Information letter to business partners
Information according to Article 13 and Article 14 of the General Data Protection Regulation (GDPR)
This information letter gives you an overview of how we process your personal data and of your rights relating to that processing. Which personal data is processed in particular and how it is used depends largely on the services requested or agreed upon in each individual case. For this reason, not all parts of this information letter will be applicable to you.
Apart from that, this information on data protection may be updated from time to time. You can always access the current version using the link in our mail signature.
1. Who is responsible for data processing and whom can I contact?
The controller for the purpose of GDPR is
For clients of Forwardis GmbH:
Phone: +49 30 549 793 30
You can reach our external Data Protection Officer at:
c/o activeMind AG
Management- und Technologieberatung
Phone: +49 30 770 19 10 70
2. We are processing your personal data for the following purposes and on the following legal basis:
We are processing personal data in accordance with the provisions of the European Data Protection Regulation (GDPR) and of the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG):
2.1 To fulfil the contractual obligations (point (b) of Article 6 (1) GDPR)
The data processing is carried out in order to perform:
- pre-contractual measures (e.g. preparation of offers)
- our contract
- additional contractual services by our subcontractor in charge
2.2 Based on the legal requirements (point (c) of Article 6 (1) GDPR)
We are subject to various legal obligations that imply the processing of personal data. These obligations include among others:
- the control and reporting obligations under the provisions of tax law as well as storage obligations
- the obligations arising from the Money Laundering Act
- the processing of enquiries and fulfilment of requirements of supervisory authorities, law enforcement agencies or courts
- the processing of possible enquiries and fulfilment of requirements of the tax office during a company audit
2.3 Within the weighing of interests (point (f) of Article 6 (1) GDPR)
Whenever required, we process your personal data beyond the actual performance of the contract in order to protect our legitimate interests or the legitimate interests of third parties.
Examples of such cases include:
- direct advertising for our own products and/or services (e.g. in the form of regular email newsletters)
- the assertion of legal claims and defence in case of legal disputes
- the processing of your personal data in our CRM system
3. Who receives your data?
3.1 Within our company
Our employees from the sales, accounting and operational departments, insofar as this is required to maintain contact with you and to fulfil our contractual and statutory obligations (including the fulfilment of pre-contractual measures). Employees from the office management area, for the purpose of internal maintenance of contact data.
3.2 Within the scope of order processing (internal recipients)
Your personal data may be passed on to the service providers acting as data processors on our behalf. These may include other group companies and/or external service providers from the following areas:
- Support or maintenance of EDP or IT applications
- Data destruction
All service providers are contractually bound and especially obliged to treat your personal data as confidential.
3.3 Other recipients (third parties)
Data is only passed on to recipients outside our company in compliance with the applicable data protection regulations. The recipients of personal data may include, among others:
- public authorities and institutions (e.g. financial authorities or law enforcement agencies) in case of a legal or official obligation
- credit and financial service providers (processing of payment transactions)
- tax advisors or public auditors as well as payroll tax auditors and company auditors (statutory audit assignment)
- external Data Protection Officer
- operational subcontractors commissioned with the performance of your contract, if you need the data for the purpose of order performance.
4. Will personal data be transferred to a third country or to an international organisation?
Personal data is transferred to bodies in countries outside the European Economic Area (so-called third countries) insofar as:
- it is required by law (e.g. reporting obligations under the tax law),
- you have given us your consent or
- we have concluded a data processing agreement with our service provider. In this case, a transfer of your personal data may also take place:
  - where the European Commission has decided that the third country in question ensures an adequate level of protection (Article 45 GDPR) or
  - on the basis of suitable guarantees (standard data protection clauses issued by the EU Commission).
Your personal data is currently processed by the following service providers based outside the European Union and in countries outside the European Economic Area (EEA):
CITRIX, United States of America
Apart from that, we have also agreed with our service providers by contract that the data protection guarantees must always be provided also by their contracting parties, in compliance with the European data protection level. We will provide you with a copy of these guarantees upon request.
5. How long is the storage period of your personal data?
We process and store your personal data as long as this is necessary for the fulfilment of our contractual and statutory obligations. If the data is no longer required for the fulfilment of our contractual or statutory obligations, it is deleted on a regular basis.
The following exceptions shall apply:
- insofar as the statutory storage obligations must be fulfilled, e.g. pursuant to the German Commercial Code (Handelsgesetzbuch, HGB) and the German Fiscal Code (Abgabenordnung, AO). The storage or documentation periods specified therein are usually six to ten years;
- for the preservation of evidence within the statutory provisions on the statute of limitations. Pursuant to §§ 195 et seqq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), these limitation periods may add up to a total of 30 years, with the regular limitation period being 3 years.
If the data processing is carried out in our legitimate interest or in the legitimate interest of a third party, personal data will be deleted as soon as this interest no longer exists. The aforementioned exceptions shall also apply here.
6. What data protection rights do you have?
You have the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR.
Restrictions may apply to the right of access and to the right to erasure in accordance with §§ 34 and 35 BDSG.
Apart from that, there is also a right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG). A list of supervisory authorities (for the non-public sector) together with their addresses can be found at:
More information on the BfDI site.
7. Am I obliged to provide my personal data?
Within the framework of the contractual relationship, you have to provide the personal data that is necessary for the commencement, performance and termination of the contractual relationship and for the fulfilment of the related contractual obligations, or data that we collect based on our statutory obligations. Without this data, we will usually not be able to conclude the contract with you or to execute it.
Information about your right to object in accordance with Article 21 of the General Data Protection Regulation (GDPR)
Right to object in individual cases
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (f) of Article 6 (1) GDPR (data processing based on the weighing of interests).
Should you exercise your right to object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims.
8. Having an objection
If you wish to exercise your right to object, it is sufficient to send an e-mail to: