Privacy Notices pursuant to the EU General Data Protection Regulation for Business Partners and their Contacts

With the following information, we provide you as a business partner (customers, service providers, analysts, investors and interested parties) an overview of the processing of your personal data by us and your rights under data protection law. Which data is processed in detail depends primarily on the type and scope of the existing business relationship. If applicable, further data protection information may be relevant for you, e.g. when you visit our website or use IT applications provided by us.

1. Who is responsible for processing your personal data and who can you contact?

The Controller (party responsible) for data processing:

Salzgitter AG
Eisenhüttenstraße 99
38239 Salzgitter, Germany
Telephone: +49 (0)5341 / 21-01

You can contact our Data Protection Officer at the aforementioned address and telephone number, as well as by email:

datenschutz.holding@salzgitter-ag.de

 

2. Who uses the data and how do we collect it?

As part of informing about our business development and the initiating and conducting of business relations, we process the following data categories of our business partners and their contacts in particular. We obtain this data directly from these partners or from other Salzgitter Group companies or from other parties within the scope permissible (e.g. for the performance of contracts or based on consent granted). Furthermore, data that we have obtained from sources in the public domain (e.g. commercial registers, press, Internet) within the scope permissible is also processed: 

interested parties, analysts, investors, shareholders, other business partners:

  • Personal/contact data (e.g. first name, surname, if applicable, company name, address, (mobile) telephone number, telefax, email)
  • Communication data in connection with correspondence (emails, letters)
  • when accessing or using our IT applications: Log data (e.g. user ID, time stamp, type of access)

Customers, suppliers, service providers

  • Personal/contact data (e.g. first name, surname, if applicable, company name, (mobile) telephone number, telefax, email)
  • Contractual and billing data (e.g. bank details, goods ordered, date of invoice)
  • Communication data in connection with correspondence (emails, letters)
  • Legitimation data (e.g. identification documents), authentication data (e.g. signature samples), Schufa (credit rating agency) score
  • when accessing or using our IT applications: Log data (e.g. user ID, time stamp, type of access)

Supervisory board members, general managers and other contact persons of subsidiaries and associates of the Salzgitter Group

  • Personal/contact data (e.g. first name, surname, if applicable, company name, address, (mobile) telephone number, telefax, email)
  • Communication data in connection with correspondence (emails, letters)
  • Participation in events held internally by the Group
  • when accessing or using our IT applications: Log data (e.g. user ID, time stamp, type of access)
  • In the case of elected representatives: information on the mandate, entry in the commercial register, date of birth, private address

3. For what purpose is your data processed and on what legal basis?

Data is processed by Salzgitter AG for the purpose of performing the tasks of the management holding within the Salzgitter Group pursuant to the provisions defined under the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) as well as all other pertinent laws (e.g. German Commercial Code – HGB), German Fiscal Code (Abgabenordnung – AO) etc.).


a.    For the performance of a contract or for pre-contractual measures (Art. 6 (1b)) GDPR)

Personal data are processed for the purpose of performing contracts with our customers, suppliers and service providers. This also includes the performance of pre-contractual measures upon request by the business partner.


b.    In the context of the balancing of interests (Art. 6 (1 f)) GDPR)

If necessary, we process your data beyond the actual performance of the contract with a view to safeguarding the justifiable interests of ourselves or of third parties. Examples:

  • Assertion of legal claims and defense in litigation
  • For internal administration purposes within the corporate group
  • For ensuring IT security and IT operations
  • For the prevention of crime
  • For the protection of property, anti-theft system (video)
  • For access control
  • For the reviewing and optimization of processes for analyzing requirements and for addressing the customer directly
  • For advertising purposes and marketing/opinion research provided that you have not objected to the use of your data
  • Implementation of group events

c.    On the basis of consent (Art. 6 (1 a)) GDPR)

If you have given us your consent to the processing of personal data for certain purposes (e.g. Newsletters), this processing complies with the requirement of lawfulness. Consent once granted can be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent that we were granted before the GDPR took effect, i.e. before May 25, 2018. Please note that any revocation applies just to the future. Processing that took place before the revocation remains unaffected.

d.    Based on statutory requirements (Art. 6 (1 c)) GDPR) or in the public interest (Art. 6 (1 e)) GDPR)

Moreover, we are subject to various legal obligations, i.e. statutory requirements, e.g. tax regulations.

4. Who is your data given to?

The departments in our company that require your data for the purpose of fulfilling our contractual and legal obligations and for the aforementioned purposes are provided with your data. Service providers and agents used by us may be given data for this purpose.


Data is only relayed outside the company if this is required by statutory provisions or if you have given your consent.

In turn, all recipients are themselves obligated to comply with data protection.

Assuming these preconditions, recipients of personal data may be the following:

  • Public bodies and institutions (e.g. tax authorities) on the grounds of a statutory or official obligation
  • Processors to whom we relay personal data for the purpose of conducting the business relationship with you (e.g. support/maintenance of IT systems, data destruction, payments, bookkeeping)
  • Units with regard to which you have given us your consent for data transfer


No data is transferred to recipients in countries outside the EU or the EEA (so-called non-Member States). If, in the individual case, data is to be transferred to non-Member States, this is either necessary for performing a contract, takes place in the context of processing a contract, is mandatory under the law or is based on consent that you have granted to us. If service providers in a non-Member State are used, an appropriate level of data protection is guaranteed.

5. How long is your data stored for?

We process and store your personal data only as long as it is required for the fulfillment of the purposes cited under Item 3. It should be noted here that many of our business relationships are long term. If the data is no longer required for the performance of contractual or statutory obligations, it will regularly be erased unless this data is necessary for further temporary processing for the following purposes:

  • Compliance with retention periods under commercial and fiscal law, e.g. German Commercial Code or Fiscal Code that define the periods of retention as two to ten years.
  • Preservation of proof in the context of the statute of limitations (e.g. Sections 195 et seq. German Civil Code (BGB)).

6. What are your data protection rights?

All persons affected (data subjects) have the right to information pursuant to Art. 15 GDPR , the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction on the processing pursuant to Art. 18 GDPR, the right to objection based on Art. 21 GDPR and the right to data portability pursuant to Art. 20 GDPR. The restrictions under Sections 34 and 35 of the German Federal Data Protection Act apply to the right to information and the right to erasure. Moreover, there is a right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act).

You can revoke any consent granted for the processing of personal data at any time. This also applies to the revocation of declarations of consent that we were granted before the GDPR took effect, i.e. before May 25, 2018. Please note that any revocation applies just to the future. Processing that took place before the revocation remains unaffected. 

7. Is there any obligation for you to provide data?

Within the scope of our business relationship, you must provide personal data required for the initiation and conducting of a business relationship and compliance with the associated contractual obligations, or data which we are required to collect under the law.

8. Is there automatic decision-making (including profiling)?

 No use is made of automatic decision-making or profiling.

9. Information on your right to object pursuant to Art. 21 GDPR

1.    Case-by-case right to object

You have the right to object at any time for reasons arising from your particular situation against the processing of your personal data that is carried out based on Art. 6 (1 e) GDPR (data processing in the public interest) and Art. 6 (1 f) GDPR (data processing on the basis of balancing of interests). If you lodge an objection, we will no longer process your personal data unless we can provide proof of compelling legitimate grounds for processing that override your interests, rights and freedoms, or if the processing serves the purpose of the establishment, exercise or defense of legal claims.

2.    Right to object against the processing of data for advertising purposes
In specific cases we process your personal data for the purpose of direct marketing. You have the right to object at any time against the processing of your personal data for the purpose of this kind of advertising. If you object to the processing for the purpose of direct advertising we will no longer process your personal data for these purposes. There objection that can be sent via email to holding.datenschutz@salzgitter-ag.de does not have to follow any specific form.