Information on data protection

Processing of customer data

We take the protection of personal data very seriously and comply with data protection regulations, in particular those of the EU General Data Protection Regulation ("GDPR") and of the German Federal Data Protection Act ("BDSG"). This means in particular that we only process personal data where a legal regulation allows us to do so or the person concerned has declared his or her consent.

In this information on data protection we will explain which information (including personal data) is processed by us in connection with the business relationship between you and us.


I. Who is responsible for data processing?

The entity responsible in terms of data protection for the processing of personal data is Bitburger Braugruppe GmbH, Römermauer 3, 54634 Bitburg, Tel.: 06561-14-0, Fax: 06561-14-2289, e-mail: info@bitburger-braugruppe.de. Where reference is made to "we" or "us" in this information on data protection, this relates to the aforementioned company in each case.

Our data protection officer can be contacted via the above communication channels as well as at datenschutz@bitburger-braugruppe.de.
 

II. What data do we process?

Conducting our business relationships requires our customers’ data to be processed. Where said data allows conclusions to be made as to you as a natural person (e.g. if you are entering a business relationship with us as a sole trader), such data is personal data.

  1. Master data: We process basic data about your person and the business relationship with you, which we collectively refer to as "master data". This data includes in particular:
    a) All information you provided to us at the time the business relationship was established or which we obtained from you or via your suppliers (e.g. your name, your address, your e-mail address, your date of birth, nationality, VAT ID and other contact information),
    b) The data we have recorded in connection with the establishing of the business relationship (in particular, the details of contracts concluded with you).
     
  2. Historical data: We process personal data collected in the course of the business relationship, which may go beyond a mere change to your master data and which we refer to as "historical data". This data includes in particular:
    a) Information about the services provided or accepted by you on the basis of contracts concluded,
    b) Information about the services provided or accepted by us on the basis of contracts concluded,
    c) Information you provided us with in the course of the business relationship - either actively or upon our request,
    d) Personal information we receive in the course of our business relationship from you or from a third party in any other way.


III. For what purposes and on what legal bases do we process your data?

  1. The processing of master and historical data is carried out for the execution of contracts with you or for the performance of pre-contractual measures on the basis of Article 6(1)(b) of the GDPR.
     
  2. We can also process master or historical data in order to fulfil legal obligations to which we are subject; this is carried out on the basis of Article 6(1)(c) of the GDPR. These legal obligations include, in particular, our legally stipulated reports to the US (tax) authorities.
     
  3. Where necessary, we also process your data, in addition to the purpose of executing the contracts concluded with you and of complying with legal obligations, for the purpose of safeguarding our legitimate interests or the interests of third parties; this is carried out on the basis of Article 6(1)(f) of the GDPR. Our legitimate interests include
    a) The clear identification of customers and customer support,
    b) The assessment of creditworthiness and collateral,
    c) The production of invoices/credit notes,
    d) The assertion of legal claims and defence in legal disputes,
    e) The prevention and investigation of criminal offenses,
    f) The control and further development of our business activities, including risk control etc.
     
  4. Where we give you, at the time of establishing or during the course of the business relationship, the possibility of granting consent to the processing of personal data, we will process the data covered by the consent for the purposes specified in the consent; this is carried out on the basis of Article 6(1)(c) of the GDPR.
    Please note that:
  • Granting consent to us is voluntary and neither the granting nor the later revocation has any influence on the execution of the business relationship;
  • The non-granting of consent or the later revocation of consent may have consequences nevertheless, about which we will inform you prior to the granting of consent;
  • You can revoke consent given to us at any time with effect for the future, for example by sending post, fax or e-mail notification via one of the communication channels listed on the first page of this information on data protection.


IV. Am I obligated to provide data?

The provision of the master data and historical data under II is required for the establishment and execution of the business relationship between you and us, unless otherwise expressly stated by us at the time of collecting this data. Without the provision of this data we cannot establish and execute any business relationship with you.


V. Who gets my data?

Your personal data is generally processed within our company. Depending on the type of personal data, only certain departments / organizational units will have access to your personal data. These include, in particular, our field service and back office and, in the case of data processed via the IT infrastructure, the IT department to a certain extent.

We may also share your personal data with third parties outside of our company to the legally permitted extent. These external recipients can include in particular

  • The service providers engaged by us who provide services for us on a separate contractual basis, which may include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent;
  • Non-public and public bodies, as far as we are obligated to share your personal data based on legal obligations.
  • If you have concluded a rental/lease agreement, we may share the customer data with the house owner where there are pre-emption rights for the property. This is done for the purpose of supporting and billing the rental/lease.

When processing the data we sometimes use GEDAT Getränkedaten GmbH (“GEDAT”) as an order processor. We also send the customer master data to the latter for the purpose of creating a checked, clear and up-to-date address data record for points of sale. The transmitted data may be processed by GEDAT on its own responsibility, possibly in addition to other data available to it or generally available data. They will sometimes use order processors to do this. The address of GEDAT and its data protection officer can be found at: www.gfgh-industriepartner.de.


VI. Is automated decision-making used?

We generally do not use an automated decision-making process (including profiling) in the sense of Art. 22 of the GDPR at the time of establishing the business relationship or in the course of the business relationship. Where we use such procedures in individual cases, we will inform you about this separately to the extent provided for by law.


VII. How long will my data be stored for?

We generally store your personal data for as long as we have a legitimate interest in doing so and said interest is not outweighed by your interests in discontinuing storage.

Even without a legitimate interest we can still store the data where required to do so by law (to meet our obligation to preserve records, for example). We will delete your personal data without any action on your part as soon as knowledge of it is no longer necessary for fulfilling the purpose of processing, or as soon as storing it is otherwise legally inadmissible.

The master data and the further personal data accrued in the course of the business relationship will usually be stored at least until the business relationship has ended. The data will be deleted no later than at the time of its purpose being achieved. This may also be after the business relationship has ended. Personal data that we need to store in order to comply with our obligations to preserve records will be stored until the relevant obligation ends. Where we store personal data solely for the purpose of fulfilling our obligations to preserve records, said data is only accessed where doing so is required in view of the purpose of our obligation to preserve records. GEDAT and its partner companies will delete the data no later than after 10 years have passed since the last recorded sales report for the point of sale, or also in accordance with the above criteria.


VIII. What rights do I have?

You have the right as an affected person:

  • To receive information about the personal data stored about you, Art. 15 of the GDPR;
  • To correction of inaccurate or incomplete data, Art. 16 of the GDPR;
  • To deletion of personal data, Art. 17 of the GDPR;
  • To restriction of processing, Art. 18 of the GDPR;
  • To data portability, Art. 20 of the GDPR, and
  • To object to the processing of the personal data concerning you, Art. 21 of the GDPR.

To exercise these rights, you can contact us at any time, e.g. via one of the communication channels specified at the beginning of this information on data protection.

If you have any questions regarding the processing of your data, you can also contact our data protection officer.

You are also entitled to file a complaint with a competent supervisory authority for data protection, Art. 77 of the GDPR.

* * *