Data Privacy Policy for Business Customers
and Suppliers of the HUECK Group of Companies

In the information below, we would like to provide you with an overview of our processing of your personal data as employees and your rights under the General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”) and the German Federal Data Protection Act (“BDSG”).

This Data Privacy Policy applies to personal data, which we process in the context of existing or initiated contractual and business relationships and which belongs to people with whom we enter into contractual or business relationships, and to executive bodies, managing directors, key account managers or other employees of our contractual or business partners. This includes, e.g., existing or potential suppliers, service providers, customers or consultants, and existing or potential cooperation partners or other partner companies.

1. DATA CONTROLLER AND DATA PROTECTION OFFICER
The data controller in the definition of the GDPR with respect to the data processing described in this Data Privacy Policy is:
HUECK Rheinische GmbH
HUECK Engraving GmbH & Co. KG
HUECK Design GmbH
Helmholtzstraße 9
41747 Viersen
Phone: +49 (0) 2162 954694-0

Managing Director: Mr René Blume

You can reach our data protection officer, Ms Ursula Viehauser, at:
Holger Baunach – business consulting and data protection
Phone: +49 (0)2166 2625165

2. SOURCES AND CATEGORIES OF PERSONAL DATA
We primarily process such personal data, which is provided to us by the data subjects themselves in the context of contractual and business relationships or which we receive from the respective contractual and business partners (e.g., from your colleagues with whom we are already in contact), for example, in the course of processing a request or order. Furthermore, we process personal data that we gather from publicly accessible sources (such as the com-mercial register, press, internet) or which we receive from third parties (e.g. credit bureaus, business partners). We point out any gathering of personal data from third-party sources separately.
Relevant personal data includes in particular personal details (e.g., last name, first name, address, bank details, invoice address, tax number/VAT ID) and other contact details (e.g., phone number, email address). Besides this, it concerns contract or order data (e.g., sales data, vol-umes, planned quantities), data from the performance of our contractual duties, information about your financial situation (e.g., credit rating), your personal details (e.g., business interests, profession, industry, position, responsibilities and authorities) as well as other data comparable to the aforementioned categories.
The scope of data processed of a person varies depending on the role in which the person acts in relation to us, for example, what position he or she holds at the respective business partner.

3. PROCESSING PURPOSES AND LEGAL BASES
We process personal data for the following purposes and on the following legal bases:
3.1 In individual cases, we process data because you have expressly consented thereto (Art. 6 (1) lit. a) GDPR), for example, to the receipt of advertising by electronic mail (e.g., newsletter) and/or by telephone;

3.2 The data processing takes place for the performance of contracts concluded with you or your employer company or for the performance of precontractual measures, (Art. 6 (1) lit. b) GDPR); this includes, in particular:
– purchase and supply contracts (e.g., processing inquiries for sales and purchases, authentication of contractual partners, preparation and signing of contract documents, execution of purchases and sales, billing and settlement of purchase price payments);
– contracts for work and services, and other contractual relationships (e.g., processing and screening of corresponding offers and inquiries; authentication of contractual partners, preparation and signing of contract documents, settlement of payments; mailing of information by letter);

3.3 Further data processing takes place based on legal requirements (Art. 6 (1) lit. c) GDPR): for example, for the fulfillment of control and reporting duties under the tax code and other laws, as well as audits by tax and other authorities, and for compliance with statutory retention periods;

3.4 Furthermore, we process your data to protect our legitimate interests (Art. 6 (1) lit. f) GDPR); notably for the following purposes:
– optimal management of the contact/relationship, also regarding the employees of our business partners;
– optimization of our business processes, e.g., maintaining a supplier or prospective customer database, including as part of customer relationship management;
– direct marketing for existing customers;
– centralization or outsourcing of corporate functions;
– reduction of default risks in our business processes by consultation of credit bureaus (e.g., Creditreform, Bürgel) and assigning scoring values (profiling), helping us to assess the probability in which contractual partners will duly fulfill their pay-ment obligations based on a recognized mathematical statistical method;
– enforcement and defense of legal claims;
– market research purposes.

4. RECIPIENTS OF PERSONAL DATA
Under certain circumstances (beyond the cases named above), your personal data may be transferred for the aforementioned purposes; in detail:
4.1 If it is required for the investigation or litigation of illegal activities or misuse, personal data will be transferred to our legal advisers, the law enforcement authorities and if necessary, to damaged third parties. This, however, will only be done if concrete indications are given of illegal activities or misuse. Data can also be transferred if this serves for the enforcement of contractual agreements between us and our contractual and business partners.

4.2 We are further obligated under the law to provide information to certain public institutions on request. These are mostly law enforcement authorities, agencies prosecuting adminis-trative offences that are subject to penalties and the fiscal authorities.

4.3 If required for the processing of your inquiry or the conclusion or performance of a con-tractual or business relationship with you, and in the case of centralized or outsourced corporate functions, your data can be transferred to affiliates for the fulfillment of the aforementioned purposes.

4.4 Occasionally, in order to fulfill the purposes described in this Data Privacy Policy or so as to perform our services, we rely on contracted external companies or other cooperation partners as well as external service providers such as agents, logistics firms, IT service providers, auditors and financial institutions that may possibly be domiciled outside of the EU or the EEA. In such cases, information will be transferred to these companies or indi-viduals to allow them to process the data further. If these are entities outside of the EU or the EEA, we shall ensure an appropriate standard of data protection, for example, by concluding corresponding contracts with the data recipient.

4.5 As part of the further development of our business, the case may occur that the structure of our company is transformed by a change of the legal form or by founding, acquisition or sale of subsidiaries or of parts or divisions of the business. In the event of such trans-actions, the customer information will be transferred together with the part of the business to be transferred. In each transfer of personal data to third parties, we shall ensure to the prescribed extent that this will be done in accordance with this Data Privacy Policy and the applicable data protection laws.

5. PROCESSING DURATION
We process your personal data during the term of your employment with one of our business partners, but no longer than up to the final termination of the respective business relationship between us and the company that employs you. Information relating to processes (for example, concerning a concrete contractual relationship or purchase order) will be deleted by us upon the completion of the respective process, e.g., the performance of a supply contract, with a notice period of three years from the end of the respective calendar year, unless the information is subject to longer statutory retention periods (e.g., the six- or ten-year retention period according to Sec. 257 Commercial Code); in such a case, the relevant data will be blocked for any further processing.

6. RIGHTS OF DATA SUBJECTS

6.1 You have the right to receive a confirmation of the data that is stored about you at any time. If the respective conditions apply, you also have the following rights:
– Right of rectification: You have a right that personal data relating to you, which is incorrect, be corrected.
– Right of erasure: In addition, you can request the erasure of your personal data, for example, if your data is no longer needed for the purposes for which it has been gathered or otherwise processed.
– Right to restrict the processing: You also have the right to request the processing of your personal data be restricted; in such a case, the data will be blocked for any processing. This right applies in particular if the correctness of the personal data is contested between you and us.
– Right of data portability: Insofar as we process your personal data for the purpose of performing a contract with you or based on your consent, you have the right to receive your personal data in a structured, common and machinereadable format if and insofar as you have provided us with the data.
– Right to revoke a consent: If you have granted your consent to the processing of your personal data, you can revoke it at any time. The legitimacy of the processing that has taken place up until your revocation will not be affected by the revocation of the consent.
– The right to object:
Insofar as the processing of your personal data is carried out in accordance with Art. 6 (1) (f) GDPR to protect legitimate interests, you have the right, in accordance with Art. 21 (1) GDPR, to object at any time for reasons arising from your particular situation to the processing of this data. We will then no longer process this personal data unless we can demonstrate compelling legitimate grounds for processing. These must outweigh your interests, rights and freedoms, or the processing must serve to assert, exercise or defend legal claims.
If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object, your personal data will then no longer be used for direct marketing purposes. (Art. 21 (2) GDPR).

6.2 If you wish to receive confirmation as to the data stored about your person or if you want to claim your other rights or have questions about data protection at our company, you can contact us at the following email address:

6.3 You furthermore have the right to lodge a complaint at any time with a supervisory au-thority, in particular a supervisory authority in the Member State of your residence, your place of work or the place of the suspected violation if you believe that the processing of the personal data relating to you violates data protection regulations..

7. STATUS AND CHANGE OF THIS DATA PRIVACY POLICY

The status of the Data Privacy Policy is 28.12.2022.

The further development of our company can also have effects on the handling of personal data. We therefore reserve the right to change this Data Privacy Policy in the future within the scope of the applicable data protection laws and, if necessary, adjust it to the changed circum-stances of the data processing. We will inform you separately of significant substantive chang-es.