The protection and legally compliant handling of your personal data ("processing") is an important concern for us.
All information about you, as well as all information that could be traced back to you, is referred to as personal data.
We want you to know when we collect which data and how we use it.
We have taken technical and organizational measures to ensure that the provisions on data protection are complied with both by us and by possible external service providers with whom we have concluded a contract processing agreement in accordance with Art. 28 GDPR. We use the information we have received from you in accordance with the European Union's (EU) General Data Protection Regulation (GDPR).
With the General Data Protection Regulation, we are obliged under Art. 13 GDPR to provide appropriate information whenever personal data is collected directly from the data subject.
1. Scope of Application
This data protection information applies to the collection of your personal data by us for the purpose of providing services contractually agreed between you as a customer or supplier and us, and for the purpose of further periodic exchange of information in connection with our contractual services.
2. The Data Controller
Unless otherwise stated in this Privacy Policy, the Data Controller responsible for processing your personal data is:
Gerresheimer AG, Düsseldorf, and its affiliates in the EU.
www.gerresheimer.com
3. Data Protection Officer contact details
If you have any questions about data protection at Gerresheimer, please contact:
System Data Protection Consulting
Rebenlaube 12
D-45133 Essen
www.systemdatenschutzconsulting.de
[email protected]
4. Definitions
This privacy information is underpinned by the following privacy terminology, which we have defined to facilitate understanding:
The GDPR refers to the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC).
Recipient: a natural or legal person, public authority, agency or other body to which the personal data is disclosed, whether a third party or not. However, public authorities that may obtain personal data in the context of a particular inquiry in accordance with Union or Member State law are not considered as recipients. The processing of this data by these authorities shall be carried out in accordance with the applicable data protection regulations for the purposes of the processing. Depending on your choice of payment method, recipients of your personal information may include banks or other service providers with whom we work to provide our services.
As part of the contractual relationship, it may be necessary for us to forward your personal data to a sub-provider (processor). To this end, we comply with our obligations under Art. 28 GDPR by concluding supplementary agreements with the respective processors and firmly believing that they process your personal data in accordance with the applicable legal provisions.
Personal data: any information relating to an identified or identifiable natural person. In the language of the GDPR, this is referred to as "data subject". An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data may include your name, contact details and bank details.
Data controller: the natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data, either independently or in conjunction with others. If the purposes and means of such processing are determined in accordance with the law of the European Union or the law of the respective Member State, the Data Controller or the particular criteria according to which they are appointed may be determined in accordance with the law of the European Union or the law of the respective Member State. The Data Controller responsible for the purposes of data processing is described in this Privacy Policy (see No. 2 above).
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, even if not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
5. What data do we collect from you?
In order to be able to provide our contractual services, we collect personal data directly from you if necessary:
Personal data:
name and surname, company, address, date of birth, email address, email communication, telephone number and fax.
Other data involved in the execution of the contract:
bank details, personal data if applicable; documents (e.g. commercial receipts) and other information in the context of the handling of the business relationship.
6. Purposes and legal bases for processing your personal data
In the context of our business relationship for the initiation and fulfilment of our contractual obligations in accordance with Art. 6, para. 1 lit. b GDPR (we process your contact details, for example, to conclude a supply contract). By entering a business relationship as a supplier or business partner, we will store your contact details as well as information about business processes and communication with you and process them at least for the duration of the business relationship.
In accordance with Art. 6 (1) (c) GDPR: To comply with the legal obligations arising from the business relationship.
In accordance with Art. 6 (1) (f) GDPR, insofar as this is necessary to safeguard the legitimate interests of our company. In order to process the business relationship, we have a legitimate interest in processing the data, e.g. to carry out credit checks.
In individual cases, the processing may be carried out on the basis of your explicit consent in accordance with Art. 6 para. 1 lit. a. You can revoke this consent at any time with effect for the future.
We store your contact details in our commercial IT systems until the purpose limitation and legal basis cease to apply.
Data processing occurs primarily within our CRM Tool, based on Microsoft Dynamics 365. The provider of this cloud service is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland – referred to hereafter as MS. A data processing agreement has been established with MS. During processing, data may also be transferred to MS servers in the USA. The company is certified under the “EU-US Data Privacy Framework” (DPF), accessible at https://www.dataprivacyframework.gov/list. The DPF is an agreement between the European Union and the United States aimed at ensuring compliance with European data protection standards during data processing in the USA. Any company certified under the DPF is obligated to adhere to these data protection standards. For further information on data processing by MS, please visit: https://www.microsoft.com/de-de/privacy/privacystatement
7. Storage and deletion of your personal data
Your data will be stored for at least the duration of our contractual relationship. We generally assume a long-term business relationship. Therefore, we only delete the data if you ask us to do so, or, if this should conflict with legal retention periods (e.g. under commercial or tax law), the data will be deleted after these periods have expired. If deletion is not possible in our systems, the data will be anonymized so that a personal reference can no longer be established. As a rule, we check data towards the end of a calendar year with regard to the need for further processing. Due to the volume of data, this check is carried out with regard to specific types of data or purposes of processing.
8. Categories of recipients of personal data
In the course of providing, implementing and administering our Services (see Section 1), we also transmit your personal data to other companies in the Gerresheimer Group as part of an internal, collaborative process. This data is transferred on the basis of our legitimate interest to carry out internal administrative tasks efficiently and collaboratively and to improve our products and services in accordance with Art. 6 (1) (b) and (f) GDPR and on the basis of the conclusion of processing agreements in accordance with Art. 28 GDPR.
In connection with the processing of payments and, if applicable, refunds, we transfer your personal data (depending on the payment method you have chosen) to banks, payment service providers, financial service providers and credit card companies in accordance with Art. 6 (1) (1) (b) GDPR.
In the event of legal disputes, we will transmit your data to the competent court and to your lawyer, if you have appointed one, for the resolution of the legal dispute. We process your personal data on the basis of a legal obligation pursuant to Art. 6 para. (1) (1) (c) GDPR and, on the basis of our legitimate interest in exercising, implementing and/or defending our legal interests in accordance with Art. 6 (1) (1) (f) GDPR.
In addition, we will only share your personal data if and to the extent that we are legally obliged to do so. We transfer this data in accordance with Art. 6 (1) (1) (c) GDPR (e.g. to the police or supervisory authorities, like the competent Data Protection Authority in the context of investigations into misdemeanours and/or felonies).
As part of our contractual relationship, we or service providers engaged by us may conduct customer surveys and other advertising and marketing campaigns. We transmit your personal data to the commissioned service provider for the purpose of conducting the customer survey. We process your personal data on the basis of our legitimate interest in improving our products and services in accordance with Art. 6 (1) (1) (f) GDPR.
Other data recipients may be those bodies for which you have given us your consent to the transfer of data or to which we are authorised to transmit personal data on the basis of balancing of interests.
9. Transfer of data to a third country
Your data may be transferred to a third country for the purpose of providing contractual services.
In this case, your data may be transmitted to Gerresheimer subsidiaries in a third country without the European Commission having determined an equivalent standard of protection for personal data for this country in accordance with Art. 45 (3) GDPR in a so-called adequacy decision, as has been done for Switzerland, for example.
With Gerresheimer companies in these other third countries, appropriate guarantees, e.g. in the form of standard contractual clauses (SCC), have been established.
Please contact Gerresheimer AG, Düsseldorf, for further information.
www.gerresheimer.com
10. Your right to object where we have a legitimate interest in processing your data
We process your personal identification data for the purpose of safeguarding, implementing and defending our legal interests (including in court) and for the efficient and collaborative management of our internal administration.
If we process your personal data in accordance with these legitimate interests (Art. 6 para. 1 no. 1 f GDPR), you have the right to object to our processing of your data at any time on grounds arising from your specific situation. Please send inquiries to:
Gerresheimer AG, Düsseldorf.
www.gerresheimer.com
If you object to the processing of your data, we will process the personal data collected in this context to respond to your request. In this case, the personal data will be processed in accordance with a legal obligation pursuant to Article 6 (1) (1) (c) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds to do so that override your interests, rights and freedoms, or your personal data is used to establish, exercise or defend legal claims.
11. Your additional rights
In accordance with the GDPR, you can exercise the following rights vis-à-vis us at any time:
- Right of information, Art. 15 GDPR
- You have the right to receive information about the data stored about you.
- Right to rectification, Art. 16 GDPR
- If you become aware that incorrect data concerning you is being processed, you can request that it be corrected. Incomplete data must be filled in, taking into account the purpose of the processing.
- Right to erasure, Art. 17 GDPR
- You have the right to request the deletion of your data if there are certain reasons for deletion. This is particularly the case if they are no longer needed for the purpose for which they were originally collected or processed.
- Right to restriction of processing, Art. 18 GDPR
- You have the right to restrict the processing of your data. This means that your data will not be deleted, but it will be marked to restrict its further processing or use.
- Data portability (Art. 20 GDPR)
- You have the right to data portability in relation to the personal data concerning you that you have provided to us. You can therefore ask us to transmit this data to you or another person, to the extent that this is technically possible.
- Right to object to inappropriate data processing (Art. 21 GDPR)
- In principle, you also have a general right to object to lawful data processing for reasons of public interest, in the exercise of official powers or on the basis of legitimate interests of an individual.
Please send inquiries to:
Gerresheimer AG, Düsseldorf.
www.gerresheimer.com
If you exercise your rights against us, we will process the personal data collected in this context in order to respond to your request. In this case, the personal data will be processed in accordance with a legal obligation pursuant to Article 6 (1) (1) (c) GDPR.
Please understand that in the interest of the rights of other persons, we can only provide personal information if you can identify yourself appropriately.
We make every effort to store your personal data, using all technical and organisational means, in such a way that it is not accessible to third parties. When communicating via unencrypted e-mail, we cannot guarantee complete data security, so we recommend that you send confidential information by post.
Right to lodge a complaint (Art. 77 GDPR)
Without prejudice to your rights, you have the right to lodge a complaint with a data protection authority if you believe that the processing of your personal data violates the GDPR (Art. 77 GDPR).
The supervisory authority responsible for the processing is:
LDI NRW
P.O. Box 200444
40102 Düsseldorf
Germany
Phone: +49 (0) 211 / 38424-0
Fax: +49 (0) 211 / 38424-10
E-Mail: [email protected]