Information on the processing of customer/supplier data
1 General information
ASCONA GmbH takes the protection of your personal data very seriously. Your privacy is an important concern for us. We process your personal data in accordance with the applicable statutory data protection requirements for the purposes listed below. Personal data within the meaning of this data protection information is all information that relates to you personally.
Below you will find out how we handle this data. For a better overview, we have divided our data protection information into sections.
Controller for data processing:
ASCONA GmbH
Maybachstrasse 11
88094 Oberteuringen
Phone 07546 917910
Fax 07546 9179150
office@ascona.de
If you have any questions or comments about data protection (e.g. about accessing and updating your personal data), you can also contact our data protection officer.
DDSK GmbH
Stefan Fischerkeller
Dr.-Klein-Straße 29
88069 Tettnang
Email: datenschutz@ascona.de
2 Processing framework
2.1 Source and origin of data collection
We process personal data that we have collected directly from you.
Insofar as this is necessary for the provision of our services, we process personal data legitimately received from other companies or other third parties (e.g. credit agencies, address publishers). We also process personal data that we have legitimately taken, received or acquired from publicly accessible sources (e.g. telephone directories, commercial and association registers, population registers, debtor directories, land registers, press, internet and other media) and are authorised to process.
2.2 Data categories
Relevant personal data categories may include, in particular
- Personal data (name, profession/industry and comparable data)
- Data about your use of the telemedia offered by us (e.g. time of accessing our websites, apps or newsletters, pages/links you clicked on or entries you made, and comparable data)
- Communication data (user details, content data, connection data and comparable data) in the context of telephone conferences, video conferences and web meetings through the use of internet-based communication tools (hereinafter: web meetings)
2.3 Purposes and legal bases of the processed data
We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the new version of the German Federal Data Protection Act (BDSG-neu) and other applicable data protection regulations (details below). Which data is processed in detail and how it is used depends largely on the services requested or agreed in each case. Further details or additions to the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information provided to you (e.g. as part of the use of our website or our terms and conditions).
Purposes for the fulfilment of a contract or pre-contractual measures (Art. 6 para. 1 b GDPR)
Personal data is processed for the fulfilment of our contracts with you and the execution of your orders as well as for the implementation of measures and activities in the context of pre-contractual relationships, e.g. with interested parties. This essentially includes: contract-related communication with you, the verifiability of orders and other agreements as well as quality control through appropriate documentation, goodwill procedures, measures to control and optimise business processes and to fulfil general due diligence obligations, cost recording and controlling, reporting, internal and external communication, assertion of legal claims and defence in legal disputes; ensuring IT security (including system and plausibility tests) and general security, safeguarding and exercising domiciliary rights (e.g. through access controls); ensuring the integrity, authenticity and availability of data, preventing and investigating criminal offences and monitoring by supervisory bodies or supervisory authorities (e.g. auditing).
Purposes within the scope of a legitimate interest of us or third parties (Art. 6 para. 1 f GDPR)
In addition to the actual fulfilment of the contract or preliminary contract, we may process your data if it is necessary to protect our legitimate interests or those of third parties, in particular for the purposes of
- the further development of services and products as well as existing systems and processes
- the limited storage of data if deletion is not possible or only possible with disproportionate effort due to the special type of storage
- the prevention and investigation of criminal offences, unless exclusively for the fulfilment of legal requirements;
- building and plant security (e.g. through access controls), insofar as this goes beyond the general duty of care;
- obtaining and maintaining certifications under private law or from public authorities;
- securing and exercising domiciliary rights through appropriate measures (such as video surveillance) as well as securing evidence in the event of criminal offences and preventing them.
- the effective and resource-saving organisation of web meetings through the use of internet-based communication tools.
Purposes within the scope of your consent (Art. 6 para. 1 a GDPR)
Your personal data may also be processed for certain purposes (e.g. use of your email address for marketing purposes) on the basis of your consent. As a rule, you can withdraw your consent at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force, i.e. before 25 May 2018. You will be informed separately about the purposes and consequences of revoking or not granting consent in the corresponding text of the consent. In principle, the revocation of consent only takes effect for the future. Processing that took place before consent was withdrawn is not affected and remains lawful.
Purposes for the fulfilment of legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)
Like everyone involved in business, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. commercial and tax laws), but may also include regulatory or other official requirements. The purposes of processing may include the fulfilment of control and reporting obligations under tax law and the archiving of data for the purposes of data protection and data security as well as audits by tax and other authorities. In addition, the disclosure of personal data may become necessary in the context of official/judicial measures for the purposes of gathering evidence, criminal prosecution or the enforcement of civil law claims.
Existence of automated decision-making in individual cases (including profiling)
We do not use purely automated decision-making processes in accordance with Art. 22 GDPR. If we do use such a procedure in individual cases in the future, we will inform you of this separately if this is required by law.
2.4 Consequences of not providing data
As part of the business relationship, you must provide the personal data that is required for the establishment, execution and termination of the legal transaction and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will not be able to fulfil the legal transaction with you.
2.5 Recipients of the data
2.5.1 Within the EU
Within our company, those internal departments or organisational units will receive your data that require it to fulfil our contractual and legal obligations or as part of the processing and implementation of our legitimate interest.
Your data will only be passed on to external parties
- in connection with contract processing;
- for the purpose of fulfilling legal requirements according to which we are obliged to provide information, report or pass on data or the passing on of data is in the public interest (see section 2.4);
- insofar as external service providers process data on our behalf as processors or function providers (e.g. data centres, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data validation or plausibility checks, data destruction, purchasing/procurement, customer administration, lettershops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, credit institutions, printers or companies for data disposal, courier services, logistics);
- on the basis of our legitimate interest or the legitimate interest of the third party for the purposes mentioned (e.g. to authorities, credit agencies, debt collection agencies, lawyers, courts, experts, subsidiaries and committees and supervisory bodies);
- if you have given us your consent to transfer your data to third parties.
We will not pass on your data to third parties beyond this. If we commission service providers as part of order processing, your data will be subject to the same security standards there as with us. In all other cases, the recipients may only use the data for the purposes for which it was transmitted to them.
2.5.2 Outside the EU
We transfer data to countries outside the EEA, so-called third countries. This is done for the purposes mentioned above. The transfer takes place to fulfil our contractual and legal obligations or on the basis of the data subject's prior consent. In addition, the transfer takes place in compliance with the applicable data protection laws, in particular taking into account Art. 44 et seq. GDPR, e.g. on the basis of adequacy decisions issued by the European Commission or other suitable guarantees (e.g. standard data protection clauses, etc.).
2.5.3 Overview of recipients
The following recipients receive your data as part of the data processing described here:
Recipient: combit Software GmbH, Bücklestraße 3-5, 78467 Konstanz, Germany
Third country transfer: No third country transfer takes place.
Recipient: TeamViewer Germany GmbH, Bahnhofsplatz 2, 73033 Göppingen, Germany
Third country transfer: No third country transfer takes place.
Recipient: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Third country transfer:
There is no adequacy decision for the transfer. The transfer is based on Art. 46 GDPR. The services used are provided by Microsoft, a US provider. Personal data is therefore also processed in a third country. We have concluded an order processing contract with the provider of the services, which fulfils the requirements of Art. 28 GDPR.
The transfer of data to a third country only takes place if the special requirements of Art. 44 et seq. GDPR are fulfilled. The present transfer of data to the USA is based on the standard data protection clauses and the amended contractual conditions following the Schrems II judgement. Specifically, the following provisions were included in the new contractual clauses by Microsoft:
- the right to compensation for the data subject whose data has been processed unlawfully and who has suffered material or non-material damage as a result;
- the information of the data subject if Microsoft is legally obliged by a government order to hand over data to US security authorities;
- Microsoft's obligation to take legal action and appeal to the US courts to contest the official order to hand over the data.
2.6 Storage periods
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the fulfilment of a contract.
In addition, we are subject to various retention and documentation obligations arising from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The retention and documentation periods specified therein are up to ten years to the end of the calendar year after the end of the business relationship or the pre-contractual legal relationship.
Furthermore, special statutory provisions may require a longer retention period, e.g. the preservation of evidence within the framework of statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years; however, limitation periods of up to 30 years may also be applicable.
If the data is no longer required for the fulfilment of contractual or legal obligations and rights, it is regularly deleted, unless its - temporary - further processing is necessary for the fulfilment of the purposes for an overriding legitimate interest. Such an overriding legitimate interest also exists, for example, if deletion is not possible or only possible with disproportionate effort due to the special type of storage and processing for other purposes is excluded by suitable technical and organisational measures.
2.7 Your rights
Under certain circumstances, you can assert your data protection rights against us. If possible, your requests to exercise your rights should be addressed in writing or by e-mail to the address given above or directly in writing or by e-mail to our data protection officer.
- You have the right to receive information from us about your data stored by us in accordance with the rules of Art. 15 GDPR (if necessary with restrictions according to § 34 BDSG-neu).
- At your request, we will correct the data stored about you in accordance with Art. 16 GDPR if it is inaccurate or incorrect.
- If you wish, we will delete your data in accordance with the principles of Art. 17 GDPR, unless other legal regulations (e.g. statutory retention obligations or the restrictions according to § 35 BDSG-neu) or an overriding interest on our part (e.g. for the defence of our rights and claims) prevent this.
- Taking into account the requirements of Art. 18 GDPR, you can request that we restrict the processing of your data.
- If your personal data are processed on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR or if they are necessary for the performance of a task carried out in the public interest or in the exercise of official authority, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR if there are reasons for this arising from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.
- You also have the right to receive your data in a structured, commonly used and machine-readable format or to transmit it to a third party in accordance with the requirements of Art. 20 GDPR.
- In addition, you have the right to revoke your consent to the processing of personal data at any time with effect for the future.
- You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always address a complaint to our data protection officer first.
You can contact the supervisory authority responsible for us at
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
P.O. Box 10 29 32, 70025 Stuttgart
Lautenschlagerstraße 20, 70173 Stuttgart
Phone 0711 6155410
Fax 0711 61554115
poststelle@lfdi.bwl.de