Privacy Policy for Business Partners
Version: 13/07/2022
The protection of personal data of our customers’ and suppliers’ contacts ("business partners") is an important concern for Hamberger Sanitary GmbH and for Hamberger Industriewerke GmbH (in short: Sanitary/HIW). Therefore, Sanitary/HIW processes personal data exclusively in accordance with the applicable legal provisions on the protection of personal data and data security.
I. Controller’s name and address
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
Hamberger Sanitary GmbH
Rohrdorfer Straße 133
83071 Stephanskirchen
II. Scope of the processing of personal data
When cooperating with business partners, Sanitary/HIW processes the following categories of personal data:
- Contact information, such as first and last name, business address, business phone number, business mobile phone number, business fax number and business e-mail address
- Payment data, such as details required to process payment transactions
- Other data, the processing of which is required in the context of a project or for the handling of a contractual relationship with Sanitary/HIW or which is voluntarily provided by our contacts, such as inquiries made or project details
- Data that are collected from publicly available sources, information databases or credit agencies
III. Legal basis for data processing
The legal basis for the temporary storage of data shall be points (b), (c) and (f) of Art. 6(1) GDPR.
IV. Purpose of data processing
When cooperating with business partners, Sanitary/HIW processes personal data for the following purposes:
- Communication with the business partners regarding the products, services and projects, e.g. to process inquiries from the business partner
- Planning, executing and managing the (contractual) business relationship between Sanitary/HIW and the business partner, e.g. to process orders for services, collect payments, for accounting, billing and debt collection/payment purposes and to perform deliveries, maintenance activities or repairs
- Maintaining and protecting the safety/security of our products and services and our websites, preventing and detecting security risks, fraudulent activity, or other criminal activity or acts performed with the intent to cause damage
- Compliance with legal requirements (e.g., tax and commercial retention obligations)
- Settling legal disputes, enforcing existing contracts, and asserting, exercising and defending legal claims.
If the aforementioned personal data are not provided or Sanitary/HIW is unable to collect such data, it may not be possible to achieve the individual purposes described.
V. Transfer and disclosure of personal data
Sanitary/HIW may transfer personal data to its tax consultant for compliance with legal obligations and generally accepted accounting principles.
Sanitary/HIW may transfer personal data to courts, supervisory authorities, government agencies or law firms as legally permitted and necessary to comply with applicable law or to assert, exercise or defend legal claims.
Sanitary/HIW collaborates with the following service providers (referred to as processors):
- Hosting service providers
- Telephone system service providers
- IT service providers
- Cloud service providers
- Software developers
These service providers will only act on the instructions of Sanitary/HIW and are contractually obligated to comply with the applicable data protection requirements.
No data processing takes place outside the EU or the EEA.
VI. Retention period
In so far as required, Sanitary/HIW processes the personal data for the duration of the business relationship; this also includes the initiation and execution of a contract.
In addition, Sanitary/HIW is subject to various storage and documentation obligations, resulting, inter alia, from the German Commercial Code (Handelsgesetzbuch, HGB). The retention and documentation periods specified therein are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.
VII. Rights of data subjects
The following list includes all rights of data subjects in accordance with the GDPR. If your personal data are processed, you are a data subject within the meaning of the GDPR and you shall have the following rights vis-à-vis Sanitary/HIW:
- Right to access
You may request confirmation from the controller as to whether personal data concerning you is being processed by Sanitary/HIW. Where that is the case, you may request information from the data controller about the following:
- the purposes for which the personal data are processed
- the categories of personal data which are processed
- the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed
- the envisaged period for which personal data concerning you will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- where the personal data are not collected from the data subject, any available information as to their source
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information about whether personal data concerning you are transferred to a third country or to an international organization. In this context, you shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
- Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.
- Right to restriction of processing
Under the following conditions, you may request the restriction of the processing of personal data concerning you:
- You contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims.
- You have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those that you submitted.
Where processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to erasure
You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase such data without undue delay where one of the following grounds applies:
- The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
- The personal data concerning you have been processed unlawfully.
- The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
b) Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17(1) GDPR to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, such personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) and as well as Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
5. Right to notification
If you have asserted the right to rectification or erasure of personal data or restriction of processing against the controller, the controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed, by the controller, about those recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on consent pursuant to point (a) of Art. 6 (1) GDPR or point (a) of Art. 9 (2) GDPR or on a contract pursuant to point (b) of Art. 6 (1) GDPR and
- the processing is carried out by automated means.
In exercising this right, you furthermore have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
9. Automated individual decision-making, including profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly you. This shall not apply if the decision
- is necessary for entering into, or performance of, a contract between you and the controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard your and freedoms and legitimate interests are in place. In the cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.