Privacy policy

Categories of personal data

We process the following categories of personal data within the scope of the purposes listed above, insofar as this is necessary to fulfill the purpose:

Personal master data, address data, contact data, bank data, log data, proof of qualifications, function, payment information, log data, creditworthiness data.

Data retention period:

We process and store your personal data for the duration of our business relationship, if necessary. This also includes the initiation and processing of a contract/order. In addition, we are subject to various retention obligations, including those arising from the German Commercial Code. Finally, the storage period is also determined by the statutory limitation periods, which are generally 3 years, but can also be up to 30 years.

Note on your consent

Insofar as we have your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Once given, consent can be withdrawn at any time. Please note that the revocation is effective for the future. Processing that was carried out before this revocation is not affected by this.

Is there an obligation to provide data?

In the context of a business initiation or business relationship with us, you generally only need to provide the data that we require for the corresponding establishment, implementation or termination of this relationship. Without the provision of the necessary data, we may have to refuse to establish a business relationship or may not be able to do so or may even have to terminate such a relationship.

To whom is the data disclosed (categories of recipients):

Data processing within the company:

We process your data internally within our company wherever possible so that only the relevant specialist departments, such as customer service, invoice processing or data processing, can access it.

Data processing within the framework of joint controllership

The companies of the Dürr Group, to which we belong, operate a joint customer database (CRM system) and in this respect act as joint controllers within the meaning of Art. 26 GDPR (also known as joint controllers). You can view the companies of the Dürr Group here.

If data is transferred to Dürr companies outside the EEA, we rely on the standard contractual clauses of the EU Commission. We also refer to the information on third country transfers.

The CRM system is provided by Salesforce. The storage location is the EU. A transfer of the data to companies of the Salesforce Group outside the EEA is not excluded.

Internally, we have distributed the responsibilities in a contract as follows: Data subjects can contact all joint controllers to exercise data subject rights.

The Dürr Group company to which you have provided your data will nevertheless act as your first point of contact. Responsible for the information obligations under Art. 13 f. GDPR is Dürr Systems AG, which is in charge of operating the CRM system. The joint controllers are responsible for fulfilling the reporting obligations required within their area of activity and for maintaining documentation, obliging employees to maintain confidentiality and informing them of their data protection obligations, as well as ensuring technical and organizational security in data processing.

External contractors and service providers (this also includes processors):

Insofar as we do not provide services ourselves, we sometimes use external contractors and service providers to perform our tasks and fulfil contracts. We use these service providers for the following purposes, among others Printing services, marketing measures, IT services including website hosting.

Other recipients:

In addition, data may go to recipients to whom we are obliged to disclose data due to legal obligations (e.g. law enforcement authorities and courts).

Data transfer to third countries:

If recipients of your data and their service providers are located outside the European Economic Area (EEA) or process your personal data outside the EEA, we ensure that your personal data is adequately protected (e.g. by an adequacy decision or by concluding the EU Commission's standard contractual clauses, with additional safeguards if necessary). We will provide evidence of the respective protection mechanism on request.

In countries outside the EEA, different data protection regulations may apply than in your country of residence. Under certain circumstances, national law may offer less protection than that of your country of residence (e.g. because national regulations allow investigating authorities more extensive access rights to personal data).

We would like to point out that the USA is generally a so-called unsafe third country. This means that the USA generally does not offer a level of data protection comparable to that in the EU. If data is transferred to the USA, there is a risk that US authorities will access the data on the basis of surveillance programs (based on Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 or Presidential Police Directive 28) without EU citizens having effective legal protection against such access. For certain companies from the USA, however, the EU Commission has recognized the level of data protection as secure within the framework of the so-called "Data Privacy Framework" (DPF) with the adequacy decision of 10.07.2023. This means that US companies that are certified under the DPF offer the same level of data protection as companies within the EEA. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/.

Duration of data storage:

We generally delete your data as soon as it is no longer required to fulfill the purpose of data processing. Where necessary, we process and store your personal data for the duration of our business relationship. This also includes the initiation and processing of a contract/order. In addition, we are subject to various retention obligations, including those arising from the German Commercial Code. Finally, the storage period is also determined by the statutory limitation periods, which are generally 3 years, but can also be up to 30 years.

Your rights as a data subject:

The contact persons and contact details for the rights to which you are entitled are provided in the list at the beginning of this document.

You can request information about the personal data stored about you. (Art. 15 GDPR). You can also request the rectification or erasure of your data under certain conditions (Art. 16 and 17 GDPR). You have the right to request the restriction of the processing of your personal data (Art. 18 GDPR). In addition, you have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format (Art. 20 GDPR). You also have the right to object (Art. 21 GDPR).

You also have the right to lodge a complaint with a data protection supervisory authority.