Data privacy information for business and cooperation partners
We hereby notify you of the processing of your personal data and of your rights within the scope of the General Data Protection Regulation (GDPR) and the Personal Information Protection Law of the People's Republic of China (PIPL).
Controller
The controller is the company with which you are initiating or are executing business relations, with joint responsibility within the ALPLA Group being a possibility (Article 26 GDPR).
You will find a list of controllers and contact options here.
The appointed Data Protection Officer can be found below in the appendix.
Purposes and legal grounds
Below is an overview of the purposes of and legal grounds for the processing of your personal data in the context of collaboration and correspondence with you/with your company.
Data processing for the execution of business relations with you or your company
We generally process the personal data belonging to you which is necessary for the preparation or execution of business relations with you (point b of Article 6[1] GDPR) or your company as well as on the basis of legitimate interests (point f of Article 6[1] GDPR) such as our legitimate interests in providing information on our products and services, in communicating with you and your contacts, and in maintaining business contact with you and your contacts and your legitimate interest in communication regarding possible future business relations concerning the sale of goods and services. The provision of data by you is necessary insofar as your personal data will be processed to prepare or execute business relations with you. If you are our business and cooperation partners in the People's Republic of China (PRC), we will process the personal data belonging to you based on your consent (Article 13[1] PIPL). Without your personal data, we are unable to conclude a contract with you.
The purposes of data processing depend on the specific business relations and include in particular:
· Processing concluded contracts
· Visitor management
· Management of business and cooperation partners; providing services
· Credit checks
· Direct marketing insofar as you have not objected to this
· Documentation of notices of defects
· Execution of web conferences and conference calls
· Preparation of quotations and order confirmations
· Financial controls and reports
· Safeguarding of (IT) security
· Exchange of information/collaboration
· Internal audits, in particular compliance
· Communication with you as a contact in the context of collaboration with you or your company
· Supplier master data maintenance
· Project management
· Accounting and bookkeeping
· Contract management
· Order management
· Signing of codes of conduct (COCs) and non-disclosure agreements (NDAs)
Data processing during web conferences and conference calls
We use the following services when holding web conferences and conference calls for the purposes of online meetings, events, talks, live online training and other online events (hereinafter an ‘online meeting’):
· Microsoft Teams
Note: Please refer to the provider’s data privacy notice regarding the processing of personal data:
· Microsoft: https://privacy.microsoft.com/en-gb/privacystatement
Various categories of data are processed when the aforementioned providers are used. For invitations, we use the contact details with which we were provided in the course of or for the initiation of business relations. These specifically include your name and email address. We additionally process information which you provide or generate when participating in an online meeting. This information is personal data insofar as it is associated with your person. This specifically includes chat data, posts and presentations and other documents shared by you during web meetings. Other metadata will additionally be collected depending on the medium used for participation in a web meeting, which specifically includes your participation device information, network information, meeting login information, participation duration and participation operation records.
We will only process this data insofar as this is necessary for execution of the web meeting and to make the smooth execution of the web meeting possible. We will hold web meetings in the context of a contractual relationship or the initiation of a contract with you (point b of Article 6[1] GDPR – e.g. webinars, online seminars), in the context of business relations with the company for which you work (point f of Article 6[1] GDPR – for the purposes of the legitimate interest in executing joint projects and other business relations) or insofar as you specifically granted your informed consent to this (point a of Article 6[1] GDPR). If you are our business and cooperation partners in the PRC, we will process the personal data belonging to you based on your consent (Article 13[1] PIPL).
With your consent, data processing may also include the recording of web meetings in the form of video and audio recordings, presentations, text files or log files (point a of Article 6[1] GDPR, Article 13[1] PIPL). Insofar as we intend to record web meetings, we will notify you of this transparently in advance. A recording will only be made if you have voluntarily given your consent following notification. You may revoke your consent at any time. Please note, however, that such a revocation will only have effect for the future, i.e. shall not affect the lawfulness of the processing of your data already effected up to the point in time of your revocation on the basis of your consent.
Data processing in customer relationship management ("CRM")
We use the following services when managing and supporting our business relationships, sales activities, marketing initiatives, and customer service in a structured and secure manner:
· CRM-Software (Microsoft Dynamics 365 Customer Engagement)
· CRM-Software: Cloud Data Integrity at its Finest | Microsoft Trust Center
Various categories of data are processed when the aforementioned providers are used. Relevant information collected by us and provided by you in the course of your liaison with our relevant staff (refer to internal recipients under the Section titled "Recipients" below), as well as your data obtained through the channels specified in the Section titled “Sources” below, shall be duly and properly entered into the CRM-Software by our business personnel, for the purposes of business communication, demand coordination, cooperation advancement, marketing activities and other relevant scenarios. The following categories of data are processed within our CRM-Software:
· Customers:
First Name, Last Name, Account Name, Country, Company registration number, Email, Phone, Information: Where did you hear about us, Market Product or Service, Data protection / privacy, Newsletter subscription, Message, Industry, , Transaction history with any ALPLA companies, , SIC Code, Currency, Source Campaign, Marketing material, Last Campaign Date, Type of Contract, Business Development Order, Business Plan.
· Contact persons (at customers):
First Name, Last Name, Job Title, Address (Street, City, State/Province, ZIP/Postal Code, Country/Region, Lead Created On, Lead Created By, Personal Notes, Business Phone, Mobile Phone, Email, Website, Fax, Orginating Lead, Last Date Included in Campaign, Marketing List, Connections.
We will only process the above data insofar as this is necessary for managing and supporting our business relationships, sales activities, marketing initiatives, and customer service. We will save the above data in the context of a contractual relationship or the initiation of a contract with you (point b of Article 6[1] GDPR – e.g. webinars, online seminars), in the context of business relations with the company for which you work (point f of Article 6[1] GDPR – for the purposes of the legitimate interest in executing joint projects and other business relations) or insofar as you specifically granted your informed consent to this (point a of Article 6[1] GDPR). If you are our business and cooperation partners in the PRC, we will process the personal data belonging to you based on your consent (Article 13[1] PIPL).
Data processing in the context of a credit check
In the event of a contract offer, we will perform a credit check (point f of Article 6[1] GDPR). If you are our business and cooperation partners in the PRC, for the purpose of data processing for the credit checks mentioned above, we will entrust credit reference agencies to process your personal information and supervise their processing activities (Article 21 PIPL).To check your credit quality, we will send the personal data you submitted to us upon formation of a contract (name, address, date of birth) to credit reference agencies and will obtain information regarding your credit quality from said agencies, and will use this information as the basis for our decision regarding the conclusion of a contract. To be able to unambiguously determine a business partner’s identity, we will send the personal data you submitted in the course of the formation of a contract (name, address, date of birth) to the credit reference agencies and will obtain information from said agencies for this purpose. This check serves as protection from the misuse of third-party data by unauthorized persons (‘data theft’) such as the use of third-party bank details to place orders over the phone or online. We will decide on the basis of the results of the credit and identity check and the scoring procedure whether and subject to which conditions the contract will be concluded with the interested party/whether the business partner will be permitted to use the direct debiting procedure. If there is reason to reject the contract, such as the suspicion of misuse or insufficient credit quality, the rating and its underlying indications may be reviewed by an employee. If there are concrete indications for you that our decision is founded on data regarding your person which you are unable to understand or which you believe is inaccurate, you are welcome to present your point of view to us; we will then take this into account in a subsequent repeated check. You may also contact the credit reference agencies directly to obtain access to your personal data and the information/scoring procedures they use.
Data processing in the context of consent
We may also process your personal data on the basis of a declaration of consent given by you. The purpose of the data processing can be derived from the content of the declaration of consent in question. This is in particular the case if you have subscribed to our newsletter or have otherwise agreed to receive further information regarding our events. Here, data is processed on the basis of point a of Article 6(1) GDPR and Article 13[1] PIPL. You may revoke your consent at any time. Please note, however, that such a revocation will only have effect for the future, i.e. shall not affect the lawfulness of the processing of your data already effected up to the point in time of your revocation on the basis of your consent.
Data processing on the basis of a legal obligation
Your data may also be processed if a legal obligation requires us to do so (point c of Article 6[1] GDPR, Article 13[3] PIPL). Such obligations arise from, for example, commercial, tax, anti-money laundering or financial law. The concrete purposes of the processing can be derived from the statutory obligation in question, with data processing generally serving to comply with state control and information obligations.
Data retention period
We will erase your data when it is no longer needed for the purposes we are pursuing, the storage period stipulated in the declaration of consent has expired or you revoke your consent and there is no other legal basis which prescribes and/or legitimises its continued processing. If the latter applies, we will erase your data when this other legal basis is no longer applicable.
Sources
We may process not only personal data provided directly by you, but also personal data obtained from third parties. Below, you will find an overview of such (third-party) sources and the data categories included in this respect:
Disclosure of your contact details by your company
Collection of your contact details from publicly accessible sources such as the Internet
Recipients
Internal recipients: Access to your personal data will only be granted to those persons who need this to achieve the purposes specified in Section titled "Purposes and legal grounds". At ALPLA, these are specifically the members of staff responsible for you/your company in the areas of supplier management, accounting, bookkeeping, financial controlling, internal auditing and purchasing.
External recipients: We will only share your personal data with external recipients if this is necessary for the processing of our joint business relations or if there is some other statutory permission/obligation.
Other ALPLA companies
We share the personal data of our business and cooperation partners with other ALPLA companies insofar as is necessary for internal administration purposes. Other ALPLA companies will only process your personal data for achieving the purposes specified in Section titled "Purposes and legal grounds". You will find a list of the other ALPLA companies and contact options here.
Processors
External service providers who we deploy for the provision of services, for example regarding our technical infrastructure. We carefully select and regularly audit these processors to ensure that they too comply with the statutory data privacy law requirements. The service providers may only use the data provided by us for the purposes stipulated by us.
Public authorities
Authorities and government institutions such as tax authorities to whom we are obliged to submit personal data for compelling legal reasons. If you are our business and cooperation partners in the PRC, any provision of personal information from us to a foreign judicial or law enforcement authority shall be subject to the approval of the competent authority of the PRC.
Credit reference agencies
We may disclose personal data collected in the context of this contractual relationship regarding application for, the execution of and termination of these business relations. The credit reference agencies process the data they receive for scoring purposes, to provide their contractual partners in the European Economic Area and Switzerland as well as in other third countries if applicable (insofar as the European Commission has adopted an adequacy decision for such countries) with information for, among other things, assessing creditworthiness. Please refer to the credit reference agencies’ fact sheets for more details regarding their respective activities.
Other agencies
Other agencies may likewise be granted access to your personal data in the context of data privacy requirements, for example business consultants, cooperation partners or vicarious agents. Statutory confidentiality is guaranteed in this respect.
Participants in online meetings and the providers of such services
Insofar as you participate in our online meetings, internal and external participants in web conferences and conference calls may likewise be afforded an insight into the data shared by you.
The providers of such services may additionally collect diagnostics data for their own purposes. Please refer to the relevant provider’s data privacy notice regarding the processing of personal data:
Microsoft Teams: https://privacy.microsoft.com/en-gb/privacystatement
Transfer of data to third countries
Your data will sometimes be transferred to another agency or another ALPLA company whose place of business or place of data processing is not in a member state of the European Union or in another signatory state to the Agreement on the European Economic Area. Insofar as the European Commission has not adopted an adequacy decision for the third country, we ensure that there is an adequate level of data protection for the transfer of personal data outside of the EEA before such data is shared by regularly concluding corresponding agreements with the recipients on the basis of the EU’s standard contractual clauses.
If you are our business and cooperation partners in the PRC, since the servers of Microsoft Teams and CRM-Software used by ALPLA companies in the PRC for processing business partners’ personal information are located overseas in the Netherlands all the personal information we process in the above two software will all be stored overseas.
ALPLA companies in the PRC provide you with relevant services and cooperation opportunities through global resources and business contacts, so cross-border sharing of personal information provided by you within the ALPLA Group is essential to the development of business cooperation between us. We will transfer your personal information related to Microsoft Teams and CRM-Software to our overseas headquarters in Austria, i.e. Alpla Werke Alwin Lehner GmbH & Co KG will be the overseas recipient, and Alpla Werke Alwin Lehner GmbH & Co KG may further provide the relevant personal information to other overseas affiliates within the ALPLA Group in accordance with laws.
With regard to the aforementioned cross-border transfer of personal data, ALPLA companies within the territory of the PRC have entered into data processing agreements with the overseas recipient that comply with the relevant laws and regulations on personal data protection of the PRC, and strictly follow the compliance requirements of Chinese laws in relation to the cross-border transfer of personal data.
In order to exercise your data subject rights, you may contact the ALPLA companies in the PRC that have direct business dealings with you, or Alpla Werke Alwin Lehner GmbH & Co KG. You will find a list of all ALPLA companies and contact options here. The appointed Data Protection Officer of Alpla Werke Alwin Lehner GmbH & Co KG can be found below in the appendix.
Data Security
We will take all necessary technical and organizational security measures to protect the personal information you provide against loss and misuse. Therefore, the personal data you provide will be stored in a secure operating environment that is not accessible to the public. In addition, we will limit access to the personal data you provide to our employees, agents, contractors and other third parties on a need-to-know basis. They will only process the personal data you provide in accordance with our instructions and assume confidentiality obligations.
When a personal data security incident occurs, we will immediately notify you in accordance with the requirements of laws and regulations, including the basic facts and possible impact of the security incident, the measures we have taken or are about to take, the available risk prevention and mitigation measures we recommend to you , as well as the remediation actions. We will promptly notify you by email and other means. If it is difficult to make separate notifications for some specific subjects of personal data, we will use reasonable and effective methods to notify them by announcement. Meanwhile, we will take a proactive approach to report the handling of personal data security incidents in accordance with the requirements of local regulatory authorities.
Data subject’s rights
As the data subject, you have the following rights pursuant to the GDPR insofar as the relevant legal requirements apply:
Access: You have a right of access to the data relating to you which is processed.
Rectification: You may demand the rectification of inaccurate personal data. You may also demand that incomplete data be completed.
Erasure: You may, in certain instances, demand that your personal data be erased.
Restriction of processing: You may, in certain instances, demand that the processing of your data be restricted.
Data portability: If you provided data on the basis of a contract or your consent, you may demand receipt of the data you provided in a structured, commonly used and machine-readable format or demand that it be transmitted to another controller.
Right to object
Case-based right to object
Insofar as we process your personal data for the purposes of our legitimate interests (point f of Article 6[1] GDPR), you have the right to object to this processing at any time on grounds relating to your particular situation.
Right to lodge a complaint with the supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement or the Cyberspace Administration of China or its local office, if you consider that the processing of personal data relating to you is unlawful.
If you are our business and cooperation partners in the PRC, in addition to the rights set forth above, you are entitled to the following additional rights:
Right to explain: You have the right to ask us to provide you with an explanation of our rules on the handling of personal data.
If you wish to exercise any of the above rights, you may contact the ALPLA companies in the PRC that have direct business dealings with you, or Alpla Werke Alwin Lehner GmbH & Co KG. You will find a list of all ALPLA companies and contact options here. The appointed Data Protection Officer of Alpla Werke Alwin Lehner GmbH & Co KG can be found below in the appendix.
For security purposes, we may require the subject of personal information to provide a written request or otherwise prove his/her identity. Generally, we will respond within fifteen working days.
Last updated: 09 March 2026
If we revise and update this data policy, we will post the revised version on this website and require your consent again.
Appendix: ALPLA Werke Alwin Lehner GmbH & Co. KG
Allmendstraße 81
6971 Hard
Tel.; +43 (0)5574 6020