Information pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR)
Dear Business Partner,
Below, we provide you with information regarding the processing of your personal data (Art. 4(2) GDPR) within the scope of our business relationship, as well as your rights in connection with this data processing. Please also make this privacy notice available to your employees.
I Data Controller and Contact Information
The controller responsible for the processing of your personal data is:
The entity within the Duvenbeck Group with which you have a contractual relationship or communicate is generally responsible for the processing of your personal data. You can find this information in the email signature, among other places.
Processing within the Duvenbeck Group:
In certain cases, the processing of personal data may be carried out under joint responsibility by Duvenbeck Logistics Holding GmbH & Co. KG and other companies within the Duvenbeck Group in accordance with Article 26 of the GDPR. An agreement on joint responsibility specifies how the respective obligations under the GDPR are fulfilled, particularly with regard to the exercise of data subject rights and the fulfillment of information obligations pursuant to Articles 13 and 14 of the GDPR. You can find the key points of this agreement here.
You can contact our Data Protection Officer at:
You can contact our Data Protection Officer at the above postal address, with the addition “To the Data Protection Officer,” or at the email address:
II Collection and Processing of Personal Data
We process personal data that you voluntarily provide to us within the scope of our business relationship. This includes, among other things, the following data or categories of data:
- Master data: (e.g., last name, first name, company, position, address, contact information such as phone number, email address)
- Contract data and transaction data (e.g., contract content, contract term, billing and payment data, tax identification number, bank details (IBAN, BIC))
- Communication data (e.g., correspondence via email, mail, telephone logs)
- Data collected in connection with access control (e.g., last name, address, company, date of visit, contact person)
- User data (user ID, name, contact information, IP address), supplier data, customer data; in the event of a malfunction: application, malfunction, content of the inquiry, status of the inquiry, description of the solution
- Vehicle data (e.g., chassis number, license plate, KBA number, registration data, vehicle identification number, and insurance policy number)
- Logging data
- Diagnostic data (telemetry data)
- Declarations of intent
- Data protection declarations (Declaration of consent to the processing of personal data; declarations regarding the revocation of any consent you have provided; declarations regarding objection to the processing of personal data; declarations regarding the exercise of your rights to access, rectification, erasure, restriction of processing, and data portability, including the information you provide to us when exercising your rights
- Project data, tender data (quantities, etc.)
- Other data from publicly available sources, provided such data was lawfully collected
III Purpose of data processing
We use your data for the initiation, conclusion, and performance of a contract, responding to inquiries, as well as for invoicing and managing payments made or received. We process your data for the purpose of conducting and organizing events. In addition, we use your data for accounting processes and utilize the communication data you have provided for contract-related communication. The legal basis for this processing is Art. 6(1)(b) GDPR
Certain data processing activities are carried out on the legal basis of Article 6(1)(c) of the GDPR to fulfill legal obligations to which we are subject as a company. These include, for example, commercial and tax law requirements or reports to authorities. To the extent that special categories of personal data are involved, processing is carried out on the legal basis of Article 9(2)(g) of the GDPR within the framework of legal requirements.
In addition, we process personal data to safeguard our legitimate interests on the legal basis of Article 6(1)(f) of the GDPR. Our legitimate interests include maintaining and strengthening business relationships, asserting legal claims and defending against legal disputes, preventing and investigating criminal offenses, ensuring the security of our IT systems, ensuring the security of buildings and facilities, measures to enforce property rights, measures for business management and further development, as well as risk management within the company. Information regarding your right to object can be found below.
If we process personal data based on your consent, the purposes of the processing are set forth in your consent form. In this case, the legal basis is Article 6(1)(a) of the GDPR. If the consent relates to the processing of special categories of personal data, the processing is based on Article 6(1)(a) of the GDPR in conjunction with Article 9(2)(a) of the GDPR. Information on withdrawing consent can be found below.
Your personal data is processed in particular for the following purposes:
- Contract management and execution
- Maintenance of contact person and contact information
- Invoicing, payment processing, and financial accounting
- Communication via telephone, email, mail, and video conference
- Planning and execution of projects, appointments, events, and business trips
- User and IT system administration, standard system logging, and logging of email correspondence
- Measures to ensure property rights and the security of buildings and facilities
- Corporate controlling and internal administration
- Processing of inquiries, as well as the assertion of legal claims and defense in legal disputes
- Consent and objection management, as well as handling data subject rights
IV Recipients of the data
Your data will be disclosed to the relevant employees within our company/group for the aforementioned purposes (Art. 6(1)(b) GDPR). Data will only be disclosed to third parties outside our company if this is necessary for contract fulfillment or billing, if you have consented, or if there is a legal basis or obligation. Through a role- and permission-based system, access within our company is restricted to the group of persons and scope necessary for the respective processing purpose (“need-to-know principle”).
To the extent that we engage third-party service providers (so-called processors) to carry out and process data, the provisions of the GDPR are complied with. These are carefully selected and commissioned in accordance with Art. 28 GDPR; they are bound by our instructions and are regularly monitored. These are service providers from the following areas:
- SaaS, hosting providers, maintenance and support of IT systems
- IT service providers
- Maintenance and support of telecommunications systems
- Document storage
- Document and data carrier destruction
- Logistics and shipping services
- Telecommunications and email providers
- Printing services
These service providers (and, where applicable, their subcontractors) process the data only in accordance with explicit instructions and are contractually obligated to ensure appropriate technical and organizational measures for data protection.
Furthermore, within the legally permissible scope, we transfer personal data of our business partners to the following entities:
- Banks
- Tax advisors, auditors, attorneys
- Insurance companies
- Consultants and agencies
- Postal and delivery services
- Logistics and transportation service providers
- Data protection officers
- Public authorities where there is a legal obligation (e.g., tax, customs, and regulatory authorities)
- Business partners and partner companies, to the extent necessary for the conduct of the business relationship
V Data transfer to third countries
Your personal data is generally stored and processed within the EU. However, the transfer of data to third countries through the engagement of data processors and third parties cannot be ruled out. In such cases, we have put in place appropriate safeguards to protect your data.
VI Where does the data come from? (Data source)
We process personal data that you voluntarily provide to us within the scope of our business relationship. In addition, we process—to the extent necessary for the initiation, execution, or settlement of the business relationship—personal data that we lawfully receive from third parties (e.g., from credit bureaus, business partners, courts, authorities, public registers, or from publicly accessible sources such as the commercial register or the internet).
VII How long will my data be stored?
We process your personal data only for as long as is necessary to fulfill the respective purpose of processing. In addition, we are subject to various retention and documentation obligations arising, among other things, from the German Commercial Code (HGB) or the German Fiscal Code (AO). These may amount to up to ten full years . Finally, the storage period is also determined by the statutory limitation periods, which, for example, pursuant to Sections 195 et seq. of the German Civil Code (BGB), can be up to thirty years, although the standard limitation period is three years.
As a rule, the master data and contract data relevant to the business relationship are stored at least until the termination of the business relationship. We retain your contract- and billing-related data for 6 or 10 years in accordance with statutory provisions (Sections 147 AO, 257 HGB).
We will delete your personal data as soon as it is no longer necessary for the purposes for which it was collected or if its storage is prohibited by law—even without a separate request from you.
VIII What data protection rights do I have?
Every data subject has the right to access under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, and the right to data portability under Article 20 of the GDPR. To exercise the aforementioned rights, you may contact the controller (Section 1).
To the extent that the processing of your personal data is carried out to pursue our legitimate interests pursuant to Article 6(1)(f) of the GDPR, you may object to such processing in accordance with the legal provisions of Article 21 of the GDPR. The objection may be submitted in any form, including via
If you have given us your consent to data processing, you may revoke it at any time in any form, including via
In addition, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR) if you believe that the processing of your personal data is not lawful.