Data protection

Data protection information for (new) business partners.

Dear Sir or Madam,

We are looking forward to collaborating with you. In the following, we would like to inform you about some fundamental topics in accordance with the EU General Data Protection Regulation (GDPR).

With the following information, we aim to provide you with an overview of the processing of your personal data by us and your resulting rights. The specific data processed and the manner in which it is used depend largely on the services requested or agreed upon. Therefore, not all statements contained herein may apply to you.

Furthermore, this data protection information may be updated from time to time. You can always find the current version on our website at: www.s-and-p.de

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) for the purpose of contract processing, maintaining connections, and gaining interests. Type of personal data collected: We process the following personal data, which we receive from you in the course of our business
relationship:

• Master data (e.g., names, company data, and addresses)
• Communication data (e.g., telephone numbers and email addresses)
• Contract data

In the context of balancing interests (Art. 6 para. 1 f GDPR) Where necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of ours or third parties. Examples of such cases include:

• Processing in CRM system
• Processing in text systems

Who receives my data? Within our company All consultants and employees involved in a specific project or defined task who need to be aware of this data. In the context of commissioned processing Your data may be passed on to service providers who act as processors for us. In addition, the data may be shared with:

• Participating companies
• Partner companies
• Commissioned service providers All service providers are contractually bound and, in particular, obligated to treat your data confidentially.

Other third parties Disclosure of data to recipients outside our company is only made in compliance with applicable data protection regulations. Recipients of personal data may include, for example: tax consultants or economic and payroll auditors (legal auditing mandate). We do not sell or rent your personal data to third parties or otherwise market it. Are data transferred to a third country or to an international organization? Your data is only processed within the European Union and states within the European Economic Area (EEA).

How long will my data be stored? We process and store your personal data for as long as is necessary to fulfill our contractual and legal obligations. If the data is no longer required for contractual or legal obligations, it will be regularly deleted. Exceptions apply,

• if legal retention obligations must be fulfilled, e.g., Commercial Code (HGB) and Fiscal Code (AO), are required. The periods prescribed there for retention or documentation are usually six to ten years;
• for the preservation of evidence within the framework of statutory limitation periods. Pursuant to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.

If data processing is carried out in our or a third party’s legitimate interest, personal data will be deleted once this interest no longer exists. The exceptions mentioned apply here.

What data protection rights do I have? You have the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. Restrictions may apply to the right to information and the right to erasure pursuant to §§ 34 and 35 BDSG. In addition, there is a right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).

The supervisory authority responsible for us is:
State Commissioner for Data Protection and Freedom of Information
North Rhine-Westphalia
PO Box 20 04 44
40102 Düsseldorf
Tel .: 0211/38424-0
Fax: 0211/38424-10
Email: poststelle@ldi.nrw.de

Is there an obligation to provide data? In the context of the contractual relationship, you must provide those personal data that are necessary for the initiation, execution, and termination of the contractual relationship and for the fulfillment of the associated contractual obligations or which we are legally obligated to collect. Without this data, we will generally not be able to conclude or execute the contract with you.

Information about your right to object under Article 21 of the General Data Protection Regulation (GDPR) Case-specific right to object You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(f) GDPR (processing based on legitimate interests); this also applies to profiling based on this provision within the meaning of Article 4 No. 4 GDPR. However, profiling is intentionally not carried out by our company.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.

The objection can be sent informally to our company headquarters in Essen.