Information on data protection for clients and other data subjects
With the following information, we would like to give you an overview on the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and the manner in which they are used is predominantly determined by the services re quested or agreed. Therefore, not every element of this information may be applicable to you.
Who is responsible for data processing and who can I contact?
Responsibility lies with
Phone: +49 6104 60009-0
You can reach our internal Data Protection Officer under
Data Protection Officer
Phone: +49 6104 60009-0
Which sources and which data do we use?
We process personal data which we receive from our clients and other concerned parties in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as registers of commercial establishments and associations, press, Internet) or which have been legitimately transmitted to us from third parties (for example a credit bureau) to the extent necessary for rendering our services.
Relevant personal data are personal details (name, address and other contact data, date and place of birth and nationality), legitimisation data (such as data from ID cards). ln addition, these may also be contract data (such as a inquiry), data resulting from the performance of our contractual obligations (such as an order), information about your financial status (such as data on scoring or rating), advertising and sales data (including advertising scores), documentation data (such as a protocol on consultations) and other data comparable with the above-mentioned categories.
What is the purpose of processing your data (purpose of personal data processing) and on which legal basis does this take place?
We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG)
- in order to comply with contractual Obligations (Art.6 (1 b) GDPR)
Data are processed for the purpose of providing and arranging services in connection with the performance of our agreements with our clients or for performing pre-contractual measures as a result of queries. The purposes of data processing are primarily determined by the specific product or service and may, among other things, include needs assessments, consultation, administration and the execution of transactions. For further details on the purposes of data processing, please refer to the pertinent contractual documents and our General Terms and Conditions.
- within the scope of the balancing of interests (Art. 6 (1 f) GDPR)
To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Examples:
- Consultation of and exchange of data with credit bureaus so as to determine credit standing or default risks,
- analysis and optimisation of processes for needs analysis for the purpose of the direct approach of clients,
- advertising or market and opinion research unless you have objected to the use of your data,
- Lodging legal claims and defence in case of legal disputes,
- ensuring IT security and the IT operation of the Company,
- prevention and investigation of criminal acts,
- measures for securing buildings and systems (such as admission control),
- measures for business management and advanced development of products and services,
- risk management within the Company.
- as a result of your consent (Art. 6 (1 a) GDPR)
To the extent you have consented to the processing of personal data by us for certain purposes (such as passing on data within the KITAGAWA-Group, analysis of payment or order data for marketing purposes, photographs taken in connection with events, mailing newsletters), such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Revocation of con sent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.
- on the basis of statutory regulations (Art. 6 (1 c) GDPR) or in the public interest (Art. 6 (1 e) GDPR)
Moreover, we, as a trading company, are subject to various legal Obligations, i.e. statutory requirements (such as tax laws). The purposes of processing include, among others, the assessment of creditworthiness, checking identity and reporting under tax law and the assessment and management of risks in the Company.
Who will receive my data?
Within the Company, those units will be granted access to your data that need them in order to comply with our contractual and statutory obligations. Service providers and agents appointed by us may also receive the data for these purposes on the condition that they, specifically, observe secrecy. These are companies in the categories banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation as well as sales and marketing.
As far as passing on data to recipients outside our Company is concerned, it must first be kept in mind that we are obliged to keep all client-related facts and assessments we become aware of in strict confidence. As a matter of principle, we may pass on information about our clients only if this is required by law, the client has given his consent. Under these circumstances, recipients of personal data may, for example, be:
- Public authorities and institutions (such as tax authorities, the German Federal Bank), provided a statutory obligation or an official decree is in place,
- other institutes to whom we transmit your person al data for the purpose of performing transactions under our business relationship (depending on the agreement, for example, information bureaus),
- liquidators submitting queries in connection with a foreclosure,
- service providers whom we involve in connection with order processing relationships
Other recipients of data may be those bodies for which you have given us your consent to data transfer or to which we may transfer personal data on the basis of the balancing of interests
Will the data be transferred to a third country or an international Organisation?
Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent
- this is required to carry out your orders (such as global project or custom-made order),
- it is required by law (such as obligatory reporting under tax law) or
- you have given your consent.
Moreover, transfer to bodies in third countries is intended in the following cases:
If necessary in individual cases, your personal data may be transmitted to an IT service provider in another third country to ensure that the IT department of the Company remains operative, observing the European data protection rules. With the consent of the data subject the personal data of parties interested in products can be processed in the course of a CRM system also in a third country.
For how long will my data be stored?
We process and store your personal data as long as this is required to meet our contractual and statutory obligations. ln this respect, please keep in mind that our business relationship is a continuing obligation designed to last for years.
If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless – temporary – further processing is necessary for the following purposes:
Compliance with obligations of retention under commercial or tax law which, for example, may result from the German Commercial Code (HGB), the German Fiscal Code (AO). As a rule, the time limit specified there for retention or documentation is 2 to 10 years. Preservation of evidence under the statutory regulations regarding the statute of limitations. According to Sees. 195 et seqq. of the German Civil Code (BGB), these statutes of limitations may be up to 30 years, the regular statute of limitation being 3 years.
What are my rights with regard to data protection?
Every data subject has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As far as the right to obtain information and the right to erasure are concerned, the restrictions pursuant to Sees. 34 and 35 BDSG are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG).
Your consent to the processing of personal data granted to us may be revoked at any time by informing us accordingly. This also applies for the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.
Am I obliged to provide data?
Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.
To what extent will decision-making be automated?
As a matter of principle, we do not use fully automated decision-making processes pursuant to Article 22 GDPR for establishing and performing a business relationship. ln the event that we should use such processes in individual cases we will inform you of this and of your rights in this respect separately if prescribed by law.
Will profiling take place?
Your data will be processed automatically in part with the objective of evaluating certain personal aspects (profiling). For example, we will use profiling of the following cases:
So as to be able to inform you selectively about our products and to provide advice to you, we use analysis tools. These permit communication according to your needs and advertising including market and opinion research. Scoring is based on a proven and recognised mathematical-statistical method. The resulting score values assist us in decision-making in connection with product transactions and will become part of the ongoing risk management.
On our websites, we use Google Analytics with the extension “anonymizeIp”, a web analytics service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (” Google “). As a result, IP addresses of Google within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area will be shortened further processed.Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there. A personal reference can thus be excluded. Insofar as the data collected about you is assigned a personal reference, it will be immediately excluded and the personal data will be deleted immediately.
The legal basis for our use of Google Analytics is Art. 6 para. 1 sentence 1 lit. f) DS-GMO. On our behalf, Google will use the data obtained to evaluate your use of our website, to compile reports on website activity and to provide us with other services related to website usage and internet usage. The purpose of the processing is to analyze and optimize our website.
You can prevent the storage of cookies through appropriate settings in your browser, for example by generally deactivating the automatic setting of cookies. In this case, functions of this website may no longer be used properly. In addition, you may prevent the collection of the data related to your use of the website (including your IP address) as well as their transmission to and processing by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en .
Information about your right to object pursuant to Article 21 GDPR
Right to object based on individual cases
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6 (1) (data-processing in the public interest) and point (f) of Article 6 GDPR (data-processing on the basis of the balancing of interests); this also applies for profiling as defined in Article 4 point 4 GDPR.
If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.
Right to object to processing data for the purpose of direct marketing
ln individual cases, we will process your personal data for the purpose of direct marketing. You have the right to object at any time against the processing of your personal data for the purposes of such marketing; this also applies for profiling to the extent it is connected to such direct marketing.
If you do object to processing for the purposes of direct marketing, we will refrain from using your personal data for such purposes henceforth.
Recipient of an objection
Such objection may be submitted informally under the heading “objection” indicating your name, your address and your date of birth and should be addressed to:
Phone: +49 6104 60009-0
Version 1 EN