Data protection information on the collection of personal data in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) for our business partners
This information is intended to inform you about the processing of your personal data and the rights to which you are entitled under data protection law. Which data is processed in detail and how it is used depends largely on the services provided and agreed.
List of companies:
BBS Automation GmbH
Parkring 22, 85748 Garching, Germany
+49 89 8560 7354-0
info@bbsautomation.com
Contact the data protection officer: dataprotection@bbsautomation.com
BBS Automation Blaichach GmbH
Hans-Böckler-Straße 7, 87527 Sonthofen, Germany
+49 8321-60966-0
info.blaichach@bbsautomation.com
Contact the data protection officer: datenschutz.blaichach@bbsautomation.com
BBS Automation Hallbergmoos GmbH
Dornierstraße 14, 85399 Hallbergmoos, Germany
+49 811 999 77-0
info.hallbergmoos@bbsautomation.com
Contact the data protection officer: datenschutz.hallbergmoos@bbsautomation.com
BBS Automation Stuttgart GmbH
Planckstraße 40, 71691 Freiberg (Neckar), Germany
+49 7141 7003-113
info.stuttgart@bbsautomation.com
Contact the Data Protection Officer: datenschutz.stuttgart@bbsautomation.com
Who is responsible for data processing and who can I contact:
The responsible body is generally the company in our business division with which the contact for your specific business relationship exists.
These can be found in the list above.
In this list you will also find the contact details of the respective controller (the company with which you are in contact) and its company data protection officer.
In some cases, expressly described, two or more companies of the Dürr Group are jointly responsible for the processing (see also under Companies responsible for data processing
). also under To whom is the data disclosed).
What data we process, what we process your data for (purposes of processing) and on what legal basis we do so:
We process personal data in compliance with the EU General Data Protection Regulation (GDPR) and all other relevant laws. The processing of personal data (Art. 4 No. 2 GDPR) is generally always necessary if a business relationship with you is initiated or already exists. The purposes of the processing are primarily based on the service to be provided by us. In the following, we will inform you about "core processing" in our company. In addition, there may be further processing operations about which you will be informed separately in the respective process.
Purpose | Legal basis |
All aspects in connection with your contract as a customer/supplier (incl. pre-contractual measures such as preparation of quotations, order processing, invoicing, customer support, master data management, processing of questions/complaints, archiving, etc.) | fulfillment of contractual obligations (Art. 6 para. 1b) GDPR) |
supplier evaluation | protection of legitimate interests (Art. 6 para. 1f) GDPR) |
Customer satisfaction surveys for the purpose of product and process improvements (validation) | Protection of legitimate interests (Art. 6 para. 1f) GDPR) |
Statistical purposes | Protection of legitimate interests (Art. 6 Para. 1f) GDPR) |
Credit investigations with credit agencies | Protection of legitimate interests (Art. 6 Para. 1f) GDPR) |
Disclosure of business cases for debt collection | Fulfillment of contractual obligations (Art. 6 para. 1b) GDPR) in conjunction with our legitimate interest (Art. 6 para. 1 f) GDPR) |
Sending the newsletter | Consent (Art. 6 (1a) GDPR) |
External publication for advertising | Consent (Art. 6 (1a) GDPR) |
Organization and implementation of training courses / user seminars | Fulfilment of contractual obligations (Art. 6 (1b) GDPR) |
Ensuring IT security and IT operations | Protecting legitimate interests (Art. 6 (1f) GDPR) |
Prevention and investigation of criminal offenses | Protecting legitimate interests (Art. 6 (1f) GDPR) |
Group management | Protection of legitimate interests (Art. 6 (1f) GDPR) |
Categories of personal data
We process the following categories of personal data within the scope of the purposes listed above, insofar as this is necessary to fulfill the purpose:
Personal master data, address data, contact data, bank data, log data, proof of qualifications, function, payment information, log data, creditworthiness data.
Data retention period:
We process and store your personal data for the duration of our business relationship, if necessary. This also includes the initiation and processing of a contract/order. In addition, we are subject to various retention obligations, including those arising from the German Commercial Code. Finally, the storage period is also determined by the statutory limitation periods, which are generally 3 years, but can also be up to 30 years.
Note on your consent
Insofar as we have your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Once given, consent can be withdrawn at any time. Please note that the revocation is effective for the future. Processing that was carried out before this revocation is not affected by this.
Is there an obligation to provide data?
In the context of a business initiation or business relationship with us, you generally only need to provide the data that we require for the corresponding establishment, implementation or termination of this relationship. Without the provision of the necessary data, we may have to refuse to establish a business relationship or may not be able to do so or may even have to terminate such a relationship.
To whom is the data disclosed (categories of recipients):
Data processing within the company:
We process your data internally within our company wherever possible so that only the relevant specialist departments, such as customer service, invoice processing or data processing, can access it.
Data processing within the framework of joint controllership
The companies of the Dürr Group, to which we belong, operate a joint customer database (CRM system) and in this respect act as joint controllers within the meaning of Art. 26 GDPR (also known as joint controllers). You can view the companies of the Dürr Group here.
If data is transferred to Dürr companies outside the EEA, we rely on the standard contractual clauses of the EU Commission. We also refer to the information on third country transfers.
The CRM system is provided by Salesforce. The storage location is the EU. A transfer of the data to companies of the Salesforce Group outside the EEA is not excluded.
Internally, we have distributed the responsibilities in a contract as follows: Data subjects can contact all joint controllers to exercise data subject rights.
The Dürr Group company to which you have provided your data will nevertheless act as your first point of contact. Responsible for the information obligations under Art. 13 f. GDPR is Dürr Systems AG, which is in charge of operating the CRM system. The joint controllers are responsible for fulfilling the reporting obligations required within their area of activity and for maintaining documentation, obliging employees to maintain confidentiality and informing them of their data protection obligations, as well as ensuring technical and organizational security in data processing.
External contractors and service providers (this also includes processors):
Insofar as we do not provide services ourselves, we sometimes use external contractors and service providers to perform our tasks and fulfil contracts. We use these service providers for the following purposes, among others Printing services, marketing measures, IT services including website hosting.
Other recipients:
In addition, data may go to recipients to whom we are obliged to disclose data due to legal obligations (e.g. law enforcement authorities and courts).
Data transfer to third countries:
If recipients of your data and their service providers are located outside the European Economic Area (EEA) or process your personal data outside the EEA, we ensure that your personal data is adequately protected (e.g. by an adequacy decision or by concluding the EU Commission's standard contractual clauses, with additional safeguards if necessary). We will provide evidence of the respective protection mechanism on request.
In countries outside the EEA, different data protection regulations may apply than in your country of residence. Under certain circumstances, national law may offer less protection than that of your country of residence (e.g. because national regulations allow investigating authorities more extensive access rights to personal data).
We would like to point out that the USA is generally a so-called unsafe third country. This means that the USA generally does not offer a level of data protection comparable to that in the EU. If data is transferred to the USA, there is a risk that US authorities will access the data on the basis of surveillance programs (based on Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 or Presidential Police Directive 28) without EU citizens having effective legal protection against such access. For certain companies from the USA, however, the EU Commission has recognized the level of data protection as secure within the framework of the so-called "Data Privacy Framework" (DPF) with the adequacy decision of 10.07.2023. This means that US companies that are certified under the DPF offer the same level of data protection as companies within the EEA. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/.
Duration of data storage:
We generally delete your data as soon as it is no longer required to fulfill the purpose of data processing. Where necessary, we process and store your personal data for the duration of our business relationship. This also includes the initiation and processing of a contract/order. In addition, we are subject to various retention obligations, including those arising from the German Commercial Code. Finally, the storage period is also determined by the statutory limitation periods, which are generally 3 years, but can also be up to 30 years.
Your rights as a data subject:
The contact persons and contact details for the rights to which you are entitled are provided in the list at the beginning of this document.
You can request information about the personal data stored about you. (Art. 15 GDPR). You can also request the rectification or erasure of your data under certain conditions (Art. 16 and 17 GDPR). You have the right to request the restriction of the processing of your personal data (Art. 18 GDPR). In addition, you have the right to receive the data you have provided to us in a structured, commonly used and machine-readable format (Art. 20 GDPR). You also have the right to object (Art. 21 GDPR).
You also have the right to lodge a complaint with a data protection supervisory authority.
Privacy policy for the contact form
You can contact us via a contact form on our website. We will only process the personal data you provide via this form for the purpose of processing and responding to your request. It will only be passed on to third parties if this is necessary for the purpose of processing your contact. The legal basis for this is Art. 6 para. 1 b) GDPR, provided that your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. The legal basis in all other cases is our legitimate interest in the effective processing of the inquiries addressed to us in accordance with Art. 6 para. 1 f) GDPR.
We, BBS Automation GmbH, also manage the website of the BBS Group as the responsible body on this website. The data you enter in our forms will initially only be processed by us. However, if your request relates to the product portfolio of another business unit, we will forward your data to this responsible business unit. The legal basis is Art. 6 para. 1 f) GDPR. Our legitimate interest lies in the efficient processing of your request. If your request relates to the product portfolio of a business unit whose sales region is outside the EU/EEA and for which there is no adequacy decision, your data will be transferred to an insecure third country. In these cases, the legal basis for the data transfer is Art. 46 ff GDPR.
In order to process your request, the business unit will contact you directly. The following business units belong to us:
- BBS Automation GmbH
- Kahle Automation
- teamtechnik Maschinen und Anlagen GmbH
- HEKUMA GmbH
Your personal data will be deleted if it is no longer required to fulfill the purpose for which you contacted us. We would like to point out that your messages may have to be stored within the framework of statutory retention obligations. In this case, the legal basis is Art. 6 para. 1 c) GDPR.