1 Controller responsible for the data processing
The controller as per Art. 4 (7) of the EU General Data Protection Regulation (EU GDPR): Chromsystems Instruments & Chemicals GmbH (hereafter: “Chromsystems”).
The Chromsystems Data Protection Officer is available to answer your questions about the processing of personal data by e-mail to email@example.com, or by post, adding “Attn: The Data Protection Officer” to the address.
2 Sources and data categories
Chromsystems processes personal data received from you within the framework of a business relationship. To the extent necessary for the provision of its service, Chromsystems also processes personal data that it has legitimately received from other companies (e.g. in order to perform orders, fulfil contracts or received on the basis of consent granted). Chromsystems also processes personal data that it has legitimately obtained from publicly available sources (e.g. press, media) and which it may process.
Relevant personal data are master data (name, address and other contact details, date and place of birth and nationality) and authentication data (e.g. ID data). In addition, this may also include order data (e.g. order data, product data), data from the fulfilment of a contractual obligation (e.g. sales), creditworthiness data, scoring/rating data, advertising and sales data (including advertising scores), documentation data (e.g. documenting meetings), data about your use of offered telemedia (e.g. time of visit to a website, use of apps or newsletters, clicked pages or entries) as well as other data comparable with the categories mentioned.
3 Purpose and legal basis of the data processing
Chromsystems processes personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA), in detail below:
3.1 For the fulfilment of contractual obligations (Art. 6 (1) (b) GDPR)
The processing of personal data (Art. 4 No. 2 GDPR) takes place to fulfil the obligation arising in connection with customer contracts with you, in particular for the execution of contracts or pre-contractual measures with you and the execution of orders and all activities required in the industry associated with the operation and management of the company.
The purposes of data processing are based primarily on the specific product or service (e.g. order, framework agreement).
Further details on the purpose of data processing can be found in the respective contract documents and terms and conditions.
3.2 In the context of weighing interests (Art. 6 (1) (f) GDPR)
If necessary, Chromsystems processes your data beyond the actual fulfilment of the contract in order to safeguard the legitimate interests of Chromsystems or third parties, e.g.:
- Data exchange with credit agencies (e.g. SCHUFA) to determine creditworthiness or default risks
- Testing and optimisation of needs analysis and customer targeting approach procedures
- Advertising or market and opinion research, in so far as no objections were raised against the use of the data
- Assertion of legal claims and defence in legal disputes
- Ensuring IT security and IT operations of the company
- Prevention and investigation of criminal offences
- Video surveillance is used to collect evidence of crimes, for example, to verify transactions in the area of logistics. They thus serve to protect suppliers, customers and employees and to implement the access policy
- Building and plant security measures (e.g. access control)
- Measures for ensuring compliance with the access policy
- Measures for business management and the further development of services and products
Chromsystems' interest in the respective processing stems from the respective purposes and otherwise serves economic purposes (efficient performance of tasks, sales, avoidance of legal risks).
To the extent the specific purpose permits, Chromsystems processes your data in pseudonymised or anonymised form.
3.3 On the basis of a consent (Art. 6 (1) (a) GDPR)
In so far as consent to the processing of personal data has been granted by you for specific purposes (e.g. dissemination of data within the Group, use of your e-mail address including for advertising about its own similar goods and services), such processing is deemed legal based on the consent. Granted consent can be revoked at any time. This also applies to the revocation of declarations of consent that were granted before 25 May 2018. Please note that the revocation is only effective for the future. Processing that occurred before the revocation is not affected.
4 Use of data
Chromsystems only transfers your data to those entities within the organisation that need it to fulfil their contractual and legal obligations or to perform their respective duties (e.g. sales and marketing). In addition, the following entities may receive data:
- Data processors commissioned by Chromsystems (Art. 28 GDPR), in particular in the area of IT services, logistics and printing services, processing data for Chromsystems bound by instructions
- Public bodies and institutions (for example), if legal or regulatory obligations to do so exist
- The respective agents, employees, representatives, authorised persons, auditors, service providers and any subsidiaries or group companies (and their respective agents, employees, consultants, representatives, authorised persons)
- Any other body you have given your consent to Chromsystems to transfer data to
5 Data storage
If necessary, Chromsystems processes and stores your personal data for the duration of the business relationship, which includes, for example, the initiation and execution of a contract.
In addition, Chromsystems is subject to various storage and documentation obligations, which stem from the German Commercial Code (HGB) or the German Tax Code (AO) among others. The deadlines for storage or documentation stipulated there are two to ten years. Lastly, the storage period is also determined according to statutory limitation periods that are, for example, usually three years, but in some cases can also be up to 30 years pursuant to Sections 195 et seq. German Civil Code (BGB).
6 Transfer of data to a third country or to an international organisation
Your data will only be transferred to countries outside the European Economic Area - EEA (third countries), if necessary to process the orders, if required by law or if your consent was given.
7 Privacy rights
Each data subject has the right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability from Art. 20 GDPR. With regard to the right to information and the right to erasure, the restrictions under Art. 34 and 35 FDPA apply. In addition, there is a right to lodge a complaint with data protection supervisory authority (pursuant to Art. 77 GDPR).
The responsible data protection supervisory authority is the
Bavarian Data Protection Authority, Promenade 27 (Schloss),
91522 Ansbach, Germany
Telephone: 0049 (0) 981 53 1300,
Fax: 0049 (0) 981 53 98 1300,
8 Right to object (Art. 21 GDPR)
a) Case-specific right to objectYou have the right, for reasons stemming from your particular situation, to object at any time to the processing of the personal data pursuant to Art. 6 (1) (f) GDPR (data processing on the basis of a weighing of interests). This also applies to profiling based on this provision within the meaning of Art. 4 (4) GDPR, which can be carried out for customer advice and support and sales purposes.
If you object, your personal data will no longer be processed unless there are compelling legitimate grounds for processing that outweigh the interests, rights and freedoms, or unless the processing is for the purposes of asserting, exercising or defending against legal claims.
b) Right to object to the processing of data for direct marketing purposes
Chromsystems and the additional controllers can also process your data within the scope of the legal regulations for direct advertising purposes. You have the right to object at any time to the processing of the personal data for the purpose of such advertising. This also applies to profiling if it is associated with this direct marketing.
If you object to processing for direct marketing purposes, Chromsystems will no longer process your personal data for such purposes. The objection can be made in any form. The contact details are: Chromsystems Instruments & Chemicals GmbH, Am Haag 12, 82166 Gräfelfing/Munich, Germany, E-mail: firstname.lastname@example.org