Data privacy information for business and cooperation partners

We hereby notify you of the processing of your personal data and of your rights within the scope of the General Data Protection Regulation (GDPR).

Controller

The controller is the company with which you are initiating or are executing business relations, with joint responsibility within the ALPLA Group being a possibility (Article 26 GDPR).
You will find a list of controllers and contact options here.
The appointed Data Protection Officer can be found below in the appendix.

Purposes and legal grounds 

Below is an overview of the purposes of and legal grounds for the processing of your personal data in the context of collaboration and correspondence with you/with your company. 

Data processing for the execution of business relations with you or your company 

We generally process the personal data belonging to you which is necessary for the preparation or execution of business relations with you (point b of Article 6[1] GDPR) or your company as well as on the basis of legitimate interests (point f of Article 6[1] GDPR) such as our legitimate interests in providing information on our products and services, in communicating with you and your contacts, and in maintaining business contact with you and your contacts and your legitimate interest in communication regarding possible future business relations concerning the sale of goods and services. The provision of data by you is necessary insofar as your personal data will be processed to prepare or execute business relations with you. Without your personal data, we are unable to conclude a contract with you.

The purposes of data processing depend on the specific business relations and include in particular:

  • Processing concluded contracts
  • Visitor management
  • Management of business and cooperation partners; providing services
  • Credit checks 
  • Direct marketing insofar as you have not objected to this 
  • Documentation of notices of defects
  • Execution of web conferences and conference calls
  • Preparation of quotations and order confirmations
  • Financial controls and reports
  • Safeguarding of (IT) security 
  • Exchange of information/collaboration  
  • Internal audits, in particular compliance 
  • Communication with you as a contact in the context of collaboration with you or your company
  • Supplier master data maintenance
  • Project management
  • Accounting and bookkeeping
  • Contract management
  • Order management
  • Signing of codes of conduct (COCs) and non-disclosure agreements (NDAs)

Data processing during web conferences and conference calls 
We use the following services when holding web conferences and conference calls for the purposes of online meetings, events, talks, live online training and other online events (hereinafter an ‘online meeting’):

  • Microsoft Teams

Note: Please refer to the provider’s data privacy notice regarding the processing of personal data:

  • Microsoft Teams: https://privacy.microsoft.com/en-gb/privacystatement

Various categories of data are processed when the aforementioned providers are used. For invitations, we use the contact details with which we were provided in the course of or for the initiation of business relations. These are, in particular, your name and email address. We additionally process information which you provide when participating in an online meeting. This information is personal data insofar as it is associated with your person. Examples here are chat data, posts and content shared by you during web meetings, such as presentations and documents. Other data (known as metadata) will additionally be collected depending on the medium used for participation in a web meeting. 
We will only process this data insofar as this is necessary for execution of the web meeting and to make the smooth execution of the web meeting possible. We will hold web meetings in the context of a contractual relationship or the initiation of a contract with you (point b of Article 6[1] GDPR – e.g. webinars, online seminars), in the context of business relations with the company for which you work (point f of Article 6[1] GDPR – for the purposes of the legitimate interest in executing joint projects and other business relations) or insofar as you specifically granted your informed consent to this (point a of Article 6[1] GDPR).  
With your consent, data processing may also include the recording of web meetings in the form of video and audio recordings, presentations, text files or log files (point a of Article 6[1] GDPR). Insofar as we intend to record web meetings, we will notify you of this transparently in advance. A recording will only be made if you have voluntarily given your consent following notification. You may revoke your consent at any time. Please note, however, that such a revocation will only have effect for the future, i.e. shall not affect the lawfulness of the processing of your data already effected up to the point in time of your revocation on the basis of your consent.
Data processing in the context of a credit check 

In the event of a contract offer, we will perform a credit check (point f of Article 6[1] GDPR). To check your credit quality, we will send the personal data you submitted to us upon formation of a contract (name, address, date of birth) to credit reference agencies and will obtain information regarding your credit quality from said agencies, and will use this information as the basis for our decision regarding the conclusion of a contract. To be able to unambiguously determine a business partner’s identity, we will send the personal data you submitted in the course of the formation of a contract (name, address, date of birth) to the credit reference agencies and will obtain information from said agencies for this purpose. This check serves as protection from the misuse of third-party data by unauthorised persons (‘data theft’) such as the use of third-party bank details to place orders over the phone or online. We will decide on the basis of the results of the credit and identity check and the scoring procedure whether and subject to which conditions the contract will be concluded with the interested party/whether the business partner will be permitted to use the direct debiting procedure. If there is reason to reject the contract, such as the suspicion of misuse or insufficient credit quality, the rating and its underlying indications may be reviewed by an employee. If there are concrete indications for you that our decision is founded on data regarding your person which you are unable to understand or which you believe is inaccurate, you are welcome to present your point of view to us; we will then take this into account in a subsequent repeated check. You may also contact the credit reference agencies directly to obtain access to your personal data and the information/scoring procedures they use.

Data processing in the context of consent 

We may also process your personal data on the basis of a declaration of consent given by you. The purpose of the data processing can be derived from the content of the declaration of consent in question. This is in particular the case if you have subscribed to our newsletter or have otherwise agreed to receive further information regarding our events. Here, data is processed on the basis of point a of Article 6(1) GDPR.  You may revoke your consent at any time. Please note, however, that such a revocation will only have effect for the future, i.e. shall not affect the lawfulness of the processing of your data already effected up to the point in time of your revocation on the basis of your consent.

Data processing on the basis of a legal obligation  

Your data may also be processed if a legal obligation requires us to do so (point c of Article 6[1] GDPR). Such obligations arise from, for example, commercial, tax, anti-money laundering or financial law. The concrete purposes of the processing can be derived from the statutory obligation in question, with data processing generally serving to comply with state control and information obligations. 

Data retention period 

We will erase your data when it is no longer needed for the purposes we are pursuing, the storage period stipulated in the declaration of consent has expired or you revoke your consent and there is no other legal basis which prescribes and/or legitimises its continued processing. If the latter applies, we will erase your data when this other legal basis is no longer applicable. 

Sources 

We may process not only personal data provided directly by you, but also personal data obtained from third parties. Below, you will find an overview of such (third-party) sources and the data categories included in this respect: 
Disclosure of your contact details by your company
Collection of your contact details from publicly accessible sources such as the Internet

Recipients 

Internal recipients: Access to your personal data will only be granted to those persons who need this to achieve the purposes specified in Section 4. At ALPLA, these are specifically the members of staff responsible for you/your company in the areas of supplier management, accounting, bookkeeping, financial controlling, internal auditing and purchasing. 
External recipients: We will only share your personal data with external recipients if this is necessary for the processing of our joint business relations or if there is some other statutory permission/obligation.
Examples of external recipients are:

Other ALPLA companies 
We share the personal data of our business and cooperation partners with other ALPLA companies insofar as is necessary for internal administration purposes. 

Processors
External service providers who we deploy for the provision of services, for example regarding our technical infrastructure. We carefully select and regularly audit these processors to ensure that they too comply with the statutory data privacy law requirements. The service providers may only use the data provided by us for the purposes stipulated by us.

Public authorities
Authorities and government institutions such as tax authorities to whom we are obliged to submit personal data for compelling legal reasons.

Credit reference agencies 
We may disclose personal data collected in the context of this contractual relationship regarding application for, the execution of and termination of these business relations. The credit reference agencies process the data they receive for scoring purposes, to provide their contractual partners in the European Economic Area and Switzerland as well as in other third countries if applicable (insofar as the European Commission has adopted an adequacy decision for such countries) with information for, among other things, assessing creditworthiness. Please refer to the credit reference agencies’ fact sheets for more details regarding their respective activities.

Other agencies
Other agencies may likewise be granted access to your personal data in the context of data privacy requirements, for example business consultants, cooperation partners or vicarious agents. Statutory confidentiality is guaranteed in this respect. 

Participants in online meetings and the providers of such services 
Insofar as you participate in our online meetings, internal and external participants in web conferences and conference calls may likewise be afforded an insight into the data shared by you.
The providers of such services may additionally collect diagnostics data for their own purposes. Please refer to the relevant provider’s data privacy notice regarding the processing of personal data: 
Microsoft Teams: https://privacy.microsoft.com/en-gb/privacystatement

Transfer of data to third countries

Your data will sometimes be transferred to another agency or another ALPLA company whose place of business or place of data processing is not in a member state of the European Union or in another signatory state to the Agreement on the European Economic Area. Insofar as the European Commission has not adopted an adequacy decision for the third country, we ensure that there is an adequate level of data protection for the transfer of personal data outside of the EEA before such data is shared by regularly concluding corresponding agreements with the recipients on the basis of the EU’s standard contractual clauses. 

Data subject’s rights

As the data subject, you have the following rights pursuant to the GDPR insofar as the relevant legal requirements apply: 

Access: You have a right of access to the data relating to you which is processed. 

Rectification: You many demand the rectification of inaccurate personal data. You may also demand that incomplete data be completed.

Erasure: You may, in certain instances, demand that your personal data be erased. 

Restriction of processing: You may, in certain instances, demand that the processing of your data be restricted. 

Data portability: If you provided data on the basis of a contract or your consent, you may demand receipt of the data you provided in a structured, commonly used and machine-readable format or demand that it be transmitted to another controller.

Right to object 

Case-based right to object                                    
Insofar as we process your personal data for the purposes of our legitimate interests (point f of Article 6[1] GDPR), you have the right to object to this processing at any time on grounds relating to your particular situation. 

Right to lodge a complaint with the supervisory authority: You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you is unlawful.

Last updated: 1 February 2022


Appendix:

Data Protection Officer for ALPLA Werke Lehner GmbH & Co. KG, ALPLA Lehner GmbH & Co. KG and Lübecker Kunststoffwerk GmbH:
Boris Reibach
Scheja & Partner Rechtsanwälte mbB
Adenauerallee 136
53113 Bonn
Tel.: +49 (0)228 2272 260
Fax: +49 (0)228 2272 2626
Credit reference agencies https://www.scheja-partner.de
Contact: https://www.scheja-partner.de/en/contact/contact.html