
As of: 24 May 2018

Information for Customers and Suppliers on Data Protection in accordance with the EU General Data Protection Regulation (GDPR)

Data Protection

As employees and contact persons for our customers and suppliers, we would like to present you with the following information to give you an overview of the processing of personal data by us and of your rights arising from the General Data Protection Regulation and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

1. Who is responsible for data processing and who can I contact?

Therma Thermofühler GmbH
Schreinerweg 8
D-51789 Lindlar, Germany
Telephone: +49 (0)2266487330-0

2. For which purposes and on which legal basis do we process personal data?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation and national data protection regulations:

a) For the fulfilment of contractual obligations (Art. 6 Para. 1 lit. b GDPR)

in particular in connection with customer orders, suppliers, service partners and employees.

b) To safeguard legitimate interests within the scope of balancing interests (Art. 6 Para. 1 lit. f GDPR)

If necessary, we process your data beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties, notably for

  • transferring data within Therma Thermofühler GmbH,
  • advertising, unless you have objected to the use of your data,
  • reviewing and optimising procedures for needs analysis and direct customer approach, incl. customer segmentation and calculating closing probabilities,
  • asserting legal claims and defence in legal disputes,
  • ensuring the company’s information security and IT operations,
  • measures for building and plant security (e.g. access control),
  • measures to secure domiciliary rights,
  • measures for business management and further development of services and products,
  • controlling and risk management at Therma Thermofühler GmbH.

c) On the basis of your consent (Art. 6 Para. 1 lit. a GDPR)

Your consent to the processing of personal data for certain purposes (e.g. contact, direct marketing, newsletter) makes this processing lawful. You may revoke your consent at any time. This also applies to the revocation of declarations of consent given to us prior to the application of the EU General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation will only take effect in the future. Any processing that has occurred prior to your revocation is not affected by this. You can request an overview of the consent you have given us at any time.

d) Based on legal requirements (Art. 6 Para. 1 lit. c GDPR)

Furthermore, we are subject to various legal obligations, i.e. legal requirements (e.g. reviewing sanction lists). Our purposes for processing include, among other things, verifying your identity, complying with obligations regarding tax and social security monitoring, preventing fraud and money laundering, as well as assessing and controlling any risks within Therma Thermofühler GmbH.

3. Who receives my data?

Within the responsibility of Therma Thermofühler GmbH, only offices that need your personal data to fulfil our contractual and legal obligations or to safeguard legitimate interests are given access to it.

Furthermore, service providers and vicarious agents who we commission may receive data for these purposes. We may only disclose information about you if required to do so by law, if you have consented to it, if we are legally authorised to disclose or transfer information, and/or if any of our commissioned contract processors guarantee compliance with maintaining confidentiality and the requirements of the General Data Protection Regulation and the German Federal Data Protection Act. Subject to these conditions, the following recipients can receive data:

  • Therma Thermofühler GmbH as the central computer centre of Therma Thermofühler GmbH,
  • credit assessment service providers,
  • public authorities to fulfil legal obligations regarding notification, e.g. tax authorities, social insurance institutions, criminal prosecutors,
  • service providers for processing bank information,
  • service providers for supporting/maintaining EDP/IT applications,
  • service providers for archiving,
  • service providers for document processing,
  • compliance services,
  • service providers for checking sanction lists,
  • service providers for erasing data,
  • auditing services,
  • leasing companies,
  • collection service providers,
  • service providers for payment card processing (credit cards) and payment transactions with banks,
  • marketing service providers,
  • registration offices,
  • telephoning services,
  • service providers for website management (hosting/maintenance),
  • insurance services.

4. Is data transferred to a third country or to an international organisation?

Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary to execute your orders (e.g. material procurement, production, logistics), if legally required (e.g. tax reporting obligations), if you have given us consent or in the context of processing orders. Furthermore, data exchange also takes place with affiliated companies of Therma Thermofühler GmbH in third countries. If we use any service providers in third countries, in addition to written instructions they are obliged to comply with the level of data protection within the EU by agreeing on the EU’s standard contract clauses.

5. How long will my data be stored?

We process and store your personal data for as long as it is necessary to fulfil our contractual and legal obligations. We will erase your personal data as soon as it is no longer required for the above-mentioned purposes. Personal data may be retained for the period during which claims may be made against our companies (statutory limitation periods of three or up to thirty years). In addition, we store your personal data insofar as we are legally obliged to do so. Any corresponding proof and storage obligations result from commercial, tax and social security regulations.

6. To what extent do we use automated decision-making (including profiling)?

In principle, we do not use fully automated decision-making pursuant to Art. 22 GDPR to establish and execute the business relationship.

7. Does “profiling” take place?

We use web analysis tools, especially tracking technologies, to inform and advise you about products and services in a targeted manner. These enable communication and advertising to be tailored to your requirements. In this regard, we refer to our privacy policy on our website, which also provides information about the use of cookies. Due to statutory requirements, we are obliged to check against current sanctions lists. These measures also serve to protect you.

8. What rights do I have concerning data protection?

Within the meaning of the GDPR, you are as an employee considered to be a data subject if we process your personal data. Thus, you are entitled to the following rights towards us as controller. If you wish to assert your rights or to receive any further information, please contact us or our Data Protection Officer:

a) Rights according to Art. 15 et seqq. GDPR

(1) Pursuant to Art. 15 GDPR, you have the right to access. Pursuant to Art. 16 GDPR, under certain conditions you have the right to rectification; pursuant to Art. 18 GDPR, the right to restrict processing; and pursuant to Art. 17 GDPR, the right of erasure (“right to be forgotten”). In addition, pursuant to Art. 20 GDPR and provided that the processing is carried out using automated procedures and is based on consent in accordance with Art. 6 Para. 1 lit. a or Art. 9 Para. 2 lit. a or on a contract in accordance with Art. 6 Para. 1 lit. b GDPR, you have the right for the data provided by you to be transferred in a structured, common and machine-readable format (right to data transferability). The restrictions according to Sections 34 and 35 BDSG apply to the right to access and the right to erasure.

b) Revocation of consent pursuant to Art. 7 para. 3 GDPR

You can revoke your consent to the processing of personal data at any time if the processing is based on your consent. This also applies to the revocation of declarations of consent that were made before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that the revocation will only take effect in the future. Any processing that has occurred prior to your revocation is not affected by this.

c) Right to lodge a complaint

You may lodge a complaint with us or with a data protection supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the presumed infringement (Art. 77 GDPR in conjunction with Section 19 BDSG).

d) Right to object pursuant to Art. 21 GDPR

In addition to the aforementioned rights, you have the right to object as follows:

(1) Right to object in individual cases

For reasons arising from your particular situation on the basis of Art. 6 Para. 1 lit. f GDPR (data processing on the basis of a weighing of interests), you have the right to object at any time to the processing of your personal data; this also applies to profiling based on this provision within the meaning of Art. 4 Para. 4 GDPR. If you file an objection, we will no longer process your personal data unless we can prove compelling reasons for processing which are worthy of protection and which outweigh your interests, rights and freedoms, or if the processing serves the assertion, exercise or defence of legal claims.

(2) Right to object to the processing of data for advertising purposes

In individual cases, we process your personal data in order to perform direct advertising. At any time, you have the right to object to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is connected with such direct advertising. If you object to the processing for purposes of direct marketing, we will no longer process your personal data for these purposes.

The objection can be sent formally to the office indicated under Section 1 of this Data Protection Declaration.

9. Supervisory authority

You also have the right to lodge a complaint with your data protection supervisory authority about the processing of your data.