D-91126 Schwabach / Germany
Managing director Ms Barbara Sommer
District court of Nuremberg HRB 4578
VAT identification number DE 133 534 817
Name and contact details of the external data protection officer:
Datenschutz Pöllinger GmbH
Ms Gisela Pöllinger
Dresdner Str. 38
D-92318 Neumarkt / Germany
Phone +49 (0) 91 81 / 27 05 77 0
Fax +49 (0) 91 88 / 90 32 68
Purpose and legal basis for processing in line with Art. 6, Paragraph 1, Letters a, b, f GDPR
Customer data: Collection, processing or use of personal data is carried out to fulfill the
business purpose of creating offers, order confirmations or invoices, supplying goods and
services as well as maintaining business contacts and informing customers.
Supplier data: Collection, processing or use of personal data is carried out to fulfill the
business purpose of obtaining offers, order confirmations, invoices, goods and services as
well as maintaining the business contact and receiving information from the supplier.
Categories of personal data processed:
The main categories of data are:
• Contact data of contacts in the company (first name, surname)
• Communication data (telephone number, mobile number, email address, fax number)
• Customer number as well as order and delivery data for the purpose of initiation
• Order and contract data
• Billing and payment data (bank account, SEPA mandates etc.)
Origin (source) of data
The stored data were either collected as part of our contractual relationship as well as
individual orders or as part of business relations and business initiation. Stored data are used
for the fulfillment and processing of orders placed with us as well as for obligations of
documentation and archiving as part of commercial law and tax law. Capture occurs through entries in the ERP system, signatures from e-mails and documents. The processing of your data in this respect takes place on the basis of Art. 6(1)(f) GDPR.
Recipients (categories) of personal data
Public authorities that receive data due to legal regulations
(e.g. social insurance agencies, tax authorities).
Internal departments that are involved in the execution of respective business processes
(Human Resources, Accounting, Controlling, Production, Documentation, Sales, Purchasing,
Technology and IT).
External parties (contractual partners) insofar as these are necessary for the fulfillment of the
contract. External contractors (service providers) in accordance with Art. 28 GDRP for the
processing of data as part of the processing of personal data on our account.
Further external parties such as financial institutions (salary payments, vendor invoices),
affiliated companies or other external parties for the fulfillment of the above-mentioned
purposes, provided that the person concerned has declared his/her written consent to this
being necessary for the fulfillment of the contract or a transmission for overriding legitimate
Transfer to third countries
Personal data will not be transferred outside the European Union.
Duration of storage until deletion
10 years – annual financial statements, opening balance sheets, commercial and business
books, records, work instructions, organizational documents, invoices and accounting
documents (HGB, AO, EStG, KStG, GewStG, UStG, AktG, GmbHG, GenG)
6 years – commercial and business letters as well as other documents (HGB, BGB)
4 years – reviews in accordance with Section 35, Paragraph 2, Number 4 of BDSG
6 months – applications following job advertisements considering AGG
3 months – unsolicited applications (e-mail) and general digital applications
The following data will be deleted in accordance with Art. 17 GDPR if:
· Storage of the data is no longer necessary.
· The data subject has withdrawn his/her consent to data processing.
· The data have been processed unlawfully.
· There is a legal obligation to delete according to EU law or national law.
Limitation of processing pursuant to Article 18
If a deletion in the case of non-automated data processing is not possible due to the special
nature of storage or it is only possible at disproportionately high expense and if the interest indeletion of the affected person is to be regarded as low, the right of the data subject to delete personal data does not exist, neither does the obligation of the party responsible for deleting personal data. In accordance with Article 17(1) of Regulation (EU) 2016/679 and in additionto the derogations referred to in Article 17(3) of Regulation (EU) 2016/679, this right and thisobligation shall then not apply. In this case, the deletion shall be replaced by a limitation of processing in accordance with Article 18 of Regulation (EU) 2016/679. Paragraphs 1 and 2 shall not apply where personal data have been processed unlawfully.
Rights of the data subject
· Information about your personal data stored (Art. 15 GDPR): In particular, you may request information about the purposes of the processing, the category of personal data, the categories of
recipients to whom your data has been or will be disclosed, the planned duration of storage, the existence of a right to adjustment, deletion, limitation or appeal of processing, the existence of
a right of complaint, the origin of your data if it has not been collected by us and on the existence of automated decision-making including profiling and, where appropriate, meaningful
information on its details.
· Correction: Should incorrect personal data be processed (Art. 16 GDPR).
· Cancellation and limitation as well as objection to the processing (Art. 17, 18 and 21
· Right to data transmission (Art. 20 GDPR: That is receiving your personal data which you
have provided to us in a structured, common and machine-readable format or requesting
transmission to other responsible parties.
· Revocation of consent (Art. 7(3) GDPR): As a result, we are not any longer allowed to
process data as based on this consent in the future.
· Right of appeal to the responsible supervisory authority (Art. 77 GDPR).
Right to appeal
Insofar as your personal data are processed on the basis of legitimate interests pursuant to
Article 6, Paragraph 1, Sentence 1, Letter f, you have the right to object to the processing of
your personal data pursuant to Art. 21 GDPR if there are reasons for it which result from your
special situation or if the appeal is directed against direct advertising. In the latter case, you
have a general right of objection, which will be implemented by us without you specifying a
Right of revocation of consent
Every person concerned has the right, within the meaning of Article 6, Paragraph 1, Letter a
or Article 9, Paragraph 2, Letter a, to revoke at any time and without disadvantages for
himself/herself any consent given for instance for the performance of the contract, without
affecting the lawfulness of the processing carried out on the basis of consent until revoked.
Please address the revocation of consents as well as any objection in writing to:
D-91126 Schwabach / Germany
Phone +49 (0) 91 22 / 97 61 0
Fax +49 (0) 91 22 / 97 61 25
Automated decision-making and profiling
Neither automated procedures for decisions pursuant to Art. 22 GDPR nor other profiling
measures Art. 4 GDPR are used.
Validity and amendment of this duty to inform pursuant to Art. 13 and 14 GDPR
This obligation to provide information on data protection is currently valid and as of May
2018. It may be necessary to change this information, among other things, due to changes in
legal requirements or official requirements. The latest version regarding the duty to inform on data protection can be accessed at any time on our website