Data privacy information – Rheinmetall Procurement Suite
General Privacy Statement pursuant to Art. 13 GDPR for Rheinmetall suppliers
Rheinmetall Procurement Suite
Transparency and care are the basis for a trusting cooperation with our suppliers. Therefore, we would like to inform you about how we process your personal data (hereinafter also referred to as "data") and how you can exercise the rights to which you are entitled under the General Data Protection Regulation (GDPR). Which personal data we process and for what purpose depends on the circumstances of the individual data processing.
I. Controller of the data processing
Controller
Rheinmetall AG and the Rheinmetall company with which you enter into a supplier relationship are jointly responsible for the processing of your data in this context.
Rheinmetall AG is responsible in particular for the processing of your data on our web-based "Rheinmetall Procurement Suite".
The respective Rheinmetall company with which you enter into a supplier relationship is generally responsible for the other data processing in the purchasing/procurement process or in the context of the supplier or purchasing partner relationship. This may also be Rheinmetall AG.
Contact details
Contact information of Rheinmetall AG
Rheinmetall Platz 1
40476 Düsseldorf, Germany
Telephone: +49 211 473-01
info@rheinmetall.com
The contact details of the other Rheinmetall companies can be found on our website at:
and
II. Contact details of the Data Protection Officers
Data Protection Officer of Rheinmetall AG
Rheinmetall AG
Datenschutzbeauftragter/Data Protection Officer
Rheinmetall Platz 1
40476 Düsseldorf, Germany
E-mail address: DSB-RhAG@rheinmetall.com
Data Protection Officers of other Rheinmetall companies
You can find the contact details of the Data Protection Officers of other Rheinmetall companies here:
Data Protection Officers of Rheinmetall AG companies
(Only those companies are listed here that are required by law to appoint a Data Protection Officer or have appointed one voluntarily).
III. Type, scope and purposes as well as legal basis of data processing
1. Accessing our Procurement Suite Website: Logfiles and Cookies
Each time you access our Procurement Suite website, we ourselves or the Procurement Suite provider commissioned by us (Ivalua SAS, 102 Avenue de Paris, 91300 Massy, France) collect so-called log files (protocol data). The data collected includes:
- IP address of your end device with which you access our website
- Date and time of your visit
- The browser you are using incl. version
- The operating system you are using incl. version
We process these log files on the basis of our legitimate interest pursuant to Article 6 (1) letter f GDPR for the following purposes:
- Ensuring the security and stability of the website (e.g. avoiding server overloads due to abusive attacks, so-called DDoS attacks),
- Ensuring a smooth connection of the website,
- Ensuring a comfortable use of our website,
- Evaluation of system security and stability,
- For other administrative purposes.
We reserve the right to analyze these log files retrospectively if we become aware of concrete indications of illegal activities. The log files will be deleted immediately if they are no longer required to achieve these purposes, but no later than 90 days after collection.
This website also uses "Cookies". Cookies are text files that are stored on your computer/end device and that enable, for example, individualization/customization of the website to your preferences, automatic recognition on your next visit, proper functioning of the website and analysis of the use of the website. On this website, only the following "functional cookies" are used, which are necessary for the proper functionality of the website (cf. § 25 (2) TTDSG):
Cookie name | Function | Storage period |
---|---|---|
.theDefault | Authentication cookie | Session |
ASP.NET_SessionId | Saves data during your visit on the website and remembers, for example a selection you have made or which page you have previously viewed on our website. | Session |
SSOInformation | Information about Single Sign On (SSO), if available. | Session |
UserTimeZoneOffset | Captures the difference between your current local time (browser) and world time (UTC) | 1 Day |
UrlPrefixClientCookieNameAppName | URL prefix (host) used in your browser to access our web site. | Session |
2. Registration as a purchasing partner on our Procurement Suite
As a supplier/service provider, you have the option of being listed as a purchasing partner with Rheinmetall (inclusion in our supplier pool). To do this, you must first register on our Procurement Suite.
For the initial creation of your supplier profile and subsequent consideration as a purchasing partner, we collect and store the following personal data from you as a supplier or as an employee/contact person of the supplier:
- First name, last name, title, position, business e-mail address, business telephone number, company name, company address.
These data will be collected and processed by us in order to carry out the registration process and to create your supplier profile on our platform.
In addition, you must accept the Terms of Use for the Procurement Suite in advance.
Legal basis for this data processing:
- For data of suppliers (entrepreneurs): initiation of a contract or performance of pre-contractual measures pursuant to Article 6 (1) letter b GDPR.
- For data of employees/contact persons of the supplier: Legitimate interest pursuant to Article 6 (1) letter f GDPR. Our legitimate interest in the present case is to process relevant master/contact data of the responsible contact persons of our suppliers.
Upon completion of registration, you will receive access to the restricted area of the Procurement Suite, which can only be accessed with your personal login data. Your login data consists of a UserID (your specified e-mail address) and password.
3. Use of our Procurement Suite / Logging
After you have registered on the Procurement Suite and have been activated by us as a purchasing partner, you can use the functions provided to you in accordance with your authorizations on the Procurement Suite with your personal login data.
In addition to the self-administration of your user and master data as well as your contracts, you may then also apply for corresponding tenders from Rheinmetall.
When using the Procurement Suite, the following log files (protocol data) are automatically collected and processed in addition to the log files mentioned under III.1:
- UserID
- Date and time of last login
- Change history
- Performed activities
- If necessary further
We also process these (additional) log files on the basis of our legitimate interest pursuant to Article 6 (1) letter f GDPR for the following purposes:
- Ensuring the security and integrity of the system
- Ensuring traceability
- Prevention of abuse
These log files are automatically deleted no later than 100 days after generation.
Note: Maintenance of user and contact data on our Procurement Suite.
As a registered procurement partner, you are responsible under our Terms of Use for ensuring that the data you store/maintain in the system (in particular user and contact data) is correct and up-to-date. In particular, you must correct and/or delete the corresponding data in the event of changes to your contact persons.
4. Companies and Ultimate Beneficial Owner
In addition, as part of the registration and activation process, we conduct a business partner check of our purchasing partners. For this purpose, we collect general data on the company, the products offered, the quality with regard to production and manufacturing, environmental compatibility and the technology used. We need this information in order to establish a supplier relationship. In addition, we request data on the ownership structure. We collect the following personal data from ultimate beneficial owners, shareholders and contact persons:
- First name, last name, title, position, business e-mail address, business telephone number, company name, company address.
We process this data to fulfill legal obligations pursuant to Article 6 (1) letter c GDPR in conjunction with Sections 3, 11 of the German Money Laundering Act (GWG) and on the basis of our legitimate interest (Article 6 (1) letter f GDPR) in order to clearly identify purchasing partners or their ultimate beneficial owners and to be able to assess the performance and default risk of the purchasing partner. For this purpose, we also obtain information from third parties. You can find more information on this below under chapter IV.1 and IV.2.
5. Contact persons
Furthermore, we process data of your employees as contact persons for queries regarding the goods or services offered by you, insofar as you have provided them to us. For this purpose, we process the following data:
- First name, last name, title, position, business e-mail address, business telephone number, company name, company address.
We process this data on the basis of our legitimate interest (Article 6 (1) letter f GDPR) in being able to reach responsible contacts of our suppliers within the framework of the business relationship and, in particular, to process orders or complaints as quickly as possible.
6. Preparation, implementation, execution and termination of the business relationship
After you have been accepted as a purchasing partner in our supplier pool, we use personal data of the contact persons named to us in order to obtain offers for the goods or services offered by you or to purchase goods or commission services. For this purpose we process the following data:
- First name, last name, title, position, business e-mail address, business telephone number, company name, company address.
We process this data on the basis of our legitimate interest (Article 6 (1) letter f GDPR) or because the processing is necessary for the conclusion of a contract or in the context of a contract initiation (Article 6 (1) letter b GDPR), so that smooth communication and proper commissioning and contract execution can be ensured.
In addition, we process data that is generally required for the preparation, implementation, execution and termination of the business relationship with you. This processing usually takes place for the following business-typical purposes:
- General business communication
- Processing of orders and commissions
- Inquiries about current orders and purchase orders
- Administration and maintenance of contact data of designated contact persons including user administration on the Procurement Suite
- If necessary, organization of appointments and events required for business purposes as well as general cooperation within the scope of the business relationship (e.g. project organization, project management, kick-off appointments, offer presentations)
- Billing and invoicing
- Fulfillment of obligations under tax, commercial or corporate law (e.g. storage of receipts, legal documentation, annual financial statements, auditing)
- Accounting and receivables management
- If applicable, internal audits and reviews
- If applicable, assertion, exercise or defense of legal claims
We process the data required to fulfill these aforementioned purposes on the basis of the following legal grounds:
- Contract initiation/pre-contractual measures (Article 6 (1) letter b GDPR).
- Performance/fulfillment of contract (Article 6 (1) letter b GDPR).
- Fulfillment of tax, commercial and company law obligations (Article 6 (1) letter c GDPR).
- Legitimate interest in communicating with contacts and carrying out internal operational and administrative processes (Article 6 (1) letter c GDPR).
7. Freelancer
If you are a Freelancer and wish to be accepted and commissioned by us as a purchasing partner, we may require further information from you. If necessary, we will ask for the following data, among others:
- Name of your company
- First name, last name, title, position
- Business contact data (in particular address, e-mail address, telephone, fax number)
- Information on start-up / entrepreneurial status
- Information on status determination procedures with the German Pension Insurance (Deutschen Rentenversicherung) or a certificate of exemption
- Information on membership in professional associations
- Information on concluded or existing insurances
- Your bank details
We require this information in order to be able to exclude the possibility that we enter into an employment relationship with you that is subject to social insurance (in accordance with § 7 (1) SGB IV) or pension insurance (in accordance with § 2 No. 9 SGB VI) if we commission you on a service or work contract. This processing is based on our aforementioned legitimate interest (Article 6 (1) letter f GDPR) and serves in particular to defend against possible compensation claims of the social insurance institutions.
8. Surveys and market analysis
If you have a business relationship with us, we may occasionally contact you by e-mail or post for the purpose of satisfaction surveys or market analyses in accordance with Section 7 of the German Unfair Competition Act (UWG), unless you have expressly objected to this. Participation in such surveys or market analyses is, of course, voluntary for you.
The data processing related to this is carried out on the basis of our legitimate interest in obtaining feedback and suggestions from our business partners and in the closer analysis of relevant markets (Article 6 (1) letter f GDPR).
9. Obligation to provide data
In general, there is no legal obligation to provide us with the aforementioned data. However, if you wish to enter into a business relationship with us as a purchasing partner, you must provide the required data/information. Otherwise, we reserve the right not to accept you as a purchasing partner if you fail to provide information on the company or the ultimate beneficial owners.
IV. Data transfers / Recipients of your data
1. Credit rating check
We transmit company data (name of the company, legal form, address) to credit agencies within the framework of our contractual/business relationship based on our legitimate interest (Article 6 (1) letter f GDPR) for the purpose of checking your credit rating and obtaining information for assessing the risk of non-payment/default, which is determined by mathematical-statistical procedures using the aforementioned data. This assessment may be repeated on a regular basis.
Depending on the Rheinmetall company and business relationship, we use different credit agencies for this purpose. These include in particular:
- Verband der Vereine Creditreform e.V. (Hammfelddamm 13, 41460 Neuss, Germany; https://www.creditreform.de/datenschutz ).
- Bisnode Deutschland GmbH (Robert-Bosch-Straße 11, 64293 Darmstadt, Germany; https://www.bisnode.de/ )
- Dun & Bradstreet Deutschland GmbH (Robert-Bosch-Straße 11, 64293 Darmstadt, Germany; https://www.dnb.com/de-de/daten-und-sicherheit/downloadbereich/ )
- Euler Hermes SA (German branch: Gasstraße 29, 22761 Hamburg, Germany; https://www.eulerhermes.de/service/dokumente/downloads.html#bc )
- Bureau van Dijk Editions Electroniques Sàrl (a company of the Moody's Corporation, Avenue Louise 250, 1050 Brussels, Belgium; https://www.bvdinfo.com/de-de/datenschutzerklarung )
You may obtain detailed data protection information from the aforementioned companies in accordance with Article 14 GDPR, i.e. information on the business purpose, data processing, processing purposes, data storage, data recipients, the right to self-disclosure, the right to erasure and rectification, etc.
2. Business partner check
We also transmit personal data (including first name, last name, address and, if applicable, date of birth) of ultimate beneficial owners, managing directors and/or board members of purchasing partners to selected credit agencies and Rheinmetall AG as part of our purchasing/business partner check based on our legitimate interest (Article 6 (1) letter f GDPR) for the purpose of assessing the integrity and freedom from conflict of the respective purchasing partner and its executive bodies and/or ultimate beneficial owners. However, this check and assessment is only carried out if orders/contracts exceed a certain threshold value. In such cases, these checks may then take place on a regular basis.
In addition to the credit agencies mentioned under IV.1., other credit agencies/service providers may also be used in a permissible manner. These include, among others:
- LexisNexis GmbH (Heerdter Sandberg 30, 40549 Düsseldorf, Germany; https://www.lexisnexis.com/global/privacy/de/privacy-policy-bis.page )
- CompanyHouse AG (CompanyHouse AG, Lettenstrasse 7, 6343 Rotkreuz, Switzerland; https://www.companyhouse.de/Datenschutz )
- Ecovadis SAS (43 avenue de la Grande armée, 75116 Paris, France; https://ecovadis.com/de/trust-center/data-privacy/ )
- Control Risks GmbH (Mainzer Landstraße 47, 60329 Frankfurt/Main, Germany; https://www.controlrisks.com/de/legal ).
You may obtain detailed data protection information from the aforementioned companies in accordance with Article 14 GDPR, i.e. information on the business purpose, data processing, processing purposes, data storage, data recipients, right to self-disclosure, right to erasure and rectification, etc.
You can find more information on our purchasing/business partner check in our specific Data Privacy Statement on this topic: Business Partner Policy
3. Data transfer to other companies of the Rheinmetall Group
After your admission to our supplier pool, we may also share, where necessary, your aforementioned data with other companies of the Rheinmetall Group. If necessary, this also includes contact data of contact persons, data on ultimate beneficial owners and on managing directors/board members.
In this way, we would also like to enable other companies of the Rheinmetall Group to perceive you as an accepted purchasing partner and to consider you for future orders and to be able to contact you directly. Only companies of the Rheinmetall Group have access to this information.
A list of our companies can be found on our website at
and
We base this group-internal transfer of data on our legitimate interest in having a uniform standard throughout the Group with regard to our purchasing partners and in maintaining a central pool of suppliers (Article 6 (1) letter f GDPR).
Under certain circumstances, Rheinmetall companies outside the European Union (EU) / European Economic Area (EEA) may also gain access to your personal data. To ensure an appropriate level of data protection at the respective companies, we have taken special measures in accordance with Article 44 et seq. GDPR and - where necessary - concluded EU Standard Contractual Clauses with the companies outside the European Union or the European Economic Area.
4. Data transfer to external service providers / processors
To the extent necessary and legally permissible, we also share data with external service providers that we have commissioned to provide certain services in the context of purchasing/procurement. These include, in particular, our IT service providers for maintaining our IT infrastructure and any providers of involved IT applications.
The necessary data protection agreements have been concluded with all service providers who perform data processing on our behalf in accordance with Article 28 GDPR.
5. Other data transfers
With the exception of the cases described above, we will only share your information with third parties if:
- you have given your consent,
- the disclosure is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
- the disclosure is necessary for the fulfillment of a legal obligation, or
- this is legally permissible and necessary for the processing of contractual relationships with you.
V. Duration of data retention
We store your data as long as this is necessary for the fulfillment of our legal and contractual obligations or as long as a legitimate interest in the storage exists.
If storage of the data is no longer necessary for the fulfillment of contractual or legal obligations, your data will be deleted unless further processing is required, in particular, for the following purposes:
- Fulfillment of commercial, tax and company law retention obligations (Article 6 (1) letter c GDPR) - (e.g. 6 or 10 years retention according to § 247 German Commercial Code - HGB or § 147 German Tax Code - AO).
- Preservation of evidence within the framework of the statutory limitation provisions. According to the statutes of limitation of the German Civil Code (BGB), these statutes of limitation can be up to 30 years in some cases; the regular statute of limitations is three years (Article 6 (1) letter f GDPR);
- To ensure data protection and data security (Article 6 (1) letter f GDPR).
For employees of our suppliers/purchasing partners, the following applies additionally:
Your personal data as a contact person will be stored by us and used for the purpose of business communication (e.g. additional orders) with your employer until your employer or we are no longer interested in a further business relationship or your employer or you inform us that you are no longer acting as a contact person responsible for us (e.g. after company departures, department changes).
VI. Your rights in connection with the processing of your data
1. Overview of your rights
Under the GDPR, you have the following rights with regard to the processing of your personal data:
- Right to information/access according to Article 15 GDPR
- Right to rectification according to Article 16 GDPR
- Right to erasure according to Article 17 GDPR
- Right to restriction of processing according to Article 18 GDPR
- Right to data portability according to Article 20 GDPR
- Right of objection according to Article 21 GDPR
- Right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR
- Right to withdraw your consent at any time under Article 7 (3) GDPR.
You may exercise these rights in accordance with the legal provisions. In the case of the right to information/access and the right to erasure, the restrictions of Sections 34 and 35 German Federal Data Protection Law (BDSG) also apply.
2. Right to information/access (Article 15 GDPR)
You may request information regarding whether we have stored personal data about you. If you wish, we will also inform you about what data is concerned, for what purposes the data is processed, to whom this data is or has been disclosed, how long the data is stored and what other rights you have with regard to this data.
3. Withdrawal of consent (Article 7 (3) GDPR)
In the exceptional event that a data processing should take place on the basis of your voluntary consent (Article 6 (1) letter a GDPR), you have the right to withdraw your consent at any time with effect for the future.
4. Right of objection (Article 21 GDPR)
What right do you have in the event of data processing based on our legitimate interest?
Pursuant to Article 21 (1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, against the processing of your personal data which is carried out on the basis of Article 6 (1) letter e GDPR (data processing in the public interest) or on the basis of Article 6 (1) letter f GDPR (data processing necessary for the purposes of legitimate interests). This also applies to profiling based on this provision.
In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
5. Further rights
In addition, you have the right to rectification of incorrect data (Article 16 GDPR) or to the erasure of your data (Article 17 GDPR). If no legitimate reason for further storage exists, we will delete your data, otherwise restrict the processing (Article 18 GDPR).
In accordance with Article 20 GDPR, you may also request that we hand over any personal data that you have provided to us in a structured, commonly used and machine-readable format either to you or to a person or company of your choice.
6. Right to lodge a complaint with a supervisory authority
Furthermore, you have the right to lodge a complaint with the competent data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG) if you are of the opinion that data processing carried out by us violates data protection regulations.
7. Exercise of your rights
In order to exercise your aforementioned rights, please contact:
Rheinmetall AG
Rheinmetall Procurement Suite
Rheinmetall Platz 1
40476 Düsseldorf, Germany
procurement-portal.ag@rheinmetall.com
VII. Changes to this Privacy Statement / Other
If the purpose or the way of processing your personal data changes significantly, we will update this Privacy Statement in due time and inform you appropriately about the changes.
The terms used herein are not gender-specific.
Status of this data protection information: 19 January 2023