Data protection information of HS Timber Productions GmbH
Why does this document exist?
It is very important for HS Timber Productions GmbH to observe all applicable data protection regulations. The General Data Protection Regulation (Datenschutz-Grundverordnung, DSGVO) and the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) stipulate that we fulfil comprehensive information obligations. We consider this to be correct and take this responsibility very seriously. In the following text we therefore explain which information, also known as "personal data", we process about you as a business partner and inform you about the rights you have vis-a-vis HS Timber Productions GmbH with respect to your personal data.
This information should be written so that even legal laymen can understand it - we hope we have succeeded. Should you find certain points unclear, please contact us - we will be pleased to explain our extensive data protection measures to you personally.
To whom is this data protection information primarily addressed?
This information is intended primarily for our business partners: "Business partners" are customers or suppliers who wish to conclude or have concluded contracts with us for the supply of products or provision of services. They can also be companies, organisations or natural persons with whom we have not concluded contracts for deliveries or services, but with whom we exchange information, regularly or in individual cases.
However, it is also directed at any other person whose data we process. Our top priority when processing your personal data: we will only process personal data if a legal regulation allows us to do so.
Who is responsible for data processing?
The person responsible for processing your personal data in accordance with data protection law is our company, HS Timber Productions GmbH | Industriestr. 1 | D-02923 Kodersdorf | Phone +49(0)35825-618-0. When we write "we", "us" or "the company" in this privacy information, we always mean our company, HS Timber Productions GmbH.
We have appointed a data protection officer because we are legally obliged to do so - also because we consider this function to be very important. He is always available to answer any questions you may have regarding the processing of your personal data. You can reach him either via our contact details above or directly via his e-mail address:
Which data do we process?
Of course, we can only exchange information or do business with our business partners if we process data from them: Company name and address are the minimum required, but these alone are usually not personal data.
However, if the data can be traced back to a natural person, they become personal data. This may already be the case if the company name includes the name of the owner, or in the case of registered traders or freelancers. Regardless of the legal form of our business partners, we also usually process data on their contact persons in the company, i.e. their names and contact details such as mail addresses or telephone numbers. Therefore, please also make this privacy information available to the people within your organisation who are involved in the business relationship with us, e.g. our contact persons in your company.
We refer to the essential data about your company, contact persons and our business relationship (e.g. a contract) as master data. This includes, for example, the company name, contract data and the names of contact persons.
In particular, master data includes:
- all information which we receive when initiating or commencing the business relationship, or which we have requested from our contractual partner or the contact persons (e.g. first and last name, description of function, address and other contact data, as well as telephone and mobile phone data, bank details, tax data),
- such data that we have collected ourselves in connection with the initiation or opening of the business relationship (in particular, the details that we need to create and transmit information to you, consultation protocols or information on processes in your company, insofar as they are necessary for our work, as well as information to create offers or invoices, conclude contracts, or which is requested in the context of compliance checks)
Of course, we also process personal data that arise during our business relationship and that involve more than a mere change in master data. We then call this type of data history data.
This category includes in particular:
- Data on the products and services which have been delivered or rendered by our business partners on the basis of the contracts concluded;
- Data on products and services delivered or rendered by us that are based on existing or completed contracts;
- Information provided to us by our business partners or contact persons themselves or at our request;
- Information on the business activities of our business partners, which we receive from them;
- Personal data which we receive in any other way from you, our business partners, contact persons or also from third parties or from publicly accessible sources.
We may also store personal data from third parties in addition to master or history data, to the extent legally permissible, such as information on the economic and financial situation of our business partners. This may include, for example, data from credit reporting agencies and data from third-party compliance databases in order to assess business risks, such as possible payment defaults or compliance risks.
For what purposes and on what legal basis do we process personal data?
- We process master and history data in order to implement the contracts concluded with our business partners or to carry out pre-contractual measures, such as offers or other correspondence on the basis of Article 6 paragraph 1 b) DSGVO. Regardless of the legal form of the business partner, we process master and history data with reference to one or more contact persons in order to safeguard our legitimate interest in the business relationship in accordance with Article 6 Paragraph 1 f) DSGVO.
- In order to comply with legal obligations to which we are subject we may process master and history data in accordance with Art. 6 para. 1 letter c) DSGVO. In particular, mandatory reporting to tax and other authorities falls into this category.
- In addition, our legitimate interest or the legitimate interest of third parties allows us to process master and history data on the basis of Art. 6 para. 1 letter f) DSGVO. If necessary, we process information on the execution of contracts with business partners and on the fulfilment of legal obligations. Our legitimate interests include:
  - clarifying economic and compliance-related risks in connection with our business relationships, such as payment defaults;
  - the assertion of legal claims and defence in legal disputes;
  - the prevention and investigation of criminal offences;
  - the management and optimisation of our business activities, including risk management.
- Insofar as we give a natural person the opportunity to give his or her consent to the processing of his or her personal data, we will always process the data covered by the consent only for the purposes stated in the consent on the basis of Art. 6 para. 1 letter a) DSGVO.
Is there an obligation to provide personal data?
We cannot open a business relationship with you without data. Therefore, the collection or provision of the above-mentioned master and history data is always necessary, unless we indicate otherwise when collecting the data.
If we collect personal data additionally, we will indicate at the time of collection whether the provision of this information is required by law or contract or is necessary for conclusion of a contract. As a rule, we indicate those data that you can provide voluntarily and whose collection is not based on an obligation or is not necessary for the conclusion of a contract.
Who receives personal data from us?
Your personal data is always processed within our company. Depending on the specific type of personal data, departments and persons in our company have access to the data only to the extent that they need it to carry out the processing purpose. In order to guarantee this, we use a role and authorisation concept. The departments concerned are mainly the accounting and sales departments and, depending on the type of service agreed, the various service departments. Since we generally process data with the help of our EDP, our internal IT staff also process personal data to a limited extent.
We may also transfer personal data to third parties outside our company to the extent permitted by law. Such external recipients may include, in particular,
- the service providers engaged by us, who provide services for us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent;
- non-public and public bodies, insofar as we are obliged to transfer your personal data due to legal obligations.
Do we use automated decision making?
In principle, we do not use automated decision making for our business relations, including above all profiling, in the sense of Article 22 DSGVO. Should we nevertheless use such procedures in individual cases, we will inform the persons concerned of this to the extent required by law.
Is data transferred to countries outside the EU or to international organisations?
Personal data processing takes place exclusively within the EU or the European Economic Area; a transfer to third countries is not planned.
What is the duration of personal data storage?
Personal data are stored by us as long as we have a legitimate interest in storing them and the interests of the person concerned in not continuing the storage do not prevail.
Without a justified interest, we may also store the data if we are obliged to do so by law, for example to fulfil tax retention obligations. Personal data are deleted by us as soon as they are no longer necessary for the purpose of processing or the storage is otherwise legally inadmissible. Deletion is carried out without the person concerned having to request us to do so.
In general, we store master data and history data at least until the business relationship is terminated. The data will be deleted at the latest when the purpose of storage has been fulfilled, even if this occurs after the business relationship has ended. If we have to store personal data in order to fulfil storage obligations, they shall be stored until the end of the respective obligatory storage period. If we store personal data only for the fulfilment of the storage obligations, these are usually blocked in such a way that processing is only necessary in relation to the purpose of the storage obligation (e.g. for disclosure to tax authorities).
What rights do data subjects have?
Every data subject shall have the right
- to information on the personal data stored about them in accordance with Article 15 DSGVO;
- to have incorrect or incomplete data corrected in accordance with Art. 16 DSGVO;
- to have personal data deleted in accordance with Art. 17 DSGVO;
- to restriction of processing, in accordance with Art. 18 DSGVO;
- to data transferability, in accordance with Art. 20 DSGVO, and
- to object to the processing of personal data related to you, in accordance with Art. 21 DSGVO.
In order to exercise your rights, you or the data subject may contact us at any time, e.g. through one of the channels indicated in the section "Who is responsible for data processing?".
If you or the person concerned has any questions regarding the processing of personal data, you can contact our data protection officer at any time.
A data subject is also entitled to lodge a complaint with a competent supervisory authority for data protection pursuant to Art. 77 DSGVO.
The contact details of all German supervisory authorities can be found at this link at the Federal Commissioner for Data Protection and Freedom of Information (BFDI):
Thank you for your interest in our data protection information.
HS Timber Productions GmbH