Data Protection Costumer + Business Partner
Privacy information for customers and business partners
On these pages, we wish to tell you how we process your personal data, and inform you of your rights under the EU General Data Protection Regulation (GDPR). The policy outlined below applies to all business relations with us, from the first contact to the fulfilment of a contract, whereby the application of the various sections depends of course on the actual content of your query or the nature of the contract.
Responsible for data processing (Controller):
PEMA Verpackung GmbH
Telefon: +49 4242 5393-0
Contact person for queries concerning data privacy:
You can contact our (external) data protection officer at:
HUBIT Datenschutz GmbH & Co. KG
Telefon: +49 421 331143-00
From where does the Controller obtain personal data?
We process personal data submitted by business partners including customers, and other interested parties.
Personal data from other sources (e.g. German credit rating company SCHUFA) is only obtained and processed by us with your explicit consent.
What personal data does the Controller process?
We normally collect and process the following personal data:
▪ First name, surname
▪ Company, function
▪ Contact details (address, phone number, e-mail address, etc.)
▪ Contract + invoicing data
▪ Banking details
▪ Creditworthiness data
▪ Tax data
▪ Images / photos
▪ Video surveillance CCTV (outdoor area only)
For what purpose does the Controller process your data?
We process all personal data in strict compliance with the GDPR and the German Data Protection Act (BDSG).
▪ Consent of data subject
Article 6(1) (a) GDPR
Data processing is lawful, if you have given your consent to the processing of your personal data for one or more specific purposes (e.g. advertisement and marketing, data transfer). This consent can be revoked at any time, including for data for which you have given your consent to processing prior to the introduction of the GDPR.
▪ Entering into and fulfilment of contracts
Article 6(1) (b) GDPR
Processing of personal data is lawful if it is necessary for the fulfilment of a contract to which you are party, or in order to take steps at your request prior to entering into a contract with us.
▪ Legal obligation
Article 6(1) (c) GDPR
Processing of personal data is lawful if it is necessary for compliance with a legal obligation to which we are subject. Such obligations might arise in connection with tax law, anti-money laundering legislation, identity and age checks, etc.
▪ Legitimate interests of the controller
Article 6(1) (f) GDPR
In addition to the processing of data indicated above, personal data is processed by us in order to pursue legitimate interests. Such interests are, for example:
▪ Ensuring IT security
▪ Assertion of legal claims or defence in the case of litigation
▪ Video surveillance to protect, for instance, domiciliary rights (right of access to the premises), gathering of evidence
With whom does the Controller share my personal data?
Within our corporate group, only persons who need your personal data in order to perform a specific task - in particular in connection with contractual or legal obligations - have access to this information.
All transfers of personal data to a third party are made in strict compliance with the relevant statutory regulations, in particular GDPR and BDSG.
We might transfer personal data to:
▪ Banks / financial institutions
▪ Courier services / freight forwarders
▪ Public offices
▪ Investigative authorities
▪ Service providers involved in the fulfilment of a contract with you (Article 28 GDPR)
If you have given your consent to the transfer of your personal data to specific bodies or organisations, such transfers are also deemed lawful.
Is personal data transferred to third countries?
No. All personal data is processed in the Federal Republic of Germany.
For how long is personal data stored?
Your personal data is stored for as long as is required in order to meet our contractual or legal obligations.
Subsequently, your data is permanently erased, unless we are obliged by law to store your data for a statutory retention period, if the data is required for the assertion of legal claims, or if you have consented to its retention for a longer period of time.
What are your rights in connection with data privacy?
Under the GDPR, you as the data subject have the following rights:
▪ Information, Article 15 GDPR
▪ Rectification of incorrect data, Article 16 GDPR
▪ Erasure, Article 17 GDPR
▪ Restriction of processing, Article 18 GDPR
▪ Data portability, Article 20 GDPR
▪ Objection, Article 21 GDPR
▪ Withdraw consent, Article 7 GDPR
▪ Lodging complaint at supervisory authority, Article 77 GDPR
If the processing of your personal data is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You are entitled to object, on grounds relating to your particular situation, at any time to the
processing of your personal data. In such a case, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If you wish to make use of any of your rights, please contact us or our data protection officer (for contact details, see above).
What are my duties as a data subject?
If you enter into a contract with us, you must provide us with the personal data we need to fulfil the contract or to meet our statutory obligations. Generally, it is not possible for us to enter into a contract with you without access to certain personal data pertaining to you. If this data is not made available to us, we might be forced to terminate the contract.
Does the Controller use profiling and automated decision making?
No, we do neither use any Profiling nor automated decision making.
Valid from: January 2024