Data protection and privacy policy

The following is a translation that is intended for information purposes only. In the event of any inconsistency between the German original and the English translation, the German version shall prevail.

This data protection and privacy policy aims to inform you of how BMA Braunschweigische Maschinenbauanstalt GmbH (referred to as BMA GmbH below) processes your personal data, and of your rights as a data subject under the new EU General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) from 25 May 2018.

Controller responsible for the processing of your personal data

BMA Braunschweigische Maschinenbauanstalt GmbH

Am Alten Bahnhof 5

38122 Braunschweig
Germany

Phone: +49 5331804-0
Fax: +49 5331804-260
www.bma-worldwide.com

Data protection officer

Contact details:

Post:
BMA Braunschweigische Maschinenbauanstalt GmbH
Datenschutzbeauftragter
Am Alten Bahnhof 5
38122 Braunschweig
Germany
dsb@bma-de.com

Purposes and legal basis of data processing

We process your personal data exclusively in compliance with the statutory requirements of the EU General Data Protection Regulation (GDPR), the new Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and, where applicable, other relevant sector-specific laws. We therefore process your data only inasmuch as there is a contractual basis for this, you have given your consent to the processing of these data, or we are legally allowed or required to process your data. 

Data processing for the purpose of performance of a contract or for taking steps prior to entering into a contract

We process the personal data you provide to us inasmuch as this is required for entering into a contract, performance of a contract, or termination of a contract. For details of the purposes of data processing, please refer to the relevant contract documentation.

The legal basis for data processing for the performance of a contract and taking steps prior to entering into a contract is normally Article 6 (1) (b) GDPR.

Data processing for the purpose of legitimate interests pursued by the controller or by a third party

We also process your data inasmuch as this is required for the purpose of legitimate interests pursued by us or by a third party. Processing by us because of a legitimate interest includes regular direct marketing activities for our own products and services; preparing internal statistics; criminal investigations; and actions to ensure the correct functioning of our IT infrastructure.

The legal basis for data processing because of legitimate interests pursued by us or by a third party is Article 6 (1) (f) GDPR.

Data processing for compliance with a legal obligation

Moreover, we process your data inasmuch as this is required for compliance with a legal obligation that we are subject to. Legal obligations that we are subject to include, in particular, record-keeping duties under the German fiscal and commercial codes.

The legal basis for data processing for compliance with a legal obligation is Article 6 (1) (c) GDPR, in combination with the relevant legal standard in each case.

Data processing based on consent and for other purposes

We may also process your personal data inasmuch as you have given your express consent to this (see also Article 6 (1) (a) GDPR). In these cases, we provide you separately with additional data protection information in the context of the consent procedure. You can withdraw your consent at any time using the above contact details.

This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before May 25, 2018. Revocation of consent takes effect only for the future and does not affect the legitimacy of data processing carried out before revocation.

Inasmuch as we will process your personal data in future for purposes not listed in this data protection and privacy policy, we will, where applicable, notify you separately of this in compliance with statutory requirements.

Categories of recipients of personal data

Data processing within a group of undertakings

In the context of our administrative work and in the performance of the contract, it may become necessary for us to disclose your personal data to the company within our group of undertakings that is responsible for the relevant data processing task.

External contractors

Under Article 28 GDPR, all external contractors performing data processing services on our behalf are bound by contract to handle all personal data in accordance with current rules. Inasmuch as these companies come into contact with your personal data, we have put in place legal, technical and administrative measures and perform regular monitoring to ensure that they comply with the rules of data protection and privacy legislation.

Public authorities

We may disclose your personal data to public authorities where this is required in the context of our statutory duties of disclosure.

Data transfers to a third country

We will not normally transfer your personal data to third countries or international organisations outside the European Economic Area (EEA). Where we do effect such transfers in individual cases, this will only be to third countries for which an adequacy decision by the European Commission exists, or whose level of protection of personal data has been confirmed by suitable or appropriate safeguards (such as binding corporate rules or standard EU contractual clauses).

Length of data storage

We will store your personal data only for as long as this is required in the context of the purposes specified above, and for the period during which the establishment of legal claims against us could be expected.

The statutory limitation period for such claims may in individual cases run for between three and thirty years.

We also store your personal data inasmuch as we are required to do so in the context of the statutory duties of documentation and record-keeping (such as under the German Commercial and Fiscal Codes or the Money Laundering Act).

Statutory retention periods may run for up to ten years. In exceptional cases, specific duties of documentation may exist, which require your personal data to be kept for longer.

Rights of data subjects

As a data subject, you have the following rights under Article 15 ff. GDPR:

Right of access 

You have the right to obtain from us confirmation as to whether or not we process personal data concerning you. Where this is the case, you have the right to request access to these personal data.

Right to rectification 

You have the right to obtain from us rectification of inaccurate personal data concerning you.

Right to erasure

In certain cases, you have the right to obtain from us the erasure of personal data concerning you without undue delay.

Right to restriction of processing

In certain cases, you have the right to obtain from us the restriction of processing.

Right to data portability

You have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.

Right to object to processing

You have the right to object at any time, on grounds relating to your particular situation, to the processing based on Article 6 (1) (e) or (f) GDPR of personal data concerning you. Inasmuch as we use your data for direct marketing purposes, you have the right to object to this at any time.

Right to revoke

Inasmuch as you have given your consent to the use of personal data by us, you can withdraw this at any time.

This also applies to the revocation of declarations of consent given to us before the effective date of the GDPR, i.e. before May 25, 2018. Please keep in mind that such revocation will be effective only for the future, with no impact on processing carried out before the date of revocation.

Data protection supervisory authority

You also have the option of lodging a complaint with a data protection supervisory authority about our processing of personal data. The competent data protection supervisory authority is:

Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
D-30159 Hannover

If you have any further questions or comments, please do not hesitate to contact us or our data protection officer.