Privacy Policy for Business Partners of Konica Minolta Business Solutions Europe GmbH


The following information is intended to provide you with an overview of how we process your personal data and your rights under the General Data Protection Regulation (Regulation (EU) 2016/679 - "GDPR"). We request that you also make this privacy policy available to any of your employees who deal with us in business capacity.

In principle, this privacy policy applies to personal data of natural persons (e.g. sole traders, shareholders, executive bodies, managing directors, key account managers or other employees of one of our business partners) who are made available to us as business partners within the framework of the respective contractual relationship.
 

1) Controller and data protection officer


Controller in accordance with Art. 4 VII GDPR is:
Konica Minolta Business Solutions Europe GmbH
Europaallee 17
30855 Langenhagen
Tel.: +49 (0) 800 646 6582
Email: info@konicaminolta.eu

(hereinafter: "Konica Minolta", "we" or "us").

If you have any questions concerning data protection, you are welcome to contact our company data protection officer:

Dr. Frederike Rehker
Konica Minolta Business Solutions Europe GmbH
Europaallee 17, 30855 Langenhagen, Germany
Telephone: +49 (0)511 7404-0
E-mail: dataprotection(at)konicaminolta.eu
 

2) Which of my personal data are processed and where do the data come from?


We process personal data that we receive from our business partners in the course of our business relations. In addition, we process personal data that we collect from publicly accessible sources (such as trade and association registers, the press, the Internet) or that is provided to us by third parties (e.g. a credit agency).

Relevant personal data are in particular personal details (such as surname, first name, professional address, bank details, invoice address, tax number/USt-Id.) and other contact details (such as telephone number, e-mail address). In addition, this may also include order data (e.g. turnover data, contract data, planned quantities, data on the purchase of goods, customer number), data from the fulfilment of our contractual obligations, information on your financial situation (e.g. creditworthiness data), data on your personal situation (e.g. business interests, profession, industry, marital status) and other data comparable with the categories mentioned. When providing business cards, we use the phone number and/or e-mail address to stay in contact with you regarding the discussed topics and store the data contained on the business card in our customer database.

The amount of the data processed about a person varies depending on the position he or she holds with the respective business partner.
 

3) For which purposes does the processing of my personal data take place and on which legal basis is it based?


We process your personal data in accordance with the GDPR and the Federal Data Protection Act (BDSG). This is because any processing of your personal data by us is always bound to a specific, explicit and legitimate purpose in accordance with the principle of purpose limitation pursuant to Art. 5 (1)(b) GDPR, which was already defined before the processing activity was initiated.

Furthermore, the processing of your personal data is always based on a legal basis. Article 6 of the GDPR defines legal bases for the processing of personal data. 

In the following, you will find an overview of the legal basis on which your personal data may be processed:

3.1 Consent 
If we obtain your consent for the processing of your personal data, the processing will be carried out on the legal basis of Art. 6 (1)(1)(a) GDPR. The following example serves to clarify this legal basis: You receive advertising from us by electronic mail and/or telephone and have given your prior consent.

3.2 Contract or pre-contractual measure 
If the processing of your personal data is necessary for the fulfilment of a contract with you or for the implementation of pre-contractual measures taken in response to your request, the legal basis on which our processing is based is Art. 6 (1)(1)(b) GDPR.

3.3 Legal obligation 
In cases where the processing of your personal data is necessary to comply with a legal obligation to which we are subject, this processing is based on Art. 6 (1)(1)(c) GDPR.

3.4 Public interest 
In cases where we process your personal data in order to perform a task which is in the public interest or in the exercise of official authority delegated to us, Art. 6 (1)(1)(e) GDPR constitutes the legal basis.

3.5 Legitimate interest
If the processing of personal data is necessary to safeguard a legitimate interest of our company or a third party and at the same time the interests, basic rights and fundamental freedoms of the data subject, which require the protection of personal data, do not override our legitimate interest, Art. 6 (1)(1)(f) GDPR serves as the legal basis for the processing.

Our legitimate interests in particular:

  • Providing optimal customer care and relations, also with regard to the employees of our business partners;
  • Optimization of our business processes, such as the maintenance of a supplier or customer database, also within the framework of a "customer relationship management system" or the centralization or outsourcing of corporate functions;
  • Reducing the risk of default in our procurement processes by consulting credit agencies (such as Creditreform);
  • Establishing and defending legal claims;
  • Measures to ensure operational, building and plant safety and for business management;
  • Market research purposes;

 

4) Legal bases for the processing of special categories of personal data

If, in extraordinary cases, we need to process special categories of personal data, such as
  • data on racial or ethnic origin (e.g. skin color or special languages),
  • data on political opinions (e.g. party memberships),
  • data on religious or philosophical beliefs (e.g. membership of a sect),
  • data on trade union membership,
  • genetic data,
  • biometric data (e.g. fingerprints or photographs),
  • health data (e.g. identification numbers for disabilities),
  • or data concerning the sex life or sexual orientation
by you, this processing is based on one of the following legal bases, which are defined in Article 9 GDPR:

4.1 Explicit consent
If you have given us your explicit consent for the processing of the above categories of personal data, this constitutes the legal basis for the processing in accordance with Art. 9 (2)(a) GDPR.

4.2 Manifestly public data
Insofar as special categories of personal data of yours are processed, which have previously been made public by yourself, the processing of these data is based on Art. 9 (2)(e) GDPR.

4.3 Establishment / Exercise / Defense of legal claims
Insofar as the processing of the special categories of personal data relating to you serves us to establish, exercise or defend legal claims, Art. 9 (2)(f) GDPR constitutes the legal basis for the processing.

4.4 Substantial public interest
In the case of the processing of special categories of personal data concerning you in order to safeguard a substantial public interest arising from EU or national law, the processing is based on Art. 9 (2)(g) GDPR.

4.5 Public interest in the area of public health
If the processing of special categories of personal data of yours should be necessary for public health reasons, including protection against cross-border health threats such as pandemics, this processing is carried out on the legal basis of Article 9 (2)(i) GDPR.
 

5) Will my personal data be disclosed?


Under certain circumstances, your personal data may be passed on (apart from your express prior consent) for the purposes mentioned below:

5.1 If it is necessary for the investigation or prosecution of illegal or abusive incidents, personal data will be disclosed to our legal advisors, the law enforcement agencies and, if applicable, to injured third parties. However, this only applies if there are concrete indications of illegal or abusive behavior. Data may also be disclosed if this serves to enforce contractual regulations between us and our business partners.

5.2 We are also legally obliged to provide information to certain public authorities upon request. These are law enforcement agencies, authorities that prosecute administrative offences subject to fines and the tax authorities.

5.3 In the case of centralised or outsourced corporate functions, your data may be passed on to companies affiliated with us for the fulfilment of the above-mentioned purposes. Insofar as these are bodies outside the EU or the EEA, we ensure an appropriate level of data protection, for example by concluding corresponding contracts or certifications of the respective data-receiving body.

5.4 Occasionally, in order to fulfil the purposes described in this Privacy Policy, we may need to rely on contractually affiliated third party companies and external service providers located outside the EU or EEA, such as logistics companies, IT service providers, business advisors and financial institutions. In such cases, information will be shared with these companies or individuals to enable them to continue processing. These external service providers are carefully selected and regularly reviewed by us to ensure that your data is only used for the purposes specified by us and in accordance with applicable data protection laws. Insofar as these are bodies outside the EU or the EEA, we ensure an appropriate level of data protection, for example by concluding corresponding contracts or certifications of the respective data-preserving body.

5.5 In the course of the further development of our business, the structure of our company may change by changing its legal form or by founding, buying or selling subsidiaries, parts of companies or components. In such transactions, customer information will be transferred along with the part of the business being transferred. In any transfer of personal data to third parties to the extent described above, we will ensure that this is done in accordance with this privacy policy and the relevant data protection laws.
 

6) How long will my personal data be processed?


We process and store your personal data as long as this is necessary for the fulfilment of the above-mentioned purposes and legal obligations: We generally retain master and contact data for an unlimited period of time or until the final termination of the respective business relationship. We delete transaction-related information (e.g. relating to a specific order transaction or contractual relationship) after the end of the respective transaction with a period of three years after the end of the respective calendar year, unless this is subject to statutory retention obligations (e.g. the six or ten-year retention period pursuant to Section 257 of the German Commercial Code); in such a case, the data concerned is blocked for any further processing.
 

7) What are my rights as a data subject?


As a data subject, you have the following rights:

Right of access (Art. 15 GDPR): You have the right to be informed at any time of the categories of personal data processed, the purposes of processing, any recipients or categories of recipients of your personal data and the planned storage period.

Right of rectification (Art. 16 GDPR): You have the right to request the rectification or completion of personal data concerning you that is incorrect or incomplete.

Right to erasure („right to be forgotten“) (Art. 17 GDPR): You have the right to request the immediate erasure of your personal data. In particular, we are obliged as the responsible party to delete your data in the following cases:

  • Your personal data is no longer needed for the purposes for which it was collected.
  • A processing of your personal data took place solely on the basis of your consent, which you have now withdrawn, and there is no other legal basis that legitimises a processing of your personal data.
  • You have objected to a processing which is based on the legitimate or public interest and we cannot prove that there are legitimate grounds for processing.
  • Your personal data has been processed unlawfully.
  • The erasure of your personal data is necessary in order to comply with a legal obligation to which we are subject.
  • Your personal data has been collected in connection with information society services offered in accordance with Art. 8 (1) GDPR.

Please be aware that the right to erasure is subject to a limitation in the following cases, so that a deletion is excluded:

  • Your personal data is used to exercise the right to freedom of expression and information.
  • Your personal data serves to fulfil a legal obligation to which we are subject.
  • Your personal data is used to carry out a task that is in the public interest or in the exercise of official authority that has been assigned to us.
  • Your personal data serves the public interest in the field of public health.
  • Your personal data are necessary for archiving purposes in the public interest, for scientific or historical research or for statistical purposes.
  • Your personal data serve for us to establishment, exercise or defend legal claims.

Right of restriction of processing (Art. 18 GDPR): You also have the right to request that the processing of your personal data be restricted; in such a case, your personal data will be excluded from any processing. This right applies if:

  • You contest the accuracy of your personal data and we have to verify the accuracy of your personal data.
  • The processing of your personal data is unlawful and instead of erasing your personal data, you request a restriction of processing.
  • We no longer need your personal data for the fulfilment of the specific purposes, but you still need this personal data to establish, exercise or defend legal claims.
  • You object to the processing of your personal data and it has not yet been determined whether your or our legitimate reasons override this.

Right of data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you that you have provided to us as a controller in a structured, common and machine readable format and to transfer it to another controller. Furthermore, you also have the right to request that your personal data be transferred from us to another controller, insofar as this is technically feasible.

The requirements for the applicability of data portability are:

  • Your personal data is automatically processed based on your consent or a contract.
  • Your personal data does not serve to fulfil a legal obligation to which we are subject.
  • Your personal data will not be used to perform a task that is in the public interest.
  • Your personal data do not serve for the performance of a task which is performed in the exercise of a official authority delegated to us.
  • The exercise of your right shall not interfere with the rights and freedoms of others.

Right to object (Art. 21 GDPR): You have the right at any time to object to the processing of your personal data on grounds arising from your particular situation. This also applies to profiling. The requirement for this is that the processing is based on a legitimate interest on our part (Art. 6 (1)(1)(f) GDPR) or the public interest (Art. 6 (1)(1)(e) GDPR).

Furthermore, you may also at any time object to the processing of your personal data for the purposes of direct marketing or profiling linked to such direct marketing. 

Should you object to the processing of your personal data based on a legitimate interest, we will check in each individual case whether we can show grounds worthy of protection that override your interests and rights and freedoms. In the event that there are no reasons worthy of protection on our part or your interests as well as rights and freedoms override our own, your personal data will no longer be processed. An exception is made if your personal data is still used for the establishment, exercise or defense of legal claims.

If you object to the processing of your personal data for the purposes of direct marketing or profiling, insofar as this is linked to such direct marketing, your personal data will no longer be processed for these purposes.

Right to lodge a complaint with the supervisory authority (Art. 77 GDPR):
Right to lodge a complaint with the supervisory authority (Art. 77 DPA):

You also have the right to lodge a complaint with a supervisory authority at any time, in particular with a supervisory authority in the Member State of your residence, place of work or place of suspected infringement, if you consider that the processing of personal data concerning you is in breach of the data protection regulations.

The address of the supervisory authority responsible for our company is:

Barbara Thiel
Die Landesbeauftragte für den Datenschutz Niedersachsen
Prinzenstraße 5
30159 Hanover
Germany
Telephone: 0511-120 4500 
Fax: 0511-120 4599
poststelle@lfd.niedersachsen.de

Right of withdrawal (Art. 7 GDPR): If you have given us consent to process your personal data, you can withdraw this consent at any time without giving reasons and in an informal manner. Withdrawal of consent does not affect the lawfulness of the processing that has taken place on the basis of the consent up to the point of withdrawal.