Privacy information for users(1) of the Mairec Customer Portal

pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR)

As of April 2021

Dear Users of Our Customer Portal,
As part of our obligations under the EU General Data Protection Regulation, we will inform you here as to the data processing which we carry out in connection with the use of our customer portal.

What sources and data do we use?
We process the data that is required in connection with the registration and use of the Mairec Customer Portal as part of our business relationships. We generally collect this data directly from you, in particular when you register with the registration application, or via your employer, who designated you as a user via the registration application.

The personal data we process includes:
•    Last name, first name and gender (to address you)
•    Generally two contact options in your company (e.g. telephone number and email address)
•    Records of business transactions along with the respective correspondence
•    Username and access ID
•    Log files for processes related to your user account

Why do we process your data (purpose of processing) and on what legal basis?
We use the data listed above for preparing and performing business transactions as well as for establishing and maintaining effective business communication. If you as a person are a direct contractual partner of ours, we process your data on the basis of Article 6, paragraph 1, point (b), of the GDPR, which permits the processing of personal data for the performance of a contract or for pre-contractual actions.

Should it arise that your data is required for legal proceedings, processing may be performed to safeguard our legitimate interests pursuant to Article 6, paragraph 1, point (f), of the GDPR. Our interest then lies in the assertion or defence of claims, for example as part of the burden of proof in a legal proceeding.

Who will receive my data?
In our company, only those persons have access to your data who need it to implement our business relationship efficiently. This can also involve several departments in our company, depending on which services or products you are purchasing from us. Furthermore, our IT department has access to your data exclusively to process it on a technical level.

Service providers we have commissioned may also be recipients of your personal data within the scope of commissioned processing pursuant to Article 28 of the GDPR. 

As part of the processing of your orders, it is sometimes necessary for us to transmit certain data to our respective suppliers, manufacturers or other service providers who are based in Germany, other European countries or the European Economic Area. These are, for example, your last name, possibly your first name, and your organisational affiliation along with your contact details within your organisation. 

We may need to disclose certain data to the relevant authorised bodies as part of our legal obligations. 

Are cookies used in the Mairec customer portal?
Yes. We use technically necessary cookies, which are absolutely essential for operating and maintaining our portal. Data processing is based on Art. 6 (1) (f) of the GDPR, since otherwise basic functions are not guaranteed or are restricted. Additionally, we also use cookies to facilitate or provide some of our portal’s functionalities or to improve interaction with customers. Our use of these cookies is also based on Art. 6 (1) (f) of the GDPR. If we use what are known as statistics and marketing cookies, this requires your consent and is therefore based on Art. 6 (1) (a) of the GDPR. You may revoke your consent to data processing at any time without affecting the lawfulness of processing carried out based on your consent up until such time that you revoke the same.

Please refer to the ‘Cookie settings’ for more information about what cookies we use, including their functions and storage duration.

Chat function
We use ‘RocketChat”, which is a chat service provided by Rocket.Chat Technologies Corp. and run on our own servers. This service allows you to communicate with our employees in real time. The date and time of the call, the duration of the chat, statistics on the number of chats, the duration of the chat, the response and reaction times and the respective content of the conversation are processed in this respect. The ‘RocketChat’ chat widget technically represents the source code that is executed on your computer and enables the chat. This source code communicates with the server component on our servers. The chat contents stored there are automatically deleted at regular intervals (every 24 hours). Statistics without personal data and without chat content are stored permanently and evaluated by the technical administrators. The use of the chat service is based on our legitimate interest in optimising and operating the online service under Art. 6 (1) (f) of the GDPR.

Push notifications
In the context of using our portal, you have the option (under Art. 6 (1) (a) of the GDPR) of receiving current information about services and news through what are known as push notifications.
We use Google Firebase technology to send the push notifications. Individual identification numbers are assigned for each terminal device (‘device token’ or ‘instance ID’) for this purpose. Further data (like your IP address) is not collected. The token is used for the purpose of identifying the notification destination. The notifications are sent using the Google Firebase Cloud Messaging service, which is provided by
Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The push notifications can be disabled and re-enabled at any time. For more information about Google Firebase Cloud Messaging, please visit https://firebase.google.com/products/cloud-messaging/ and refer to
Google’s privacy policy at https://policies.google.com/privacy?hl=en&gl=gb

Usercentrics
We use the Usercentrics cookie consent tool, which is a piece of technology provided by the company Usercentrics GmbH, Rosental 4, 80331 Munich (‘Usercentrics’), to manage website visitors’ settings and, if necessary, to obtain your consent to store certain cookies on your terminal device. Usercentrics processes your IP address, information about your browser, information about your terminal device and the time of your visit to the website during the course of providing this tool. Furthermore, Usercentrics sets a cookie in your browser so it can allocate the consent granted or revocation of the same to you. Usercentrics is used to obtain the legally required consent for the use of cookies (Art. 6 (1) sentence (1) (c) of the GDPR). Information about Usercentrics’ privacy practices can be found at https://usercentrics.com/privacy-policy/

 
Is data transferred to a third country or to an international organisation?
Data is generally not transferred to countries outside the European Economic Area (so-called third countries). Nevertheless, data may be transferred to third countries in individual cases, provided that:
•    this is required by law;
•    you have given us your consent; or
•    this is justified by our legitimate interest under data protection law and there are no conflicting higher-priority interests of the data subject that are worthy of protection.

We also do not transfer any personal data to departments within third countries or international organisations. 

However, we use service providers for certain tasks, most of which also use service providers and the latter may have their registered office, parent company, or data centres in a third country. A transfer is permitted if the European Commission has decided that there is an adequate level of protection in a third country (Article 45 of the GDPR). If the Commission has not made such a decision, we or our service providers may only transfer personal data to a third country if there are suitable guarantees (e.g. standard data protection clauses that are accepted by the EU Commission or the supervisory authority in a certain procedure) and if enforceable rights and effective remedies are available. 

One example of this is our use of Microsoft Office 365 as a company-wide communication system. Although Microsoft also operates servers within the EU, it cannot be ruled out that your data will be passed on to a third country (e.g. the USA) and processed there in this context. 

We have concluded an order processing contract with Microsoft pursuant to Article 28 of the GDPR with EU standard contract clauses to maintain an appropriate level of data protection. If you require further information, please contact us using the contact details below. 

We have concluded corresponding contracts with all our service providers of this kind and have also contractually agreed that data protection guarantees must always exist with their contractual partners in compliance with the level of European data protection. We will provide you with a copy of these guarantees on request.

How long will my data be stored?
We store your data throughout ongoing business contact between us and your organisation, which includes in particular the existence of a contract or pre-contractual actions. If there is currently no contract or the term of a contract has ended, your data will be deleted from our customer database after ten years without business contact. 

Moreover, we only store your data to the extent and insofar as we are obliged to do so because of mandatory legal regulations, such as retention periods under commercial or tax law. This is generally a period of ten years. If we no longer need your data for the purposes described above, it will be stored separately during the respective statutory retention period and not processed for other purposes. After the statutory retention periods have expired, all remaining data will be immediately and securely deleted or destroyed.

Is there an obligation to provide data?
The provision of your personal data is initially not required by law or contract, nor are you obliged to provide this data. 

However, if you have a direct business relationship with us, you must provide the personal data that is necessary for the establishment and performance of a business relationship and for the fulfilment of the associated contractual obligations. Without this data, we will generally have to refrain from concluding a contract or carrying out an order, or will no longer be able to perform an existing contract and may have to terminate it, or we will not be able to give you access to the Mairec Customer Portal. 

If this involves a business relationship between a company you represent and us, you must provide us with the personal data that is necessary for establishing and implementing a power of representation/authorisation and for fulfilling the associated contractual obligations. Without this data, we will generally be unable to accept you as an authorised representative/authorised agent or have to end an existing authorised representative/authorised agent relationship.

To what extent are decisions made automatically?
We do not use fully automated decision-making pursuant to Article 22 of the GDPR to establish, perform and terminate business relationships. If we use these procedures in individual cases, we will inform you separately about this and regarding your rights in this respect insofar as that is required by law.  

Do we use profiling?
We do not process your data with the aim of automatically evaluating certain personal aspects.

Your rights
According to the General Data Protection Regulation, you have the following rights:
If your personal data is processed, you have the right to obtain information about the data stored on your person (Article 15 of the GDPR, Section 34 of the Federal Data Protection Act (BDSG)). Should incorrect personal data be processed, you have a right to correction (Article 16 of the GDPR). If the legal requirements are met, you may request the deletion or restriction of the processing and file an objection against the processing (Articles 17, 18 and 21 of the GDPR, Section 35 of the BDSG). The right to deletion is rendered invalid if a legal provision provides for further storage. In that case, we will only be able to comply with your request for deletion at the end of the statutory retention period. If you have consented to data processing or if there is a data processing contract and the data processing is performed using automated procedures, you may have the right to data portability with regard to the personal data that you have provided to us (Artide 20 of the GDPR). If you make use of your above-mentioned rights, we will check to see whether the legal requirements for doing so have been met. You also have a right to appeal to a supervisory authority for data protection (Article 77 of the GDPR, Section 19 of the BDSG). To assert your rights, please contact us as the responsible organisation:

Mairec Edelmetallgesellschaft mbH
Siemensstrasse 20
63755 Alzenau
Tel. +49 (0)6023
info@mairec.com

If you believe that the processing of your data violates data protection law or your data protection rights have otherwise been violated in any way, you can contact our data protection officer.

You can contact our data protection officer at:
Lutz Mönig i. H. Pohl Consulting Team GmbH
Mengeringhäuser Str. 15
34454 Bad Arolsen, Germany
Tel. +49 (0)5691 8900 501
Email: datenschutz@mairec.com

The data protection officer has been appointed by the supervisory authority responsible for us:

Bayerisches Landesamt für Datenschutzaufsicht
Michael Will
Promenade 27
91522 Ansbach, Germany
Tel. +49 (0)98153 1300
Fax +49 (0)98153 98 1300
poststelle@lda.bayern.de