Privacy Information of the ROTHENBERGER GROUP
1. Scope; responsible data controller within the meaning of the GDPR; contact details
ROTHENBERGER AG (hereinafter: “ROTHENBERGER” or “we”), Spessartstraße 2-4, 65779 Kelkheim, Germany is the data controller responsible for processing your personal data within the meaning of the EU General Data Protection Regulation (“GDPR”).
ROTHENBERGER AG is the parent company of the ROTHENBERGER GROUP (this includes all companies controlled by ROTHENBERGER AG by a majority of voting rights) and is responsible for data protection within the corporate group.
This privacy information applies to our customers, suppliers, service providers and other business partners, as well as our employees.
The data protection officer for the ROTHENBERGER GROUP is:
Der Konzerndatenschutzbeauftragte (The Group Data Protection Officer)
c/o ROTHENBERGER AG
The central contact address for enquiries regarding data protection is firstname.lastname@example.org.
2. Which sources and data do we use and under which categories will personal data be processed?
We process personal data that we receive from our business partners, employees and applicants in the course of our commercial activity. We also process personal data which we have obtained permissibly from publicly accessible sources or that is transmitted to us from other companies within the ROTHENBERGER GROUP or from other third parties (e.g. credit agencies, social security funds), should this be required in order for us to perform our services. We process data according to the following categories:
- Master data: e.g. surname, first name and department of the contact person, company name, address, telephone no., fax and email
- Order data: e.g. company name, address, contact person
- Data to fulfil our contractual obligations: e.g. contract billing and payment information
- Correspondence (exchange of letters and emails with you)
- Communication data (e.g. use of websites)
- Publicity and sales data
- Credit rating and identity information
- Planning and control data
- Qualification information of employees and applicants
- Other data comparable to the categories stated.
3. For what purpose and on what legal basis do we process the data?
We process the aforementioned personal data in accordance with the current applicable legal data protection requirements. In this respect, processing is lawful if at least one of the following conditions is met:
a) On the basis of your consent (Art. 6 para. 1a GDPR)
If you have granted us consent to process personal data for certain purposes (e.g. using the data for marketing purposes). Consent that has been granted previously may be withdrawn at any time with future effect. This also applies for revoking declarations of consent that were granted to us before 25/05/2018. Revocations apply to future data processing; processing that has taken place up until then remains unaffected by this.
b) To fulfil contractual duties or to perform pre-contractual measures (Art. 6 para. 1b GDPR)
We process data to ensure we comply with our contractual duties to provide services and to perform pre-contractual measures. The purposes of data processing arise primarily from the specific business relationship or the initiation thereof, from the provision of services or the particular product. The details regarding the purposes of data processing originate from the contract documents and general terms and conditions of the respective product or service.
c) On the basis of legal guidelines (Art. 6 para. 1c GDPR) or in the public interest (Art. 6 para. 1e GDPR)
The ROTHENBERGER GROUP is subject to various legal obligations and as a consequence thereof, various legal requirements (e.g. retention periods relating to customs, commercial and tax law according to the guidelines of the customs authorities, the German Fiscal Code, as well as commercial and employment law). The fulfilment of monitoring and reporting duties under customs and tax law, as well as risk assessment and management in companies are included as purposes of processing, amongst others.
d) For the balancing of interests (Art. 6 para. 1f GDPR)
If necessary, we process your data beyond the actual fulfilment of the contract to safeguard the legitimate interests of the ROTHENBERGER GROUP or those of third parties. Examples are:
- Ensuring product quality, research and development of new products
- Fulfilling our sales, service and administrative processes
- Operating professionally designed websites which function smoothly
- Internal monitoring mechanisms for preventing criminal offences;
- Measures for protecting the building and safeguarding access rights (e.g. access controls);
- Safeguarding IT operations and IT security;
- Advertising or market and opinion research, unless you have objected to the use of your data;
- Asserting legal claims and defence in legal disputes;
- Consulting and exchanging data with credit agencies (e.g. Creditreform) and with government agencies.
4. Who receives my data?
(Categories of those receiving personal data)
At ROTHENBERGER, the departments which require access to fulfil our contractual and legal duties are authorised to access data. Service providers which comply with data protection regulations and have been carefully selected by ROTHENBERGER may also receive access to data for these purposes. These primarily include companies in the categories of:
- Payment transactions;
- IT service providers;
- Sales and marketing;
- Service providers in the context of order processing relationships.
When we disclose data to other recipients, we are only permitted to share information about you if legal provisions require it, you have agreed to the data transfer or we are entitled to transfer it. Other such possible recipients of personal data are, amongst others:
- Government agencies or institutions (e.g. customs office, financial authorities, social insurance agencies) if a legal or official obligation applies;
- Other companies or comparable bodies (e.g. customs clearance offices) to which we convey your personal data for the performance of business relationships;
- Other companies within the ROTHENBERGER GROUP, provided that disclosure is legally permitted;
- Where applicable, other recipients, if and to the extent that you have granted us your consent to do so.
5. Is data transferred to third-party countries?
The recipients of your personal data may potentially be located in a country outside the EU. In the event that data is transferred to a country in which the applicable data protection laws provide a lower standard of protection than in the EU, we shall ensure that your data remains adequately protected by other means, e.g. by ensuring that the recipient meets the guidelines of the “EU-US Privacy Shield” or by ROTHENBERGER requesting recipients to sign the so-called EU Model Clauses, a series of contract clauses which were adopted by the European Commission for the purpose of ensuring the adequate protection of personal data in connection with transnational transmissions.
6. How long will my personal data be stored for?
Your personal data will only be stored for as long as it is required for pre-contractual purposes and to fulfil our contractual and legal duties. If the data is no longer required for the fulfilment of contractual or legal duties it shall be deleted on a regular basis, unless further processing/storage is required for the following purposes:
- To fulfil retention periods under commercial and fiscal law: this relates to the German Commercial Code (HGB) and the German Fiscal Code (AO) in particular. The periods for retention prescribed therein amount to up to 10 years.
- Preserving evidence for the purposes of statutory limitation periods. In accordance with Section 195 et seq. of the German Civil Code (BGB), the usual retention period amounts to 3 years, under certain circumstances up to 30 years.
- Adherence to storage obligations under telecommunications law in accordance with the German Telecommunications Act (TKG) and other laws.
7. What data protection rights do I have?
Every data subject concerned has the right to information according to Article 15 GDPR, the right to correction according to Article 16 GDPR, the right to deletion according to Article 17 GDPR, the right to restriction according to Article 18 GDPR, the right to objection under Article 21 GDPR and the right to data portability under Article 20 GDPR. In addition, data subjects have the right to complain to the regulatory body responsible for data protection (Article 77 GDPR). You can revoke consent granted for processing personal data at any time with effect for the future. This also applies for revoking declarations of consent that were granted to us prior to the entry into force of the GDPR on 25th May 2018.
8. What obligation do I have to provide data? What are the consequences of not providing data?
In the course of our business relationships, you must provide the personal details which are required for initiating and executing the business relationship and fulfilling the contractual duties associated with this, or those which we are legally obligated to collect. Without this data, we will generally not be in a position to conclude or execute the contract with you.
9. Does automated decision-making take place (including profiling)?
In principle, we do not use fully automated decision-making for justifying and executing business relationships or employment relationships in accordance with Article 22 GDPR. Should we use this procedure in individual cases, we will inform you separately about it provided that this is prescribed by law.
10. What rights do I have with regard to my data?
You have the right to receive information free of charge regarding the personal data stored with us concerning you, its origin and recipients, and the purpose of data processing, as well as a right to correction, blocking or deletion within the context of the EU General Data Protection Regulation (EU-GDPR) at any time.
In addition you have a right to file a complaint with the regulatory authority responsible for the respective Federal State. These are the contact details for the regulatory authority in Kelkheim (Hesse):
The data protection officer for Hesse: Prof. Michael Ronellenfitsch, PO Box 31 63, 65021 Wiesbaden (Germany); Telephone: +49 (0)611 14 08-0; email@example.com; www.datenschutz.hessen.de.
Information about your right to object according to Article 21 of the General Data Protection Regulation (GDPR)
1. Right to object on a case-by-case basis
According to Article 21 GDPR, you have the right, for reasons which arise from your particular situation, to file an objection to the processing of personal data concerning you which occurs on the basis of Article 6 para. 1e GDPR (data processing in the public interest) and Article 6 para. 1f GDPR (data processing on the basis of a balance of interests) at any time; if necessary, this also applies for profiling based on these provisions within the meaning of Article 4 para. 4 GDPR. If you file an objection, your personal data will no longer be processed unless we can prove compelling legitimate grounds for processing which prevail over your interests, rights and freedoms, or processing serves to assert, exercise and defend legal claims.
2. Right to object to data processing for direct advertising purposes
If we use your personal data to engage in direct advertising, you have the right to file an objection to the processing of personal data concerning you for the purpose of such advertising at any time; this also applies for profiling to the extent that it is related to direct advertising of this sort.
We will no longer process your personal data for these purposes if you object to processing for the purpose of direct advertising.
The objection may be effected in any form and should be addressed to:
Der Konzerndatenschutzbeauftragte (The Group Data Protection Officer)