Mandatory information personal data processing

Mandatory information according to Art. 13 DSGVO
on the processing of personal data of our business partners

The protection of personal data of our contact persons at interested parties, customers, sales partners, and suppliers (hereinafter referred to as "business partners") is an important matter for us. Therefore, we process personal data in accordance with the applicable legal provisions on the protection of personal data and data security.

     I.     Name and contact details of the responsible person:

The responsible person in the context of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is: 

AMS Technologies AG
Represented by:
Chief Executive Officer: Jan Meise
Chief Operating Officer / Chief Financial Officer: Philipp Weber
Fraunhoferstrasse 22
82152 Planegg / Martinsried
Germany

Tel.:         +49 89 895 77-0
E-Mail:     datasecurity@amstechnologies.com
Website:  www.amstechnologies.com 

     II.     Description of the processing

        1.   Description and scope of the processing
We process personal data that we receive from you during our business and contractual relationship (e.g., through your inquiry or at exhibitions) or from your employer or during a pre-contractual contact on your part.

We may process the following categories of personal data:

• Type of relationship: interested party, customer, supplier
• Master and contact data such as title, first and last name, private and/or business address, name and/or name at birth, private and/or business telephone number, private and/or business mobile phone number, private and/or business fax number and private and/or business E-mail address
• Information about your function and activity (at your employer)
• Credentials and user data
• Communication data in connection with correspondence
• Project, contract, and billing data
• Other data whose processing is required in the context of a project or the handling of a contractual relationship, or which is provided voluntarily by our contact partners, such as inquiries made or project details

 If you provide us your contact details at an exhibition, we will also store your preferred communication channel, the name of the trade fair and the date of your exhibition visit.

Your personal data is generally collected directly from you or your employer as part of the co-operation. The use of your personal data is neither required by law nor by contract but is nec-essary for the communication and processing of contracts with us. There is no obligation to provide it. If you do not provide us with the necessary information and documents, we will not be able to establish or continue the business relationship requested by you. This also applies to the response of inquiries from you. In addition, we will generally not be able to maintain the business relationship with you or to conclude, execute and terminate a contract with you or your employer. Therefore, its non-provision may result in you not being able to be a contact person and/or business partner. No fully automated decision-making (including profiling) as per Art. 22 DSGVO is used to process the data you have provided.

        2.   Legal basis of the processing
The processing of the data is carried out for the fulfillment of a contract or for the im-plementation of pre-contractual measures (initiation, implementation, and termination) based on Art. 6 para. 1 p. 1 lit. b DSGVO. The processing of your data as a contact person of a legal entity is carried out to protect our legitimate interests according to Art. 6 para. 1 p. 1 lit. f DSGVO, namely for the performance of a contract initiating or concluded with your employer. To the extent necessary, we also process your per-sonal data because of a balance of interests (legitimate interest as per Art. 6 para. 1 p. 1 lit. f DSGVO), according to which processing is permissible if it is necessary to protect the legitimate interests of us or of third parties and the interests or fundamen-tal rights and freedoms of the data subject, which require the protection of personal data, are not more important.
The processing of your data may also be based on legal requirements (according to Art. 6 para. 1 p. 1 lit. c DSGVO) or be in the public interest (according to Art. 6 para. 1 p. 1 lit. e DSGVO). The purposes of the data processing result from legal requirements or are in the public interest (e.g., compliance with retention obligations).

        3.   Purpose of the processing
We process data of business partners and their contact persons for the following purposes:

General communication with business partners regarding services and projects, e.g., to process inquiries from the business partner

• Planning, implementation, and management of the (contractual) business relationship between the responsible party and the business partner
• Processing product orders via our ERP system and commissioning shipping service providers for goods delivery
• Compliance with legal requirements (e.g., tax and commercial law retention obligations)

In addition, processing is performed for the following purposes:

• Measures for optimizing our business processes, such as maintaining a customer relationship management database
• Settling disputes, enforcing existing contracts, and asserting, exercising, and defending legal claims
• Maintaining and protecting the security of our services, preventing, and detecting security risks, fraudulent activity, or other criminal or harmful activity

In these purposes also lies our legitimate interest in the processing of personal data according to Art. 6 para. 1 p. 1 lit. f DSGVO. 

        4.   Duration of processing, possibility of objection and elimination
The processing of the data provided by you is carried out for as long as it is necessary to achieve the contractually agreed purpose, but in principle until the contractual relationship with you or your employer exists. The data will therefore be deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case for the fulfillment of a contract or for the execution of pre-contractual measures when the data is no longer required for the execution of the contract. Even after the conclusion of the contract, it may be necessary to store personal data of the contractual partner to comply with contractual or legal obligations. After termination of the contractual relationship, the data provided by you will therefore be processed to comply with statutory retention obligations or on the basis of our legitimate interests. After our legitimate interests or legal requirements have expired, your data will be deleted.

        5.   Recipients of the data
Within our organization, access to your personal data is granted to those departments and divisions that need it to fulfill our contractual and legal obligations or the above-mentioned purposes and that are authorized to process this data.

Within our group of companies, your data is transferred to subsidiaries, which are contractually obligated to comply with the applicable data protection requirements. For this purpose, we conclude in writing corresponding order processing contracts and contracts on joint responsibility in accordance with Art. 26 DSGVO.

As part of our service provision, we authorize order processors who contribute to the fulfillment of the contractual obligations. We work together with service providers, such as service providers for IT maintenance services or video conferencing tools (so-called order processors). These service providers only act on our instructions and are contractually obligated to comply with the applicable data protection requirements. To this end, we conclude corresponding written order processing agreements with these service providers.

These are contracts required by data protection law, which ensure that our service providers only process the personal data of our business partners in accordance with our instructions and in compliance with the provisions of data protection law (DSGVO, BDSG, etc.).

If necessary, we transmit personal data to courts, supervisory authorities, or law firms as far as there is a legal obligation to do so according to Art. 6 para. 1 p. 1 lit. c DSGVO or if it is necessary according to Art. 6 para. 1 p. 1 lit. f DSGVO for the enforcement, execution, or defense of legal claims and if there is no reason to presume that our business partners have an essential interest in the non-disclosure of the data.

        6.   Data transfer to third countries
For the use of our systems, we use providers whose headquarters are in the USA. Processing of personal data thus also takes place in a third country. We have also concluded order processing agreements with these providers and instructed them to use European server locations. For the USA, there is currently no adequacy decision by the EU Commission within the meaning of Article 45 (1), (3) of the GDPR. This means that the EU Commission has not yet positively determined that there is a level of data protection there comparable to the requirements of the GDPR. In addition, the GDPR requires " appropriate guarantees" for a data transfer to a third country or to international organizations, Art. 46 (2), (3) GDPR. These can be, for example, internal company data protection regulations approved by a supervisory authority or standard data protection agreements. In summary, there is no level of data protection in the USA that is comparable with the requirements of the GDPR.

Risks of a transfer to a non-secure third country: Personal data could possibly be passed on by the provider to other third parties beyond the actual purpose of fulfilling the order, for example for advertising purposes. In addition, it is probably not possible to effectively enforce any rights to information against the subcontractor. There may be a higher probability that incorrect data processing may occur, as the technical and organizational measures of the subcontractor to protect personal data do not fully comply with the requirements of the GDPR in terms of quantity and quality. It is also possible that government agencies access the personal data provided without the data subject being aware of this. This risk is particularly present when data is transferred to the USA. In principle, this also corresponds to the European legal regulations, e.g., for the purpose of security. However, the comparable level of data protection for such data processing is higher in the European Union than in the country of the data recipient. 

     III.     Rights of the affected person

If we process personal data about you, you have the following rights as an affected person with respect to us as the data controller:

        1.   Right to obtain information, Art. 15 DSGVO.
Within the framework of the applicable legal provisions, you have the right to (free of charge) obtain information about your collected and stored personal data at any time. This includes, among other things, information about their processing purposes, their origin and recipients, the storage period, and the existence of various rights.

        2.   Right to rectification, Art. 16 DSGVO.
You have the right to rectification (also in the sense of completion) of your data against the controller, if the processed personal data concerning you is inaccurate or incomplete for the purpose of the processing. The controller shall carry out the rectification without undue delay.

        3.   Right to erasure, Art. 17 DSGVO.
Under the conditions of Art. 17 DSGVO, you may request the erasure of your personal data at any time, unless circumstances still apply that entitle or oblige the controller to continue processing your personal data (such as legal retention obligations).

        4.   Right to restriction of processing, Art. 18 DSGVO
If the legal requirements are met, you may request restriction of the processing of your personal data within the scope of Art. 18 DSGVO.

        5.   Right to data portability, Art. 20 DSGVO.
If you have provided us with personal data and automated processing is carried out based on your consent or based on a contract, you have a right to transfer the data you have provided within the scope of Art. 20 DSGVO, if this does not affect the rights and freedoms of other persons. The provision shall take place in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done if it is technically possible.

        6.   Right of objection, Art. 21 DSGVO
You have the right to object to processing within the scope of Art. 21 DSGVO, if the data processing is carried out for the purpose of direct marketing or profiling. You may object to processing based on a balance of interests by stating reasons arising from your particular situation.

        7.   Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to submit a complaint to a data protection supervisory authority, in the Member State of your residence, workplace or the place of the alleged infringement, if you have the opinion that the processing of personal data concerning you violates the GDPR.

The supervisory authority responsible for us is The Bavarian State Office for Data Protection Supervision. If you are in another federal state or not in Germany, you can also contact the data protection authority there.