III. GENERAL DATA PROCESSING INFORMATION
1. Scope and purpose of data processing
Within the scope of cooperation with business partners, EDAG processes personal data for the following purposes:
On the basis of consents granted (Art. 6 para. 1 a DSGVO):
- Carrying out customer surveys, marketing campaigns, market analyses, prize draws, competitions or similar campaigns and events;
To initiate, implement and terminate contractual relationships (Art. 6 para. 1 b DSGVO):
- General communication with business partners on products, services and projects, e.g. to deal with business partner enquiries
- Planning, implementation and administration of the (contractual) business relationship between EDAG and the business partner, e.g. to process the order of products and services, to collect payments, for accounting, billing and debt collection purposes and to carry out deliveries, maintenance activities or repairs;
On the basis of legal requirements (Art. 6 Para. 1 c DSGVO):
- Compliance with
o legal requirements (e.g. of tax and commercial law retention obligations),
o existing obligations to carry out compliance screenings (to prevent white-collar crime or money laundering); and
o EDAG guidelines and industry standards; and
- Settlement of legal disputes, enforcement of existing contracts and the assertion, exercise and defence of legal claims;
Based on a legitimate interest (Art. 6 para. 1 f DSGVO):
- Maintaining and protecting the security of our products and services as well as our websites, preventing and detecting security risks, fraudulent actions or other criminal acts or acts committed with intent to cause damage.
For the above-mentioned purposes EDAG processes the following categories of personal data if necessary:
- Contact information, such as first and last name, business address, business telephone number, business mobile phone number, business fax number and business e-mail address;
- payment data, such as information required for the processing of payment transactions or fraud prevention, including credit card information and card verification numbers;
- Further information, the processing of which is necessary within the framework of a project or the handling of a contractual relationship with EDAG or which is voluntarily provided by our contact persons, such as orders placed, enquiries made or project details;
- Information collected from publicly available sources, information databases or credit agencies; and
- Where required in the context of compliance screenings: information on relevant court proceedings and other legal disputes involving business partners.
If the aforementioned personal data is not made available or EDAG is unable to collect it, the individual purposes described may not be achieved.
2. legal basis fort he processing of personal data
The processing of personal data is necessary to achieve the purposes mentioned under point III.1., including the execution of the (contractual) business relationship with the business partner. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b) and lit. f) of the EU Basic Data Protection Regulation (hereinafter “DSGVO”) or, where express consent has been gi
iven, Art. 6 para. 1 sentence 1 lit. a) DSGVO.
3. data erasure and storage duration
If no explicit storage period is specified during collection (e.g. in the context of a declaration of consent), your personal data will be deleted if they are no longer required to fulfil the purpose of storage, unless their temporary further processing is required in particular for the following purposes:
- Fulfilment of commercial and tax law retention periods, e.g. in accordance with the German Commercial Code or the German Fiscal Code The periods mentioned there are 2 to 10 years.
- Preservation of evidence within the scope of the statute of limitations (e.g. §§ 195ff. BGB).
4. recipient of the data
Within our company, access to your data is granted to those entities that require it to fulfil our contractual and legal obligations or the above-mentioned purposes. Service providers and agents employed by us may also receive data for this purpose.
EDAG may transmit personal data to courts, supervisory authorities or law firms if there is a legal obligation to do so under Art. 6 Para. 1 S. 1 lit. c) DSGVO or if it is necessary under Art. 6 Para. 1 S. 1 lit. f) DSGVO to assert, exercise or defend legal claims and there is no reason to assume that our business partners have an overriding interest worthy of protection in not passing on the data.
EDAG works together with service providers (so-called contract processors), such as service providers for IT maintenance services. These service providers only work according to EDAG’s instructions and are contractually bound to comply with the applicable data protection requirements. For this purpose we conclude written contracts with these service providers.
5. data transfer to third countries
EDAG may transfer personal data to other EDAG group companies for the above-mentioned purposes, but only if and insofar as this is necessary to fulfil the above-mentioned purposes.
Should we transfer personal data to service providers or group companies outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission as having an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contract clauses) are in place.
6. revocability of granted declarations of consent
If our contact person has given his consent to process his personal data, the contact person has the right to revoke the given consent at any time with effect for the future, i.e. the revocation does not affect the lawfulness of the processing carried out before the revocation on the basis of the consent. After revocation EDAG may only process the personal data to the extent that EDAG can base the processing on another legal basis.