TÜV SÜD Industrie Service GmbH
TÜV SÜD Industrie Service GmbH
1. Who is responsible for data processing, and who can I contact in this respect?
TÜV SÜD Industrie Service GmbH
Westendstr. 199, 80686 München
Please send any written communication to our Data Protection Officer by regular mail at the above address, adding "For the attention of the Data Protection Officer”, or email to [email protected]
2. What kind of data do we use?
The specific types of your personal data that are processed by us depend on the services contracted or agreed. We use personal data only for the purpose for which they have been provided to us. Personal data include your personal details (name, address and other contact details). In addition to personal details, personal data can also include data related to the contract or order (e.g. payment order), data obtained from the performance of our contractual obligations (e.g. sales data in payment transactions), information about the client’s financial situation (e.g. creditworthiness data), advertising and sales data, and other data comparable with the above categories.
3. For what purposes do we process your personal data, and on what legal basis?
We process your personal data in compliance with the GDPR and local data protection requirements (e.g. BDSG-Neu) as well as all other relevant legal regulations.
a. For the performance of a contract (Art. 6 (1) lit. b GDPR)
The legal basis for the processing of personal data is the necessity of performing a contract or a pre-contractual measure in which you are, or are to become, one of the contracting parties. This concerns the following purposes in particular (but not exclusively):
Communication with you within the context of a contract, for purposes such as
• performance of contractually agreed measures and activities,
• performance of services in line with your contracts/orders and requests,
• billing and collection of payments, remunerations or fees, and traceability of the completed transactions.
b. Within the scope of balancing of interest (Art. 6 (1) lit. f GDPR)
We process your personal data beyond the extent required to fulfil our obligations under the contract where this is necessary to pursue our legitimate interests or the legitimate interests of third parties.
This concerns purposes including the following:
• Direct advertising,
• Obtaining information from / exchanging data with credit agencies,
• Further development or improvement of our services and products or processes,
• Due diligence within the scope of sales negotiations,
• Benchmarking and market analyses,
• Knowledge databases for knowledge transfer and supporting business,
• Measures related to IT security and compliance with data protection,
• In case of an unsuccessful payment reminder process, transfer of data to a collection agency bound by a contract or an external lawyer.
c. Consent (Art. 6 (1) lit. a GDPR)
In as far as you have given us your consent to the processing of personal data for specific purposes (e.g. electronic contact by telephone, fax and email), the lawfulness of data processing is assured on the basis of your consent. You can withdraw your consent at any time. Withdrawal of your consent will not affect the lawfulness of data processing up to the time of your withdrawal of consent.
d. For compliance with legal obligations (Art. 6 (1) lit. c GDPR)
In addition, as an accredited body we are subject to various obligations, i.e. legal requirements and requirements by our accreditation body, such as review of documents within the scope of audits.
In as far as necessary, we will also process your personal data to comply with our legal obligations.
This particularly (but not exclusively) concerns the following purposes within the scope of:
•Commercial and tax laws (for example, compliance with control and reporting duties and retention for control by authorities as defined in tax law),
• Regulatory requirements by supervisory authorities
• Criminal law (e.g. to prevent fraud and money laundering, comparison against anti-terror and corruption lists),
• Disclosure of your personal data (e.g. by order of authorities or courts of law) within the scope of measures for the purposes of collection of evidence, criminal prosecution, or implementation of civil-law claims.
e. For exercise of official authority (Art. 6 (1) lit. e GDPR)
Your personal data will be processed for the handling of testing and inspection contracts within the scope of our legal obligation as a company performing activities with official authority (e.g. for the installation and operation of temporary structures) in performance of tasks carried out in the public interest.
4. Who has access to my data?
Your data will be transferred and/or made available to the employees and organisational units that require these data to fulfil our contractual, pre-contractual and legal obligations, or which need these data as essential for our legitimate interests.
We will only transfer your data to external third parties for specific purposes, in particular
• on the basis of contractual or legal provisions (e.g. auditing companies; accreditation bodies),
• within the context of the performance of contractually agreed measures and activities (e.g. manufacturing companies, assembly or installation companies, etc.),
• on the basis of our legitimate interests or the legitimate interests of third parties,
• in compliance with legal requirements which place us under the obligation to disclose data,
• on the basis of your consent ,
• to external service providers which act as processors on our behalf (e.g. IT service providers, application providers, hotlines, data destruction and disposal specialists, courier services, procurement, marketing, accounting, credit institutions)
5. Are data transferred to third countries?
Data processing generally only takes place in Member States of the European Union or the European Economic Area. Data transfer to “third countries” will only take place if you expressly request same within the scope of a contract or a pre-contractual measure, or if such transfer is necessary (e.g. if a contractual partner is headquartered in a third country), if required by law (e.g. reporting duty under tax law), or if you have given us your consent.
Should transfer to a third country be necessary, we require data protection measures suitable for the contract, so that you receive a comparable level of protection of your personal data in the third country.
6. For how long will my data be stored?
We will process and store your personal data for as long as is necessary to fulfil our contractual and legal obligations. An important point in this context is that storage periods vary depending on the purpose of data processing.
• Compliance with retention duties under commercial and tax law: Examples in this context include the German Commercial Code (Handelsgesetzbuch, HGB) and Tax Code (Abgabenordnung, AO). They define document retention and/or documentation periods of up to ten years.
• Retention of evidence in line with the legal statutes of limitation. According to
Sections 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), limitation periods can be up to 30 years. However, the regular period of limitation is three years.
All data that are no longer needed for compliance with contractual or legal obligations will be deleted or anonymised at regular intervals.
7. What are my rights regarding protection of my personal data?
All data subjects have the right of access and information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Art 21 GDPR, and the right to data portability under Art 20 GDPR. In addition to the above, you have the right to file a complaint with the competent supervisory authority.
You also have the right to contact the competent Data Protection Officer (DPO) at any time.
You have the right to withdraw your consent to the processing of your personal data provided to us at any time. Should you wish to withdraw your consent or to object to the processing of your personal data for advertising purposes or on the basis of your particular situation, simply send a short note to this effect by email to [email protected] or by post to TÜV SÜD Industrie Service GmbH, IS-GMV-MUC, Westendstraße 199, 80686 München.
Please note that such withdrawal will only affect processing in the future. It does not affect data processing that took place before the withdrawal of your consent.
8. Do I have to provide personal data?
Within the scope of our business relationship, you need to provide the personal data which are required to start and carry out a business relationship and to fulfil our associated contractual obligations, or which we are legally required to collect. Without these data, we will generally not be able to conclude or execute our contract with you.