Information on data processing in accordance with Articles 13 & 14 DSGVO.

We process your personal data (in short “data”) exclusively on the basis of the statutory provisions. With this data protection information, we would like to inform you comprehensively about the processing of your data in our company and about the data protection claims and rights to which you are entitled within the meaning of Articles 13 and 14 of the General Data Protection Regulation (DSGVO).

For information on the responsible office and the data protection officer, please refer to the data protection information on the homepage: https://www.fristam.de/en/privacy-policy/

1. Purposes of processing and where the data come from

FRISTAM Pumpen KG (GmbH & Co.) is a manufacturer of stainless steel pumps and processes personal data for the following purposes:

  • Processing of inquiries for pumps, spare parts as well as services.
  • Contract execution, billing and communication

As a rule, we receive data from customers and suppliers from the customers and suppliers themselves, at trade fairs, by recommendation or through research in publicly accessible data sources, e.g. the Internet.
We receive data from applicants personally, via the employment agency, web portals or recruiters.

1.1 On what legal basis is the data processed?

We process your data

  • for the fulfillment of (pre-)contractual obligations pursuant to Art 6 (1) b DSGVO. You must provide us with this data, otherwise cooperation is not possible.
  • for the fulfillment of legal obligations pursuant to Art 6 (1) c DSGVO, e.g. from labor law, commercial code or tax code. You must provide us with this data, otherwise cooperation is not possible.
  • to safeguard legitimate interests (Art 6 (1) f DSGVO): Based on a balancing of interests, data processing may be carried out beyond the actual performance of the contract to safeguard legitimate interests of us or third parties. Data processing for the protection of legitimate interests occurs, for example, in the following cases:
    – Use of software
    – Advertising or marketing
    – Measures for business management and further development of services
    – Data received from you in the course of our business relationship (e.g. in customer meetings)
    – Maintenance of a customer database
    – In the context of legal proceedings
    – use of web applications
  • in the context of your consent (Art 6 (1) a DSGVO): e.g. for sending newsletters, storing applicant data for a longer period of time.

The legal basis for the processing of applicant data is § 26 BDSG.

1.2 Right of withdrawal for consents

Consent is always voluntary. If it is not given, no disadvantages will arise. Your consent can be revoked or amended at any time without giving reasons with effect for the future. Data processing that has already taken place remains unaffected. Please send your revocation either to our postal address or to datenschutz@FRISTAM.de.

1.3 Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time. To do so, please use the address given above or the e-mail address datenschutz@FRISTAM.de.

We are entitled, under the legal conditions of § 7 (3) UWG, to use the e-mail address of clients and suppliers that was given when the contract was concluded for direct advertising of our own similar services.

If you do not wish to receive advertising by e-mail from us, you can object to the use of your data for this purpose at any time. A message in text form to datenschutz@FRISTAM.de is sufficient for this purpose.

2. Who receives your data?

In addition to the cases explicitly mentioned in this data protection declaration, your personal data will only be passed on without your express prior consent if this is permitted or required by law.

If we use a service provider in the sense of commissioned processing, we nevertheless remain responsible for the protection of your data. All commissioned processors are contractually obligated to treat your data confidentially and to process it only in the context of providing the service. The processors we commission receive your data insofar as they require the data to fulfill their respective service. These are, for example, IT service providers that we require for the operation and security of our IT system as well as software providers for the implementation of our business processes.

In the context of contractual cooperation or projects, personal data may be passed on to other project partners in individual cases. This is done in the legitimate interest of all parties involved.

In addition, we transfer your personal data to other recipients outside the company, insofar as this is necessary to fulfill our contractual and legal obligations (e.g. tax advisors, authorities).

2.1 Data transfer to third countries

As a rule, we do not transfer any data to a third country. A transfer takes place in individual cases only on the basis of an adequacy decision of the European Commission, standard contractual clauses, appropriate guarantees or your express consent.

We use the following services with data transfer to third countries:

3. Salesforce Sales Cloud

To provide our store system and to manage our customer data, we use systems of Salesforce.com Germany GmbH, Erika-Mann-Str. 63, 80636 Munich (“Salesforce”). The aim of this is to improve customer relationship management (CRM). We use Salesforce based on our legitimate interest according to Art. 6 (1) f DSGVO. Our legitimate interest is the simplification of administrative and IT processes, customer management and communication, the processing of inquiries, the increase of efficiency as well as the efficient implementation of marketing measures.

3.1 Data transfers to third countries

Salesforce is a group with subsidiaries worldwide. The parent company of the group is salesforce.com Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA. Data may therefore be transferred to the USA in the course of data processing at Salesforce.

  • Functionality Data
  • License data
  • diagnostic data (telemetry)
  • technical support data
  • Data for continuous improvement

With regard to data transfers to the USA, there is no adequacy decision by the EU Commission. However, Salesforce ensures an adequate level of data protection through so-called Binding Corporate Rules (BCR). These are binding internal rules that have been approved by a European supervisory authority. You can access a copy of the BCR at the following link: https://compliance.salesforce.com/en/salesforce-bcrs.

In addition, Salesforce ensures an adequate level of data protection through the EU Standard Contractual Clauses. You can access a copy of the clauses at the following link: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

3.2 Encryption

Data is encrypted during transmission and at rest.

4. Usage of Microsoft 365

We use Microsoft 365 from Microsoft to carry out our office work as well as for communication for telephone conferences, online meetings, video conferences and for online collaboration. We use Microsoft 365 based on our legitimate interest according to Art. 6 (1) f DSGVO. Our legitimate interest is the simplification of administrative and IT processes, customer management and communication, processing of inquiries, increasing efficiency and the efficient implementation of marketing measures.

Microsoft 365 is a service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland. When using Microsoft 365, personal data is also processed. For this purpose, we have concluded an order processing agreement with Microsoft. A corresponding order processing agreement is included in the Online Service Terms (OST).

https://www.microsoft.com/de-de/servicesagreement
https://www.microsoft.com/en-us/licensing/product-licensing/products

When using Microsoft 365, Microsoft processes a variety of data.

  • Functionality data
  • License data
  • diagnostic data (telemetry)
  • technical support
  • continuous improvement
  • processing for legitimate Microsoft business activities

4.1 Data transfers to third countries

Data processing outside the European Union (EU) generally does not occur, as we have limited our storage location to data centers in the European Union. However, telemetry or diagnostic data, the support hotline and possible other data processed in Microsoft’s area of responsibility outside the EU are excluded from this.

Furthermore, due to legal obligations, personal data may be passed on or disclosed to third parties (in particular authorities), also to third countries (USA) with a different level of data protection.

To achieve the required secure level of data protection, in addition to internal organizational measures, the so-called Standard Contractual Clauses (SCC) have been concluded with Microsoft, which are part of the Data Protection Addendum (DPA) as an annex to the above-mentioned OST.

4.2 Encryption

Data is encrypted in transit and at rest. This includes messages, files (video, audio, etc.), meetings, and other content. Teams also uses TLS and MTLS to encrypt chat messages.

4.3 Additional information for Microsoft Teams

We use the tool “Microsoft Teams” to conduct presentations, meetings, joint project processing, team meetings, conferences, trainings and seminars.

Type of data

  • activity data
  • User data (username, profile picture)
  • Tele- and video data
  • Contact data
  • Meeting data (topic, participants IP addresses, device/hardware information)
  • User data (files for joint processing, chat data)

The legal basis for data processing when conducting “online meetings” is Art. 6 (1) b DSGVO, insofar as the meetings are conducted in the context of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f DSGVO. Our legitimate interest is the effective conduct of online meetings.

Audio or video content is only recorded with your consent; you will be informed of this in advance in each case. The legal basis for this is Art. 6 (1) a DSGVO.

Further information on the processing of personal data in Microsoft Teams can be found above or here: https://docs.microsoft.com/de-de/microsoftteams/teams-privacy.

5. How long will your data be stored?

Data of persons of the customer/supplier will be deleted after expiry of the purpose. Individual data may be subject to longer storage obligations for legal, fiscal or commercial reasons and may only be deleted after these legal obligations have expired. Data is also used for a longer period of time for the technical support of long-standing customers.

In the event of legal disputes in which the data is required as evidence, the data will not be deleted until the legal disputes have been concluded.

Data of applicants is usually deleted 6 months after the end of the application process; longer storage takes place only with the consent of the applicant.

6. What data protection rights do you have?

Data subjects have the right to information, correction, blocking, deletion or restriction of the processing of their data at any time. You can revoke consents with effect for the future; the data processing remains legal until your revocation takes effect. Under certain circumstances, you can receive your stored personal data in electronic form for data transmission or as a copy.

6.1 Profiling

FRISTAM Pumpen KG (GmbH & Co.) does not perform automated profiling.

6.2 Right of objection

If we process your data for legitimate interest, you may object to this data processing at any time. This would also apply to any profiling.

We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. You may object to the processing of your data for the purpose of direct marketing at any time without giving reasons.

6.3 Right of complaint

If you are of the opinion that we violate German or European data protection law when processing your data, please contact us to clarify any questions. Please contact us either by mail (address see above) or by e-mail: datenschutz@FRISTAM.de. In case of doubt, we may request additional information to confirm your identity.

In addition, the supervisory authority of the Federal State of Hamburg is available to you as a contact.

7. Document status

This document was adopted and published by the management on 18.03.2022.
It is checked regularly – but at least every two years – for topicality and adjusted if necessary.

Current version 0.9