1. Subject of this data protection notice
The protection of your personal data is a major and very important concern for us and is taken into account in all our business processes. Personal data means any information relating to an identified or identifiable natural person.
In the following, we would therefore like to inform you with a detailed overview of the processing of your personal data regarding IONITY’s tender process and contracts IONITY has concluded with suppliers.
Furthermore, we would like to inform you about the rights you are entitled to and the technical and organisational protective measures we have taken with regard to the processing of your data.
This data protection notice applies to (potential) suppliers and their contact persons during and after the tender process.
2. Name and address of the data controller and service provider
Responsible data controller according to Art. 4 (7) General Data Protection Regulation (“GDPR”) in terms of the basic data protection regulation (GDPR) and at the same time service provider in terms of Section 5 the of the German Telemedia Act (“Telemediengesetz” -TMG) is
Moosacher Strasse 84
D-80809 Munich, Germany
See our imprint for further details.
If you have any questions or comments about this protection policy or about data protection in general you can contact our data protection officer as follows:
Data Protection Officer
Moosacher Strasse 84
D-80809 Munich, Germany
3. Collection and use of data
We only process personal data where this is necessary and in accordance with the principles of data minimisation and purpose limitation. Therefore, following personal data categories will be collected:
a. General data from the business relationship
- Business and Contact data (e.g. name, business email address, name of the company, business address, phone number, position in your company, other data about your company)
- Data about the joint project (e.g. correspondence or other communication between you and IONITY, details about the joint project)
- Invoice data of the company (e.g. name of the invoiced party, registration number, IBAN, bank name, VAT ID, currency, DUNS number
b. Data from other sources
As far as it is necessary for the fulfilment of the contract or pre-contractual measures or if you have consented to it, we also process personal data (business and contact data) that we have permissibly received from other third parties.
4. Purpose and legal basis of the data processing
a. Collection and processing in the context of the fulfilment of contractual obligations
We process personal data in the context of the fulfilment of our contractual obligations und invoicing purposes (Article 6 (1) (b) GDPR).
b. Processing on the basis of a legitimate interest
We process your personal data if it is necessary to protect legitimate interests of IONITY or a third party (Article 6 (1) (f) GDPR). In detail:
- For the fulfilment of contractual obligations, e.g. in order to contact you,
- For the enforcement of legal claims and defence in legal disputes,
- To ensure IT security and IT operations,
- For accounting purposes,
- For risk management purposes.
c. Collection and processing based on your consent
In addition, your personal data will be collected and processed if you have agreed to this (Article 6 (1) (a) GDPR). This also includes optional data you provided during the tender or onboarding process.
5. Service providers and data transfer to third parties
In order to fulfil the aforementioned purposes, your personal data may be passed on to service providers supporting us (e.g. IT service provider), which we have carefully selected and commissioned in writing according to the requirements of the GDPR. These service providers are bound by our instructions and are regularly monitored by us.
Categories of recipients:
- Procurement software provider
- IT service provider
Your data will otherwise only be passed on to other third parties if this data protection declaration expressly refers to this or if we are legally obliged to transfer personal data.
6. Data transfers to third countries
We also transfer your data to service providers who are located in third countries or have access to your personal data from there. These data transfers have an adequate level of data protection according to Art. 45 (1) or Art. 46 (2) (c) GDPR. Our service providers in third countries are bound by our instructions and are regularly monitored by us.
7. Automated decision-making
No automated decision-making takes place.
8. Deletion of personal data
a. Tender process
We process your personal data only as long as we need it for the tender process and have to retain it for compliance purposes. After this period, we will delete your personal data.
b. Contractual data
If you are selected as supplier we will store your personal data as long as we need them for the fulfilment of contractual or legal obligations. Depending on the document we have to retain some data for up to 10 years due to legal retention periods in commercial and tax law. After this period, we will delete your personal data.
9. Your rights
You have the right to ask us to confirm whether personal data concerning you is being processed; if this is the case, you have the right to obtain information about this personal data and the information specified in Art. 15 of the GDPR.
You have the right to demand that we correct incorrect personal data relating to you without delay and, if necessary, complete incomplete personal data (Art. 16 GDPR).
You have the right to demand from us that personal data concerning you be deleted immediately if one of the reasons listed in Art. 17 GDPR applies in detail, e.g. if the data is no longer required for the purposes pursued (right to deletion).
You have the right to request us to restrict processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection to processing, for the duration of the examination by us.
You have the right to object at any time to the processing of personal data concerning you for the purposes of direct marketing. You also have the right to object at any time to processing operations carried out pursuant to Article 6 (1) (e) or (f) GDPR for reasons arising from your particular situation (Article 21 GDPR). We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
You have the right to revoke any consent you have given us at any time with effect for the future (right of revocation).
You have the right to receive from us the data concerning you which you have provided us with in a structured, common and machine-readable format. You may also transmit this data to other bodies or have it transmitted by us (right to data transferability).
To exercise your rights, please contact: firstname.lastname@example.org.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you is in breach of the GDPR (Art. 77 DPA).
In Bavaria the competent supervisory authority is Bavarian State Office for Data Protection Supervision, Postfach 606, 91511 Ansbach, www.lda.bayern.de.
10. Version and updates of this data protection statement