Dussmann Stiftung & Co. KGaA and its affiliates (hereinafter “Dussmann”) take protecting your personal data seriously and comply with the provisions of the laws on data protection and privacy. Personal data are processed only within the scope necessary for the specific purpose. Our employees have undertaken an obligation to maintain confidentiality and secrecy and to comply with the provisions of data protection and privacy law in accordance with the statutory provisions.
In the following, we explain how we process the personal data which we receive when working with business partners. “Personal data” refers to any information relating to an identified or identifiable natural person e.g. name, address, email addresses, telephone numbers.
1. Contact controller
The controller responsible for data processing according to article 4 para. 7 GDPR is:
Dussmann Stiftung & Co. KGaA
Friedrichstraße 90, 10117 Berlin
A list of affiliates is available here. To the extent that you contact our affiliates directly, via the website or otherwise, this company is the controller.
2. Contact data protection officer
Dussmann Stiftung & Co. KGaA
Data Protection Officer
Friedrichstraße 90, 10117 Berlin
datenschutzbeauftragter @dussmann.de
Telephone +49 30 2025-0
3. Data categories, purpose of data processing and legal basis
Clients, interested parties, suppliers, subcontractors and other partners are hereinafter referred to as "business partners". In the course of its interactions with business partners, Dussmann processes the personal data of their contact persons including:
Dussmann processes personal data for the following purposes:
The processing of personal data for the aforementioned purposes is carried out on the legal basis indicated above. Data processing is permitted in the following cases:
Where necessary, we ask our business partners to give their consent for the processing of personal data. When a business partner gives their consent, we process the data specified, for the purposes specified. The legalbasis is article 6 para. 1 a) GDPR.
4. Recipients of personal data
Personal data is processed within the company. Only specific departments or organizational units have access, depending on the type of personal data. These include the sales, procurement and accounting department. In the case of data processed in the IT infrastructure the IT department may have access to a certain extent. Role and authorization structures limit access to the functions necessary and to the extent necessary for the respective purpose of the processing. We transfer personal data to affiliated companies in the context of internal management of business partner data,
We may also transfer personal data to third parties outside the company to the extent permitted by law. External recipients may include:
5. Transfer of data to a third country
We do not intend to transfer your personal data to any third country (countries outside the European economic area). However, data transfers are made within the Dussmann Group in the course of implementation of business contacts. Data protection agreements between the companies of the Dussmann Group based on the standard data protection clauses adopted by the EU Commission are in place.
Personal data is transferred to recipients in third countries outside the Dussmann Group only if these recipients:
6. Duration of data storage
Where no express duration of storage is stated when data are collected (for example in the declaration of consent) or within this Data Protection and Privacy Statement, personal data are erased when they are no longer necessary for the purpose for which they were stored, except where statutory obligations (such as obligations of storage under commercial and tax law) conflict with erasure.
When we store personal data exclusively to fulfill storage obligations, these data are blocked to prevent access otherwise than for the purpose of storage.
7. Data security
We take all necessary technical and organizational security measures to protect your personal data from loss and abuse. Your data are stored in a secure operational environment that is not accessible to the public. SSL or TLS encryption is used on all websites. Your data are encrypted directly during transfer. For security reasons, we refrain from providing any further information here.
8. The rights of our business partners
To assert your data protection rights, please contact the data protection officer.
Withdrawal of consent
To the extent that you have granted your consent to the processing of personal data, you can withdraw it at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, we will erase the data in question without delay to the extent that there is no legal basis for processing thereof that does not require consent that can be used as the basis for further processing. You may send your withdrawal to datenschutzbeauftragter @ or by mail to Dussmann Stiftung & Co. KGaA, Friedrichstraße 90, 10117 Berlin, Germany. dussmann.de
Further rights:
Where your personal data has been transferred to a country outside the EU that does not provide an appropriate level of protection of personal data, we enter into a contract that ensures appropriate protection. Certification according to the EU-US Privacy Shield as a guarantee of appropriate protection is available at this link: https://www.privacyshield.gov/list. In addition, we use the standard data protection clauses shown here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. The controller will then no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims (Article 21 GDPR).
You may object to the use of your data for direct marketing purposes at any time without any further considerations.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Article 77 GDPR). You can exercise this right with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement. For example, the supervisory authority with jurisdiction over Dussmann Stiftung & Co. KGaA in Berlin is the Berlin State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Berlin), Friedrichstr. 219, 10969 Berlin, Germany. You can also contact a different supervisory authority at any time. For the relevant controllers responsible in your member state outside Germany, you can contact the authority with jurisdiction there.
An overview of further national and international data protection authorities is available here.
9. Credit assessment of business partners/ data processing in the credit inquiry procedure
We regularly check the creditworthiness of our business partners when concluding contracts and where there is a legitimate interest. We cooperate with external credit agencies, specifically, Creditreform and CRIF Bürgel GmbH. For this purpose, we transmit the name, address and email address (usually) of authorized representatives, details of the company and, where applicable, contract and receivables data to the credit agency. Information as per article 14 GDPR on data processing at Creditreform and at CRIF Bürgel GmbH is available here:
https://www.creditreform.de/datenschutz
https://www.crifbuergel.de/de/datenschutz
In the event of late payment and failed reminders, we may involve credit agencies and transfer the following data: Name, address, details of the company, amount of the claim and due date.
Article 6 para. 1 b) und f) GDPR are the legal basis for transfer of data to credit agencies, as this is necessary for the fulfillment of the contract, for the implementation of pre-contractual measures and/or the protection of our legitimate interests.
10. Data protection website
Please see the general data protection and privacy statement for further information concerning the use of our websites.
Status: 16.01.2020