valid from 1. December 2021

With the following information, we would like to give you, as a customer or as someone interested in our products/services, an overview of the processing of your personal data by us and of your rights under data protection law. The data we process in detail and its use depend largely on the requested or agreed services. Therefore, not all parts of this information will apply to you.

Who is responsible for data processing and whom can I contact?

Responsible is

Auer Lighting GmbH
Hildesheimer Straße 35
37581 Bad Gandersheim

You can reach the company data protection officer at datenschutz@auer-lighting.com

What sources and data do we use?

We process personal data that we receive from our customers or other data subjects in the course of our business relationship. In addition, we process - to the extent necessary for the performance of our business relationship - personal data that we permissibly obtain from publicly accessible sources (e.g. debtor lists, land registers, commercial and association registers, the press, the Internet) or that are transmitted to us by other companies of the ADLT Group or by third parties (e.g. a credit agency).

Relevant personal data are personal details (name, address and other contact details, date and place of birth and nationality), legitimation data (e.g. ID data) and authentication data (e.g. specimen signature). In addition, this may also include order data (e.g. payment order), data from the fulfilment of our contractual obligations (e.g. turnover data in payment transactions), information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (incl. advertising scores), documentation data (e.g. protocols from meetings) as well as other data comparable to the categories mentioned.

What do we process your data for (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

a.    For the fulfilment of contractual obligations (Art. 6  (1) (b) GDPR)

We process data for the purpose of providing and fulfilling orders and contracts as part of the perfor-mance of our contracts with our customers or for the purpose of carrying out pre-contractual measures upon request. The purposes of the data processing primarily depend on the specific product and service and may include, but are not limited to, needs assessment, consulting, sales and work contracts, re-search contracts and regulatory requirements (e.g. FDA, EMA and PMDA). For further details on data processing purposes, please refer to the applicable contract documents and terms and conditions.

b.    For the balancing of interests (Art. 6 (1) (f) GDPR)

Where necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests or those of third parties. Examples of this are:

• Consultation of and exchange of data with credit agencies (e.g. SCHUFA) to determine creditworthiness and default risks in our business transactions.
• Examination and optimization of procedures for needs assessment for the purpose of direct customer contact,
• Advertising or market and opinion research insofar as you have not objected to the use of your data,
• Assertion of legal claims and defense in legal disputes,
• Ensuring the IT security and operation of the company,
• Prevention and detection of crime,
• Video surveillance for the protection of our domiciliary rights, for the collection of evidence in the event of burglaries (cf. also § 4 BDSG),
• Measures for building and plant security (e.g. access controls),
• Measures to secure our domiciliary right,
• Measures for business management and further development of services and products,
• Risk management at Auer Lighting GmbH.

c.    Based on your consent (Art. 6 (1) (a) GDPR)

Insofar as you have given us consent to process personal data for certain purposes (e.g. passing on data on Auer-Lighting, evaluation of transaction data for marketing purposes, photographs in the context of events, newsletter dispatch), the lawfulness of this processing is based on your consent. You can revoke your consent at any time. This applies also to the revocation of consent given to us before the GDPR came into force, i.e. before 25 May 2018. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.

d.    On the basis of legal requirements (Art. 6 (1) (c) GDPR) or public interest (Art. 6 (1) (e) GDPR).

In addition, we are subject to various legal obligations, i.e. legal requirements (e.g. money laundering law, tax laws and regulatory requirements). The purposes of the processing include, among others, creditworthiness checks, identity and age checks, fraud and money laundering prevention, the fulfilment of control and reporting obligations under tax law as well as the assessment and management of risks in the company.

Who will get my data?

Within the company, access to your data is granted to those departments that need it to fulfil our contractual and legal obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they maintain confidentiality and integrity. These receivers are companies in the categories of IT services, logistics, printing services, telecommunications, debt collection, consulting and sales and marketing.

With regard to the transfer of data to recipients outside our company, it should first be noted that we only transfer personal data in compliance with the applicable data protection regulations and to the extent necessary. As a matter of principle, we may only pass on information about you if this is required by law, you have given your consent or we are authorized to provide information. Under these conditions, recipients of personal data may be, for example:

• public bodies and institutions (e.g., tax authorities, prosecution agencies, family courts, land registry offices) in the event of a legal or official obligation,
• other credit and financial services institutions or comparable institutions to which we transmit personal data in order to carry out the business relationship with you (stock exchanges, credit agencies),
• to other companies for the purpose of risk management, based on legal or regulatory obligations,
• Creditors or insolvency administrators inquiring in the context of a compulsory execution,
• Auditors,
• Service providers that we use within the framework of data processing relationships (Art. 28 GDPR).

In addition, there is a special legitimate interest of us, the Auer-Lighting GmbH, to assign receivables from a contractual relationship within the scope of factoring in certain cases. For this purpose, we cooperate with the globally active provider FGI Worldwide LLC, 80 Broad Street, 22nd Floor, New York, NY 10004, USA (hereinafter "FGI"), to which we transfer data such as your name, your contact details and other information required for the transfer of receivables for this purpose. In order to establish an appropriate level of data protection at FGI, we have carried out a risk assessment, also with regard to applicable US regulations, and concluded a data protection agreement with FGI on the basis of the EU standard contractual clauses from the 27 June 2021.

Is there any transfer of data to a third country or to an international organization?

In exceptional cases, data is transferred to bodies in countries outside the European Union (so-called third countries) insofar as

• it is absolutely necessary for the execution of your orders (e.g. delivery orders),
• it is required by law (e.g. reporting obligations under tax law) or
• you have given us your consent.

Furthermore, a transfer to bodies in third countries is foreseen in the following cases:

• With the consent of the data subject or on the basis of statutory regulations to combat money laundering, terrorist financing and other criminal acts, as well as within the balancing of interests, personal data (e.g. legitimation data) are transmitted on a cases-by-case-basis in compliance with the data protection level of the European Union.
• For the assignment of receivables (factoring) with FGI using the valid EU standard contractual clauses after prior risk assessment (Data Transfer Impact Assessment), see previous chapter.

How long will my data be stored?

We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations.
If the data are no longer necessary for the fulfilment of contractual or legal obligations, they are deleted, unless their - temporary - further processing is necessary for the following purposes:

• Fulfilment of commercial and tax retention obligations,
• Commercial Code (HGB), Fiscal Code (AO), Money Laundering Act (GwG). The periods specified for storage or documentation are generally two to ten years.
• reservation of evidence within the framework of the statutory limitation provisions. According to §§ 195 ff of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.

What data protection rights do I have?

Every data subject has the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR.
In addition, there is a right of appeal to a competent data protection supervisory authority (Art. 77 GDPR, § 19 BDSG). You can find the address under the following link on the Internet:  www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us prior to the application of the GDPR, i.e. prior to 25 May 2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

Is there an obligation for me to provide data?

Within the scope of our business relationship, you must provide those personal data that are necessary for the establishment, execution and termination of a business relationship and for the fulfilment of the associated contractual obligations or data which we are legally obliged to collect. Without this data, usually we will not be able to conclude, execute and terminate a contract with you.

Is there automated decision making?

For the establishment, implementation and termination of the business relationship, we normally do not use automated individual decision-making in accordance with Art. 22 GDPR. If we use these procedures in individual cases (e.g. to improve our products and services), we will inform you separately about this and about your rights in this regard, in the extent required by law.

Is there any profiling?

We do not use profiling.