privacy notices

Data protection information for customers, suppliers and business partners

Status: May 23, 2022

With the following data protection information, we inform you about the type and scope of the processing of your personal data, purposes and legal bases, disclosure to third parties and deletion periods, as well as your rights as a data subject under the GDPR (General Data Protection Regulation) and the Federal Data Protection Act (BDSG).

1. Who is responsible for data processing and whom can I contact?

a) Responsible in the sense of Art. 4 No. 7 GDPR is:

5Flow GmbH

Nikolaus-Otto-Str. 18
52428 Jülich
E-Mail-Adresse: info@5flowtech.com

hereinafter referred to as "we" or "us".

b) Data protection officer

You can reach our data protection officer by e-mail: datenschutz@5flowtech.com or by post at the above address with the addition "Attn. data protection officer".

2. What categories of data do we process and what are the sources of the personal data?

a) The categories of personal data processed include:

  • Master data (title, first and last name, address, function, department)
  • Contact information (phone number, mobile phone number, fax number and email address);
  • data necessary for processing an inquiry, if necessary also creditworthiness data
  • CRM data, especially customer history, customer statistics
  • Advertising and sales data and other data from similar categories,
  • Support requests
  • Other information that is required to process our contractual relationship or a project with our customers or sales partners (such as payment data, order data, etc.)

b) We process personal data that we have obtained from business relationships (such as with customers or suppliers) or inquiries. We usually receive this data directly from the contractual partner or an inquiring person. However, personal data may also originate from public sources (e.g. commercial register), provided that the processing of such data is permitted. Data may also have been legitimately transmitted to us by other companies, as well as affiliated companies. Depending on the individual case, we also store our own information on this data (e.g. as part of an ongoing business relationship).

3. For what purposes and on what legal basis do we process personal data?

We process personal data in accordance with the provisions of the GDPR and national data protection legislation:

a) In the context of the performance of a contract or for the execution of pre-contractual measures (Art. 6 para. 1 lit. b) GDPR)

We process personal data primarily for the fulfillment of contractual obligations and the provision of related services or in the context of a corresponding contract initiation (e.g. contract negotiations, preparation of offers). The specific purposes here depend on the respective service or product to which the business relationship or contract initiation relates, in particular in connection with orders from customers and orders placed with suppliers, service partners. Furthermore, we process your data in processing the services provided, in particular invoicing, accounts receivable management, dunning and collection.

The data processing serves the following purposes in particular:

  • Initiation, execution and processing of purchase orders and production orders, logistics and customs management
  • administration of customer data, for the processing of payments and, if necessary, for credit checks. Certain shipping data is provided to the authorities of the transit or destination country - depending on the relevant legal requirements - for the purpose of customs clearance and taxation or for security checks. Such data usually includes the name and address of the sender, name and address of the recipient, description of goods, number of pieces, weight and value of the shipment.
  • Communication with customers, service providers, subcontractors, business partners as well as authorities
  • Support, in particular answering inquiries from our contact persons, interested parties, customers or partners
  • Organization and planning, implementation and management of the business relationship between us and our customers and partners as well as our affiliated companies

b) For the protection of legitimate interests (Art. 6 para 1 lit. f) GDPR)

To the extent necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of us or third parties, namely:

  • Data processing for security, quality assurance and process optimization: to the extent permitted by law, we process the data collected in the course of contract performance for (data) security purposes (e.g. for the purpose of detecting criminal acts or misuse), for compiling statistics, and for quality assurance, process optimization and planning security. For this processing, there is a legitimate interest on the part of the responsible parties with regard to ensuring a smooth process as well as the continuous improvement of the respective products and services. In the opinion of the data controller, there is no predominant interest of the data subjects that is worthy of protection, since the intensity of the processing is kept as low as possible, e.g. by using pseudonyms. The legal basis for this data processing is Art. 6 para.1 lit. f) GDPR.
  • Settling legal disputes, enforcing existing contracts, and asserting, exercising, and defending legal claims.
  • Maintaining and protecting the security of our systems and the Company's IT operations.
  • Measures for building and facility security (e.g. access control or video surveillance)
  • Exchange of control and planning data, key figures
  • Credit check

c) Due to legal obligations (Art. 6 para. 1 lit c) GDPR)

The purposes of the processing include, among other things, the fulfillment of tax and social law control and reporting obligations. This also includes legal reporting obligations in the provision of services and posting under A1 procedures, see also item 5. Likewise, the processing of personal data insofar as this is necessary for the implementation of technical and organizational measures pursuant to Art. 32 GDPR.

d) Based on your consent (Art. 6 para. 1 lit. a) GDPR)

Insofar as you have given us consent in individual cases to process personal data for specific purposes (e.g. film and photo recordings, newsletter subscription), the lawfulness of this processing is based on your consent. You may revoke your consent at any time with effect for the future.

4. Who gets my data?

Within 5flow GmbH, access to your personal data is granted to those persons who need it to fulfill our contractual and legal obligations or to protect legitimate interests.

We may disclose personal data to courts, regulatory authorities or law firms to the extent legally permissible and necessary to comply with applicable law or to assert, exercise or defend legal claims.

Furthermore, service providers and vicarious agents employed by us may receive data for these purposes. We may only disclose information about you if this is required by law, you have consented, we are legally authorized to provide information or to disclose it and/or the processors we have commissioned guarantee compliance with confidentiality and the requirements of the General Data Protection Regulation and the Federal Data Protection Act.

Under these conditions, the following recipients may receive data in the process

  • Affiliated companies Within the scope of financial controlling and reporting or processing data as a processor
  • Customers, suppliers and business partners as well as authorities within the scope of order processing
  • Processors, especially cloud services
  • IT service provider within the scope of (remote) maintenance of IT systems
  • Subcontractors for order fulfillment, especially transport and logistics
  • Customers within the framework of business correspondence and order documentation
  • Auditors
  • Credit assessment service provider
  • Public bodies for the fulfillment of statutory notification obligations e.g. tax authorities, competent bodies in A1 proceedings
  • Data destruction service provider
  • Lawyers, tax consultants and auditors
  • Collection service provider
  • Banks, payment card processors (credit cards) and payment service providers
  • Telephony provider
  • Insurances

5. Will your data be transferred to a third country?

A data transfer to countries outside the EU or the EEA (so-called third countries) finds only if this is necessary for the execution of your orders (e.g. material procurement, manufacturing, delivery, logistics) or is required by law (e.g. tax reporting obligations), you have given us consent or in the context of an order processing. Furthermore, we transmit data to affiliated companies for the protection of legitimate interests. In case of transfer of personal data to third countries, we ensure an adequate level of data protection in compliance with the principles according to Art. 44 et seq. GDPR. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection corresponding the Union (e.g. for Switzerland) or compliance with recognized special contractual obligations (so-called "EU standard contractual clauses").

When providing services and posting employees (A1 procedure), it may be that we transmit personal data about our customers and/or clients or the place of work to the competent authorities in accordance with the statutory reporting requirements.

6. How long will my data be stored?

We process and store your personal data as long as it is necessary for the fulfillment of our contractual and legal obligations. We delete your personal data as soon as it is no longer required for the above-mentioned purposes. In this context, personal data may be retained for the period during which claims can be asserted against our companies (statutory limitation periods of three or up to thirty years). In addition, we store your personal data to the extent that we are required to do so by law. Corresponding obligations to provide proof and to retain data result from commercial, tax and social security regulations. Furthermore, we store business-relevant documents and e-mails for the purpose of legally secure archiving for tax purposes and documentation for the defense against unjustified claims and enforcement of claims. The storage period for tax and commercial law is generally 6 or 10 years at the end of a fiscal year in accordance with § 147 AO (Tax Act), § 257 HGB (Commercial Code).

7. Obligation to provide data

We process your personal data insofar as it is necessary for the fulfillment of our contractual and legal obligations and for the protection of our legitimate interests or you have given us your consent. In the context of the performance or initiation of a contract, you must provide those personal data that are necessary for the performance of the contract or the performance of pre-contractual measures and the associated obligations. Furthermore, you must provide those personal data that we are legally obligated to collect. Without providing this data, we will not be able to conclude or fulfill a contract with you.

In cases of data collection based on consent, the provision of data by you is voluntary and not mandatory.

8. To what extent is there automated decision making (including profiling)?

For the establishment and implementation of the business relationship, we generally do not use fully automated decision findings pursuant to Article 22 GDPR. Profiling does not take place.

9. What data protection rights do I have?

You are entitled to the following rights against us as the data controller. If you wish to assert your rights or would like more detailed information, please contact us or our data protection officer:

a) Rights according to Art. 15 ff. GDPR

The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed. If this is the case, he or she has a right to information about this personal data and to the information listed in detail in Article 15 of the GDPR. Under certain legal conditions, you have the right to rectification under Article 16 GDPR, the right to restriction of processing under Article 18 GDPR and the right to erasure ("right to be forgotten") under Article 17 GDPR. In addition, you have the right to receive the data you have provided in a structured, common and machine-readable format (right to data portability) pursuant to Article 20 GDPR, provided that the processing is carried out with the help of automated procedures and is based on consent pursuant to Article 6 (1) (a) or Article 9 para 2 lit. a) or on a contract pursuant to Article 6 para 1 lit. b) GDPR. With regard to the right to information and the right to deletion, the restrictions pursuant to Sections 34 and 35 BDSG apply.

b) Withdrawal of consent
If the processing is based on consent, e.g. for film and photo shoots, you can withdraw your consent to the processing of personal data at any time (Art. 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. The data subject will be informed of this before giving consent.

c) Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with us or with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).

In Nordrhein-Westfalen, the responsible supervisory authority is: The State Commissioner for Data Protection and Freedom of Information, P.O. Box 20 04 44, 40102 Düsseldorf, phone: +49 211/38424-0, fax: +49 211/38424-10, e-mail: poststelle@ldi.nrw.de.

d) Right of objection according to Article 21 GDPR

In addition to the aforementioned rights, you have the right to object as follows:

Right to object on a case-by-case basis
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(f) GDPR (data processing on the basis of legitimate interests); this also applies to a profiling based on this provision within the meaning of Article 4(4) GDPR, where applicable. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Right to object to the processing of data for advertising purposes
In individual cases, we process your personal data for the purpose of direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is related to such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be made informally to the office indicated under point 1.