Information obligations regarding the processing of suppliers’ personal data
Information obligations regarding the processing of personal data of suppliers to Gasteig München GmbH in accordance with Article 13 of the European General Data Protection Regulation (EU GDPR)
Name and contact details of the controller
Gasteig München GmbH
Represented by its Managing Director Stephanie Jenke
Address: Rosenheimer Straße 5, 81667 Munich, Germany
E-mail: zentral@gasteig.de
Tel.: +49 89 480980
Purposes for which your personal data are processed and legal bases for their processing
“Personal data” refers to any information relating to an identified or identifiable natural person (Art. 4(1) EU GDPR). In the following cases, we process your personal data for the purposes stated below and based on the legal basis mentioned:
- Processing of personal data for the purpose of carrying out pre-contractual measures or for the performance of a contract:
Your personal data will be processed insofar as this is necessary to carry out pre-contractual measures or to fulfil a contract with you. Legal basis of the processing of your personal data: point (b) Art. 6(1) EU GDPR. - Processing of personal data on the basis of legitimate interest:
Your personal data will be processed to the extent necessary to protect the legitimate interests of Gasteig München GmbH or a third party. This is in particular the case for
– the implementation of pre-contractual measures or for the fulfilment of a contract with our suppliers insofar as you are acting as a vicarious agent for our suppliers.
– assertion of legal claims and defence in legal disputes.
Legal basis for the processing of your personal data: point (f) Art. 6(1) EU GDPR. - Processing of personal data based on your consent:
Your personal data will be processed if you have expressly consented to the processing of your personal data in question. Legal basis for the processing of your personal data: point (a) Art. 6(1) EU GDPR.
You are not obliged by law to provide us with your personal data and must do so only insofar as this has been stated above for the respective purposes of processing your personal data. Your personal data will not be used for any automated decision-making process, including profiling.
Categories of recipients of personal data
Your personal data will be transmitted or made accessible to other recipients only insofar as this is necessary for us to process your request or insofar as we have entrusted other recipients with the performance of individual tasks or services and access to your personal data is thereby necessary or cannot be excluded.
The categories of recipients of personal data are:
- Internal departments involved in completing the respective business processes (e.g. Purchasing, Events Management, Accounts, IT)
- Service providers for hosting, maintenance and administration of our applications or databases
- External service providers for the direct, instruction-bound or independent support of the respective business processes (e.g. for support within the scope of an order or project award)
- External auditors or accountants
The transfer of your personal data to the above recipients is based on your consent in accordance with point (a) Art. 6(1) EU GDPR, insofar as this is necessary for taking pre-contractual measures or for fulfilling a contract with you in accordance with point (b) Art. 6(1) EU GDPR, on the basis of the legitimate interest of the controller, insofar as this is necessary for implementing pre-contractual measures or for fulfilling a contract with our suppliers in accordance with point (f) Art.6(1) GDPR, on the basis of contract processing in accordance with Art.28(1) EU GDPR or insofar as we are legally obliged to do so in accordance with point (c) Art. 6(1) EU GDPR.
In addition, your personal data are transmitted to state institutions or authorities insofar as we are obliged to provide information by law or as a result of a court order. Furthermore, your personal data are transmitted to government institutions or authorities insofar as this is necessary to prosecute criminal offences against us as the injured party or to assert, exercise or defend civil law claims (legal basis for processing your personal data: legitimate interest of the controller in accordance with point (f) Art. 6(1) EU GDPR, processing for other purposes by non-public bodies in accordance with Para. 24(1) of the German Federal Data Protection Act (BDSG)).
Transfer of data to recipients in a third country or to an international organisation
A transfer of your personal data to a recipient in a third country or to an international organisation is not planned.
Duration of storage of personal data
Your personal data will only be stored for as long as is necessary to fulfil the purposes for which they were processed. As a rule, this is the case for as long as your personal data is required for carrying out pre-contractual measures or for fulfilling a contract in accordance with point (b) Art. 6(1) EU GDPR or point (f) Art. 6(1) EU GDPR. Furthermore, your personal data will be stored if you have given us your consent in accordance with point (a) Art. 6(1) EU GDPR or if mandated by legal, statutory or contractual retention periods. For example, personal data relevant to tax law are usually stored for a period of ten years; other personal data are usually stored for a period of six years in accordance with German commercial law regulations.
Information on your rights as a data subject
In general and with respect to your personal data you may exercise the rights set out below.
- Right to information in accordance with Art. 15 EU GDPR: You have the right to request information from the controller about the personal data stored about you and other information relating to this personal data.
- Right to rectification in accordance with Art. 16 EU GDPR: You have the right to obtain from the controller rectification of inaccurate personal data concerning you.
- Right to erasure in accordance with Art. 17 EU GDPR: You have the right to obtain from the controller the erasure of personal data concerning you.
- Right to restrict processing in accordance with Art. 18 GDPR: You have the right to request the controller to restrict the processing of personal data concerning you.
- Right to data portability in accordance with Art. 20 EU GDPR: You have the right to receive your personal data from the controller in a structured, commonly used and machine-readable format.
- Right of revocation in accordance with Art. 7(3) EU GDPR: You have the right to withdraw your consent given in accordance with point (a) Art. 6(1) EU GDPR to the processing of your personal data at any time. Your withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal.
- Right to object in accordance with Art. 21(1) EU GDPR: You have the right to object at any time to the processing of your personal data in accordance with Art. 6(1) point (e) or (f) EU GDPR.
- Right to lodge a complaint with a supervisory authority in accordance with Art. 77 EU GDPR: If, as data subject, you consider that the processing of your personal data infringes the EU GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
You can address your above rights directly to the contact details provided under “Name and contact details of the controller” in this information.
Contact details of the Data Protection Officer
Data Protection Officer of Gasteig München GmbH
℅ TÜV SÜD Akademie GmbH
Westendstraße 160
80339 Munich
Germany
E-mail: dsb.gasteig@tuvsud.com
Further questions
If this Privacy Policy leaves any questions regarding your personal data processed through our website unanswered, you may address your questions directly to the contact details provided in this Privacy Policy under “Name and contact details of the controller” or “Contact details of the Data Protection Officer”.
As at: August 2022