Conduct pursuant to Article 40 GDPR,
- approved certification mechanism or
- contractual clauses approved by the supervisory authorities.
Upon request, we shall provide you with detailed information in this regard. This shall also include information on suitable or adequate safeguards and how to obtain a copy of these. Please address your inquiry to the company Data Protection Officer.
7. What data protection rights do you have?
As a data subject, you have various rights that you can assert against STAHLGRUBER GmbH under certain conditions. These include the right to information (Article 15 GDPR), the right to correction (Article 16 GDPR), the right to deletion (Article 17 GDPR), the right to restricted processing (Article 18 GDPR) and the right to data portability (Article 20 GDPR). Restrictions in accordance with Sections 34 and 35 FDPA (amended version) shall apply to the rights to information and deletion. You have the right to object to the processing of data on grounds of a legitimate interest (Article 21 (1) GDPR). In such cases, we shall cease processing the data unless compelling legitimate reasons exist for processing, or if processing is necessary for asserting, exercising or defending legal claims. This shall apply analogously for the processing of your personal data for direct marketing purposes (Article 21 (2) GDPR). You may withdraw your consent at any time pursuant to Article 7 (3) GDPR. This shall also apply for any consent given prior to 25.05.2018. The withdrawal of consent shall not affect the lawfulness of any processing for which consent was given and which was carried out prior to the withdrawal thereof.
You also have the right to lodge a complaint with the competent supervisory authority for data protection (Article 77 GDPR in connection with Section 19 FDPA).
Competent supervisory authority for the non-public sector in Bavaria:
Bayerisches Landesamt für Datenschutzaufsicht
If you would like to exercise your rights, please contact the STAHLGRUBER GmbH Data Protection Officer, preferably in writing. The contact details are listed under 1 above.
8. Are you obligated to provide personal data?
You are required to provide any and all personal data that is necessary for entering into and conducting a business relationship, for implementing pre-contractual measures and for fulfilling the contractual obligations related thereto. You are also required to provide any and all data that STAHLGRUBER GmbH is legally obligated to process. Without this data, we shall not be able to conclude or perform the respective contract with you. Such an obligation to provide personal data may only arise at a later stage of the business relationship. Any other personal data provided is done so on a voluntary basis.
9. Will an automated individual decision-making process (including profiling) be used?
STAHLGRUBER GmbH uses automated individual decision-making processes pursuant to Article 22 GDPR for the performance of contracts. If the buyer is repeatedly in default of payment, the option of making a purchase with a specific payment target shall be automatically blocked. This measure aims to reduce payment defaults. The data subjects shall have the right to obtain human intervention on the part of the controller, to express their own point of view and to contest the decision.
To some extent, personal data is also processed automatically, thereby enabling the analysis of particular personal aspects (so-called profiling). In order to provide you with specific information about products and services and make offers that are appropriate to your needs, we use evaluation mechanisms which take into account, among other things, your industry affiliation and past sales for specific product groups.
STAHLGRUBER GmbH evaluates the creditworthiness of business partners. For these purposes, scoring can be used. In this process, the probability that a business partner will meet their payment obligations is calculated on the basis of mathematical and statistical procedures. The values are included in the assessment of creditworthiness, in the granting of payment terms and in risk management. The computation can include industry affiliation, company size, information from credit agencies, information about the history of the company, experience gained from the business relations and payment history.
No use is made here of special categories of personal data pursuant to Art. 9 GDPR or of data concerning your nationality.
Information about your right to object in accordance with Art. 21 GDPR
1. Individual right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning your person, provided that the processing is based on Art. 6 (1) (1) (e) GDPR (processing in the public interest) or on Art. 6 (1) (1) (f) GDPR (processing in the interest of STAHLGRUBER GmbH or a third party). This applies also to profiling based on this regulation within the meaning of Art. 4 (4) GDPR.If you object, STAHLGRUBER GmbH will no longer process the personal data concerning your person unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the assertion, exercise or defence of legal claims.
2. Right to object to processing of personal data for direct marketing purposes
STAHLGRUBER GmbH uses your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning your person for such marketing purposes. This includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, STAHLGRUBER GmbH will no longer process your personal data for such purposes.
You can exercise your right to object without the need to comply with any formal requirements, if possible by addressing your objection to:
Gruber Str. 65