Data protection notice for business partners of KernWerk GmbH regarding the processing of your personal data

As of May 25, 2018, the EU General Data Protection Regulation ("GDPR") sets new standards for data protection within the European Union. KernWerk GmbH ("KernWerk GmbH" or "the Enterprise") would like to inform you, as a business partner as well as a customer, supplier, service provider or other involved entity, about how we process your personal data and how you can contact us in this regard. KernWerk GmbH is obligated to provide this information to you pursuant to Article 12 et seq. of the GDPR.

I. Scope of responsibility and contact data

The party responsible pursuant to Article 4 Paragraph 7 of the GDPR is:
KernWerk GmbH
Schönherrstraße 8
09113 Chemnitz
Germany
Tel.: +49 (0) 371 444 555 4
E-Mail: service@kern-werk.de
Website: www.kern-werk.de

For more information, please refer to our website under "Legal notice". You can contact our data protection officer at our postal address by including the additional phrase "data protection officer", or at datenschutz@kern-werk.de.

II. How do we collect your personal data

Your personal data is generally collected from you directly. Our processing of the personal data received from you is necessary for fulfilment of the contractual obligations arising from the contract you have concluded with us. On the basis of the duties to cooperate, it is absolutely essential that you make available the personal data we request, since we would otherwise not be able to fulfil our contractual obligations.
Within the framework of pre-contractual measures (e.g. the acquisition of master data during the quotation stage), the provision of your personal data is required. Should it be the case that the required data is not sufficiently or properly provided by you, a contract cannot be completed. For the performance of our contractual obligations, it could become necessary to process personal data that we have received from other enterprises or other third parties, for example taxation authorities, your business partners, or similar parties – all in a proper manner and for the respective contractual purpose.
Furthermore, if necessary, we process personal data from publicly accessible sources such as internet sites, which we access in an authorized fashion and for the respective contractual purpose.

III. Purposes and legal grounds for the processing of your personal data:

On the basis of consent pursuant to Article 6 Paragraph 1 Sub-Paragraph 1 lit. a of the GDPR

The purposes for processing personal data are based on the consent given by you as the data subject. You may revoke your consent at any time with effect for the future. Also, consents which have been granted prior to the validity of the GDPR (May 25, 2018), can be revoked. Processing operations which have taken place prior to the revocation shall remain unaffected by said revocation. For example: at your request, distribution of a newsletter, release from the obligation to confidentiality regarding transfer of the data provided by you to third parties.

On the basis of the performance of contractual obligations pursuant to Article 6 Paragraph 1 Sub-Paragraph 1 lit. b of the GDPR

The purposes for processing personal data arise, on the one hand, from the introduction of contractual measures that precede a contractually-regulated business relationship and, on the other, for the performance of obligations from the contract completed with you. For example: issuing of or replies to requests for quotations, determination of the conditions of the contractual relationship and in reference to production development activities, or completion and/or processing of contracts and other business relationships, including the completion of contracts, shipments or payments, or in connection with complaints and rejections or in cases involving guarantees.

On the basis of legal provisions pursuant to Article 6 Paragraph 1 Sub-Paragraph 1 lit. c of the GDPR or in the public interest pursuant to Article 6 Paragraph 1 Sub-Paragraph 1 lit. e of the GDPR

Moreover, KernWerk GmbH is obligated to fulfil various legal obligations which could make the processing of your personal data necessary. For example: compliance with retention regulations based on regulations involving taxation, international trade laws or sanction law.

In the context of the balance of interests pursuant to Article 6 Paragraph 1 Sub-Paragraph 1 lit. f of the GDPR

Processing of your personal data, furthermore, arises from the preservation of our legitimate interests. It could prove to be necessary to process your data surrendered to us above and beyond the actual performance of the contract. Our legitimate interests can be taken into consideration as a justification for further processing of the data surrendered by you to us, provided that your interests or basic rights and basic freedoms do not outweigh ours. For example: enforcement of legal claims, defence against liability claims, and prevention of criminal acts.

IV. Recipients of your personal data

Within the enterprise, only authorized KernWerk GmbH employees with respective competencies (which are required for the fulfilment of the contractual and legal obligations) have access to your personal data.
For the performance of our contractual obligations, it can become necessary to present personal data to other enterprises or other third parties such as our business partners in the field of product manufacturing and the suppliers necessary for this purpose. Within the course of this process only the personal data that we have collected in a permissible way and for its respective purpose is transferred.
In the context of rendering our services, we commission processors who contribute to the fulfilment of the contractual obligations, e.g. IT service providers, electronic data-processing partners, etc. These order processors are contractually bound by us to comply with the provisions of the GDPR and the Federal Data Protection Act (BDSG).
Moreover, we have the authority to transmit, provided it is legally authorized, your personal data for the fulfilment of legal obligations or in the enterprise’s interests to authorities (such as social insurance agencies, tax authorities or law enforcement authorities) and domestic and foreign courts.

V. Transfer of Personal Data

Transfer of the data surrendered by you to third parties or an international organization will not take place. In the event that, as a one-time occurrence, you should desire that, or it is necessary that, the data surrendered by you is transferred to a third party or an international organization, we shall do so only upon receipt of your written authorization.

VI. Does automated decision-making, including profiling, take place?

For the processing of data surrendered by you, an entirely automated decision-making process (including profiling) is not deployed, pursuant to Article 22 of the GDPR.

VII. Duration of the processing

The processing of the data surrendered by you takes place for as long as is necessary in order to achieve the contractual purpose as agreed, generally, for as long as the contractual relationship with you exists. After the contractual relationship is terminated, the data surrendered by you is processed in compliance with legal retention requirements or on the basis of our legitimate interests. After expiration of the legal retention period and/or cancellation of our legitimate interests, the data surrendered by you will be deleted.
Projected periods for the retention requirements applicable to us and for our legitimate interests:

  • Fulfilment of the trade and tax-law retention periods. The periods regarding retention and/or storage of documentation stipulated there amount to two to ten years.
  • Fulfilment of customer requests, particularly those from the automotive industry. From this, in individual cases, extended retention periods can also ensue.
  • Retention of evidence in the context of the statute of limitations. Pursuant to the paragraphs 195 et seq. of the German Civil Code (BGB), these deadlines for statutory periods of limitation can last up to 30 years, the standard statutory period of limitation amounting to three years.

VIII. Your rights

Right of access to information pursuant to Article 15 of the GDPR
You have the right to receive information, free of charge, regarding whether and which information has been stored about you and for what purpose said storage has taken place.

Right to rectification pursuant to Article 16 of the GDPR
You have the right to demand of the party responsible, without delay, correction of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to demand completion of incomplete personal data – also by means of a supplementary statement.

Right to erasure ("right to be forgotten") pursuant to Article 17 of the GDPR
You have the right to demand of the responsible party, without delay, that your data shall be erased. The responsible party is obligated to promptly delete personal data, provided that one of the following grounds applies:

  • a) The purposes, for which the personal data was collected, are no longer present.
  • b) You withdraw your consent for processing and there is no other legal ground for the continued processing.
  • c) You object to the processing and there is no other legal ground for the continued processing.
  • d) The personal data was unlawfully processed.
  • e) The personal data has to be erased for the compliance with a legal obligation according to European Union law or the law of Member States, to which the responsible party is subject.
  • f) The personal data was collected in relation to proposed information society service offers pursuant to Article 8 Section 1 of the GDPR.

Right to restriction of processing pursuant to Article 18 of the GDPR, Paragraph 35 of the Federal Data Protection Act (BDSG)
You have the right to demand restriction of processing, if one of the following applies:

  • a) Accuracy of the personal data is contested by you.
  • b) Processing is unlawful; you nevertheless choose to reject erasure thereof.
  • c) Personal data is no longer required for the purposes of processing; you nevertheless require the data for purposes of establishing, exercising or defending legal claims.
  • d) You have objected to processing pursuant to Article 21 Section 1 of the GDPR. During the time that it has not yet been determined whether the responsible party’s legitimate grounds override your legitimate grounds, the processing will be restricted.

Right to data portability pursuant to Article 20 of the GDPR
You have the right to receive the data which you have provided in a structured, commonly used and machine-readable format from the responsible party. The transmitting of this data to another responsible party may not be hindered by us.

Right to object pursuant to Article 21 of the GDPR
For information regarding this matter, please refer to the party responsible for processing (see above).

Right to lodge a complaint with the supervisory authority pursuant to Article 13 Paragraph 2 lit. d, 77 of the GDPR in connection with Paragraph 19 of the Federal Data Protection Act (BDSG)
If you are of the opinion that the processing of your data violates the GDPR, you have the right to lodge a complaint with the supervisory authority. For this purpose, please refer to the competent supervisory authority.

Withdrawal of the consent pursuant to Article 7 Paragraph 3 of the GDPR
If the processing of your personal data is based on your consent pursuant to Article 6 Section 1 Sub-Paragraph lit. a or Article 9 Paragraph 2 lit. a (processing of special categories of personal data), you have the right at any time to withdraw the purpose-linked consent. This shall not affect the lawfulness of the processing based on consent before its withdrawal.

These notices serve only to inform you. You are not required to take any form of action. Should you have any questions, comments or suggestions regarding this information notice or our handling of data protection, please refer to us at datenschutz@kern-werk.de or to the data protection officer.
