Privacy Notice Suppliers

Responsible party:
PAUL HARTMANN AG
Paul-Hartmann-Straße 12
89522 Heidenheim
Phone: +49-7321-36-0
Fax: +49-7321-36-3636
E-Mail: info@hartmann.info

Contact Data Protection:
PAUL HARTMANN AG
Department CFO-DPM / DPO
Paul-Hartmann-Straße 12
89522 Heidenheim
E-Mail: datenschutz@hartmann.info

We process your personal data in accordance with the provisions of the GDPR, the German Federal Data Protection Act (BDSG) and other applicable data protection regulations. You will find details under the following explanations.

2.1 Purposes in the context of pre-contractual/contractual measures (cf. Art. 6 (1) b GDPR)

We process your personal data in particular for the following purposes:

• Comparison with national as well as European and other international sanctions lists as part of our compliance program to determine critical data (screening);
• Business partner due diligence;
• Sending Christmas cards and birthday cards;
• Reminders of business relations;
• Consultation or contact after trade fairs etc.;
• Fulfilment of contractual obligations;
• Sending of invoice documents and delivery notes;
• Implementation of payment processing;
• Transfer of address data to logistics companies for the collection of goods;
• Sending interesting information about products and promotions;
• Obtaining creditworthiness information (e.g. via Creditreform: https://www.creditreform.de/datenschutz).

2.2 Purposes within the scope of legitimate interests of us or third parties (cf. Art. 6 (1) f GDPR)

We process your personal data if it is necessary to protect the legitimate interests of us or third parties, unless there are no overriding interests on your part (including fundamental rights and freedoms) that speak against such processing. Our purpose-oriented interests can be in particular:

• Statistical evaluations for corporate management;
• Transfer of data within our coroprate group for internal administrative purposes;
• Sending Christmas cards and birthday cards;
• Reminders of business relations;
• Consultation or contact after trade fairs etc.;
• Measures for controlling and optimizing business processes;
• Capturing the license plate number of suppliers when driving on the factory premises;
• Measures for the further development of services and products;
• Testing and optimisation of procedures for demand analysisnalyse;
• Comparison with national as well as European and other international sanctions lists as part of our compliance program to determine critical data (screening), insofar as this goes beyond the legal obligations. The comparison depends to a large extent on the matter in question and the circumstances of the individual case, i.e. on the risk forecast and the safety relevance of the specific activity;
• Enrichment of our data, e.g. by using or researching publicly available data as far as necessary;
• Benchmarking;
• Assertion of legal claims and defence in the event of legal disputes which are not directly attributable to the contractual relationship;
• Building and plant security, securing and exercising of the right to the building by taking appropriate measures (e.g. access controls) and, if necessary, by video surveillance to protect third parties and our employees and to prevent criminal offences and to secure evidence for the investigation of criminal offences, insofar as this goes beyond the general duty of cared;
• Further development of existing systems and processese;
• Internal and external investigations, security checks; publications;;
• Obtaining and maintaining certifications of a private or official nature.

2.3 Purposes within the scope of your consent (cf. Art. 6 (1) a GDPR)

Your personal data may also be processed for certain purposes with your consent. You can revoke this consent at any time. This also applies to the revocation of declarations of consent that were issued to us prior to the validity of the GDPR, i.e. before 25 May 2018.

In principle, the revocation of a consent at any time is only effective for the future. Processing that took place before the revocation is not affected and remains legal. In all other respects you are not obliged to grant consent and you will not suffer any legal disadvantages from the refusal of consent.

2.4 Purposes to meet legal requirements (cf. Art. 6 (1) c GDPR or purposes in the public interest (cf. Art. 6 (1) e GDPR)

Like everyone who is involved in the economic process, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. Works Constitution Act, Social Security Code, commercial and tax laws, German Fiscal Code), but also, where applicable, regulatory or other official requirements (e.g. employers' liability insurance association). The purposes of the processing may include identity and age verification, fraud and money laundering prevention (e.g. comparison with European and international anti-terrorist lists), company health management and ensuring occupational safety. In addition, the disclosure of personal data may become necessary within the scope of official/judicial measures for the purpose of gathering evidence, criminal prosecution or the enforcement of civil law claims.

Insofar as it is necessary for the decision on the establishment of a contractual relationship with you, we process, in addition to the personal data received directly from you, any legally obtained personal data from third parties (see Art. 14 GDPR).

We process in particular the following data categories:

• Stock data (e.g. title, first and last name, title, country, company address, industry)
• Contact details (e.g. e-mail address, fixed/mobile phone number, fax number);
• Contract data (e.g. object of contract, duration, customer category, user name);
• Payment data (e.g. bank details, account details, credit card details, payment history).

We only process your personal data within the company. Within our company, those internal departments or organisational units receive your personal data insofar as they need it to fulfil the purpose and within the scope of processing. Internal data recipients are obliged in each case to use your personal data only to the aforementioned extent.

If we transfer your personal data to other persons and companies (third parties) or grant them other access to the personal data, this is only done on the basis of a legal permission. If we commission third parties to process personal data on the basis of a so-called "contract processing agreement" and thereby secure the necessary powers of influence or control with regard to the processing and use of the personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the legality of the data processing.

We process or store your personal data in principle for the duration of the contractual relationship.

The above information on deletion does not apply if, among other things, legally prescribed retention periods prevent immediate deletion (cf. Art. 17 (3) GDPR) and/or a further case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.

Incorrect and/or incomplete data will be deleted or - if possible - corrected immediately in accordance with Art. 5 (1) d GDPR.

A data transfer to bodies in states outside the European Economic Area EU/EEA (so-called third countries) takes place in particular if it is necessary for the decision on the establishment of a contractual relationship.

The processing of your personal data in a third country may also take place in connection with the use of service providers in the context of processing orders. Unless the EU Commission has decided on an adequate level of data protection in the country concerned, we guarantee - in accordance with Article 13 (1) f of the GDPR - that your rights and freedoms are protected by appropriate and reasonable safeguards in the case of transfers in accordance with Articles 46, 47 or 49 (1), second subparagraph, GDPR. Information on the suitable or appropriate guarantees and the possibility of how and where to obtain a copy of them can be obtained on request from the Data Protection Department.

• You have the right to withdraw your consent to the processing of your personal data in accordance with Art. 7 (3) GDPR at any time with effect for the future. Processing that took place before the revocation therefore remains lawful.
• In accordance with Art. 15 GDPR, you can request information about your personal data processed by us.
• In accordance with Art. 16 GDPR, you can demand the immediate correction of incorrect or incomplete personal data stored by us.
• In accordance with Art. 17 GDPR, you can request the deletion of your personal data stored by us in accordance with the conditions stated therein, unless legally prescribed retention periods prevent immediate deletion (see Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.
• Pursuant to Art. 18 (1) GDPR, you may request the restriction of data processing if one or more conditions pursuant to Art. 18 (1) GDPR lit. a to d are met.
• In accordance with Art. 20 (1) GDPR, you can receive the personal data processed by us in a structured, common and machine-readable format and transfer this personal data to another person responsible without hindrance from us.
• According to Article 21 (2) GDPR, you have the right to object to the processing of your personal data for the purposes of direct marketing at any time and without further conditions. This also applies to profiling, insofar as it relates to such direct advertising. If you lodge an objection, your personal data will no longer be processed for these purposes (cf. Art. 21 (3) GDPR).
• In addition, you can object to the processing of your personal data in accordance with Art. 21 (1) GDPR. In the event of an objection, we will terminate the processing of your personal data. However, the right of objection only applies in the event of special circumstances arising from your personal situation. In addition, compelling reasons worthy of protection that speak in favour of processing may prevail. Furthermore, certain processing purposes may conflict with your right of objection.
• Without prejudice to any other administrative or judicial remedy, you also have the right to appeal to the competent supervisory authority (see Art. 77 GDPR) if you believe that the processing of your personal data violates data protection provisions. In this context, however, we would ask you to address any complaints first to the contact details given under (1) above.

You only need to provide us with the personal data that is necessary for the initiation, execution and termination of a contractual relationship or that we generally require for the execution of our services or that we are legally obliged to collect (e.g. to provide evidence to authorities). Without this personal data, we will generally not be able to conclude and carry out the contractual relationship with you or provide our services. This may also refer to personal data that will later become necessary within the scope of the contractual relationship or the provision of services. Boxes marked with an asterisk (*) in our forms are mandatory. If we request personal data from you in addition to this, your details are always voluntary.

We do not use purely automated decision-making procedures in accordance with Art. 22 GDPR. Should we nevertheless use such a procedure in individual cases in the future, we will inform you of this separately if this is required by law.