This data protection information informs you how Gerresheimer AG, Düsseldorf, Germany, and its affiliated companies in the EU process your personal data in accordance with the European General Data Protection Regulation (hereinafter referred to as “the GDPR”).
This data protection information applies to the collection of your personal data by us for the purposes of performing services that have been contractually agreed between you as the customer or supplier and us, and for the purposes of the further regular exchange of information in connection with our contractual services.
Unless otherwise stated in this privacy policy, the Data Controller responsible for processing your personal data is:
Gerresheimer AG, Düsseldorf, Germany, and its affiliated companies in the EU.
www.gerresheimer.com
Please direct any questions concerning data protection to:
SystemDatenschutzConsulting
Rebenlaube 12
D-45133 Essen
www.rs-datenschutzconsulting.de
schroeder-dsc@web.de
This data protection information is underpinned by the following data protection terminology, which we have defined to ease understanding:
The GDPR refers to the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
Recipient: a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. Depending on your choice of payment method, recipients of your personal data may include banks or other service providers with whom we work to provide our services.
As part of the contractual relationship, it may be necessary for us to forward your personal data to a sub-provider (processor). To this end, we have complied with our obligations in accordance with Art. 28 GDPR by concluding supplementary agreements with the relevant processors and firmly believe that they will handle your personal data in accordance with the applicable legal provisions.
Personal data: any information relating to an identified or identifiable natural person. In the language of the GDPR, this is referred to as the “Data Subject.” An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data may include your name, contact details, and bank details.
Data Controller: the natural or legal person, public authority, agency, or other body that decides on the purposes and means of processing personal data, either independently or in conjunction with others. If the purposes and means of this processing are determined under European Union law or the law of the relevant member state, the Data Controller or the particular criteria by which he/she is appointed may be determined under European Union law or the law of the relevant member state. For the purposes of the data processing described in this privacy policy, the Data Controller is (see no. 2 above).
Processing: any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
In order to carry out our contractual services, we collect personal data directly from you where necessary:
Personal identification data:
First name and last name, company, address, date of birth, e-mail address, telephone number, and fax.
Other data involved in processing the contract:
Bank details, staff data where applicable
Contractual services and the further regular exchange of information in connection with our contractual services
We require your data in order to process our contractual services. This includes accessing your personal data (see section 5).
The legal basis for collecting data is the implementation of a contractual relationship in accordance with Art. 6 (1)(1)(b) GDPR.
In the first instance, we keep your personal data as long and as far as is required for the purposes specified in this privacy policy (see section 6 above).
Once the data are no longer required for the purposes specified in section 6 of this privacy policy, we will further retain your personal data for the period during which you are entitled to assert claims against us or vice versa (statutory limitation periods).
What is more, we also store your personal data as long and as far as we are legally obliged to do so. The corresponding obligations to furnish proof and to retain data are laid down, among other places, in the German Commercial Code (Handelsgesetzbuch), Fiscal Code (Abgabenordnung), and Money Laundering Act (Geldwäschegesetz). Under these laws, the retention periods last for up to ten years, beginning at the end of the calendar year in which the relevant process is completed.
When providing, implementing, and managing our services (see section 1), we also transmit your personal data to other companies in the Gerresheimer Group as part of an internal, collaborative process. These data are transmitted on the basis of our legitimate interest to perform internal administrative tasks efficiently and collaboratively and to improve our products and services in accordance with Art. 6 (1)(b) and (f) GDPR, and on the basis of concluding processor contracts in accordance with Art. 28 GDPR.
As regards processing payments and, where applicable, making refunds, we transmit your personal data (depending on your chosen payment method) to banks, payment service providers, financial service providers, and credit card companies in accordance with Art. 6 (1)(1)(b) GDPR.
If any legal disputes arise, we transmit your data to the competent court and to your lawyer, if you have appointed one, for the purposes of handling the dispute. We process your personal data on the basis of a legal obligation in accordance with Art. 6(1)(1)(c) GDPR and on the basis of our legitimate interest to exercise, implement, and/or defend our legal interests in accordance with Art. 6(1)(1)(f) GDPR.
Furthermore, we transmit your personal data only if and to the extent that we are legally obliged to do so. We transmit these data in accordance with Art. 6(1)(1)(c) GDPR (e.g. to the police or regulatory authorities as part of investigations into misdemeanors and/or criminal offenses or to the data protection authorities).
As part of our contractual relationship, we or service providers appointed by us may carry out customer surveys and other advertising and marketing campaigns where appropriate. We transmit your personal data to the appointed service provider for the purposes of carrying out the customer survey. We process your personal data on the basis of our legitimate interest to improve our products and services in accordance with Art. 6(1)(1)(f) GDPR.
Your data may be transmitted to a third country for the purposes of performing contractual services. Please contact Gerresheimer AG, Düsseldorf, Germany, for more information.
www.gerresheimer.com
We process your personal identification data for the purposes of exercising, implementing, and defending our legal interests (including in a court of law) and in order to manage our internal administration efficiently and collaboratively.
Insofar as we process your personal data in accordance with these legitimate interests (Art. 6(1)(1)(f) GDPR), you are entitled to object to our processing your data at any time for reasons arising from your specific situation. Please direct any requests to:
Gerresheimer AG, Düsseldorf, Germany.
www.gerresheimer.com
If you object to our processing your data, we will process the personal data collected in this connection for the purposes of responding to your request. In this case, the personal data are processed in compliance with a legal obligation in accordance with Art. 6(1)(1)(c) GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for doing so, which override your interests, rights, and freedoms, or your personal data serve to establish, exercise, or defend any legal claims.
You can exercise the following rights vis-à-vis us at any time in accordance with the GDPR:
Please direct any requests to: Gerresheimer AG, Düsseldorf, Germany.
www.gerresheimer.com
If you assert your rights against us, we will process the personal data collected in this connection for the purposes of responding to your request. In this case, the personal data are processed in compliance with a legal obligation in accordance with Art. 6(1)(1)(c) GDPR.
The competent supervisory authority responsible for the Data Controller is:
LDI NRW
P.O. Box 200444
D-40102 Düsseldorf
Phone: +49 (0)211/38424-0
Fax: +49 (0)211/38424-10
E-mail: poststelle@ldi.nrw.de
Do you have any questions? We are happy to help you!
+49 211 61 81 - 00