Vendormanagement

​​Who is responsible for processing my data?

Arvato SE Reinhard-Mohn-Straße 22
33333 Gütersloh
Germany
Phone +49 511 9366 1201
https://arvato.com

is responsible for processing your data on the website. You can contact the data protection officer of Arvato SE using the above postal address with the addition “To the data protection officer” or using the email address data-privacy@arvato.com. Arvato SE (hereinafter “we” or “us”) process personal data in accordance with the provisions of GDPR and the German Federal Data Protection Act (hereinafter “BDSG”). 

​Which data is recorded?

In connection with your visit to the website and exclusively where technically, contractually or legally required, your data will be processed in order to display the desired content and to facilitate your use of the website’s features. When you visit the website, information is collected automatically from the computer used to access it (hereinafter “access data”). This access data includes details about the content you request on the website and your usage behavior as well as information about the browser type and version, operating system, internet service provider, the date and time of the use of the website, the websites visited previously and websites newly accessed via our website and the IP address of the computer (also referred to as “server log files”).. However, it is necessary to enter data such as your name, address, email address or telephone when signing up to the vendormanagement portal. Mandatory information is usually marked with an *. .

​​Which data is being collected and for what purposes?

The purposes of data processing can be based on technical, contractual or legal requirements or be based on permission granted if applicable. We use your data for the following purposes:

 • Provision of the website and guaranteeing of technical security, especially the rectification of technical errors and to ensure that unauthorized parties do not gain access to the website systems; 
 • Communication and questionnaires;
 • file sharing;
 • booking of appointments with us;
 • creating of records about incidents;
•  to contact us

 You can find information about these purposes of data protection in the following sections of this data privacy policy.

​​Description and scope of data processing

For the functionality of the website, the implementation of security analyses and to defend against attacks, the server log files are collected automatically as part of the access data accrued by the computer system accessing it and during the use of the website and are stored temporarily. The server log files are not stored alongside other data. We use the server log files for statistical analyses, to analyze and rectify technical disruptions, to combat attempts at attacks and fraud, as well as to optimize the functioning of the website.

For the purposes outlined above (other than the functionality of the website, the implementation of security analyses and to defend against attacks) the data you enter will be processed by us to interact and collaborate with you. Data about incidents that you provide will be shared in our organization to inform about and mitigate the incident.

​​Purposes and legal basis for data processing

The legal basis for the collection of server log files is Art. 6 (1) (f) GDPR. Legitimate interests lie in the functionality of the website, the performance of security analyses and the defense against threats. The legal basis for processing data other than server log files is Art. 6 (1) (b) GDPR. By agreeing to our terms & conditions you entered into a contract with us that necessitates the processing of these data. 

​​Duration of storage or criteria to define this duration

After loading the websites, the server log files are stored on the web server and the IP address contained therein is deleted after seven days at the latest in accordance with the requirements of the Telecommunications Act (“TKG”). Other regulations apply if concrete suspicion exists and storage going beyond this is legally required for the purpose of evaluation and clarification. All data other than server log files or user accounts will be deleted after the purpose for collecting them ceased to exist. Your user account will be deleted after 3 months of inactivity.

​​Right to objection or elimination

You have the right, for reasons that result from your particular situation, to submit an objection to the processing of your data. If you would like to assert your right to object, please contact the contact address specified under point 1.

​​Microsoft Bookings

The website uses Microsoft Bookings to facilitate the booking of appointments with us. This service is hosted in our Microsoft Azure environment. Microsoft does not receive this data

Web Tracking

This website incorporates services that optimize user-friendliness and measure the coverage of the website. For this purpose, your access data is recorded in accordance with Clause 2 and, with the use of cookies, usage behavior is analyzed in accordance with Clause 3. In principle, web tracking does not require you to be identified personally. The IP address included in your login details is either not used at all or is only use in abbreviated form, and therefore only pseudonymized usage profiles are created. When this happens, it is in principle not combined with other data and you have the right to revoke at any time. Personal usage profiles are only created in exceptional cases and only where you have given your permission. The web tracking services are regularly provided by service providers who process the usage profile according to our instructions, and not for their own purposes. This is ensured based on order processing contracts. If the service providers have offices outside of the European Union or the European Economic area (hereinafter “EU/EEA”), then what is called a third-country transfer takes place. This is permitted if you have consented to it, we have provided guarantees for a level of data protection in line with the European standard or the European Commission has classified the third country as a secure third country. The third-country transfer of the respective service is detailed below. You can find further information about the recipients of your data and the third-country transfer in Sections 6 and 7.

​Who receives my data?

In our company, the departments that require your data to fulfil the purposes presented under Section 4 will receive access to it. The service providers we commission may also receive access to your data (also referred to as “processors”). The requirement to observe instructions, data security and the confidential handling of your data by these service providers is ensured by means of processing contracts. The forwarding of data to further recipients such as advertising partners, providers of social media services or law enforcement authorities (referred to as “third parties”) only takes place where required by statutory provisions or where you have given your permission. The confidential handling of your data and compliance with data protection regulations is ensured by means of internal data protection guidelines and joint data security management.

​Is my data processed in a third country?

Insofar as the service providers and/or third parties named under Section 6 have branches outside of the EU/EEA, this can lead to your data being transmitted to a country where a level of data protection suitable for the EU/EEA cannot be guaranteed. Such a level of data protection can be ensured by means of a suitable guarantee, however. Standard contractual clauses provided by the EU Commission are an example of a suitable guarantee. Any guarantees may be waived by way of exception if you give your permission or the third-country transfer is necessary to execute our contractual relationship. The EU Commission has also recognized certain third countries as secure third countries, meaning that the company does not need to make suitable guarantees in these cases. A third-country transfer takes place through the use of Google services for web tracking and online advertising. In principle, the data will be processed by Google within the EU. Google will only be able to access the data in the USA in exceptional cases, such as due to technical maintenance. A third-country transfer may also take place via our newsletter in the case of targeted advertising. are based outside of the EU/EEA (e.g. USA or Shanghai). We have entered into standard contractual clauses with these subsidiaries in accordance with the EU Commission’s stipulations. You can find more information here https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0074:0084:DE:PDF.

​What data protection rights do I have?

You have the right to be informed about the personal data we have stored about you at any time. Should data about you be incorrect or no longer up-to-date, you have the right to request its correction. You also have the right to request the deletion or restriction of processing of your data in accordance with Art. 17 and 18 GDPR. You may also have the right to receive the data you have provided in a common and machine-readable format (also known as “right to data portability”). If you have granted consent to the processing of personal data for certain purposes, you can revoke this consent at any time with future effect. The withdrawal should be addressed to the company via the contract address specified under Section 1.

In accordance with Art. 21 GDPR, you have the right, for reasons that result from your particular situation, to submit an objection against the processing of your personal data in accordance with Art. 6 (1) f GDPR at any time. You have the right to object to the processing of your personal data for the purpose of direct advertising at any time. The same applies for automated procedures when using individual cookies, provided that these are not absolutely necessary for the provision of the website.

In addition, you have the option to contact a data protection authority and to submit your objections to it.
The responsible authority is Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestr. 2-4 40213 Düsseldorf
Germany
Phone: +49 211/38424-0
Fax: +49 211/38424-10
E-Mail: poststelle@ldi.nrw.de.

You can also contact the data protection authorities responsible for your place of residence.