The following information is intended to provide you with an overview of the processing of your personal data by us and your rights under the Data Protection Law (DS-GVO/BDSG). What data are processed in detail and the way in which they are used depends essentially on the services requested or agreed. Therefore, not all parts of this information will apply to you specifically. Who is responsible for the data processing and who can you contact?
The party responsible is: SMT Scharf GmbH, Römerstraße 104, 59575 Hamm and thus the “Data Controller”, hereinafter referred to as “SMT” or “we”.
You can contact our Data Protection Officer at Datenschutz@smt-scharf.com or by post at SMT Scharf GmbH, c/o the Data Protection Officer, Römerstraße 104, 59575 Hamm.
- What sources and data do we use?
We process personal data that we receive from our customers or other stakeholders in the course of our business relationship. In addition – where necessary for the provision of our service – we process personal data that we obtain from publicly accessible sources (e.g. commercial and association registers, press, Internet) in a permissible manner or which are sent to us legitimately by other companies of our group members or other third parties (e.g. a credit agency).
Relevant personal data include personal details (name, address and other contact details, date and place of birth, nationality) and identification data (e.g. ID card data). This can also include order data (e.g. payment order), data arising from the fulfillment of our contractual obligations (e.g. sales data in payment transactions), information about your financial situation (e.g. credit rating data), as well as other data comparable to the aforementioned categories. In addition, we store your order history and your correspondence with us.
- What do we process your data for (purpose of the processing) and on what legal basis?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Law (BDSG).
a. for the fulfillment of contractual obligations (Art. 6 (1) (b) of the GDPR)
The processing of data is carried out for the provision of our production performance and services in the context of executing our contracts with our customers or for the implementation of pre-contractual measures taken on request. The purposes of data processing are primarily based on the specific product or service. Your data are also used for evaluation and acceptance as a business partner, e.g. to confirm and verify your identity. We also process your personal data for other administrative purposes, e.g. for due diligence and comparison with publicly accessible sanctions lists kept by government and/or law enforcement agencies. This processing is absolutely necessary for the conclusion of a contractual agreement between you and ourselves. We also use your personal data for administrative purposes, e.g. for sending invoices and making payments. We furthermore use your personal data to deliver/provide and manage our or your products and services. If you need access to our buildings/grounds, we process your personal data for verification purposes.
Further details concerning the purposes of data processing can be found in the relevant contract documents and terms & conditions of business.
b. in the context of balance of interests (Art. 6 (1) (f) of the GDPR)
Where necessary, we process your data beyond the actual fulfillment of the contract for the purpose of safeguarding our legitimate interests or those of third parties:
- Measures for business management and the further development of services and products,
- measures for the analysis of customer behavior and to improve the products and services accordingly (development, implementation and analysis of market studies and marketing strategies) as well as use of the analysis results to modify our offers, newsletter or our website.
- Advertising, insofar as you have not objected to the use of your data, sending appropriate offers/quotations, account management and recall purposes.
- For the execution of business processes and internal management. This includes SMT’s general administration, order management and asset management. We have central data processing systems at our disposal. We perform audits and inspections as well as corporate controls, and manage and use customer, vendor and business partner directories. We also process your personal data for financial, accounting, archiving and insurance purposes.
- Assertion of legal claims and defense of legal disputes,
- ensuring IT security and our company’s IT operations,
- prevention and investigation of criminal offenses,
- video surveillance for the purpose of safeguarding company rules and collecting evidence in the event of robbery,
- building and plant safety measures (e.g. access controls),
- measures to safeguard company rules,
- risk control in the company
c. on the basis of your consent (Art. 6 (1) (a) of the GDPR)
If you have given us your consent to the processing of personal data for particular purposes (e.g. invitations to events, promotions, etc.), the lawfulness of such processing is based on your consent. Consent that has been given can be withdrawn at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. The withdrawal of consent is only effective for the future and does not affect the lawfulness of the data processed up to the time of revocation.
- Who gets your data?
Within the company, your data are made accessible to those departments/offices that need the same for the fulfillment of our contractual and statutory obligations. Service providers and vicarious agents used by us can also receive data for these purposes. These are companies in the IT services, logistics, printing services, telecommunication, consultancy, banking, insurance, accountancy and sales and marketing categories.
If third parties gain access to your personal data, SMT will take the contractual, technical and organizational measures required to ensure that your personal data are only processed to the extent that such processing is necessary. During processing, the third parties are obliged to comply with the applicable law at all times.
In principle, we may only pass on information about our customers if required to do so by law or if the customer has given his/her consent.
SMT staff may only access personal data to the extent necessary to meet the respective purpose and enable them to perform their individual tasks.
- Are data transmitted to countries outside the European Union or to an international organization?
Transmission of data to bodies in countries outside the European Union (so-called third third countries) takes place insofar as:
- it is required to complete your orders (e.g. payment orders),
- it is required by law (e.g. tax reporting obligations) or
- you have given us your consent.
In addition, transmission to bodies in third countries is provided for in the following cases:
- Personal data of parties interested in our products and services can be processed with their consent within the framework of a CRM system, even in the USA.
- Personal data (e.g. verification/identification data) are transmitted in compliance with the European Union data protection level in individual cases with the consent of the person concerned or on the basis of statutory provisions to combat money laundering, the financing of terrorism and other criminal offenses, as well as in the context of a balance of interests. SMT will ensure that your personal data are adequately protected – e.g. by agreeing standard EU contract terms with such third parties. In other cases, your personal data will not be disclosed to third parties unless this is required by law.
- How long are your data stored for?
We process and store your personal data for as long as this is necessary for the fulfillment of our contractual and legal obligations. It should be noted in this regard that our business relationship is a continuing obligation that lasts for several years.
If the data are no longer required for the fulfillment of contractual or legal obligations, they are deleted on a regular basis unless their – temporary – further processing is necessary for the following purposes:
- Fulfillment of retention obligations under commercial or tax law that can arise from, for example: The Commercial Code (HGB), the Tax Code (AO), Money Laundering Law (GwG). The storage and retention periods specified there are usually two to ten years.
- Preservation of evidence in the context of the statute of limitations. Under the provisions of §§ 195 ff of the Civil Code (BGB), these limitation periods can be up to 30 years, though the regular limitation period is 3 years.
SMT has taken reasonable precautions to guarantee the confidentiality and protection of your personal data. The company has taken adequate technical, physical and organizational precautions to protect personal data from accidental or unlawful destruction or accidental loss as well as against damage, alterations, unauthorized disclosure or access and any other form of unlawful processing (including, but not limited to unnecessary recording) or more extensive processing. These include, for example, IT security directives, staff training sessions and server backup.
- What data protection rights do you have?
Each data subject has the right to information under Article 15 of the GDPR, the right to correction under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR. The restrictions under §§ 34 and 35 of the GDPR apply with regard to the right to information and the right to erasure. In addition, there is a right to appeal to a competent data protection supervisory authority (Article 77 of the GDPR in conjunction with § 19 of the Federal Data Protection Law).
You can withdraw the consent to the processing of your personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. Please note that such revocation will only take effect for the future. Processing that occurred prior to withdrawal of the consent is not affected.
- Is there an obligation for you to provide data?
As part of our business relationship, you must provide the personal details necessary to initiate, conduct and terminate a business relationship and to perform the associated contractual obligations, or the data we are obliged to collect by law. Without these data, we will normally be unable to conclude, execute or terminate a contract with you.
Information concerning your right to object
under Article 21 of the GDPR (General Data Protection Regulation)
- Case-specific right of objection
You have the right, for reasons arising from your particular situation, to lodge an objection at any time against the processing of personal data concerning you that is carried out on the basis of Article 6 (1) (e) of the GDPR (data processing in the public interest) and Article 6 (1) (f) of the GDPR (data processing on the basis of balance of interests); this also applies to profiling based on this provision within the meaning of Article 4 (4) of the GDPR.
If you lodge an objection, your personal data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise and defend legal claims.
- Right to object to the processing of data for direct marketing purposes
In individual cases, we process your personal data for the purpose of conducting direct marketing. You have the right to lodge an objection at any time against the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing.
If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be lodged informally and should, where possible, be addressed to: email@example.com