Information obligation

Information according to article 13 GDPR (Data acquisition directly from the concerned party) and article 14 GDPR (Data acquisition via third parties)

Dear Sir or Madam,

The protection and transparency of your personal data collected and stored by us, Mayser GmbH & Co. KG, Bismarckstraße 2, 88161 Lindenberg / Allgäu (hereinafter “Mayser”) is important to us. With this document we would like to inform you about what happens to your data, so that you are clear about:

- Which information we acquire about you
- Why we acquire it
- How we store and use it
- When and with whom we share it

Name and contact information of the party responsible for data privacy

Mayser GmbH & Co. KG, Bismarckstraße 2, 88161 Lindenberg / Allgäu

Contact information of the company data privacy officer

Dr. Jens Bücking, Attorney,
c/o e|s|b Rechtsanwälte,
Schockenriedstr. 8 A,
D-70565 Stuttgart
jens.buecking@kanzlei.de

Personal data that is processed by us

If you send an inquiry to us, have us prepare an offer or conclude a contract with us, we process your personal data. The data processed in each case and how it is used depends largely on the services requested or agreed upon in each case.

In addition, we process your personal data for example to fulfil legal obligations, to protect a legitimate interest or on the basis of your consent.

Depending on the legal basis, the following categories of personal data are relevant:

  1. Personal data (last name, first name, date of birth, place of birth, nationality, marital status, occupation/industry and comparable data)
  2. Contact data (postal address, e‐mail address, phone number and similar data) 
  3. Address data (registration data and similar data) 
  4. Account information, in particular registration and logins
  5. Specific data about your living situation (in particular number of persons living in the household, income and occupation, consumer insolvency proceedings initiated but not yet concluded, amount of rent and operating costs, consumption data and operating costs) 
  6. Data for the payment of our services (in particular invoice data / revenue data, account information)
  7. Other data related to business transactions and business relationships (e.g., order details, order/invoice/delivery note number, consultation records, communication history and similar data)
  8. Payment / credit notes for debit and credit cards
  9. Creditworthiness data including scoring, i.e. data to assess the economic risk 
  10. Customer/supplier history data 
  11. Data on the place of performance/receipt of performance in addition to persons involved in the performance
  12. Data on the use of the telemedia offered by us (e.g. time at which our websites are accessed, IP addresses, apps or newsletters; our pages/links or website entries that are clicked, e-mail protocol (communication partner, time of day) and similar data) 
  13. Video or image recording
  14. Data from publicly available sources / information databases (e.g. company register / commercial register number, agencies)
  15. Data in connection with relevant legal proceedings and other legal disputes

Purpose and legal grounds of data processing

We always process your personal data in accordance with the law, in particular in compliance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) as well as all other relevant laws in accordance with the following provisions:

On the basis of permission granted by you (article 6, paragraph 1, letter a, GDPR)

If you have given us your voluntary consent to the collection, processing or communication of certain personal data, this consent forms the legal basis for the processing of this data. 

In the following cases we process your personal data on the basis of consent given by you:

  1. Creation of a customer account 
  2. Sending of an e-mail newsletter
  3. Market research (e.g. customer satisfaction surveys)
  4. Marketing and advertising (e.g. phone/SMS/e-mail/messenger)
  5. Creation of customer profiles
  6. Publication of video or image recordings
  7. Forwarding of e-mail addresses to transport service providers for shipment tracking
  8. Communication to “non-member countries” (i.e. countries outside the European Union/EU or the European Economic Area/EEA) for which there is no adequacy decision of the EU Commission or equivalent personal data protection regulation (e.g. EU standard contract clauses)
  9. Publication of customer references
  10. Communication to group companies

In fulfilment of a contract (article 6, paragraph 1, letter b, GDPR)

We collect, process and use your personal data to initiate, substantiate, execute, amend or terminate a contract concluded between us and you, which, depending on the subject matter and form of the contractual relationship, may be a purchase contract, a contract for work and materials, a contract for work, a service contract, a rental/lease contract or a licence agreement. Within this contractual relationship, we process your data in particular for the performance of the following activities:

  1. Contract-related contact
  2. Contract management
  3. Ongoing customer and supplier support (e.g. service centre)
  4. Fulfilment of warranty and guarantee claims
  5. Claims management
  6. Consent management
  7. Contract termination management (in particular the processing of revocations, cancellations, terminations and objections)

Additional information about the purposes of data processing can be found in the respective contract documents and general terms and conditions.

In fulfilment of legal obligations (article 6, paragraph 1, letter c, GDPR) or in the public interest (article 6, paragraph 1, letter e, GDPR)

As an enterprise we are subject to various legal obligations. The processing of personal data may be necessary in order to fulfil these obligations, in particular:

  1. Control and reporting obligations
  2. Creditworthiness, age and identity checks
  3. Prevention/defence against criminal offences/legal defence
  4. Comparison with anti-terror lists

On the basis of a legitimate interest (article 6, paragraph 1, letter f, GDPR)

In certain cases we process your data to protect legitimate interests of our own or third parties; such interests can include in particular: 

  1. Direct advertising or market and opinion research
  2. Consulting or sharing data with credit agencies
  3. Determination of creditworthiness and default risks
  4. Ensuring the protection and security of persons and objects, systems, procedures and information of operational importance, in particular IT security and IT operations
  5. Commission management for authorised dealers and/or commercial agents

Source of the information 

We process personal data that we receive from our customers, service providers and suppliers.

Categories of recipients of the personal data

As far as permissible, your personal data will be disclosed to various public or internal bodies and external service providers in order to fulfil our contractual or legal obligations:

External service providers:

  1. Sales partners / authorized dealers / suppliers / manufacturers and service providers for the initiation, substantiation, execution and termination of a contractual relationship with you
  2. Credit institutions and providers of payment services for invoicing and processing of payments
  3. Metering companies and billing companies (collection of consumption data for heating/hot water by the commissioned metering companies and forwarding to the commissioned billing companies for the purpose of billing operating costs)
  4. Experts
  5. Property insurers, liability insurers
  6. IT service providers (e.g. maintenance service providers, hosting service providers)
  7. Service providers for document and data destruction
  8. Print service providers
  9. Payment service providers
  10. Providers of consulting services
  11. Marketing service providers 
  12. Credit bureaus
  13. Service providers for phone and mail support (e.g. call centres)
  14. Web hosting service providers
  15. Providers of lettershops
  16. Auditors / tax consultants / fiduciary agencies
  17. Collection service providers and lawyers, in order to collect receivables and assert claims, if necessary
  18. Other external law firms not mentioned here
  19. Accreditation companies

Government offices:

In addition, it may be necessary for us to communicate your personal data to other recipients, such as authorities, in order to comply with statutory notification obligations.

  1. Tax authorities
  2. Customs officials
  3. Social insurance agency
  4. Police, public prosecutor, supervisory authorities
  5. Courts

Cooperation with contract processors and third parties

If we communicate personal data to other persons and companies (contract processors or third parties) within the scope of our processing or otherwise grant them access to the data, this is done on the basis of a (pre-)contractual agreement (article 6, paragraph 1, letter b, GDPR, e.g. if the data is communicated to third parties, such as payment service providers, for fulfilment of a contract), on the basis of your consent (article 6, paragraph 1, letter a, GDPR), on the basis of a legal obligation to do so (article 6, paragraph 1, letter c, GDPR), or on the basis of our legitimate interests (e.g. when using agents, web hosts, authorised dealers, etc. pursuant to article 6, paragraph 1, letter f, GDPR).
If we commission third parties with the processing of data, this is done on the basis of a so-called order processing contract (article 28 of the GDPR).

Transmission of personal data to a non-member country

If we process data in a non-member country (i.e. a country outside the European Union (EU) or the European Economic Area (EEA)) or if this is done within the framework of the use of services provided by third parties or by contract processors or if data is communicated to third parties, this is done on the basis of (pre-) contractual obligations (article 6, paragraph 1, letter b, GDPR), on the basis of your consent (article 6, paragraph 1, letter a, GDPR), on the basis of a legal obligation (article 6, paragraph 1, letter c, GDPR) or on the basis of our legitimate interests (article 6, paragraph 1, letter f, GDPR). Subject to legal or contractual permissions, we process or allow the data to be processed in a non-member country only if the special requirements of article 44 ff. of the German Data Protection Act apply, i.e. the processing takes place, for example, on the basis of special guarantees, such as the officially recognised establishment of a level of data protection equivalent to that of the EU (e.g. for the USA through the so-called Privacy Shield), or the agreement of officially recognised specific contractual obligations (so-called standard contract clauses).

Duration and criteria for storage of personal data

The data processed by us will be deleted or its processing restricted in accordance with articles 17 and 18 of the GDPR.
The personal data required for the mutual fulfilment of obligations arising from contractual relationships is stored regularly until the end of the relevant limitation period and deleted at the end of this period.
If statutory record retention and documentation periods exist, we are obligated to retain the data until the expiry of these periods (see article 6, paragraph 1, sentence 1, letter c, GDPR). After expiry of the statutory record retention obligations, primarily on the basis of commercial and tax law (in particular §§ 147 Tax Code and 257 Uniform Commercial Code – ten years for tax-relevant documents or six years for other business correspondence), we will delete this data unless you have consented to retention beyond this in accordance with article 6, paragraph 1, sentence 1, letter a, GDPR.

Protection of your data

In addition to the actual data protection, the subject of data security is also of great importance to us. We process your personal data in accordance with the security requirements for processing pursuant to article 32 of the GDPR. For this purpose, we rely on extensive technical and organisational security measures that comply with internationally recognized IT standards and are continuously monitored. This ensures that your data is adequately protected against misuse or any other form of unauthorised data processing in accordance with the risk involved.

Rights of the concerned party

According to the EU General Data Protection Regulation, you have the following rights: 
If your personal data is processed, you have the right to receive information about the personal data that is stored (article 15 GDPR).
If incorrect personal data is processed, you are entitled to correction of the data (article 16 GDPR).
If the legal prerequisites are fulfilled, you can request deletion or restriction of the processing of your data, and you can object to data processing (articles 17, 18 and 21 GDPR). We would like to point out that in this case, as well as whenever you do not provide us with the required data, it will generally not (or no longer) be possible for us to establish or execute a contractual relationship with you.
If you have agreed to the processing of your data or a contract for data processing exists and the data processing is carried out by means of automated processes, you likewise have the right to data portability (article 20 GDPR).

If you wish to exercise your rights as described above, we will determine whether the legal prerequisites have been fulfilled. In certain situations we may not be able to provide you with information about all of your data due to legal requirements. If we have to reject your request for information in such a case, we will in any case inform you of the reasons for the rejection within the statutory periods pursuant to article 12, paragraph 3 of the GDPR.
To exercise your rights, please contact contact@mayser.com.

For complaints related to data privacy you can contact the responsible supervisory authority: 

The regional commissioner for data privacy and freedom of information, Promenade 18, 91522 Ansbach, postal address: P.O. Box 606, 91511 Ansbach; phone: 0981 180093-0; fax: 0981 180093-800; e-mail: poststelle@lda.bayern.de

Right of revocation in case of permission 

If you have agreed in a corresponding declaration to the processing of your data by Mayser, you can revoke this permission at any time with effect for the future. The legality of the data processing on the basis of this permission up until the time of revocation is not affected by the revocation.

If you have any questions about the individual recipients, you can contact us at: contact@mayser.com.