Business Partner data protection notice
practices as the responsible controller regarding the processing of personal data relating to our vendors, customers, suppliers, and business partners (collectively, "Business Partners") and our Business Partners' employees.
This Notice applies to you if you are a Business Partner of Bystronic Group as an individual (e.g., a consultant or sole entrepreneur) or if you are an employee of a Business Partner who interacts with Bystronic on such Business Partner 's behalf.
Categories of Personal Data and Source
Bystronic processes the following categories of personal data about you from you or from authorized third parties (e.g. your supervisor, public authorities or public resources):
- Personal data relating to Business Partners who are individuals: name, business contact details, services or goods provided or offered, contract details, content of communication (such as email or business letters), payment information, invoice information, and business relationship history
- Personal data relating to an employee of a Business Partner: name, business contact details, employer name, title/position, and content of communication (such as email or business letters)
Processing Purposes, Legal Basis, and Consequences
Your personal data is processed for purposes of performing the contractual relationship with the Business Partner (including fulfilling the contractual obligations, invoice processing, communication, and legal and compliance activities), for purposes of marketing and CRM activities, and for security and fraud prevention activities. Bystronic Group relies on the following legal grounds for such processing activities:
- performance of the contractual relationship with the Business Partner (Art. 6 lit. b GDPR);
- legitimate interest of Bystronic Group, Bystronic Group's affiliates or other third parties (such as governmental bodies or courts) (Art. 6 lit. f GDPR), The legitimate interest could be in particular group-wide information sharing, marketing and CRM activities, prevention of fraud, misuse of IT systems, or money laundering, operation of a whistleblowing scheme, physical security, IT and network security, internal investigations, or potential merger and acquisition activities;
- consent (Art. 6 lit. a GDPR);
- compliance with legal obligations (Art. 6 lit. c GDPR);
The provision of personal data is necessary for the conclusion and/or performance of the Business Partner contract, and is voluntary. However, if you do not provide personal data, the affected Business Partner management and administration processes might be delayed or impossible.
Categories of Recipients
Bystronic may engage service providers, acting as processors, in order to provide IT and other administrative support (e.g., service providers who provide account payable support or IT hosting and maintenance support). Those service providers may have access to your personal data to the extent necessary to provide such services.
Furthermore, we may transfer your personal data to other Bystronic companies as a processor with the operation of information systems for management and analysis of customer relationships and interactions and related general IT support. By way of entering into appropriate data transfer agreements based on Standard Contractual Clauses, which are accessible or taking other measures to provide an adequate level of data protection, we have established that we will provide an adequate level of data protection.
Any access to your personal data is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.
The Bystronic companies may also disclose your personal data as required or permitted by applicable law to governmental authorities, courts, external advisors, and similar third parties.
Your personal data are stored by Bystronic and/or our service providers, strictly to the extent necessary for the performance of our obligations and strictly for the time necessary to achieve the purposes for which the information is collected, in accordance with applicable data protection laws. When we no longer needs to use your personal data to comply with contractual or statutory obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your information, including personal data, to comply with legal or regulatory obligations to which Bystronic is subject, e.g., statutory retention periods which can result from national regulatory obligations, etc. and usually contain retention periods from 10 years, or if we need it to preserve evidence within the statutes of limitation, can be up to thirty years.
If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
Pursuant to applicable data protection law you may have the right to: (i) request access to your personal data; (ii) request rectification of your personal data; (iii) request erasure of your personal data; (iv) request restriction of processing of your personal data; (v) request data portability; (vi) object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law.
(i) Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals restrict your right of access.
You may have the right to obtain a copy of the personal data undergoing processing. For further copies requested by you, we may charge a reasonable fee based on administrative costs.
(ii) Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(iii) Right to erasure (right to be forgotten): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data.
(iv) Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes.
(v) Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.
To exercise your rights please contact us as stated in the "Questions" section below.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
Right to object pursuant to Art. 21 General Data Protection Regulation
You have the right to object on grounds relating to your particular situation, at any time to the processing of your personal data concerning you which is based on Art. 6 (1) lit. e and f GDPR and we can be required to no longer process your personal data. As Bystronic processes and uses your personal data primarily for purposes of carrying out the contractual relationship with the Business Partner, Bystronic will in principle have a legitimate interest for the processing which will override your objection request, unless the restriction request relates to marketing activities.
To exercise your right please contact us as stated in the "Questions" section below.
Bystronic does not engage in automated decision-making.
If you have any questions about this Notice or your rights, please contact the data protection officer of Bystronic: Ecoprotec GmbH, Pamplonastrasse 19, 33106 Paderborn, Germany.