1. Home
  2. Information on Customer and Supplier Data

Information on Customer and Supplier Data

1 General

Uhlmann Group Holding SE & Co. KG takes the protection of your personal data very seriously. Your privacy is important to us. We process your personal data in accordance with the applicable statutory data protection requirements for the purposes listed below. Personal data within the meaning of this data protection information is all information that is related to your person.

Below you can find out how we handle this data. For a better overview, we have divided our data protection information into chapters.

The controller for data processing is the

Uhlmann Group Holding SE & Co. KG
Uhlmannstraße 14 - 1888471 LaupheimTel.: 07392 / 7 02 - 0E-Mail: info(at)uhlmann-group.com. If you have any questions or comments about data protection (for example, information and updating of your personal data), please feel free to contact us by e-mail at datenschutz(at)uhlmann.de.

2 Processing frame

2.1 Source of data collectionWe process personal data that we have collected directly from you.
Insofar as this is necessary for the provision of our services, we process personal data lawfully obtained from other companies or other third parties (e.g. credit agencies, address publishers). In addition, we process personal data that we have permissibly extracted, received or acquired from publicly accessible sources (such as telephone directories, commercial and association registers, population registers, debtor registers, land registers, press, internet and other media) and are allowed to process. 

2.2 Data categoriesRelevant categories of personal data may include, but are not limited to:

  • Personal data (name, date of birth, place of birth, nationality, marital status, occupation/industry and comparable data)
  • Contact details (address, e-mail address, telephone number and comparable data)
  • Purchase Records
  • Marketing preferences
  • Activity histories (e.g., email sends, customer cases, campaign histories, and similar records)

2.3 Purposes and legal bases of the processed data

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the new version of the German Federal Data Protection Act (BDSG) and other applicable data protection regulations (details below). Which data is processed in detail and in what way depends largely on the services applied for or agreed upon. Further details or additions to the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information provided to you (e.g. in the context of the use of our website or our terms and conditions).

Purposes for the performance of a contract or pre-contractual measures (Art. 6 para. 1 b GDPR)
The processing of personal data is carried out for the performance of our contracts with you and the execution of your orders as well as for the implementation of measures and activities within the framework of pre-contractual relationships, e.g. with interested parties. This essentially includes: contract-related communication with you, the corresponding billing and associated payment transactions, the verifiability of orders and other agreements as well as quality control through appropriate documentation, goodwill procedures, measures for the control and optimisation of business processes as well as for the fulfilment of general due diligence obligations, management and control by affiliated companies; statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, billing and tax valuation of business services, risk management, assertion of legal claims and defence in legal disputes; Ensuring IT security (including system and plausibility tests) and general security, ensuring and exercising domiciliary rights (e.g. through access controls); Ensuring the integrity, authenticity and availability of data, preventing and investigating crimes, and monitoring by supervisory bodies or control bodies (e.g. auditing).

Purposes within the scope of a legitimate interest of us or third parties (Art. 6 para. 1 f GDPR)
In addition to the actual performance of the contract or preliminary contract, we may process your data if it is necessary to protect our legitimate interests or third parties, in particular for the purposes of:

  • advertising or market and opinion research, provided that you have not objected to the use of your data
  • the examination and optimization of procedures for needs analysis
  • Efficient processing of product orders
  • the further development of services and products as well as existing systems and processes
  • enriching our data, including by using or researching publicly available data
  • statistical evaluations or market analysis; of benchmarking
  • the assertion of legal claims and defence in legal disputes that are not directly attributable to the contractual relationship
  • the limited storage of the data, if deletion is not possible or only possible with disproportionately high effort due to the special nature of the storage
  • the development of scoring systems or automated decision-making processes
  • the prevention and investigation of criminal offences, unless exclusively to comply with legal requirements
  • building and plant security (e.g. through access controls), insofar as they go beyond the general duties of care
  • internal and external investigations and security checks; of possible eavesdropping or
  • obtaining and maintaining certifications of a private or regulatory nature
  • the safeguarding and exercise of domiciliary rights through appropriate measures (such as video surveillance) as well as for securing evidence in the event of criminal offences and preventing them

Purposes within the scope of your consent (Art. 6 para. 1 a GDPR)
Processing of your personal data for certain purposes (e.g. use of your e-mail address for marketing purposes, recording of telephone conversations for quality control and training purposes) may also take place on the basis of your consent. As a rule, you can revoke them at any time. This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force, i.e. before 25 May 2018. You will be informed separately about the purposes and consequences of revocation or non-granting of consent in the corresponding text of the consent. In principle, the revocation of consent only takes effect for the future. Processing that took place before the revocation is not affected by this and remains lawful.

Purposes to comply with legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR) 
Like everyone who participates in economic activity, we are also subject to a large number of legal obligations. Primarily, these are legal requirements (e.g. commercial and tax laws), but also regulatory or other official requirements. The purposes of the processing may include the fulfilment of control and reporting obligations under tax law as well as the archiving of data for the purposes of data protection and data security as well as the examination by tax and other authorities. In addition, the disclosure of personal data may become necessary in the context of regulatory/judicial measures for the purposes of gathering evidence, prosecution or enforcing civil law claims.

Existence of automated decision-making in individual cases (including profiling)
We do not use purely automated decision-making procedures in accordance with Article 22 GDPR. If we should use such a procedure in individual cases in the future, we will inform you separately if this is required by law.

2.4 Consequences of non-provision of data

In the context of the business relationship, you must provide those personal data that are necessary for the establishment, execution and termination of the legal transaction and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will not be able to carry out the legal transaction with you. 

2.5 Recipients of data within the EU

In our company, your data will be received by those internal departments or organisational units that need it to fulfil our contractual and legal obligations or in the context of processing and implementing our legitimate interest. 

Your data will only be passed on to external bodies

  • in connection with the execution of the contract
  • for the purposes of complying with legal requirements according to which we are obliged to provide information, report or pass on data or the disclosure of data is in the public interest (see Section 2.4)
  • insofar as external service providers process data on our behalf as processors or functional transferees (e.g. data centres, support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data validation or plausibility check, data destruction, purchasing/procurement, customer management, lettershops, marketing, media technology, research, risk controlling, billing, telephony, Website management, auditing services, credit institutions, printers or companies for data disposal, courier services, logistics)
  • on the basis of our legitimate interest or the legitimate interest of the third party for the purposes mentioned (e.g. to authorities, credit agencies, debt collections, lawyers, courts, experts, subsidiaries and committees and supervisory bodies, spare parts suppliers)
  • if you have given us consent to the transfer to third parties


We will not pass on your data to third parties beyond that. If we commission service providers in the context of order processing, your data is subject to the same security standards as ours. In the remaining cases, the recipients may only use the data for the purposes for which they were communicated to them.

2.6 Recipients of the data outside the EU

The data is not transferred to bodies in countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries). Further transfer of personal data to entities outside the EU or the EEA will only take place if we use services for the performance of our activities. Personal data will only be transferred if the requirements of Art. 44 et seq. GDPR are met and if suitable safeguards are in place for the transfer of personal data.

2.7 Storage periods

We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract. 

In addition, we are subject to various retention and documentation obligations, which result from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods specified there for retention or documentation are up to ten years to the end of the calendar year beyond the end of the business relationship or the pre-contractual legal relationship. 

In addition, special legal regulations may require a longer retention period, such as the preservation of evidence within the framework of the statutory statute of limitations. According to §§ 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years; however, limitation periods of up to 30 years may also apply. 

If the data is no longer required for the fulfilment of contractual or legal obligations and rights, they will be deleted on a regular basis, unless their - temporary - further processing is necessary to fulfil the purposes due to an overriding legitimate interest. Such an overriding legitimate interest also exists, for example, if deletion is not possible or only possible with disproportionately high effort due to the special nature of storage and processing for other purposes is excluded by suitable technical and organisational measures.

2.8 Your rights

Under certain conditions, you can assert your data protection rights against us. Your requests to exercise your rights should, if possible, be addressed in writing or by e-mail to the address given above or directly in writing or by e-mail to our Data Protection Officer.

  • For example, you have the right to receive information from us about your data stored by us in accordance with the rules of Art. 15 GDPR (possibly with restrictions according to § 34 BDSG-Neu)
  • At your request, we will correct the data stored about you in accordance with Art. 16 GDPR if it is inaccurate or inaccurate
  • If you wish, we will delete your data in accordance with the principles of Art. 17 GDPR, provided that other legal regulations (e.g. statutory retention obligations or the restrictions according to § 35 BDSG-Neu) or an overriding interest on our part (e.g. to defend our rights and claims) do not conflict with this
  • Taking into account the requirements of Art. 18 GDPR, you can request that we restrict the processing of your data
  • Furthermore, you can object to the processing of your data  in accordance with Art. 21 GDPR, which requires us to stop processing your data. However, this right of objection only applies if there are very special circumstances of your personal situation, whereby rights of our company may conflict with your right to object
  • You also have the right to receive your data in a structured, commonly used and machine-readable format or to transmit it to a third party under the conditions of Art. 20 GDPR
  • In addition, you have the right to revoke your consent to the processing of personal data at any time with effect for the future
  • You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always first address a complaint to our Data Protection Officer
  • Your requests to exercise your rights should be made in writing or by email to the address above, if possible, or directly in writing or by email to our Data Protection Officer

Special note on your right to object according to Art. 21 GDPR

You have the right to object at any time to the processing of your data that is carried out on the basis of Art. 6 para. 1 f GDPR (data processing on the basis of a balancing of interests) or Art. 6 para. 1 e GDPR (data processing in the public interest), if there are reasons for this that arise from your particular situation.

This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

We may also process your personal data for direct marketing purposes. If you do not wish to receive advertising, you have the right to object to this at any time; this also applies to profiling, insofar as it is related to such direct advertising. We will take this contradiction into account for the future. We will no longer process your data for direct marketing purposes if you object to the processing for these purposes.

The objection can be made in any form and should be addressed to:
Uhlmann Group Holding SE & Co. KG
Uhlmannstraße 14 - 18
88471 Laupheim
E-Mail: info(at)uhlmann-group.com

You can reach the supervisory authority responsible for us at: 
The State Commissioner for Data Protection and Freedom of Information
Baden-Württemberg
70173 Stuttgart
Phone: 0711/615541-0
Fax: 0711/615541-15
E-Mail: poststelle(at)lfdi.bwl.de