
General Privacy Statement pursuant to Art. 13 GDPR for suppliers

Note: This General Privacy Statement for suppliers applies if and insofar as you have not received any special Privacy Statements / Data Protection Information for suppliers from your Rheinmetall business partner.

Care and transparency are the basis for a trusting cooperation with our suppliers. Therefore, we would like to inform you about how we process your personal data (hereinafter also referred to as "data") and how you can exercise your rights to which you are entitled under the General Data Protection Regulation (GDPR).

I. Controller of the data processing and contact details of the Data Protection Officer

Controller of the data processing

Rheinmetall AG
Rheinmetall Platz 1
40476 Düsseldorf
Germany

The Rheinmetall company with which you enter into a supplier or business relationship or with which you come into contact as a (potential) supplier is generally the Controller for the data processing.
A list of the Rheinmetall Group companies, including contact details, can be found here.
 

Contact details of the Data Protection Officer

Rheinmetall AG
Group Data Protection Officer
Rheinmetall Platz 1
40476 Düsseldorf
Germany
dsb-rhag@rheinmetall.com

(The Group Data Protection Officer is only responsible for those Rheinmetall companies that are required by law to appoint a data protection officer.)


II. Type, scope and purposes as well as legal basis of data processing

1.    Registration as a purchasing partner

As a supplier/service provider, you have the option of being listed as a purchasing partner with Rheinmetall (inclusion in our supplier pool). For the initial creation of your supplier profile and subsequent consideration as a purchasing partner, we collect and store the following personal data from you as a supplier or as an employee/contact person of the supplier:

  • First name, last name, title, position, business e-mail address, business telephone number, company name, company address, legal form of the company, business bank details, (sales) tax number, DUNS number, (potentially) credit rating data (see also Section III.1), (potentially) certifications.

 

Legal basis for this data processing:

  • For data of suppliers (entrepreneurs): initiation of a contract or performance of pre-contractual measures pursuant to Article 6 (1) letter b GDPR.
  • For data of employees/contact persons of the supplier: Legitimate interest pursuant to Article 6 (1) letter f GDPR. Our legitimate interest in the present case is to process relevant master/contact data of the responsible contact persons of our suppliers.
 

2.    Companies and Ultimate Beneficial Owner

In addition we conduct a business partner check of our purchasing partners. For this purpose, we collect general data on the company, the products offered, the quality with regard to production and manufacturing, environmental compatibility and the technology used. We need this information in order to establish a supplier relationship. In addition, we request data on the ownership structure. We collect the following personal data from ultimate beneficial owners, shareholders and contact persons:

  • First name, last name, title, position, business e-mail address, business telephone number, (potentially) date/place of birth, company name, company address, legal form of the company, business bank details, (sales) tax number, DUNS number, (potentially) credit rating data (see also Section III.1), (potentially) certifications.
 

We process this data to fulfill legal obligations pursuant to Article 6 (1) letter c GDPR in conjunction with Sections 3, 11 of the German Money Laundering Act (GWG) and on the basis of our legitimate interest (Article 6 (1) letter f GDPR) in order to clearly identify purchasing partners or their ultimate beneficial owners and to be able to assess the performance and default risk of the purchasing partner. For this purpose, we also obtain information from third parties. You can find more information on this below under chapter III.1 and III.2.
 

3.    Contact persons

Furthermore, we process data of your employees as contact persons for queries regarding the goods or services offered by you, insofar as you have provided them to us. For this purpose, we process the following data:

  • First name, last name, title, position, business e-mail address, business telephone number, company name, company address.
 

We process this data on the basis of our legitimate interest (Article 6 (1) letter f GDPR) in being able to reach responsible contacts of our suppliers within the framework of the business relationship and, in particular, to process orders or complaints as quickly as possible.
 

4.    Preparation, implementation, execution and termination of the business relationship

After you have been accepted as a purchasing partner in our supplier pool, we use personal data of the contact persons named to us in order to obtain offers for the goods or services offered by you or to purchase goods or commission services. For this purpose we process the following data:

  • First name, last name, title, position, business e-mail address, business telephone number, company name, company address.
 

We process this data on the basis of our legitimate interest (Article 6 (1) letter f GDPR) or because the processing is necessary for the conclusion of a contract or in the context of a contract initiation (Article 6 (1) letter b GDPR), so that smooth communication and proper commissioning and contract execution can be ensured.

In addition, we process data that is generally required for the preparation, implementation, execution and termination of the business relationship with you. This processing usually takes place for the following business-typical purposes:

  • General business communication
  • Processing of orders and commissions
  • Inquiries about current orders and purchase orders
  • Administration and maintenance of contact data of designated contact persons
  • If necessary, organization of appointments and events required for business purposes as well as general cooperation within the scope of the business relationship (e.g. project organization, project management, kick-off appointments, offer presentations)
  • Billing and invoicing
  • Fulfillment of obligations under tax, commercial or corporate law (e.g. storage of receipts, legal documentation, annual financial statements, auditing)
  • Accounting and receivables management
  • If applicable, internal audits and reviews
  • If applicable, assertion, exercise or defense of legal claims


We process the data required to fulfill these aforementioned purposes on the basis of the following legal basis:

  • Contract initiation/pre-contractual measures (Article 6 (1) letter b GDPR).
  • Performance/fulfillment of contract (Article 6 (1) letter b GDPR).
  • Fulfillment of tax, commercial and company law obligations (Article 6 (1) letter c GDPR).
  • Legitimate interest in communicating with contacts and carrying out internal operational and administrative processes (Article 6 (1) letter f GDPR).
 

5.    Freelancer

If you are a Freelancer and wish to be accepted and commissioned by us as a purchasing partner, we may require further information from you. If necessary, we will ask for the following data, among others:

  • Name of your company
  • First name, last name, title, position
  • Business contact data (in particular address, e-mail address, telephone, fax number)
  • Information on start-up / entrepreneurial status
  • Information on status determination procedures with the German Pension Insurance (Deutsche Rentenversicherung) or a certificate of exemption
  • Information on membership in professional associations
  • Information on concluded or existing insurances
  • Bank details
  • (Sales) tax number
  • Certifications (potentially)


We require this information in order to be able to exclude the possibility that we enter into an employment relationship with you that is subject to social insurance (in accordance with § 7 (1) SGB IV) or pension insurance (in accordance with § 2 No. 9 SGB VI) if we commission you on a service or work contract. This processing is based on our aforementioned legitimate interest (Article 6 (1) letter f GDPR) and serves in particular to defend against possible compensation claims of the social insurance institutions.
 

6.    Surveys and market analysis

If you have a business relationship with us, we may occasionally contact you by e-mail or post for the purpose of satisfaction surveys or market analyses in accordance with Section 7 of the German Unfair Competition Act (UWG), unless you have expressly objected to this. Participation in such surveys or market analyses is, of course, voluntary for you.

The related data processing is carried out on the basis of our legitimate interest in obtaining feedback and suggestions from our business partners and in the closer analysis of relevant markets (Article 6 (1) lit. f GDPR).
 

7.    Technical data processing

If you use a (web-based) supplier portal provided by us (or a comparable web-based IT platform), personal data is regularly processed for technical reasons:

a) Server log files

When you visit the portal (or the website), we or the IT service providers involved process so-called server log files, which include the following data/information:

  • IP address
  • Date and time of your visit
  • The browser you are using, including version
  • The operating system you are using, including version
  • Which resources (e.g. subpage, contact form) you call up on our website (is logged in the form of the so-called URL)
 

We process these server log files on the basis of our legitimate interest in accordance with Art. 6 (1) lit. f GDPR for the following purposes:

  • Ensuring the security and stability of the website (e.g. avoiding server overloads due to abusive attacks, so-called DDoS attacks)
  • Ensuring a smooth connection to the website
  • Ensuring convenient use of the website
  • Evaluation of system security and stability
  • For further administrative purposes
 

b) Cookies and comparable technologies

Cookies or similar technologies may also be used on the web-based portals (or websites). In general, these are only technically necessary cookies / technologies, the use of which is based on Section 25 (2) No. 2 of the German Telecommunications Telemedia Data Protection Act (TTDSG) and Art. 6 (1) lit. f GDPR.

If, in exceptional cases, cookies/technologies that are not technically necessary (e.g. for reach measurement) are also used, you will be informed of this separately on the portal (or website).

 

8.    Obligation to provide data

In general, there is no legal obligation to provide us with the aforementioned data. However, if you wish to enter into a business relationship with us as a purchasing partner, you must provide the required data/information. Otherwise, we reserve the right not to accept you as a purchasing partner if you fail to provide information on the company or the ultimate beneficial owners.


III. Data transfers / Recipients of your data

1.    Credit rating check

We transmit company data (name of the company, legal form, address) to credit agencies within the framework of our contractual/business relationship based on our legitimate interest (Article 6 (1) letter f GDPR) for the purpose of checking your credit rating and obtaining information for assessing the risk of non-payment/default, which is determined by mathematical-statistical procedures using the aforementioned data. This assessment may be repeated on a regular basis.

Depending on the relevant Rheinmetall company and business relationship, we use different credit agencies for this purpose. These include for example:

 

You may obtain detailed data protection information from the aforementioned companies in accordance with Article 14 GDPR, i.e. information on the business purpose, data processing, processing purposes, data storage, data recipients, the right to self-disclosure, the right to erasure and rectification, etc.
 

2.    Business partner check

We also transmit personal data (including first name, last name, title, address and, if applicable, date of birth) of ultimate beneficial owners, managing directors and/or board members or other relevant key / contact persons of purchasing partners to selected credit agencies and Rheinmetall AG as part of our purchasing/business partner check based on our legitimate interest (Article 6 (1) letter f GDPR) for the purpose of assessing the integrity and freedom from conflict of the respective purchasing partner and its executive bodies and/or ultimate beneficial owners. However, this check and assessment is only carried out if orders/contracts exceed a certain threshold value. In such cases, these checks may then take place on a regular basis.

In addition to the credit agencies mentioned under III.1., other credit agencies/service providers may also be used in a permissible manner. These include, among others:

 

You may obtain detailed data protection information from the aforementioned companies in accordance with Article 14 GDPR, i.e. information on the business purpose, data processing, processing purposes, data storage, data recipients, right to self-disclosure, right to erasure and rectification, etc.

You can find more information on our purchasing/business partner check in our specific Data Privacy Statement on this topic: https://www.rheinmetall.com/Rheinmetall%20Group/Unternehmen/Compliance/rheinmetall-data-protection-information-for-business-partner-verification.pdf


3.    Data transfer to other companies of the Rheinmetall Group

After your admission to our supplier pool, we may also share, where necessary, your aforementioned data with other companies of the Rheinmetall Group. If necessary, this also includes contact data of contact persons, data on ultimate beneficial owners and on managing directors/board members.

In this way, we would also like to enable other companies of the Rheinmetall Group to perceive you as an accepted purchasing partner and to consider you for future orders and to be able to contact you directly. Only companies of the Rheinmetall Group have access to this information.

A list of our companies can be found on our website at

https://www.rheinmetall.com/de/rheinmetall_ag/group/locations_worldwide/locations-worldwide.php.

We base this group-internal transfer of data on our legitimate interest in having a uniform standard throughout the Group with regard to our purchasing partners and in maintaining a central pool of suppliers (Article 6 (1) letter f GDPR).

Under certain circumstances, Rheinmetall companies outside the European Union (EU) / European Economic Area (EEA) may also gain access to your personal data. To ensure an appropriate level of data protection at the respective companies, we have taken special measures in accordance with Article 44 et seq. GDPR and - where necessary - concluded EU Standard Contractual Clauses with the companies outside the European Union or the European Economic Area.
 

4.    Data transfer to external service providers / processors

To the extent necessary and legally permissible, we also share data with external service providers that we have commissioned to provide certain services in the context of purchasing/procurement. These include, in particular, our IT service providers for maintaining our IT infrastructure and any providers of involved IT applications.

The necessary data protection agreements have been concluded with all service providers who perform data processing on our behalf in accordance with Article 28 GDPR.
 

5.    Other data transfers

With the exception of the cases described above, we will only share your information with third parties if:

  • you have given your consent,
  • the disclosure is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
  • the disclosure is necessary for the fulfillment of a legal obligation, or
  • this is legally permissible and necessary for the processing of contractual relationships with you.


IV. Duration of data retention

We store your data as long as this is necessary for the fulfillment of our legal and contractual obligations or as long as a legitimate interest in the storage exists.

If storage of the data is no longer necessary for the fulfillment of contractual or legal obligations, your data will be deleted unless further processing is required, in particular, for the following purposes:

  • Fulfillment of commercial, tax and company law retention obligations (Article 6 (1) letter c GDPR) - (e.g. 6 or 10 years retention according to § 247 German Commercial Code - HGB or § 147 German Tax Code - AO).
  • Preservation of evidence within the framework of the statutory limitation provisions. According to the statutes of limitation of the German Civil Code (BGB), these statutes of limitation can be up to 30 years in some cases; the regular statute of limitations is three years (Article 6 (1) letter f GDPR).
  • To ensure data protection and data security (Article 6 (1) letter f GDPR).
 

 

For employees of our suppliers/purchasing partners, the following applies additionally:

Your personal data as a contact person will be stored by us and used for the purpose of business communication (e.g. additional orders) with your employer until your employer or we are no longer interested in a further business relationship or your employer or you inform us that you are no longer acting as a contact person responsible for us (e.g. after company departures, department changes).


V. Your rights in connection with the processing of your data

1.    Overview of your rights

Under the GDPR, you have the following rights with regard to the processing of your personal data:

  • Right to information/access according to Article 15 GDPR
  • Right to rectification according to Article 16 GDPR
  • Right to erasure according to Article 17 GDPR
  • Right to restriction of processing according to Article 18 GDPR
  • Right to data portability according to Article 20 GDPR
  • Right of objection according to Article 21 GDPR
  • Right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR
  • Right to withdraw your consent at any time under Article 7 (3) GDPR.

You may exercise these rights in accordance with the legal provisions. In the case of the right to information/access and the right to erasure, the restrictions of Sections 34 and 35 German Federal Data Protection Law (BDSG) also apply.
 

2.    Right to information/access (Article 15 GDPR)

You may request information regarding whether we have stored personal data about you. If you wish, we will also inform you about what data is concerned, for what purposes the data is processed, to whom this data is or has been disclosed, how long the data is stored and what other rights you have with regard to this data.
 

3.    Withdrawal of consent (Article 7 (3) GDPR)

In the exceptional event that data processing takes place on the basis of your voluntary consent (Article 6 (1) letter a GDPR), you have the right to withdraw your consent at any time with effect for the future.
 

4.    Right of objection (Article 21 GDPR)

What right do you have in the event of data processing based on our legitimate interest?

Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, against the processing of your personal data which is carried out on the basis of Article 6 (1) letter e GDPR (data processing in the public interest) or on the basis of Article 6 (1) letter f GDPR (data processing necessary for the purposes of legitimate interests). This also applies to profiling based on this provision.

In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
 

5.    Further rights

In addition, you have the right to rectification of incorrect data (Article 16 GDPR) or to the erasure of your data (Article 17 GDPR). If no legitimate reason for further storage exists, we will delete your data, otherwise restrict the processing (Article 18 GDPR).

In accordance with Article 20 GDPR, you may also request that we hand over any personal data that you have provided to us in a structured, commonly used and machine-readable format either to you or to a person or company of your choice.
 

6.    Right to lodge a complaint with a supervisory authority

Furthermore, you have the right to lodge a complaint with the competent data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG) if you are of the opinion that data processing carried out by us violates data protection regulations.
 

7.    Exercise of your rights

To exercise your aforementioned rights, please contact us via e-mail:

procurement-portal.ag@rheinmetall.com


VI. Changes to this Privacy Statement / Other

If the purpose or the way of processing your personal data changes significantly, we will update this Privacy Statement in due time and inform you appropriately about the changes.

The terms used herein are not gender-specific.

 

Status of this data protection information: 7 June 2024

Rheinmetall Platz 1

40476 Dusseldorf

Germany

Phone: +49 211 473-01

Fax: +49 211 473-4727

© 2024 Rheinmetall AG