Data protection information to our business partners
Processing of business partner data
We are committed to protect your personal data and comply with applicable data protection law, in particular the EU General Data Protection Directive ("GDPR") and Bundesdatenschutzgesetz ("BDSG"), and we only process your personal data on the basis of a statutory provision or if the data subject has declared consent.
In this data protection information we inform you which information we process from our business partners. For the purpose of this data protection information business partners are to be those companies, function of persons, with which we do not have a contractual relationship regarding the delivery of our goods or the rendering of services, but with which we conduct nevertheless business contacts and relationships. These business contacts may be used for providing information about goods and services in single cases or also regularly. Business partners are for us i.a. official or private house builder, project developer, investors, architects, construction engineers, craftsmen and authorizes experts, who are involved in building projects or other projects, for which our products ans services may be relevant (“projects”).
Who is responsible for the processing of personal data?
The controller responsible for the processing of personal data is Xella International GmbH, Düsseldorfer Landstraße 395, 47259 Duisburg, +49 203 60880 00, email@example.com. Any reference to "we" or "us" in this data protection information is a reference to the aforementioned entity.
Our data protection officer may be contacted via the aforementioned means or via firstname.lastname@example.org.
Which data do we process?
For the purposes of our business - namely for information about our products and services - we process data of our business partners. Insofar as these data allow conclusions to be drawn about a natural person (for example, if we process information about sole traders as business partners), these are personal data. Regardless of the legal form of our business partners, we also process data on the contact persons at our business partners.
Please make this data protection information available to the persons within your organization that are involved in the business relationship with us ("contact persons")
Basic data: We process certain general data concerning our business partners and the contact persons as well as the business relationship with us, collectively "basic data". Basic data include
- all information about our business partner, which we ourselves or third parties can extract from publicly available sources about our business partner (such as name, address, other contact details and information about projects involving the respective business partner);
- the information provided to us by you or third parties working with you, if any, through a contact person (such as the details given on a business card given to us and the information provided to us in addition, such as a telephone call or telephone call) Meeting); as
- any information collected and processed by us in connection with the establishment of the business relationship (e.g., the details of the agreements entered into)
We process personal data collected in the course of the business relationship other than by merely updating basic data and that we refer to as "performance data". Performance data include
- information about the activities of our business partner (e.g. projects under involvement of our business partner), which we may extract ourselves or through third parties from publicly available sources;
- information about the activity of our business partner, communicated to us by them or by third parties who work with them, possibly through a contact person
- Information about the projects planned or carried out with the participation of the respective business partner with regard to our products and services or the products and services of third parties.
For which purposes and on which legal basis do we process your personal data?
The processing of basic, performance and usage data is done in order to safeguard our legitimate interest in informing about our products and services, communicating with our business partners and their contacts, maintaining business contacts with our business partners and their contacts, and preserving our legitimate interest regarding our business partners in exchanging information on possible future business relationships in connection with the sale of goods and services on the basis of Article 6 (1) (f) GDPR.
We may process basic, performance and usage data also for compliance with legal obligations to which we are subject; this processing is based on Article 6 para 1 c) GDPR. Legal obligations may in particular include the mandatory disclosure of personal data to (tax) authorities.
To extent necessary, we process personal data (in addition to the processing for the purposes of the business relationship or to comply with legal obligations) for the purposes of our justified interests or the justified interests of a third party on the basis of Article 6 para 1 f) GDPR. Justified interest may include
group-wide processes for internal administration of customer data
the establishment of or defence against legal claims
the prevention and investigation of criminal offences
maintenance of security for our information technology systems
the maintenance of security of our premises and infrastructure management and further development of our business operations including risk management
If we provide to a natural person the option to declare a consent in the processing of personal data, we process the personal data covered by the consent for the purposes specified in such consent on the basis of Article 6 para 1 a) GDPR.
Please note that
- the declaration of consent is voluntarily,
- that failure to declare consent or the withdrawal of a consent may, nevertheless, have consequences, and we will inform about such consequences before you are given the option to declare your consent
- consent may be withdrawn at any time with effect for the future, e.g. by providing notice to us via mail, fax, email using the contact information specified on the first page of this data protection notice
Is there an obligation to provide personal data?
The provision of the basic and performance data specified in section II above is necessary for entering into and maintaining a business relationship with us, unless specified otherwise before or at collection of the data. Without the provision of these data, were are not able to enter into and maintain a business relationship.
Please also note our advice on the right to object to the processing of personal data in order to safeguard legitimate interests in para. IX.
If we collect additional data, we will indicate if the provision of such information is based on a legal or contractual obligation or necessary for the performance of an agreement. We usually indicate which information may be provided voluntarily and is neither based on a legal or contractual obligation nor necessary for the purposes of an agreement.
Who has access to personal data?
Personal data are generally processed within our company. Depending on the categories of personal data, only dedicated departments / organizational units are granted access to your personal data. Such units include in particular the [#Sale department#] and – if data are processed via our IT infrastructure – also our IT department. Based on a role / rights management concept, access to personal data is limited to the functions and the extent necessary for the respective purpose of the processing.
If and to the extent permitted by law, we may transfer your personal data to recipients outside of our company. Such external recipients may include
- affiliated companies within Xella-group, to which we may transfer personal data for the purpose of internal administration of employee data;
- other business partners to whom we may transfer personal information in order to safeguard the legitimate interests of the business partner to whom the data transmitted relates;
- service providers that – on the basis of separate agreements with us – provide certain services possibly including the processing of personal data, as well as approved subcontractors of our service providers;
- private or public bodies, to the extent we are obliged to transfer your personal data on the basis of a legal obligation to which we are subject;
Do we use automated decision-making?
In the course of the business relationship we generally do not use automated decision-making (including profiling) within the meaning of Article 22 GDPR. If we apply such processes in the future, we will inform data subjects separately in accordance with the applicable statutory provisions.
Are data transferred to countries outside the EU / the EEA?
Personal data is processed only within the European Union or the European Economic Area; we do not intend to transfer personal data to other countries ("third countries").
How long are your data stored?
We generally store personal data as long as we have a justified interest in the retention of such data and there the interest of the data subject in refraining from the further processing do not prevail.
Even without a justified interest, we may continue to store the data if there is a legal obligation (e.g. to comply with statutory retention obligations). We delete personal data even without an action by the data subject as soon as further retention is no longer necessary for the purposes for which the data were collected or otherwise processed or if further retention is not permitted by law otherwise.
In general, basic data and the additional data collected in the course of the business relationship at least until the end of the respective business relationship. The data are deleted in any case if the purposes for the collection or processing were achieved. This point in time may be after the end of the business relationship with us. If personal data need to be stored to comply with a legal obligation, such data is retained until the end of the respective retention period. If personal data are only processed to comply with a statutory retention obligation, the access to such data is usually restricted so that the data are only accessible if needed for the purpose of the retention obligation.
Welche Rechte hat eine betroffene Person?
Right of objection according to Art. 21 GDPR
An data subject has the right, at any time for reasons arising from your particular situation, to object to the processing of his/ her personal data relating pursuant to Article 6 (1) (e) or (f) GDPR; this also applies to a profiling based on these provisions. In the event of such objection, we will no longer process the personal data concerning that person, unless we can demonstrate compelling legitimate reasons for processing that outweigh the interests, rights and freedoms of the data subject, or the processing is for assertion, exercise or defense of legal claims.
When we process personal data to operate direct marketing, you have the right to object at any time to the processing of your personal data for the purposes of such advertising; this also applies to a profiling insofar as it is associated with such direct mail. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
A data subject may
request access to his/her personal data, Article 15 GDPR;
request the rectification of incorrect personal data, Article 16 GDPR;
request the erasure of his/her personal data, Article 17 GDPR;
request the restriction of the processing of his/her personal data, Article 18 GDPR;
exercise the right to data portability, Article 20 GDPR;
object the processing of his/her personal data, Article 21 DSGVO.
The aforementioned rights may be asserted against us, e.g. by providing notice to us via the contact details specified on the first page of this data protection information.
In case of further questions, the data subject may also approach our data protection officer.
In addition, the data subject is entitled to lodge a complaint regarding the handling of personal data with the competent supervisory authority, Article 77 GDPR.