// Data Protection Statement
Processing of Prospect, Customer and Contact Data
With the following information, we aim to give you an overview of how we process your personal data and of your rights under the General Data Protection Regulation. What data will be processed in a specific case and the manner in which it will be used will essentially depend on whether you or your company are already our customers or whether we have stored your data upon your contacting us. Consequently, not all of the following information will be applicable to you.
// Who is responsible for data processing within the meaning of the GDPR?
ELWEMA Automotive GmbH
Dr.-Adolf-Schneider-Str. 21
73479 Ellwangen
Tel. +49 (0) 7961 877-0
Who is our data protection officer?
Gerald Saur
GS Managementsysteme
Quandtstraße 3
73479 Ellwangen
gerald.saur[at]gsmanagement.de
Tel. +49 (0) 7961 53171
Mob. +49 171 8116134
// For what purpose and on what legal basis will the data be processed?
We process personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)
a) for the purpose of performing contractual obligations (Article 6(1)(b) GDPR)
Data processing is carried out to fulfil or to place orders in the context of performing our contracts with our customers or to take pre-contractual steps upon receipt of an enquiry. The purposes of such data processing depend primarily on the specific product and may include, without limitation, requirement analyses, consulting, and any services related thereto. For further details on data processing purposes please refer to the relevant contractual documents.
b) based on your consent (Article 6(1)(a) GDPR)
To the extent to which you have granted us your consent to the processing of personal data for one or more specific purposes (e.g., newsletter distribution, advertising, photos in the context of events), such processing shall be lawful by virtue of your consent. A consent once given may be withdrawn any time. This also applies to the withdrawal of consent declarations issued to us prior to the coming into force of the GDPR, i.e., before 25 May 2018. Consent is withdrawn with effect for the future, i.e., the lawfulness of data processing performed up to such withdrawal will not be affected thereby.
c) for the sake of compliance with legal requirements (Article 6(1)(c) GDPR or where processing is in the public interest (Article 6(1)(e) GDPR)
Moreover, we are subject to diverse legal obligations, i.e., requirements imposed by law (e.g., tax law, Civil Code, Commercial Code, Fiscal Code). Processing may be conducted for the purposes of, e.g., conforming to tax law provisions, risk assessment and control, observing retention periods under commercial and tax law, and complying with export regulations (e.g., taking into account published sanctions lists).
d) as part of a balancing of interests (Article 6(1)(f) GDPR))
If necessary, we will process your data above and beyond actual contract performance in order to safeguard legitimate interests of ourselves or third parties.
// What are legitimate interests pursued by ourselves, or by a third party, in the processing of data (under Article 6(1)(f)?
Legitimate interests in the processing of data may reside in the following:
consultation and data exchange with credit agencies (e.g., Creditreform) in order to establish credit risks;
testing and optimization of demand analysis methods for addressing customers directly;
advertising, invitations to trade fairs and other events, sundry communications aimed at keeping up business relations, as well as market and opinion surveys, to the extent that you have not objected to the use of your data;
accounting for sales commissions;
assertion of legal claims and defence in legal disputes;
measures aimed at ensuring building and equipment security (e.g., access controls).
// What categories of personal data are processed?
Relevant personal data are personal identification particulars (name, address and other contact data, bank account information). They may further include contract data (e.g., purchase orders), data arising from our performance of contractual obligations (e.g., sales data), information about your company’s financial situation (e.g., data on credit standing), advertising or sales/distribution data, documentation data (e.g., visitation reports), or other data similar to the above categories.
// To whom do we pass on your personal data??
Within the company, access to your data is available to those units which need this information to fulfil our contractual and legal obligations.
Service providers or subcontractors/agents employed by ourselves may likewise obtain this data provided that the lawful use of your personal data is ensured. These are enterprises in the categories of project-relevant services, chartered accounting, auditing, IT services, logistics, telecommunications, consulting, and sales/marketing.
Furthermore, data recipients may include entities to whom we may transmit data under your consent, or to whom we are authorized to transmit personal data on the basis of a balancing of interests.
To which third countries will your data be transmitted?
A transmission of data to countries outside the European Union (so-called “third countries”) will take place to the extent that
this is necessary to fulfil your orders;
it is required by law;
you have given us your consent.
// For how long will your data be stored or archived?
We will process and store your personal data as long as is necessary for us to perform our contractual and legal obligations. Data no longer required for the fulfilment of contractual or legal obligations will be deleted on a regular basis except if they must be processed further, for a limited period of time, for any of the following purposes:
compliance with retention duties under commercial and fiscal law as set forth, e.g., in the Commercial Code, Fiscal Code and Civil Code. The document retention times stipulated therein usually amount to between 2 and 10 years.
conservation of evidence in accordance with legal limitation periods under sections 195 et seq. of the Civil Code; these limitation periods can be up to 30 years, with the regular limitation period being 3 years.
under the Product Liability Act, the retention period is at least 10 years but your customer-specific requirement will be taken into account if the retention period exceeds 10 years.
// What rights do you have?
You are entitled to obtain information on the personal data concerned, to have this data rectified or deleted, or to restrict the processing thereof. Furthermore, you have the right to object to the processing as well as a right to data portability. The GDPR provides for a right to complain to the Supervisory Authority. For contact data of this Supervisory Authority please refer to https://www.baden-wuerttemberg.datenschutz.de/aufsichtsbehorden/
// Do we need your consent to process your data?
Processing is performed on the above legal and contractual basis, hence no consent is required. With respect to processing based on your consent which you have given us under Article 6(1)(a) or Article 9(2)(a) (Consent), there exists a right to withdraw consent any time. Please note that pending such withdrawal, the lawfulness of any processing conducted by virtue of your consent remains unaffected.
// From where have we obtained your data?
We process personal data received in the context of our business relationship from customers or other parties concerned. Moreover, to the extent necessary for us to render our services and to fulfil our contracts, we process personal data lawfully obtained from publicly available sources (e.g., commercial registers, internet, press) or legitimately provided to us by other companies within our Group or by other third parties (e.g., a commercial credit agency, sales representatives, address portals).
// Is an automatic decision-making (profiling) process in place?
As a matter of principle, we do not employ fully automatic decision-making. Likewise, we do not use profiling.