Privacy information for suppliers
In accordance with Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR)
1. Who is responsible for data processing and who can you contact?
FHR Anlagenbau GmbH
Am Hügel 2
Tel.: 035205 520 0
Fax: 035205 520 40
2. Data Protection Officer’s contact details
3. Purposes of processing and legal basis
Your personal data are processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other relevant data protection requirements. The processing and use of individual data depends on the agreed or requested service. Our contract documentation, forms, consent declarations and other information made available to you (e. g. on our website or in our General Terms and Conditions) contain further details and supplementary information about the purposes for which data are processed.
3.1 Consent – Art. 6 (1) (a) GDPR
If you have given us your consent to the processing of your personal data, that consent provides the legal basis for the processing specified therein. You may withdraw your consent at any time with future effect.
3.2 Fulfilment of contractual obligations – Art. 6 (1) (b) GDPR
We process your personal data to fulfil our contracts with you, most notably in order to process orders and allow you to avail of our services. Your personal data are furthermore processed to undertake measures and activities within the scope of pre-contractual relationships.
3.3 Fulfilment of legal obligations – Art. 6 (1) (c) GDPR
We process your personal data where this is necessary for the fulfilment of legal obligations (e. g. commercial or fiscal laws). We may furthermore process your data for: checking identity and age; fraud and money laundering prevention; prevention, combatting and solving of terrorism financing and crimes that jeopardise assets; comparisons with European and international anti-terror lists; fulfilment of fiscal controlling and reporting obligations and the archiving of data for the purposes of data protection and data security and inspection by fiscal and other authorities. It may furthermore be necessary to disclose personal data within the scope of measures imposed by the authorities/courts of law for the purposes of obtaining evidence, criminal proceedings or to enforce claims under civil law.
3.4 Our legitimate interest or that of third parties – Art. 6 (1) (f) GDPR
We can also use your personal data on the basis of an overriding interest, in order to preserve our legitimate interest or the legitimate interest of a third party. This is undertaken for the following purposes:
- To obtain information and for the exchange of data with credit agencies where this exceeds our economic risk,
- For the limited storage of your data where erasure is not possible or would entail disproportionate effort owing to the special nature of that storage,
- For comparison with European and international anti-terror lists where this extends beyond statutory obligations,
- For the further development of services and products and existing systems and processes,
- For the disclosure of personal data within the scope of due diligence, e. g. with regard to the sale of a company,
- To enrich our data through using or searching publicly accessible data,
- For statistical evaluations or market analyses,
- For benchmarking,
- To assert legal claims and for the purpose of defence in the event of legal disputes that are not directly associated with the contractual relationship,
- For internal and external examinations and/or security checks,
- To certify matters relating to private law or official matters; to secure and preserve our right to determine who may have access to our premises by means of appropriate measures (e. g. video surveillance, visitor badge).
4. Categories of personal data that we process
The following data are processed:
- Personal details (name, date of birth, profession/sector and similar data)
- Contact details (address, email address, telephone number and similar data)
- Supplier history
We furthermore process personal data from public sources (e. g. internet, media, press, trade and association registers, register of residents, debtor lists, land registers).
5. Who receives your data?
Within our company we pass on your personal data to those departments that require these data to fulfil contractual and statutory obligations and/or to assert our legitimate interest. Your data may moreover be shared with the following instances:
- Processors contracted by us (Art. 28 GDPR), particularly in areas such as IT services, support/maintenance of IT applications, data screening for anti-money laundering purposes, data validation and plausibility checks, auditing services, data destruction companies, courier services,
- Public authorities and institutions on presentation of a statutory or official order under the terms of which we are obliged to provide information about data, report or share data, or where sharing data is in the public interest,
- Instances and institutions relating to our legitimate interest or the legitimate interest of a third party for the purposes set out in 3.5 above (e.g. authorities, credit agencies, debt collection services, lawyers, courts of law, assessors, Group-owned companies, committees and supervisory authorities)
- Other instances with whom you have authorised us to share your data (e. g. cooperation between suppliers).
6. Transfer of your data to a third country or an international organisation
Data is transferred to instances in states outside the European Union (EU) and/or the European Economic Area (EEA) – so-called “third countries” – where necessary for the fulfilment of an order/contract from and/or with you, where this is a statutory requirement (e. g. fiscal reporting obligations), where it is in our legitimate interest (e. g. address book shared by the entire centrotherm Group) or the legitimate interest of a third party to do so, or where you have given us your consent. The processing of your data in a third country may also be undertaken in connection with the employment of service providers within the scope of order processing. Where the country in question is not covered by a resolution of the EU Commission confirming that an adequate level of data protection is in place there, we shall in accordance with EU data protection requirements ensure by means of suitable contracts that your rights and freedoms are adequately protected and guaranteed. We will provide corresponding detailed information to you on request.
7. For how long do we store your data?
Where necessary we process your personal data throughout the duration of our business relationship. This also includes the initiation and handling of a contract. We are moreover subject to various retention and documentation obligations arising out of the German Commercial Code (HGB) and the German Fiscal Code. The prescribed retention and/or documentation periods set out therein extend up to ten years beyond the end of the business relationship and/or the precontractual legal relationship. Finally, the retention period is also defined on the basis of legal statutes of limitation which, for instance, are three years according to Art. 195 ff of the Federal Civil Code (BGB) as a rule, but may also be thirty years in certain cases.
8. To what extent is automated decision-making (including profiling) used in individual cases?
We do not use any purely automated decision-making processes as set out in Art. 22 GDPR. Should we use these processes in individual cases we will notify you separately where this is a legal requirement.
9. Your rights to privacy
You have the right to information (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR) and the right to data portability (Art. 20 GDPR). You also have the right to lodge a complaint with a data protection authority (Art. 77 GDPR). In principle, Art. 21 GDPR gives you the right to object to our processing of personal data. However, this right to object only applies where you can show the existence of very special personal circumstances whereby the rights of our company may override your right to object. Should you wish to exercise one of these rights, please contact our Data Protection Officer.
10. Your obligations in providing us with your personal data
You only need to provide us with those data that are necessary for the provision of your services as a supplier, or those data which we are legally obliged to collect. As a rule, without these data we will not be in a position to conclude a contract with you. Insofar as we request data from you at a later date, you will be informed separately that the provision of such data is voluntary.
11. Information about your right to object – Art. 21 GDPR
You have the right at all times to object to the processing of your data under the provisions of Art. 6 (1) (f) GDPR (processing is necessary for the purposes of a legitimate interest) or Art. 6 (1) (e) GDPR (processing is necessary in the public interest) where grounds exist arising out of your particular situation. This shall also apply to processing for the purposes of profiling in the sense of Art. 4 (4) GDPR. If you object, your personal data will no longer be processed unless we can demonstrate compelling legitimate grounds for such processing that override your interests, rights and freedoms, or where the processing serves the establishment, exercise or defence of legal claims. Your objection can be made by simply writing to the address shown at 2. above.
12. Your right to lodge a complaint with the competent supervisory authority
You have the right to lodge a complaint with the data protection authority (Art. 77 GDPR). The competent supervisory authority in our case is:
Der sächsische Datenschutzbeauftragte
01067 Dresden Germany