Skip to main content
Simply innovative

Data protection_Suppliers

// Data Protection Statement for Supplier Data

Processing of supplier data

The following information is intended to provide an overview of how we process your personal data and your rights resulting from the General Data Protection Regulation (Regulation (EU) “GDPR”). The type of data we process and how we use it depends primarily on whether you or your company are already a customer of ours or whether we have stored your data when you contacted us. Therefore, not all the information below will be applicable to you.

// Who is responsible for data processing pursuant to GDPR?

ELWEMA Automotive GmbH
Dr.-Adolf-Schneider-Str. 21
73479 Ellwangen
Tel. +49 (0) 7961 877-0

Who is our data protection officer?

Gerald Saur
GS Managementsysteme
Quandtstraße 3
73479 Ellwangen
Tel. +49 (0) 7961 53171
Mob. +49 171 8116134

// For what purposes is the data processed and what is the legal basis for this?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG)

a) To fulfil contractual obligations (Article 6(1b) GDPR)
The purpose of processing this data is the provision and mediation of assignments as part of executing our contracts with our customers or to perform pre-contractual measures on request. The purposes of the data processing are primarily determined by the specific product and may include needs assessments, consultation and services in this area, among other elements. For further details on the purposes of the data processing, please refer to the relevant contractual documents and terms and conditions.

b) On the basis of your consent (Article 6(1a) GDPR)
Where you have given your consent for us to process your personal data for certain purposes (e.g. for a newsletter service, advertising, photographs from events), the statement of consent in question shall form the legal basis for the processing referred to therein. You may withdraw your consent to the processing of personal data at any time. This shall also apply to the withdrawal of declarations of consent which we received before the GDPR entered into force, i.e. prior to 25th May 2018. The withdrawal of consent will only take effect in the future; this means that the withdrawal does not affect the lawfulness for the processing of data up to the point at which data is withdrawn.

c) On the basis of legal requirements (Article 6[1c] GDPR) or in the public interest (Article 6 [1e] GDPR)
We are also bound by a number of legal obligations, i.e. statutory requirements (such as the German Temporary Employment Act [AÜG], tax legislation, the German Civil Code [BGB], the German Commercial Code [HGB] and the Fiscal Code of Germany [AO]). The purposes of processing include, amongst others, the fulfilment of tax law obligations, the valuation and containment of risks, the fulfilment of retention requirements based on commercial and tax law, and compliance with export regulations (such as reporting recently published sanction lists).

d) Based on the weighing up of interests (Article 6[1f] GDPR)
Where this is necessary to protect our legitimate interests, our processing of your data or the processing of your data by third parties may go beyond what is essential to the performance of the contract. This legitimate interest results from the quality requirement to be viewed as a reliable business partner by our customers in relation to the proper provision of our services, to which you make a considerable contribution as our (potential) supplier.

// What legitimate interests do we pursue or does a third party pursue when processing data (in accordance with Article 6[1f])?

There are legitimate interests for processing data in the following instances

- Consultation and data exchange with credit agencies (such as Creditreform) in order to determine credit risks,
- Reviewing and optimising procedures to conduct needs analyses for the purpose of approaching customers directly
- Advertising, invitations to trade fairs and other events and other communication to maintain the business relationship as well as market and opinion research, unless you have objected to the use of your data,
- Asserting and defending legal claims,
- Ensuring IT security and our company’s IT operation,
- Preventing and investigating criminal offences,
- For building and facility security measures (e.g. access controls).

// Which categories of personal data are processed?

Relevant personal data includes particulars (such as name, address and other contact details, bank details). Furthermore, this data can include order data (e.g. orders), data from the performance of our contractual obligations (e.g. turnover data), information regarding the financial situation of your company (e.g. creditworthiness data), advertising data, sales data, documentation data (e.g. reports) and other data deemed comparable with the categories specified here.

// With whom is your personal data shared?

Within the company, those who have access to our contractual and legal obligations are provided with this data.
Service providers and vicarious agents appointed by us can also receive access to this data if legally-compliant handling of your personal data is ensured. These are companies from the categories of accounting, audits, IT services, logistics, commercial agents, telecommunications, consulting, sales and marketing.
Other data recipients may be those for whom you have given us your consent to submit the data or to whom we may delegate personal data due to legitimate interests.

// To which third countries is your data transmitted?

Data is transmitted to locations outside the European Union (so-called third countries), provided that

- It is necessary for the execution of your orders,
- It is legally mandatory or
- You have given us your consent.

// How long is your data stored/archived for?

We process and store your personal data as long as this is required to fulfil our contractual and legal obligations. If the data is deemed no longer necessary for the contractual purposes or to fulfil legal obligations, the affected data will be deleted regularly, unless its (temporary) further processing is necessary for the following processes:

- To fulfil commercial or tax law retention periods, e.g. from the German Commercial Code (HGB), the Fiscal Code of Germany (AO) or the German Civil Code (BGB). The retention and/or documentation periods stipulated in these laws usually range from two to ten years.
- To preserve evidence within the framework of statutory periods of limitation in accordance with Sections 195 et seq. of the German Civil Code (BGB), these limitation periods are up to 30 years, with the regular limitation period lasting three years.

// What rights do you have?

You have the right of access to personal data concerning you, the right to rectification, the right to erasure and the right to the restriction of processing. Furthermore, you have the right to object to processing and the right to data portability. The GDPR stipulates a right to lodge a complaint with the supervisory authority. The contact details for the supervisory authority are available here:

// Do we require your consent for the processing of your data?

The processing is based on the aforementioned legal and contractual basis; therefore no consent is required. For processing based on your consent that you have provided us with in accordance with Article 6(1a) or Article 9(2a) (consent), you have the right to withdraw your consent at any time. Please note that withdrawing your consent does not affect the lawfulness of the processing of data on the basis of your consent before the time at which consent was withdrawn.

// Where do we gather your data?

We process personal data that we receive from our customers or other data subjects during the course of our business relationship. We also process personal data – in so far as is necessary for the provision of our services and the fulfilment of our contracts – that we legally obtain from publicly accessible sources (such as commercial registers, the Internet or the press) or that is legitimately transmitted to us by other companies or any other third parties (e.g. commercial agents, address portals).

// Is there automated decision-making (profiling)?

As a rule, we do not use any fully automated decision-making systems, nor profiling.