Data protection information relating to our data processing in accordance with Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)

We take data protection seriously and would hereby like to inform you of how we process your data and what entitlements and rights you have according to the regulations on data protection.

1. Controller responsible for data processing and contact details

Controller under the law on data protection:

ACQ Science GmbH
Etzwiesenstr. 37
72108 Rottenburg
Germany

Kontaktdaten unseres Datenschutzbeauftragten:

ACQ Science GmbH
Etzwiesenstr. 37
72108 Rottenburg
Germany
Tel.: +49 (0) 7457 / 94 69 3 – 0
Fax: +49 (0) 7457 / 94 69 3 – 69
[email protected]
www.acq-science.de

2. Purposes and legal basis on which we process your data

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the German Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other applicable data protection regulations (details below). The specific data processed and the manner in which they are used depends largely on the services requested and/or agreed upon in each case.

Further details or additions regarding the purposes of data processing can be found in the respective contractual documents, forms, a declaration of consent and/or other information with which you are provided (e.g. in the context of the use of our website or our terms and conditions). This data protection information may, moreover, be updated from time to time, as you can determine from our website www.acq-science.de.

2.1 Purposes related to the performance of a contract or steps taken prior to entering into a contract (Article 6 (1b) of GDPR)

Personal data is processed in order to execute our contracts with you and to carry out your orders, as well as to take steps and carry out activities prior to entering into a contract, e.g. with interested parties. In particular, the processing is thus carried out to deliver goods in accordance with your orders and wishes, and includes the services, steps and activities required for this purpose.

In the main, this includes contract-related communication with you, the verifiability of transactions, orders and other agreements, and quality control by means of corresponding documentation, goodwill procedures, steps to manage and optimise business processes and to fulfil our general duties of care, management and monitoring by affiliated companies (e.g. our parent company); statistical analysis for corporate management, cost recording and control, reporting, internal and external communications, emergency management, billing, and tax assessment for the company’s services, risk management, the enforcement of legal entitlements and defence in the case of legal disputes; guaranteeing IT security (including testing systems and plausibility) and general security, such as the security of buildings and plant, ensuring that the house rules can be and are implemented (e.g. in the form of access control); checking data integrity, authenticity and availability, preventing and investigating criminal offences and providing monitoring in the form of supervisory or regulatory bodies (e.g. auditing).

2.2 Purposes related to a legitimate interest pursued by us or third parties (Article 6 (1f) of the GDPR)

In addition to the actual fulfilment of the contract or preliminary agreement, we may also process your data when this is necessary to protect the legitimate interests pursued by us or third parties, including but not limited to purposes of

• advertising, market research or opinion research, insofar as you have not objected to the use of your data;
• obtaining information and exchanging data with credit agencies, insofar as this extends beyond our economic risk;
• checking and improving needs analysis processes;
• further developing services, products and existing systems and processes;
• disclosing personal data in the context of due diligence during company sales negotiations;
• comparing against European and international anti-terrorist lists, insofar as this extends beyond statutory obligations;
• adding to our data, e.g. by using or researching into publicly accessible data;
• statistical evaluations or market analysis;
• benchmarking;
• asserting legal claims and defending ourselves in legal disputes which are not directly linked to the contractual relationship;
• storing data to a limited extent if, due to their special means of storage, they cannot be erased, or can only be erased with a disproportionally high effort or cost;
• developing scoring systems or automated decision-making processes;
• preventing and investigating criminal offences, insofar as this is not exclusively for the fulfilment of legal requirements;
• building and plant security (e.g. via access control and video surveillance), insofar as this extends beyond generally applicable due diligence requirements;
• internal and external investigations, security checks;
• possibly listening in on or recording telephone conversations for the purposes of quality assurance and training;
• acquiring and maintaining certification under private or civil law, or of a regulatory nature;
• establishing and observing house rules by taking appropriate steps and using video surveillance to protect our customers and staff, and to provide evidence in the case of criminal offences and protect against such offences.

2.3 Purposes related to your consent (Article 6 (1a) of the GDPR)

Your personal data may also be processed based on your consent for certain purposes (e.g. using your e-mail address for marketing purposes). You can generally withdraw that consent at any time. This also applies to the withdrawal of consent given to us before the GDPR came into force, i.e. before 25 May 2018. You will be informed separately about the purposes and consequences of withdrawing or not giving your consent in the respective statement of consent.

As a rule, consent can only be withdrawn with future effect. This does not affect processing carried out before the consent was withdrawn: such processing remains lawful.

2.4 Purposes to fulfil legal requirements (Article 6 (1c) of GDPR)

or in the public interest (Article 6 (1e) of GDPR)

Like all those involved in business activities, we are subject to numerous legal obligations. These primarily consist in legal requirements (e.g. under commercial and tax law) but also include the requirements of regulatory authorities and other official bodies.

The purposes of the processing may include checking individuals’ identity and age, preventing fraud and money laundering, preventing, combating and investigating the financing of terrorism and criminal mischief causing pecuniary loss, making comparisons against European and international anti-terrorist lists, complying with tax inspection and reporting obligations and archiving data for the purposes of data protection and data security, and undergoing investigation by tax authorities and other authorities.

Moreover, it may become necessary to disclose personal data in the context of administrative / judicial measures for the purposes of gathering evidence, initiating a criminal prosecution or enforcing claims under civil law.

3. The data categories which we process, insofar as we do not receive data directly from you, and their source

To the extent that it is necessary to enable us to provide our services, we process personal data received by permitted means from other companies or other third parties (e.g. credit agencies, list compilers). We also process personal data that we have legitimately taken, received or acquired from publicly accessible sources (such as telephone directories, trade and association registries, residents’ registries, debt registries, land registers, the press, the Internet and other media) and which we are permitted to process.

Relevant personal data categories include, but are not limited to:

• personal data (name, date of birth, place of birth, nationality, marital status, occupation / industry and comparable data)
• contact details (address, e-mail address, telephone number and comparable data)
• address data (residents’ registration data and comparable data)
• payment / creditworthiness confirmation for bank and credit cards
• information about your financial situation (creditworthiness data including score, i.e. data to assess economic risk)
• customer history
• data on how you use the electronic media we offer (e.g. time at which you visit our websites, apps or newsletters, which of our pages / links you click on, information you enter and comparable data)
• video data

4. Recipients or categories of recipients for your data

Within our company, your data is given to the internal offices and/or organisational units which require those data to fulfil our contractual and legal obligations or to process and pursue our legitimate interests. Your data are only disclosed to external bodies

• in the context of implementing the contract;
• for the purposes of fulfilling legal requirements according to which we are obliged to provide information about, report on or disclose data, or if the disclosure of data is in the public interest (cf. Clause 2.4);
• if external service providers process data on our behalf as processors or outsourcers (e.g. external computer centres, support / maintenance of EDP / IT applications, archiving, document processing, call-centre services, compliance services, financial controlling, data screening for purposes of combating money laundering, data validation or plausibility checks, data destruction, purchasing / procurement, customer management, lettershop services, marketing, digital media technology, research, risk control, cost settlement, telephony, website management, auditing services, credit institutions, printing companies, data disposal companies, courier services, shipping and logistics service providers);
• based on our legitimate interest or the legitimate interest of a third party in the context of the purposes set out in Clause 2.2 (e.g. to authorities, credit agencies, debt collection agencies, lawyers, courts, appraisers, companies within the group, committees and supervisory bodies);
• if you have given us consent to disclose data to third parties.

We will not disclose your data to third parties for any other purposes.
To the extent that we commission service providers as processors, your data will be subject to the same security standards there as they would be in our hands. In all other cases, the recipients may only use the data for the purposes for which they were transmitted to them.

5. Time for which your data are stored

We process and store your data for the duration of our business relationship. This also includes the period leading up to the contract (pre-contractual legal relationship) and the time of its implementation.

In addition to this, we are subject to various archiving and documentation obligations such as those arising from the Commercial Code (HGB) and the Tax Code (AO). The archiving and documentation periods these prescribe last up to ten years after the end of the business relationship or the business relationship or the pre-contractual legal relationship.

Furthermore, specific legal regulations may require a longer archiving period, e.g. in the context of preserving evidence under statutes of limitations. According to Sections 195 et seq. of the German Civil Code (BGB), the standard period of limitation is three years; however, limitation periods of up to 30 years may also apply.

If the data are no longer required to fulfil contractual or statutory duties and rights, they shall be regularly erased unless their further processing is – temporarily – needed to fulfil the purposes listed in Clause 2.2 based on an overriding legitimate interest. One example of an overriding legitimate interest of this kind is if they cannot be erased, or can only be erased with disproportionate effort, due to the special nature of their storage, and appropriate technical and organisational measures are taken to ensure that they cannot be processed for other purposes.

6. Processing of your data in a third country or by an international organisation

Data shall be transmitted to countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) where this is necessary to carry out an order / contract placed by or concluded with you, where this is required by law (e.g. tax reporting obligations), where it is in the legitimate interest of us or a third party, or where you have given us consent.

Such processing of your data in a third country can also take place in the context of commissioning service providers as data processors. To the extent that the EU Commission has not passed a resolution as to whether the country in question has a sufficient level of data protection, we shall use contracts to ensure that your rights and freedoms are protected and guaranteed, in compliance with EU data protection regulations.

Corresponding detailed information is available on request. On request, information on suitable or appropriate guarantees and on the possibility of receiving a copy can be obtained from the company data protection officer.

7. Your privacy rights
Under certain circumstances, you can exercise your privacy rights in respect of us

• You thus have the right to obtain information from us about your data which we have stored pursuant to Article 15 of the GDPR (possibility with restrictions under Section 34 of the German Data Protection Act, BDSG).
• At your request, we will rectify the data saved about you pursuant to Article 16 of the GDPR, if they are inapplicable or incorrect.
• At your request, we will erase your data in accordance with the principles of Article 17 of the GDPR unless other legal regulations (e.g. statutory retention obligations or the limitations pursuant to Section 35 of the German Data Protection Act) or an overriding interest on our part (e.g. to defend our rights and obligations) stand in the way thereof.
• Taking into account the requirements of Article 18 of the GDPR, you can order us to restrict the processing of your data.
• Furthermore, you can object to the processing of your data in accordance with Article 21 of the GDPR, as a result of which we are obliged to stop processing your data. However, this right to object only applies in the case of very specific circumstances regarding your personal situation, and our company’s rights may conflict with your right to object.
• Under the conditions of Article 20 of the GDPR, you also have the right to receive your data in a structured, commonly used and machine-readable format or to transmit them to a third party.
• You also have the right at any time to withdraw your consent to the processing of personal data from us with future effect (cf. Clause 2.3).
• Furthermore, you have a right to lodge a complaint with a supervisory authority (Article 77 of the GDPR). However, we recommend first always directing complaints to our data protection officer.

If possible, your requests to exercise your rights should be sent in writing to the address given above, or directly to our data protection officer.

8. Scope of your obligations to provide us with your data

You are only required to provide the data which are necessary to enter into and implement a business relationship or a pre-contractual relationship with us, or which we are required to collect by law. Without these data we will generally not be able to conclude or execute the contract. This may also apply to data required later as part of the business relationship. If we request any further data from you, you will be made aware in that specific case that these data are provided voluntarily.

We do not use any purely automated decision-making processes pursuant to Article 22 of the GDPR. To the extent that we should introduce a process of this kind in future in individual cases, we will inform you separately if this is required by law.

Under certain circumstances we may sometimes process your data with the aim of evaluating certain personal aspects (profiling).

We may use evaluation tools to be able to inform and advise you about products in a targeted manner. These allow us to design products, communicate with you and carry out advertising, including market and opinion research.

Processes of this kind can also be used to assess your credit rating and creditworthiness, as well as to combat money laundering and fraud. Scoring may be used to assess your credit rating and creditworthiness. Scoring involves using mathematical procedures to calculate the probability of a customer meeting his or her payment obligations in accordance with the contract. Scores of this type thus help us, for example, assess a customer’s creditworthiness and make decisions about product sales, and are part of our risk management system.

The calculation is based on recognised and proven mathematical and statistical processes and carried out on the basis of your data, including but not limited to income, outgoings, pre-existing liabilities, your occupation, employer, length of time in employment, our experience from our business relationship so far, whether previous loans have been repaid in accordance with the contract and information from credit agencies.

The calculation does not involve information on nationality or special categories of personal data pursuant to Article 9 of the GDPR.

Information about your right to object; Article 21 of GDPR

1. You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1f) of the GDPR (data processing based on the balancing of interests) or Article 6 (1e) of the GDPR (data processing in the public interest). This also applies to profiling based on this provision as defined in Article 4 (4) of the GDPR.

If you object, we will cease processing your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

2. We may also process your personal data in order to carry out direct marketing. If you do not want to receive any advertising, you have the right to object to it at any time; this also applies to profiling to the extent that it is related to such direct marketing. We will take this objection into account with future effect.

We will no longer process your data for purposes of direct marketing if you object to processing for that purpose.

The objection can be submitted informally and should be addressed as far as possible to

ACQ Science GmbH
z.Hd. Datenschutzbeauftragter
Etzwiesenstr. 37
72108 Rottenburg
Germany