Business partner privacy information for our customers and suppliers
Ladies and Gentlemen
The provisions of the EU General Data Protection Regulation (hereinafter: GDPR) have been in force across Europe since 25 May 2018. Many customers, suppliers and service providers entrust Hoffmann with their personal data. Hoffmann regards the protection of the information and data entrusted to the company as part of its corporate responsibility.
2. Which data categories do we use and where do they come from?
The processed categories of personal data include, in particular, master customer data (such as first name, surname, contact person's name extensions), contact person's contact details (such as postal address, telephone, fax and email address, date of birth), other data provided by you (such as shoe size, clothing size), log data resulting from the use of IT systems, as well other data from our business relationship (e.g. contract data, customer service information, accounting data, bank details, tax identification number).
As a general rule, your personal data is collected directly from you as part of the business transaction and during our business relationship. In certain situations, your personal data is also collected by other parties, due to legal regulations.
3. For what purposes and on what legal basis is data processed?
We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR), national data protection law and any other applicable legislation.
Data processing primarily serves to establish, implement and terminate our joint business relationship. The predominant legal basis for this is Article 6 Point 1 b) of the GDPR. If necessary, your separate consent in accordance with Article 6 Point 1 a) and 7 of the GDPR (e.g. when using images and statements) may also be a permission requirement under data protection law.
We also process your data in order to comply with our legal obligations, especially in relation to tax law. The basis for this is Article 6 Point 1 c) of the GDPR.
Where necessary, we also process your data on the basis of Article 6 Point 1 f) of the GDPR, in order to protect our legitimate interests or those of third parties (e.g. authorities). This particularly applies to the investigation of criminal offences or for administrative purposes within the Group.
Furthermore, due to the European anti-terror regulations 2580/2001 and 881/2002, we are obliged to cross-check your data with the so-called "EU terror list", in order to ensure that no money or other financial resources are made available for terrorist purposes.
If we wish to process your personal data for a purpose not mentioned above, we will inform you in advance.
4. Who receives your data?
Within our organisation, only those individuals and departments (e.g. financial accounting, purchasing, sales, customer service) who need your personal data to comply with our contractual and statutory obligations receive this.
Within our corporate group, your data is disclosed to specific companies, where these perform data processing tasks centrally for the Group's affiliated companies (e. g. logistics, production).
Sometimes we also use different service providers to meet our contractual and statutory obligations. A list of the contractors and service providers we use, with whom we have a permanent business relationship, is available on request from firstname.lastname@example.org.
If we disclose personal data to contractors and service providers, this is processed on the basis of a Data Processing Agreement (DPA).
We therefore work exclusively with data processing companies who provide adequate guarantees that appropriate technical and organisational measures are in place and that the data is processed in compliance with the requirements of the GDPR.
Furthermore, we may disclose your personal data to other recipients outside the company, to the extent necessary to comply with contractual and statutory obligations. These may be:
Authorities (financial authorities, courts)
The company's bank (SEPA payment medium)
Bankruptcy administrators in case of insolvency
5. What data protection rights can you assert as the data subject?
You can request information about the data we store about you from the above-mentioned address. Under certain circumstances, you can also request the correction or deletion of your data. You also have the right to restrict the processing of your data and the right to receive the data you provide in a structured, standard and machine-readable format.
Right to object
You have the right to object to the processing of your personal data for direct marketing purposes without giving any reason. If we process your data in order to safeguard legitimate interests, you can object to this processing for reasons arising from your particular situation. We will then no longer process your personal data, unless we can demonstrate compelling legitimate grounds for this processing, which out-weigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
6. Where can you complain?
You have the option of submitting a complaint to the above-mentioned Data Protection Officer or to a data protection supervisory authority.
The Hoffmann head office is in Munich. The responsible supervisory authority is the Data Protection Authority for Bavaria, Promenade 27, 91522 Ansbach, email: email@example.com
7. How long will your data be stored?
We will delete your personal data as soon as it is no longer required for the above-mentioned purposes. Once our business relationship has been terminated, your personal data will only be stored for as long as we are legally obliged to do so. This stems from regular legal obligations to produce supporting documents and storage obligations that are regulated by the Commercial Code and Fiscal Code. Thereafter, the storage periods are up to ten years. Personal data may also be stored for the period in which claims can be made against us (statutory limitation period of three or up to thirty years).
8. Will your data be transferred to a third country?
If we transfer personal data to a service provider or Group company outside the European Economic Area (EEA), the transfer will only take place provided the EU Commission has confirmed that the third country has an adequate level of data protection or other appropriate data protection guarantees are in place (e.g. binding domestic data protection regulations or standard EU contractual clauses). You can request detailed information using the above-mentioned contact details.
9. Are you obliged to provide your data?
As part of our business relationship, you must provide the personal data that is required to establish, implement and terminate our business relationship and comply with the associated contractual obligations, or which we are legally obliged to collect. Without this data, we will be unable to conduct a business relationship with you.