Data protection information for suppliers and service providers
of Karl Diederichs GmbH & Co. KG

This data protection information provides you as an individual with an overview of how your personal data is handled and processed in the context of our business relationship with Karl Diederichs GmbH & Co KG (Dirostahl Group).

We undertake to always process your personal data in accordance with applicable law. The data collected, used, stored or forwarded is kept transparent vis-à-vis our service providers and suppliers.

Responsibilities are named below and the regular data processing procedures are described. We may provide you with further data protection information for special processing procedures.

1 Responsibilities

1.1 Controller in terms of data protection

Responsible for the processing of your personal data is the:

Karl Diederichs GmbH & Co. KG
Luckhauser Straße 1-5
42899 Remscheid
+49 (0) 2191 593-0
info@dirostahl.de

1.2 Our data protection officer

We have appointed an external data protection officer for our organization, who can be contacted using the following contact details:

Boris Nicolaj Willm, Resilien[i]T GmbH, Monschauer Straße 12, D-40549 Düsseldorf
Phone: +49 (0) 211 695289 92, e-mail: dsb.dirostahl@resilienit.de

1.3 Competent supervisory authority

You can contact the supervisory authority responsible for us at:

LDI.NRW, Kavalleriestr. 2-4, 40213 Düsseldorf
Phone: 0211/38424-0, e-mail: poststelle@ldi.nrw.de

2 General information on data protection

Insofar as we process your data to establish, implement and terminate a business relationship, you may be contractually obliged to provide us with this data. The same applies to the processing of your data in order to fulfill our legal obligations, in particular under tax and financial law. Without this data, we may not be able to establish, conduct or terminate the business relationship.

2.1 What data do we process from you?

We process your personal data that you have provided yourself or that we receive from the respective contractual partners, e.g. as part of the processing of inquiries or orders. These are the following data categories:

  • Master data: such as name (e.g. of the contact person in the company), first name, surname, title, position, address, nationality (if applicable), etc.;
  • Communication data (telephone number, mobile number, e-mail address, fax number, etc.);
  • Order and contract data (invoice address, tax number/VAT ID);
  • Bank details, billing and payment data (e.g. IBAN, BIC, name of bank);
  • Supplier number;
  • Video recordings in connection with video surveillance on the company premises;
  • Publicly accessible debtor registers, land registers, commercial registers and registers of associations;
  • Results of credit and sanction checks.

This list contains an overview of the various data that may be processed as part of a business relationship. Please note that not all of the data listed will be collected. Sensitive personal data will only be stored if this is strictly necessary in order to comply with our legal obligations or if this data has been provided by you on a voluntary basis for this purpose.

2.2 For what purposes do we process your data?

We process and use your personal data exclusively for the purposes of your business relationship with our organization. These are listed below:

  • Fulfillment of the business purpose / establishment, fulfillment and termination of the contractual relationship: The processing of personal data is carried out to implement all necessary measures associated with the establishment, execution and termination of the supplier/service relationship: Implementation of pre-contractual measures (e.g. credit check, preparation of offers and processing of inquiries), fulfillment of contractual obligations (order, order processing, payment processing, invoicing), administration of delivery or receipt of goods and services.
  • Suppliers and service provider support: For communication (if we have received your name, e-mail address or postal address from you in connection with the provision of services and/or the sale of products), to provide the helpdesk, for suppliers and service provider support. To maintain a group-wide supplier database to improve supplier quality;
  • Supplier/service provider evaluation: Personal data is processed to optimize supplier and service quality.
  • Compliance with legal obligations: The company processes personal data to comply with data protection, tax, financial and commercial law requirements (e.g. sanctions list check and to maintain a blacklist to implement the objection to processing pursuant to Art. 21 GDPR).
  • Security and protection of company assets: Personal data is also processed as part of visitor management to protect the company’s facilities, equipment and assets from theft, unauthorized access and other damage; for example, as part of video surveillance to control access to office buildings and company premises.
  • IT security: IT system usage logs are created to identify threats such as computer viruses, access to potentially dangerous external websites, unauthorized access attempts and internal misuse (e.g. violations of information security guidelines); to ensure the security of company systems and to ward off or deal with cyber attacks. In the event of a security incident affecting your data, we are obliged under Art. 33 GDPR to report this immediately to the competent data protection supervisory authority. In our legitimate interest in complying with this legal obligation as quickly as possible, it may be necessary to process your personal data as part of the investigation of the incident. However, no personal data of yours will be transmitted to the data protection supervisory authority in the reports.
  • Data security: Personal data is processed to ensure the security, confidentiality and integrity of our IT systems (e.g. through security and effectiveness tests), to test IT systems and software products and to carry out migrations, as well as to ensure the functionality of new products and the correctness and completeness of migrations.
  • Corporate management, process management: Personal data is processed during audits and investigations in order to review and optimize operational processes within the company (quality and regulation management, risk and claims management).
  • Assertion, exercise and defense of legal claims: The company processes personal data for the assertion, exercise or defense of legal claims. This includes the evaluation of documents, the collection of evidence and the use of information in legal proceedings and processes.
  • Whistleblower system: The company also operates a reporting system (e.g. whistleblowing system) in order to uncover grievances and initiate appropriate measures.

Your data will only be processed for purposes other than those mentioned if this processing is compatible with the purposes of the business relationship. We will inform you of any such further processing of your data and, if necessary, obtain your consent.

2.3 On what legal basis do we process your data?

We process your personal data only insofar as this is required by law or necessary for the fulfillment of the contract and only on the basis of the legal bases listed below:

  • Art. 6 para. 1 lit. a GDPR – consent: Processing is based on consent, e.g. for the disclosure of contact data to business partners.
  • Art. 6 para. 1 lit. b GDPR – Contract fulfillment: Processing is necessary for the establishment, execution and termination of the service-supplier relationship.
  • Art. 6 para. 1 lit. c GDPR – Legal obligation: Necessary to fulfill legal obligations, e.g. in tax, financial and foreign trade law.
  • Art. 6 para. 1 lit. f GDPR – Legitimate interests: Processing for the protection of legitimate interests, e.g. IT and data security, corporate governance, defense of our legitimate interests in legal proceedings or video surveillance. In cases in which we rely on the legal basis of legitimate interest for processing, we regularly assume that our legitimate interests in the context of the business relationship outweigh these interests, subject to a balancing decision to be made on a case-by-case basis.
  • Art. 9 para. 2 lit. f GDPR – Legal claims: Processing of special data for the assertion or defense of legal claims, e.g. in legal proceedings.

2.4 From whom do we receive your data?

In principle, we process your personal data that has been collected from you or provided by you or your organization, e.g. as part of an inquiry, order or business relationship. We may collect personal data about you from external sources (see section 2.5). We may also collect personal data about you that has been made publicly available. Processing only takes place on the basis of a valid legal basis.

2.5 Who do we share your data with?

As part of the business relationship or its initiation, it may be necessary to pass on personal data. This disclosure is always carried out in accordance with the provisions of the GDPR and only to the extent necessary to fulfill the respective purposes.

Your data may be passed on for the following purposes and to the following recipients:

  • Within the company itself: Within the company, your personal data may be passed on to the relevant departments and employees if this is necessary to fulfill the contract or the request. This includes, for example, the purchasing department, the IT department and the management in the context of business decisions. Data is always passed on in accordance with the principle of data minimization and only to those persons who are responsible for the respective tasks.
  • Within the group of companies: Personal data may be passed on within the group of companies if this is necessary for the performance of contracts, for group-wide compliance or for internal administrative and organizational purposes. The group of companies includes:
    Wilhelm Sönnecken GmbH
    Here, too, the data will only be passed on within the framework of the applicable data protection regulations and in strict compliance with data protection.
  • Authorities, public bodies, law enforcement agencies: For example, to financial authorities, supervisory authorities or courts and customs in order to fulfill legal obligations (e.g. tax requirements).
  • External service providers and processors: These include IT service providers (e.g. for IT maintenance, cloud services, applications, website support), software manufacturers and other service providers (e.g. for credit checks, for sanctions list checks, tax consultants, auditors, legal advisors, advertising agencies, for the destruction of files and data carriers, call centers, printing and logistics companies, telecommunications service providers, delivery services, the recipient’s email provider as well as data protection officers, information security officers, occupational safety officers, fire safety officers and other representatives of the organization).
  • Credit institutions: As part of contract fulfillment and receivables management, data is passed on to credit institutions.
  • Lawyers and courts: In the event of legal disputes, it may be necessary to pass on your data to lawyers or courts in order to assert or defend against legal claims. In the event of a legal dispute or suspicion of a criminal offense, data may be passed on to courts, opposing lawyers, authorities, contractual partners, consultants, business partners and opposing parties, to the extent necessary to exercise our rights.
  • External auditors: As part of audits, reviews or certifications, it may be necessary to disclose data to external auditors. This disclosure takes place in compliance with strict data protection controls and only to the extent that the disclosure of your data is necessary;
  • Insurance companies: Data may be passed on to insurance companies, for example to process insurance claims and benefits.
  • Caterer or operator of the canteen(s): Personal data may be collected in the course of billing for services used, health protection and food quality safety.
  • Security and protection services: To ensure access control and visitor management, it is necessary to process personal data.

2.6 Why do we transfer data to third countries?

As part of the business relationship or its initiation, personal data may be transferred to countries outside the European Union (EU) or the European Economic Area (EEA), so-called third countries. However, such a transfer will only take place in strict compliance with the provisions of the General Data Protection Regulation (GDPR).

The transfer of personal data to third countries takes place either on the basis of an adequacy decision by the EU Commission, through EU-approved standard data protection clauses, in exceptional cases on the basis of your express consent or using additional protective measures such as pseudonymization or encryption.

A transfer to a third country may take place in the following cases:

  • As part of the use of IT applications and cloud services (e.g. Microsoft 365, HR software, ERP systems), data may be transferred to service providers in third countries. These providers are contractually obliged to guarantee a level of protection in line with European data protection.
  • As part of the processing of international orders and projects.
  • As our company is part of an international group of companies, it may be necessary to transfer personal data to group companies in third countries, for example for group-wide accounting or compliance purposes. The aforementioned protection mechanisms are also applied here.

The transfer of personal data to third countries is always carried out with the greatest possible care and in compliance with the applicable data protection regulations. If you have any questions about the specific protective measures used or the recipients of your data in third countries, please contact our data protection officer.

2.7 Is there automated decision-making or profiling?

We do not use any automated decision-making processes or profiling that have legal effects on you or significantly affect you in a similar way. All significant decisions, in particular contract and payment modalities, are made by our employees and are based on a careful case-by-case examination.

2.8 How long do we store your personal data?

Unless an explicit or statutory storage period is specified at the time of collection, your personal data will be deleted as soon as it is no longer required to fulfill the aforementioned purposes and there are no statutory retention obligations or legal justifications for storage.

3 What rights do you have in relation to your data?

As a data subject, you have the following rights vis-à-vis us with regard to your personal data:

  • Right to information/right of access to your stored personal data, pursuant to Art. 15 GDPR.
  • Right to rectification and updating if the stored data concerning you is incorrect, outdated or otherwise inaccurate, in accordance with Art. 16 GDPR.
  • Right to erasure if the storage is inadmissible, the purpose of the processing is fulfilled and the storage is no longer necessary or you revoke your consent to the processing, in accordance with Art. 17 GDPR.
  • Right to restriction of processing where one of the grounds referred to in Art. 18 para. 1 lit. a) – d) GDPR is given in accordance with Art. 18 GDPR.
  • Right to data portability of the personal data provided by you and concerning you, pursuant to Art. 20 GDPR.
  • Right to object to data processing, pursuant to Art. 21 GDPR.
  • Right to lodge a complaint with a supervisory authority, pursuant to Art. 77 GDPR.
  • Right to withdraw consent, whereby the withdrawal does not affect the lawfulness of processing based on consent before its withdrawal, pursuant to Art. 7 para. 3 GDPR.

Detailed information on the rights of data subjects can be found on our website https://dirostahl.com/datenschutz/ in the data protection information provided there. If you have any questions about data protection at Karl Diederichs GmbH & Co KG, you can contact our data protection officer, who will be happy to inform you in detail about the rights to which you are entitled.

Exercising your rights as a data subject: You can assert your rights and, if applicable, your objection informally by post or e-mail, addressed to: datenschutz(at)dirostahl.de.

In order to ensure efficient processing and response to your request, we ask you to provide proof of your identity when exercising your right, for example by sending an electronic (redacted) copy of your ID or by making a personal request.

4 Changes to this data protection information

This data protection information is updated from time to time and adapted to the current legal situation. We will inform you separately of any significant changes in content.