Data Privacy Notice Suppliers/Service Providers

Data Privacy Notice (GDPR)

Applicable for suppliers/service providers of the entities named under point 1 hereunder (together hereinafter referred to as.”CPH”).

September, 2019

The following information provides our suppliers/service providers with an overview of how we process your personal data and your rights under applicable data protection law. The personal data are used in order to benefit from the products and services offered by our suppliers and service providers.

1. Who is responsible for the data processing and who can I contact in this regard?

For suppliers/service of Zeochem AG

Zeochem AG
Joweid 5
CH-8630 Rüti
Sören Günther

+41 44 922 92 10
soeren.guenther@zeochem.ch

For suppliers/service providers of Perlen Papier AG

Perlen Papier AG
Perlenring 1
CH-6035 Perlen
Markus Brütting

+41 41 455 80 52
markus.bruetting@perlen.ch

For suppliers/service providers of Perlen Converting AG

Perlen Converting AG
Perlenring 3
CH-6035 Perlen
Peter Henz

+41 41 455 88 12
peter.henz@perlenpackaging.com

You may also contact our Group Data Protection Manager directly:

CPH Chemie + Papier Holding AG
Richard Unterhuber
Perlenring 1
CH-6035 Perlen

datenschutz@CPH.ch

2. What sources and data do we use and for which purpose?

We process personal data which we receive from you or from your employer in the context of our business relationships. Generally, we keep your business contacts in the framework of our contractual relationship with your company. In particular, your personal data are used for the following purposes and/or in following processes:

  1. to request and negotiate offers, including delivery conditions, for products and services provided by your company;
  2. to coordinate delivery dates, generally process our orders, including payment and evaluation of your products and services;
  3. to keep your business contacts for future delivery or collaboration and to recruit potential suppliers and service providers;
  4. to send and execute our supplier surveys;

We also process personal data from publicly available sources (e. g., commercial registers and registers of associations, press, media, Internet) which we lawfully obtain and are permitted to process.

Relevant personal data collected and processed in the context of our business relationship may be:

  • Identification data for business purposes (name, business phone number and email, business addresses, function);
  • Payment data

3. What is the legal basis?

We process the aforementioned personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) as well as the data protection laws and regulations, which are applicable locally (in Switzerland and in the EEA/EU area):

a. for the performance of contractual obligations (article 6 (1) b) GDPR)
If you (as an individual) are the contracting party, the processing of personal data is carried out in order to take steps necessary for entering into a contract or for performing a Supplier/Service Provider contract. For further details on the purpose of the data processing, please refer to the respective contractual documentation and terms and conditions.

b. for the purposes of safeguarding legitimate interests (article 6 (1) f) GDPR)
Where necessary, we process your data in order to safeguard the legitimate interests pursued by us or by a third party:

  • to request and negotiate offers, including delivery conditions, for products and services provided by your company;
  • to coordinate delivery dates, generally process our orders, including payment and evaluation of your products and services;
  • to keep your business contacts for future delivery or collaboration and to recruit potential suppliers and service providers;
  • to send and execute our supplier surveys regarding supplier- and service satisfaction;

c. on the basis of your consent (article 6 (1) a) GDPR)
Insofar as you have granted us consent to the processing of personal data for specific purposes, the lawfulness of such processing is based on your consent. Any consent granted may be revoked at any time. This also applies to the revocation of declarations of consent that are granted to us prior to the entry into force of the EU General Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the revocation shall only have effect for the future.

Any processing that was carried out prior to the revocation shall not be affected thereby. You can request a status overview of the consents you have granted from us at any time or view some of them.

d. for compliance with a legal obligation (article 6 (1) c) GDPR) or in the public interest (article 6 (1) e) GDPR)
We are also subject to various legal obligations, i. e., statutory requirements. Examples:

  • Security obligations
  • Safety obligations
  • Trading and tax rules
  • Etc.

4. Who receives my data?

Within and outside CPH, those recipient are given access to your data which require them in order to perform our contractual and statutory obligations. Moreover, those recipients may be given access to your data which require them for the purpose of our legitimate interest according to the “need-to-know-principle”.

Within CPH it may be the following recipients:

  • Accounting
  • Operations
  • Fleet Management
  • Sales/Procurement
  • Marketing
  • Legal Services
  • Human Resources
  • IT

Outside CPH it may be the following recipients:

  • Tax authorities
  • Maintenance providers
  • Other suppliers (railway undertakings, terminal operators, etc.)
  • Ev. Customs authorities

5. Is data transferred to a third country or to an international organization?

Only your identification data for business purposes (name, business phone number, business addresses, function) may be transferred to countries outside the EU or the EEA (so called third countries), if this is required for the execution of a contract between CPH and your company, prescribed by law (e. g. tax law, customs law) or if you have given us your consent.

If personal data are transferred to a third country, the controllers or processors which receive or have access to personal data are obliged to comply with the written instructions according to the EU standard contractual clauses. You may request to obtain a copy of the SCC by contacting the responsible controller according to section 1 above.

6. How long will my data be stored?

We process and store your personal data as long as it is necessary for the performance of our contractual and statutory obligations. Data regarding our supplier surveys will be retained for 25 months and subsequently deleted.

If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:

  • Compliance with records retention periods under commercial and tax law
  • Legal proceedings
  • Etc.

7. What data protection rights do I have?

Every data subject has a right of access (article 15 GDPR) to the processed data, a right to rectification (article 16 GDPR) a right to erasure (article 17 GDPR), a right to restriction of processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to data portability (article 20 GDPR).

Data subjects also have a right to lodge a complaint with a supervisory authority (article 77 GDPR).

Suppliers/service providers of all entities named above:

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Feldeggweg 1
CH-3003 Bern
Telefon: +41 58 462 42 95

8. Am I under any obligation to provide data?

Within the scope of our business relationship, you must provide personal data which is necessary for the initiation and execution of a business relationship and the performance of the associated contractual obligations or which we are legally obliged to collect. As a rule, we would not be able to enter into any contract and place the order without these data or we may no longer be able to carry out an existing contract and would have to terminate it.

9. To what extent is automated decision making (including profiling) carried out?

As a rule, we do not make decisions based solely on automated processing as defined in article 22 GDPR to establish and implement the business relationship. Provided that this is prescribed by law, we will inform you separately about automated decision making.

10. Is “profiling” used?

We do not process your data automatically with the aim of evaluating certain personal aspects (profiling).

Information on your right to object under article 21 of the EU GDPR
Note: Information on your right to object under article 21 of the EU General Data Protection Regulation (GDPR)

1. Ad hoc right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of article 4 (4) GDPR. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defense of legal claims.

2. Right to object to the processing of data for marketing purposes
In certain cases, we process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer processes your personal data for such purposes.

There are no formal requirements for lodging an objection; where possible it should be made via email: datenschutz@CPH.ch