Information according to Articles 13 and 14 of the General Data Protection Regulation (GDPR)

Dear business partners,

We would like to inform you, in accordance with Articles 13 and 14 GDPR, about the processing of your personal data by our company and about the claims and rights you have under the provisions of data protection legislation.

Who is responsible for data processing and who can you contact in this regard?

Responsible body:

Herth+Buss Fahrzeugteile GmbH & Co. KG
Dieselstraße 2-4
63150 Heusenstamm, Germany
Phone: +49 (0) 6104 608-0
Fax: 06104 608-333
E-mail: verwaltung@herthundbuss.com

If you have any questions about data protection, you can contact our data protection officer, Mr Manfred Schlitt, in confidence at any time at: datenschutz@herthundbuss.com.

What sources and data do we use?

We process personal data that we receive from you in the course of our business relationship.

We also process personal data that we have obtained from other companies or other third parties (e.g. for the execution of orders, for the fulfilment of contracts or on the basis of consent granted by you) to the extent necessary for the performance of your order or to fulfil our contract.

However, we also process personal data that we have obtained from publicly accessible sources (e.g. registers of debtors, commercial and association registers, the press, media, terror and sanction lists). In these cases, we are permitted to obtain and process such data.

Why do we process your data (purpose of processing) and on what legal basis?

We process personal data in conformity with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a) To fulfil contractual obligations (Art. 6 (1) (b) GDPR)

Personal data is processed (Art. 4 (2) GDPR) in order to provide services and supply goods, in particular to fulfil the contracts we have concluded with you and to carry out your orders, and to perform all activities required for the operation and administration of a company.

The purposes of data processing primarily depend on the specific products or services.

Further details on the purpose of data processing can be found in the respective contract documents and terms and conditions.

b) In the framework of the evaluation and balancing of interests (Art. 6 (1) (f) GDPR)

Where necessary, we process your data beyond the purposes of fulfilling the contract in order to safeguard our legitimate interests or those of third parties.
Examples:

  • Checking and optimising procedures for requirements analysis and direct customer address
  • Advertising or market and opinion research, unless you have objected to the use of your data
  • Assertion of legal claims and defence in the event of legal disputes
  • Safeguarding of IT security and IT operations
  • Video surveillance for the collection of evidence in criminal offences. This data is therefore used to protect customers and employees.
  • Building and plant security measures (e.g. access controls)
  • Measures for business management and further development of services and products

c) On the basis of your consent (Art. 6 (1) (a) GDPR)

Insofar as you have consented to the processing of personal data for specific purposes (e.g. sending of newsletter, disclosure of data to third parties), the lawfulness of such processing shall be deemed to exist on the basis of your consent. Where consent has been given, it can be revoked at any time.

Please note that such revocation will only apply with effect for the future. Any processing performed prior to revocation will not be affected here.

d) On the basis of legal requirements (Art. 6 (1) (c) GDPR), or in the public interest (Art. 6 (1) (e) GDPR)

In addition, we are subject to various legal obligations, i.e. statutory requirements (e.g. commercial legislation, tax legislation, etc.). Where data is processed for these purposes, this takes place exclusively as defined by these regulations.

Who receives your data?

Within the company, the departments that require your data to fulfil our contractual and legal obligations will be provided with such data. Data processors (Art. 28 of the GDPR) commissioned by us can also receive data for the aforementioned purposes. These are companies active in the following categories, for example: IT services, logistics, printing services, telecommunications, financial services, advice and consulting, sales and marketing.

The following must be noted with regard to the transfer of data to recipients outside the company: we only pass on your data where legal provisions permit or command us to do so, if you have consented to this or where we are authorised to provide the information in question.

For what period of time is your data stored?

Where necessary, we process and store your personal data for the duration of our business relationship, which includes, for example, the initiation and execution of a contract or in order to fulfil the contractual purposes. In order to provide you with the best possible support, we process personal data insofar as this is useful and necessary in order to ensure good business support. Your data will be stored for as long as you are a customer or supplier with us to ensure optimum support and then for a further five years to provide the relevant service after the relationship has ended.

We are also subject to various retention and documentation obligations arising from the German Commercial Code (HGB) and the German Fiscal Code (AO). The retention or documentation periods specified there are two to ten years.

Finally, the storage duration is also assessed according to the statutory periods of limitation, which, for example, may be up to 30 years in accordance with Sections 195 ff. of the German Civil Code (BGB).

Is the data transferred to a third country or to an international organisation?

A transfer of data to third countries (countries outside the European Economic Area – EEA) only takes place when this is required to fulfil the contract or your orders, when it is a legal requirement or when you have granted us consent to do so. We will inform you separately of the details where this is required by law.

What data protection rights do you hold?

Each data subject has the right of access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, the right to data portability pursuant to Art. 20 GDPR and the right to object pursuant to Art. 21 GDPR. The right of access and the right to erasure are subject to the restrictions under Sections 34 and 35 BDSG. There is also a right to lodge a complaint with a supervisory authority for data protection (Art. 77 GDPR within the meaning of Section 19 BDSG).

Are you under an obligation to provide data?

In the course of our business relationship, you are only obliged to provide the personal data required in order to establish, carry out and terminate a business relationship, or the data which we have a legal obligation to collect. Without this data, we will usually have to reject the conclusion of the contract or the execution of the order or may no longer be able to carry out an existing contract and will have to terminate it if necessary.

To what extent does automated decision-making take place in individual cases?

We do not generally use fully automated decision-making in order to establish and implement the business relationship in accordance with Art. 22 GDPR. Should we make use of such procedures in individual cases, we will inform you of this separately where required to do so by law.

To what extent is your data used for profiling (scoring)?

We do not process your data in an automated manner with the objective of evaluating specific personal characteristics (profiling). Profiling is therefore not conducted.