Privacy Policy for Business Partners

osapiens Holding GmbH and its affiliated Companies within the meaning of Sec. 15 of the German Stock Corporation Act (AktG) (hereinafter also referred to as the “osapiens Companies“, „we“ or „us“) have set themselves the goal of constantly improving the service and information offered to our business partners, including suppliers, customers or interested parties, in order to contribute to the success of the company on both sides. Within the scope of a business relationship and in times of increasing globalization, personal data (hereinafter referred to as “data”) are regularly used and processed by us. We take the protection of your data very seriously and take this into account in all our business processes. In doing so, we comply with the applicable legal rules on data protection. In the following, you will receive a detailed overview of how we process your data. We ask you to also make this data protection information available to your Employees who are in business contact with us.

Data means all personal data within the meaning of Article 4 No. 1 of the EU General Data Protection Regulation (GDPR) relating to an identified or identifiable natural person that you provide to us as a business partner during our business relationship. With this data protection information, we inform you about the nature, scope and purposes of the collection of data by us and how we handle this data. In addition, you will learn what rights you have with regard to the processing of your data.

Controller and Data Protection Officer

Responsible for the processing of your data is the osapiens Companies with which you are in business contact or an ongoing contractual business relationship or the initiation of such.

For all data protection issues, you can reach the osapiens Companies

at the central business address for data protection issues

Julius-Hatry-Strasse 1, 68163 Mannheim

with the addition of „Data Protection“


osapiens Holding GmbH, osapiens Services GmbH, osapiens Hub GmbH, osapiens assetOps GmbH, osapiens COE Spain S.L and fTRACE GmbH have appointed a Data Protection Officer in accordance with legal requirements.

Data Protection Officer of these Companies is:

TÜV SÜD Academy GmbH

Westendstrasse 160, 80339 Munich

You can also reach the Data Protection Officer centrally at our above-mentioned E-Mail address (

We and the Data Protection Officer will be happy to answer any questions you may have on data protection issues.

Where do your data originate from and what data is processed?

We process your data in accordance with the principles of data protection law only to the extent that it is necessary, we are permitted to do so by applicable legal requirements, or we are obliged to do so.

Unless otherwise stated below, the terms “process” and “processing” also include, in particular, the collection, use, storage, disclosure and transfer of data (Art. 4 No. 2 GDPR).

We process the data we receive from you in the course of our business relationship, i.e. either on the basis of a contractual relationship with you, or your company (such as the purchase and sale of products, services, works services, rights of use, etc.), a pre-contractual contact or any other inquiry on your part (e.g. via the Internet, by e-mail or telephone or on the occasion of a trade fair or product event).

We process the data we receive from you in the course of our business relationship, i.e. either on the basis of a contractual relationship with you, or your company (such as the purchase and sale of products, services, works services, rights of use, etc.), a pre-contractual contact or any other inquiry on your part (e.g. via the Internet, by e-mail or telephone or on the occasion of a trade fair or product event).

Relevant data are especially:

  • Contact details of the contact person(s) at the business partner and business address;
  • Communication data, such as telephone number and e-mail address;
  • Banking and billing information of our current and prospective business partners;
  • Tax number/VAT-ID of our current and prospective business partners; and
  • Order data, such as sales data or business partner history;
  • Name and business address of directors and shareholders, company representatives, to the extent this information is available from public sources and the commercial register.

We typically use and store the following categories of your business and/or personal data:

  • Salutation;
  • First and last name;
  • Postal address;
  • E-Mail address;
  • Landline number, mobile number and fax number; and
  • Occupation, position, title and academic degree.

What is my data used for (purpose of processing) and on what basis (legal basis) does this happen?

For the fulfillment of contractual obligations

We process your data primarily for the fulfillment of contracts with you, or your company, or for the implementation of pre-contractual measures (Art. 6 (1) lit. b) GDPR) upon request. In the context of our business relationship, you must provide those data that are necessary for the establishment, implementation and termination of a business relationship and for the fulfillment of the associated contractual obligations or which we are required to collect by law. Without this data, we will generally not be in a position to conclude a contract with you, to execute and terminate it, and to take pre-contractual measures to conclude a contract with you at your request. If you do not provide us with the necessary information and documents, we will not be able to establish or continue the business relationship you have requested.

Processing due to legal requirements

In addition, we process your data insofar as this is necessary for the fulfillment of legal obligations (Art. 6 para. 1 lit. c) GDPR).

Processing on the basis of a legitimate interest

In addition, we process your data insofar as this is necessary to protect the legitimate interests of us or a third party (Art. 6 para.1 lit. f) GDPR). This could include the following cases:

  • Provision of information, to invitations at events and other measures to describe our performance and our products;
  • Administrating customer requests using a communication tool from a service provider (ticket system) to improve our services;
  • Assertion of legal claims and defense in legal disputes;
  • Measures for optimizing our business processes, such as maintaining a supplier database or a “customer relationship management” database;
  • For the purpose of advertising products or promotions (with trading partners);
  • Measures to ensure operational security and business management;
  • For reconciliation with European and international embargolists
  • Credit checks; and
  • Collection of receivables, including within the framework of assignments to collection agencies.

Processing on the basis of a legitimate interest

Furthermore, the processing is based on your consent in accordance with Art. 6 (1) lit. a) GDPR, insofar as this has been requested. Consent can be withdrawn at any time.

Recipient of your data and Processing Place

Within the context of our business relationships, those who need to access your data in order to fulfill our contractual and legal obligations and to carry out our internal processes (e.g. sales, purchasing, logistics, financial accounting, personnel) will have access to it. The Employees authorized to access the data are obligated to maintain confidentiality and to protect business and trade secrets as well as data privacy.

To the extent necessary, we also share your data with other Companies affiliated with us within the meaning of Sec. 15 of the German Stock Corporation Act (AktG), which may process it for their own purposes as data controllers. Your data is only accessible to authorized persons and / or departments that have a legitimate reason to access and process this data for the above-mentioned purposes.

We use order processors to provide special services. The transfer of your data to them is carried out in strict compliance with the obligation of confidentiality and the requirements of the GDPR. The processors commissioned by us, who may only process the data for us and not for their own purposes, are obliged to comply with the requirements of the GDPR. In these cases, the responsibility for data processing remains with us.

Recipient of your data may be, for example:

  • Public bodies and institutions (e.g. tax authorities, law enforcement agencies) in the event of a legal or official obligation;
  • Insolvency administrators or creditors inquiring seated on a compulsory execution;
  • Auditors on the occasion of annual audits;
  • Service providers that we use in the context of order processing relationships for the provision of services, the provision of tools or other services; and
  • Affiliated Companies within the group of Companies as defined in Sec.s 15 et seq. of the German Stock Corporation Act (AktG).

To the extent that these data recipient (affiliated Companies or external entities/Companies) are located in countries outside the EU and the EEA that have not been recognized by the European Commission as having an adequate level of data protection, we will ensure that adequate safeguards are in place to ensure such a level of data protection, such as by entering into EU standard contractual clauses of the European Commission with the respective data recipients.

How long will your data be stored?

We process and store the data of our business partners as long as this is necessary for the fulfillment of our contractual and legal obligations arising from the existing business relationship. If your data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its temporary further processing is necessary for the fulfillment of commercial and tax retention obligations resulting from the German Commercial Code (HGB) and the German Fiscal Code (AO) (retention periods or documentation periods are, for example, ten years for accounting documents and six years for commercial or business letters). documentation are, for example, ten years for accounting documents and six years for commercial or business letters) or for the preservation of evidence within the statutory limitation periods (these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years).

In addition, we will retain your data for as long as necessary for other relevant processing purposes specified in this information.

Processing of your data in the context of our online events/meetings using Microsoft Teams

Thanks to the audio and video conferencing function, we can offer you participation in our online events/meetings via video/audio. For this purpose, we use Microsoft Teams to organise such online events/meetings. We process the following data as part of our online events/meetings:

  • Communication data: e.g. your e-mail address, if you provide the eMail adress a in personalized way;
  • Log files and log data;
  • Meeting metadata: e.g. date, time, meeting ID, telephone numbers, location;
  • User details: e.g. display name, profile picture (optional) and preferred language;
  • Text, audio and video data: it is possible to use the chat function in an online event/meeting. In this respect, the text entries made by the respective user are processed in order to display the online events/meetings. In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera of the end device are processed accordingly for the duration of the online event/meeting. The camera or microphone can be switched off or muted by the user at any time via the Microsoft Teams applications;
  • Telemetry data: this includes diagnostic data in connection with the use of the service, including transmission quality. This data is used for troubleshooting, securing and updating the technical service and monitoring it; and
  • Personalising the background and sharing content: every user in online events/meetings has the option of personalising their background on a voluntary basis by uploading images, graphics, etc. This function is not intended to collect data. Furthermore, Microsoft Teams is not used to pass on content during an online event/meeting that contains special categories of data (e.g. health data, data on religious preferences, etc.).

Your rights (data subject rights)

You have extensive rights about the processing of your data.

Right to information:
You have the right to information about the data stored by us, in particular, for what purpose the processing takes place and how long the data is stored (Art. 15 GDPR). This right is limited by the exceptions of Sec. 34 BDSG, according to which the right to information does not apply if the data is stored only due to legal storage requirements or for data security and data protection control, the provision of information would require a disproportionate effort and a misappropriation of data processing is prevented by appropriate technical and organizational measures.

Right to rectify inaccurate data:
You have the right to request us to rectify the data concerning you without delay if it is inaccurate (Art. 16 GDPR).

Right to erasure:
You have the right to demand that we erase the data concerning you in accordance with the requirements of Art. 17 GDPR. These prerequisites exist in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have revoked consent without the data processing being able to continue on a different legal basis, d) you successfully object to the data processing, or e) in cases of the existence of an obligation to delete seated on the law of the EU or an EU member state to which we are subject. This right is subject to the restrictions set out in Sec. 35 of the BDSG, according to which the right to erasure may be waived in particular if, in the case of non-automated data processing, there is a disproportionate effort for erasure and your interest in erasure is to be regarded as low.

Right to restriction of processing:
You have the right to request restriction of the processing of your data (Art. 18 GDPR). This right exists in particular if a) the accuracy of the data is disputed, b) you request restricted processing instead of deletion under the conditions of a legitimate request for deletion, c) the data is no longer necessary for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.

Right to data portability:
You have the right to receive from us the data concerning you that you have provided to us in a structured, common, machine-readable format (Art. 20 GDPR), insofar as this has not already been deleted.

Right to object:
You have the right to object to the processing of data relating to you at any time on grounds relating to your particular situation (Art. 21 GDPR). We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.

According to Art. 7 (3) GDPR, you have the right to revoke your consent at any time. The revocation does not affect the lawfulness of the processing carried out seated on the previous consent. The only consequence of the revocation is that we may no longer continue the data processing seated on this consent for the future. However, please note that we may not be able to provide certain services or additional services if we are not able to process the data required for this purpose.

Right in relation to automated decision making: You have the right (Art. 22 GDPR) not to be subject to automated decision making, including profiling, that has legal consequences for you or causes similar significant effects. We generally do not use automated decision making or profiling. However, if you have been subjected to automated decision-making and do not agree with the outcome, you may contact us through the channels set out below and ask us to review the decision.

Right to complain to the supervisory authority:
You have the possibility to contact the above-mentioned data protection officer or a data protection supervisory authority if you believe that the processing of data concerning you violates the GDPR.

If you submit a request for information and there is doubt as to your identity, we may request information from you that will enable us to satisfy ourselves as to your identity.