Date: August 2022
The following notice describes how and for what purpose astora GmbH, Karthäuserstraße 4, 34117 Kassel (hereinafter also “We”) processes the personal data of its business partners and their employees.
1. Responsibility for data processing and contact data
Responsible for the processing of your personal data is:
You can reach our data protection officer at the above address, attn: data protection officer, or at email@example.com.
2. Type of data processed
We process the personal data or categories of personal data listed below that we receive from you and your employees in the course of our business relationship:
- Master data (surname, first name, title, function/position in the company, business phone number, business mobile phone number, business fax number, business e-mail address) or the data that you disclose to us on the business card,
- Communication data (content of contact requests, meeting records),
- Technical usage data for communication by e-mail and telephone,
- Documentation of business transactions,
- Travel data and voluntary information on food preferences in the context of events,
- Other data in relation to events to which we invite you,
- Declarations on data protection (consent to the processing of personal data, assertion of data protection claims for information, correction, deletion, restriction and data portability, including the information that you transmit to us in this context).
3. Duration of data storage
The processed data is subject to various storage and documentation obligations, which result from national legal provisions, often from tax, labour and company law regulations. Finally, the retention period is also dependent on the national statutory limitation periods.
If necessary, we process and store your personal data for the duration of our business relationship or for the fulfilment of contractual purposes. This includes i.a. the initiation and execution of a contract. In addition, we are subject to various storage and documentation obligations, which result from the German Commercial Code (Handelsgesetzbuch - HGB) and the Fiscal Code (Abgabenordnung - AO), among other things. The storage and documentation periods stipulated there are two to ten years. Finally, the storage periods also depend on the statutory limitation periods, which are as a rule three years according to e.g. §§ 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch - BGB), but in certain cases can also be up to thirty years.
4. Purposes of data processing and legal basis
We process your personal data in accordance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), the Telecommunications Telemedia Data Protection Act (TTSG).
Specifically, we process your personal data for the following purposes and on the legal basis specified in each case:
Processed data or categories of data
Administration of business partner and their contact persons data for communication purposes and in order to initiate and conduct a business relationship
Master data; documentation of business transactions; communication data (e.g. content of contact requests, meeting records)
Art. 6 paragraph 1 points (b) and (f) GDPR
Events for business partners (e.g. trade fairs), Invitation and guest management, visitor registration in the company restaurant
Master data, travel data and preferences with regard to food as part of events, contact details of accompanying persons, guest car number plates when applicable for registration
Article 6 paragraph 1 points (a), (b) and (f) GDPR
Prosecution, establishment or defense of legal claims
Master data; all data or categories of data with relevance to the claim in question.
Article 6 paragraph 1 point (f) GDPR
Administration of consents and objections to data processing (administration of declarations of consent and revocations of consent, as well as objections to data processing)
Master data, declarations by the data subjects
Article 6 paragraph 1 point (c) GDPR
Administration of claims made by data subjects (establishment of claims by data subjects to obtain access to and information on their data, to rectify and delete their data, to restrict data processing and to request data portability)
Master data, declarations by the data subjects, all data or categories of data being subject of the request.
Article 6 paragraph 1 point (c) GDPR
Effective execution of online meetings; execution of meetings to initiate and execute a business relationship related communication via Zoom/MS-Teams/Skype
Master data, business email address, IP address, browser data, photo (optional), telephone number (optional)
Article 6 paragraph 1 point (b) and (f) GDPR
5. Recipients and categories of recipients
Your personal data can be passed on to the following recipients and categories of recipients:
5.1. Data Processors
We use service providers who process personal data on our behalf (so-called data processors, cf. Art. 4 No. 8, 28 GDPR). This includes service providers in the areas of IT, telecommunications and business services.
5.2. Disclusure to third parties
Except in the cases of above mentioned processing on behalf, we transfer your personal data to third parties if:
- you have given your explicit consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR;
- this is necessary for the fulfilment of a contract with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR,
- there is a legal obligation for the data transfer according to Art. 6 Para. 1 S.1 lit. c GDPR.
The data disclosed may be used by the third parties for the defined purposes only.
6. Transfer of data to a third country or to an international organization
A transfer of your personal data to a third country or an international organization will only take place if this is necessary in the context of order processing and the requirements of Art. 44 et seq. GDPR are met.
We transfer your personal data to the following third countries (countries outside the European Economic Area - EEA): United Kingdom.
We will only transfer your personal data if
- the recipient provides appropriate safeguards in accordance with Art. 46 GDPR for the protection of personal data,
- you have explicitly agreed to the transmission, after we have informed you of the risks, in accordance with Art. 49 para. 1 lit. a GDPR,
- the transmission is necessary for the fulfilment of contractual obligations between you and us
- or another exception from Art. 49 GDPR applies.
Safeguards under Art. 46 GDPR can be so-called standard contractual clauses. In these standard contractual clauses, the recipient assures to protect the data sufficiently and thus to ensure a level of protection comparable to that provided by the GDPR.
7. Obligation to provide data
As part of our business relationship, you only have to provide the personal data that is necessary for the establishment and implementation of a business relationship or that we are legally obliged to collect. Without this data, we will generally have to refuse to conclude the contract or execute the order, or we will no longer be able to perform an existing contract and may have to terminate it.
For other purposes within our business relationship, there is only an obligation to provide data if this is absolutely necessary for this specific purpose.
8. Automated decision-making and profiling
We do not use your personal data for automated decision-making, including profiling.
9. Data subjects rights
9.1. Information, correction, deletion, restriction of processing data portability
Every data subject has the right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. In order to exercise the aforementioned rights, you can contact us as stated in section 1 (Responsibility for data processing and contact details).
9.2. Right to object persuant to article 21 GDPR
You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data related to you, which is based on Art. 6 Subs. 1 Sentence 1 lit. e and Art. 6 Subs. 1 Sentence 1 lit. f GDPR (data processing on the basis of legitimate interest), to insert this also applies to any profiling based on this provision within the meaning of Article 4 No. 4 GDPR. If you file an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If we process your personal data for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.
The objection can be made in any form and should be addressed to the contacts stated in section 1 (Responsibility for data processing and contact details). You will not bear any costs other than the transmission costs according to the basic tariff.
9.3. Withdrawal of a consent
If you give us your consent to the processing of your personal data, you can revoke this consent at any time. As a result, we will no longer continue the data processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.
Please address the revocation of consent to the contacts specified in section 1 (Responsibility for data processing and contact details).
10. Right to complain to the supervisory authority
According to Art. 77 para. 1 GDPR, you have the right to complain to a supervisory authority if you believe that the processing of your personal data is not lawful, in particular that it violates the GDPR. In this case, you have the choice of contacting the supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged violation. Irrespective of the aforementioned right to lodge a complaint, we will also accept your request ourselves (for contact details, see section 1. Responsibility for data processing and contact details).