Data protection information on our data processing under articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)

We take data protection seriously and will now provide information on how we process your data and what claims and rights you have under the provisions of data protection law. Valid as from 25 May 2018.

1. Entity with responsibility for data processing; contact data

Contact data for our data protection officer:

Kamps GmbH
Datenschutzbeauftragter
Harald Eul
Auf dem Mutzer 11
D-41366 Schwalmtal
Email: Datenschutz@kamps.de

Responsible entity in terms of data protection law:

Kamps GmbH
Heiko Rogoll
Auf dem Mutzer 11
D-41366 Schwalmtal
Tel.: +49 (0)2163 947-754
Email: Heiko.Rogoll@kamps.de

2. Purposes and legal basis of our processing of your data

We process personal data in compliance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other applicable data protection rules (details below). What particular data are processed and what use is made thereof is crucially dependent on the services requested or agreed in each particular case. Further details of, or supplements to, the purposes of the data processing can be found in the relevant contractual documents, forms, a declaration of consent and/or other information supplied to you (e.g. in the course of using our website, or in our general terms & conditions). Furthermore, this data protection statement may be updated from time to time, as can be seen from our website at www.kamps.de.

2.1 Purposes related to performance of a contract or steps taken prior to a contract (article 6 (1) b GDPR)

Personal data are processed for the performance of our contracts with you, for the execution of your orders and for the implementation of measures and activities in the context of pre-contractual negotiations, e.g. with prospective customers. In particular the processing thus serves the purpose of rendering services in accordance with your orders and requests, and comprehend the services, measures and activities necessary in this regard. The principal items include contract-related communication with you, the verifiability of transactions, orders/commissions and other agreements, also of quality assurance by way of the relevant documentation, ex gratia procedures, measures for directing and optimising business processes and for the fulfilment of general obligations of due care, direction and controls provided by affiliates (e.g. parent company); statistical analyses of corporate management, cost accounting and controlling, reporting system, internal and external communications, emergency management, invoicing and valuation of operational performance for tax purposes, risk management, assertion of claims at law and defence in legal disputes; ensuring IT security (including system or plausibility tests) and general security, including safety of buildings and plant, securing and exercising right of admission (e.g. by way of access controls); ensuring the integrity, authenticity and availability of data, prevention and successful investigation of criminal acts; controls by supervisory bodies or authorities (e.g. auditing).

2.2 Purposes related to our or a third party's legitimate interests (article 6 (1) f) GDPR)

In addition to the actual performance of the contract or pre-contractual requirements, we process your data in certain cases, when necessary, in order to pursue our or a third party's legitimate interests, in particular for the purpose of:

advertising or market and opinion research, unless you have objected to the use of your data;
obtaining information and exchanging data with enquiry agencies, but only within the bounds of our commercial risk;
examining and optimising methods of needs analysis;
further development of services and products, as well as existing systems and processes;
disclosure of personal data within the framework of a Due Diligence during negotiations on the sale of a company;
comparison with European and international anti-terror lists in cases where this goes beyond the statutory obligations;
enhancement of our data, inter alia through use of or research into data accessible to the public;
statistical assessments or market analysis;
benchmarking;
assertion of claims at law and defence in legal disputes which are not directly attributable to the contractual relationship;
limited storage of data if and when deletion, because of the special method of storage, is not possible or only possible at disproportionately great expense;
development of scoring systems or automated decision-making processes;
prevention and successful investigation of criminal acts, except when done exclusively to fulfil statutory requirements;
security of buildings and plant (e.g. by admission controls and CCTV) in cases where this goes beyond general obligations of due care;
internal and external investigations, security checks;
possibly, wire-tapping or recording of telephone calls for quality controls and for training purposes;
receiving and maintaining certifications under private law or of official character;
ensuring and maintaining the right of admission to the building, taking appropriate measures such as CCTV for the protection of our customers and staff and also for preserving evidence in case of criminal acts and the prevention thereof.

2.3 Purposes related to your consent (article 6 (1) a GDPR)

Your personal data may also be processed for specific purposes (e.g. using your email address for marketing purposes) if you have given your consent. Normally you may revoke such consent at any time. This also applies to the revocation of declarations of consent which were issued to us before the GDPR came into force, that is, before 25 May 2018. You will be informed expressly at the appropriate point in the consent text about the purpose and about the consequences of a revocation or a failure to give consent.
The basic rule is that a revocation of consent will only be effective for the future. Processing done before the revocation will not be affected and will continue to be lawful.

2.4 Purposes related to compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) f) GDPR)

Like everyone involved in economic activity, we too are subject to a number of legal obligations. Primarily, these are statutory requirements (e.g. under commercial and tax law), but there may also be obligations imposed by supervisory and other public authorities. The purposes of processing may include, in certain cases, checks on identity and age, the prevention of fraud and money laundering, the prevention, combating and investigation of the financing of terrorism and criminal acts endangering assets, comparisons with European and international anti-terror lists, the fulfilment of control and notification obligations under tax law, the archiving of data for the purposes of data protection data security, and auditing by tax and other authorities. Furthermore, it may become necessary to disclose personal data in the context of measures taken by courts or public authorities for the purpose of furnishing evidence, criminal prosecution or the enforcement of claims under civil law.

3. Categories of data processed by us in cases where we do not receive data direct from you; the origin of such data

In cases where this is necessary for the performance of our services, we lawfully process personal data received from other companies or other third parties (e.g. enquiry agencies, address providers). We also process and are allowed to process personal data which we lawfully obtain, receive or have acquired from sources accessible to the public (e.g. telephone directories, commercial and club registers, population registers, debtor registers, land registers, the press, the internet and other media).

Relevant categories of personal data may in particular be:

Data on person (name, date of birth, place of birth, nationality, marital status, profession/sector and comparable data)
Contact data (address, email address, telephone number and comparable data)
Address data (registration data and comparable data)
Payment/coverage confirmation for bank and credit cards
Information on your financial situation (credit standing data including scoring, i.e. data for assessment of financial risk)
Customer history
Data on your use of the telecommunications media offered by us (e.g. date and time of visit to our websites, apps or newsletter, pages/links of ours clicked on, or data input and comparable data)
Video data

4. Recipients or categories of recipients of your data

Inside our company, your data are received by those persons, offices or organisational units that need the data to fulfil our contractual and statutory obligations or within the framework of pursuing and implementing our legitimate interests. Your data are passed on to external persons or entities exclusively

in connection with the performance of the contract;
for the purpose of complying with statutory requirements, according to which we are obliged to provide information, ensure registration or disclose data or when the disclosure of the data is in the public interest (see section 2.4);
in cases where external service companies process data under commission from us as contracted processors or businesses to which operations have been outsourced (e.g. external computer centres, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data validation or plausibility checking, data destruction, purchase/procurement, customer management, letter shops, marketing, media technology, research, risk controlling, invoicing, telephony, website management, auditing services, banks, print shops or companies for data disposal, courier services, logistics);
on the basis of a legitimate interest of ours or the legitimate interest of a third party for the purposes specified in section 2.2 (e.g. transfer to public authorities, enquiry agencies, collection agencies, lawyers, courts, expert witnesses, group affiliates, corporate bodies, supervisory authorities);
if you have given us your consent to transfer of data to third parties.

We will not pass on your data to any further or additional third parties. If we engage service providers to carry out contracted processing on our behalf, your data will be protected there by the same safety standards as ours. In other cases the recipients may only use the data for the purposes for which the data were transferred to them.

5. Duration of storage of your data

We process and store your data for the duration of our business relationship. This includes the period leading up to a contract (pre-contractual legal relationship) and the performance of a contract.

We are in addition subject to various data retention and documentation obligations, which are stated inter alia in the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods prescribed therein for retention or documentation are up to ten years after the end of the business relationship or alternatively the pre-contractual legal relationship).

Furthermore, specific statutory provisions may require a longer period of data retention, e.g. for the preservation of evidence in the context of the statute of limitations. According to sections 195 ff. of the German Civil Code (BGB), the usual limitation period is three years; it is however possible for limitation periods of up to 30 years to be applicable.

If and when the data are no longer necessary for the fulfilment of contractual and statutory obligations, they are normally deleted, unless their continued processing – with time limit - is necessary for the fulfilment of the purposes specified in section 2.2 on grounds of an overriding legitimate interest. Such an overriding legitimate interest is for example also present if deletion is not possible, or only possible at disproportionately great expense, because of the special method of storage, and processing for other purpose, using appropriate technical and organisational measures, is ruled out.

6. Processing of your data in a third country or by an international organisation

Data are transferred to points in states outside the European Union (EU) or the European Economic Area (EEA) if this should be necessary for the execution of an order or contract from or with you, or if it is required by law (e.g. notification obligations under tax law), or if it is in pursuit of our or a third party's legitimate interest, or if you have given your consent.
In this context, your data can also be processed in a third country in connection with the use of service providers for the performance of contracted processing. If the EU Commission has not adopted a decision on an adequate level of data protection in the country in question, we will ensure, under the relevant EU data protection requirements and by means of the relevant written agreements, that your rights and freedoms are appropriately protected and guaranteed. On request we will provide you with the relevant detailed information.
Information on the suitable and appropriate guarantees and the possibility of obtaining a copy thereof can be requested from the company data protection officer.

7. Your data protection rights

Subject to certain conditions you can assert your data protection rights against us

You have for example the right to obtain information from us about your data stored at our company subject to the rules of article 15 GDPR (where applicable with the restrictions stated in section 34 BDSG).
On your request we will, under article 16 GDPR, correct the data stored about you if they are inaccurate or erroneous.
If you wish we will, according to the principles stated in article 17 GDPR, delete your data, except where this is in conflict with other statutory provisions (e.g. statutory data retention obligations or the restrictions stated in section 35 BDSG) or with an overriding interest of ours (e.g. defence of our rights and claims).
Subject to the conditions stipulated in article 18 GDPR, you can require us to restrict the processing of your data.
Furthermore, you can lodge an objection to the processing of your data under article 21 GDPR, and on that basis we must cease processing your data. This right of objection applies however only if highly specific circumstances are present in your personal situation, and your right of objection may in certain cases conflict with the rights of our company.
You also have the right, subject to the conditions stated in article 20 GDPR, to receive your data in a structured, commonly used and machine-readable format or to transmit the data to a third party.
In addition you have the right to revoke, vis-à-vis us and with effect for the future, consent given for the processing of personal data (see section 2.3).
Moreover, you have the right to lodge a complaint with a data protection supervisory authority (article 77 GDPR). We recommend, however, that in every case you first direct your complaint to our data protection officer.

Your requests regarding the exercise of your rights should wherever possible be directed, in writing, to the address given above or direct to our data protection officer.

8. Scope of your obligations to provide us with your data

You need only provide the data which are necessary for the commencement and operation of a business relationship or for a pre-contractual relationship with us or which we are under a legal obligation to collect. Without these data we will normally not be in a position to conclude or execute the contract. This may also apply to data which become necessary subsequently in the context of the business relationship. If we request data from you in excess thereof, we will inform you expressly of the voluntary nature of your compliance.

9. Existence of automated individual decision-making (including profiling)

We do not make use of a purely automated decision-making process as referred to in article 22 GDPR. If we should however in future use such a process in individual cases, well will inform you separately provided this is required by law.

We will possibly process some of your data with a view to analysing specific personal aspects (profiling).
In order to be able to inform and advise you about products in a targeted manner, we may, where appropriate, use evaluation tools. These make it possible for product design, communication, advertising and market and opinion research to be tailored to specific needs.

Such methods can also be used to evaluate your credit rating and creditworthiness and to combat money laundering and fraud. So-called "score values" are used in order to assess your credit rating and creditworthiness. The scoring system uses mathematical techniques to calculate the probability with which a customer firm will meet its payment obligations in accordance with the contract. Such score values thus support us in assessing creditworthiness and in decision-making in relation to product deals, and they also play a part in our risk management. The calculation is based on recognised and trusted mathematical and statistical techniques, and is carried out on the basis of your data, in particular on revenue situation, expenditure, existing liabilities, profession, employer, period of service, experience derived from the business relationship to date, contractually correct redemption of previous loans and information from credit enquiry agencies.

Data related to nationality are not processed in this instance, nor are the special categories of personal data specified in article 9 GDPR.

Information on your right to object, article 21 GDPR

1. You have the right to object at any time to the processing of your data on the basis of article 6 (1) f) GDPR (data processing on the basis of a weighing up of interests) or article 6 (1) e) GDPR (data processing in the public interest) if there are reasons present which are inherent in your particular situation. This also applies to profiling, within the meaning of article 4 no. 4 GDPR, that is based on the present provision.

If you lodge an objection we will cease to process your personal data, unless we can demonstrate that there are compelling and legitimate reasons for the processing which override your interests, rights and freedoms, or unless the processing serves the assertion, exercise and defence of legal claims.

2. We also process your data, where appropriate, in order to run direct advertising. If you do not wish to have any advertising, you have the right at any time to object to it; this also applies to profiling when it is connected with such direct advertising. We will respect and observe this objection for the future.

We will cease to process your data for the purpose of direct advertising if you object to processing for that purpose.

The objection need not be in a specific form and should if possible be sent to: