Data Protection information for customers and suppliers

This data protection information informs you how Gerresheimer AG, Düsseldorf, Germany, and its affiliated companies in the EU process your personal data in accordance with the European General Data Protection Regulation (hereinafter referred to as “the GDPR”).

1. Scope

This data protection information applies to the collection of your personal data by us for the purposes of performing services that have been contractually agreed between you as the customer or supplier and us, and for the purposes of the further regular exchange of information in connection with our contractual services.

2. The Data Controller

Unless otherwise stated in this privacy policy, the Data Controller responsible for processing your personal data is:

Gerresheimer AG, Düsseldorf, Germany, and its affiliated companies in the EU.
www.gerresheimer.com

3. Data Protection Officer contact details

Please direct any questions concerning data protection to:

SystemDatenschutzConsulting
Rebenlaube 12
D-45133 Essen
www.rs-datenschutzconsulting.de
schroeder-dsc@web.de

4. Definitions

This data protection information is underpinned by the following data protection terminology, which we have defined to ease understanding:

The GDPR refers to the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

Recipient: a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. Depending on your choice of payment method, recipients of your personal data may include banks or other service providers with whom we work to provide our services.

As part of the contractual relationship, it may be necessary for us to forward your personal data to a sub-provider (processor). To this end, we have complied with our obligations in accordance with Art. 28 GDPR by concluding supplementary agreements with the relevant processors and firmly believe that they will handle your personal data in accordance with the applicable legal provisions.

Personal data: any information relating to an identified or identifiable natural person. In the language of the GDPR, this is referred to as the “Data Subject.” An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data may include your name, contact details, and bank details.

Data Controller: the natural or legal person, public authority, agency, or other body that decides on the purposes and means of processing personal data, either independently or in conjunction with others. If the purposes and means of this processing are determined under European Union law or the law of the relevant member state, the Data Controller or the particular criteria by which he/she is appointed may be determined under European Union law or the law of the relevant member state. For the purposes of the data processing described in this privacy policy, the Data Controller is (see no. 2 above).

Processing: any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

5. Which of your data do we collect?

In order to carry out our contractual services, we collect personal data directly from you where necessary:

Personal identification data:
First name and last name, company, address, date of birth, e-mail address, telephone number, and fax.

Other data involved in processing the contract:
Bank details, staff data where applicable

6. Purposes and legal bases for processing your personal data

Contractual services and the further regular exchange of information in connection with our contractual services

We require your data in order to process our contractual services. This includes accessing your personal data (see section 5).

The legal basis for collecting data is the implementation of a contractual relationship in accordance with Art. 6 (1)(1)(b) GDPR. 

7. Keeping and deleting your personal data

In the first instance, we keep your personal data as long and as far as is required for the purposes specified in this privacy policy (see section 6 above).

Once the data are no longer required for the purposes specified in section 6 of this privacy policy, we will further retain your personal data for the period during which you are entitled to assert claims against us or vice versa (statutory limitation periods).

What is more, we also store your personal data as long and as far as we are legally obliged to do so. The corresponding obligations to furnish proof and to retain data are laid down, among other places, in the German Commercial Code (Handelsgesetzbuch), Fiscal Code (Abgabenordnung), and Money Laundering Act (Geldwäschegesetz). Under these laws, the retention periods last for up to ten years, beginning at the end of the calendar year in which the relevant process is completed.

8. Categories of recipients of personal data

When providing, implementing, and managing our services (see section 1), we also transmit your personal data to other companies in the Gerresheimer Group as part of an internal, collaborative process. These data are transmitted on the basis of our legitimate interest to perform internal administrative tasks efficiently and collaboratively and to improve our products and services in accordance with Art. 6 (1)(b) and (f) GDPR, and on the basis of concluding processor contracts in accordance with Art. 28 GDPR.

As regards processing payments and, where applicable, making refunds, we transmit your personal data (depending on your chosen payment method) to banks, payment service providers, financial service providers, and credit card companies in accordance with Art. 6 (1)(1)(b) GDPR.

If any legal disputes arise, we transmit your data to the competent court and to your lawyer, if you have appointed one, for the purposes of handling the dispute. We process your personal data on the basis of a legal obligation in accordance with Art 6(1)(1)(c) GDPR and on the basis of our legitimate interest to exercise, implement, and/or defend our legal interests in accordance with Art. 6(1)(1)(f) GDPR.

Furthermore, we transmit your personal data only if and to the extent that we are legally obliged to do so. We transmit these data in accordance with Art. 6(1)(1)(c) GDPR (e.g. to the police or regulatory authorities as part of investigations into misdemeanors and/or criminal offenses or to the data protection authorities).

As part of our contractual relationship, we or service providers appointed by us may carry out customer surveys and other advertising and marketing campaigns where appropriate. We transmit your personal data to the appointed service provider for the purposes of carrying out the customer survey. We process your personal data on the basis of our legitimate interest to improve our products and services in accordance with Art. 6(1)(1)(f) GDPR. 

9. Transmitting data to a third country

Your data may be transmitted to a third country for the purposes of performing contractual services. Please contact

Gerresheimer AG, Düsseldorf, Germany, for more information.
www.gerresheimer.com

10. Your right to object when we have a legitimate interest in processing your data

We process your personal identification data for the purposes of exercising, implementing, and defending our legal interests (including in a court of law) and in order to manage our internal administration efficiently and collaboratively.

Insofar as we process your personal data in accordance with these legitimate interests (Art. 6(1)(1)(f) GDPR), you are entitled to object to our processing your data at any time for reasons arising from your specific situation. Please direct any requests to:

Gerresheimer AG, Düsseldorf, Germany. www.gerresheimer.com

If you object to our processing your data, we will process the personal data collected in this connection for the purposes of responding to your request. In this case, the persona data are processed in compliance with a legal obligation in accordance with Art 6.(1)(1)(c) GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for doing so, which override your interests, rights, and freedoms, or your personal data serve to establish, exercise, or defend any legal claims.

11. Your additional rights

You can exercise the following rights vis-à-vis us at any time in accordance with the GDPR:

• Right of access, Art. 15 GDPR
  
  You have the right to obtain information regarding the personal data we store concerning you.

• Right to rectification, Art. 16 GDPR
  
  If you discover that incorrect data concerning you are being processed, you can request that they be rectified. Incomplete data must be completed, taking into account the purpose of the processing.

• Right to erasure, Art. 17 GDPR
  
  You have the right to request the deletion of your data if certain grounds for deletion apply. This is the case in particular if they are no longer required for the purpose for which they were originally collected or processed.

• Right to restriction of processing, Art. 18 GDPR
  
  You have the right to restrict the processing of your data. This means that, although your data will not be deleted, they will be marked in order to restrict their further processing or use. 

• Data portability (Art. 20 GDPR)
  
  You have the right to data portability in relation to the personal data concerning you which you have provided to us. This allows you to ask us to transmit these data to you or another person as far as is technically possible.

• Right to object to unreasonable data processing (Art. 21 GDPR)
  
  As a basic principle, you also have a general right to object to legal data processing for reasons of public interest, in the exercise of official authority, or based on the legitimate interests of an individual.

Please direct any requests to: Gerresheimer AG, Düsseldorf, Germany.
www.gerresheimer.com

If you assert your rights against us, we will process the personal data collected in this connection for the purposes of responding to your request. In this case, the persona data are processed in compliance with a legal obligation in accordance with Art 6.(1)(1)(c) GDPR.

• Right to lodge a complaint (Art. 77 GDPR)
  
  Without prejudice to your rights, you are entitled to lodge a complaint with a data protection authority if you believe that the processing of your personal data is in violation of the GDPR (Art. 77 GDPR).

The competent supervisory authority responsible for the Data Controller is:

LDI NRW
P.O. Box 200444
D-40102 Düsseldorf
Phone: +49 (0)211/38424-0
Fax: +49(0)211/38424-10
E-mail: poststelle-remove@remove-ldi.nrw.de