Data protection information for customers, suppliers, service providers and other affected parties according to Article 13 of the EU-GDPR
The following is intended to inform you how we process your personal data and to provide you with an overview of the EU General Data Protection Regulation (EU-GDPR). Please note that not all parts of this letter will apply to you because the details of which data will be processed and how it will be used is largely dependent on our business relationship with you and the services that have been agreed between us.
I. Who is responsible for data processing and who is the data protection officer?
The person responsible for data processing is:
C&D Non-Food GmbH
Groner Allee 76
Tel. +49 5451 5000-0
Fax +49 5451 5000-300
Crespel & Deiters has designated the lawyer Mr Sasha Hesse as their external data protection officer. You can contact Mr Hesse at:
Herr Rechtsanwalt Sascha Hesse
Hanauer Landstraße 151-153
60314 Frankfurt am Main
Telephone: +49 69 90437965
Fax: +49 69 90437974
II. Which categories of data do we use and where do they come from?
In particular, we process the following items of your personal data within the scope of our business relationship:
• Personal details such as forename, surname, name affixes, gender
• Contact details such as address, (mobile) phone number, email address
• Company-related data such as your position in your company, area of responsibility
• Characteristics that can possibly be assigned to you e.g car registration number for the collection or delivery of goods
• Log data generated during processing in our IT systems
• as well as other data comparable with the stated categories.
We generally receive your personal data directly from you within the scope of our business relationship. In addition, where it is necessary for the provision of our service, we also process personal data that we acquire from publicly accessible sources (e.g. the press, internet) or from other companies of our corporate group or third parties (e.g. associations) that are authorised to such data.
III. For what purposes and on what legal grounds is data processed?
We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (EU-GDPR) and the Federal Data Protection Act in its latest version.
1. Fulfilment of contractual obligations (Art. 6 para. 1 b EU-GDPR)
Your data is processed within the scope of execution of contracts with our business partners or to execute pre-contractual measures on request. Primarily, these are:
• for the purchase of products, services and advice,
• for the maintenance, servicing and further development of our buildings, plant and machinery,
• for the marketing and sale of products and services manufactured and provided by us.
2. Consent (Art. 6 para. 1 a EU-GDPR)
To the extent that you have consented to our processing of your personal data for particular purposes (e.g. photographs or video recordings in the context of events) the lawfulness of this processing is given on the basis of your consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent that have been granted to us prior to the application of the EU-GDPR, i.e. before 25 May 2018. We would point out that the revocation of consent is only effective with respect to the future and does not affect the lawfulness of data processed prior to the revocation.
3. Balancing of legitimate interests (Art. 6 para. 1 f EU-GDPR)
Where necessary, we process your data beyond the actual fulfilment of the contract to protect our own legitimate interests or those of third parties. Examples:
• Consultation and exchange of data with credit bureaux, insurance companies and banks for determining creditworthiness and default risks
• Assertion of legal claims and defence in legal disputes
• Ensuring IT security and IT operations
• Prevention and investigation of criminal offences
• Video recordings on our company premises including for the purposes of controlling our logistic processes and for evidence in insurance cases
• Measures to ensure the security of buildings and plant (e.g. access controls and visitor lists)
• Measures to secure and preserve the right to determine who has access to premises
• Measures for business management and further development of services and products
4. Statutory requirements (Art. 6 para. 1 c EU-GDPR) or public interest (Art. 6 para. 1 e EU-GDPR)
Like many other companies we are subject to various legal obligations. For example, under the European Anti-Terror Regulations 2580/2001 and 881/2002 we are obliged to check your data against the so-called ‘EU terror lists’, in order to ensure that no funds or other economic resources are made available for terrorist purposes.
IV. Who receives your data?
Within our corporate group your data is made accessible to those entities that require it to fulfil our contractual and legal obligations.
Service providers and vicarious agents that we employ may also be able to receive or view your data in the course of their activities. A passing on to or inspection by third parties only takes when required by law, if you have consented to it, or when a legitimate interest exists. The recipients of your personal data may thus include the following categories of enterprises:
• Public offices and institutions in the case of statutory or official obligations,
• other enterprises that we transmit your personal data to in order to carry out the business relationship with you, such as logistics and transport providers or also affiliated distribution partners in various countries
• who we use within the scope of processing contractual relationships e.g. IT service providers, companies for the destruction of files and data media, credit bureaux, insurance companies and banks.
Other data recipients can be those entities for which you have given us your consent for data transmission or for which you have released us from the obligation of confidentiality by accordance with agreement or consent, or those to which we are authorised to transmit personal data on the grounds of a balance of interests.
V. Transfer of data to a third country
A transfer of data to entities in states outside of the European Union (so-called third countries) is permitted, provided it
• is necessary to carry out your enquiry or orders,
• required by law (e.g. legal reporting obligations)
• you have given your consent to do so
Furthermore, a transfer of data to entities in third countries is allowed in the following cases:
• Where necessary in individual cases, your personal data may be transferred to an IT service provider in the USA or another third country to safeguard the IT operations of our corporate group.
• In individual cases personal data is transferred as a consequence of statutory regulations to combat money laundering, the financing of terrorism and other criminal acts
VI. How long will my data be stored?
We process and store your personal data for as long as it is necessary for the fulfilment of our contractual and statutory obligations. As a rule, this results from the commercial and tax retention obligations under the German Commercial Code (HGB), the Fiscal Code (AO), the Banking Act (KWG) and the Money Laundering Act (GwG). The time limits for storage and documentation specified there are generally two to ten years.
If the data is no longer necessary for the fulfilment of contractual or legal obligations, it will be regularly deleted, unless further processing is necessary for the preservation of evidence within the framework of the statute of limitations. According to Section 195 ff of the German Civil Code (BGB) these limitation periods may be up to 30 years, with a regular limitation period of 3 years.
VII. What data protection rights do you have?
As an affected person you have:
• The right of access to information according to Article 15 of the GDPR,
• The right to rectification according to Article 16 of the GDPR,
• The right to erasure (‘right to be forgotten’) according to Article 17 of the GDPR,
• The right to restriction of processing according to Article 18 of the GDPR,
• The right to object to processing according to Article 21 of the GDPR,
• and the right to data portability according to Article 20 of the GDPR.
The right of access to information and the right to erasure are subject to the restrictions of Sections 34 and 35 of the Federal Data Protection Act in its latest version.
Furthermore, there exists a right of complaint to a competent supervisory data protection authority (Article 77 of the GDPR in connection with Section 19 of the Federal Data Protection Act in its latest version.
You can revoke your consent to our processing of your personal data at any time. This also applies to the revocation of declarations of consent that have been granted to us prior to the application of the EU-GDPR, i.e. before 25 May 2018. Please note that the revocation is only effective with respect to the future. It does not affect the processing of data that takes place before the revocation.
VIII. Is there an obligation to provide data?
As part of our business relationship, you must provide the personal information necessary to establish, conduct and terminate a business relationship and for the performance of its associated contractual obligations, or which we are required to collect by law. We would point out that without the provision of this data, we would not normally be able to conclude, execute or terminate a contract with you.
IX. Does automated decision-making take place?
Automated decision-making within the meaning of Article 22 of the GDPR for the establishment and execution of the business relationship is generally not used. Should we use these processes in individual cases, we will inform you separately about this and about your rights in this respect, if this is required by law.
X. Does profiling take place?
We partly process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:
• Legal and regulatory requirements oblige us to combat money laundering, the financing of terrorism and asset-endangering crimes. In doing so, we also carry out data analyses. These measures also serve to protect you.
XI. Information about your right to object under Article 21 GDPR
1. Individual right to object
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you carried out pursuant to Article 6 (1)(e) of the GPDR (data processing in the public interest) and Article 6(1)(f) GPDR (data processing on the basis of a balancing of interests). This also applies to profiling based on this provision within the meaning of Article 4 No. 4 of the GPDR.
If you lodge an objection, we will no longer process your personal data, unless we can prove compelling, legitimate reasons for doing so that outweigh your interests, rights and freedoms, or if the processing serves the assertion, exercise or defence of legal claims.
2. Right to object to the processing of data for the purposes of direct advertising
If your personal data is processed for the purposes of direct advertising, you can at any time lodge an objection against the processing of personal data affecting you for the purposes of this kind of advertising. This also applies to profiling if it is in connection with such direct advertising. If an objection has been lodged, no further data processing will take place for direct marketing purposes. unless we can prove compelling, legitimate reasons for doing so that outweigh your interests, rights and freedoms, or if the processing serves the assertion, exercise or defence of legal claims.
3. Addressing an objection
At any time you have the option of lodging an informal complaint with the body responsible for data processing mentioned at the beginning, the data protection officer mentioned above or a data protection supervisory authority.