• Home
  • Privacy statement
  • Information on data protection for customers, interested parties and service providers

Information on data protection for customers, interested parties and service providers

In accordance with the provisions of Articles 13, 14 and 21 of the (GDPR), we are hereby giving you information on the way the personal data collected on you is processed as well as your rights as a data subject. Exactly which data is processed and how it is used will depend to a large degree on which services have been requested or agreed. To ensure that you are fully informed about the processing of your personal data in the context of executing a contract or implementing pre-contractual measures, please take note of the following information.

Notice about the responsible body

Papierfabrik Adolf Jass GmbH & Co. KG
Hermann-Muth-Straße 6
36039 Fulda

T +49 661 1 06-0
info@jass.com
jass.com

Managing Directors:
Dr. Marietta Jass-Teichmann
Frank Gumbinger
Michael Habeck

T +49 661 1 06-0
info@jass.com

Legally prescribed data protection officer

Kircher Datenschutz
Bernd Kircher
T +49 (0) 661 960 906-36
datenschutz@jass.com

We process personal data that we receive from you during the course of our business relationship. In addition, we process personal data that we have obtained and are allowed to process from publicly accessible sources (e.g. the Internet, commercial and association registers, press/media, debtor records and other directories, providers of address data and credit agencies).

In the case of customers who engage in business transactions as natural persons, relevant personal data are their first names, last names, address/company address, contact details such as telephone and/or e-mail, as well as data that we obtain as part of the business relationship or in fulfilling the contract. The contract data includes sales, movements of goods, financial data (including creditworthiness data) as well as written documentation data (contracts, orders, permissions, etc.), information about your operating equipment (machine type), data on compliance with customs regulations (supplier’s declaration), control data, data on customer history and purchasing behaviour.

In the case of all business partners, we process the personal data of the employees of the business partners. This includes contact details as well as other data (e.g. e-mail, faxes, letters, photos – if provided – and other personal information exchanged during the course of the business relationship).

When business partners use IT systems that we provide, such as ordering or information systems, the data that we use includes the personal data contained in them or transmitted via them.

In the case of other business partners, such as IT services, consulting services, maintenance, tradespeople, cleaners, we also process supplier data/vendor data, e.g. contract master data or billing and control data.

In the case of events that we organise, the data that we use includes the registration data as well as permissible image documentation.

More details or extra information about the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information that is provided to you (e.g. as part of the use of our website or our terms and conditions).

Purposes and legal bases on which we process your data

1. For the performance of a contract or for the implementation of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR:

The processing of personal data (see Art. 4 (2) GDPR) is carried out for the purpose of executing our contracts with you and executing your orders, as well as for carrying out measures and activities within the scope of pre-contractual relationships.

This essentially includes the communication with you in relation to the contract, the verifiability of transactions, orders and other agreements, as well as quality control using appropriate documentation, goodwill procedures, measures for controlling and optimising business processes as well as for fulfilling general due diligence obligations, management and control by affiliated companies (e.g. freight forwarders and service providers), the statistical evaluations used for managing the business, cost recording and controlling, reporting, internal and external communication, emergency management, billing and tax assessment of operational services, risk management, filing of legal claims and defence in the event of legal disputes, ensuring IT security (including system tests and/or plausibility tests) and general security, including building and plant security, ensuring and exercising domiciliary rights (e.g. by having access controls), ensuring the integrity, authenticity and availability of data, preventing and investigating criminal offences. Furthermore, this also includes the receivables management by debt collection agencies that is associated with the execution of the contract.

If you are acting as a (legal or corporate) representative of a business partner, we consider that the processing of your personal data (e.g. as an invoice recipient, as a system user, etc.) is also covered by the purpose of the contract.

2. As part of balancing interests pursuant to Art. 6 (1) (f) GDPR:

Beyond the actual performance of the contract or preliminary contract, we may process your data if it is necessary to do so to safeguard our legitimate interests or those of third parties, in particular for the following purposes:

  • For reviewing and optimising procedures for analysing needs and contacting our customers directly, creating evaluations/statistics and using them for business management and the further development of products and services as well as existing processes.

For consulting credit agencies and exchanging data with credit agencies (e.g. Verband der Vereine Creditreform e. V. in Neuss or other credit agencies) to determine creditworthiness or default risks within the scope of what is permitted by law and taking into account your legitimate interests in the exclusion of transmission or use.

To ensure the best communication of promotions, we process your address, telephone number and e-mail address. In addition, we process data from your customer history (list of products purchased, special interests, etc.) for purposes of direct marketing, which we use to tell you about suitable and attractive offers in relation to our range of services, e.g. sending out product information, offers and information about services or satisfaction surveys, and invite you to relevant events, such as the presentation of new products at trade fairs. We have a substantial legitimate interest in processing the personal data for marketing purposes in order to cultivate or initiate a business relationship with you. You can object to this promotional approach. You will find the details in paragraph 3.

In the case of press and other media representatives, we use the address and communication data for sending media materials and/or information as part of a legitimate interest. In addition, we process personal data:

  • to include it in our contact database, to cultivate a contact after making business contact (e.g. after you have provided your business card);
  • for market research, provided you have not objected to your data being used;
  • for the purpose of expanding our data, including by using or researching publicly available data;
  • for statistical evaluations or market analysis;
  • for lodging legal claims and defending ourselves in any legal disputes that are not directly linked to the contractual relationship;
  • for the limited storage of the data if the data cannot be deleted due to the particular nature of the storage, or can only be deleted with a disproportionately high outlay;
  • for preventing and investigating any criminal offences, insofar as this is not exclusively for the fulfilment of legal requirements;
  • for internal and external investigations or security reviews;
  • for obtaining and maintaining certifications of a private or regulatory nature;
  • for building and plant security (e.g. with access controls and video surveillance), if this extends beyond the general due diligence obligations;
  • for purposes of IT and data security;
  • for safeguarding and exercising domiciliary rights by taking appropriate measures and employing video surveillance to protect our customers and employees as well as to secure evidence in the event of any criminal offences and to prevent them;
  • for purposes of administration at affiliated companies.
3. On the basis of your consent pursuant to Art. 6 (1) (a) GDPR:

To the extent that you have given us consent to process personal data for specific purposes, this consent forms the legal basis for such processing. The details of the processing, such as the purposes and consequences of revocation or failure to give consent, are set out in the respective declaration of consent. Consent that has been given may be revoked at any time vis-à-vis the body named at the outset, regardless of the time when this consent was given. An e-mail is sufficient. As a general rule, revocation of consent only applies to the the future.

Any processing that took place prior to such revocation is not affected by this and remains lawful.

4. On the basis of legal obligations pursuant to Art. 6 (1) (c) GDPR:

Like all companies in Germany, we are subject to a large number of legal regulations that demand processing and, in particular, storage of your personal data. This primarily involves legal requirements (e.g. commercial and tax laws), but also, where applicable, data protection, regulatory or other official regulations that require, among other things, the archiving of data for purposes of data protection and data security as well as auditing by tax authorities and other authorities. In addition, the disclosure of personal data may become necessary in the context of official/judicial measures for the purposes of gathering evidence, criminal prosecution or enforcement of claims under civil law, as well as for averting danger (e.g. EU terrorism regulations or regulations to prevent fraud and money laundering).

More details and extra information about the purposes of processing can be found in our contract documents, forms, declarations of consent and the other information that is provided to you (e.g. on the website or in the terms and conditions).

Who receives your data?

Within our company/the affiliated companies, access to your data is granted to those departments or organisational units that require it in order to fulfil our contractual and legal obligations as well as satisfy our legitimate interest.

Your data will only ever be passed on to external parties in relation to the execution of the contract;

  • for purposes of complying with legal requirements stipulating that we are obliged to provide information, report or pass on data, or where disclosure of the data is in the public interest (see clause 1); examples of disclosure in relation to the points listed above are: authorities, credit agencies, debt collection agencies, lawyers, tax consultants, auditors, courts, experts, credit institutions, group-affiliated companies.
  • in the event that external service providers process data on our behalf as processors (Art. 28 GDPR). These processors are companies working in the categories of IT application support/maintenance, data centres, website programming and hosting, archiving, data destruction, logistics, printing services, telecommunications, marketing, compliance services, marketing and media technology. With these service providers, your data is subject to the same security standards as it is with us. In all other cases, the recipients may only use the data for the purposes for which it was transferred to them.

We will only pass on your data to third parties for them to use if and to the extent that consent has been given or contractual and/or legal regulations make provision for this.

For how long will your data be stored?

Subject to further grounds for processing, we process your data for the duration of the business relationship with you or the business partner you represent (legal entities under public or private law). This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract. In addition, we will then store your personal data until the statute of limitations for any legal claims arising from the relationship with you has expired, so that it can be used as evidence if necessary. The statute of limitations is usually between 12 and 36 months, but it can also be up to 30 years. When the statute of limitations expires, we delete your personal data, unless there is a statutory obligation to retain it, for example arising from the German Commercial Code (Sections 238, 257 (4) of the German Commercial Code) or the German Fiscal Code (Section 147 (3) and (4) of the German Fiscal Code). The retention and documentation periods specified therein are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.

If the data is no longer required for the fulfilment of contractual or legal obligations and rights, it will be deleted on a regular basis, unless further processing – for a limited period of time – of this data is necessary for the fulfilment of the purposes listed under clause 2 for an overriding legitimate interest. Such an overriding legitimate interest shall also exist, for example, if deletion is not possible or only possible with a disproportionately high level of outlay due to the special type of storage, and processing for other purposes is excluded by means of appropriate technical and organisational measures.

Will your data be transferred to a third country or to an international organisation?

Data will be transferred to entities in countries outside the European Union (EU) or the European Economic Area (EEA) if

  • this is necessary for the execution of an order/contract,
  • it is prescribed by law (e.g. reporting obligations under tax law),
  • it is within the scope of a legitimate interest of us or a third party or you have given us your consent.

Is there an obligation to provide data?

In the context of our business relationship, you only have to provide the personal data that is necessary for the establishment, implementation and termination of the business relationship or that we are legally obliged to collect. Without the aforementioned data, we will not be able to enter into or maintain the business relationship.

Is there automated decision-making on a case-by-case basis?

We do not use any automated decision-making mechanisms in accordance with Art. 22 GDPR. If we should employ such a procedure in individual cases in the future, we will notify you about this separately if this is required by law.

In some circumstances, we may process some of your data with the aim of evaluating certain personal aspects. To allow us to inform you and advise you about products in a targeted manner, we may use evaluation tools. These facilitate needs-based product design, communication and advertising.

Such procedures can also be used to assess your creditworthiness and credit rating, as well as to combat money laundering and fraud. So-called “score values” may be used to assess your creditworthiness and credit rating. Scoring uses mathematical methods to calculate the probability that a customer will meet their payment obligations in accordance with the contract. Such “score values” thus help us, for example, to assess creditworthiness or make decisions in the context of concluding product deals, and are incorporated into our risk management. The calculation is based on mathematically and statistically recognised and proven procedures and is based on your data, in particular your sales with us, your existing liabilities with us, experience gained from the existing business relationship, contractual repayment of previous loans and information from credit reference agencies.

Information on nationality and special categories of personal data pursuant to Art. 9 GDPR are not processed as part of this.

Rights of the data subject

You have a right to receive information (pursuant to Art. 15 GDPR) vis-à-vis the controller about your personal data, as well as the right to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) and restriction of processing (Art. 18 (1) GDPR). Furthermore, you have a right to object to processing (Art. 21 GDPR) and the right to data portability (Art. 20 GDPR).

If you wish to exercise your rights, please contact the responsible body mentioned above.

Right to complain

You have a right to lodge a complaint with the relevant supervisory authority. Our privacy policy as well as the information on how your data is protected via our data processing in accordance with Articles 13, 14 and 21 GDPR may change from time to time.