Bild zeigt Außenansicht des Gasteig

Information obligations

regarding the processing of personal data of suppliers

Information obligations regarding the processing of personal data of suppliers to Gasteig München GmbH in accordance with Article 13 of the European General Data Protection Regulation (EU GDRP)

1. Name and contact details of the controller
Gasteig München GmbH
Represented by Managing Director Max Wagner

Address: Rosenheimer Straße 5, 81667 Munich, Germany
E-mail:
Phone: +49 89 480980

2. Purposes for which your personal data are processed and legal bases for their processing
The term »personal data« refers to all information relating to an identified or identifiable natural person (Article 4(1) EU GDRP). In the following cases, we process personal data from you for the purposes stated below and based on the legal basis mentioned:

  • Processing of personal data for the purpose of implementing pre-contractual measures or fulfilling a contract
    Your personal data will be processed to the extent necessary to implement pre-contractual measures or to fulfil a contract with you. Legal basis of the processing of your personal data: point (b) Article 6(1) EU GDRP.
     
  • Processing of personal data due to legitimate interest
    Your personal data will be processed to the extent necessary to protect the legitimate interests of Gasteig München GmbH or a third party. This is in particular the case for
    - the implementation of pre-contractual measures or for the fulfilment of a contract with our supplier insofar as you are acting as a vicarious agent for our supplier.
    - assertion of legal claims and defence in legal disputes.
    Legal basis of the processing of your personal data: point (f) Article 6(1) EU GDRP.
     
  • Processing of personal data based on your consent
    Your personal data will be processed to the extent that you have expressly consented to its processing. Legal basis of the processing of your personal data: point (a) Article 6(1) EU GDRP.

You are not obliged by law to provide us with your personal data and must do so only insofar as this has been stated above for the respective purposes of processing your personal data. Your personal data will not be used for any automated decision-making process, including profiling.

3. Categories of recipients of personal data
Your personal data will be transmitted or made accessible to other recipients only insofar as this is necessary for us to process your request or insofar as we have entrusted other recipients with the performance of individual tasks or services and access to your personal data is thereby necessary or cannot be excluded. The categories of recipients of personal data are:

  • Internal departments involved in completing the respective business processes (e.g. Purchasing, Events Management, Accounts, IT)
  • Service providers for hosting, maintenance and administration of our applications or databases
  • External service providers for the direct, instruction-bound or independent support of the respective business processes (e.g. for support within the scope of an order or project award)
  • External auditors or accountants

The transfer of your personal data to the above recipients is based on your consent in accordance with point (a) Article 6(1) EU GDPR, insofar as this is necessary for taking pre-contractual measures or for fulfilling a contract with you in accordance with point (b) Article 6(1) EU GDPR, on the basis of the legitimate interest of the controller, insofar as this is necessary for implementing pre-contractual measures or for fulfilling a contract with our supplier in accordance with point (f) Art 6(1) GDPR, on the basis of contract processing in accordance with Article 28(1) EU GDPR or insofar as we are legally obliged to do so in accordance with point (c) Article 6(1) EU GDPR.

In addition, your personal data are transmitted to state institutions or authorities insofar as we are obliged to provide information by law or as a result of a court order. Furthermore, your personal data are transmitted to government institutions or authorities insofar as this is necessary to prosecute criminal offences against us as the injured party or to assert, exercise or defend civil law claims (legal basis for processing your personal data: legitimate interest of the controller in accordance with point (f) Article 6(1) EU GDPR, processing for other purposes by non-public bodies in accordance with Para. 24(1) of the German Federal Data Protection Act (BDSG)).

4. Data transmission to recipients in a third country or to an international organisation
A transfer of your personal data to a recipient in a third country or to an international organisation is not planned.

5. Duration of storage of personal data
Your personal data will only be stored for as long as is necessary to fulfil the purposes for which they were processed. As a rule, this is the case for as long as your personal data is required for carrying out pre-contractual measures or for fulfilling a contract in accordance with point (b) Article 6(1) EU GDRP or point (f) Article 6(1) EU GDPR. Furthermore, your personal data will be stored if you have given us your consent in accordance with point (a) Article 6(1) EU GDPR or if mandated by legal, statutory or contractual retention periods. For example, personal data relevant to tax law are usually stored for a period of ten years; other personal data are usually stored for a period of six years in accordance with German commercial law regulations.

6. Information about your rights as a data subject
In general and with respect to your personal data you may exercise the rights set out below.

  • Right of access in accordance with Article 15 EU GDRP:
    You have the right to request information from the controller about the personal data stored about you and other information relating to this personal data.
     
  • Right to rectification in accordance with Article 16 EU GDRP:
    You have the right to obtain from the controller rectification of inaccurate personal data concerning you.
     
  • Right to erasure in accordance with Article 17 EU GDRP:
    You have the right to obtain from the controller the erasure of personal data concerning you.
     
  • Right to restrict processing in accordance with Article 18 EU GDRP:
    You have the right to request the controller to restrict the processing of personal data concerning you.
     
  • Right to data portability in accordance with Article 20 EU GDRP:
    You have the right to receive your personal data from the controller in a structured, commonly used and machine-readable format.
     
  • Right of revocation in accordance with Article 7(3) EU GDRP:
    You have the right to withdraw your consent given in accordance with point (a) Article 6(1) EU GDRP to the processing of your personal data at any time. Your withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal.
     
  • Right to object in accordance with Article 21(1) EU GDRP:
    You have the right to object at any time to the processing of your personal data in accordance with point (e) or (f) Article 6(1) EU GDPR.
     
  • Right to lodge a complaint with a supervisory authority in accordance with Article 77 EU GDPR:
    If, as data subject, you consider that the processing of your personal data infringes the EU GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

You can address your above rights directly to the contact details provided under »Name and contact details of the controller« in this information.

7. Contact details of the Data Protection Officer
Data Protection Officer of Gasteig München GmbH
TÜV SÜD Sec-IT GmbH
Ridlerstrasse 57
80339 Munich
Germany
E-mail:

8. Further questions
If this information leaves any questions regarding your personal data unanswered, you may address your questions directly to the contact details provided in this information under »Name and contact details of the controller« or »Contact details of the Data Protection Officer«.

Version: May 2020