Privacy Notices for Customers, Service Providers, Suppliers and Other Data Subjects
Pursuant to the EU General Data Protection Regulation (GDPR) applicable as from 25 May 2018, these privacy notices are to inform you of the processing of your personal data by us and of the rights you have. These notices will be updated, where necessary.
- Who controls data processing and who can I contact?
btf Innovationen für den Bau GmbH, Rüdiger Turtenwald, Fahrenheitstraße 3, D-86899 Landsberg am Lech
- What sources and data do we use?
We process personal data we obtain from our customers or other data subjects within the framework of our business relationship.
Moreover, where required to attend to our contractual duties, we process personal data permissibly acquired by us from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers, press, Internet) or legitimately transferred to us by other companies or by further third parties (e.g. a public authority, credit bureaus).
In concrete terms, we process the following relevant personal data:
- master data of the customer or other data subjects and the points of contact stated by the customer (e.g. name, business e-mail address, business phone number)
- data in connection with the implementation of contracts and agreements
- advertising and sales data (e.g. products of potential interest to the customer or other data subjects)
- data from meeting our contractual obligations
- documentation data (e.g. quality management, audits)
- other data comparable to the categories above
Accordingly, we basically process personal data of our customers and of other data subjects only where this is necessary to implement the business relationship and for the agreed contents and services.
- For what purposes do we process your data (purpose of processing)?
We process personal data in line with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The following is to inform you of our data processing purposes:
- For compliance with contractual obligations (point (b) of Art. 6(1) GDPR): data is processed for the performance of our contracts with our customers or in order to take steps at the request of the data subject prior to entering into a contract. In detail, the data processing purposes are geared to the specific product and the contractual documents as well as the terms & conditions.
- As part of the balancing of interests (point (f) of Art. 6(1) GDPR): where necessary, we process your data beyond the actual performance of the contract to safeguard our or third parties’ legitimate interests. This is based on the following purposes:
- consultation of and data exchange with credit bureaus to identify credit or default risks in credit operations and requirements relating to the account exempted from attachment or basic account
- examination and optimisation of processes for needs analysis ensuring direct customer approach
- measures for building and facility security, measures to ensure the domiciliary right
- measures for business management and further development of services and products, risk management within the Group
- to ensure effective complaints management in order to cater for the needs of our customers in the long term while improving our standards
- measures for quality management purposes and to customise products to our business partners and further customers of the supply chain
Our interest in the relevant processing is determined by the specific purposes and is, in other respects, of an economic nature (efficient fulfilment of tasks, sales, avoiding legal risks).
Where permitted by the specific purpose, we process customer data in a pseudonymised or anonymised form.
- Based on your consent (point (a) of Art. 6(1) GDPR): Where you have given us consent to the processing of personal data for specific purposes (e.g. evaluations for marketing purposes, photographs during events, newsletter dispatch), the lawfulness of such processing is based on your consent. Any consent given may be withdrawn at any time. This also applies to the withdrawal of declarations of consent given to us prior to the entry into force of the GDPR, i.e. before 25 May 2018. The withdrawal of consent will be effective only for the future and does not affect the lawfulness of the data processed up to such withdrawal.
- Based on legal stipulations (point (c) of Art. 6(1) GDPR) or in the public interest (point (e) of Art. 6(1) GDPR)
Moreover, we are subject to various legal obligations, i.e. statutory requirements and regulatory stipulations. Processing purposes include, but are not limited to, risk assessment and management.
- Who receives your data?
Within btf Innovationen für den Bau, your data is accessible to any bodies that require such data to perform our contractual and legal obligations. Service providers and vicarious agents engaged by us may receive data for these purposes as well, especially if they observe the bank secrecy. This includes companies from the following categories: production-technical and production-securing services, IT services, logistics, printing services, telecommunications, debt collection, consultancy as well as distribution and marketing. Regarding data forwarding to recipients outside btf Innovationen für den Bau, it must be noted in the first place that we are obliged to maintain secrecy about all customer-related facts and valuations that become known to us. Basically, we may forward information about our customers only if this is required by legal provisions, the customer has given consent or we are authorised to provide information. In the light of the above, recipients of personal data may include
- processors engaged by us (Art. 28 GDPR), especially in the areas of IT services, logistics and printing services, who process your data for us while being bound to instructions;
- partners, e.g. in credit card operations, and service providers involved by us within the framework of processing relationships.
- Is data transferred to a third country or an international organisation?
Where we transfer personal data to service providers or Group companies outside the European Economic Area (EEA), such transfer will be effected only to the extent that the EU Commission has confirmed that the third country provides an adequate level of data protection or where other data protection safeguards (e.g. binding company-internal data protection regulations or EU standard contractual clauses) exist. Data is transferred to countries outside the EU or EEA (‘third countries’) only where this is necessary to complete our tasks or prescribed by law, the user has given us consent or within the framework of order processing. The transfer of the data to the third countries of the service providers or third parties is based either on an existing adequacy decision of the EU Commission or on EU standard contractual clauses for compliance with the data protection level by suitable and reasonable safeguards.
- How long will your data be retained?
We will erase your personal data once it is no longer required for the purposes referred to above. After termination of the contractual or service relationship, your personal data will be retained as long as we are obliged to do so by law. This regularly results from legal record-keeping and retention obligations governed, inter alia, in the German Commercial Code and the Fiscal Code of Germany. Accordingly, the retention periods are up to ten years. Moreover, it may be the case that personal data will be retained for the period in which claims may be asserted against us (statutory period of limitation of three or up to thirty years). Besides, purposes for us may result from retention obligations under commercial and tax law, such as the German Commercial Code (HGB), Fiscal Code of Germany (AO), German Banking Act (KWG), German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). The retention or documentation periods stipulated there are usually between two and ten years.
- What data protection rights do you have?
Every data subject has the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to object from Art. 21 GDPR as well as the right to data portability from Art. 20 GDPR. The rights of access and erasure are governed by the restrictions acc. to Sections 34 and 35 BDSG. Furthermore, there is a right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG). You can withdraw any consent given to the processing of personal data towards us at any time. This also applies to the withdrawal of declarations of consent given to us prior to the entry into force of the GDPR, i.e. before 25 May 2018. Please note that the withdrawal will be effective only for the future. This does not affect any processing prior to the withdrawal.
- Do you have any obligation to provide data?
Within the context of our business relationship, you must provide personal data that is required to initiate, implement and terminate a business relationship and to meet the associated contractual obligations or which we are legally obligated to collect. Without such data, we will usually not be able to conclude, perform and terminate a contract with you.
- To what extent is automated decision-making in place?
To establish and implement the business relationship, we basically do not use fully automated decision-making pursuant to Art. 22 GDPR. Where we use this procedure in individual cases, we will inform you separately about this and your related rights where this is stipulated by law.
- Is there any profiling?
We do not process your data in automated form with the aim of assessing specific personal aspects (profiling).
Information on Your Right to Object Pursuant to Article 21 GDPR
Right to Object on a Case-by-Case Basis
You have the right to object at any time, on grounds relating to your particular situation, to any processing of personal data concerning you based on point (e) of Article 6(1) GDPR (data processing in the public interest) and point (f) of Article 6(1) GDPR (data processing based on a weighing of interests); this also applies to any profiling based on this provision within the meaning of Article 4(4) GDPR.
If you file an objection, we will no longer process your personal data, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or processing serves the establishment, exercise or defence of legal claims.
Right to Object Against Data Processing for Direct Marketing Purposes
In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for such marketing purposes. Where you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.
The objection may be lodged informally with the subject “Objection”, stating your company’s name, your name and your e-mail address, and should be addressed to:
btf Innovationen für den Bau GmbH