1 Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is
BAUER COMP Holding GmbH
Wolfratshauser Straße 80
81379 Munich
Telephone: +49 (0) 89 / 78049 – 0
Email: info@bauer-kompressoren.de
2 Contact details of the data protection officer
You can contact the data protection officer at
Proliance GmbH
www.proliance.ai
Data Protection Officer
Leopoldstr. 21
80802 Munich
Email: datenschutzbeauftragter@proliance.ai
When contacting the data protection officer, please state the company to which your enquiry relates. Please also refrain from including sensitive information, such as a copy of your ID card, with your enquiry.
3 General information on data transfer to third countries
Your data may also be processed in countries outside the European Union (EU) and the European Economic Area (EEA).
For data transfers to certain third countries, an adequacy decision by the EU Commission may exist in accordance with Art. 45 (1) GDPR. Such a decision establishes that an adequate level of data protection exists in the third country. A list of previous adequacy decisions can be found at the following link: Data protection adequacy for non-EU countries.
The scope of an adequacy decision may also be limited to a specific group of recipients or linked to the fulfilment of additional conditions.
For example, the adequacy decision for data transfers to the USA only applies to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).
When your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that local authorities may access your data for security and surveillance purposes without you being informed or being able to seek legal redress.
To ensure an adequate level of data protection when transferring your data to recipients in such third countries, we therefore ensure that appropriate safeguards within the meaning of Art. 46 GDPR are in place.
Standard data protection clauses of the European Commission in accordance with Art. 46 (2) (c) GDPR are therefore regularly concluded either by us or by the service providers we use. They oblige the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) - European Commission. If you require further information on the modules of the standard data protection clauses or supplementary measures concluded by us in individual cases, we will be happy to provide you with a copy. In this case, simply contact us using the contact details provided above under "Controller".
For certain recipients, data transfers may also be based on binding internal data protection regulations (BCR) approved by the supervisory authorities in accordance with Art. 46 (2) (b) GDPR. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.
If the standard data protection clauses or binding internal data protection regulations are not sufficient to guarantee the level of protection, additional technical, contractual or organisational measures will be taken to secure the data transfer. In addition, regular reviews and assessments are carried out to determine whether these additional measures continue to guarantee an adequate level of data protection or whether further supplementary measures need to be taken.
Further information on data transfers to third countries can be found in the relevant cases below in the section on data processing or services used, "Data processing in third countries".
4 General information on the use of artificial intelligence
Artificial intelligence (AI) may be used in the processing of your data. Either entire AI systems and assistants for general use are employed, or specific AI functions integrated into other services and software solutions are used to perform specific tasks.
4.1 Use of AI systems and assistants for general purposes
We use AI systems or assistants for general purposes throughout the company. The use of these AI systems and assistants is not limited to individual functions or activities, but can be applied across a range of uses.
These systems are usually based on large language models and can be used flexibly for a variety of purposes, such as assisting with text creation, responding to internal enquiries or analysing content.
In this context, personal data may be processed in so-called "prompts". A prompt is an input request or instruction that our employees send to the AI system in order to obtain a specific output. The AI systems process these inputs and generate corresponding outputs, which may also contain personal data. These outputs can in turn be further processed and used.
With this type of AI use, it is not possible to provide a definitive list of the personal data that is processed in detail. However, we would like to emphasise that:
- The input of highly personal and sensitive data does not take place as a matter of principle.
- If the processing of personal data is unavoidable, it is limited to the minimum necessary.
- It is ensured that any personal data entered is not used for training the AI model used.
We have compiled a list of the AI systems and assistants we use for general purposes below.
4.1.1 Microsoft Copilot
Our company uses the AI system "Microsoft Copilot" from Microsoft Corporation, One Microsoft Way, Redmond WA 94043, USA.
In the European Union (EU) and the European Economic Area (EEA), the service is provided by Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.
Description of data processing and purpose
When using Microsoft Copilot, prompts in the form of requests, questions, documents, images and other content can be entered and generated. These may then be processed internally or externally, as long as such processing is permissible within the scope of our business activities. For example, we use Copilot for:
- Research and questioning,
- Revising documents.
It cannot be ruled out that Copilot prompts may contain personal data or that this data may be included in responses. In principle, all categories of personal data that we hold about you may be affected, although the entry of sensitive personal data is expressly prohibited.
The use of the processed data for training the AI model by Microsoft is contractually excluded.
The purpose of data processing and our legitimate interest lie in enabling a more efficient way of working and facilitating the performance of certain work tasks within the scope of the aforementioned activities.
Legal basis for data processing
Data processing is carried out in accordance with Art. 6(1)(1)(f) GDPR in our aforementioned legitimate interest.
Recipients
As part of data processing, your data will be transferred to the following recipients:
- Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland,
- Microsoft Corporation, One Microsoft Way, Redmond WA 94043, USA.
Data processing in third countries
Your data will be transferred to recipients in third countries. For data transfers to the USA, there is an adequacy decision by the EU Commission with regard to companies certified under the EU-U.S. Data Privacy Framework. Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework.
Additional information and further links can be found above in the section "General information on data transfer to third countries".
Storage period
When you use Copilot, data is transferred to the above-mentioned recipients and stored there for as long as necessary to achieve the stated purposes. In addition, this data is processed in our own systems for as long as necessary to achieve the stated purposes. We will then delete your data from our operational systems, unless data processing is still permitted for another purpose specified in this statement and on a corresponding legal basis.
4.1.2. ChatGPT Enterprise
Our company uses the AI system "ChatGPT Enterprise" from OpenAI Inc., 3180 18th St, San Francisco, CA 94110, USA.
In the European Union (EU) and the European Economic Area (EEA), the service is provided by OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.
Description of data processing and purpose
When using ChatGPT, prompts in the form of requests, questions, documents, images and other content can be entered and generated. These may then be processed internally or externally, as long as such processing is permissible within the scope of our business activities. For example, we use ChatGPT for:
- Research and questioning,
- Revising documents.
It cannot be ruled out that ChatGPT prompts may contain personal data or that this data may be included in responses. In principle, all categories of personal data that we hold about you may be affected, although the entry of sensitive personal data is expressly prohibited.
The use of the processed data for training the AI model by OpenAI is contractually excluded.
The purpose of data processing and our legitimate interest lie in enabling a more efficient way of working and facilitating the performance of certain work tasks within the scope of the aforementioned activities.
Legal basis for data processing
Data processing is carried out in accordance with Art. 6(1)(1)(f) GDPR in our aforementioned legitimate interest.
Recipients
As part of data processing, your data will be transferred to the following recipients:
- OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland,
- OpenAI Inc., 3180 18th St, San Francisco, CA 94110, USA.
Data processing in third countries
Your data will be transferred to recipients in third countries. For data transfers to the USA where the recipients are not certified under the EU-U.S. Data Privacy Framework, there is no adequacy decision by the EU Commission. Therefore, standard data protection clauses are concluded and further measures are taken to ensure an adequate level of data protection.
Additional information on this and further links can be found above in the section "General information on data transfer to third countries".
Storage period
When using ChatGPT, data is transferred to the above-mentioned recipients and stored there for as long as necessary to achieve the stated purposes. In addition, this data is processed in our own systems for as long as necessary to achieve the stated purposes. We will then delete your data from our operational systems, unless data processing is still permitted for another purpose mentioned in this statement and on a corresponding legal basis.
4.2 Use of specific AI functions
In addition to the use of AI systems and assistants for general purposes, we use specific, purpose-built AI functions and extensions for certain data processing operations or when using certain services and software solutions.
Such AI functions and extensions may, for example, be integrated into the software we use in the context of one of the data processing operations described here. In this case, specifically defined tasks are always performed using AI.
In these cases, we provide separate information in the relevant section below about the specific use, its purpose and the type and scope of data processing.
5 Data protection information for customers, other business partners and interested parties
5.1 Conclusion, execution and fulfilment of contracts and for the implementation of pre-contractual measures in general
Description of data processing and purpose
We process your personal data if it is necessary for the establishment, execution and fulfilment of a contract and for the implementation of pre-contractual measures.
We only process data that is related to the establishment of the contract or pre-contractual measures. This may include general data about you or persons in your company (name, address, contact details, etc.) and, if applicable, other data that you provide to us in the course of establishing the contract.
Legal basis for data processing
Insofar as personal data is required for the initiation or execution of a contractual relationship or in the context of the implementation of pre-contractual measures, processing is lawful in accordance with Art. 6 (1) (b) GDPR.
Sources
We process personal data that we receive from you by post, telephone or email, via forms on our website or via one of our social media profiles in the context of establishing contact or a contractual relationship or in the context of pre-contractual measures.
Recipients
In the context of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Affiliated companies of the BAUER GROUP,
- Dealers,
- Software service providers who provide us with solutions for internal and external communication, for creating and editing documents, and for managing databases,
- External tax advisor,
- Public authorities and institutions (e.g. public prosecutor's office, police, supervisory authorities, tax office) in the event of a legal or official obligation,
- Recipients to whom the transfer is directly necessary for the establishment or fulfilment of a contract,
- Other data recipients, provided you have given us your consent to the transfer of data.
Data processing in third countries
Your data may also be processed in countries outside the European Union (EU) and the European Economic Area (EEA).
For data transfers to certain third countries, an adequacy decision by the EU Commission pursuant to Art. 45(1) GDPR may exist. Such a decision establishes that an adequate level of data protection exists in the third country. A list of previous adequacy decisions can be found at the following link: Data protection adequacy for non-EU countries.
The scope of an adequacy decision may also be limited to a specific group of recipients or linked to the fulfilment of additional requirements.
For example, the adequacy decision for data transfers to the United States only applies to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).
When your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that local authorities may access your data for security and surveillance purposes without you being informed or being able to seek legal redress.
We therefore ensure that appropriate safeguards within the meaning of Art. 46 GDPR are in place to ensure an adequate level of data protection when transferring your data to recipients in such third countries.
Standard data protection clauses of the European Commission in accordance with Art. 46(2)(c) GDPR are therefore regularly concluded either by us or by the service providers we use. They oblige the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) - European Commission. If you require further information on the modules of the standard data protection clauses or supplementary measures concluded by us in individual cases, we will be happy to provide you with a copy. In this case, simply contact us using the contact details provided above under "Controller".
For certain recipients, data transfers may also be based on binding internal data protection regulations (BCR) approved by the supervisory authorities in accordance with Art. 46(2)(b) GDPR. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.
If the standard data protection clauses or binding internal data protection regulations are not sufficient to guarantee the level of protection, additional technical, contractual or organisational measures will be taken to secure the data transfer. In addition, regular checks and assessments will be carried out to determine whether these additional measures continue to guarantee an adequate level of data protection or whether further supplementary measures need to be taken.
Storage period
Where necessary, we process and store your personal data for the duration of our business relationship or for the fulfilment of contractual purposes. This also includes the initiation and execution of a contract.
In addition, we are subject to various storage and documentation obligations, which arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), among other things. The periods for storage and documentation prescribed therein are two to ten years.
Finally, the storage period is also based on the statutory limitation periods, which, for example, according to Sections 195 et seq. of the Civil Code (BGB), are generally three years, but in certain cases can also be up to thirty years.
Necessity of providing personal data
The provision of personal data for the decision on the conclusion of a contract, the fulfilment of the contract or for the implementation of pre-contractual measures is voluntary. However, we can only make a decision within the framework of contractual measures if you provide the personal data that is necessary for the conclusion of the contract, the fulfilment of the contract or pre-contractual measures.
5.2 Advertising
We process your personal data in order to contact you by post, telephone and e-mail for the purpose of direct advertising, as well as to evaluate data on interested parties, conduct market research and carry out customer satisfaction surveys.
4.2.1. Place of data collection
4.2.1.1. Collection of advertising data via forms on the website
Where applicable, we collect personal data on our websites via various web forms for the purpose of addressing you with advertising in order to promote the sale of our own products, goods or services or those of our cooperation partners by means of direct advertising.
These may be forms
- for registering for newsletters, webinars or events,
- for downloading white papers and other documents.
Further information on the scope of data processing, the purposes, legal bases, recipients and storage period of the data collected can be found in the following sections.
4.2.1.2. Collection of advertising data at events or trade fairs
Where applicable, we collect personal data at events or trade fairs using analogue or digital forms for the purpose of addressing you with advertising in order to promote the sale of our own products, goods or services or those of our cooperation partners by means of direct advertising.
Further information on the scope of data processing, the purposes, legal bases, recipients and storage period of the collected data can be found in the following sections.
4.2.2. Email advertising
4.2.2.1. Advertising to existing customers
Description of data processing and purpose
We process your personal data (title, first name, surname, business email address for business contacts, private email address for consumers) that we receive in connection with the conclusion of a contract for the purpose and in our legitimate interest of sending you or your company personalised direct advertising as existing customers for similar products, goods and services, events and promotions related to the previous contract conclusion.
Legal basis for data processing
The legal basis for this processing is Art. 6 (1) (f) GDPR. As we comply with the provisions of the exemption in Section 7(3) of the German Unfair Competition Act (UWG) and only process personal data that is related to your professional activities in order to achieve the purpose, there are no apparent overriding interests on your part that conflict with our interest in data processing, provided that you have not yet objected to the processing.
You can object to data processing at any time with effect for the future without incurring any costs other than the transmission costs according to the basic tariffs. To exercise your right of objection, please use the unsubscribe link in our promotional emails or the contact details listed above under "Controller".
Recipients
As part of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Email marketing service providers,
- Affiliated companies of the BAUER GROUP,
- Retailers,
- Software service providers who provide us with solutions for internal and external communication, for creating and editing documents, and for managing databases.
Data processing in third countries
Your data may also be processed in countries outside the European Union (EU) and the European Economic Area (EEA).
For data transfers to certain third countries, an adequacy decision by the EU Commission pursuant to Art. 45(1) GDPR may exist. Such a decision establishes that an adequate level of data protection exists in the third country. A list of previous adequacy decisions can be found at the following link: Data protection adequacy for non-EU countries.
The scope of an adequacy decision may also be limited to a specific group of recipients or linked to the fulfilment of additional requirements.
For example, the adequacy decision for data transfers to the United States only applies to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).
When your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that local authorities may access your data for security and surveillance purposes without you being informed or being able to seek legal redress.
We therefore ensure that appropriate safeguards within the meaning of Art. 46 GDPR are in place to ensure an adequate level of data protection when transferring your data to recipients in such third countries.
Standard data protection clauses of the European Commission in accordance with Art. 46(2)(c) GDPR are therefore regularly concluded either by us or by the service providers we use. They oblige the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) - European Commission. If you require further information on the modules of the standard data protection clauses or supplementary measures concluded by us in individual cases, we will be happy to provide you with a copy. In this case, simply contact us using the contact details provided above under "Controller".
For certain recipients, data transfers may also be based on binding internal data protection regulations (BCR) approved by the supervisory authorities in accordance with Art. 46(2)(b) GDPR. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.
If the standard data protection clauses or binding internal data protection regulations are not sufficient to guarantee the level of protection, additional technical, contractual or organisational measures will be taken to secure the data transfer. In addition, regular reviews and assessments will be carried out to determine whether these additional measures continue to guarantee an adequate level of data protection or whether further supplementary measures need to be taken.
Storage period
We store your data for as long as is necessary to achieve the aforementioned purpose, but no longer than we are engaged in advertising activities within the scope of our business activities or as long as you have not objected to data processing. We will then delete your data unless data processing is still permitted on another legal basis or is mandatory for us (e.g. in the case of statutory retention obligations).
4.2.2.2. Consent to receive promotional emails and the newsletter, email tracking
Description of data processing and purpose
We process your personal data (title, first name, surname, business email address for business contacts, private email address for consumer contacts) solely for the purpose of sending you or your company personalised advertising by email or via our email newsletter and informing you about our own products, goods, services, events and offers or those of our cooperation partners, provided that you have given us your express consent to do so separately.
If you give us your consent, you also allow us to process data on whether you have received our marketing emails and whether you have opened them, to what extent you have interacted with the content, in particular which links you have clicked on and to what extent you have read or skimmed our emails (newsletter tracking).
Legal basis for data processing
The legal basis for this processing is your consent in accordance with Art. 6 (1) (a) GDPR. Your consent is voluntary and can be revoked at any time with effect for the future. The revocation of your consent does not affect the lawfulness of the data processing that has taken place up to that point. To exercise your right of revocation, please use the unsubscribe link in our promotional emails or in the newsletter, or the contact details listed above under "Controller".
Recipients
As part of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Email marketing service providers,
- Affiliated companies of the BAUER GROUP,
- Retailers,
- Software service providers who provide us with solutions for internal and external communication, for creating and editing documents, and for managing databases.
Data processing in third countries
Your data may also be processed in countries outside the European Union (EU) and the European Economic Area (EEA).
For data transfers to certain third countries, an adequacy decision by the EU Commission pursuant to Art. 45(1) GDPR may exist. Such a decision establishes that an adequate level of data protection exists in the third country. A list of previous adequacy decisions can be found at the following link: Data protection adequacy for non-EU countries.
The scope of an adequacy decision may also be limited to a specific group of recipients or linked to the fulfilment of additional conditions.
For example, the adequacy decision for data transfers to the USA only applies to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).
When your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that local authorities may access your data for security and surveillance purposes without you being informed or being able to seek legal redress.
We therefore ensure that appropriate safeguards within the meaning of Art. 46 GDPR are in place to ensure an adequate level of data protection when transferring your data to recipients in such third countries.
Standard data protection clauses of the European Commission in accordance with Art. 46(2)(c) GDPR are therefore regularly concluded either by us or by the service providers we use. They oblige the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) - European Commission. If you require further information on the modules of the standard data protection clauses or supplementary measures concluded by us in individual cases, we will be happy to provide you with a copy. In this case, simply contact us using the contact details provided above under "Controller".
For certain recipients, data transfers may also be based on binding internal data protection regulations (BCR) approved by the supervisory authorities in accordance with Art. 46(2)(b) GDPR. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.
If the standard data protection clauses or binding internal data protection regulations are not sufficient to guarantee the level of protection, we will take additional technical, contractual or organisational measures to secure the data transfer. In addition, regular reviews and assessments are carried out to determine whether these additional measures continue to guarantee an adequate level of data protection or whether further supplementary measures need to be taken.
Storage period
We store your data for as long as is necessary to achieve the aforementioned purpose, but no longer than we are engaged in advertising activities within the scope of our business activities or as long as you have not revoked your consent. We will then delete your data unless data processing is still permitted on another legal basis or is mandatory for us (e.g. in the case of statutory retention obligations).
4.2.3. Telephone advertising measures
Description of data processing and purpose
We process your personal data (title, first name, surname, business telephone number for business contacts, private telephone numbers for consumers) for the purpose and, where applicable, in our legitimate interest of contacting you or your company personally by telephone to provide information about our own products, goods, services, events and offers or those of our cooperation partners.
As we comply with the provisions of Section 7 (2) Nos. 1 and 2 of the German Unfair Competition Act (UWG) and, in order to achieve this purpose, only process personal data that is related to your professional activities, there are no apparent overriding interests on your part that conflict with our interest in data processing, provided that you have not yet objected to the processing.
Legal basis for data processing in the case of business contacts
The legal basis for processing in relation to business contacts is Art. 6 (1) sentence 1 lit. f GDPR. Our legitimate interest lies in promoting the sale of our products, goods and services by means of direct marketing.
You may object to data processing at any time with future effect without incurring any costs other than the transmission costs according to the basic tariffs. To exercise your right of objection, please use the contact details provided above under "Controller".
Legal basis for data processing for consumers
With regard to consumers, the legal basis for processing is your consent in accordance with Art. 6 (1) (a) GDPR in conjunction with § 7a (1) UWG (German Unfair Competition Act). Your consent is voluntary and can be revoked at any time with future effect. The revocation of your consent does not affect the lawfulness of the data processing that has taken place up to that point. To exercise your right of revocation, please use the contact details provided above under "Controller".
Recipients
In the context of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Telephone and/or call centre service providers,
- Affiliated companies of the BAUER GROUP,
- Software service providers who provide us with solutions for internal and external communication, for creating and editing documents, and for managing databases.
Data processing in third countries
Your data may also be processed in countries outside the European Union (EU) and the European Economic Area (EEA).
For data transfers to certain third countries, an adequacy decision by the EU Commission pursuant to Art. 45(1) GDPR may exist. Such a decision establishes that an adequate level of data protection exists in the third country. A list of previous adequacy decisions can be found at the following link: Data protection adequacy for non-EU countries.
The scope of an adequacy decision may also be limited to a specific group of recipients or linked to the fulfilment of additional requirements.
For example, the adequacy decision for data transfers to the United States only applies to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).
When your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that local authorities may access your data for security and surveillance purposes without you being informed or being able to seek legal redress.
We therefore ensure that appropriate safeguards within the meaning of Art. 46 GDPR are in place to ensure an adequate level of data protection when transferring your data to recipients in such third countries.
Standard data protection clauses of the European Commission in accordance with Art. 46(2)(c) GDPR are therefore regularly concluded either by us or by the service providers we use. They oblige the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) - European Commission. If you require further information on the modules of the standard data protection clauses or supplementary measures concluded by us in individual cases, we will be happy to provide you with a copy. In this case, simply contact us using the contact details provided above under "Controller".
For certain recipients, data transfers may also be based on binding internal data protection regulations (BCR) approved by the supervisory authorities in accordance with Art. 46(2)(b) GDPR. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.
If the standard data protection clauses or binding internal data protection regulations are not sufficient to guarantee the level of protection, additional technical, contractual or organisational measures will be taken to secure the data transfer. In addition, regular reviews and assessments will be carried out to determine whether these additional measures continue to guarantee an adequate level of data protection or whether further supplementary measures need to be taken.
Storage period
We store your data for as long as is necessary to achieve the aforementioned purpose, but no longer than we are engaged in advertising activities within the scope of our business activities or as long as you have not revoked your consent or objected to data processing. We will then delete your data unless data processing is still permitted on another legal basis or is mandatory for us (e.g. in the case of statutory retention obligations).
4.2.4. Postal advertising measures
Description of data processing and purpose
We process your personal data (title, first name, surname, business address for business contacts, private address for consumers) for the purpose and in our legitimate interest of sending you or your company personalised advertising by post about our own products, goods, services, events and offers or about those of our cooperation partners.
As we comply with the provisions of Section 7 (2) Nos. 1 and 2 UWG and process only the personal data specified for the purpose of achieving the objective, there are no apparent overriding interests on your part that conflict with our interest in data processing.
Legal basis for data processing
The legal basis for this processing is Art. 6(1)(f) GDPR.
You may object to the data processing at any time with effect for the future. To exercise your right of objection, please use the contact details above.
Recipients
In the context of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Postal service providers and/or lettershops,
- Affiliated companies of the BAUER GROUP,
- Software service providers who provide us with solutions for internal and external communication, for creating and editing documents, and for managing databases.
Data processing in third countries
Your data may also be processed in countries outside the European Union (EU) and the European Economic Area (EEA).
For data transfers to certain third countries, an adequacy decision by the EU Commission pursuant to Art. 45(1) GDPR may exist. Such a decision establishes that an adequate level of data protection exists in the third country. A list of previous adequacy decisions can be found at the following link: Data protection adequacy for non-EU countries.
The scope of an adequacy decision may also be limited to a specific group of recipients or linked to the fulfilment of additional conditions.
For example, the adequacy decision for data transfers to the United States only applies to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).
When your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that local authorities may access your data for security and surveillance purposes without you being informed or being able to seek legal redress.
We therefore ensure that appropriate safeguards within the meaning of Art. 46 GDPR are in place to ensure an adequate level of data protection when transferring your data to recipients in such third countries.
Standard data protection clauses of the European Commission in accordance with Art. 46(2)(c) GDPR are therefore regularly concluded either by us or by the service providers we use. They oblige the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) - European Commission. If you require further information on the modules of the standard data protection clauses or supplementary measures concluded by us in individual cases, we will be happy to provide you with a copy. In this case, simply contact us using the contact details provided above under "Controller".
For certain recipients, data transfers may also be based on binding internal data protection regulations (BCR) approved by the supervisory authorities in accordance with Art. 46(2)(b) GDPR. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.
If the standard data protection clauses or binding internal data protection regulations are not sufficient to guarantee the level of protection, additional technical, contractual or organisational measures will be taken to secure the data transfer. In addition, regular reviews and assessments will be carried out to determine whether these additional measures continue to guarantee an adequate level of data protection or whether further supplementary measures need to be taken.
Storage period
We store your data for as long as is necessary to achieve the aforementioned purpose, but no longer than we are engaged in advertising activities within the scope of our business activities or as long as you have not objected to data processing. We will then delete your data unless data processing is still permitted on another legal basis or is mandatory for us (e.g. in the case of statutory retention obligations).
5.3 Management of customer and prospect data
Description of data processing and purpose
We manage customer and prospect data. This is data from existing or potential customers, business partners or local contacts for advertising purposes.
Legal basis for data processing
The legal basis for data management is Art. 6(1)(f) GDPR or Art. 6(1)(a) GDPR, depending on which of the two legal bases we use to justify the respective advertising communication by email, telephone or post. Further information on this can be found in this section of the privacy policy.
Recipients
In the context of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Affiliated companies of the BAUER GROUP,
- Dealers,
- Software service providers who provide us with solutions for internal and external communication, for creating and editing documents, and for managing databases.
Data processing in third countries
Your data may also be processed in countries outside the European Union (EU) and the European Economic Area (EEA).
For data transfers to certain third countries, an adequacy decision by the EU Commission pursuant to Art. 45(1) GDPR may exist. Such a decision establishes that an adequate level of data protection exists in the third country. A list of previous adequacy decisions can be found at the following link: Data protection adequacy for non-EU countries.
The scope of an adequacy decision may also be limited to a specific group of recipients or linked to the fulfilment of additional requirements.
For example, the adequacy decision for data transfers to the United States only applies to companies certified under the EU-U.S. Data Privacy Framework. The certification status of a participating company can be viewed at the following link: Participant Search (dataprivacyframework.gov).
When your data is transferred to recipients in third countries for which no adequacy decision exists, there is a risk that local authorities may access your data for security and surveillance purposes without you being informed or being able to seek legal redress.
We therefore ensure that appropriate safeguards within the meaning of Art. 46 GDPR are in place to ensure an adequate level of data protection when transferring your data to recipients in such third countries.
Standard data protection clauses of the European Commission in accordance with Art. 46(2)(c) GDPR are therefore regularly concluded either by us or by the service providers we use. They oblige the recipient of the data in the third country to process it in accordance with the European level of protection. The clauses can be viewed at the following link: Publications on the Standard Contractual Clauses (SCCs) - European Commission. If you require further information on the modules of the standard data protection clauses or supplementary measures concluded by us in individual cases, we will be happy to provide you with a copy. In this case, simply contact us using the contact details provided above under "Controller".
For certain recipients, data transfers may also be based on binding internal data protection regulations (BCR) approved by the supervisory authorities in accordance with Art. 46(2)(b) GDPR. These can be viewed at the following link: Approved Binding Corporate Rules | European Data Protection Board.
If the standard data protection clauses or binding internal data protection regulations are not sufficient to guarantee the level of protection, additional technical, contractual or organisational measures will be taken to secure the data transfer. In addition, regular reviews and assessments will be carried out to determine whether these additional measures continue to guarantee an adequate level of data protection or whether further supplementary measures need to be taken.
Storage period
We store your data for as long as is necessary to achieve the aforementioned purpose, as long as you have not objected to the data processing or revoked your consent. We will then delete your data unless data processing is still permitted on another legal basis or is mandatory for us (e.g. in the case of statutory retention obligations).
5.4 Statistical evaluation and analysis of customer and prospect data, market research and customer satisfaction surveys
Description of data processing and purpose
We process data collected from you as a prospective customer, e.g. via forms on our website, as well as data collected from you as a customer or employee of a customer in the context of pre-contractual measures or in the context of contract fulfilment, in order to find out which of our products, goods, services, events and offers, or which of our cooperation partners prospective customers and customers are interested in, how we can improve these if necessary, and how we can optimise our advertising measures. In order to be able to address prospective customers in a more targeted manner, we use the data to form so-called target groups. Your information from customer satisfaction surveys conducted by us may also be included in the analysis and evaluation.
For this purpose, we may collect your information and data about
- your company (e.g. size, industry),
- your position in the company,
- your country,
- your areas of interest or product categories,
- and the referral source, i.e. information about how you became aware of our company.
Legal basis for data processing
The legal basis for the processing of your data is Art. 6 (1) (f) GDPR. Our legitimate interests lie in further developing our products and services in line with market requirements, as well as better understanding the needs and interests of our customers and potential customers, and enabling target group-oriented direct advertising on this basis.
Storage period
We store your data for as long as is necessary to achieve the aforementioned purpose or for as long as you have not objected to the data processing. We then delete your data unless data processing is still permitted on another legal basis or is mandatory for us (e.g. in the case of statutory retention obligations).
6 Data protection information for other data processing
6.1 Fulfilment of other legal obligations
Description of data processing and purpose
We process personal data if this is necessary to fulfil a legal obligation. The scope of the data to be processed is determined by the legal obligation we have to comply with.
Legal basis for data processing
In these cases, the legal basis for the processing of your data is Art. 6 (1) (c) GDPR in conjunction with the respective legal norm that imposes such an obligation on us.
These may be provisions from the German Fiscal Code (AO), e.g. Section 147 AO, the German Commercial Code (HGB), e.g. Section 257 HGB, or the German Code of Criminal Procedure (StPO).
Recipients
In the context of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Tax advisors,
- Auditors,
- Financial or investigative authorities,
- Lawyers,
- Experts,
- Courts.
These recipients include, in particular:
- Companies with legal form in the EU/EEA, address, postcode, city, country,
- where applicable, all relevant affiliated companies with legal form in the EU/EEA, address, postcode, city, country,
- if applicable, affiliated companies with legal form, address, postcode, city, third country,
- if applicable, companies with legal form, address, postcode, city, third country.
Storage period
We store your data to the extent necessary for as long as this is necessary to achieve the aforementioned purpose. The storage period is determined by the special legal regulations that oblige us to store or process data for up to 10 years, whereby the specific start of the storage periods is determined by the respective special law.
We will then delete your data unless data processing, possibly also in other systems, is still permitted on the basis of another legal basis.
6.2 Exercise or defence of legal claims
Description of data processing and purpose
In addition, we process your data in individual cases for the purpose and in the interest of asserting legal claims, for example to enforce our claims due to unpaid invoices, provided that your data is relevant to a legal dispute.
In addition, we process your data in individual cases for the purpose and in the interest of defending against legal claims brought against us, for example in the event of claims for liability for material defects, provided that your data is relevant to a legal dispute.
Legal basis for data processing
The legal basis for the processing of your data is Art. 6 (1) (f) GDPR.
Recipients
In the context of data processing, your data will be transferred to the following categories of recipients or recipients that we use in the context of data processing to achieve the aforementioned purposes:
- Tax advisors,
- Auditors,
- Financial or investigative authorities,
- Lawyers,
- Experts,
- Courts.
Storage period
We store your data in individual cases to the extent necessary for as long as this is necessary to achieve the aforementioned purpose. We then delete your data unless data processing, possibly also in other systems, is still permitted on another legal basis or is mandatory for us (e.g. in the case of statutory retention obligations).
7 Your rights
Below you will find information on the rights granted to you by the applicable data protection law with regard to the controller in relation to the processing of your personal data:
The right to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right of appeal, the origin of your data if it was not collected by us, and the existence of automated decision-making, including profiling and, where applicable, meaningful information about its details.
The right to request the immediate correction of inaccurate or incomplete personal data stored by us in accordance with Art. 16 GDPR.
The right to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.
The right to request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you; the processing is unlawful but you refuse to have the data deleted; we no longer need the data but you need it to assert, exercise or defend legal claims; or you have objected to the processing pursuant to Art. 21 GDPR.
The right, pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request its transfer to another controller.
The right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of the federal state of our registered office indicated above or, if applicable, that of your usual place of residence or workplace.
The right to withdraw consent granted in accordance with Art. 7(3) GDPR: You have the right to withdraw your consent to the processing of data at any time with effect for the future. In the event of withdrawal, we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to object
If your personal data is processed by us on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that this is done for reasons arising from your particular situation. If the objection is directed against the processing of personal data for direct marketing purposes, you have a general right of objection without the need to specify a particular situation.
If you wish to exercise your right of revocation or objection, please contact us using the contact details provided above under "Controller".
8 Status of the privacy policy
This privacy policy was last amended on 24 October 2025.