Privacy Notice
Information Regarding Data Protection for Users of SupplyOn-Services
Version 2.0.1 from Oct. 15, 2020
In connection with the use of the SupplyOn-Services, personal data will be processed both from you as a user and from other persons involved in the delivery of the SupplyOn-Services. These “data subjects”, as defined by the GDPR, are for simplification hereinafter referred to as “users”.
The following groups of persons may be considered users of SupplyOn-Services:
- Contact persons (including interested parties) for procurement, sales, technology, administration and finance departments of buyers and suppliers,
- Contact persons for service providers (business partners and other subcontractors of SupplyOn) as well as
- Employees of SupplyOn and affiliated companies.
SupplyOn processes users’ personal data in two different scenarios:
A) For SupplyOn’s own purposes, to operate, advertise or distribute the SupplyOn-Services.
B) On behalf of buyers, who use the SupplyOn-Services to manage processes with their suppliers.
You can use the following methods to obtain information regarding which buyer is responsible for your case after logging into the SupplyOn Portal:
- If your company is registered with SupplyOn as a supplier, your user administrator can see which buyer your company cooperates with via the menu options Administration –> Contract and Invoice –> Connect-Overview. You may access the user administrator responsible for your company via the menu options Administration –> My user administrator.
- If you are a user of SupplyOn-Services and work for a buyer, this buyer is responsible.
- If you are an unregistered supplier you can view the responsible buyer using the corresponding link to your business transaction, which you should have received from SupplyOn via e-mail.
Alternatively, please send your request, to determine the responsible buyer, to datenschutz@supplyon.com. Please note that in order to process the legitimacy of your request, we must verify your identity and will request further information. However, we will never ask you for your user password.
The following information regarding the protection of personal data being processed should therefore be understood in relation to the relevant scenario of each case.
1. Name and Contact Details of the Controller
A) For SupplyOn’s own purposes
If you are a user of the SupplyOn-Services for SupplyOn directly or for a service provider, then SupplyOn is the controller responsible for processing your data:
SupplyOn AG
Ludwigstrasse 49
85399 Hallbergmoos
Telephone: +49 811 99997 0
E-Mail: datenschutz@supplyon.com
B) Processing on behalf of Buyers
As a user of SupplyOn-Services, you can either work for a buyer or for a supplier. A supplier is always associated with at least one buyer at SupplyOn. In this case, the buyer is responsible for the processing of your personal data, for which SupplyOn has been commissioned to work for in accordance with the instructions given by the buyer.
2. Contact Details for the Controller’s Data Protection Officer
A) For SupplyOn’s own purposes
SupplyOn’s Data Protection Officer is
datenschutz süd GmbH
Wörthstraße 15
97082 Würzburg
Telephone: +49 931 304976 0
E-Mail: datenschutz@supplyon.com
B) Processing on behalf of Buyers
As a user of SupplyOn-Services, you can either work for a buyer or for a supplier. A supplier is always associated with at least one buyer at SupplyOn. SupplyOn is a processor working under the instructions of buyers, therefore, we will respond to any requests for information sent to datenschutz@supplyon.com by providing the contact details of the data protection officer of the buyer responsible for the personal data in question. Alternatively, you may contact the buyer directly at any time.
3. Purposes of Processing & Legal Basis
A) For SupplyOn’s own purposes
Your personal data will be processed by SupplyOn for its own purposes.
As a user of SupplyOn-Services, we initially process your personal data, in connection with the use of the SupplyOn Platform, for the purpose of contract processing. This finds its legal basis in Art. 6 para. 1 lit. b GDPR in connection with the applicable terms and conditions for SupplyOn-Services. During the registration process, you as a user of SupplyOn-Services will be requested to provide the following registration data, which will be stored by SupplyOn and used as described below:
- Business contact data of the contact person for SupplyOn-Services in your company (Company Administrator),
- Contract data, i.e. inventory data, which is necessary for the establishment, content or modification of the contractual relationship regarding the use of SupplyOn-Services, and
- Company profile data, i.e. data that you as a user enter about your company, as a customer of SupplyOn-Services, to introduce your company, its products and services.
During the use of SupplyOn-Services, SupplyOn stores and uses the following data from you, the user, and your company (customer):
- Your business contact details
- login data, i.e. customer identification, user name, password or other registration details,
- Transaction data, i.e. data that is automatically recorded as electronic log files when SupplyOn-Services are used, and
- Business data, i.e. data that a customer transmits to another customer when using the SupplyOn-Services.
This includes, in particular, the following processing steps:
- Granting the right of use for the contractually agreed SupplyOn-Services,
- Identification of users and disclosure of personal data of existing users in order to enable the allocation of newly registered customers to previously registered affiliated companies,
- Sending information about product features or service availability, application notifications, and communication with customer support,
- Facilitation of the establishment of contact between buyers and suppliers by providing and transmitting the data and information relevant for a potential business relationship, in particular by notifying buyers which suppliers are registered for which SupplyOn-Service, as well as the contact details of relevant contact persons for the possible initiation of a contract for the use of (further) SupplyOn-Services,
- Promoting the business relationship between a buyer and a seller by passing on information, to the buyer, regarding the contractual relationship between SupplyOn and the seller (such as changing the relevant contact persons, contract status, activation, or impending deactivation due to non-payment) and which is relevant to the relationship between a buyer and a seller
If you decide to pay by credit card, we process the necessary data to process the payment on the basis of Art. 6 para. 1lit. b GDPR. Your bank data will not be collected by SupplyOn, but exclusively via a payment service provider whose service is directly integrated into our payment page. SupplyOn has no access to your bank data. If you require more information about the processing of your data processed for payment purposes, please click on the following link: https://www.evopayments.eu/datenschutz/.
As a registered user, you have the ability to be informed, depending on your own area of interests, about certain services provided by SupplyOn (through subscribing to newsletters or receiving invitations to surveys). You decide voluntarily about the scope. The legal basis for this is explicit consent in accordance with Art. 6 para. 1 lit. a and Art. 7 GDPR in conjunction with § 7 para. 2 UWG. You can manage these services at any time and, if necessary, adjust or revoke previously given consent. You can view your personal services after logging in to the SupplyOn-Portal via the menu options Administration –> My User –> Privacy Settings.
If you are interested in SupplyOn-Services you may contact us via the contact form on our website or order our newsletter. All necessary information regarding these services can be found in this document, in the corresponding sections above.
B) Processing on behalf of Buyers
Your personal data as a user is processed on behalf of a buyer in order to enable you to use the SupplyOn-Services as Software-as-a-Service (SaaS). This includes in particular the rollout of the SupplyOn-Services, the operation of the SupplyOn-Services as well as training and support when using the SupplyOn-Services. SupplyOn processes your personal data on behalf of the buyer in accordance with the conditions laid out in a commissioned data processing agreement pursuant to Art. 28 GDPR.
The use of SupplyOn-Services, for you as a contact person or employee of a buyer, finds its legal basis in Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sent. 1 FDPA-new and requires your employer to fulfill the obligations from your respective employment relationship.
4. Recipients of data and involvement of service providers located outside the EU/EEA
A) For SupplyOn’s own purposes
Your personal data, as a user, may be passed on to service providers in connection with the use of certain SupplyOn-Services. These service providers will either act in strict accordance with our instructions within the framework of a commissioned data processing agreement pursuant to Art. 28 GDPR and we will transmit your personal data on a legal basis pursuant to Art. 6 para. 1 GDPR. Insofar as the service providers providing support have their headquarters outside the EU/EEA, we have ensured the legality of the data transfer by means of suitable guarantees (e.g. by means of EU standard contractual clauses in accordance with Art. 46 para. 2 lit. c GDPR)
B) Processing on behalf of Buyers
In connection with providing SupplyOn Services on behalf of a buyer (as a commissioned SaaS service), SupplyOn is the primary recipient of your personal data.
Your personal data will not be passed on to third parties by SupplyOn without documented instructions from the buyer, unless there is a legal obligation to do so under relevant legal provisions.
Your personal data will be passed on to external service providers (business partners and other subcontractors) within the scope of SupplyOn-Services, depending on the scope of the agreement involved. These service providers support us in data processing within the scope of a commissioned data processing agreement and are strictly bound by instructions pursuant to Art. 28 GDPR. If the service providers are located outside the EU/EEA, SupplyOn has ensured the legality of the data transfer by means of suitable guarantees (e.g. by EU standard contractual clauses according to Art. 46 para. 2 lit. c GDPR). Upon request, we will provide you with an overview of the service providers relevant to your case.
5. Criteria for the Erasure of Data
A) For SupplyOn’s own purposes
As soon as consent is limited or completely revoked regarding the receipt of information about SupplyOn Services, SupplyOn restricts the use of users’ personal data.
In addition, SupplyOn processes users’ personal data for the purpose of processing a contract only as long as the underlying contractual relationship exists.
Furthermore, as soon as you are no longer registered as a user (e.g. termination of the contract between SupplyOn and the company for which you work), SupplyOn deletes your personal data which was being used for the purpose of informing you about SupplyOn-Services.
This only applies if there are no legal obligations on SupplyOn’s part to retain the data, preventing such deletion. In this case a restriction of processing takes the place of deletion.
B) Processing on behalf of Buyers
SupplyOn deletes users’ personal data on the instructions of the buyer and upon termination of the contract between SupplyOn and the buyer or the corresponding supplier, provided that SupplyOn does not have any legal obligation to store the data, preventing such deletion. In this case, a restriction of processing takes place instead of deletion.
6. Existing Rights: Access, Rectification, Erasure, Restriction, Objection, Data Portability, Complaint to a Supervisory Authority
Regardless of which company is specifically responsible for the processing of your data, you are entitled to various rights as a data subjects, which we would like to explain to you below.
Data subjects have the right to be informed by the controller about the personal data concerning them and to have incorrect data corrected or deleted, if one of the reasons stated in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued. You have also the right to limit the processing if one of the conditions mentioned in Art. 18 GDPR is present and in the cases of Art. 20 GDPR the right to transfer data. If data is collected on the basis of Art. 6 para. 1 lit. e (data processing for the fulfilment of official tasks or the protection of the public interest) or lit. f (data processing to pursue legitimate interests), the data subject has the right to object to the processing at any time for reasons arising from his/her particular situation. We will then no longer process the personal data unless there are verifiable compelling grounds for processing worthy of protection which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend a legal claim.
Furthermore, any data subject shall have the right to complain to a supervisory authority if he or she considers that the processing of data concerning him or her is in breach of data protection provisions. In particular, the right of appeal may be exercised before a supervisory authority in the Member State in which the data subject is residing or in which the alleged infringement took place. The competent supervisory authority for SupplyOn is the Bayerisches Landesamt für Datenschutzaufsicht, Promenade 27 (Schloss), 91522 Ansbach, Germany.
To exercise your rights as a data subject, please contact the relevant controller. We will be happy to support you! You will find the necessary information for making contact in this document in the section “Contact Details for the Controller’s Data Protection Officer”.
7. Consequences of Not Providing Personal Data
Regardless of which company is responsible for the processing of your personal data, the following applies:
The disclosure of your personal data is neither required by law, nor by contract, nor is it necessary to conclude a contract. As a user of SupplyOn-services, you are not obligated to provide your personal data. The consequences of not providing your personal data are that you cannot register for or use the SupplyOn Services.