Business Partner Data Processing Notice
Craemer GmbH, its branches, affiliates, divisions and groups (collectively “Craemer”) provides this Business Partner Data Protection Notice ("Notice") to explain our practices as the responsible controller regarding the processing of personal data relating to our vendors, customers, suppliers, and business partners (collectively "Business Partners") and our Business Partners' employees.
The personal data referred to according to article 4 lit. 1 DS-GVO is all data that refer to you as a person or could be referred to you especially by means of names or organisational und customer code which allows an individual to be identified.
We provide this privacy statement to business partners (“Notice”) to act as the controller of the data processing processes related to our suppliers, customers and business partners (collectively “Business Partners”) and their employees associated with Craemer.
Scope:
This Notice applies to you if you are a Business Partner of Craemer as an individual (e.g., a consultant or sole entrepreneur) or if you are an employee of a Business Partner who interacts with Craemer on such Business Partner 's behalf.
Categories of Personal Data and Source:
Your personal data is processed for purposes of performing the contractual relationship with the Business Partner (including fulfilling the contractual obligations, invoice processing, communication, and legal and compliance activities), for purposes of marketing and CRM activities, and for security and fraud prevention activities.
Craemer relies on the following legal grounds for such processing activities:
- performance of the contractual relationship with the Business Partner (Art. 6 lit. b GDPR) ;
- legitimate interest of Craemer, Craemer 's affiliates or other third parties (such as governmental bodies or courts) (Art. 6 lit. f GDPR), The legitimate interest could be in particular group-wide information sharing, marketing and CRM activities, prevention of fraud, misuse of IT systems, or money laundering, operation of a whistleblowing scheme, physical security, IT and network security, internal investigations, or potential merger and acquisition activities;
- consent (Art. 6 lit. a GDPR);
- compliance with legal obligations (Art. 6 lit. c GDPR);
The provision of personal data is necessary for the conclusion and/or performance of the Business Partner contract, and is voluntary. However, if you do not provide personal data, the affected Business Partner management and administration processes might be delayed or impossible.
Categories of Recipients:
Craemer may engage service providers, acting as processors, in order to provide IT and other administrative support (e.g., service providers who provide account payable support or IT hosting and maintenance support). Those service providers may have access to your personal data to the extent necessary to provide such services.
Any access to your personal data is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.
Craemer may also disclose your personal data as required or permitted by applicable law to governmental authorities, courts, external advisors, and similar third parties.
Retention Period:
Your personal data is stored by Craemer and/or our service providers, strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the information is collected, in accordance with applicable data protection laws. When Craemer no longer needs to use your personal data to comply with contractual or statutory obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your information, including personal data, to comply with legal or regulatory obligations to which Craemer is subject, e.g. statutory retention periods which can result from e.g. Commercial Code, Tax Code etc. and usually contain retention periods from 6 to 10 years, or if we need it to preserve evidence within the statutes of limitation, which is usually three years but can be up to thirty years.
Your Rights:
If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
Pursuant to applicable data protection law you may have the right to: a) request access to your personal data; b) request rectification of your personal data; c) request erasure of your personal data; d) request restriction of processing of your personal data; e) request data portability; f) object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law.
a) Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals restrict your right of access.
You may have the right to obtain a copy of the personal data undergoing processing.
For further copies requested by you, we may charge a reasonable fee based on administrative costs.
b) Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c) Right to erasure (right to be forgotten): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
d) Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
e) Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
To exercise your rights please contact us as stated in the "Questions" section below.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
Right to object pursuant to Art. 21 General Data Protection Regulation You have the right to object on grounds relating to your particular situation, at any time to the processing of your personal data concerning you which is based on Art. 6 (1) lit. e and f GDPR and we can be required to no longer process your personal data. As Craemer processes and uses your personal data primarily for purposes of carrying out the contractual relationship with the Business Partner, Craemer will in principle have a legitimate interest for the processing which will override your objection request, unless the restriction request relates to marketing activities. To exercise your right please contact us as stated in the "Questions" section below. |
Craemer does not engage in automated decision-making.
Questions: If you have any questions about this Notice or your rights, please contact
Craemer GmbH
Data Protection
Brocker Straße 1
33442 Herzebrock-Clarholz
Craemer 's data protection officer can be contacted at
ecoprotec GmbH
Pamplonastraße 19
33106 Paderborn
datenschutzbeauftragter@craemer.com
Administration: Brocker Straße 1
Logistics, delivery, pick-up: Alte Ziegelei 2
33442 Herzebrock-Clarholz
Germany