according to Art. 13, 14 and 21 of the General Data Protection Regulation (GDPR)
Data protection is a key concern for us. The following describes how we process your data and sets out your rights.
Who is responsible for processing your data, and who you can consult for assistance?
B+B Thermo-Technik GmbH
Heinrich-Hertz-Strasse 4
D – 78166 Donaueschingen, Germany
Contact details of the Data Protection Officer
Edmund Hilt
hilt evolution
Nelkenstrasse 36
D – 71272 Renningen, Germany
datenschutz(at)hilt-evolution.com
Purposes of processing data and legal basis
We process your personal data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other relevant data protection regulations. The processing and use of individual items of data is dependent on the agreed or contracted service. Our contract documents, forms, consents and other information provided to you (such as on our website or in our terms and conditions) contain more details and set out additional purposes of processing.
Consent (Art. 6 (1) lit. a GDPR)
If you have given us a consent to process personal data, it forms the legal basis for the processing detailed in the specific statement of consent. You can revoke your consent at any time with effect for the future.
Fulfilment of legal obligations (Art. 6 (1) lit. b GDPR)
We will process your personal data in order to execute our contracts with you, meaning in particular in the fulfilment of our supplies, services and consulting. We will also process your personal data to carry out pre-contractual measures and activities.
Fulfilment of legal obligations (Art. 6 (1) lit. c GDPR)
We will process your personal data where necessary in order to fulfil legal obligations (such as under commercial or tax law).
We will also process your data where appropriate to cross-check against European and international anti-terror lists, to comply with controlling and reporting obligations under tax law, for data archiving for the purposes of data protection and security, as well as for auditing by tax authorities and other regulatory bodies. It may also be necessary to disclose your personal data in the course of regulatory or court proceedings for the purposes of evidence gathering, criminal investigations or the assertion of claims under civil law.
Legitimate interest of ourselves or third parties (Art. 6 (1) lit. f GDPR)
We may also use your personal data on the basis of a balancing of interests in order to preserve the legitimate interests of ourselves or of third parties. This may be done for the following purposes:
- For advertising, promotion or market research, provided you have not objected to the use of your data.
- To obtain information from and exchange data with credit agencies/factors, in the case of commercial risk beyond our normal scope.
- To store your data in restricted form if erasing it is not possible, or possible only at unreasonable cost and expense, owing to the particular way in which it is stored.
- To cross-check against European and international anti-terror lists, if this extends beyond the legal obligations.
- To update and upgrade products and services, as well as existing systems and processes.
- To enrich our data by using or searching publicly accessible data.
- For statistical reporting or market analyses.
- To assert legal claims and defend in the case of legal disputes which are not linked directly to the contractual relationship.
- To assure and assert our domiciliary rights by appropriate measures (including video surveillance).
Categories of personal data which we process
We process the following data:
- Personal details (name, first name)
- Contact details (postal address, e-mail address, telephone number and comparable data)
- Confirmation of bank/credit card payment coverage
- Customer history
We will also process personal data from publicly accessible sources (e.g. the Internet, media, registers of companies and association listings, civil registers).
If necessary in order to deliver our services, we will process personal data which we have legally obtained by third parties (e.g. mailing list companies, credit agencies/factors).
Who will receive your data?
We will forward your personal data within our organisation to the departments which need it in order to fulfil our contractual and legal obligations and to preserve our legitimate interests.
The following parties may additionally be provided with your data:
- Data processors contracted by us (Art. 28 GDPR), contractors providing ancillary services and other data controllers under the terms of the GDPR, in particular in the fields of IT, logistics, courier and printing services, external data centres, IT applications support/maintenance, archiving, document processing, bookkeeping and financial controlling, data destruction, purchasing/procurement, customer relationship management, agency selling, factoring, lettershops, marketing, call centres, website management, financial auditing, banking
- Public agencies and institutions where we are subject to legal or regulatory obligations to provide information, report or pass on data, or where passing on data is in the public interest
- Agencies, organisations and institutions pursuant to our legitimate interests or those of third parties (e.g. to public authorities, credit agencies, collection agencies, legal advisors, courts of law, expert auditors and regulatory bodies)
- Other parties to which we transfer data based on your consent
Transfer of your data to a third country or an international organisation
Your data will not be processed outside the EU or the EEA.
How long will we store your data for?
We will process your personal data to the extent necessary for the duration of our business relationship. This also includes the preparation and execution of contracts.
We are additionally subject to duties of retention and documentation, including pursuant to the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention and documentation periods they stipulate extend up to 10 years beyond the end of the business relationship or legally basis pre-contractual relationship.
Ultimately, retention periods are also decided in accordance with legal requirements including
sections 195 ff. of the German Civil Code (BGB). These are normally three years, though in some cases may also be up to 30 years.
To what extent will automated decision-making (including profiling) be employed in individual cases?
We employ no purely automated decision-making procedures under the terms of Article 22 GDPR. If we do employ such procedures in individual cases, we will notify you specially, where so required by law.
Your data protection rights
You have the right to information concerning your data according to Art. 15 GDPR, the right to rectification of your data according to Art. 16 GDPR, the right to erasure of your data according to Art. 17 GDPR, the right to restriction of processing of your data according to Art. 18 GDPR, and the right to data portability according to Art. 20 GDPR. You also have the right to submit a complaint to a data protection authority (Art. 77 GDPR). According to Art. 21 GDPR, you fundamentally have the right to object to the processing of your personal data by us. However, the said right to object applies only in special circumstances relating to your personal situation, and it may be that our rights are contrary to your right to object. If you wish to assert one of these rights, please contact our Data Protection Officer datenschutz(at)hilt-evolution.com.
Extent of your obligations to provide your data to us
You need provide only the data necessary to initiate and execute a business relationship or to establish a pre-contractual relationship with us, or data which we are legally obligated to collect. Without that data we will not normally be in a position to conclude or execute the contract. This may also relate to data required subsequently in the course of the business relationship. Where we request additional data from you, we will advise you in each specific case that it is provided on a voluntary basis.
Information concerning your right to object according to Art. 21 GDPR
You have the right to object at any time to the processing of your data pursuant to Art. 6 (1) lit. f GDPR (Processing of data based on balancing of interests) or Art. 6 (1) lit. e GDPR (Processing of data in the public interest) where there are grounds to do so based on your particular circumstances. This also applies to profiling based on this provision under the terms of Art. 4 (4) GDPR.
If you raise an objection, we will cease processing your data, unless we are able to prove the existence of pressing reasons for further processing of it which are deemed worthy of protection and which outweigh your own interests, rights and freedoms, or unless its processing serves to establish, assert or defend against legal claims.
We will also process your personal data where appropriate to carry out direct marketing. If you do not wish to receive marketing communications, you have the right to object to our sending you such material at any time. This also applies to profiling linked to such direct marketing. We will then respect your objection in the future.
We will no longer process your data for direct marketing purposes if you object to its processing for the said purposes.
You can submit your objection informally by contacting the address listed in section 1.
Your right of complaint to the regulatory authority
You have the right to submit a complaint to a data protection authority (Art. 77 GDPR). The data protection authority to which we are subject is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit (The Data Protection and Freedom of Information Officer of the State of Baden-Württemberg)
https://www.baden-wuerttemberg.datenschutz.de/
Data protection information for suppliers and service providers
Data protection information for applicants
