Data Privacy Information for Business Partners

Data protection information about our data processing in accordance with Ar-ticles 13, 14 and 21 of the General Data Protection Regulation (GDPR

We take data protection seriously and hereby inform you how we process your data and what claims and rights you are entitled to under data protection regulations.

1. Controller responsible for data processing and contact details
Responsible body within the meaning of data protection law

Diersch & Schröder GmbH & Co KG
P.O. Box 10 61 49
28061 Bremen
Cuxhavener Straße 42/44
28217 Bremen
Phone +49 (0) 421 396 99 0
Fax +49 (0) 421 396 99 79
info@ds-bremen.de
www.ds-bremen.de

Contact details of our data protection officer:

Diersch & Schröder GmbH & Co KG
Data Protection Officer
P.O. Box 10 61 49
28061 Bremen
Cuxhavener Straße 42/44
28217 Bremen
Phone +49 (0) 421 396 99 0
Fax +49 (0) 421 396 99 79
datenschutz@ds-bremen.de
www.ds-bremen.de

2. Purposes and legal basis on which we process your data

We process personal data in accordance with the provi-sions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other applicable data protection regulations. Which data is processed in detail and how it is used depends largely on the services requested or agreed in each case. Further details or additions to the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information provided to you (e.g. as part of the use of our website or our terms and conditions). In addition, this data protection infor-mation may be updated from time to time, as you can see on our website.

2.1 Purposes for the fulfillment of a contract or pre-contractual measures (Art. 6 para. 1 b GDPR)
The processing of personal data takes place for the exe-cution of our contracts with you and the execution of your orders as well as for the execution of measures and activities in the context of pre-contractual relationships, e.g. with interested parties. In particular, the processing serves to provide consulting services in accordance with your orders and wishes and includes the services, measures and activities necessary for this. This essentially includes contract-related communication with you, the verifiability of transactions, orders and other agreements as well as quality control through appropriate documentation, goodwill procedures, measures to control and optimize business processes and to fulfill general due diligence obligations; statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emer-gency management, billing and tax assessment of op-erational services, risk management, assertion of legal claims and defense in legal disputes; ensuring IT security (e.g. system and plausibility checks) and the protection of your personal data. IT security (including system and plausibility tests) and general security, including building and plant security, safeguarding and exercising domiciliary rights (e.g. through access controls); ensuring the in-tegrity, authenticity and availability of data, preventing and investigating criminal offenses; monitoring by su-pervisory bodies or supervisory authorities (e.g. audit-ing).

2.2 Purposes in the context of a legitimate interest of us or third parties (Art. 6 para. 1 f GDPR)
Beyond the actual fulfillment of the contract or preliminary contract, we may process your data if it is necessary to protect our legitimate interests or those of third parties, in particular for the following purposes:

advertising or market and opinion research, pro-vided you have not objected to the use of your data;
obtaining information and exchanging data with credit agencies, insofar as this goes beyond our economic risk;
the testing and optimization of demand analysis procedures;
the further development of services and products as well as existing systems and processes;
the disclosure of personal data in the context of due diligence during company sale negotiations;
for comparison with European and international anti-terror lists, insofar as this goes be-yond the legal obligations;
the enrichment of our data, e.g. by using or researching publicly available data;
statistical evaluations or market analysis;
of benchmarking;
the assertion of legal claims and defense in le-gal disputes that are not directly attributable to the contractual relationship;
the restricted storage of data if deletion is not possible or only possible with disproportionate effort due to the special type of storage;
the development of scoring systems or au-tomated decision-making processes;
the prevention and investigation of criminal of-fenses, unless exclusively for the fulfillment of le-gal requirements;
internal and external investigations, security checks;
the receipt and maintenance of certifications of a private or official nature;
securing and exercising domiciliary rights through appropriate measures such as video surveillance to protect our customers and employees and to se-cure evidence in the event of criminal offenses and their prevention.

2.3 Purposes within the scope of your consent (Art. 6 para. 1 a GDPR)
Your personal data may also be processed for certain purposes (e.g. use of your e-mail address for marketing purposes) on the basis of your consent. As a rule, you can withdraw this at any time. This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force, i.e. before May 25, 2018. You will be informed separately about the purposes and consequences of withdrawing or not granting consent in the corresponding text of the consent.
In principle, the revocation of consent is only effective for the future. Processing that took place before consent was withdrawn is not affected and remains lawful.

2.4 Purposes for the fulfillment of legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)
Like everyone involved in business, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. commercial and tax laws), but may also include regulatory or other official requirements. The purposes of processing may include identity and age veri-fication, fraud and money laundering prevention, the pre-vention, combating and investigation of terrorist financing and crimes that endanger assets, comparisons with European and international anti-terror lists, the fulfillment of control and reporting obligations under tax law and the archiving of data for data protection and data security purposes as well as audits by tax and other authorities. In addition, the disclosure of personal data may become necessary in the context of official/judicial measures for the purposes of gathering evidence, criminal prosecution or the enforcement of civil law claims.
3. The categories of data processed by us, insofar as we do not receive data directly from you, and their origin
Insofar as this is necessary for the provision of our services, we process personal data legitimately received from other companies or other third parties (e.g. credit agencies, address publishers).

Relevant personal data categories can be in particular

Personal data (name, date of birth, place of birth, nationality, marital status, profession/industry and comparable data)
Contact details (address, e-mail address, telephone number and similar data)
Address data (registration data and comparable data)
Confirmation of payment/cover for bank and credit cards
Information about your financial situation (cre-ditworthiness data including scoring, i.e. data to as-sess the economic risk)
Customer history
Data about your use of the telemedia offered by us (e.g. time of accessing our websites, apps or newslet-ters, pages/links clicked on by us or entries and comparable data)

4. Recipients or categories of recipients of your data
Within our company, those internal departments or or-ganizational units receive your data that need it to fulfil our contractual and legal obligations or as part of the processing and implementation of our legitimate interest.

Your data will only be passed on to external parties

in connection with the execution of the contract;
for the purposes of fulfilling legal require-ments according to which we are obliged to provide information, report or pass on data or the passing on of data is in the public interest (see section 2.4);
to the extent that external service providers process data on our behalf as processors or function providers (e.g. external data centers, support/maintenance of EDP/IT applications, archiving, document processing, call center services, compliance services, controlling, data screening for anti-money laundering purposes, data validation or plausibility checks, data de-struction, purchasing/procurement, customer administration, lettershops, marketing, media technology, research, risk controlling, billing, telephone, website management, auditing services, customer administration, marketing, media technology, research, risk controlling, telephone, website management, audit services-data validation or plausibility checks, data destruction, purchasing/procurement, customer administration, lettershops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, credit institutions, printers or companies for data disposal, courier services, logistics);
on the basis of our legitimate interest or the legitimate interest of the third party for the pur-poses specified in section 2.2 (e.g. to authorities, credit agencies, debt collection agencies, lawyers, courts, experts, group companies and bodies and supervisory authorities);
if you have given us your consent to transfer your data to third parties.

If we commission service providers as part of order pro-cessing, your data is subject to the same security stand-ards there as it is with us. In all other cases, the recipients may only use the data for the purposes for which it was transmitted to them.

5. Duration of storage of your data
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.

In addition, we are subject to various retention and documentation obligations arising from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The retention and documentation periods specified therein are up to ten years after the end of the business relationship or the pre-contractual legal relationship.

Furthermore, special statutory provisions may require a longer retention period, such as the preservation of ev-idence within the framework of statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years; however, limitation periods of up to 30 years may also be applicable.

If the data is no longer required for the fulfillment of contractual or legal obligations and rights, it will be deleted unless its - temporary - further processing is necessary to fulfill the purposes listed in section 2.2 for an overriding legitimate interest. Such an overriding legit-imate interest also exists, for example, if deletion is not possible or only possible with disproportionately high effort due to the special type of storage and processing for other purposes is excluded by suitable technical and organizational measures.

6. Processing of your data in a third country or by an international organization
Data is transferred to bodies in countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) if it is necessary for the execution of an order/contract from or with you, if it is required by law (e.g. tax reporting obligations), if it is in our or a third party's legitimate interest or if you have given us your consent.
Your data may also be processed in a third country in connection with the involvement of service providers as part of order processing. If there is no decision by the EU Commission on an adequate level of data protection in the country in question, we ensure that your rights and freedoms are adequately protected and guaranteed in accordance with EU data protection regulations by means of appropriate contracts. We will provide you with the relevant detailed information on request.
Information on the appropriate or reasonable safeguards and the possibility of obtaining a copy from you can be obtained on request from the company data protection officer.

7. Your data protection rights
Under certain conditions, you can assert your data pro-tection rights against us

You have the right to receive information from us about your data stored by us in ac-cordance with the rules of Art. 15 GDPR (pos-sibly with restrictions according to § 34 BDSG).
At your request, we will correct the data stored about you in accordance with Art. 16 GDPR if it is inaccurate or incorrect.
If you wish, we will delete your data in accordance with the principles of Art. 17 GDPR, pro-vided that other legal regulations (e.g. legal storage obligations or the restrictions according to § 35 BDSG) or an overriding interest on our part (e.g. to defend our rights and claims) do not conflict with this.
Taking into account the requirements of Art. 18 GDPR, you can request us to restrict the processing of your data.
Furthermore, you can object to the processing of your data in accordance with Art. 21 GDPR, on the basis of which we must stop processing your data. However, this right to object only applies if there are very special circumstances relating to your personal situation, whereby our company's rights may conflict with your right to object.
You also have the right to receive your data in a structured, commonly used and machinereadable format or to transmit it to a third party in accordance with the requirements of Art. 20 GDPR.
In addition, you have the right to withdraw your consent to the processing of personal data at any time with effect for the future (see section 2.3).
You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always address a complaint to our data protection officer first.

If possible, your requests to exercise your rights should be sent in writing to the above address
or directly to our data protection officer.

8. Scope of your obligations to provide us with your data
You only need to provide the data that is required for the establishment and execution of a business relationship or for a pre-contractual relationship with us or that we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract. This may also relate to data required later in the course of the business relationship. If we request additional data from you, you will be informed separately of the voluntary nature of the information.

9. Existence of automated decision-making in individual cases (including profiling)
We may use automated decision-making procedures and/or process your data partly with the aim of evaluating certain personal aspects (profiling).
In order to provide you with targeted information and advice on products, we may use analysis tools. These enable needs-based product design, communication and advertising, including market and opinion research.

Such procedures can also be used to assess your creditworthiness and credit standing and to combat money laundering and fraud. So-called "score values" can be used to assess your creditworthiness and credit standing. Scoring uses mathematical procedures to calculate the probability that a customer will meet their payment obligations in accordance with the contract. Such score values help us, for example, to assess creditworthiness, make decisions when concluding product contracts and are incorporated into our risk management. The calculation is based on mathematically-statistically recognized and proven procedures and is carried out on the basis of your data, in particular income, expenditure, existing liabilities, occupation, employer, length of employment, experience from the previous business relationship, contractual repayment of previous loans and information from credit agencies.

Information about your right to object Art. 21 GDPR

1. You have the right to object at any time to the processing of your data on the basis of Art. 6 para. 1 f GDPR (data processing on the basis of a balancing of interests) or Art. 6 para. 1 e GDPR (data processing in the public interest) if there are reasons for this arising from your particular situation. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

2. We may also process your personal data for direct marketing purposes. If you do not wish to receive advertising, you have the right to object to this at any time; this also applies to profiling insofar as it is associated with such direct adver-tising. We will observe this objection for the future.

We will no longer process your data for direct marketing purposes if you object to processing for these purposes.

The objection can be made informally and should preferably be addressed to

Our privacy policy and the information on data protection regarding our data processing in accordance with Articles (Art.) 13, 14 and 21 GDPR may change from time to time. We will publish all changes on this page www.ds-bremen.com