Data protection information for suppliers

under Articles 13, 14 and 21 of the General Data Protection Regulation GDPR

Data protection is an important concern for us. We provide information below on how we process your data and what rights you have.

1. Who is responsible for data processing and who can you contact?

Ernst Granzow GmbH & Co. KG
Hertichstr. 27
71229 Leonberg
Telefon: 07152/18-0
Fax: 07152/18-108

2. Contact details of the data protection officer

Edmund Hilt, hilt evolution

3. Processing purposes and legal basis

Your personal data will be processed in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other relevant data protection regulations. The processing and use of the individual data depends on the agreed or requested service. Our contractual documents, forms, declarations of consent and other information provided to you (e.g. on the website or in the terms and conditions) contain further details and supplements for processing purposes.

3.1 Consent (Art. 6(1)(a) GDPR)

If you have given us your consent to the processing of personal data, the respective consent is the legal basis for the processing indicated there.You can revoke your consent at any time with effect for the future.

3.2 Fulfilment of contractual obligations (Article 6(1)(b) GDPR)

We process your personal data for the performance of our contracts with you, in particular in the context of our order processing and use of services. In addition, your personal data will be processed for the implementation of measures and activities within the context of pre-contractual dealings.

3.3 Fulfilment of legal obligations (Art. 6(1)(c) GDPR)

We process your personal data if this is necessary to fulfil legal obligations (e.g. commercial, tax laws). In addition for the fulfilment of tax monitoring and reporting obligations as well as the archiving of data for the purposes of data protection and data security as well as audits by tax and other authorities. In addition, the disclosure of personal data within the context of official/judicial measures may become necessary for the purposes of collecting evidence, bringing prosecutions or the enforcement of civil claims.

3.4 Legitimate interest of ourselves or third parties (Art. 6(1)(f) GDPR)

We may also use your personal data on the basis of a balance of interests to protect the legitimate interests of ourselves or of third parties. This is done for the following purposes:
  • for advertising, if you have not objected to the use of your data.
  • for obtaining information and exchanging data with credit agencies, if this goes beyond our economic risk.
  • for the provision of a service (commissioning, programming, etc.) by third parties.
  • for the limited storage of your data, if deletion is not possible or only possible with disproportionate effort due to the special type of storage.
  • for the further development of services and products as well as existing systems and processes.
  • for the disclosure of personal data in the context of due diligence, e.g. in the case of company sales.
  • for the supplementation of our data through the use or research of publicly accessible data.
  • for statistical assessments or for market analyses.
  • for benchmarking.
  • for the assertion of legal claims and defence in legal disputes which are not directly attributable to the contractual relationship.
  • for internal and external investigations and/or security reviews.
  • for certifications of private law or official matters.
  • for securing and exercising our domiciliary rights through appropriate measures (e.g. video surveillance).
We continuously process personal data from public sources (e.g. Internet, media, press, trade and association registers, registration registers, debtor registers and land registers). If necessary for the provision of our services, we process personal data that we have lawfully received from third parties (e.g. address publishers or credit agencies).

4. Categories of personal data processed by us

The following data is processed:
  • Personal data (name, nationality, occupation/sector and similar data)
  • Contact information (address, email address, telephone number and similar data)
  • Payment/coverage confirmation for bank and credit cards
  • Information about your financial situation (credit rating data, i.e. data for assessing the economic risk)
  • Supplier history
  • We continuously process personal data from public sources (e.g. Internet, media, press, trade and association registers, registration registers, debtor registers and land registers).
  • If necessary for the provision of our services, we process personal data that we have lawfully received from third parties (e.g. address publishers or credit agencies).

5. Who receives your data?

We pass on your personal data within our company to those areas that require this data to fulfil contractual and legal obligations or to implement our legitimate interests.
In addition, the following offices may receive your data:
  • contract processors used by us (Art. 28 DS-GVO) especially in the area of IT services, logistics and printing services, external computer centres, archiving, document processing, call centre services, compliance services, controlling, data screening for anti-money laundering purposes, data validation or plausibility check, data destruction, purchasing/procurement, customer administration, letter shops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, banks and courier services.
  • public authorities and institutions in the event of a legal or official obligation under which we are required to disclose, report or pass on data or the disclosure of data is in the public interest.
  • bodies and institutions on the basis of our legitimate interest or the legitimate interest of the third party for purposes mentioned in the context (e.g. authorities, credit agencies, debt collection, lawyers, courts, experts, companies belonging to the group and committees and controlling bodies).
  • other bodies for which you have given us your consent to the transmission of data (e.g. electrical planners, architects, etc.).

6. Transfer of your data to a third country or an international organisation

Data processing outside the EU or the EEA does not take place and is not planned.

7. How long do we store your data?

If necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and processing of a contract.
In addition, we are subject to various storage and documentation obligations, which result from the Commercial Code (HGB) and the Tax Code (AO), in particular. The periods for storage or documentation specified there are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.
Ultimately, the storage period is also assessed under the statutory limitation periods, which, for example, under §§ 195 ff. of the Civil Code (BGB) can generally be three years, but in certain cases up to as many as thirty years.

8. To what extent is there automated decision making in individual cases (including profiling)?

We do not use a purely automated decision-making procedure under Article 22 GDPR. Should we use these procedures in individual cases, we will inform you separately, insofar as this is required by law.

9. Your privacy rights

You have the right to information under Art. 15 GDPR, the right to correction under Art. 16 GDPR, the right to cancellation under Art. 17 GDPR, the right to limitation of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. In addition, you have a right of appeal to a data protection regulator (Art. 77 GDPR). In principle, you also have the right of objection to the processing of personal data in accordance with Article 21 GDPR. However, this right of objection only applies in the event of very special circumstances of your personal situation, whereby our company's rights may conflict with your right of objection.If you wish to assert any of these rights, please contact our data protection officer (

10. Scope of your obligations to provide us with your data

You only need to provide those data which are necessary for the establishment and implementation of a business relationship or for a pre-contractual relationship with us or to whose collection we are legally bound. Without this information, we will usually not be able to conclude or execute the contract. This may also refer to data required later in the course of the business relationship. If we request further data from you, you will be separately informed of the optional nature of the information.

11. Information on your right of objection under Art 21 GDPR

You have the right to object at any time to the processing of your data under Art. 6(1)(f) GDPR (data processing on the basis of a balance of interests) or Art. 6(1)(e) GDPR (data processing in the public interest), if there are reasons for this arising from your particular situation. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.
If you file an objection, we will no longer process your personal data unless we can prove compelling grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
The objection can be sent informally to the address listed under point 1.

12. Your right of appeal to the competent regulator

They have a right of appeal to the data protection regulator (Art. 77 GDPR). The regulator responsible for us is:
The State Commissioner for Data Protection and Freedom of Information
Königstrasse 10 a
70173 Stuttgart