(Documentation of the processing activity according to the General Data Protection Regulation)
Responsible body (acc. to Art. 4 (7) GDPR):
Bihl+Wiedemann GmbH, Flosswoerthstrasse 41, 68199 Mannheim, Germany
Legal representative (= Management):
Jochen Bihl and Bernhard Wiedemann
Data Protection Officer:
Carina Stolz (mein-datenschutzbeauftragter.de)
Designation of the processing activity:
Personal data is processed in order to fulfil pre-contractual and contractual obligations. If necessary, we also process personal data of other third parties (Coface) for the execution of contracts or based on prior consent.
In order to fulfil pre-contractual and contractual obligations, data is processed exclusively in the relevant departments, according to the need-to-know principle.
Type of processing:
ERP system, CRM system, email for correspondence purposes
Place of processing:
All CRM, ERP and email data is stored in our own data centre in Mannheim, Germany. Access control, backup and archiving processes are based on the IT Baseline Protection Catalogue of the Federal Office for Information Security (BSI).
Personal data is processed in order to fulfil pre-contractual and contractual obligations.
Change of purpose:
Any change of purpose requires prior consent. It is obligatory to use the data for the intended purpose only.
Lawfulness of processing, Art. 6 GDPR:
- Consent (Art. 6 (1) lit. a, Art. 7)
- Contract or contract initiation (Art. 6 (1) lit. b)
- Purposes of the legitimate interests pursued by the controller or by a third party (Art. 6 (1) lit. f)
Necessity and proportionality:
The lawfulness is based not only on the principles of "proportionality" (Art. 5 (1) lit. b), "transparency" (Art. 5 (1) lit. a), "data minimisation" (Art. 5 (1) lit. c), "accuracy" (Art. 5 (1) lit. d), "storage limitation" (Art. 5 (1) lit. c) and "integrity and confidentiality" (Art. 5 (1) lit. f), but also, and in particular, on the purpose limitation principle (Art. 5 (1) lit. b).
Is there a high risk to the rights and freedoms of natural persons acc. to Art. 35?:
No particularly sensitive data whatsoever is collected or stored at any time.
Circle of affected groups of people:
Customers, leads, suppliers
Types of data or data categories stored:
Internal recipients (members of the responsible body):
To fulfil pre-contractual and contractual obligations, data is processed in the following departments:
- Internal Sales (to channel general enquiries)
- Sales (to maintain and expand the business relationship)
- Order Processing (for orders)
- Shipping (to process the shipment of products)
- Accounting (for accounts)
- Purchasing (to channel general enquiries, maintain and expand supplier relationships, during order processing)
The deletion period derives from the German Commercial Code (HGB).
Frequency of process testing: