The following is a translation that is intended for information purposes only. In the event of any inconsistency between the German original and the English translation, the German version shall prevail.
Controller responsible for the processing of your personal data
BMA Braunschweigische Maschinenbauanstalt AG
Am Alten Bahnhof 5
Phone: +49 5331804-0
Fax: +49 5331804-260
Data protection officer
BMA Braunschweigische Maschinenbauanstalt AG
Am Alten Bahnhof 5
Purposes and legal basis of data processing
We process your personal data exclusively in compliance with the statutory requirements of the EU General Data Protection Regulation (GDPR), the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and, where applicable, other relevant sector-specific laws. We therefore process your data only inasmuch as there is a contractual basis for this, you have given your consent to the processing of these data, or we are legally allowed or required to process your data.
Data processing for the purpose of performance of a contract or for taking steps prior to entering into a contract
We process the personal data you provide to us inasmuch as this is required for entering into a contract, performance of a contract, or termination of a contract. For details of the purposes of data processing, please refer to the relevant contract documentation.
The legal basis for data processing for the performance of a contract and taking steps prior to entering into a contract is normally Article 6 (1) (b) GDPR.
Data processing for the purpose of legitimate interests pursued by the controller or by a third party
We also process your data inasmuch as this is required for the purpose of legitimate interests pursued by us or by a third party. Processing by us because of a legitimate interest includes regular direct marketing activities for our own products and services; preparing internal statistics; criminal investigations; and actions to ensure the correct functioning of our IT infrastructure.
The legal basis for data processing because of legitimate interests pursued by us or by a third party is Article 6 (1) (f) GDPR.
Data processing for compliance with a legal obligation
Moreover, we process your data inasmuch as this is required for compliance with a legal obligation that we are subject to. Legal obligations that we are subject to include, in particular, record-keeping duties under the German fiscal and commercial codes.
The legal basis for data processing for compliance with a legal obligation is Article 6 (1) (c) GDPR, in combination with the relevant legal standard in each case.
Data processing based on consent and for other purposes
We may also process your personal data inasmuch as you have given your express consent to this (see also Article 6 (1) (a) GDPR). In these cases, we provide you separately with additional data protection information in the context of the consent procedure. You can withdraw your consent at any time using the above contact details.
This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before May 25, 2018. Revocation of consent has an effect only for the future and does not affect the legitimacy of the data processed until revocation.
Categories of recipients of personal data
Data processing within a group of undertakings
In the context of our administrative work and in the performance of the contract, it may become necessary for us to disclose your personal data to the company within our group of undertakings that is responsible for the relevant data processing task.
Under Article 28 GDPR, all external contractors performing data processing services on our behalf are bound by contract to handle all personal data in accordance with current rules. Inasmuch as these companies come into contact with your personal data, we have put in place legal, technical and administrative measures and perform regular monitoring to ensure that they comply with the rules of data protection and privacy legislation.
We may disclose your personal data to public authorities where this is required in the context of our statutory duties of disclosure.
Data transfers to a third country
We will not normally transfer your personal data to third countries or international organisations outside the European Economic Area (EEA). Where we do effect such transfers in individual cases, this will only be to third countries for which an adequacy decision by the European Commission exists, or whose level of protection of personal data has been confirmed by suitable or appropriate safeguards (such as binding corporate rules or standard EU contractual clauses).
Length of data storage
We will store your personal data only for as long as this is required in the context of the purposes specified above, and for the period during which the establishment of legal claims against us could be expected.
The statutory limitation period for such claims may in individual cases run for between three and thirty years.
We also store your personal data inasmuch as we are required to do so in the context of the statutory duties of documentation and record-keeping (such as under the German Commercial and Fiscal Codes or the Money Laundering Act).
Statutory retention periods may run for up to ten years. In exceptional cases, specific duties of documentation may exist, which require your personal data to be kept for longer.
Rights of data subjects
As a data subject, you have the following rights under Article 15 ff. GDPR:
Right of access
You have the right to obtain from us confirmation as to whether or not we process personal data concerning you. Where this is the case, you have the right to request access to these personal data.
Right to rectification
You have the right to obtain from us rectification of inaccurate personal data concerning you.
Right to erasure
In certain cases, you have the right to obtain from us the erasure of personal data concerning you without undue delay.
Right to restriction of processing
In certain cases, you have the right to obtain from us the restriction of processing.
Right to data portability
You have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.
Right to object to processing
You have the right to object at any time, on grounds relating to your particular situation, to the processing based on Article 6 (1) (e) or (f) GDPR of personal data concerning you. Inasmuch as we use your data for direct marketing purposes, you have the right to object to this at any time.
Right to revoke
Inasmuch as you have given your consent to the use of personal data by us, you can withdraw this at any time.
This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before May 25, 2018. Please keep in mind that such revocation will be effective only for the future with no impact on processing carried out before the date of revocation.
Data protection supervisory authority
You also have the option of lodging a complaint with a data protection supervisory authority about our processing of personal data. The competent data protection supervisory authority is:
Die Landesbeauftragte für den Datenschutz Niedersachsen
If you have any further questions or comments, please do not hesitate to contact us or our data protection officer.