Privacy Policy for Business Partners

osapiens Holding GmbH and its affiliated Companies within the meaning of Sec. 15 of the German Stock Corporation Act (AktG) (hereinafter also referred to as the «osapiens Companies*», «we» or «us») have set themselves the goal of constantly improving the service and information offered to our business partners, including suppliers, customers or interested parties, in order to contribute to the success of the company on both sides. Within the scope of a business relationship and in times of increasing globalization, personal data (hereinafter referred to as «data») are regularly used and processed by us. We take the protection of your data very seriously and take this into account in all our business processes. In doing so, we comply with the applicable legal rules on data protection. In the following, you will receive a detailed overview of how we process your data. We ask you to also make this data protection information available to your Employees who are in business contact with us.

Data means all personal data within the meaning of Article 4 No. 1 of the EU General Data Protection Regulation (GDPR) relating to an identified or identifiable natural person that you provide to us as a business partner during our business relationship. With this data protection information, we inform you about the nature, scope and purposes of the collection of data by us and how we handle this data. In addition, you will learn what rights you have with regard to the processing of your data.

*osapiens Companies are osapiens Holding GmbH, osapiens Services GmbH, osapiens AssetOps GmbH, osapiens Terra GmbH (all of the aforementioned Companies seated in Mannheim), osapiens COE Spain S.L (seated in Madrid), osapiens France S.à r.l. (seated in Paris), osapiens Netherlands B.V. (seated in Amsterdam), oneIDentity+ GmbH (seated in Munich) and fTRACE GmbH (seated in Cologne).

Controller and Data Protection Officer

The osapiens Company with which you are in business contact, have an ongoing contractual business relationship, or are initiating such a relationship is responsible for the processing of your data. For all data protection issues, you can reach the osapiens Companies at the central business address for data protection issues:

Julius-Hatry-Strasse 1, 68163 Mannheim

with the addition of «Data Protection»

or

by E-Mail at dataprotection@osapiens.com

osapiens Holding GmbH, osapiens Services GmbH, osapiens AssetOps GmbH, osapiens Terra GmbH, osapiens COE Spain S.L, osapiens France S.à r.l., osapiens Netherlands B.V. and fTRACE GmbH have appointed a Data Protection Officer in accordance with legal requirements.

Data Protection Officer of these Companies is:

TÜV SÜD Akademie GmbH

Westendstrasse 160, 80339 Munich

You can also reach the Data Protection Officer centrally at our above-mentioned E-Mail address (dataprotection@osapiens.com).

We and the Data Protection Officer will be happy to answer any questions you may have on data protection issues.

Where do your data originate from and what data is processed?

We process your data in accordance with the principles of data protection law only to the extent that it is necessary, we are permitted to do so by applicable legal requirements, or we are obliged to do so.

Unless otherwise stated below, the terms «process» and «processing» also include, in particular, the collection, use, storage, disclosure and transfer of data (Art. 4 No. 2 GDPR).

We process the data we receive from you in the course of our business relationship, i.e. either on the basis of a contractual relationship with you, or your company (such as the purchase and sale of products, services, work services, rights of use, etc.), a pre-contractual contact or any other inquiry on your part (e.g. via the Internet, by email, via a contact form provided by a data processor, by telephone, or on the occasion of a trade fair or product event).

In addition, to the extent necessary for the fulfilment of our contractual or legal obligations, we process your data that we legitimately obtain from publicly accessible sources (e.g. commercial and association registers, press, Internet) or are legitimately transmitted by other third parties (e.g. a credit agency).

Relevant data are especially:

  • Contact details of the contact person(s) at the business partner and business address;
  • Communication data, such as telephone number and e-mail address;
  • Banking and billing information of our current and prospective business partners;
  • Tax number/VAT-ID of our current and prospective business partners;
  • Order data, such as sales data or business partner history; and
  • Name and business address of directors and shareholders, company representatives, to the extent this information is available from public sources and the commercial register.

We typically use and store the following categories of your business and/or personal data:

  • Salutation;
  • First and last name;
  • Postal address;
  • E-Mail address;
  • Landline number, mobile number and fax number;
  • Occupation, position, title and academic degree; and
  • Electronic identification data (e.g. IP address).

What is my data used for (purpose of processing) and on what basis (legal basis) does this happen?

For the fulfillment of contractual obligations

We process your data primarily for the fulfillment of contracts with you, or your company, or for the implementation of pre-contractual measures (Art. 6 (1) lit. b) GDPR) upon request. In the context of our business relationship, you must provide those data that are necessary for the establishment, implementation and termination of a business relationship and for the fulfillment of the associated contractual obligations or which we are required to collect by law. Without this data, we will generally not be in a position to conclude a contract with you, to execute and terminate it, and to take pre-contractual measures to conclude a contract with you at your request. If you do not provide us with the necessary information and documents, we will not be able to establish or continue the business relationship you have requested.

Processing due to legal requirements

In addition, we process your data insofar as this is necessary for the fulfillment of legal obligations (Art. 6 para. 1 lit. c) GDPR).

Processing on the basis of a legitimate interest

In addition, we process your data insofar as this is necessary to protect the legitimate interests of us or a third party (Art. 6 para. 1 lit. f) GDPR). This could include the following cases:

  • Provision of information, invitations to events and other measures to describe our performance and our products;
  • Administrating customer requests using a communication tool from a service provider (ticket system) to improve our services;
  • Assertion of legal claims and defense in legal disputes;
  • Measures for optimizing our business processes, such as maintaining a supplier database or a «customer relationship management» database;
  • For the purpose of advertising products or promotions (with trading partners);
  • Measures to ensure operational security and business management;
  • For reconciliation with European and international embargo lists;
  • Credit checks;
  • Collection of receivables, including within the framework of assignments to collection agencies; and
  • For the purpose of optimal digital processing of your request or order (e.g. via form).

Processing on the basis of your consent

Furthermore, the processing is based on your consent in accordance with Art. 6 (1) lit. a) GDPR, insofar as this has been requested. Consent can be withdrawn at any time.

Recipients of your data and place of processing

Within the context of our business relationships, those who need to access your data in order to fulfill our contractual and legal obligations and to carry out our internal processes (e.g. sales, purchasing, logistics, financial accounting, personnel) will have access to it. The Employees authorized to access the data are obligated to maintain confidentiality and to protect business and trade secrets as well as data privacy.

To the extent necessary, we also share your data with other Companies affiliated with us within the meaning of Sec. 15 of the German Stock Corporation Act (AktG), which may process it for their own purposes as data controllers. Your data is only accessible to authorized persons and / or departments that have a legitimate reason to access and process this data for the above-mentioned purposes.

We use order processors to provide special services. The transfer of your data to them is carried out in strict compliance with the obligation of confidentiality and the requirements of the GDPR. The processors commissioned by us, who may only process the data for us and not for their own purposes, are obliged to comply with the requirements of the GDPR. In these cases, the responsibility for data processing remains with us.

Recipients of your data may be, for example:

  • Public bodies and institutions (e.g. tax authorities, law enforcement agencies) in the event of a legal or official obligation;
  • Insolvency administrators or creditors inquiring based on a compulsory execution;
  • Auditors on the occasion of annual audits;
  • Service providers that we use in the context of order processing relationships for the provision of services, the provision of tools or other services; and
  • Affiliated Companies within the group of Companies as defined in Secs. 15 et seq. of the German Stock Corporation Act (AktG).

To the extent that these data recipients (affiliated Companies or external entities/Companies) are located in countries outside the EU and the EEA that have not been recognized by the European Commission as having an adequate level of data protection, we will ensure that adequate safeguards are in place to ensure such a level of data protection, such as by entering into EU standard contractual clauses of the European Commission with the respective data recipients.

How long will your data be stored?

We process and store the data of our business partners as long as this is necessary for the fulfillment of our contractual and legal obligations arising from the existing business relationship. If your data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its temporary further processing is necessary for the fulfillment of commercial and tax retention obligations resulting from the German Commercial Code (HGB) and the German Fiscal Code (AO) (retention periods or documentation periods are, for example, ten years for accounting documents and six years for commercial or business letters) or for the preservation of evidence within the statutory limitation periods (these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years).

In addition, we will retain your data for as long as necessary for other relevant processing purposes specified in this information.

Processing of your data when participating in online conferences

We use online conference tools to communicate with you. The respective online conference tools we use are listed below.

We collect and process your data when you communicate with us by video or audio conference using an online conference tool. The conference tools collect all data that you provide/enter to use the online conference tools (e-mail address and/or your telephone number). The online conference tools also process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other «contextual information» in connection with the communication process (metadata).

We use the online conference tools for the purpose of contract fulfilment (initiation, implementation and termination of a business relationship). The legal basis for this is Art. 6 para. 1 lit. b) GDPR. Furthermore, the use of online conferencing tools serves to generally simplify and accelerate effective communication with us. This data processing to protect our legitimate interests or those of third parties is based on Art. 6 para. 1 lit. f) GDPR. The data collected directly by us via the online conference tools will be deleted from our systems as soon as you request us to delete it, revoke your consent to its storage or the purpose for which it was stored no longer applies. Stored cookies remain on your terminal device until you delete them. Mandatory statutory storage periods remain unaffected.

Online conference tools in use

Microsoft Teams

Microsoft Teams is a Microsoft Office 365 service. It is a productivity, collaboration and exchange platform. Microsoft Office 365 is a software of the company Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (hereinafter referred to as «Microsoft») and is part of the Microsoft Office 365 cloud application, for which a user account must be created.

The data is processed by Microsoft on our behalf. For this purpose, we have concluded a data processing agreement with Microsoft in accordance with Art. 28 GDPR.

Various types of data are processed when using Microsoft Teams. The scope of the data also depends on the information you provide before or when participating in an «online meeting». If you require information about the processing of your personal data by Microsoft, you can consult the corresponding privacy policy provided by Microsoft. You can find detailed information on this from Microsoft here:

https://privacy.microsoft.com/de-de/privacystatement

https://learn.microsoft.com/de-de/microsoftteams/teams-security-guide

Information on the use of cookies by Microsoft can also be found in Microsoft’s privacy policy.

Zoom

Zoom is a service of Zoom Video Communications, Inc., which is based in the USA (hereinafter referred to as «Zoom»). The data is processed by Zoom on our behalf. For this purpose, we have concluded a data processing agreement with Zoom in accordance with Art. 28 GDPR. Zoom is a service provided by a provider from the USA. Therefore, the data is also processed in a third country. An adequate level of data protection is guaranteed on the one hand by the conclusion of the so-called EU standard contractual clauses. Additionally, Zoom is also certified in accordance with the EU-U.S. Data Privacy Framework (DPF). Various types of data are processed when using Zoom. The scope of the data also depends on the data you provide before or when participating in an «online meeting». If you require information about the processing by Zoom, please refer to Zoom’s privacy policy: https://explore.zoom.us/en/privacy/.

Your rights (data subject rights)

You have extensive rights regarding the processing of your data.

Right to information: You have the right to information about the data stored by us, in particular, for what purpose the processing takes place and how long the data is stored (Art. 15 GDPR). This right is limited by the exceptions of Sec. 34 BDSG, according to which the right to information does not apply if the data is stored only due to legal storage requirements or for data security and data protection control, the provision of information would require a disproportionate effort and a misappropriation of data processing is prevented by appropriate technical and organizational measures.

Right to rectify inaccurate data: You have the right to request us to rectify the data concerning you without delay if it is inaccurate (Art. 16 GDPR).

Right to erasure: You have the right to demand that we erase the data concerning you in accordance with the requirements of Art. 17 GDPR. These prerequisites exist in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have revoked consent without the data processing being able to continue on a different legal basis, d) you successfully object to the data processing, or e) in cases of the existence of an obligation to delete based on the law of the EU or an EU member state to which we are subject. This right is subject to the restrictions set out in Sec. 35 of the BDSG, according to which the right to erasure may be waived in particular if, in the case of non-automated data processing, there is a disproportionate effort for erasure and your interest in erasure is to be regarded as low.

Right to restriction of processing: You have the right to request restriction of the processing of your data (Art. 18 GDPR). This right exists in particular if a) the accuracy of the data is disputed, b) you request restricted processing instead of deletion under the conditions of a legitimate request for deletion, c) the data is no longer necessary for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.

Right to data portability: You have the right to receive from us the data concerning you that you have provided to us in a structured, common, machine-readable format (Art. 20 GDPR), insofar as this has not already been deleted.

Right to object: You have the right to object to the processing of data relating to you at any time on grounds relating to your particular situation (Art. 21 GDPR). We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims. According to Art. 7 (3) GDPR, you have the right to revoke your consent at any time. The revocation does not affect the lawfulness of the processing carried out based on the previous consent. The only consequence of the revocation is that we may no longer continue the data processing based on this consent for the future. However, please note that we may not be able to provide certain services or additional services if we are not able to process the data required for this purpose.

Right in relation to automated decision making: You have the right (Art. 22 GDPR) not to be subject to automated decision making, including profiling, that has legal consequences for you or causes similar significant effects. We generally do not use automated decision making or profiling. However, if you have been subjected to automated decision-making and do not agree with the outcome, you may contact us through the channels set out below and ask us to review the decision.

Right to complain to the supervisory authority: You have the possibility to contact the above-mentioned data protection officer or a data protection supervisory authority if you believe that the processing of data concerning you violates the GDPR.

If you submit a request for information and there is doubt as to your identity, we may request information from you that will enable us to satisfy ourselves as to your identity.