Information under Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR) – for suppliers

Dear Sir/Madam,

We hereby inform you, in accordance with Articles 13, 14 and 21 GDPR, about the processing of your personal data by us and about your rights and claims under the data protection regulations. The specific items of data which are processed and how these are used essentially depend on the requested/agreed goods deliveries and services.

Who is responsible for data processing and who can you contact?

Herth+Buss Fahrzeugteile GmbH & Co. KG
Dieselstraße 2-4
63150 Heusenstamm
Phone: 06104 608 0
Fax: 06104 608 333

Our company data protection officer can be reached at:
Herth+Buss Fahrzeugteile GmbH & Co. KG
Dieselstraße 2-4
63150 Heusenstamm
Phone: 06104 608 400

Which sources and data do we use?

We process personal data that we receive from you as part of our business relationship.
In addition, as far as necessary for the provision of our service, we process personal data that we have legitimately received from other companies or other third parties (e.g. to execute orders, to fulfill contracts or on the basis of a consent you have given).

However, we also process personal data that we have obtained from publicly accessible sources (e.g. registers of debtors, commercial and association registers, the press, media, terror and sanction lists). In these cases, we are permitted to obtain and process such data.
Relevant personal data includes personal details (name, address and other contact details, date and place of birth, nationality), identification data (e.g. data from identification documents) and authentication data (e.g. signature sample). Furthermore, these can also include purchase-order data (e.g. a purchase order), data pertaining to the fulfilment of our contractual obligations (e.g. turnover data, credit facilities, etc.), commercial and distribution data, contractual and document-related data (e.g. business letters), register data, data from payment transactions (account number, bank details), communication data (telephone number, e-mail address, etc.), data concerning your use of the media we provide (e.g. time of access to our websites, apps or newsletters, which of our pages or posts you have clicked on), in addition to other data which is comparable to the aforementioned categories.

Why do we process your data (purpose of processing), and on which legal basis?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a) For the fulfillment of contractual obligations (Article 6 (1) (b) GDPR)
The processing of personal data (Article 4(2) of the GDPR) is conducted to fulfil our purchase orders, deliver goods, particularly in order to fulfil contracts we have concluded with you, in addition to performing all activities required for the operation and administration of a company. The purposes of the data processing depend primarily on the specific products or services.
Further details on the purpose of data processing can be found in the respective contract documents and terms and conditions.

b) For purposes of the balancing of legitimate interests (Article 6 (1) (f) GDPR)
Where necessary, we process your data beyond the purposes of fulfilling the contract in order to safeguard our legitimate interests or those of third parties. Examples:

  • checking and optimising procedures for requirements analysis and for directly addressing suppliers;
  • advertising or market and opinion research, provided that you have not objected to the use of your data;
  • asserting legal claims and defense in legal disputes;
  • ensuring IT security and IT operations;
  • prevention and investigation of criminal offenses;
  • video surveillance to collect evidence of crime, thereby serving to protect customers and employees;
  • measures for building and plant safety (e.g. access control);
  • measures to ensure the assertion of property rights;
  • measures necessary for business management and the further development of services and products.

c) On the basis of your consent (Article 6 (1) (a) GDPR)
Insofar as you have given us consent to the processing of personal data for specific purposes (e.g. disclosure of data to third parties, evaluation of data for marketing purposes), the lawfulness of the processing is based on your consent. A given consent can be revoked at any time. Please note that the revocation will only be effective for future processing of data. Processing that occurred before the revocation will not be affected.

d) Due to legal requirements (Article 6 (1) (c) GDPR) or in the public interest (Article 6 (1) (e) GDPR)
In addition, we are subject to various juridical obligations, i.e. legal requirements (e.g. commercial legislation, tax legislation, money-laundering legislation, etc.). If data is processed for such ends, this exclusively takes place as defined by these regulations.

Who gets your data?

Within the company, the departments that require your data to fulfil our contractual and legal obligations will be provided with such data. Data processors (Article 28 of the GDPR) commissioned by us can also receive data for the aforementioned purposes. These are companies active in the following categories: IT services, logistics, freight handling, printing services, telecommunications, financial services, advice and consulting, sales and marketing.
The following must be noted with regard to the transfer of data to recipients outside the company: we only pass on your data if legal provisions permit or command us to do so, if you have consented to this or if we are authorised to provide the information in question. As defined by these prerequisites, recipients of personal data can include the following, among others:

  • Public authorities and institutions (e.g. public prosecution offices, the police, supervisory bodies, customs offices, consulates, chambers of industry and commerce) where a legal or official obligation exists.
  • Other companies to which we pass on personal data for the purposes of fulfilling the business relationship with you (depending on the contract: e.g. banks, credit agencies, suppliers, sales representatives).
    Other data recipients may be bodies for whom you have given us your consent to submit the data.

How long will your data be stored?

If necessary, we process and store your personal data for the duration of our business relationship, which also includes, for example, the initiation and execution of a contract, or for the fulfillment of the contractual purpose.

In addition, we are subject to various storage and documentation obligations, which result, inter alia, from the German Commercial Code (HGB) and the Tax Code (AO). The periods for the retention of documentation are two to ten years.

Finally, the retention period is also determined by the statutory limitation periods, which are usually three years according to §§ 195 ff. of the Civil Code (BGB), but can, in some cases, be up to thirty years.

Is data transmitted to a third country or to an international organization?

A transfer of data to third countries (countries outside the European Economic Area – EEA) only takes place when this is required to fulfil the contract or your orders, when it is a legal requirement or when you have granted us consent to do so. We will inform you separately about the details provided this is required by law.

Which data protection rights do you have?

Each data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR (‘right to be forgotten’), the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. With regard to the right of access and the right to erasure, the restrictions under §§ 34 and 35 BDSG apply. In addition, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).

Is there a duty for you to provide data?

As part of our business relationship, you only need to provide the personal information that is required to establish, conduct and terminate a business relationship or that we are required to collect by law. Without this data, we will generally have to refuse to conclude the contract or to execute the order, or be unable to complete an existing contract and possibly terminate it.

To what extent is there automated individual decision-making in individual cases?

We generally do not use fully automated decision-making pursuant to Art. 22 GDPR to establish and implement the business relationship. If we use such procedures in individual cases, we will inform you about this separately if required by law.

To what extent is your data used for profiling (scoring)?

We do not process your data in an automated manner with the objective of evaluating specific personal characteristics (profiling).

Information about your right to object according to Art. 21 General Data Protection Regulation (GDPR)

1. Case-specific right of objection
For reasons arising from your particular situation, you have the right to object at any time to the processing of your own personal data that takes place in accordance with Article 6, Paragraph 1, lit. e) of the General Data Protection Regulation (concerning data processing in the public interest) and Article 6, Paragraph 1, lit. f) of the GDPR (concerning data processing for the purpose of legitimate interests). This also applies to profiling as based on this provision and defined by Article 4(4) of the GDPR, which we implement for credit checks or for commercial purposes.
If you object, we will no longer process your personal information unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

2. Right to object to the processing of data for direct marketing purposes
In individual cases, we process your personal data in order to operate direct marketing. You have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is associated with such direct marketing.
If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.

The objection can be free of form and, where possible, should be directed to:
Herth+Buss Fahrzeugteile GmbH & Co. KG
Dieselstrasse 2-4
63150 Heusenstamm
Phone: 06104 608-0
Fax: 06104 608-333

Should difficulties of interpretation arise, the German text of this bilingual information shall be binding.