The following information is intended to provide an overview about how we process your personal data and about your rights under data protection legislation.
1. Party responsible for data-processing and contact details of data privacy officer
Common-Link AG, Koellestrasse 30b, 76189 Karlsruhe, Tel.: +49 (0) 721 81968 300, Fax: +49 (0) 721 81968 400, Mail: email@example.com
Data privacy officer: E-mail to firstname.lastname@example.org or to our postal address addressed to the “data privacy officer”.
2. Sources from which personal data originates?
We process personal data that we have obtained from business relationships (e.g. with customers and suppliers) or from queries addressed to our enterprise. As a rule, we receive such data directly from our contracting partner or from the person submitting a query. However, personal data can also originate from public sources (e.g. the Commercial Register), provided such data may be lawfully processed. Data can also be provided by other enterprises authorized accordingly. Depending on the individual case, we store such data as well as own information (e.g. within the context of an ongoing business relationship).
Depending on the individual case, this can concern master data (e.g. name and address), contact details (e.g. telephone number, e-mail address), contractual and invoicing data in order to perform our contractual obligations, or data required in order to deal with a query, possibly data on credit-worthiness, advertising and sales data as well as other data from similar categories.
3. What are the purposes of and the legal basis on which personal data is processed?
We process personal data in accordance with data privacy laws, in particular the EU General Data Protection Regulation and the German Federal Data Protection Act (BDSG).
a.) Within the context of the performance of a contract or in order to implement pre-contractual measures (Art. 6(1)(b) EU General Data Protection Regulation)
We process personal data primarily for the performance of contractual obligations and to provide the relevant performance, or within the context of the corresponding initiation of a contract (e.g. contractual negotiations, preparation of an offer). The exact purposes depend on the relevant performance or product to which the business relationship or the initiation of a contract relates.
b.) Within the context of compliance with a legal obligation (Art. 6(1)(c) EU General Data Protection Regulation
Often we are under a legal obligation to obtain certain personal data from you and to forward it or make it available to certain - usually public - offices.
For example, we provide the personal data required according to the relevant statutory requirements to the tax authorities, for the purpose of assessing taxes.
c.) Within the context of a balancing of interests (Art. 6(1)(f) EU General Data Protection Regulation)
In addition, we collect and process personal data in order to pursue legitimate interests in the following situations:
- Processing of general queries concerning our products and services
- Verification of credit-worthiness using corresponding credit agencies in order to estimate the default risk in business relationships
- Advertising and market research
- In order to make or defend legal claims where legal disputes arise
- In order to ensure IT operations and IT security
- Measures for the safety of buildings and facilities (e.g. access authorization)
- Measures to improve our internal business processes and to optimize products
d.) Within the context of consent granted (Art. 6(1)(a) EU General Data Protection Regulation)
In some situations the processing of your personal data is not essential and is only permitted with your consent. In such cases we will point out this fact, in particular the voluntary nature of the grant of consent and the possibility of revoking such consent with future effect.
This is, for example, the case regarding
- some situations in advertising (existence of consent to advertising, insofar as required by law)
4. Recipient of personal data
Generally speaking, the enterprise grants access to your data solely according to the need-to-know principle, i.e. to persons and offices that require access to the data for compliance with a contractual or legal obligation. Such persons and offices can also include service providers and vicarious agents acting upon the instructions of the enterprise and/or under a confidential data-processing obligation.
In certain situations we provide your data to
- public offices (e.g. the tax authorities) where there is a corresponding statutory obligation
- other enterprises within the context of the performance of contractual relations, a balancing of interests or based on your consent. Depending on the business relationship or the commission, in an individual case this can be an enterprise contributing to the provision of our performance, logistics partners, marketing services providers, credit agencies, banks, tax advisors and lawyers.
5. Is data transferred to a third country or an international organization?
We transfer personal data to other offices in countries outside the European Union (Third Country), insofar as is necessary in order to conduct the business relationship, insofar as it is prescribed by law or insofar as you have granted your consent accordingly.
In certain situations we avail ourselves or reserve the right to avail ourselves of service providers who might be located in a Third Country or who on their part might have service providers located in a Third Country.
The transfer of data to a Third Country is permissible under Art. 45 EU General Data Protection Regulation where the European Commission has decided that there is an adequate level of protection in a Third Country. In the absence of such a decision, the transfer of data to a third country is permissible if the controller or processor has provided appropriate safeguards (e.g. the so-called standard data protection clauses issued by the European Commission), and on condition that enforceable rights and effective legal remedies are available to the data subject (Art. 46 EU General Data Protection Regulation).
As a matter of principle, we only work together with offices in a Third Country that meets the above-mentioned criteria.
6. Storage term for data
We process and store your personal data for as long as is necessary in order to satisfy our contractual and statutory obligations. Insofar as the storage of personal data is no longer necessary for the satisfaction of such obligations, such data will be erased unless there are statutory safe-keeping obligations, for example safe-keeping obligations under commercial or tax law under the Tax Code and the Commercial Code (6 or 10 years), and in order to preserve evidence within the context of statutory provisions on statutory limitation periods.
7. Rights of data subject
You have the following rights in relation to us with regard to your personal data:
- Right to obtain information
- Right to correction and erasure
- Right to restrict processing
- Right to object to processing
- Right to data portability
You are also entitled to submit a complaint to a data protection supervisory authority about the processing of your personal data performed by us.
However, you may also contact (in confidence) our company data privacy officer.
Insofar as you have granted consent to us (Art. 6(1)(a) EU General Data Protection Regulation), you may revoke such consent at any time with future effect.
Insofar as the processing of your personal data by us is based on a balancing of interests (Art. 6(1)(f) EU General Data Protection Regulation), you may object to such processing. When submitting such an objection, please state the reasons why we should not process your personal data in the manner in which we did. If your objection is well-founded, we will examine the situation and will either discontinue or adjust the data-processing, or will present our reasons meriting compulsory protection, on the basis of which we will continue the processing.
You may object to the processing of your personal data for advertising purposes at any time.
8. Obligation to provide personal data
Within the context of performing or initiating a contract, you have to provide the personal data required in order to perform the contract or implement pre-contractual measures and the obligations they entail. In addition, you have to provide the personal data that we are obliged by law to collect. If such data is not provided, we will be unable to enter into or perform a contract with you.
Where data is collected on the basis of consent, you provide such data voluntarily and without being obliged to do so. Where consent is not granted, we will however be unable to provide the performance or services based on data-processing by means of consent. You may revoke such consent at any time after it is granted, with future effect.
9. Does automated decision-making or profiling take place?