Data protection information for suppliers

In Vetter’s eyes, the protection of your privacy and a maximum of transparency form the basis for a successful and trusting cooperation. With the following information, we would like to give you an overview of the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and the manner in which they are used is predominantly determined by each individual case. Therefore, not every element of this information may be applicable to you.

Who is responsible for data processing and who can I contact?

Responsibility lies with

Vetter Pharma-Fertigung GmbH & Co. KG
Schützenstrasse 87
88212 Ravensburg, Germany
Tel.: +49-(0)751-3700-0
Telefax: +49-(0)751-3700-4000
(“Vetter” or, respectively, “we”)

You can reach our internal Data Protection Officer at

Mr. Henrik von Kunhardt
85276 Pfaffenhofen, Germany

Which sources and which data do we use?

We process personal data which we receive from our suppliers in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as registers of commercial establishments and associations, press, Internet) or which have been legitimately transmitted to us from other companies of the Vetter Group or third parties (for example a credit bureau).

Relevant personal data are personal details (name, address and other contact data) and legitimisation data (such as data from ID cards). In addition, these may also be contract data (such as a payment order), data resulting from the performance of our contractual obligations (such as turnover data in payment transactions), information about your financial status (such as data on credit standing, scoring/rating, data relevant for loans (income and expenditure)), documentation data (such as an excerpt from the Commercial Register) and other data comparable with the above-mentioned categories.

What is the purpose of processing your data (processing purpose) and on which legal basis does this take place?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG).

(1) To perform our contractual duties (Article 6 paragraph 1 lit. b) GDPR): Data are processed for the purpose of discharging our obligations from a purchasing, works, service, leasing or rental agreement or for performing precontractual measures as a result of queries.

(2) Within the scope of the balancing of interests (Article 6 paragraph 1 lit. f) GDPR): To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Examples are: consultations of and exchange of data with credit agencies (e.g. SCHUFA) to determine credit worthiness or default risks in our purchasing processes, asserting and defending claims in connection with legal disputes, ensuring IT security and IT operation of the company, prevention and investigation of criminal acts, video surveillance to protect domiciliary rights, to collect evidence in case of break-ins (also cf. Sec. 4 BDSG), measures for securing buildings and systems (such as admission control, measures to secure domiciliary rights), measures to steer business and risk control in the Vetter Pharma Group.

(3) Based on your consent (Article 6 paragraph 1 lit. a) GDPR): To the extent you have consented to the processing of personal data by us for certain purposes (such as an application to become a registered supplier in the supplier portal), such processing is legitimate on the basis of your consent. Consent once given may be revoked at any time. This also applies to the withdrawal of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Withdrawal of consent will have an effect only for the future and does not affect the legitimacy of data processed until that date.

(4) Based on statutory regulations (Article 6 paragraph 1 lit. c) GDPR) or in the public interest (Article 6 paragraph 1 lit. e) GDPR): Moreover, we, as a company, are subject to various legal obligations, i.e. statutory requirements (such as the Law on Money Laundering, tax laws). The purposes of processing include, among others, the assessment of creditworthiness, checking identity, prevention of fraud and money laundering, compliance with obligations of control and reporting under tax law and the assessment and management of risks in the Vetter Pharma Group.

Who will receive my data?

Within the company, those units will be granted access to your data that need them in order to comply with our contractual and statutory obligations, e.g. Purchasing. Service providers and agents appointed by us may also receive the data for these purposes. These are companies in the categories IT services, logistics, printing services, telecommunication, and consulting.

As far as passing on data to recipients outside our company is concerned, it must first be kept in mind that we will pass on only necessary personal data, observing all regulations on data protection. As a matter of principle, we may pass on information about our suppliers only if this is required by law, the individual concerned has given consent or we have otherwise been granted authority. Under these circumstances, recipients of personal data may, for example, be: public authorities and institutions (such as tax authorities, authorities prosecuting criminal acts) if based on a statutory or regulatory obligation, other companies of the Vetter Pharma Group for risk control on the basis of statutory or regulatory obligations, creditors or liquidators submitting queries in connection with a foreclosure, auditors, service providers whom we involve in connection with order processing relationships. Other recipients of data may be those bodies for which you have given us your consent to data transfer or to which we may transfer data on the basis of the balancing of interests.

Will the data be transferred to a third country or an international organisation?

Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent it is required for the performance of contracts (e.g. order processing), it is prescribed by law (e.g. reporting obligations under tax law) or you have given us your consent.

Moreover, transfer to bodies in third countries is intended in the following cases: (1) If necessary in individual cases, your personal data may be transmitted to an IT service provider in a third country to ensure that the IT department of the company remains operative, observing the level of the European data protection rules. (2) With the consent of the data subject or as a result of statutory provisions on controlling money laundering, the financing of terrorism and other criminal acts and within the scope of the balancing of interests, personal data (such as legitimisation data) will be transferred in individual cases, observing the data protection level of the European Union.

For how long will my data be stored?

We process and store your personal data as long as necessary for performing our contractual and statutory obligations. If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless – temporary – further processing is necessary for the following purposes: (1) Compliance with obligations of retention under commercial or tax law which, for example, may result from: the German Commercial Code (KWG), the German Fiscal Code (AO) and the German Law on Money-Laundering (GwG). As a rule, the time limits specified there for retention or documentation are 2 to 10 years; (2) Preservation of evidence under the statutory regulations regarding the statute of limitations. According to Secs. 195 et seqq. German Civil Code (BGB), these statutes of limitations may be up to 30 years, the regular statute of limitations being 3 years.

What are my rights with regard to data protection?

Every data subject has the right to information pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to objection pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As far as the right to obtain information and the right to erasure are concerned, the restrictions pursuant to Secs. 34 and 35 BDSG are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG).

Your consent to the processing of personal data granted to us may be withdrawn at any time by informing us accordingly. This also applies to the withdrawal of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Note that this withdrawal will be valid only for the future. Processing events that took place before withdrawal are not affected.

Am I obliged to provide data?

Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.

To what extent will decision-making be automated?

As a matter of principle, we do not use fully automated decision-making processes pursuant to Article 22 GDPR to establish, perform or terminate a business relationship. In the event that we should use such processes in individual cases, we will inform you of this and of your rights in this respect separately if prescribed by law.

Information about your right to object pursuant to Article 21 GDPR

Right to object based on individual cases

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6 (1) (data-processing in the public interest) and point (f) of Article 6 GDPR (data-processing on the basis of the balancing of interests).

If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.

Recipient of an objection

Such an objection may be submitted informally, headed “Objection”, stating your name, address and date of birth and should, if possible, be addressed to:

Vetter Pharma-Fertigung GmbH & Co. KG
Schützenstrasse 87
88212 Ravensburg, Germany
Tel.: +49-(0)751-3700-0