in accordance with Article 13 GDPR
Data protection is an important concern for us. This document informs our business partners about how we collect, store and process your personal data at HIWIN, in accordance with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG-neu), as well as your rights in connection with your personal data. The term business partner denotes any contact person for interested parties, customers, sales partners, suppliers and general partners; hereinafter collectively referred to as “business partners”.
This data protection policy relates to all of our products and services and applies to any company affiliated with HIWIN (see Section 6), excluding any services and offers with their own data protection policy.
This data protection statement extends our existing general data protection statement, which provides concrete information about how we process your personal data when you visit our website and other topics.
1. Controller and data protection officer
The controller (hereinafter simply referred to as the “company”) responsible for processing your personal data is:
HIWIN GmbH
Brücklesbünd 1
77654 Offenburg
Phone: 0781 93278 0
Email: info@hiwin.de
You can reach our data protection officer by post or email:
Christoph Boser
Email: datenschutz@hiwin.de
Tel: 0781 932 78 0
2. What is the purpose of processing your data?
During cooperation with business partners, HIWIN processes personal data for the following purposes:
- initiation or implementation of a contractual relationship or implementation of pre-contractual measures;
- communication with business partners about products, services and projects, e.g. to handle inquiries and orders from the business partner;
- planning, execution and administration of the (contractual) business relationship between HIWIN and the business partner, e.g. in order to complete orders for products and services, collect payments, for purposes relating to accounting, billing and debt collection or to carry out deliveries, maintenance or repairs;
- maintenance and protection of the security of our products and services as well as our websites;
- compliance with legal requirements (e.g. tax and commercial law retention obligations), compliance screenings (for the prevention of white-collar crime or money laundering) and adherence to HIWIN guidelines and industry standards;
- prevention and detection of security risks, fraudulent actions or other criminal or malicious acts;
- settlement of legal disputes, enforcement of existing contracts and the assertion, exercise and defence of legal claims.
3. What is the legal basis for processing your data?
We process your personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG-neu). If processing is necessary for the establishment, execution or performance of a contract and for the implementation of pre-contractual measures, the legal basis of this processing is Article 6(1)(b) GDPR.
If you give us your express consent to process personal data for specific purposes (e.g. disclosure to third parties, evaluation for marketing purposes or advertising), the legal basis of this processing is your consent in accordance with Article 6(1)(a) GDPR. Any consent that you have given can be revoked at any time, with effect for the future.
If necessary and legally permissible, we may process your data beyond the contractual purposes to fulfil legal obligations in accordance with Article 6(1)(c) GDPR. In addition, processing may be performed to protect our legitimate interests or those of a third party in accordance with Article 6(1)(f) GDPR. If necessary, we will inform you separately and state the relevant legitimate interest, insofar as this is required by law.
4. Which of your information and personal data do we process?
HIWIN may process the following categories of personal data for the purposes cited above:
- contact information, such as first and last name, business address, business telephone number, business mobile number, business fax number, and business email address;
- payment information, such as information required to process payment transactions or prevent fraud for credit card payments, including credit card information and card verification numbers;
- information whose processing is necessary as part of a project or for the establishment, execution or performance of a contract with HIWIN;
- other information voluntarily provided to us by our contact persons, e.g. other project participants, internal and external contact persons or special instructions regarding project implementation;
- previously purchased products or services and their history;
- information collected from publicly available sources, information databases or credit agencies;
- where required as part of compliance screenings, information about any relevant legal proceedings and other legal disputes involving business partners.
5. Who receives your data?
Within our company, we only give your personal data to the departments and persons who need these data to fulfil their contractual and legal obligations, or to the relevant departments and persons when processing is performed to protect a legitimate interest under Article 6(1)(f) GDPR.
When processing your personal data, we also use service providers, e.g. to maintain and service our software programs and IT infrastructure or defend against cybercrime. Your personal data will also be passed on to third parties acting on our behalf and processed by them. Our instructions are communicated to these third parties by means of contract processing agreements under Article 28 GDPR. This ensures that personal data are processed in accordance with the provisions of the GDPR and that your data are protected and processed in accordance with any applicable data protection regulations. The categories of such recipients include, for example, companies that provide services in the following areas: IT services, cybercrime prevention, data storage and linkage, marketing, market research, payment processing, product and service delivery, online marketing, trade show and event execution, shipping logistics and regulatory compliance (e.g. matching against anti-terror lists for exports). We only ever share the minimum amount of personal information that our service providers need to provide their services.
In some cases, we may also give your personal data to business partners who represent our products nationally and internationally as dealers or distributors. If we receive an inquiry that we can associate with a specific trade partner by virtue of its content, geography or subject matter, for example a request for further information from a visitor contact at a trade fair, then we may forward personal data to the relevant business partner for processing. Our business partner will then contact you directly. When we share personal information with other business partners, we require them to protect and process your information in accordance with applicable data protection laws. The legal basis of such data processing and disclosure is Article 6(1)(f) GDPR. The legitimate interest in question is the provision of an efficient and customer-oriented sales structure and optimal customer care for our products and services. If you object to this forwarding, you can inform us at any time and it will be revoked. If you do so, however, we may not be able to execute your inquiry or order.
Data will otherwise only be forwarded to recipients outside the company or affiliated companies if this is permitted or mandated by law or if this forwarding is necessary for processing and thus fulfilling the contract. This also includes any pre-contractual measures taken at your request which require a transfer to third parties for implementation.
Forwarding may also occur with your express consent or if you have authorized us to disclose the information. Recipients of personal data may include public bodies and institutions to whom we have a legal or regulatory obligation (e.g. public prosecutor's office, police, supervisory authorities, tax office).
Your data will not be forwarded to other third parties, e.g. for advertising purposes, without your express consent.
6. Transfer of personal data to affiliated companies
HIWIN may transfer personal data to other companies in the HIWIN group or companies affiliated with HIWIN (hereinafter referred to as the “HIWIN group”) for the purposes cited above, but only if necessary to fulfil these purposes (see also Sections 2, 3 and 5).
We only ever share the minimum personal information necessary with other companies in the HIWIN group, e.g. to provide any requested products and services or manage and improve our products, services and day-to-day operations. Companies in the HIWIN group may be based outside the EU and the EEA economic area (third countries) in locations with less strict data protection legislation than the EU. Personal data will only be transferred to a HIWIN group recipient in a third country if we have a contract with the recipient that includes the EU standard contractual clauses, the recipient has introduced binding corporate rules which provide EU levels of data protection or – for recipients domiciled in the USA – the recipient is certified under the EU/US Privacy Shield.
For further information, please contact the person indicated in Section 1.
The legal basis of this data processing is Article 6(1)(b) GDPR, which permits the processing of data to fulfil a contract or pre-contractual measures, and Article 6(1)(f) GDPR with the legitimate interests cited above (see also Sections 2, 3 and 5).
7. Transfer of data to a third country
There are no plans for transfer to a third country.
8. How long are the data stored?
If necessary, we process and store your personal data for the duration of our business relationship or the fulfilment of contractual purposes. This also includes the initiation and execution of a contract. In addition, we must comply with various storage and documentation obligations, including those arising from the German Commercial Code (HGB) and the Fiscal Code (AO). The retention periods for storage and documentation prescribed by these regulations range from two to ten years, or up to thirty years in special cases.
We also store and use your data for a reasonable period of time after the order has been placed in order to keep you up to date regarding our services and offers and to provide you with information about these services and offers. The legal basis for this is Article 6(1)(f) GDPR. Any mandatory legal provisions - in particular retention periods - remain unaffected. After this period, we delete personal data in a secure manner. If the data are still required after this period for analytical, historical or other legitimate business purposes, we will take appropriate steps to make these data anonymous.
9. Children
In principle, our offers are aimed at adults. Persons under the age of 18 should not transmit any personal data to us without the consent of their parents or legal guardians.
10. Necessity of providing personal data
As a general rule, the provision of personal data for the purpose of establishing, executing and fulfilling a contract or for implementing pre-contractual measures is neither required by law nor by contract. You are therefore not obliged to provide your personal data. Please note, however, that these data are usually required for decision-making regarding the conclusion of a contract, the fulfilment of a contract or for pre-contractual measures. If you do not provide us with any personal data, we may not be able to make the necessary decisions as part of contractual measures. We recommend that you only provide personal data that are necessary for the conclusion of the contract, the performance of the contract or pre-contractual measures.
11. Automatic decision-making
In principle, we do not use fully automated decision-making in the sense of Article 22 GDPR to establish, perform or execute business relationships or for pre-contractual measures. Should we use these procedures in individual cases, we will inform you of this separately and obtain your consent if necessary.
12. What are my rights in connection with my personal data?
You can request information about your stored personal data from the addresses listed in Section 1. In addition, you can request the correction of your data and, subject to certain conditions, the deletion of your data. You also have the right to restrict the processing of your data, as well as the right to request a copy of any data provided by you in a structured, common and machine-readable format.
Right of objection
If we are processing your data on the basis of a legitimate interest, you can object to this processing for reasons arising from your particular situation. If you do so, we will no longer process your personal data unless we can prove compelling reasons for this processing which outweigh your interests, rights and freedoms or unless the processing serves the assertion, exercise or defence of legal claims.
If the legal basis of the processing is your consent, you are entitled to revoke this consent for the use of your personal data at any time under Article 7 GDPR. Please note that revoking your consent will only take effect for the future. Any processing performed before you revoke your consent is not affected. Please note also that we may need to retain certain data for a period of time to comply with legal requirements.
In individual cases, we may process your personal data for the purpose of direct advertising. You have the right to object at any time to processing for this purpose. This also applies to any profiling associated with direct advertising. If you object to processing for the purpose of direct advertising, we will not process your personal data further for this purpose.
You can also contact our data protection officer or a data protection authority to submit a complaint.