Notice on the Processing of Customer/Supplier Data

Information on the processing of customer/supplier data

1 General
Bürstner GmbH & Co. KG takes the protection of your personal data very seriously. Your privacy is important to us. We process your personal data in accordance with the applicable legal data protection requirements for the purposes specified below. Personal data, as defined in this data protection notice, refers to any information that relates to an individual.
In the following, you will learn how we handle such data. For a clearer overview, we have divided our data protection notice into chapters.

1.1 Data Controller for the Processing of Data
Bürstner GmbH & Co. KG
Weststrasse 33
77694 Kehl, Germany
Tel.: 07851 85 0
E-Mail: datenschutz@buerstner.com

1.2 Data Protection Officer
If you have any questions or comments about data protection (for example, about how to access and update your personal data), you can also contact our Data Protection Officer directly.

DDSK GmbH
Stefan Fischerkeller
Dr.-Klein-Str. 29
D – 88069 Tettnang
Tel.: +49 (0) 7542 949 21 00
E-Mail: datenschutz@buerstner.com

2 Scope of Processing
2.1 Source of Data Collection

We process personal data that we have collected directly from you.
To the extent necessary for the provision of our services, we process personal data legitimately received from other companies or other third parties (e.g. credit agencies, address publishers). In addition, we process personal data that we have legitimately collected, received or acquired from publicly accessible sources (such as telephone directories, commercial and association registers, civil registers, debtors’ registers, land registers, the press, the Internet and other media) and are permitted to process.

2.2 Data Categories
Relevant categories of personal data may include in particular:

2.2.1 Data Categories within the Supplier Relationship

  • Personal data (e.g. name, date of birth, place of birth, nationality, profession/industry and comparable data)
  • Contact details (address, e-mail address, telephone number and comparable data)
  • Payment/coverage confirmation for bank and credit cards
  • Customer history
  • Commissions and delivery addresses
  • Data on your usage of the telemedia services we offer (e.g. time of accessing our websites, apps or newsletters, clicked pages/links from us, entries, and similar data)
  • Video and image recordings
  • Credit rating data
  • Communication data (user details, content data, connection data as well as comparable data) in the context of telephone conferences, video conferences and web meetings through the use of internet-based communication tools (hereinafter: web meetings)

2.2.2 Data Categories as a Trading Partner

  • Personal data (name, date of birth, profession/industry and comparable data)
  • Contact details about you or about employees, if not collected directly (address, email address, telephone number and comparable data)
  • Payment/coverage confirmation in the case of bank and credit cards, if related to a person
  • Customer history
  • Commissions and delivery addresses
  • Correspondence
  • Vehicle information of your customers, e.g. in connection with guarantee and warranty cases (start/beginning of guarantee/warranty, serial or chassis numbers, year of manufacture, first registration, etc.).
     

2.2.3 Data Categories in Customer Service:

  • Personal data (name, first name)
  • Contact details (address, e-mail address, telephone number and comparable data)
  • Details about your vehicle (e.g. serial or chassis number, year of manufacture, first registration, or in the case of vehicle upgrades, copies of the vehicle registration document, vehicle assessment reports, etc.).
  • Correspondence with you and any vehicle history information (vehicle record)
  • Warranty and guarantee information or complaints

2.3 Purposes and Legal Basis of the Data Processed
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the new version of the German Federal Data Protection Act (BDSG-Neu) and other applicable data protection regulations (details below). The specific data processed and the manner in which it is used depend primarily on the requested or agreed-upon services. You can find additional details or supplements on the purposes of data processing in the respective contractual documents, forms, a declaration of consent and/or other information provided to you (e.g. in the context of using our website or our terms and conditions).

2.3.1 Purposes for the Fulfilment of a Contract or Pre-contractual Measures (Art. para. 1 b GDPR)
Personal data is processed for the purpose of executing contracts with you and carrying out orders, as well as for the purpose of carrying out measures and activities in the context of pre-contractual relationships, e.g. with interested parties. In this context, contractual partners with whom you have a contractual relationship (e.g. business partners) may also receive personal data from us, insofar as this is necessary for the fulfilment of your request in accordance with this legal basis. This includes the following:

contract-related communication with you, corresponding billing and associated payment transactions, the traceability of orders and other agreements, as well as quality control through appropriate documentation, goodwill proceedings, measures for managing and optimising business processes, and fulfilling general due diligence obligations; management and control by affiliated companies; statistical analysis for business management, cost recording and controlling, reporting, internal and external communication, emergency management, billing and tax assessment of business services, risk management, asserting legal claims and defence in legal disputes; ensuring IT security (including system or plausibility tests) and general security, ensuring and exercising property rights (e.g. through access controls); ensuring the integrity, authenticity and availability of data, preventing and investigating crimes, and controls by supervisory bodies or oversight authorities (e.g. auditing).

2.3.2 Purposes within the Scope of a Legitimate Interest of Us or a Third Party (Art. 6 para. 1 f GDPR)

  • Beyond the actual fulfilment of the contract or preliminary contract, we may process your data if it is necessary to protect the legitimate interests of us or third parties, in particular for the purposes of
  • asserting legal claims and defending legal disputes that are not directly attributable to the contractual relationship;
  • further developing services and products as well as existing systems and processes;
  • effective processing of enquiries using IT-supported ticket and document management systems, especially in the case of complaints, warranty or guarantee cases;
  • preventing and investigating criminal offences, insofar as this is not exclusively for the fulfilment of legal requirements;
  • limited storage of the data if deletion is not possible or only possible with disproportionate effort due to the special nature of the storage;
  • building and plant security (e.g. through access controls), insofar as this exceeds the general due diligence obligations;
  • internal and external investigations and security checks;
  • obtaining and maintaining certifications of a private or regulatory nature;
  • securing and exercising property rights through appropriate measures (such as video surveillance) and for securing evidence in the event of criminal offences and preventing them;
  • conducting web meetings effectively and in a resource-efficient manner through the use of internet-based communication tools.

2.3.3 Purposes within the Scope of Your Consent (Art. 6 para. 1 a GDPR)
The processing of your personal data for specific purposes (e.g., using your email address for marketing purposes, utilising other communication channels for the clarification of facts) may also occur based on your consent. Generally, you can revoke your consent at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into effect, i.e. before 25 May 2018.
You will be informed separately about the purposes and consequences of revoking or not granting consent in the relevant text of the consent. Generally, the revocation of consent only takes effect for the future. Processing that took place before the revocation is not affected by this and remains lawful.

2.3.4 Purposes for the Fulfilment of Legal Requirements (Art. 6 para. 1 c GDPR) or in the Public Interest (Art. 6 para. 1 e GDPR)
As with anyone involved in business, we are subject to a broad range of legal obligations. These are primarily legal requirements (e.g. commercial and tax laws), as well as regulatory or other official requirements where applicable. The purposes of processing include, where applicable, the fulfilment of control and reporting obligations under tax law and the archiving of data for data protection and data security purposes as well as auditing by tax and other authorities. Furthermore, the disclosure of personal data may become necessary in the context of official/court measures for the purpose of collecting evidence, criminal prosecution or the enforcement of civil claims.

2.4 Automated Decisions on an Individual Basis, including Profiling (Art. 22 GDPR)
We do not use purely automated decision-making processes. If we do use such a procedure in the future on an individual basis, we will inform you of this separately, insofar as this is required by law.

2.5 Consequences of Failure to Provide Data
In the course of the business relationship or communication with you, you must provide the personal data that is necessary for the establishment, execution and termination of the contractual agreement and the fulfilment of associated contractual obligations, or for the processing of your inquiry, or data that we are legally obliged to collect. Without this data, we will not be able to carry out the legal transaction with you or to satisfactorily process your enquiry/request.

3 Recipient of the Data
3.1 Within the EU

Within our company, those internal departments or organisational units receive your data that require it for the fulfilment of our contractual and legal obligations or in the context of processing and implementing our legitimate interests.
Your data will only be passed on to external bodies

  • in connection with the processing of the contract;
  • for the purpose of clarifying the facts on the basis of your enquiry/request (e.g. complaints, warranty/guarantee processing);
  • for the fulfilment of legal requirements according to which we are obliged to provide information, report or disclose data or the disclosure of data is in the public interest (see section 2.3.4);
  • if external service providers process data on our behalf as data processors or sub-processors (e.g., data centres, support/maintenance of IT applications, archiving, document processing, call centre services, compliance services, controlling, data validation or plausibility checks, data destruction, purchasing/procurement, customer management, letter shops, marketing, media technology, research, risk control, billing, telephony, website management, auditing services, credit institutions, printing companies or data disposal companies, courier services, logistics) in accordance with the provisions of the GDPR;
  • on the basis of our legitimate interest or the legitimate interest of the third party for the purposes stated (e.g. to authorities, credit agencies, debt collection, lawyers, courts, experts, subsidiaries and committees and supervisory bodies);
  • if you have given us permission to disclose it to third parties.

We will not disclose your data to third parties beyond the above. If we commission service providers to process your data, they are subject to the same security standards as we are. In all other cases, the recipients are only allowed to use the data for the purposes for which they were transmitted to them.

3.2 Outside of the EU
Data is transferred to bodies in countries outside the European Union (EU) or the European Economic Area (EEA), so-called third countries.

3.3 Recipient Overview
The following recipients receive your data within the scope of the data processing described here:

Recipient:                        Tef-Dokumentation GmbH, Angelestr. 56, 88214 Ravensburg
Third country transfer: No third country transfer takes place.
Recipient:                         Erwin Hymer Group SE, Holzstraße 19, D-88339 Bad Waldsee
Third country transfer: No third country transfer takes place.

4 Retention Periods
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
In addition, we are subject to various retention and documentation obligations, which stem from the German Commercial Code (HGB) and the German Fiscal Code (AO), among other regulations. The periods specified therein for retention or documentation are up to ten years to the end of the calendar year beyond the end of the business relationship or the pre-contractual legal relationship.
Moreover, specific legal provisions may require a longer retention period, such as the preservation of evidence within the framework of statutory limitation provisions. According to §§ 195 et seq. of the German Civil Code (BGB), the standard limitation period is three years; however, limitation periods of up to 30 years may also be applicable.
If the data is no longer required for the fulfilment of contractual or legal obligations and rights, it is regularly deleted, unless its - temporary - further processing is necessary for the fulfilment of the purposes for an overriding legitimate interest. Such overriding legitimate interest exists, for example, when deletion is not possible or only possible with disproportionate effort due to the particular nature of the retention, and processing for other purposes is excluded by appropriate technical and organisational measures.

5 Your Rights
You can assert your data protection rights against us under certain conditions. Your requests about the exercise of your rights should be addressed, if possible, in writing or by e-mail to the address given above or directly in writing or by e-mail to our Data Protection Officer. Thus, you have the right to receive information from us regarding your data that we have stored in accordance with the provisions of Art. 15 GDPR (if applicable, with restrictions in accordance with § 34 of the German Federal Data Protection Act (BDSG)).

  • You have the right to receive information from us about your data that we have stored in accordance with the rules of Art. 15 GDPR (possibly with restrictions in accordance with § 34 of the BDSG-Neu).
  • Upon your request, we will correct the data stored about you in accordance with Art. 16 GDPR if it is inaccurate or incorrect.
  • If you so desire, we will delete your data in accordance with the provisions of Art. 17 GDPR, provided that other statutory provisions (e.g. statutory retention obligations or the restrictions pursuant to § 35 BDSG-Neu) or our overriding interest (e.g. for the defence of our rights and claims) do not prevent this.
  • In consideration of the requirements of Art. 18 GDPR, you may request us to restrict the processing of your data.
  • If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f) GDPR or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are grounds for doing so which arise from your particular situation or if the objection relates to direct advertising. In the latter case, you have a general right to object, which will be implemented by us without the need to provide any specific situation.
  • You also have the right to receive your data in a structured, commonly used and machine-readable format under the conditions of Art. 20 GDPR or to transfer it to a third party.
  • Furthermore, you have the right to revoke your consent to the processing of personal data at any time with effect for the future.
  • In addition, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always first address a complaint to our Data Protection Officer.

You can contact the supervisory authority responsible for us at:

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (Der Landesbeauftragte
für den Datenschutz und die Informationsfreiheit Baden-Württemberg)
Postfach 10 29 32, 70025 Stuttgart
Lautenschlagerstraße 20, 70173 Stuttgart
Telephone 0711 6155410
poststelle@lfdi.bwl.de