Information on the processing of personal data (Articles 13 and 14 of the GDPR)

Dear Sir or Madam,

The personal data of every individual who has a contractual, pre-contractual, or other relationship with our company deserves special protection. We aim to maintain a high standard of data protection. That is why we are committed to the continuous development of our data protection and data security concepts. It goes without saying that we comply with the legal requirements for data protection. According to Articles 13 and 14 of the General Data Protection Regulation (GDPR), companies have special information obligations when they collect personal data. This document fulfills these obligations.

The terminology of legal regulations is complicated. Unfortunately, it was not possible to avoid the use of legal terms when drafting this document. We would therefore like to point out that you are welcome to contact our data protection officer if you have any questions about this document, the technical terms used, or the wording.

I. Compliance with information obligations in the event of personal data being collected from the affected individual (Art. 13 GDPR)

A. Name and contact details of the responsible party (Art. 13 I lit. a GDPR)

BDE Engineering GmbH
Industriestr. 10
37688 Beverungen
Germany
Tel.: +49 5273 367700
Email: info@bde-engineering.de
Website: www.bde-engineering.de
Commercial register no.: HRB 9651 (AG Paderborn)
VAT identification number pursuant to §
27 a of the German VAT Act: DE 155578128

B. Contact details of the data protection officer (Art. 13 I lit. b GDPR)

BDE Engineering GmbH
- Data Protection Officer -
Industriestr. 10
37688 Beverungen
Germany
Tel.: +49 4273 367700
Email: datenschutzbeauftragter@bde-engineering.de

C. Purposes for which the personal data is to be processed and the legal basis for the processing (Art. 13 I lit. c GDPR)

The purpose of processing personal data is to handle all processes relating to the responsible parties, customers, interested parties, business partners, or other contractual or pre-contractual relationships between the aforementioned groups (in the broadest sense) or legal obligations of the responsible party.

Art. 6 I lit. a GDPR serves as the legal basis for our company for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the fulfillment of a contract to which the affected individual is party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of other services or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services. If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the affected individual or another natural person. This would be the case, for example, if a visitor to our premises were injured and the name, age, health insurance details, or other vital information had to be passed on to a doctor, hospital, or other third party. In this case, the processing would be based on Art. 6 I lit. d GDPR.

Finally, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis applies to processing operations that are not covered by any of the aforementioned legal bases if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and freedoms of the affected individual do not prevail. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this regard, the legislator took the view that a legitimate interest could be assumed if the affected individual is a customer of the controller (preamble 47, sentence 2 of the GDPR).

D. If the processing is based on Article 6(1)(f) GDPR, the legitimate interests pursued by the controller or a third party (Article 13(1)(d) GDPR)

If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is the conduct of our business activities for the benefit of all our employees and our shareholders.

E. Categories of recipients of personal data (Art. 13 I lit. e GDPR)

  • Public authorities
  • External authorities
  • Other external authorities
  • Internal processing
  • Intra-group processing Miscellaneous bodies

F. Recipients in a third country and suitable or appropriate safeguards and the possibility of obtaining a copy of them or where they are available (Art. 13 I lit. f, 46 I, II lit. c GDPR)

All companies and branches belonging to our group (hereinafter referred to as group companies) that have their registered office or a place of business in a third country may be recipients of personal data. The addresses of all group companies are available on our website. Furthermore, a list of all group companies can be requested from our data protection officer.

According to Art. 46 I GDPR, the person responsible or a contract processor may only transfer personal data to a third country if the person responsible or the contract processor has provided appropriate safeguards and if the affected individuals have enforceable rights and effective legal remedies. Appropriate safeguards can be provided by standard data protection clauses without the need for specific approval from a supervisory authority, Art. 46 II lit. c GDPR.

The EU standard data protection clauses are agreed with all recipients from third countries before the first transfer of personal data. This ensures that all processing of personal data is subject to appropriate safeguards, enforceable rights, and effective legal remedies resulting from the EU standard data protection clauses. Any affected individual can obtain a copy of the standard data protection clauses from our data protection officer. In addition, the standard data protection clauses are also available in the Official Journal of the European Union (OJ 2010/L 39, pages 5-18).

G. Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration (Art. 13 II lit. a GDPR)

The criterion for the duration of the storage of personal data is the respective statutory retention period. After the expiration of this period, the corresponding data are routinely deleted, provided they are no longer required for the fulfillment or initiation of a contract.

H. Existence of the rights to access, rectification, deletion, restriction of processing, and the right to object to processing, as well as the right to data portability (Art. 13 II lit. b GDPR)

All affected individuals concerned have the following rights:

a) Right to information

Every individual concerned has the right to access personal data relating to them. This right of access extends to all data processed by us. The right can be exercised without difficulty and at reasonable intervals, so that all affected individuals are always aware of the processing of their personal data and can verify its lawfulness (preamble 63 GDPR). This right arises from Article 15 of the GDPR. To exercise the right of access, the individual concerned may contact our Data Protection Officer.

b) Right to rectification

According to Art. 16 para. 1 GDPR, all affected individuals have the right to request that our company immediately correct any inaccurate personal data concerning them. In addition, Art. 16 para. 2 GDPR stipulates that, taking into account the purposes of the processing, the affected individual has the right to request the completion of incomplete personal data, including by means of a supplementary statement. To exercise the right to rectification, any affected individual may contact our data protection officer.

c) Right to deletion (right to be forgotten)

Furthermore, affected individuals have the right to deletion and to be forgotten in accordance with Art. 17 GDPR. This right can also be exercised by contacting our data protection officer. At this point, however, we would like to point out that this right does not apply if the processing is necessary to fulfill a legal obligation to which our company is subject, Art. 17 III lit. b GDPR. This means that we can only approve a request for deletion after the statutory retention period has expired.

d) Restriction of processing

According to Art. 18 GDPR, every affected individual has the right to restriction of processing. Restriction of processing may be requested if one of the conditions set out in Art. 18 I lit. a-d GDPR applies. The right to restriction of processing can be exercised via our data protection officer.

e) Right of objection

Furthermore, Article 21 of the GDPR guarantees the right of objection. The right of objection can be exercised via our data protection officer.

f) The right to the transferability of data

Article 20 of the GDPR grants the affected individual a right to the transferability of data. According to this provision, the affected individual has the right, under the conditions of Art. 20 I lit. a and b GDPR, to receive the personal data concerning them that they have provided to the responsible party in a structured, commonly used, and machine-readable format and to transmit this data to another responsible party without hindrance from the responsible party. The affected individual can exercise the right to the transferability of data through our data protection officer.

I. Right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, provided that the processing is based on Art. 6 I lit. a GDPR or Art. 9 II lit. a GDPR (Art. 13 II lit. c GDPR)

If the processing of personal data is based on Art. 6 I lit. a GDPR, which is the case if the affected individual has given consent to the processing of personal data concerning him or her for one or more specific purposes, or if the processing is based on Art. 9 II lit. a GDPR, which regulates the express consent to the processing of special categories of personal data, the affected individual has the right to withdraw their consent at any time in accordance with Art. 7 III sentence 1 GDPR.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, Art. 7 III sentence 2 GDPR. The withdrawal of consent must be as easy as the granting of consent, Art. 7 III sentence 4 GDPR. Therefore, the withdrawal of consent can always be done in the same way as the consent was given or in any other way that is considered easier by the affected individual. In today's information society, the easiest way to withdraw consent is probably a simple email. If the affected individual wishes to withdraw consent given to us, a simple email to our data protection officer is sufficient. Alternatively, the affected individual may choose any other means to notify us of the withdrawal of consent.

J. Right to lodge a complaint with a supervisory authority (Art. 13 II lit. d, 77 I GDPR)

As the responsible party, we are obliged to inform the affected individuals concerned of their right to lodge a complaint with a supervisory authority, Art. 13 II lit. d GDPR. The right to lodge a complaint is regulated in Art. 77 I GDPR. According to this provision, without prejudice to any other administrative or judicial remedy, every affected individual has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the affected individual considers that the processing of personal data relating to them infringes the General Data Protection Regulation. The right to lodge a complaint has been restricted by the EU legislator solely in that it can only be exercised before a single supervisory authority (preamble 141, paragraph 1 of the GDPR). This provision is intended to prevent duplicate complaints on the same matter by the same affected individual. If an affected individual wishes to lodge a complaint about us, they are therefore requested to contact only one supervisory authority.

K. Legal or contractual requirements for the provision of personal data; necessity for the conclusion of the contract; obligation of the affected individual to provide personal data; possible consequences of non-provision (Art. 13 II lit. e GDPR)

We would like to inform you that the provision of personal data is in some cases required by law (e.g., tax regulations) or may also result from contractual provisions (e.g., information about the contractual partner).

In some cases, it may be necessary for an affected individual to provide us with personal data in order to conclude a contract, which we must then process. For example, the affected individual is obliged to provide us with personal data if our company concludes a contract with them. Failure to provide personal data would mean that the contract with the affected individual could not be concluded.

Before providing personal data, the affected individual must contact our data protection officer. Our data protection officer will explain to the affected individual on a case-by-case basis whether the provision of personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.

L. Existence of automated decision-making, including profiling, pursuant to Art. 22 I, IV GDPR and—at least in these cases—meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject (Art. 13 II lit. f GDPR)

As a responsible company, we refrain from automated decision-making or profiling.

II. Compliance with information obligations in cases where personal data has not been collected from the affected individual (Art. 14 GDPR)

A. Name and contact details of the responsible party (Art. 14 I lit. a GDPR)

BDE Engineering GmbH
Industriestr. 10
37688 Beverungen
Germany
Tel.: +49 5273 367700
E-Mail: info@bde-engineering.de
Website: www.bde-engineering.de
Commercial register no.: HRB 9651 (AG Paderborn)
VAT identification number pursuant to §
27 a of the German VAT Act: DE 155578128

B. Contact details of the data protection officer (Art. 13 I lit. b GDPR)

BDE Engineering GmbH

- Data Protection Officer -

Industriestr. 10
37688 Beverungen
Germany
Tel.: +49 4273 367700
Email: datenschutzbeauftragter@bde-engineering.de

C. Purposes for which the personal data is to be processed and the legal basis for the processing (Art. 14 I lit. c GDPR)

The purpose of processing personal data is to handle all processes relating to the company, customers, interested parties, business partners, or other contractual or pre-contractual relationships between the aforementioned groups of parties (in the broadest sense) or legal obligations of the responsible party. If the processing of personal data is necessary for the performance of a contract to which the affected individual is party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of other services or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services. If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the affected individual or another natural person. This would be the case, for example, if a visitor to our premises were injured and his name, age, health insurance details, or other vital information had to be passed on to a doctor, hospital, or other third party. In this case, the processing would be based on Art. 6 I lit. d GDPR.

Finally, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis covers processing operations that are not covered by any of the above legal bases if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and freedoms of the affected individual do not prevail. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this regard, the legislator took the view that a legitimate interest could be assumed if the affected individual is a customer of the responsible party (preamble 47 sentence 2 GDPR).

D. Categories of personal data that are processed (Art. 14 I lit. d GDPR)

  • Customer data
  • Prospective customer data
  • Employee data
  • Supplier data

E. Categories of recipients of personal data (Art. 14 I lit. e GDPR)

  • Public authorities
  • External authorities
  • Other external authorities
  • Internal processing
  • Intra-group processing
  • Miscellaneous authorities

F. Recipients in a third country and suitable or appropriate safeguards and the possibility of obtaining a copy of them or where they are available (Art. 14 I lit. f, 46 I, II lit. c GDPR)

All companies and branches belonging to our group (hereinafter referred to as “group companies”) that have their registered office or a place of business in a third country may be recipients of personal data. The addresses of all group companies are available on our website. Furthermore, a list of all group companies can be requested from our data protection officer.

Pursuant to Art. 46 I GDPR, the responsible party or a contract processor may only transfer personal data to a third country if the responsible party or the contract processor has provided appropriate safeguards and if the affected individuals have enforceable rights and effective legal remedies at their disposal. Appropriate safeguards can be provided by standard data protection clauses without the need for specific approval from a supervisory authority, Art. 46 II lit. c GDPR.

The EU standard data protection clauses are agreed with all recipients from third countries before the first transfer of personal data. This ensures that all processing of personal data is subject to appropriate safeguards, enforceable rights, and effective legal remedies resulting from the EU standard data protection clauses. Any affected individual can obtain a copy of the standard data protection clauses from our data protection officer. In addition, the standard data protection clauses are also available in the Official Journal of the European Union (OJ 2010/L 39, pages 5-18).

G. The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period (Art. 14 II lit. a GDPR)

The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data is routinely deleted, provided that it is no longer required for the fulfillment of a contract or for the initiation of a contract.

H. Communication of the legitimate interests pursued by the responsible party or a third party if the processing is based on Art. 6 I lit. f GDPR (Art. 14 II lit. b GDPR)

According to Art. 6 I lit. f GDPR, processing is only lawful if it is necessary to safeguard the legitimate interests of the responsible party or a third party, provided that the interests or fundamental rights and freedoms of the affected individual requiring the protection of personal data do not prevail. According to preamble 47 clause 2 GDPR, a legitimate interest may exist if there is a relevant and appropriate relationship between the affected individual and the responsible party, e.g. if the affected individual is a customer of the responsible party. In all cases where our company bases the processing of personal data on Art. 6 I lit. f GDPR, our legitimate interest lies in carrying out our business activities for the benefit of all our employees and our shareholders.

I. Existence of the right to information, correction, deletion, restriction of processing, and the right to object to processing, as well as the right to the transferability of data (Art. 14 II lit. c GDPR)

All affected individuals have the following rights:

a) Right of access

Every affected individual has the right to access personal data concerning them. The right of access extends to all data processed by us. This right can be exercised easily and at reasonable intervals so that all affected individuals are always aware of the processing of their personal data and can verify its lawfulness (preamble 63 GDPR). This right arises from Art. 15 GDPR. To exercise the right of access, the affected individual can contact our data protection officer.

b) Right to rectification

According to Art. 16 sentence 1 GDPR, all affected individuals have the right to request that our company immediately rectify any inaccurate personal data concerning them. In addition, Art. 16 sentence 2 GDPR stipulates that, taking into account the purposes of the processing, the affected individual has the right to request the completion of incomplete personal data, including by means of a supplementary statement. To exercise the right to rectification, any affected individual may contact our data protection officer.

c) Right to deletion (right to be forgotten)

Furthermore, affected individuals have the right to deletion and to be forgotten in accordance with Art. 17 GDPR. This right can also be exercised by contacting our data protection officer. At this point, however, we would like to point out that this right does not apply if the processing is necessary to fulfill a legal obligation to which our company is subject, Art. 17 III lit. b GDPR. This means that we can only approve a request for erasure after the statutory retention period has expired.

d) Restriction of processing

According to Art. 18 GDPR, every affected individual has the right to restriction of processing. A restriction of processing may be requested if one of the conditions set out in Art. 18 I lit. a-d GDPR applies. The right to restriction of processing can be exercised via our data protection officer.

e) Right of objection

Furthermore, Article 21 of the GDPR guarantees the right of objection. The right of objection can be exercised via our data protection officer.

f) The right to the transferability of data

Article 20 of the GDPR grants the affected individual a right to the transferability of data. According to this provision, the affected individual has the right, under the conditions of Art. 20 I lit. a and b GDPR, to receive the personal data concerning them that they have provided to the responsible party in a structured, commonly used, and machine-readable format and to transmit this data to another responsible party without hindrance from the responsible party. The affected individual can exercise the right to the transferability of data through our data protection officer.

J. Right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal, provided that the processing is based on Art. 6 I lit. a or Art. 9 II lit. a GDPR (Art. 14 II lit. d GDPR)

If the processing of personal data is based on Art. 6 I lit. a GDPR, which is the case if the affected individual has given consent to the processing of personal data concerning them for one or more specific purposes, or if the processing is based on Art. 9 II lit. a GDPR, which regulates the express consent to the processing of special categories of personal data, the affected individual has the right to withdraw their consent at any time in accordance with Art. 7 III sentence 1 GDPR.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal, Art. 7 III clause 2 GDPR. The withdrawal of consent must be as easy as the granting of consent, Art. 7 III sentence 4 GDPR. Therefore, the withdrawal of consent can always be done in the same way as the consent was given or in any other way that the affected individual considers easier. In today's information society, the easiest way to withdraw consent is probably a simple email. If the affected individual wishes to withdraw consent given to us, a simple email to our data protection officer is sufficient. Alternatively, the affected individual may choose any other means to notify us of the withdrawal of consent.

K. Right to lodge a complaint with a supervisory authority (Art. 14 II lit. e, 77 I GDPR)

As the responsible party, we are obliged to inform the affected individual of their right to lodge a complaint with a supervisory authority, Art. 14 II lit. e GDPR. The right to lodge a complaint is regulated in Art. 77 I GDPR. According to this provision, without prejudice to any other administrative or judicial remedy, every affected individual has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the affected individual considers that the processing of personal data relating to them infringes the General Data Protection Regulation. The right to lodge a complaint has been restricted by the EU legislator solely in that it can only be exercised before a single supervisory authority (preamble 141, sentence 1 GDPR). This provision is intended to prevent duplicate complaints on the same matter by the same affected individual. If an affected individual wishes to lodge a complaint about us, they are therefore requested to contact only one supervisory authority.

L. Source from which the personal data originates and, if applicable, whether it originates from publicly accessible sources (Art. 14 II lit. f GDPR)

Personal data is generally collected directly from the affected individual or in cooperation with a public authority (e.g., reading data from an official register). Other data about affected individuals comes from transfers from group companies. Within the scope of this general information, it is either impossible or would involve a disproportionate effort within the meaning of Art. 14 V lit. b GDPR to disclose the exact sources from which the personal data originates. We do not collect personal data from publicly accessible sources.

Any affected individual may contact our data protection officer at any time to obtain more detailed information about the exact sources of the personal data concerning them. If it is not possible to inform the affected individual exactly where the personal data originates because various sources have been used, the individual information provided will be kept general (preamble 61, sentence 4 of the GDPR).

M. Existence of automated decision-making, including profiling, pursuant to Art. 22 I, IV GDPR and—at least in these cases—meaningful information about the logic involved, as well as the scope and intended effects of such processing for the data subject (Art. 14 II lit. g GDPR)

As a responsible company, we refrain from automated decision-making or profiling.