1 General
Bürstner GmbH & Co. KG takes the protection of your personal data very seriously. Your privacy is important to us. We process your personal data in accordance with the applicable statutory data protection requirements for the purposes listed below. Personal data, as defined in this privacy policy, is all information that relates to you personally. Below you will learn how we handle this data. For a better overview, we have divided our privacy policy into chapters.
1.1 Responsible party for data processing
Bürstner GmbH & Co. KG
Weststraße 33
77694 Kehl
Tel.: +49 7851 85 0
Email: datenschutz@buerstner.com
1.2 Data Protection Officer
If you have any questions or comments regarding data protection (for example, regarding information about and updating your personal data), you can also contact our Data Protection Officer directly.
DDSK GmbH
Stefan Fischerkeller
Dr.-Klein-Str. 29
D – 88069 Tettnang
Phone: +49 (0) 7542 949 21 00
E-Mail: datenschutz@buerstner.com
2 Processing Framework
2.1 Source of Data Collection
We process personal data that we have collected directly from you.
To the extent necessary for the provision of our services, we process personal data lawfully received from other companies or other third parties (e.g., credit agencies, address publishers). We also process personal data that we have lawfully obtained, received, or acquired from publicly accessible sources (such as telephone directories, commercial and association registers, residents' registers, debtor lists, land registers, the press, the internet, and other media) and are permitted to process.
2.2 Data categories
Relevant personal data categories may include, in particular:
2.2.1 Data categories within the scope of the supplier relationship
Personal data (e.g., name, date of birth, place of birth, nationality, occupation/industry, and similar data)
Contact details (address, email address, telephone number, and similar data)
Payment/coverage confirmation for bank and credit cards
Customer history
Commissions and delivery addresses
Data about your use of the telemedia services we offer (e.g., time of access to our websites, apps, or newsletters, pages/links clicked from our site or entries, and similar data)
Video and image recordings
Credit data
Communication data (user details, content data, connection data, and similar data) in the context of telephone conferences, video conferences, and web meetings through the use of internet-based communication tools (hereinafter: web meetings)
2.2.2 Data categories as trading partners
Personal data (name, date of birth, occupation/industry, and similar data)
Contact details of you or your employees, if not collected directly (address, email address, telephone number, and similar data)
Payment/coverage confirmation for bank and credit cards, if personal
Customer history
Commissions and delivery addresses
Correspondence
Vehicle information about your customers, e.g., in connection with warranty and guarantee cases (warranty start/beginning date, serial or chassis numbers, year of manufacture, first registration, etc.)
2.2.3 Data categories in customer service:
2.3 Purposes and legal bases of the processed data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the new version of the Federal Data Protection Act (BDSG-neu), and other applicable data protection regulations (details below). Which data is processed and how it is used depends largely on the services requested or agreed upon. Further details or additions to the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent, and/or other information provided to you (e.g., when using our website or our terms and conditions).
2.3.1 Purposes for the performance of a contract or pre-contractual measures (Art. 6 (1) b GDPR)
Personal data is processed to execute contracts with you and execute orders, as well as to carry out measures and activities within the framework of pre-contractual relationships, e.g., with interested parties. Contractual partners with whom you have a contractual relationship (e.g., trading partners) may also receive your personal data from us, provided it is necessary to fulfill your request on this legal basis. This also essentially includes:
contract-related communication with you, the corresponding billing and associated payment transactions, the verifiability of orders and other agreements, and quality control through appropriate documentation, goodwill procedures, measures to manage and optimize business processes and fulfill general due diligence obligations, management and control by affiliated companies; statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, billing and tax assessment of operational services, risk management, assertion of legal claims, and defense in legal disputes. Ensuring IT security (including system and plausibility tests) and general security, ensuring and enforcing house rules (e.g., through access controls); ensuring the integrity, authenticity, and availability of data, preventing and investigating criminal offenses, and monitoring by supervisory bodies or control bodies (e.g., auditing).
2.3.2 Purposes within the scope of a legitimate interest of us or third parties (Art. 6 (1) (f) GDPR)
Beyond the actual fulfillment of the contract or preliminary contract, we may process your data if necessary to protect the legitimate interests of us or third parties, in particular for the following purposes:
Asserting legal claims and defending against legal disputes that are not directly related to the contractual relationship;
The further development of services and products, as well as existing systems and processes;
Effectively processing inquiries using IT-supported ticket and document management systems, particularly in the case of complaints, guarantees, or warranty claims;
Preventing and investigating criminal offenses, unless solely for the purpose of complying with legal requirements;
Restricted storage of data if deletion is not possible or only possible with disproportionate effort due to the special nature of the storage;
Building and facility security (e.g., through access controls), insofar as this goes beyond general due diligence obligations;
Internal and external investigations and security audits;
Obtaining and maintaining certifications under private or official law;
Ensuring and exercising house rules through appropriate measures (such as video surveillance) as well as securing evidence in the event of criminal offenses and preventing them;
The effective and resource-saving conduct of web meetings through the use of internet-based communication tools.
2.3.3 Purposes within the scope of your consent (Art. 6 (1) (a) GDPR)
Processing of your personal data for specific purposes (e.g., using your email address for marketing purposes, using other communication channels for the purpose of clarifying the facts) may also be based on your consent. As a rule, you can revoke this consent at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force, i.e., before May 25, 2018.
You will be informed separately in the corresponding consent text about the purposes and consequences of revoking or not granting consent. In principle, the revocation of consent only takes effect for the future. Processing that occurred before the revocation is not affected and remains lawful.
2.3.4 Purposes for the fulfilment of legal requirements (Art. 6 (1) c GDPR) or in the public interest (Art. 6 (1) e GDPR)
Like everyone involved in business, we are subject to a variety of legal obligations. These primarily include statutory requirements (e.g., commercial and tax laws), but may also include regulatory or other official requirements. The purposes of processing may include fulfilling tax control and reporting obligations, archiving data for data protection and data security purposes, and audits by tax and other authorities. Furthermore, the disclosure of personal data may be required as part of official/judicial measures for the purposes of gathering evidence, criminal prosecution, or enforcing civil law claims.
2.4 Automated decisions in individual cases, including profiling (Art. 22 GDPR)
We do not use purely automated decision-making processes. Should we use such a process in individual cases in the future, we will inform you separately, provided this is required by law.
2.5 Consequences of non-provision of data
As part of our business relationship or communication with you, you must provide the personal data that is necessary for the establishment, execution, and termination of the legal transaction and the fulfillment of the associated contractual obligations or for processing your request, or which we are legally obligated to collect. Without this data, we will not be able to conduct the legal transaction with you or satisfactorily process your inquiry/request.
3 Recipients of the data
3.1 Within the EU
Within our company, your data will be passed on to those internal departments or organizational units that require it to fulfill our contractual and legal obligations or within the scope of processing and implementing our legitimate interests.
Your data will only be passed on to external bodies:
in connection with contract processing;
for the purpose of clarifying the facts based on your inquiry/concern (e.g., complaints, warranty/guarantee processing)
for the purpose of fulfilling legal requirements according to which we are obligated to provide information, report, or disclose data, or where the disclosure of data is in the public interest (see Section 2.3.4);
to the extent that external service providers process data on our behalf as processors or function providers (e.g., data centers, support/maintenance of IT applications, archiving, document processing, call center services, compliance services, controlling, data validation or plausibility checks, data destruction, purchasing/procurement, customer management, lettershops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, credit institutions, printing companies, or data disposal companies, courier services, logistics);
based on our legitimate interest or the legitimate interest of the third party for the purposes stated (e.g., to authorities, credit agencies, debt collection agencies, lawyers, courts, experts, subsidiaries, and committees and supervisory bodies);
if you have given us your consent to transmit your data to third parties.
We will not share your data with third parties beyond this. If we engage service providers to process your data, your data will be subject to the same security standards there as it is with us. In other cases, the recipients may only use the data for the purposes for which it was transmitted.
3.2 Outside the EU
Data is transferred to locations in countries outside the European Union (EU) or the European Economic Area (EEA), so-called third countries.
3.3 Recipient overview
The following recipients will receive your data as part of the data processing described here:
Recipient: Tef-Dokumentation GmbH, Angelestr. 56, 88214 Ravensburg
Transfer to third countries: No transfer to third countries takes place.
Recipient: Erwin Hymer Group SE, Holzstraße 19, D-88339 Bad Waldsee
Transfer to third countries: No transfer to third countries takes place.
4 Storage periods
We process and store your data for the duration of our business relationship. This includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
In addition, we are subject to various retention and documentation obligations, which arise, among other things, from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods specified therein extend up to ten years to the end of the calendar year beyond the end of the business relationship or the pre-contractual legal relationship.
Furthermore, specific legal regulations may require a longer retention period, such as the preservation of evidence within the framework of statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (BGB), the standard limitation period is three years; however, limitation periods of up to 30 years may also apply.
If the data is no longer required to fulfill contractual or legal obligations and rights, it will be regularly deleted, unless its - limited - further processing is necessary to fulfill the purposes based on an overriding legitimate interest. Such an overriding legitimate interest also exists, for example, if deletion is not possible or only possible with disproportionate effort due to the special nature of the storage, and processing for other purposes is excluded by appropriate technical and organizational measures.
5 Your rights
Under certain conditions, you can assert your data protection rights against us. Your requests to exercise your rights should, if possible, be addressed in writing or by email to the address provided above, or directly in writing or by email to our data protection officer.
You have the right to receive information from us about the data we have stored about you in accordance with the provisions of Art. 15 GDPR (possibly with restrictions under Section 34 of the New Federal Data Protection Act).
Upon your request, we will correct the data we have stored about you in accordance with Art. 16 GDPR if it is inaccurate or incorrect.
If you wish, we will delete your data in accordance with the principles of Art. 17 GDPR, provided that other legal regulations (e.g. statutory retention periods or the restrictions pursuant to Section 35 of the New Federal Data Protection Act) or an overriding interest on our part (e.g. to defend our rights and claims) do not conflict with this.
Taking into account the requirements of Art. 18 GDPR, you can request that we restrict the processing of your data.
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR or if it is necessary to perform a task carried out in the public interest or in the exercise of official authority, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided there are reasons for doing so that arise from your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right of objection, which we will implement without specifying a particular situation.
You also have the right to receive your data in a structured, common and machine-readable format or to transmit it to a third party under the conditions of Art. 20 GDPR.
In addition, you have the right to revoke your consent to the processing of personal data at any time with future effect.
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR). However, we recommend that you always first address any complaint to our data protection officer.
You can contact the supervisory authority responsible for us at:
The State Commissioner
for Data Protection and Freedom of Information Baden-Württemberg
P.O. Box 10 29 32, 70025 Stuttgart
Lautenschlagerstraße 20, 70173 Stuttgart
Telephone +49 711 6155410
poststelle@lfdi.bwl.de