Data protection information for suppliers and service providers

Last updated: 20.07.2018

 

We would like to provide you with an overview of how your personal data is processed by us and your rights arising from data protection law. Which individual data is processed, and how it is used, largely depends on whether you or your company are already a supplier or service provider (supplier) with us, or whether we stored your data when you made contact with us. For this reason, not all parts of this information will apply to you.

Who is responsible for processing the data and whom can I contact?
The responsible party is:
Gütermann GmbH
Landstr. 1
79261 Gutach-Breisgau
E-Mail: contact@guetermann.com
Phone: +49 7681 21- 267
Fax: +49 7681 21- 5267

You can contact our data protection officer at

E-Mail: dataprotection@guetermann.com
Phone: +49 7681 21- 460
Fax: +49 7681 21- 5460

Which sources and data do we use?
We process the personal data that we receive in the context of our business relationship from our suppliers, their partners or their employees. We also process personal data – if this is necessary for initiating contracts and for the performance of a contract – that we obtain from publicly accessible sources (such as the commercial register, Internet and press) that seem reliable to us, or which is transmitted to us by companies within the A&E Group, or by other third parties (such as a credit agency called in by us). Relevant personal data includes personal details (name, address and other contact details, bank details). Furthermore, in connection with a person, this can also be information from order data (such as purchase orders), data from the fulfilment of our contractual obligations (such as business volume data), information about your company’s financial situation (such as creditworthiness data), advertising data, documentation data (such as visit reports) and other data that is comparable with the categories named.

Why do we process your data (purpose of the processing) and on which legal basis?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):

a. to fulfil contractual obligations (Article 6 Paragraph 1 b GDPR)
Your personal data is processed with the aim of concluding and processing contracts or, prior to this, in the course of pre-contractual measures.

b. in the balancing of interests (Article 6 Paragraph 1 f GDPR)
If necessary, we process your data beyond the actual fulfilment of the contract to safeguard our legitimate interests or those of third parties.
Examples:
- Consultation of and data exchange with credit agencies (such as Creditreform) to determine credit risks
- Bid comparisons
- Supplier evaluation (such as quality, adherence to quantity stipulations, adherence to schedules)
- Supplier qualification (such as REACH confirmation, ISO certificates)
- Assertion of legal claims and defence in the event of legal disputes
- Enforcement of IT security and our company’s IT operation
- Prevention and investigation of criminal offences
- Measures for building and plant safety (such as access controls)

c. due to statutory provisions (Article 6 Paragraph 1 c GDPR) or public interest (Article 6 Paragraph 1 e GDPR)
We are also subject to various legal requirements for the retention of data due to statutory requirements (such as those from tax laws, German Civil Code, German Commercial Code). The purposes of processing include the fulfilment of tax law obligations, the valuation and containment of risks, the fulfilment of retention requirements based on commercial and tax law and compliance with export regulations (such as reporting recently published sanction lists).

Who receives my data?
Within the company, your data is transmitted to those departments that require it for fulfilling contractual and legal obligations. The service providers and agents that we use may also receive this data if we have concluded a data processing contract with them to ensure that your data is handled in a legally compliant manner. These are companies from the categories of accounting, audits, IT services, maintenance companies, logistics, telecommunications and security service providers. During communications to perform contracts, in our automotive customer area in particular, it is possible that the customer already has direct contact with our suppliers before involving us, or else the customer wants to maintain this contact. In such cases, we want to enable direct contact.
Other companies in the A&E Group receive the data if this is necessary for the abovementioned purposes.
Additional recipients of the data may be those departments for which you have given us your express consent for data transmission, or to whom we are authorised to transmit personal data due to a balancing of interests in the context of our business relationship with you.
Data will be transmitted to authorities in states outside of the European Union (known as third-party states) if
- this is necessary for performing the contracts,
- this is prescribed by law or
- you have given us your consent.
Furthermore, data may be transmitted to our parent company in the USA
American & Efird Global LLC
22 American Street
NC 28120 Mount Holly
USA
for the following purposes based on legitimate interest:
- Financial reporting
- Risk management, compliance, invoicing and audits
- To obtain legal advice with contract negotiations, contract conclusions or settlements with ongoing contracts
- The pursuit of claims or defence in legal disputes to protect the company, its employees and customers from damage, theft, liability, fraud and misuse (including internal and external investigations, evaluations).
These communications are subject to the Controller to Controller standard contractual clauses of the European Union.
(https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32004D0915&from=EN)
The data is transmitted to the parent company by e-mail by using our own mail server and FTP.

For how long is my data stored?
We process and store your personal data for as long as this is necessary for fulfilling our contractual and statutory obligations.
If data is no longer required for fulfilling contractual or statutory obligations, it will be deleted on a regular basis, unless temporary further processing of the data is necessary for the following purposes:
- Fulfilment of retention requirements according to commercial or tax laws that may arise from: The German Commercial Code (HGB), Regulation of taxation (AO), German Civil Code (BGB). The deadlines for retention or documentation specified there are usually between two and ten years.
- Records from the field of quality assurance are stored for 15 years.
- Quality assurance agreements are kept for a period of 30 years.
- To preserve evidence within the statutory limitation periods in accordance with Sections 195 ff. of the German Civil Code, these retention periods may be up to 30 years.

Are special categories of personal data relating to me processed?
Special categories of personal data within the meaning of Article 9 Paragraph GDPR are not processed.

What are my data protection rights?
We would like to point out that you can withdraw the consent that you have given at any time.
You also have the right to obtain information regarding data that we have saved about you, and the right to data portability. If this data is incorrect, or if you believe it is no longer required because its designated purpose no longer applies, you have the right to demand the correction or deletion of this data or to the restriction of its processing. You have the right to object to the processing of personal data that affects you personally for reasons resulting from your particular situation. If you make an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons for its processing that outweigh your interests, rights and freedoms, or if the processing serves to establish, exercise or defend legal claims. If you wish to exercise your rights, please write to the address named above or send an e-mail to contact@guetermann.com.
We would also like to make you aware of your right to complain to your data protection supervisory authority.

Am I obliged to provide data?
In the context of our business relationship, you must provide that personal data which is necessary for the acceptance, performance and termination of a business relationship and for the fulfilment of the contractual obligations associated with it, or that which we are legally required to collect. Without this data, we are not usually able to conclude a contract with you, perform it or terminate it.

To what extent does automated decision-making or profiling exist?
We do not use any fully-automated decision-making. We do not use profiling either.
