Data protection information for business partners

Data protection information for business partners and e-mail, telephone and video conference contacts pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR)

Preliminary remark

With regard to the processing of personal data, the data subjects of our data processing activities and addressees of this data protection notice are in particular the employees of our (potential) business partners, our (potential) project, cooperation and contractual partners, our (potential) service providers, suppliers and other companies that interact with us, as well as all persons involved in telephone calls, e-mail traffic or video conferences (hereinafter also referred to collectively as "business partners" or "data subjects").

1.       Responsible for data processing & data protection officer

Encavis AG, based at Große Elbstraße 59, 22767 Hamburg, e-mail: info@encavis.com, phone 040 378 562-0, represented by its Management Board Dr Christoph Husmann and Mario Schirru, is responsible for data processing.

You can contact the data protection officer of Encavis AG at the above address with the addition "Attn: Data Protection Officer" or by e-mail at: datenschutz@encavis.com.

2.       Categories of personal data

We mainly process the data that we receive directly from you or your employer in connection with the establishment, implementation and/or termination of the business relationship (e.g. as part of a request for a quote, order placement or contractual relationship, as well as through other contact via our website, by email, phone or video conferencing, at trade fairs or comparable events).

Insofar as we collect data via a third party (e.g. via your employer, who names you as a contact person), we will inform you of the source during the initial communication.

In addition, we process - where necessary - personal data that we legitimately obtain from publicly accessible sources (e.g. commercial and association registers, press, internet) or that is legitimately transmitted to us by other companies in our group or other third parties (e.g. a credit agency).

The personal data processed by us may include the following in addition to the data you have provided to us yourself:

  • Personal/contact data (e.g. title, first name, surname, company if applicable, (company) address, (mobile) phone number, fax, e-mail, profession, position, title, academic degree)
  • For mandate holders: Information on the mandate, commercial register entry, date of birth, private address
  • Dates of participation in internal Group events
  • Records of business transactions, business partner history, project details and communication data in connection with correspondence (e-mails, correspondence, telephone calls)
  • Contract and billing data (e.g. bank details, credit card information if applicable, tax number/USt ID, invoice data, order data)
  • Data from the fulfilment of our contractual obligations (e.g. sales data in the payment process)
  • Identification data (e.g. identity documents) and authentication data (e.g. specimen signature)
  • Information about your financial situation (e.g. creditworthiness data)
  • Information from publicly available sources and information databases (e.g. extract from the commercial register)
  • Marketing information (contact and product preferences)
  • Depending on the business purpose, possibly also user IDs for protected areas on systems
  • Data in connection with the fulfilment of orders and resulting obligations in order to enforce a possible assertion, exercise or defence of civil law claims.
  • As well as other data comparable to the above categories

 

3.       Purposes and legal bases of processing

We process your personal data to the extent necessary for the purposes listed below and for all other purposes to which we are legally or contractually obliged. For this purpose, we process data in our email server, our telephone system, by means of other IT and in any customer files. The following purposes may apply, for example:

a)       On the basis of your consent (Art. 6 para. 1 lit. a) GDPR)

If you have given us your consent to process your personal data, it will only be processed in accordance with the purposes and to the extent agreed in the declaration of consent. Any consent given can be revoked at any time with effect for the future. You will always receive all other necessary information regarding the processing to which you consent as part of the declaration of consent. This also applies to the revocation of declarations of consent given to us before the GDPR came into force. Please note that the revocation is only effective for the future; processing that took place before the revocation is not affected.

b)       In the context of the fulfilment of a contract or for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b) GDPR)

If you are a sole trader, your personal data will be processed primarily to establish, implement and terminate the business relationship, i.e. to fulfil contractual obligations and provide the associated services or as part of a corresponding contract initiation, e.g. for contract negotiations, to prepare offers, for electronic payment transactions to settle liabilities or to access our systems. The specific purposes depend on the respective service or product to which the business relationship or contract initiation relates, as well as for communication with you.

c)       For the fulfilment of a legal obligation (Art. 6 para. 1 lit. c) GDPR)

We process your data to fulfil legal obligations, e.g. to fulfil tax control and reporting obligations, to fulfil obligations under company, data protection and civil law, for audits by authorities and to comply with statutory retention periods. In addition, the disclosure of personal data may become necessary due to official or judicial measures for the purposes of gathering evidence, criminal prosecution or the enforcement of civil law claims.

d)       In the context of the balancing of interests (Art. 6 para. 1 lit. f) GDPR)

If you are acting on behalf of a legal entity, the legal basis for our cooperation is our legitimate interest in initiating, fulfilling and, if necessary, terminating the contract with this legal entity (Art. 6 para. 1 lit. f GDPR).

Where necessary, we process your personal data within our business relationships on the basis of a balancing of interests, according to which processing is permitted if it is necessary to safeguard our legitimate interests or those of third parties and these are not outweighed by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. This concerns:

  • Identifying you as our business contact;
  • Communication with you;
  • Fulfilling our contractual obligations to your employer;
  • Assertion of legal claims and defence in legal disputes;
  • Measures to optimise our business processes, such as maintaining a supplier or customer relationship management database;
  • Measures to ensure operational safety and business management;
  • Building and facility security measures, property and theft protection through access and entry control;
  • Measures to ensure and safeguard domiciliary rights;
  • Ensuring IT security and IT operations;
  • Limited storage of your data if deletion is not possible or only possible with disproportionate effort due to the special type of storage;
  • Internal administrative purposes;
  • Measures to improve our internal business processes and optimise our products;
  • Carrying out audits and company inspections;
  • Managing and using customer, supplier and business partner directories;
  • Data carrier destruction.

4.       Sources of the personal data

We process personal data that we have received from you or your employer.

In addition, we process - insofar as this is necessary for the employment relationship - personal data that we legitimately obtain from publicly accessible sources (e.g. press, internet) or that is legitimately transmitted to us by other third parties (e.g. information on criminal offences).

In addition, your personal data may be transmitted to us through a report submitted by a whistleblower.

5.       Recipients or categories of recipients of the personal data

At our company, only those persons have access to your data who need it to establish, implement and terminate our business relationship or to fulfil our contractual and legal obligations and to carry out our internal processes (e.g. Investment, Operations, Financial Accounting). This may also involve several departments in our company, depending on which services or products you purchase from us. Furthermore, our IT department has access to your data for exclusively technical processing.

Service providers used by us may also receive data from you for this purpose as part of order processing in accordance with Art. 28 GDPR. The service providers used are:

  • Algorit GmbH & Co. KG: Firewall, spam filter
  • Atlassian Pty Ltd (Australia): Project and process tracking
  • CSS AG: Accounting software
  • DocuSign Inc. (USA): signing of documents
  • EQS Group AG: Insider Manager, Compliance Cockpit
  • Microsoft Ireland Operations Limited, Ireland: Operation of Microsoft 365 Online
  • Nexory GmbH: Digitisation and archiving software
  • REISSWOLF Akten- und Datenvernichtung GmbH & Co. KG: Data carrier destruction
  • Telekom Deutschland GmbH: telecommunications services
  • Treasury Intelligence Solutions GmbH: Processing software for payment transactions
  • Trinity Management Systems GmbH: Insurance management

Insofar as electronic payment transactions take place, the responsible financial institution will receive your data required for this purpose.

Any further transfer of data outside the company will only take place if this is required by law, if you have given your consent or if we have a legitimate interest in the transfer that outweighs your interest in not having this data transferred. For example, we may have to disclose certain data to authorised (public) bodies and institutions such as the tax authorities as part of our legal obligations. This may also include lawyers, courts, supervisory authorities, police, public prosecutors, credit agencies or debt collection agencies.

6.       Transfers to a third country

As a rule, data is not transferred to organisations in countries outside the European Economic Area (so-called third countries). Nevertheless, data may be transferred to third countries in individual cases, provided that:

  • it is prescribed by law,
  • the transfer is necessary for the fulfilment of a contract,
  • you have given us your consent.

Standard contractual clauses have been concluded for the service provider Atlassian Pty Ltd (Australia). You can obtain a copy of these from us.

Beyond this, we do not transfer any personal data to bodies in third countries or international organisations.

However, for certain tasks we use service providers who in turn use service providers that may have their registered office, parent company or data centers in a third country. A transfer is permitted if the requirements of Art. 44 et seq. GDPR are met. You can obtain a copy of the relevant guarantees from us on request.

We have concluded corresponding contracts with all of our service providers and have also contractually agreed that data protection guarantees must always be in place with their contractual partners in compliance with the European level of data protection.

7.       Duration of data storage

We delete your personal data once the purpose of processing no longer applies and the statutory retention period has subsequently expired. This is 7 years for contract-related e-mail correspondence and 10 years for invoices.

If you contact us as a data subject, we will process your data for a period of 3 years in accordance with Section 31 OWiG in conjunction with Art. 6 para. 1 lit. c GDPR. We will then retain your data until the expiry of the regular limitation period in accordance with Section 195 BGB. The legal basis for this longer retention period is our legitimate interest (Art. 6 para. 1 lit. f GDPR) in asserting, exercising and defending our legal claims, if and to the extent that this appears necessary to us.

If there is no statutory retention obligation, we delete the personal data if and insofar as we no longer need it within the scope of the legitimate interest described under "Purposes and legal bases", also after expiry of the regular limitation period pursuant to Section 195 BGB (Art. 6 para. 1 lit. f GDPR).

If your data is also required to assert, exercise or defend our legal claims or those of a third party, it will be erased as soon as further storage of the data for these purposes is no longer necessary. In this case, the storage is also based on Art. 6 para. 1 lit. f GDPR. The legitimate interest in this case is the aforementioned processing purpose.

Personal data collected on the basis of consent will be processed until consent is withdrawn. The revocation of consent does not affect the lawfulness of the processing carried out until the revocation.

8.       Your rights

Every data subject has the right of access under Art. 15 GDPR, the right to rectification and completion or supplementation under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right of access and the right to erasure. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG).

To assert your rights or if you have further questions about data processing, you can contact us using the contact details provided in section 1 of this data protection notice.

Information about your right to object in accordance with Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(f) of the GDPR (data processing on the basis of a balancing of interests).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

To exercise your rights, please contact us using the contact details provided in section 1.

9.       No obligation to provide data

As part of our business relationship, you only need to provide the personal data that is necessary for the realisation of a business relationship or that we are legally obliged to collect. If we do not have this data, we will generally not be able to conduct the business relationship with you. If it is a business relationship with a company that you represent, you must provide us with the personal data that is necessary for the commencement, implementation and termination of a representation/authorisation and the fulfilment of the associated contractual obligations. Without this data, we will generally have to reject you as an authorised representative or cancel an existing authorisation.

10.     Changes to this data protection notice

Encavis reserves the right to amend this data protection notice at any time. Please therefore refer to the latest version of this data protection notice.