Data protection notice according to Art. 13 and Art. 14 GDPR for customers, suppliers and other external parties

The following information is intended to give you an overview of the personal data processed by us and to inform you about your rights under the data protection laws.

1. Responsible body for data processing and contact details of the Data Protection Officer
ViGEM GmbH, Zeppelinstraße 2, 76185 Karlsruhe, Germany; tel.: +49 (0)721.90990.500; fax: +49 (0)721.90990.699; email: visions @vigem .de
Data Protection Officer: Emails to datenschutzanfragen @xdsb .de or via our postal address c/o "Data Protection Officer".

2. From what sources does the personal data come from?
We process personal data that we have obtained from business relationships (e.g. with customers or suppliers) or requests to our company. As a rule, we receive this data directly from the contracting party or from a personal request. However, personal data may also come from public sources (e.g. commercial registers), if the processing of such data is permitted. In addition, data may have been transmitted to us by other companies. Depending on the individual case, we also retain our own information about this data (e.g. as part of an ongoing business relationship).
Depending on the individual case, this may involve master data (e.g. name, address), contact data (e.g. telephone number, email address), contract and billing data for the fulfilment of our contractual obligations or necessary data for processing a request, and if necessary also credit data, advertising and sales data and other similar classes of data.

3. For what purposes and on what legal basis are personal data processed?
We process personal data in compliance with the data protection laws, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
a.) Within the context of contract performance or for the implementation of pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR)
We process personal data primarily for the purpose of fulfilling contractual obligations and the provision of related services or in the context of a corresponding contract initiation (e.g. contract negotiations, offer preparation). The specific purposes are based on the respective service or product to which the business relationship or the initiation of the contract relates.
b.) Within the context of fulfilment of a legal duty (Art. 6 para. 1 sentence 1 lit. c GDPR)
In many situations, we are required by law to collect certain personal data from you and to make it available to certain - usually public - entities. For example, we provide the tax authorities with the personal data necessary for tax calculation in accordance with the relevant statutory provisions.
c.) Within the context of balancing different interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
In addition, we collect and process personal data for the purpose of exercising legitimate interests in the following situations:
•  Processing general inquiries about our products and services
•  Checking the creditworthiness of relevant credit bureaus for the assessment of a credit risk in business relationships
•  Advertising or market research
•  Video surveillance to enforce the house rules on/ in our company premises/ buildings
•  Asserting legal claims and defence in legal disputes
•  Safeguarding IT operations and IT security
•  Measures for building and plant safety (e.g. access authorisation)
•  Measures to improve our internal business processes and product optimisation
d.) Within the context of consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
In some situations, the processing of your personal data is not mandatory and is only allowed with your consent. In these cases, we will inform you of this fact, in particular with regard to the voluntary nature of your consent and that it may be revoked non-retroactively at any time.
Relevant scenarios include
•  Some data processing through our website (see Privacy Policy on our website)
•  In some advertising situations (subject to permission of use, if required by law)

4. Recipient of personal data
In general, the company only grants access to your data to entities that need to work with your data ("need-to-know" principle), i.e. access to this data is required to fulfil a contractual or legal obligation. These may also be service providers and vicarious agents who act on behalf of the company and/or have been obliged to process the data confidentially.
In certain situations, we will submit your data to
•  Public authorities (e.g. tax authorities) in the case of a legal obligation
•  Other companies for fulfilment of the contractual relationship, in the context of a balance of interests or on the basis of your consent. In individual cases, depending on the business relationship or order, this could mean e.g. companies involved in the provision of our services, logistics partners, marketing service providers, credit bureaus, banks, tax consultants or lawyers.

5. Are data transmitted to a third country or an international organisation?
We shall transfer personal data to other locations in countries outside the European Union (third countries), insofar as it is necessary to conduct the business relationship, or is required by law or if you have granted us your consent.
In certain situations, we use or reserve the right to use service providers who may either be based in a third country or who may, in turn, have service providers based in a third country.
Data transfer to a third country is permissible under Art. 45 GDPR if the European Commission has decided that an adequate level of protection exists in said third country. Unless such a decision is available, data transmission to a third country is permitted if the controller has provided appropriate guarantees (e.g. so-called standard data protection clauses issued by the European Commission) and enforceable rights and effective remedies are available to the data subject (Art. 46 GDPR).
In principle, we work only with entities in a third country that meet the listed criteria.

6. Duration of data retention
We process and retain your personal data as long as it is necessary in order to fulfil our contractual and legal duties. If it is no longer necessary to retain your personal data to fulfil these obligations, they will be subject to deletion, unless statutory retention requirements exist, such as for commercial and tax records arising from the Tax Code and Commercial Code (6 or 10 years) and the preservation of evidence within the framework of the statute of limitations.

7. Rights of the data subject
You have the following rights with respect to your personal data:
•  Right to access
•  Right to rectification or erasure
•  Right to restriction of processing
•  Right to object to processing
•  Right to data portability
You also have the right to complain to a data protection supervisory authority about our processing of your personal data.
However, you also have the option of contacting our company Data Protection Officer (including confidentially).
Insofar as you have given us consent (Art. 6 para. 1 p. 1 lit. a GDPR), you can revoke it at any time with effect for the future.
Insofar as we base the processing of your personal data on the balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR), you can object to the processing. In the event of any such disagreement, we ask you to explain the reasons why we should not process your personal data as we have done. In the event that your objection is legitimate, we will examine the situation and either discontinue or modify our data processing or point out to you our compelling and legitimate reasons on which we will continue the data processing.
You may object at any time to the processing of your personal data for advertising purposes.

8. Duty to provide data
You must provide the personal data necessary to fulfil the contract or implement pre-contractual measures and their associated duties within the context of performance or initiation of a contract. You must also provide the personal data that we are required to collect by law. Without providing this information we will not be able to conclude or fulfil a contract with you.
In cases of consent-based data collection, the provision of data by you is voluntary and not mandatory. However, if consent is not given, we will not be able to provide the benefits or services based on data processing by consent. You may revoke your consent at any time non-retroactively, even after it has been initially granted.

9. Is automated decision-making or profiling performed?


As of February 2023