Privacy information for our business partners

(for German version click here)

It is very important for s.boehme & co. KGaA to observe all applicable regulations in data protection. The General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG) require us to fulfill comprehensive information obligations. We believe this is the right thing to do and take this responsibility very seriously. In the following text, we therefore explain to you what information, i.e. also so-called "personal data", we process about you as a business partner and inform you about the rights you have against s.boehme & co. KGaA with regard to your personal data.

This information is intended to be written in such a way that even legal laypersons can understand it - we hope we have succeeded. If you find any points unclear, please contact us - we will be pleased to explain our extensive data protection measures to you personally.

Who is this data protection information primarily aimed at?

This information is primarily intended for our business partners: "Business partners" are customers or suppliers who wish to conclude or have concluded contracts with us for the supply of products or the provision of services. However, they are also companies, organizations or natural persons with whom we have not concluded contracts for the supply of goods or services, but with whom we exchange information on a regular basis or in individual cases. For example, these are partner companies from the trade associations to which we are affiliated and with whom we build up, exchange and improve specialist knowledge in order to optimize our services and products.

However, it is also directed at any other person whose data we process:

Our overriding principle for processing your personal data is that we will only process personal data if a legal requirement allows us to do so or if the data subject, for example you, has given us express consent to do so.

Who is responsible for data processing?

The data controller for the processing of your personal data is our company, s.boehme & co. KGaA, Metzlerstraße 21, D-60594 Frankfurt am Main, Germany, telephone +49 69 8600 7227 0, fax +49 69 8600 7227 7, realestate@sboehme.com. When we write "we", "us" or "the company" in this data protection information, we always mean this company.

We are available at all times to answer any questions you may have about the processing of your personal data. You can reach us either via our contact details above or simply and directly via e-mail address dsb@sboehme.com .

What data do we process?

Of course, we can only exchange information or do business with our business partners if we process data from them: So company name and address are at least necessary, but that alone is usually not yet personal data.

However, if the data allow conclusions to be drawn about a natural person, they become personal data. This may already be the case if the company name contains the name of the owner, or in the case of registered traders or freelancers. Completely independent of the legal form of our business partners, we also usually process data on their contact persons in the company, i.e. their names and contact data such as e-mail addresses or telephone numbers. Therefore, please also provide this data protection information to the people within your organization who are involved in the business relationship with us, e.g. our contacts in your company.

Master data:

We refer to the essential data about your company, the contact persons and our business relationship (e.g., a contract) as master data. This includes, for example, the company name, the contract data and the names of the contact persons.

In particular, master data includes:

  • all information that we receive when initiating or opening the business relationship or that we have requested from our contractual partner or the contact persons (e.g. first and last name, job description, address and other contact data, also telephone and mobile phone data, bank details, tax data),

  • such data that we have collected from ourselves in connection with the initiation or opening of the business relationship (in particular, the details we need to prepare and send you information, consulting protocols or information on processes in your company, insofar as they are necessary for our work, as well as information to prepare offers or invoices or to conclude contracts).

History data:

Of course, we also process personal data that accrues during our business relationship and that goes beyond a mere change in master data. We then call this type of data historical data.

This category primarily includes:

  • Data about the products and services that were delivered or provided by our business partners on the basis of the contracts concluded;

  • Data on products and services supplied or rendered by us on the basis of existing or concluded contracts.

  • or provided by us on the basis of existing or concluded contracts;

  • Information provided to us by our business or contact partners themselves or at our request;

  • information on the business activities of our business partners, which we receive from them, their contacts or third parties, or which we obtain from public sources;

  • personal information that we otherwise receive from you, our business partners, contacts or also from third parties or from publicly available sources.

We may also store personal data from third parties to the master or historical data to the extent permitted by law, such as information about the economic situation of our business partners. This may, for example, be data from credit agencies in order to assess business risks, such as possible payment defaults.

For what purposes and on what legal basis do we process personal data?

We process master and history data for the realization of concluded contracts with our business partners or for the implementation of pre-contractual measures, such as offers or other correspondence on the basis of Article 6 (1) b) GDPR. Regardless of the legal form of the business partner, we process master and historical data relating to one or more contact persons to protect our legitimate interest in the business relationship pursuant to Article 6(1) f) GDPR.

We may also process master and historical data due to legal obligations to which we are subject pursuant to Art. 6 para. 1 lit c) GDPR. In particular, the mandatory reports to tax and other authorities belongs to this category.

In addition, our legitimate interest or the legitimate interest of third parties allows us to process master and historical data on the basis of Art. 6 (1) (f) GDPR. Our legitimate interests include the clarification of economic risks in connection with our business relationships, such as payment defaults, the assertion of legal claims and the defense in legal disputes, the prevention and investigation of criminal offences, the management and optimization of our business activities, including risk management.

Insofar as we give a natural person the opportunity to give consent to the processing of his or her personal data, we always process the data covered by the consent only for the purposes stated in the consent on the basis of Art.6 para.1 lit. a) GDPR.

Your right to revoke consent

The General Data Protection Regulation (DSGVO) grants you an extensive right to withdraw your consent in Art. 7. It is particularly important that

the granting of consent to us is always voluntary;

if you do not wish to give us consent or wish to withdraw consent you have given, this may be associated with certain consequences, about which we will inform you before or when you give your consent,

consent given to us can be revoked at any time with effect for the future. You can do this, for example, by sending us a message by mail, fax or e-mail via one of the contact options listed above under "Who is responsible for data processing?".

Is there an obligation to provide personal data?

No, but we cannot open a business relationship with you without data. Therefore, the collection or provision of the above-mentioned master and historical data is always required, unless we specify otherwise when collecting the data.

If we collect personal data in addition to the above, we will indicate at the time of collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract. As a rule, we mark those data that you can provide voluntarily and whose collection is not based on an obligation or is not required for the conclusion of a contract.

Who receives personal data from us?

Your personal data is generally processed within our company. Depending on the specific type of personal data, only the departments and persons within our company have access to the data to the extent they need to carry out the purpose of the processing. To ensure this, we use a role and authorization concept. The departments primarily include the accounting and sales departments and, depending on the type of service agreed, the various service departments. Since we generally process data with the help of our IT, our internal IT employees also process personal data to a limited extent.

We may also transfer personal data to third parties outside our company to the extent permitted by law. These external recipients include, in particular, companies of our corporate group or service providers engaged by us who process personal data for us on a separate contractual basis, as well as subcontractors of our service providers engaged with our consent. In addition, non-public and public bodies, insofar as we are obliged to transfer your personal data due to legal obligations.

Do we use automated decision making?

As a matter of principle, we do not use automated decision-making within the meaning of Article 22 GDPR for our business relationships, which includes profiling in particular. If we do use such procedures in individual cases, we will inform the data subjects of this to the extent required by law.

Is data transferred to countries outside the EU or to international organizations?

Personal data is processed exclusively within the EU or the European Economic Area; there are no plans to transfer data to third countries.

For how long is personal data stored?

Personal data is generally stored by us for as long as we have a legitimate interest in storing it and the interests of the data subject in not continuing to store it do not outweigh this interest.

In the absence of a legitimate interest, we may also store the data if we are required to do so by law, for example to comply with tax retention obligations. Personal data will be deleted by us as soon as it is no longer necessary to fulfill the purpose of the processing or the storage is otherwise legally inadmissible. The deletion takes place without the data subject having to request us to do so.

As a rule, we store master data and history data at least until the business relationship has ended. Data is deleted at the latest when the purpose of the storage has been fulfilled, even if this only occurs after the business relationship has ended. If we have to store personal data to fulfill retention obligations, it will be stored until the end of the respective retention obligation. If we store personal data only for the purpose of fulfilling the retention obligations, they are generally blocked in such a way that processing is only necessary in relation to the purpose of the retention obligation (e.g. for disclosure to tax authorities).

What rights do data subjects have?

Every data subject has the right

  • to information on the personal data stored about them in accordance with Article 15 GDPR;

  • to correction of incorrect or incomplete data in accordance with Article 16 GDPR;

  • to erasure of personal data, pursuant to Art. 17 GDPR;

  • to restriction of processing, pursuant to Art. 18 GDPR;

  • to data portability, pursuant to Art. 20 GDPR, and

  • to object, pursuant to Art. 21 GDPR: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the legal basis of our legitimate interest pursuant to Article 6(1f) GDPR. In the event of such an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

  • To exercise your rights, you or the data subject may contact us at any time, e.g. via one of the contact channels mentioned in the section "Who is responsible for data processing?". If you have any questions regarding the processing of personal data, you or the data subject may contact our data protection officer at any time.

A data subject is also entitled to lodge a complaint with a competent data protection supervisory authority pursuant to Art. 77 GDPR. The contact details of all German supervisory authorities can be found under this link at the Federal Commissioner for Data Protection and Freedom of Information (BFDI): https://www.bfdi.bund.de

Thank you for your interest in our data protection information.

Your s.boehme & Co. KGaA