Data Protection Information for Business Partners

Information about the processing of personal data in the context of business relationships with customers, suppliers and other business contacts

1. What information does this document contain for you?

The thyssenkrupp Materials DataflowWorks GmbH ("We") is in a business relationship with you or your employer/client, e.g. the initiation or execution of a contractual relationship as part of our business activities. In this context, we process your personal data as far as this is necessary. We make sure that we comply with the requirements of the applicable Data Protection Acts. Below is a detailed overview of how we handle your data and your rights.

2. Who is responsible for the data processing and who is the data protection officer (DPO)?

The controller for the data processing is
thyssenkrupp Materials DataflowWorks GmbH
thyssenkrupp Allee 1
45143 Essen
Telephone: +49 251 93 25 77 18

Our data protection officer can be reached at
Data protection officer
thyssenkrupp Materials DataflowWorks GmbH thyssenkrupp Allee 1
45143 Essen

3. Which data categories do we process and where do they come from?

We process personal data that you provide to us as part of the business relationship. If our business relationship is with your employer or client, we also collect the personal data from you or your employer or client. This includes the following data or categories of data:
  • Master data (e.g. name and salutation, title, job title/description)
  • Contact details (e.g. telephone number, fax number, email address, address)
  • Communication data (e.g. content and information on personal, telephone or written communication)
  • Payment data (e.g. payment details, account data, invoice information)
Moreover, we process the following categories of personal data that we generate inde¬pendently or receive from third parties (group companies, credit agencies, (personnel) service providers):
  • Master data (e.g. customer number)
  • Contract data (e.g. contract ID, contract history)
  • Communication data (e.g. consulting protocols)
  • Payment data (e.g. payment history, information on payment history, creditworthiness)

4. For what purposes and on what legal basis is data processed?

We process your data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG) all other applicable laws and regulations. We primarily process personal data for the fulfillment of contractual obligations (Article 6 paragraph 1 lit. b GDPR), more precisely for the purpose of initiating, executing or fulfilling a contract. This includes, for example, placing orders, internal sales, shipping and payment of merchandise or contract negotiations. Unless you are not yourself a contracting party (for example, you are an employee of a business partner), processing for the same purposes takes place as a legitimate interest in accordance with Article 6 paragraph 1 lit. f GDPR. With your employer/client, we are in the initiation or execution phase of a contractual relationship as part of our business activities. We are processing your personal data due to your activity for your employer/client. If necessary, we also process personal data to fulfill statutory requirements (Article 6 para¬graph 1 lit. c GDPR) for the following purposes:
  • Preservation of statutory storage requirements
  • Preservation of legal reporting and documentation obligations
Furthermore, we process personal data in order to safeguard the following legitimate inter¬ests (Article 6 paragraph 1 lit. f GDPR):
  • Maintenance of the business relationship with existing customers (for example making contact with regard to customer satisfaction, customer loyalty, after-sales service)
  • Inclusion in our contact database, contact maintenance in connection with a business contact (for example after surrendering your business card)
  • Direct marketing to existing customers or employees of existing customers with regard to existing or past business relationships by post, e-mail, telephone (for example information on products and events, newsletters )
  • Organization of events (for example admission control, exchange of guest lists with event partners, taking photographs, publications, press work)
  • Asserting legal claims and defense in legal disputes
  • Payment and receivables management (for example debt collection, factoring)
In addition, we potentially process personal data for which we received consent (Article 6 paragraph 1 lit. a GDPR). We will collect them separately and in the following cases:
  • Direct marketing to interested parties / business partners / other business contacts (for example information on products and events, newsletters by post, e-mail, telephone)

The possibility of and the conditions for data processing on the basis of Article 6 para. 1 lit. f GDPR to object is explained in more detail at the end of this data protection information.

5. Who receives your data?

Your data will be processed within the #company name by the employees involved in the initiation/implementation of the business relationship and the execution of the respective business processes. Within our group of companies your data will be transmitted to certain group companies when they perform centralized data processing tasks for the group's affiliated companies (for example centralized contact data management, centralized contract management, file disposal, payment and claims management). In addition, to fulfill our contractual and legal obligations, we sometimes use different exter¬nal service providers who are required by data processing agreements to observe data protection laws, Article 4 No. 8 GDPR. These are service providers in the following areas
  • IT services
  • Logistics
  • Claims management
  • Marketing
  • Legal advice
In addition, we transmit your data to other recipients outside the company who process your data at their own responsibility, Article 4 No. 7 GDPR. For example, this may include the following categories of responsible persons:
  • Public institutions due to statutory provisions (e.g. tax authorities)
  • Third parties such as credit institutions, credit bureaus - if a transfer of legitimate inter¬est is permissible

6. How long will your data be stored?

We process your personal data as long as it is necessary for the above referenced purposes. After completion of the business relationship your data will be stored as long as we are legally obligated to do so. This is regularly the result of legal proof and retention obligations, which are regulated in the Commercial Code and the Tax Code. According to these codes, the storage periods are up to ten years. In addition, it may be necessary to retain personal data for the time during which claims can be asserted against us (statutory limitation period of up to thirty years).

7. Are you required to provide your data?

There is no contractual or legal obligation to provide personal data. However, without processing your personal data, we are not in a position to carry out the necessary pre-con¬tractual measures or execute the contractual relationship with you or your employer/client.

8. Is your data transmitted to a third country?

To the extent necessary for the above purposes, we also transmit data to group companies or service providers outside the European Economic Area (EEA). This is done in compliance with data protection requirements, in particular the assurance of an adequate level of data protection. The assurance is provided by a suitable guarantee (e.g. in the form of a standard data protection clause according to Article 46 paragraph 2 lit. c GDPR, which is agreed with the respective recipient). You may request additional information, in particular copies of these appropriate guarantees, by using the contact details mentioned in section 2 below.]

9. Which data protection rights can you claim as the person affected?

You have the right to request information about the data stored about you, Art. 15 GDPR. In addition, you may request the rectification or erasure of your data, Art. 16, 17 GDPR. You may also be entitled to restrict the processing of your data and a right to release the data you provided in a structured, common, machine-readable format, provided this does not affect the rights and freedoms of others, Art. 18, 20 GDPR. If you have given us consent to the processing of your personal data, you can revoke this consent at any time with effect for the future. The legality of the processing carried out based on the consent until the revocation remains unaffected. To exercise your rights, please contact the responsible body or data protection officer listed under section 2. In addition, you have a right of objection, which is explained in more detail at the end of this privacy policy. You also have the option to file a complaint with a data protection authority, Art. 77 GDPR. The right of appeal is without prejudice to any other administrative or judicial remedy. The data protection authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Postfach 20 04 44
40102 Düsseldorf

Information about your right of objection according to Art. 21 of the General Data Protection Regulation (GDPR)

For reasons that arise from your particular situation, you have the right to object to the processing of your personal data at any time pursuant to Article 6 para. 1 f of the GDPR (data processing on the basis of a balance of interests); this also applies to any profiling based on this provision as defined in Article 4 No. 4 GDPR.

If you file your objection, we will no longer process your personal data unless we can estab-lish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising or defending legal claims.

In individual cases, we may also process your personal data according to Article 6 para. 1 f GDPR in order to generate direct mail. You have the right to object to the processing of your personal data used for such advertising at any time; this also applies to profiling insofar as it is associated with such direct mail advertising.

If you object to the processing for direct marketing, we will no longer process your personal data for these purposes.

The objection can be informal and should ideally be addressed with the responsible body or data protection officer listed in the privacy statement under section 2.