Data Protection Declaration according to EU-General Data Protection Regulation (GDPR)

Valid for customers, prospects, suppliers as well as sales and collaborators of Ernst Pennekamp GmbH & Co. OHG (hereinafter referred to as “Pennekamp”).

The following information gives a summary of the processing of your personal data by us and your rights under the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA).

The data which is processed in detail and/or how it is used depends to a large extent on the requested or commissioned products and services.

1. Responsible for Data Processing

Ernst Pennekamp GmbH & Co. OHG

Königsfelder Straße 38-42

58256 Ennepetal


Tel.     +49 (0) 2333 / 605 0

Fax                 +49 (0) 2333 / 605 100


2. Data protection officer of the responsible party


Mr Arndt Halbach

Wetterauer Str. 6

42897 Remscheid


Tel.     +49 (0) 2191 909 / 430


3. Data and Service

a) Sources

We process personal information which we receive from you within the scope of our business relationship.

In addition, we process (to the extent necessary for the provision of our products and services) personal information that we have obtained from other Pennekamp organizations or from other third parties as permitted (e.g. for the execution of orders, fulfillment of contracts or based on your given consent). On the other hand, we process personal data that we have obtained and are permitted to process from publicly accessible sources (e.g. trade and association registers, press, media, Internet).

b) Categories of personal related Data

The following personal data may be collected, processed and stored when initiating a business relationship or creating master data:

Address and communication information (name, address, telephone, mail address, other contact details), personal master data (Date and place of birth, sex, nationality, marital status, legal capacity, occupational group code, identification data (e.g. ID card data), authentication data (e.g. specimen signature), tax ID).

When using products and services within the scope of contracts concluded with us, the following personal data may be collected, processed and stored in addition to the aforementioned data:

Contract master data (order data, data from the fulfilment of our contractual obligations, details of any third-party beneficiaries), billing, service and payment data (direct debit data, tax information, other personal master data (occupation, employer), documentation data (e.g. protocols), product data (e.g. requested or booked services and products) as well as the following business creditworthiness documents: income/surplus invoices, balance sheets, business evaluation, type and duration of self-employment

c) Customer Contact Information

Within the framework of a business initiation phase and during the business relationship, in particular through personal, telephone or written contacts initiated by you or Pennekamp, further personal data will be generated. This includes, for example, information about the contact channel, date, occasion and results, (electronic) copies of correspondence and information about participation in direct marketing activities.

d) Information Society Services

When processing data within the framework of information society services, you will receive further information on data protection in connection with the respective service

4. Purpose and legal basis of the processing

We process the personal data mentioned under 3. in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA):

a) For the fulfilment of contractual obligations (Article 6 paragraph1 b GDPR)

The processing of personal data is carried out to establish, implement and terminate a contract for the provision of products or services as well as to implement pre-contractual measures for the preparation of offers, contracts or other wishes relating to the conclusion of the contract, which have been made upon your request.

The purposes of data processing depend primarily on the specific products and services and may include, among other things, requirement analyses, advice and support. Further details on the purpose of data processing can be found in the respective (also pre-contractual) contractual documents of our cooperation. Interested parties may be contacted, taking into account any restrictions expressed during the contract initiation process, and customers, suppliers as well as sales and cooperation partners may be contacted during the business relationship using the data they have provided.

b) Based on your consent (Article 6 paragraph 1 a GDPR)

If permission to process personal data for certain purposes has been provided from your side (e.g. passing on data in the organization group), the lawfulness of this processing is given on the basis of your consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent given to us prior to the application of the EU General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation will only take effect in the future. Processing operations that took place before the revocation are not affected by this. A summary of the status of your consents can be provided on your request at any time.

c) Based on legal requirements (Article 6 para.1 c GDPR) or in the public interest (Article 6 para.1 e GDPR)

We are subject to various legal obligations and legal requirements and process data for the following purposes, among others: Identity and age verification, the fulfilment of fiscal control and reporting obligations as well as the assessment and control of risks in the organizational group.

d) Within the scope of balancing of interests (Article 6 para. 1 f GDPR)

If necessary, your data is processed beyond the actual fulfilment of the contract to protect the legitimate interests of us or third parties. Examples:

–    Review and optimization of procedures for requirements analysis and direct customer approach; incl. segmentation and calculation of completion probabilities,

–    Advertising or market and opinion research, if you have not objected to the use of your data

–    Assertion of legal claims and defence in legal disputes

–    Ensuring IT security and IT operations

–    Consultation and data exchange with credit agencies to determine creditworthiness and default risk

–    Prevention of criminal offences

–    Video surveillance for the protection of domestic rights, for the collection of evidence with criminal offences

–    Measures for building and office security (e.g. access controls)

–    Measures for securing householder’s rights

–    Measures for business management and further development of services and product risk management in the organizational group.

5. Recipient of Data

Parties within Pennekamp who need your information to fulfill our contractual and legal obligations have access to it. Our service providers may also receive data for these purposes, if they comply with our written data protection instructions.

With regard to the transfer of data to recipients outside Pennekamp, it should first be noted that we are obliged to maintain secrecy regarding all customer-related information of which we gain knowledge.

Information about you may only be passed on if this is required by law, if you have consented to this and/or contract processors commissioned by us guarantee the same level of compliance with the requirements of the EU General Data Protection Regulation and the Federal Data Protection Act.

Under these conditions, recipients of personal data may be for example:

Authorities and institutions in the event of a statutory or official obligation

Contractors to whom we transfer personal data in order to conduct business relationship with you. In detail:           IT Support/maintenance, applications, archiving, document processing, Call-Center Services, Compliance- Services, Controlling, data destruction, purchasing/procurement, area management, recovery, customer management, Letter shops, marketing, Media technology, reporting system, Research, Risk control,   expense report, Telecommunications, video legitimation, website management, Auditing services, payment transactions.

Other data recipients may be those for whom you have given your consent for data transfer.

6. Transfer of data to third countries or international organizations

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) to the extent that this is required by law for the execution of your orders (e.g. tax reporting obligations), you have given us your consent or as a part of order processing. If service providers are used in a third country, they are obliged to comply with the level of data protection in Europe in addition to written instructions through the agreement of the EU standard contract clauses.

7. Duration of data storage

Personal data will be processed and stored as long as it is necessary for the fulfilment of our contractual and legal obligations.

If the data is no longer necessary for the fulfilment of any contractual or legal obligations, it will be regularly deleted, unless its (temporary) further processing is necessary for the following purposes:

Compliance with commercial and tax law retention periods in accordance with §257 of the German Commercial Code and the German Tax Code for the periods specified therein for retention and storage of documentation for two to ten years respectively.

Preservation of evidence under the statute of limitations. According to §§ 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

8. Data protection rights of the subject person

Every person concerned has the right of access pursuant to Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to cancellation under Article 17 GDPR, the right to limit the processing pursuant to Article 18 GDPR, the right to appeal under Article 21 GDPR as well as the right to data transferability under Article 20 GDPR. The restrictions according to §§ 34 and 35 FDPA apply to the right to information and the right to cancellation.

In addition, there is a right of appeal to a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 FDPA) Granted consent to the processing of personal data can be revoked at any time. This also applies to the revocation of declarations of consent given to us prior to the application of the EU General Data Protection Regulation, i.e. before 25 May 2018. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the revocation.

9. Obligation to provide data

As part of our business relationship, personal information which is necessary to establish and conduct a business relationship must be provided and the contractual obligations associated therewith must be fulfilled or to the collection of which we are legally obliged. Without this information we will have to reject the conclusion of the contract, refuse to provide products and services or will no longer be able to perform an existing contract and may have to terminate it.

10. Automated decision making (including profiling)

For the establishment and execution of business relationships we do not use fully automated decision making (including profiling) according to Article 22 GDPR. Should these procedures be used in individual cases, you will be informed of this separately if this is required by law.

11. Profiling

Your data is partly processed automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling to inform and advise you about products with the help of evaluation tools. This enables demand-oriented communication and advertising including market and opinion research.

Information on your right of objection under Article 21

EU-General Data Protection-Regulations (GDPR)

1. Right of objection in individual cases

You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you on the basis of Article 6 para. 1 e GDPR (data processing in the public interest) and Article 6 para. 1 f GDPR (data processing on the basis of a weighing of interests); This also applies to profiling based on this provision within the meaning of Article 4 (para.4) GDPR. If you file an objection, we will no longer process your personal data, unless we can prove compelling grounds for processing worthy of protection which outweigh your interests, rights and freedom, or the processing serves the assertion, exercise or defence of legal claims.

2. Right of objection to the processing of data for advertising purposes

In individual cases, we process your personal data in order to perform direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling in so far as it is connected with such direct advertising. If you object to the processing for purposes of direct marketing, we will no longer process your personal data for these purposes. Objections can be addressed to the person responsible in a form-free manner.
Stand: April 2018