Data protection information to our suppliers, service providers, business partners and interested parties

Translation, German version shall always prevail in case of doubt.

We, the tmax Germany GmbH, are committed to protect and comply with the applicable data protection laws, in particular the EU General Data Protection Directive („GDPR“) and  the Federal Data Protection Act (“BDSG”). This means, we only process your personal data if permitted by a legal regulation or the person concerned has declared consent.

In this data protection information, we explain which information (inclusively personal data) are processed, stored or used for the purposes of initiation and carrying out of contract and delivering agreements including orders, deliveries, payments, vendor rating and evaluations, risk analyses and possible complaints, guarantee or product liability. Please also inform within your organization the persons who are included in the business relations with us („contact person “) about this data protection information.

1. Responsibility for data processing and data protection officer
Responsible according to the EU General Data Protection Directive (GDPR), other applicable data protection laws and regulations within the European Union and its member states is:

tmax Germany GmbH
Ölhafenstrasse 20-28
68169 Mannheim
Phone: +49 621 322 35 100

Any reference to "we" or "us" in this data protection information is a reference to the aforementioned entity.

The data protection officer in charge for the aforementioned entity is:

Mr. Roland Mons

C-etra UG (haftungsbeschränkt) zukünftig UG
Theodor-Heuss-Anlage 12  | 68165 Mannheim


Telefon: +49 (0) 621 – 911 090 80
Telefax: +49 (0) 621 – 911 090 81

Every person concerned can consult directly with our data protection officer in case of all questions and suggestions to the protection of data privacy at any time. 

2. Scope of data being processed
The initiation, execution and care of our business relations requires the processing of data of our suppliers, service providers, business partners and interested parties. As far as these data allow conclusions on an individual person it is considered personal data (e.g., if you get into business relations with us as a sole proprietor). Independently of the legal form of your organization, we process data of the contact persons among our contracting parties.
We process certain general data concerning our business partners, its contact persons and our business relationship. Included are in particular:

  • all information which was communicated to us at initiation or settlement of the business relationship or which we asked for of our business partner or a contact person (e.g. names, address, e-mail, phone number and other contact data); as well as
  • those data which we have recorded in connection with the initiation or settlement of the business relations among us (like particularly the details of the agreed-on contracts);

Furthermore, we process personal data which arise or are updated during our business relations and which, if necessary, go beyond a bare change of master data. In particular:

  • Information about the performed or commissioned services based on contracts and commissioning;
  • Information about our performed or commissioned services based on contracts and commissioning;
  • Information, with which our contracting party or a contact person provides us during either the active business relations' or on an inquiry from us;
  • personal data which we receive in another way of our contracting party, a contact person or of third parties during our business relations;

On the legally permitted scale we can save also personal data of third parties. E.g. data of credit agencies as part of the economic situation checks of our contracting partners if this is required to the judgement of economic risks, such as delivery or payment failures.

The correspondence with our business partners is carried out on all usual communication channels like e.g. letter, e-mail, telefax, telephone and all relevant information about the business initiation and execution are exchanged via these channels. Especially data related to business performance, project communication, offers, orders, order confirmations, contracts, meeting minutes, protocols, agendas and other kind of information is exchanged and archived for possible questions.

3. Purposes and legal basis for the processing of personal data
The processing of data for the execution and care of the existing contracts and commissioning or for the execution of pre-contractual measures is carried out based on article 6 paragraph 1 b) GDPR. 

We can process data also for the fulfilment of legal obligations to which we are subject; this is carried out based on article 6 paragraph 1 c) GDPR. Particularly to these obligations belong required reports to (tax-) authorities or other state authorities.

Independently of the legal form of our contracting party, we process data with reference to one or several contact persons for the preservation of our vital interest at the initiation, execution and care of the business relations on basis of article 6 paragraph 1 f) GDPR.  Furthermore, beyond data concerning the execution of concluded contracts and the fulfilment of legal obligations, we process data for the preservation of our legitimate interests or legitimate interests of third parties.
Part of our vital interests are: 

  • Company-wide processes to the internal administration of our business partner data
  • the inquiry of economic risks, such as delivery and payment failures and complaints in connection with our business relations;
  • the assertion of legal claims and the defense at legal disputes;
  • the prevention and enlightenment of criminal offences;
  • the control and further development of our business activity including risk controlling

As far as we give an individual person the possibility to consent to the processing of personal data, we process the data covered by the consent for the purposes mentioned in the consent; this is carried out based on article 6 paragraph 1 a) GDPR.
Please consider, that

  • your consent is voluntary;
  • not granting or later revocation of the consent can lead to consequences about which we inform before not granting or revocation of the consent and
  • a consent can be revoked with effect for the future at any time, e.g. via letter, fax, e-mail to a contact mentioned in chapter “1. Responsibility for data processing and data protection officer

4. Obligation to the provision of personal data
The provision of the data mentioned in chapter „2. Scope of data being processed“, is required for the initiation and execution of the business relations with our contracting partners, as far as not shown off particularly differently by us at the collection of data. Without the provision of these data we cannot initiate a business relationship or carry out any business with you.

If we impose furthermore personal data, we inform at the collection, whether the provision of this information is legally or by contract specified or required for the conclusion of a contract.

5. Passing on of personal data
In principle, personal data are processed within our company. Depending on the nature of the personal data only certain departments/organizational Units have access to personal data. Particularly included are the purchasing department, design and engineering, quality assurance, human resources, finance, and controlling, project management, workers‘ council (in case of legal obligations to disclose information)  and – in case data are processed via our IT Infrastructure – in a certain scale also the IT department. Through user roles and an authorization concept the access is restricted to those functions and scope which is required for the respective purpose of the processing within our enterprise. 

We can transmit personal data on a legally permitted scale also to third parties outside our company. External recipients can be in particular

  • connected enterprises within the tegimus holding GmbH to which we transmit personal data for internal administration purposes;
  • service providers contracted by us, executing services for us on a separate contractual basis for the fulfilment of contract and delivery obligations which can also include the processing of personal data. These can be for example banking institutions, payment service providers, data processing services, inbound/outbound transportation service providers, customs broker, as well as subcontractors used by our service providers with our consent;
  • non-public and public institutions, as far as we are obliged due to legal requirements to the transmission of your personal data such as the tax office;
  • transmissions to third parties to the fulfilment of commercial and tax law obligations, e.g. tax consultants and external auditors relating to taxation law.

At the initiation or during our business relation we, in principle, do not use an automated decision making (including profiling) according to Article 22 GDPR. If we use such methods in individual cases in the future, we will inform persons concerned about it on the legally scale separately.

6. Data transfer to countries outside of the EU / European Economic Area (EEA)
A data transfer to a country outside of the European Union which is not treaty state of the agreement on the European Economic Area (EEA) is only carried out if this data transmission is required for the initiation or fulfillment of business relations (e.g., deliveries to a third country or communication and initiation of business relations with or for another entity of the tegimus holding GmbH).

Before such a transmission we make sure that the required adequate data protection level is ensured in the respective third country or with the recipient in the third country. This can particularly arise from a so-called „adequacy decision” of the European Commission, with which an adequate data protection level altogether is stated for a certain third country. Alternatively, we can support the data transmission also on so-called „EU standard contract clauses “, agreed on with a recipient or - in the case of recipients in the USA - on the compliance with the principles of the “EU-US Privacy Shield.

Further information about suitable and adequate guarantees for the compliance with an adequate data protection level can be provided upon request; the contact information on inquiries can be found in chapter “1. Responsibility for data processing and data protection officer” of this document. Information about the participants of the EU-US Privacy Shield can be found here:

7. Storage periods of personal data
We store personal data in general as long as we have a vital and justified interest in the retention of such data and the interest of the person concerned in refraining from the further processing do not prevail. 

Even without a justified interest, we may continue to store the data if there is a legal obligation (e.g. to comply with statutory retention obligations). We delete personal data even without an action by person concerned as soon as further retention is no longer necessary for the purposes for which the data were collected or otherwise processed or if further retention is not permitted by law otherwise.

In general, master data and the additional data collected during our business relationship are stored at least until the end of the respective business relationship. The data are deleted in any case if the purposes for the collection or processing were achieved. This point in time may be after the end of the business relationship with us.
If personal data need to be stored to comply with a legal obligation, such data is retained until the end of the respective retention period based on article 6 paragraph 1 c) GDPR. If personal data are only processed to comply with a statutory retention obligation, the access to such data is usually restricted so that the data are only accessible if needed for the purpose of the retention obligation.

8. Rights of persons concerned
A person concerned has the right to

  • get information about his/her personal data, acc. Article 15 GDPR;
  • rectification of incorrect personal data, acc. Article 16 GDPR;
  • complete deletion of his/her personal data, acc. Article 17 GDPR;
  • restriction of the processing of his/her personal data, acc. Article 18 GDPR;
  • data transmission of his/her personal data, acc. Article 20 GDPR, and
  • contradiction towards the processing of his/her personal data, acc. Article 21 GDPR.

For the exercise of these rights a person concerned can consult us - e.g. through one of the contacts provided in the chapter “1. Responsibility for data processing and data protection officer” at any time.

In addition, a person concerned is entitled to raise a complaint regarding the handling of personal data with the competent supervisory authority according to Article 77 GDPR.