Data processing

Information on the
Data processing in accordance with Articles 13 and 14 GDPR

Here you can find out which of your personal data Bösch Boden Spies GmbH & Co. KG processes. Information on the controller and the data protection officer can be found in the privacy policy for the website: https://www.boeschbodenspies.com/datenschutz/

1. processing purposes & legal bases

We process your personal data for the following purposes:

  • Brokers and traders of fruit and fruit products
  • Logistics partner import, export, transport-related services such as documentation, contract and delivery monitoring, contract creation and administration.
  • Payment processing, currency management and hedging as well as compliance with tax regulations
  • Contract implementation and invoicing

Depending on the individual case, your data will be processed on the basis of the following legal grounds:

  • For the purpose of establishing, executing and terminating the contract in accordance with Art. 6 (1) b GDPR
  • due to legal regulations according to Art. 6 (1) c GDPR
  • Advertising and sales data in accordance with Art. 6 (1) f GDPR
  • other data within the scope of consent in accordance with Art. 6 (1) a GDPR

Bösch Boden Spies processes personal data (e.g. legal representatives, company, commercial register number, VAT ID, address, contact details, bank details) for the purpose of establishing, executing and terminating contracts in accordance with Art. 6 (1) b GDPR. Without this data, cooperation is not possible.

In addition, we process the following personal data:

  • Information on the type and content of contract data, order data, sales and document data, customer and supplier history and consulting documents,
  • Advertising and sales data
  • Information from your electronic communication with us (e.g. e-mails, IP address, log-in data),
  • Customer management
  • other data that we have received from you in the course of our business relationship (e.g. in discussions with customers),
  • Data that we generate ourselves from master / contact data and other data, e.g. by means of customer demand and customer potential analyses,
  • the documentation of your declaration of consent for the receipt of e.g. newsletters.

As a rule, you receive your data yourself, through recommendations or research in publicly accessible data sources, e.g. the Internet.

We receive data from applicants personally (in writing or by e-mail), via the employment agency, via web portals or recruitment agencies.

1.1 Right of withdrawal

Consent is always voluntary. If it is not given, there are no disadvantages. Your consent can be revoked or amended at any time with effect for the future without giving reasons. Data processing that has already taken place remains unaffected by this.

Please send your revocation either to our postal address or to office@BoeschBodenSpies.com

1.2 Profiling

We do not carry out any automated assessments (profiling).

2. recipient of the data

All services are provided by Bösch Boden Spies GmbH & Co. KG, personal data is transferred within the framework of legal requirements (e.g. to the supervisory authorities or the tax office) or through cooperation with other service providers, also in the context of recommendations or contact requests.

In connection with our normal range of services, we also transfer your data to so-called third countries for the purpose of order placement or contractual cooperation.

2.1
Salesforce

We use systems from Salesforce.com Germany GmbH, Erika-Mann-Str. 63, 80636 Munich ("Salesforce") to provide our store system, to manage our customer data and to send our personalized newsletter.

We therefore process the data that we process as part of the provision of your customer account, the purchase process and the personalized newsletter, including the analysis of your user behavior, in Salesforce systems.

We use Salesforce on the basis of our legitimate interest in accordance with Art. 6 (1) f GDPR. Our legitimate interest lies in the simplification of administrative and IT processes, customer management and communication, the processing of inquiries, increasing efficiency and the efficient implementation of marketing measures.

Salesforce is a group of companies with branches worldwide. The parent company of the group is salesforce.com Inc, Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA. Data may therefore be transferred to the USA as part of data processing at Salesforce. There is no adequacy decision by the EU Commission regarding data transfers to the USA. However, Salesforce ensures an appropriate level of data protection through so-called Binding Corporate Rules (BCR). These are binding internal regulations that have been approved by a European supervisory authority. You can access a copy of the BCR under the following link: https://compliance.salesforce.com/en/salesforce-bcrs. In addition, Salesforce ensures an adequate level of data protection via the EU standard contractual clauses. You can access a copy of the clauses at the following link: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

2.2
Use of MS 365

We use MS 365 from Microsoft to carry out our office work and for communication for conference calls, online meetings, video conferences and online collaboration.

We are interested in simplifying IT processes, internal and external communication, processing inquiries, increasing efficiency and promoting cross-company collaboration.

MS 365 is a service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland,

When using MS 365, various types of data, including personal data, are processed. We have concluded a data processing agreement with Microsoft for this purpose. A corresponding order processing contract is included in the Online Service Terms (OST).

https://www.microsoft.com/de-de/servicesagreement

https://www.microsoft.com/en-us/licensing/product-licensing/products

2.2.1
Categories of processed
Data and legal basis

When using MS 365, Microsoft processes a large amount of data.

  • Functionality data
  • License data
  • Diagnostic data (telemetry)
  • technical support
  • continuous improvement
  • Processing for legitimate business activities of Microsoft

 

Exactly which personal data is processed depends on the individual case:

  • Your IP address, which is used to access the Microsoft MS 365 applications. The legal basis for this is Art. 6 (1) f GDPR
  • The user name (access data for the Microsoft MS 365 applications), personal information that identifies you as a user, sender or recipient of data within the MS 365 world. Data in the context of multi-factor authentication that you yourself have stored in your Microsoft account (e.g. optionally the (private) cell phone number). The legal basis for this is Art. 6 (1) b.
  • Other voluntary data (such as a profile picture you have stored) can also be viewed in your profile at any time. This information is visible to you and other MS 365 users at all times in your profile, but especially in Outlook, and can be customized by you. The legal basis for this is Art. 6 (1) a GDPR.
  • Usage data: This includes, in particular, communication content (text, audio, video), files created by you or created by you. This depends on the application you use in MS 365 (Teams). The legal bases for this are Art. 6 (1) b and f GDPR
2.2.2
Recipients of data

Your personal data will only be passed on without your express prior consent in addition to the cases explicitly mentioned in this data protection declaration if it is legally permissible or required.

2.2.3
Data transfers to third countries

Data processing outside the European Union (EU) does not generally take place, as we have limited our storage location to data centers in the European Union. However, this does not apply to telemetry or diagnostic data, the support hotline and any other data that is processed outside the EU in Microsoft's area of responsibility.

Furthermore, due to legal obligations, personal data may be passed on or disclosed to third parties (in particular authorities), including to third countries (USA) with a different level of data protection.

In order to achieve the required secure level of data protection, in addition to internal organizational measures, the so-called Standard Contractual Clauses (SCC) were concluded with Microsoft, which are part of the Data Protection Addendum (DPA) as an annex to the above-mentioned OST.

2.2.4 
Profiling

The data will NOT be used by us for profiling, data analysis, market research or advertising.

2.2.5 
Encryption

Data is encrypted during transmission and at rest. This includes messages, files (video, audio, etc.), meetings and other content. Teams also uses TLS and MTLS to encrypt chat messages.

2.2.6 
Storage duration or criteria for determining this duration

If a user (or an administrator on behalf of the user) deletes the data, Microsoft will ensure that all copies of the personal data are deleted within 60 days.

If a service offered by Microsoft is terminated, the corresponding personal data will be deleted between 60 and 180 days after the service is discontinued. We generally delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfill contractual services, to check and grant or defend against warranty and guarantee claims. Microsoft must then comply with the company administrator's request.

In the case of statutory retention obligations, deletion will only be considered after the respective retention obligation has expired.

2.3
Additional information for Microsoft Teams

We use the "Microsoft Teams" tool to conduct presentations, meetings, joint project work, team meetings, conferences, training courses and seminars.

Type of data

  • Activity data
  • User data (user name, profile picture)
  • Tele- and video data
  • Contact details
  • Meeting data (topic, participant IP addresses, device/hardware information)
  • User data (files for joint editing, chat data)

The legal basis for data processing when conducting "online meetings" is Art. 6 (1) b GDPR, insofar as the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f GDPR. Our legitimate interest lies in the effective conduct of online meetings.

Audio or video content will only be recorded with your consent; you will be informed of this in advance. The legal basis for this is Art. 6 (1) a GDPR.

Further information on the processing of personal data in Microsoft Teams can be found above or here: https://docs.microsoft.com/de-de/microsoftteams/teams-privacy.

3. storage duration or criteria for determining this duration

Bösch Boden Spies GmbH & Co. KG stores your data for the duration of the business relationship. For legal, tax and commercial reasons, personal data is stored for ten years or longer if necessary and only deleted after the legal obligation has expired.

4. your rights as a data subject

If we process your personal data, you are entitled to the following rights as a "data subject" within the meaning of the GDPR: You have the right to information, correction, blocking, deletion or restriction of the processing of your data at any time. You can revoke your consent to the processing of your data at any time. You can receive your personal data for data transmission in electronic form.

Please contact us either by post (see address above) or by e-mail datenschutz@BoeschBodenSpies.com

4.1
Information

You can request information from us as to whether your personal data is being processed by us. The right to information is excluded if the data is only stored because it may not be deleted due to legal or statutory retention periods or serves exclusively for the purposes of data backup or data protection control, provided that the provision of information would require a disproportionately high effort and processing for other purposes is excluded by suitable technical and organizational measures. If the right to information is not excluded in your case and your personal data is processed by us, you can request the following information from us:

  • Purposes of the processing,
  • Categories of personal data processed by you,
  • Recipients or categories of recipients to whom your personal data is disclosed, in particular recipients in third countries,
  • if possible, the planned duration for which your personal data will be stored or, if this is not possible, the criteria for determining the storage period,
  • the existence of a right to rectification or erasure or restriction of processing of personal data concerning you or a right to object to such processing,
  • the existence of a right to lodge a complaint with a data protection supervisory authority,
  • if the personal data have not been collected from you as the data subject, the available information on the origin of the data,
  • where applicable, the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and envisaged consequences of automated decision-making,
  • if applicable, in the case of transfer to recipients in third countries, provided that no decision of the EU Commission on the adequacy of the level of protection pursuant to Art. 45 para. 3 GDPR exists, information on the appropriate safeguards pursuant to Art. 46 para. 2 GDPR for the protection of personal data.