Sources and data categories
We process personal data that we receive from you as part of our business relationship.
We process personal data that we have received with permission from other companies and that we need in order to provide our services (for example to implement orders, for the performance of contracts or on the basis of the consent given by you).
We process personal data that we have obtained from public sources (for example the press and the media) and that we are allowed to process. The relevant personal data include master data (name, address and other contact details, date and place of birth and nationality) and identification data (for example ID card details). They also include order data (for example details of orders, product data), data resulting from the performance of our contractual obligations (for example sales figures), creditworthiness data, credit scoring/rating data, marketing and sales data (including advertising scores), documentation data (for example from documented conversations), data concerning your use of our online media (for example the time that you accessed our website, apps or newsletter, our pages and entries that you clicked on) and other data equivalent to the categories referred to here.
Purpose of processing and legal basis
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) and in particular:
For the performance of contractual obligations (Article 6(1)(b) of the GDPR)
We process personal data (Article 4(2) of the GDPR) in order to fulfil our obligations under the terms of customer contracts concluded with you and, in particular, for the performance of our contracts and pre-contractual measures with you and the implementation of your orders and all the necessary activities associated with the operation and management of our company in the development services industry.
The purposes of processing the data are related primarily to the specific product or service (for example, the order or framework agreement).
You can find further details on the purposes of the data processing in the relevant contract documents and general terms and conditions.
As part of the process of balancing our interests (Article 6(1)(f) of the GDPR)
Your data can also be used by us and by third-parties as part of the process of balancing our legitimate interests.
This is done for the following purposes:
- Support for customer consultancy, customer services and sales
- General management of the business and development of services, systems and products
- Fulfilment of internal requirements and of the requirements of associated companies
- Ensuring IT security and safeguarding IT operations
- Advertising and market and opinion research
- Making legal claims and defence in legal Disputes
- Preventing and investigating crimes, together with risk management and fraud prevention
Our interests and those of other controllers in the processing of the data are based on the relevant purposes and are also of a commercial nature (the efficient implementation of orders, sales, avoiding legal risks).
If the specific purpose allows for this, we and the other controllers will process your data in a pseudonymised or anonymised form.
On the basis of your consent (Article 6(1)(a) of the GDPR
If you consent to us processing your personal data for specific purposes (for example passing on the data within the group, using your e-mail address for business partners and for advertising that goes beyond similar products and services), the lawfulness of the processing is based on your consent. Your consent is the legal basis for the processing of the data. You can withdraw your consent at any time. This also applies to the withdrawal of consent granted to us before 25 May 2018. Please note that the withdrawal of consent takes effect in the future. It does not affect the processing of data before the consent was withdrawn.
Use of the data
Your data will only be disclosed to the following recipients and categories of recipients:
- Service providers for the fulfilment and invoicing of the contract
- Banks and providers of payment services for invoicing and processing payments
- Service providers for the operation of the IT infrastructure
- Service providers for printing invoices and customer information letters
- Service providers for storing and destroying files
- Public bodies in legitimate cases (for example social security agencies, financial authorities, the police, the public prosecution service, supervisory authorities)
- Credit agencies and credit scoring companies for information on creditworthiness and assessment of the credit risk
- Debt collection service providers and lawyers for the purpose of collecting debts. We will inform you before we transfer the data.
Your data will be transferred to the departments within our company and within the other controllers' organisations that need the data to fulfil contractual and legal obligations or to do their work (for example sales and marketing).
The following bodies may also receive your data:
- Processors that we use (Article 28 of the GDPR) in particular for IT services, logistics and printing services which process your data on our behalf and on our instructions
- Public bodies and institutions if there is a legal or official Obligation
- Our agents, employees and representatives
- Auditors, service providers and our subsidiaries and group companies (and their agents, employees, consultants and representatives)
- Specialist companies as part of contractual agreements for cloud solutions that can use processing centres inside and outside the European Union (in particular in the United States)
- Other bodies if you have give us your consent for them to receive your data
Storage of the data
If necessary, we will process and store your personal data for the duration of our business relationship, which also includes the preparation for and implementation of contracts.
The data can also be stored in our customer relationship management system (SAP CRM system) or equivalent systems and applications.
It is important to understand that our business relationship is a continuing obligation that can last for years.
We are also subject to a variety of storage and documentation requirements under the terms of the German Commercial Code (HGB) and the Fiscal Code (AO). The storage and documentation periods specified in this legislation are between two and ten years. The storage period also depends on the legal periods of limitation which are generally three years under the terms of Sections 195 ff. of the German Civil Code (BGB), but in some cases can be up to thirty years. If necessary, we will process your personal data for the duration of our business relationship, which also includes the preparation for and implementation of contracts. We are also subject to a variety of storage and documentation requirements. The storage and documentation periods are implemented in accordance with the provisions of the legislation.
Transferring data to a third country or an international organisation
Data will be transferred to third countries (countries outside the European Economic Area (EEA)) only if this is necessary in order for us to implement your order or for the purposes of our contractual relationship, if it is required by law or if you have given us your consent. We will send you specific information about the details if this is required by law.
Your data will be transferred to countries outside the European Economic Area (EEA) (third countries) only if this is necessary in order for us to implement your order, if it is required by law or if you have given us your consent.
Marketing and, in particular, sending newsletters to existing customers and Partners
We are permitted to send newsletters to existing customers and partners if the newsletters contain only marketing material about products and services that serve a similar purpose. Existing customers and partners are customers and partners that we have an active business relationship with, but not prospects, for example. We are also required to inform our customers when they place their first order about the possibility that they will receive marketing material and to give them the right to withdraw free of charge. If this is not the case, we will at the very least use the opt-in process to remain in online contact with customers for marketing purposes. These marketing purposes include providing information about our products and services and about the latest news from our company, together with invitations to events.
Data protection rights
Every data subject has the right of access under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR and the right to data portability under Article 20 of the GDPR. In the case of the right of access and the right to erasure, the restrictions in Sections 34 and 35 of the German Federal Data Protection Act (BDSG) apply. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 of the GDPR in conjunction with Section 19 of the German Federal Data Protection Act (BDSG)).
The relevant data protection supervisory authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Postfach 10 29 32, 70025 Stuttgart
Königstraße 10a, 70173 Stuttgart
Tel.: +49 711 61 55 41 0
Fax: +49 711 61 55 41 15
We process your data in some cases using an automated procedure with the aim of assessing certain personal aspects (this is known as profiling, as described in Article 4(4) of the GDPR). Profiling is used, for example, to identify your potential interest in products and services. This evaluation uses statistical procedures to process current and past customer data. The results allow us to make a more targeted approach to you, which meets your needs, and to provide support for consultancy, customer service and sales.
Right to object (Article 21 of the GDPR)
a. The right to object in individual cases
You have the right to object at any time for reasons relating to your personal situation to your personal data being processed on the basis of Article 6(1)(f) of the GDPR (data processing for the purposes of legitimate interests). This also applies to profiling under the terms of this provision as described in Article 4(4) of the GDPR, which may be taking place for reasons of customer consultancy and customer service or for sales purposes.
If you make an objection, your personal data will no longer be processed, unless we can demonstrate compelling legitimate grounds for processing the data which override your interests, rights and freedoms or unless we are processing the data to establish, exercise or defend legal claims.
b. The right to object to data processing for direct marketing purposes
We and the other controllers can process your data for direct marketing purposes under the provisions of the legislation. You have the right to object at any time to your personal data being processed for marketing purposes of this kind. This includes profiling if it is related to direct marketing.
If you object to your personal data being processed for direct marketing purposes, we will no longer process them for these purposes. Your objection can be made in any form. Our contact details are:
Phone + 49 7034 656 0
Fax + 49 7034 656 4151