Data Protection, Business Partners

Dussmann Stiftung & Co. KGaA and its affiliates (hereinafter “Dussmann”) take protecting your personal data seriously and comply with the provisions of the laws on data protection and privacy. Personal data are processed only within the scope necessary for the specific purpose. Our employees have undertaken an obligation to maintain confidentiality and secrecy and to comply with the provisions of data protection and privacy law in accordance with the statutory provisions.

In the following, we explain how we process the personal data which we receive when working with business partners. “Personal data” refers to any information relating to an identified or identifiable natural person e.g. name, address, email addresses, telephone numbers.

1. Contact controller

The controller responsible for data processing according to article 4 para. 7 GDPR is:
Dussmann Stiftung & Co. KGaA
Friedrichstraße 90, 10117 Berlin

A list of affiliates is available here. To the extent that you contact our affiliates directly, via the website or otherwise, this company is the controller.

2. Contact data protection officer

Dussmann Stiftung & Co. KGaA
Data Protection Officer
Friedrichstraße 90, 10117 Berlin

datenschutzbeauftragter @dussmann.de
Telephone +49 30 2025-0

3. Data categories, purpose of data processing and legal basis

Clients, interested parties, suppliers, subcontractors and other partners are hereinafter referred to as "business partners". In the course of its interactions with business partners, Dussmann processes the personal data of their contact persons including:

• first and family name, business address, telephone number, email address and fax number;
• information necessary during in a tender or contract completion e.g. proposals, services contracts, orders and requests for information;
• personal data available from credit agencies and public sources.

Dussmann processes personal data for the following purposes:

• Communication with business partners about products and services e.g. during answers to inquiries. The legal basis is article 6 para. 1 b) and f) GDPR.
• Planning, carrying out and managing (contractual) services agreed between Dussmann and the business partner e.g. ordering of services, ordering of products and invoicing. Legal basis is article 6 para. 1b) and f) GDPR. Furthermore, we process data for the purposes of contract preparation, accounting, invoicing and payment, to carry out services, deliveries and repairs and to fulfill servicing contracts. The legal basis is article 6 para. 1b), c) and f) GDPR.
• Conducting client satisfaction surveys, information meetings, promotions, market analysis, and events. The legal basis is article 6 para. 1f) and, under the condition of your consent,  article 6 para. 1 a) GDPR.,
• Compliance with commercial and tax legislation e.g. obligation to provide evidence, obligation to retain documentation. The legal basis is article 6 para. 1c) GDPR. Further, for the prevention of money laundering or legal infringements in connection with compliance and internal guidelines. The legalbasis is article 6 para. 1c) and f) GDPR.
• Termination of legal disputes, enforcement of existing contracts and assertion, exercise and defense of legal claims. Legal basis is article 6 para. 1f) GDPR and for special categories of personal data, article 9 para. 2f) GDPR.
• Credit assessment in the context of contract preparation, completion and termination. The legal basis is article 6 para. 1b) and f) GDPR.
• Payment information (transaction data) to claim outstanding amounts, to effect freeze of funds or to terminate a contract. The legal basis is article 6 para. 1 b) and f) GDPR and for special categories of personal data, article 9 para. 2f) GDPR.

The processing of personal data for the aforementioned purposes is carried out on the legal basis indicated above. Data processing is permitted in the following cases:

•  article 6 para. 1 b) GDPR for the execution and fulfillment of a contract
•  article 6 para. 1 c) GDPR for the fulfillment of legal obligations
•  article 6 para. 1 f) GDPR to safeguard the legitimate interests of Dussmann which lies in the initiation and execution of service contracts and business transactions. 

Where necessary, we ask our business partners to give their consent for the processing of personal data. When a business partner gives their consent, we process the data specified, for the purposes specified. The legalbasis is article 6 para. 1 a) GDPR.

4. Recipients of personal data

Personal data is processed within the company. Only specific departments or organizational units have access, depending on the type of personal data. These include the sales, procurement and accounting department. In the case of data processed in the IT infrastructure the IT department may have access to a certain extent. Role and authorization structures limit access to the functions necessary and to the extent necessary for the respective purpose of the processing. We transfer personal data to affiliated companies in the context of internal management of business partner data,

We may also transfer personal data to third parties outside the company to the extent permitted by law. External recipients may include:

• other business partners to whom we transfer personal data to protect the legitimate interests of the business partner to whom the transferred data belongs;
• service providers contracted by us to provide services, which may include the processing of personal data, and their subcontractors, contracted with our consent;
• non-public and public bodies to comply with applicable law or to assert, exercise or defend legal claims.

5. Transfer of data to a third country

We do not intend to transfer your personal data to any third country (countries outside the European economic area). However, data transfers are made within the Dussmann Group in the course of implementation of business contacts. Data protection agreements between the companies of the Dussmann Group based on the standard data protection clauses adopted by the EU Commission are in place.

Personal data is transferred to recipients in third countries outside the Dussmann Group only if these recipients:

• have an agreement with Dussmann based on EU standard data protection clauses or
• have introduced binding corporate regulations, or
• are certified under the EU/US Privacy Shield (for recipients in the USA).

6. Duration of data storage

Where no express duration of storage is stated when data are collected (for example in the declaration of consent) or within this Data Protection and Privacy Statement, personal data are erased when they are no longer necessary for the purpose for which they were stored, except where statutory obligations (such as obligations of storage under commercial and tax law) conflict with erasure.

When we store personal data exclusively to fulfill storage obligations, these data are blocked to prevent access otherwise than for the purpose of storage.

7. Data security

We take all necessary technical and organizational security measures to protect your personal data from loss and abuse. Your data are stored in a secure operational environment that is not accessible to the public. SSL or TLS encryption is used on all websites. Your data are encrypted directly during transfer. For security reasons, we refrain from providing any further information here.

8. The rights of our business partners

To assert your data protection rights, please contact the data protection officer.

Withdrawal of consent

To the extent that you have granted your consent to the processing of personal data, you can withdraw it at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, we will erase the data in question without delay to the extent that there is no legal basis for processing thereof that does not require consent that can be used as the basis for further processing. You may send your withdrawal to datenschutzbeauftragter @remove-this.dussmann.de or by mail to Dussmann Stiftung & Co. KGaA, Friedrichstraße 90, 10117 Berlin, Germany.

Further rights:

• You have the right to obtain confirmation from the relevant controller within the Dussmann Group as to whether or not your personal data is being processed. Where that is the case, you have the the right of access to such personal data and the information enumerated in Article 15 GDPR.
• You have the right to obtain from the relevant controller without undue delay the rectification of inaccurate personal data concerning you and, where applicable, to have incomplete personal data completed (article 16 GDPR).
• You have the right to erasure of your personal data without undue delay where one of the specific grounds enumerated in Article 17 GDPR applies, for example if the data are no longer needed for the purposes pursued.
• You have the right to restriction of processing where one of the conditions enumerated in article 18 GDPR applies, for example if you have lodged an objection to the processing.
• You have the right to ask for your personal data in a commonly used and machine-readable format and the right to have the relevant controller transmit this data to another controller (right to data portability, Article 20 GDPR) to the extent that this is technically feasible.

Where your personal data has been transferred to a country outside the EU that does not provide an appropriate level of protection of personal data, we enter into a contract that ensures appropriate protection. Certification according to the EU-US Privacy Shield as a guarantee of appropriate protection is available at this link: https://www.privacyshield.gov/list.   In addition, we use the standard data protection clauses shown here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. The controller will then no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims (Article 21 GDPR).

You may object to the use of your data for direct marketing purposes at any time without any further considerations.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Article 77 GDPR). You can exercise this right with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement. For example, the supervisory authority with jurisdiction over Dussmann Stiftung & Co. KGaA in Berlin is the Berlin State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Berlin), Friedrichstr. 219, 10969 Berlin, Germany. You can also contact a different supervisory authority at any time. For the relevant controllers responsible in your member state outside Germany, you can contact the authority with jurisdiction there.

An overview of further national and international data protection authorities is available here.

9. Credit assessment of business partners/ data processing in the credit inquiry procedure

We regularly check the creditworthiness of our business partners when concluding contracts and where there is a legitimate interest. We cooperate with external credit agencies, specifically, Creditreform and CRIF Bürgel GmbH. For this purpose, we transmit the name, address and email address (usually) of authorized representatives, details of the company and, where applicable, contract and receivables data to the credit agency. Information as per article 14 GDPR on data processing at Creditreform and at CRIF Bürgel GmbH is available here:
https://www.creditreform.de/datenschutz
https://www.crifbuergel.de/de/datenschutz

In the event of late payment and failed reminders, we may involve credit agencies and transfer the following data: Name, address, details of the company, amount of the claim and due date.

Article 6 para. 1 b) und f) GDPR are the legal basis for transfer of data to credit agencies, as this is necessary for the fulfillment of the contract, for the implementation of pre-contractual measures and/or the protection of our legitimate interests.

10. Data protection website

Please see the general data protection and privacy statement for further information concerning the use of our websites.

Status: 16.01.2020