PRIVACY NOTICE
on the processing of personal data with business partners

 

The following information is intended to provide you with an overview of how we processyour personal data and of your rights under the General Data Protection Regulation. The specific data processed and the manner in which it is used depend largely on whether you or your company are already business partners of ours, or whether we have stored your data following your contact with us. Therefore, not all parts of this information will apply to you.

Who is the data controller within the meaning of the GDPR?

AGO GmbH Energie + Anlagen
Am Goldenen Feld 23
95326 Kulmbach 

Who is our Data Protection Officer?

Gerald Saur – GS Managementsysteme – Quandtstraße 3 – 73479 Ellwangen
info[at]gsmanagement.de – Tel. 0049 (0) 7961 531 71 – Mob. 0049 171 811 6134

For what purposes is the data processed and what is the legal basis for this?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG)

  1. to fulfil contractual obligations (Art. 6(1)(b) GDPR)

Data is processed for the purpose of fulfilling and arranging orders as part of the performance of our contracts with our customers or for the implementation of pre-contractual measures carried out upon request. The purposes of data processing depend primarily on the specific product and may include, amongst other things, needs analyses, consultancy and services in this context. Further details regarding the purposes of data processing can be found in the relevant contractual documents and terms and conditions.

  1. on the basis of your consent (Article 6(1)(a) of the GDPR)

Where you have given us your consent to process personal data for specific purposes (e.g. sending newsletters, advertising, photographs taken at events), the lawfulness of this processing is based on your consent. Consent that has been given may be withdrawn at any time. This also applies to the withdrawal of declarations of consent given to us prior to the entry into force of the GDPR, i.e. before 25 May 2018. The withdrawal of consent only takes effect for the future and does not affect the lawfulness of the data processed up to the point of withdrawal.

  1. on the basis of legal requirements (Art. 6(1)(c) GDPR) or in the public interest (Art. 6(1)(e) GDPR)

Furthermore, we are subject to various legal obligations, i.e. statutory requirements (e.g. tax laws, the German Civil Code (BGB), the German Commercial Code (HGB) and the German Fiscal Code (AO)). The purposes of processing include, amongst other things, the fulfilment of tax obligations, the assessment and management of risks, the fulfilment of commercial and tax retention obligations, and compliance with export regulations (e.g. taking into account published sanctions lists). 
 

  1. as part of a balancing of interests (Article 6(1)(f) of the GDPR)

Where necessary, we process your data beyond the actual performance of the contract to safeguard our legitimate interests or those of third parties. This legitimate interest stems from the quality requirement that we ourselves be regarded by our customers as a reliable business partner with regard to the proper provision of our services, in which you, as our (potential) contractual partner, play a significant role. 

What legitimate interests do we or a third party pursue through the processing of data (in accordance with Article 6(1)(f))?

Legitimate interests in the processing of data exist for

  • consulting and exchanging data with credit reference agencies (e.g. Creditreform) to identify credit risks,
  • reviewing and optimising procedures for needs analysis for the purpose of direct customer outreach,
  • advertising, invitations to trade fairs and other events, and other communications aimed at maintaining the business relationship, as well as market and opinion research, provided you have not objected to the use of your data,
  • for the settlement of commissions, bonus agreements, etc.
  • asserting legal claims and defending against legal disputes,
  • ensuring IT security and the IT operations of our company,
  • preventing and investigating criminal offences,
  • measures relating to building and facility security (e.g. access controls).

Which categories of personal data are processed?

Relevant personal data includes personal details (name, address and other contact details, bank details). In addition, this may also include order data (e.g. orders, quotations), data arising from the fulfilment of our contractual obligations (e.g. sales data), information about your company’s financial situation (e.g. creditworthiness data), marketing and sales data, documentation data (e.g. visit reports) and other data comparable to the categories mentioned. 

To whom do we disclose your personal data?

Within the company, those departments that require your data to fulfil our contractual and legal obligations are granted access to it.

Service providers and agents engaged by us may also receive this data, provided that the lawful handling of your personal data is ensured. These include companies in the following sectors: auditing, IT services, logistics, commercial agents, telecommunications, consultancy, and sales and marketing. 

Other companies within the group will only receive your personal data if this is necessary for the purposes mentioned above.

Further recipients of your data may be those bodies to which you have given us your consent to transfer data, or to which we are authorised to transfer personal data following a balancing of interests.

To which third countries is your data transferred?

The GDPR provides for specific rules governing the transfer of personal data to a country outside the EU/EEA (so-called third countries): depending on the destination of the transfer, we ensure that any data transfer takes place in accordance with Articles 44–49. Should a data transfer need to be carried out on the basis of the derogations under Article 49 of the GDPR, we will consult with you in advance.

How long will your data be stored or archived?

We process and store your personal data for as long as is necessary to fulfil our contractual and legal obligations. If the data is no longer required to fulfil contractual or legal obligations, it is regularly deleted, unless its – temporary – further processing is necessary for the following purposes:

  • Compliance with commercial and tax law retention obligations, which may arise, for example, from: the German Commercial Code (HGB), the German Fiscal Code (AO) and the German Civil Code (BGB). The retention or documentation periods specified therein are generally between two and ten years.
  • Preservation of evidence within the framework of the statutory limitation periods under Sections 195 et seq. of the BGB; these limitation periods may be up to 30 years, although the standard limitation period is 3 years.
  • Your data will only be stored indefinitely if you have given your consent.

What rights do you have?

You have the right to access the personal data in question, as well as the right to have it rectified, erased or to restrict its processing. You also have the right to object to the processing and the right to data portability. The GDPR provides for a right to lodge a complaint with the supervisory authority. The contact details of the supervisory authority are available here: https://www.lda.bayern.de/de/kontakt.html 

Do we need your consent to process your data?

For processing operations based on your consent, which you have given to us in accordance with Article 6(1)(a) or Article 9(2)(a) (consent), you have the right to withdraw your consent at any time. Please note that this does not affect the lawfulness of the processing carried out on the basis of your consent up until the time of withdrawal. 

Where do we obtain your data from?

We process personal data that we receive from our customers or other data subjects in the course of our business relationship. In addition, we process – to the extent necessary for the provision of our services and the fulfilment of our contracts – personal data that we lawfully obtain from publicly available sources (e.g. commercial registers, the internet, the press) or which is lawfully provided to us by other companies within the group or by other third parties (e.g. commercial agents, address directories).

Is automated decision-making (profiling) used?

As a matter of principle, we do not use fully automated decision-making. Nor do we use profiling.