ART. 13 GDPR

Information Obligation under Article 13 GDPR

Protecting your personal data is a particular concern for us. We process your personal data (shortened to "data") exclusively based on legal regulations. This privacy policy aims to inform you comprehensively, in accordance with Article 13 of the European General Data Protection Regulation (EU GDPR), about how your data is processed in our company and your rights regarding data protection.

1. Who is responsible for data processing and who can you contact?

The responsible entity is

Gut Sonnenhausen GmbH & Co. KG
Sonnenhausen 2
85625 Glonn
Phone: 08093 – 5777 0

Managing Director: Georg Schweisfurth

Registered in the commercial register; Register court: Ebersberg District Court; Register number: HRA 78347
VAT identification number pursuant to § 27 a VAT Act: DE 219200068

You can reach our Data Protection Officer by email at: datenschutz@sonnenhausen.de.

The company Data Protection Officer is

Matthias Baumgartner
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg

Email: anfrage@projekt29.de
Tel.: 0941-2986930

2. What data is processed and from which sources does this data originate?

We process data received from you in the framework of pre-contractual measures and contract fulfilment, consents, your application, or employment with us.

This personal data includes:

Your master and contact data, which for customers includes, for example, first and last name, address, contact details (email address, phone number, fax), bank details.

For applicants and employees, this includes, for example, first and last name, address, contact details (email address, phone number, fax), date of birth, information from your CV and reference letters, bank details, religious affiliation.

For business partners, this includes, for example, the name of their legal representatives, company, commercial register number, VAT ID, company number, address, contact person's contact details (email address, phone number, fax), bank details.

At events, photo and video recordings can be made. We inform you in advance and on the day of the event that these recordings will be made. These recordings may be used for marketing purposes on our website or in print media. We strive to use photos of guests, where possible, from the back or out of focus so that they cannot be individually identified. Legal basis: safeguarding legitimate interests, Art. 6 Para. 1 lit. f GDPR, for detailed information see paragraph 3.

Additionally, we process the following other personal data:

  • Information on the type and content of contract data, order data, sales and document data, customer and supplier history, and consultation documents,
  • Advertising and sales data,
  • Information from your electronic communication with us (e.g. IP address, login data),
  • other data we have received from you during our business relationship (e.g. in customer conversations),
  • data we generate from master/contact data and other data, such as through customer needs and potential analyses,
  • documentation of your consent for receiving newsletters, etc.

3. For what purposes and on what legal basis is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018 as amended:

• to fulfil (pre-)contractual obligations (Art. 6 Para. 1 lit. b GDPR):
Your data is processed for contract fulfilment either online or at one of our locations, and for managing your employment contract with us. Specifically, data is processed during contract initiation and execution with you.

• to comply with legal obligations (Art. 6 Para. 1 lit. c GDPR):
Processing your data is necessary to fulfil various legal obligations, such as those from the Commercial Code or Tax Code.

• to safeguard legitimate interests (Art. 6 Para. 1 lit. f GDPR):
Based on a balance of interests, data processing may occur beyond the actual fulfilment of the contract to safeguard our or third parties' legitimate interests. Data processing to safeguard legitimate interests may occur in the following cases:

  • Advertising or marketing (see No. 4),
  • Business management measures and service and product development,
  • Managing a corporate-wide customer database to improve customer services,
  • as part of legal proceedings.

• within the scope of your consent (Art. 6 Para. 1 lit. a GDPR):
If you have consented to data processing, e.g. for receiving our newsletter.

4. Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time, for all or individual measures, without incurring costs other than transmission costs according to basic tariffs.

Under the legal conditions of § 7 Para. 3 Unfair Competition Act, we are entitled to use the email address you provided during contract conclusion for direct advertising of our own similar goods or services. You receive these product recommendations regardless of whether you have subscribed to a newsletter.

If you do not wish to receive such recommendations via email, you can object to the use of your address for this purpose at any time, without incurring costs other than transmission costs according to basic tariffs. A notice in text form is sufficient. Naturally, every email also includes an unsubscribe link.

5. Who receives my data?

If we hire a service provider for order processing, we remain responsible for protecting your data. All processors are contractually obligated to treat your data confidentially and only process it within the scope of service provision. Processors we hire receive your data if they need it for delivering their respective services. These include IT service providers needed for the operation and security of our IT systems as well as advertising and address publishers for our own advertising campaigns.

Your data is processed in our customer database. The customer database supports improving data quality of existing customer data (deduplication, moved/deceased markers, address correction) and allows enhancement with data from public sources.

These data are made available to group companies if needed for contract fulfilment. Customer data is stored on a company-specific and separate basis, whereby our parent company acts as a service provider for the individual participating companies.

If there is a legal obligation and in the context of legal prosecution, authorities, courts, and external auditors may be recipients of your data.

Additionally, for the purpose of contract initiation and fulfilment, insurance companies, banks, credit agencies, and service providers may be recipients of your data.

6. How long will my data be stored?

We process your data until the end of the business relationship or until the applicable statutory retention periods expire (e.g., from the Commercial Code, Tax Code, Care Home Act, or Working Time Act); beyond that, until any legal disputes where the data is needed as evidence are resolved.

7. Are personal data transmitted to a third country?

We generally do not transfer data to a third country. Transfer occurs only in specific cases based on a European Commission adequacy decision, standard contractual clauses, appropriate guarantees, or your explicit consent.

8. What data protection rights do I have?

You have the right to access, rectify, erase, restrict the processing of your stored data at any time, object to the processing, and have a right to data portability and to lodge a complaint under the conditions of data protection law.

Right of access:
You can request information from us as to whether and to what extent we process your data.

Right to rectification:
If we process your data, which is incomplete or incorrect, you can request its correction or completion at any time.

Right to erasure:
You can request the deletion of your data if we process it unlawfully or if processing disproportionately interferes with your legitimate protection interests. Note that there are reasons against immediate deletion, such as statutory retention obligations.
Regardless of your right to erasure, we will promptly and completely erase your data unless a retention obligation requires otherwise.

Right to restriction of processing:
You can request the restriction of the processing of your data if

  • You contest the accuracy of the data, for a period enabling us to verify the accuracy of the data.
  • The data processing is unlawful, but you refuse deletion and instead request the restriction of data use,
  • We no longer need the data for the intended purpose, but you need these data for asserting or defending legal claims, or
  • You have objected to data processing.

Right to data portability:
You can request that we provide you with your data supplied to us in a structured, commonly used, and machine-readable format, and that you may transmit these data to another controller without any hindrance, provided

  • We process these data based on your consent or for contract fulfilment, and
  • This processing is conducted through automated processes.

Subject to technical feasibility, you can request a direct transfer of your data to another controller.

Right to object:
If we process your data based on legitimate interest, you can object to this data processing at any time; this also applies to profiling based on these provisions. We will then cease processing your data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. You can object to data processing for direct marketing purposes at any time without giving reasons.

Right to lodge a complaint:
If you believe that we are processing your data in violation of German or European data protection law, please contact us to clarify any questions. You also have the right to lodge a complaint with the competent supervisory authority, namely the State Office for Data Protection Supervision responsible for you.
If you wish to exercise any of the rights outlined above, please contact our Data Protection Officer. In case of doubt, we may require additional information to verify your identity.

9. Am I obligated to provide data?

Your data is required to conclude or fulfil your contract with us. If you do not provide us with these data, we generally have to refuse contract conclusion or terminate an existing contract. However, you are not obligated to provide consent for the processing of data that is not relevant or legally required for contract fulfilment.