Data protection information for business partners

pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR)

For reasons of better readability only, the simultaneous use of the language forms male, female and diverse (m/f/d) is dispensed with. All personal designations apply equally to all genders.

Preliminary remark

With this data protection information, we, e-mobilio GmbH (hereinafter also referred to as "e-mobilio", "we" or "us"), inform our business partners about the processing of their personal data and the rights to which they are entitled as data subjects under the data protection regulations.

With regard to the processing of personal data, the data subjects of our data processing activities and addressees of this data protection information are in particular the employees of our (potential) business partners, our (potential) project, cooperation and contractual partners, our (potential) service providers, suppliers and other companies that interact with us (hereinafter also referred to as "business partners" or "data subjects")

Personal data that e-mobilio processes on behalf of a controller is not part of this data protection information.

1. Controller for data processing & data protection officer

1.1 Joint controllers for data processing are

Controller A
Name: e-mobilio GmbH
Address: Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@e-mobilio.de
Phone: +49 89 25555560

Managing Directors: Ralph Missy, Denis Reichel

Responsible B

Name: co2.auto GmbH
Address: Gisela-Stein-Str. 21, 81671 Munich
E-mail: info@co2.auto
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

Name: co2.auto GmbH Branch Office Austria
Address: Simmeringer Hauptstraße 24, 1110 Vienna
E-mail: info@co2-auto.at
Phone: +49 89 77997933

Managing directors: Ralph Missy, Denis Reichel

1.2 Data protection officer

Responsible person A

You can reach our data protection officer using the following contact details

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@e-mobilio.de

Responsible person B

You can reach our data protection officer using the following contact details

Name: Lutz Mönig, i. H. Pohl Consulting Team GmbH
Address: Mengeringhäuser Str. 15, 34454 Bad Arolsen
E-mail: datenschutz@co2.auto

If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can contact our management or the supervisory authority responsible for us below:

Bavarian State Office for Data Protection Supervision (BayLDA)
P.O. Box 1349
91504 Ansbach
Telephone: +49 981 180093 0 | e-mail: poststelle@lda.bayern.de

2 Purposes and legal basis of processing
We process personal data in compliance with data protection laws, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

a) On the basis of consent (Art. 6 para. 1 lit. a) GDPR)

If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Consent given can be revoked at any time with effect for the future. This also applies to the revocation of declarations of consent given to us before the GDPR came into force. Please note that the revocation only takes effect for the future; processing that took place before the revocation is not affected.

Processing based on your consent is carried out, for example, to conduct customer surveys, marketing campaigns, market analyses, web tracking, competitions, contests or similar promotions and events or to send newsletters.

We may wish to collect further data from you at a later date or use it in other ways. Should this occur, we will ask for your consent in accordance with Art. 6 para. 1 lit. a in conjunction with Art. 7 GDPR and inform you accordingly. If you give us this consent, it can be revoked informally at any time.

b) In the context of the performance of a contract or in order to take steps prior to entering into a contract (Art. 6 (1) (b) GDPR)

We process your personal data primarily for the establishment, execution and termination of the business relationship, i.e. for the fulfillment of contractual obligations and the provision of the associated services or in the context of a corresponding contract initiation, e.g. for contract negotiations, for the preparation of offers or for electronic payment transactions via e.g. online banking or PayPal for the settlement of liabilities. The specific purposes depend on the respective service or product to which the business relationship or contract initiation relates.

c) For the fulfillment of a legal obligation (Art. 6 para. 1 lit. c) GDPR)

We process your data to fulfill legal obligations, e.g. to fulfill tax control and reporting obligations, to fulfill obligations under corporate, data protection and civil law, in the event of audits by authorities and to comply with statutory retention periods. In addition, the disclosure of personal data may become necessary due to official or judicial measures for the purposes of gathering evidence, criminal prosecution or the enforcement of civil law claims.

d) As part of the balancing of interests (Art. 6 para. 1 lit. f) GDPR)

Where necessary, we process your personal data within our business relationships on the basis of a balancing of interests, according to which processing is permitted if it is necessary to safeguard the legitimate interests of us or third parties and does not outweigh the interests or fundamental rights and freedoms of the data subject that require the protection of personal data. This applies in particular to

• Assertion of legal claims and defense in legal disputes;
• measures to optimize our business processes, such as maintaining a supplier or customer relationship management database
• Measures to ensure operational security and business management;
• Ensuring IT security and IT operations
• Checking creditworthiness via corresponding credit agencies to assess the risk of default in business relationships
• For the limited storage of your data if deletion is not possible or only possible with disproportionate effort due to the special type of storage.
• Internal administrative purposes
• Measures to improve our internal business processes and for product optimization
• Carrying out audits and company controls
• Managing and using customer, supplier and business partner directories

3. Categories of personal data

We mainly process the data that we receive directly from you in connection with the establishment, implementation and/or termination of the business relationship (e.g. as part of a request for a quote, order placement or contractual relationship as well as through other contact via our website, by email or telephone, at trade fairs or comparable events).

If we receive data via a third party (e.g. via a colleague of the data subject who names them as a contact person), we will inform you of the source during the initial communication.

In addition, we process - where necessary - personal data that we legitimately obtain from publicly accessible sources (e.g. commercial and association registers, press, internet) or that are legitimately transmitted to us by companies affiliated with us or by other third parties (e.g. a credit agency).

The personal data processed by us includes

• Personal/contact data (e.g. title, first name, surname, company if applicable, (company) address, (mobile) telephone number, fax, e-mail, profession, position, title, academic degree)
• For office holders: Information on the mandate, commercial register entry, date of birth, private address
• Participation data in internal Group events
• Records of business transactions, business partner history, project details and communication data in connection with correspondence (e-mails, correspondence, telephone calls)
• Contract and billing data (e.g. bank details, credit card information if applicable, tax number/USt ID, invoice data, order data)
• Data from the fulfillment of our contractual obligations (e.g. sales data in payment transactions)
• Identification data (e.g. identity documents) and authentication data (e.g. specimen signature)
• Information about your financial situation (e.g. creditworthiness data)
• Information from publicly available sources and information databases (e.g. extract from the commercial register)
• Marketing information (contact and product preferences)
• Depending on the business purpose, possibly also user IDs for protected areas on systems
• As well as other data comparable to the above categories

4. Recipients or categories of recipients of the personal data

Within our company, only those persons have access to your data who need it to establish, implement and terminate our business relationship or to fulfill our contractual and legal obligations and to carry out our internal processes (e.g. sales, purchasing, logistics, financial accounting). This may also involve several departments in our company, depending on which services or products you purchase from us. Furthermore, our IT department has access to your data exclusively for technical processing.

Service providers and vicarious agents employed by us may also receive data from you for this purpose as part of order processing in accordance with Art. 28 GDPR.

As part of the processing of your orders or for the fulfillment of contracts, it is sometimes necessary for us to transfer certain data to our respective suppliers, manufacturers or distributors based in Germany, other European countries or the European Economic Area. This includes, for example, your surname, your first name and your organizational affiliation as well as your contact details in your organization.

Insofar as electronic payment transactions take place in order to record any payment orders still submitted in paper form on IT media and to process clearing transactions between the credit institutions or payment service providers using the paperless data carrier exchange procedure, the responsible employees/departments in the company (accounting), the responsible financial institution or various payment service providers such as PayPal will receive your data required for this purpose.

Furthermore, your data will be passed on within our affiliated companies as part of a joint responsibility if necessary. Detailed information on this can be found in Appendix 1.

Otherwise, data will only be passed on outside the company if this is required by law or if you have given your consent. For example, we may have to disclose certain data to authorized (public) bodies and institutions such as the tax authorities as part of our legal obligations.

5 Transfers to a third country

In principle, your personal data will only be processed within Germany, the European Union and the European Economic Area ("EEA"), where the provisions of the GDPR apply. As a rule, data is not transferred to countries, states or international organizations outside the EEA ("third country").

However, insofar as one of our service providers or the service providers may also use service providers that have their registered office, parent company or data centers in a third country, e-mobilio may transfer your personal data to a so-called third country in which the GDPR provisions do not apply. In such cases, data will only be transferred to third countries if the conditions of Chapter 5 (Art. 44 - 50) of the GDPR and the other provisions of the GDPR are implemented and complied with.

This applies in particular to the providers of the cloud applications we use for our company-wide communication system and for our CRM system.

Although we ensure that servers within Germany and the EU are used to store the data wherever possible, it cannot be ruled out that your data may be transferred to a third country (e.g. the USA) and processed there in this context.

We have concluded corresponding contracts with all our service providers of this kind and have also contractually agreed that guarantees in accordance with Chapter 5 (Art. 44 - 50) of the GDPR on data protection must always be in place with their contractual partners in compliance with the European level of data protection. We will provide you with a copy of these guarantees on request.

6 Duration of data storage

We process and store your data for as long as it is necessary to fulfill the purposes mentioned in section 2 and as long as it is necessary for the establishment, implementation and termination of our business relationship or for the fulfillment of our (pre-)contractual and legal obligations. It should be noted that many of our business relationships are long-term. If the data is no longer required for these contractual or legal obligations, it is regularly deleted or destroyed, unless its - temporary - further processing is required for the following purposes:

• Fulfillment of retention obligations under commercial and tax law, which may arise, for example, from: German Commercial Code (HGB), German Fiscal Code (AO), German Money Laundering Act (GwG). The retention and documentation periods specified there are generally two to ten years. The retention and documentation periods are, for example, ten years for accounting records and six years for commercial or business letters.
• Preservation of evidence within the framework of the statutory statute of limitations. According to §§ 195 ff of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

If the data processing is carried out in the legitimate interest of us or a third party, the personal data will be deleted as soon as this interest no longer exists and provided that there are no storage and documentation obligations to the contrary.

Personal data collected on the basis of consent will be processed until consent is withdrawn. The withdrawal of consent does not affect the lawfulness of the data processed until the withdrawal.

7 Your rights

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to notification under Art. 19 GDPR and the right to data portability under Art. 20 GDPR.

In addition, you have the right to lodge a complaint with a data protection supervisory authority in accordance with Art. 77 GDPR if you believe that your personal data is being processed unlawfully. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy. The data protection supervisory authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), P.O. Box 1349, 91504 Ansbach, telephone +49 (0) 981 180093-0.

If your personal data is processed on the basis of your consent, you are entitled under Art. 7 GDPR to revoke your consent at any time and without giving reasons for the future. This does not affect processing that took place before you withdrew your consent. Please also note that we may have to retain certain data for a certain period of time in order to comply with legal requirements (see section 6).

Insofar as your personal data is processed in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR to safeguard legitimate interests, you also have the right to object to the processing of this personal data at any time in accordance with Art. 21 GDPR for reasons arising from your particular situation. We will then no longer process this personal data unless there are compelling legitimate grounds for the processing. These must outweigh your interests, rights and freedoms, or the processing must serve the assertion, exercise or defense of legal claims.

To assert your rights or if you have further questions about data processing, you can contact our data protection officer using the contact details provided in section 1 of this data protection information.

8 Voluntary provision of data

The provision of your personal data for the establishment and execution of the business relationship is neither legally nor contractually required, nor are you obliged to provide this data.

However, if you are in a direct business relationship with us, you must provide the personal data that is necessary for the establishment and implementation of a business relationship and the fulfillment of the associated contractual obligations.

Without this data, we will generally have to refuse to conclude the contract or execute the order or will no longer be able to perform an existing contract and may have to terminate it.

If it is a business relationship with a company that you represent, you must provide us with the personal data that is required for the commencement and execution of a representation/authorization and the fulfillment of the associated contractual obligations. Without this data, we will generally have to reject you as an authorized representative/authorized representative or cancel an existing authorization/authorization.

9 Automated decision-making / profiling

We do not use automated decision-making in accordance with Art. 22 GDPR to establish, implement and terminate the business relationship. We also do not use profiling.

Should we use these procedures in individual cases, we will inform you separately about this and about your rights in this regard, insofar as this is required by law.

10. Changes to this data protection information

e-mobilio reserves the right to change this data protection information at any time.

Attachments:

Annex 1: Data protection information on joint responsibility pursuant to Art. 26 para. 2 GDPR

Appendix 1: Data protection information on joint responsibility pursuant to Art. 26 para. 2 GDPR