We are committed to protect your personal data and comply with applicable data protection law, in particular the EU General Data Protection Regulation (GDPR).
In this data protection information, we explain which information (including personal data) are processed by us in connection with the business relationship between you and us.
In order to comply with applicable data protection law, we only process your personal data on the basis of a statutory authorization or if you have declared your consent. This also applies for the processing of personal data for marketing purposes.
On this Website we may collect information that does not allow us to draw any direct conclusions about your person. In certain cases – especially when combined with other data – this information can nevertheless be considered as “personal data” under applicable data protection law. Furthermore, we may also collect information on this Website that does not enable us to identify you, directly or indirectly; this is the case, for example, with aggregated information about all users of this Website.
You can access our Website without entering personal data (such as your name, your postal address or your e-mail address). Also, in this case we must process certain information to enable you to access our Website.
Logfiles: When you visit this Website, our web server automatically stores the domain name or IP address of the requesting computer (usually a computer of your internet access provider) including the date, time and duration of your visit, the subpages/URLs you visit and information about the application(s) and terminal(s) you use to view our pages.
The controller responsible for the processing of personal data is Xinnor. Any reference to “we” or “us” in this data protection information is a reference to the aforementioned entity. You can contact us at email@example.com.
The performance of our business relationships requires the processing of data related to our customers. If this data concern a natural person (e.g. if you are a single trader and you enter into a business relationship with us). It is considered as personal data. Regardless of the legal form of our contract partners, we process data concerning the contact persons acting for a customer.
Please make this data protection information available to the persons within your organization that are involved in the business relationship with us, collectively “contact persons”. Basic data shall include:
Basic data. We process certain general data concerning our customers and the contact persons as well as business relationship with us, collectively “basic data”. Basic data shall include:
- any information provided to us in the course of establishing a business relationship or requested by us form our customers or a contact person (e.g. name, address, and other contact details); and
- any information collected and processed by us in connection with the establishment of the business relationship (e.g. details of the agreements entered into).
Performance data. We process personal data collected in the course of our business relationship other than by merely updating basic data and that we refer to as “performance data”. Performance data shall include:
- information on the performance of contractual obligations by our customers on the basis of the agreements entered into;
- information on the performance of contractual obligations by us on the basis of the agreements entered into;
- information provided by a customer or a contact person in the course of our business relationship, be it actively or upon our request, and
- personal data that are provided to us in the course of our business relationship by our customer, a contact person or by third parties.
To the extent permitted by the law, we can add personal data provided by third parties to the aforementioned basic and performance data. Such data may include:
- information regarding the commercial standing / rating of our customers if necessary for the assessment of financial risks (e.g. late payments);
- information on the performance of contractual obligations by our customers on the basis of the agreements entered into.
Purposes and legal basis of processing personal data
We process basic, performance, and usage data for the performance of the contractual relationships with our customers of for pre-contractual measures on the basis of Article 6 para 1 b) GDPR. Regardless of the legal form of our customers, we process basic and performance data concerning one or more contact persons for the purpose of our justified interest in the performance of business relationship on the basis of Article 6 para 1f) GDPR.
We may process basic, performance and usage data also for compliance with legal obligations to which we are subject; this processing is based on Article 6 para 1 c) GDPR. Legal obligations may in particular include the mandatory disclosure of personal data to (tax) authorities.
To extent necessary, we process personal data (in addition to the processing for the purposes of the business relationship or to comply with legal obligations) for the purposes of our justified interests or the justified interests of a third party on the basis of Article 6 para 1 f) GDPR. Justified interest may include:
- group-wide processes for internal administration of customer data;
- establishment of or defense against legal claims;
- prevention and investigation of criminal offences;
- maintenance of security for our information technology systems;
- maintenance of security of our premises and infrastructure;
- management and further development of our business operations including risk management.
If we provide to a natural person the option to declare a consent in the processing of personal data, we process the personal data covered by the consent for the purposes specified in such consent on the basis of Article 6 para 1 a) GDPR.
Please note that:
- declaration of consent is voluntary;
- failure to declare consent or the withdrawal of a consent may, nevertheless, have consequences, and we will inform you about such consequences before you are given the option to declare your consent;
- consent may be withdrawn at any time with effect for the future, e.g. by providing notice to us via mail, fax, email using the contact information specified on the first page of this data protection notice.
The information required for the registration for our newsletter, the provision of information and consulting, the execution of online orders or the registration as user or the creation of a customer account are marked as mandatory information in the corresponding area of the Website (e.g. an online form); without the provision of mandatory information, we cannot enable you to use the respective functionality.
If we collect additional data from you, we will inform you if the provision of such information is based on a legal or contractual obligation or necessary for the performance of an agreement. We usually indicate which information may be provided voluntarily and is neither based on a legal or contractual obligation nor necessary for the purposes of an agreement.
Obligation to provide personal data
The provision of the basic and performance specified above is necessary for entering into and maintaining business relationship with us, unless specified otherwise before or at collection of the data. Without the provision of this data, we are not able to enter into and maintain a business relationship.
If we collect additional data we will indicate that provision of such information is based on a legal or contractual obligation or necessary for the performance of an agreement. We usually indicate which information may be provided voluntary, and is neither based on a legal or contractual obligation nor necessary for the purposes of an agreement.
Access to personal data
Personal data are generally processed within our company. Depending on the categories of personal data, only dedicated departments / organizational units are granted access to your personal data. Such units include in particular Sales department, Marketing department, Production department, and – if data are processed via our IT infrastructure – also our IT department. Based on a role / rights management concept, access to personal data is limited to the functions and the extent necessary for the respective purpose of the processing.
If and to the extent permitted by the law, we may transfer you personal data to recipients outside of our company. Such external recipients may include:
- services providers that – on the basis of separate agreements with us – provide certain services including the processing of personal data, as well as approved subcontractors of our service providers;
- private or public bodies. To the extent we are obliged to transfer your personal data on the basis of legal obligations to which we are subject to.
Automated decision making
In the course of the business relationship, we generally do not use automated decision-making (including profiling) within the meaning of Article 22 GDPR. If we apply such processes in the future, we will inform data subjects separately in accordance with the applicable statutory provisions.
We generally store personal data as long as we have a justified interest in the retention of such data and there the interest of the data subject in refraining from the further processing do not prevail.
Even without a justified interest, we may continue to store the data if there is a legal obligation (e.g. to comply with statutory retention obligations). We delete personal data even without an action by the data subject as soon as further retention is no longer necessary for the purposes for which the data were collected or otherwise processed or if further retention is not permitted by law otherwise.
In general, basic data and the additional data collected in the course of the business relationship at least until the end of the respective business relationship. The data are deleted in any case if the purposes for the collection or processing were achieved. This point in time may be after the end of the business relationship with us. If personal data need to be stored to comply with a legal obligation, such data are retained until the end of the respective retention period. If personal data are only processed to comply with a statutory retention obligation, the access to such data is usually restricted so that the data are only accessible if needed for the purpose of the retention obligation.
Rights of data subject
A data subject may:
- request access to his/her personal data, Article 15 GDPR;
- request the rectification of incorrect personal data, Article 16 GDPR;
- request the erasure of his/her personal data, Article 17 GDPR;
- request the restriction of the processing of his/her personal data, Article 18 GDPR;
- exercise the right to data portability, Article 20 GDPR.
The aforementioned rights may be asserted against us, e.g. by providing notice to us via the contact details specified on the first page of this data protection information.
In case of further questions, you may also get in touch with us at firstname.lastname@example.org.
In addition, the data subject is entitled to lodge a complaint regarding the handling of personal data with the competent supervisory authority, Article 77 GDPR.