Information for customers and service providers in accordance with the EU General Data Protection Regulation (GDPR)


Applicable to customers, interested parties, suppliers as well as distribution and cooperation partners of the pmd group (hereinafter referred to as "pmd"). The following information is intended to give you an overview of how we process your personal data and what your rights are under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The processing of specific data depends largely on the products or services you have requested or contracted.

1. Responsible for data processing (controller)

pmdtechnologies ag
Martinshardt 19
57074 Siegen
Telephone +49 271 238 71-2800
Fax +49 271 238 71-2809

2. Appointed data protection officer of the controller

Mr. Arndt Halbach
Wetterauer Str. 6
42897 Remscheid
Telephone +49 (0) 2191 909 / 430


3. Data and services

a) Sources
We process personal data that we receive from you in the context of our business relationship. In addition, to the extent necessary for the provision of our products and services, we process personal data we have legitimately received from other subsidiaries of the ifm group or other third parties (e.g. for execution of orders and contracts or on the basis of your given consent). We also process personal data which we have legitimately obtained from publicly accessible sources (e.g. trade and association registers, press, media, Internet) and which we are allowed to process.

b) Categories of personal data
The following personal data may be collected, processed and stored in the course of establishing a business relationship or when creating master data: address and communication data (name, address, telephone, email address, other contact data), personal master data (date of birth / place of birth, gender, nationality, marital status, legal capacity, occupational group code, identification data (e.g. ID data), authentication data (e.g. signature sample), tax ID. When using products and services within the scope of the contracts concluded with us, the following personal data may be collected, processed and stored in addition to the aforementioned data: contract master data (order data, data from the fulfilment of our contractual obligations, information on any third-party beneficiaries), billing, service and payment data (direct debit data, tax information, other personal master data (profession, employer), documentation data (e.g. logs), product data (e.g. requested or booked services and products) as well as the following business credit documentation: net income statements, balance sheets, business assessment, type and duration of self-employment.

c) Customer contact information
As part of the business initiation phase and during the business relationship, further personal data is generated, in particular through personal, telephone or written contacts initiated by you or by pmd. This may include information about the contact channel, date, occasion and outcome, (electronic) copies of correspondence and information on participation in direct marketing activities.

d) Information society services
When processing data in the context of information society services, you will receive more information on data protection in connection with the relevant service.


4. Purpose and legal basis of the processing

We process the personal data mentioned under 3. in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG):

a) To fulfil contractual obligations (Art. 6(1) (b) GDPR)
Personal data are processed to establish, perform and terminate a contract concerning the provision of products or services and to execute pre-contractual activities for the preparation of offers, contracts or other activities for conclusion of the contract performed at your request. The purposes of data processing are based primarily on the specific products and services and may include, but are not limited to, needs analyses, consulting and support. Further details on the purpose of data processing can be found in the respective (also pre-contractual) contract documents of our cooperation. Interested parties may be contacted taking into account any restrictions expressed during the initiation of the contract, and customers, suppliers and distribution and cooperation partners during the business relationship using the data they have provided.

b) On the basis of your consent (Article 6(1) a) GDPR)
If you have given us your consent to process your personal data for specific purposes (e.g. forwarding of data within the group), the lawfulness of such processing is based on your consent. You may revoke your consent at any time. This also applies to declarations of consent issued to us prior to the entry into force of the EU General Data Protection Regulation, i.e., before 25 May 2018. Please be advised that the revocation shall only have effect for the future. Any processing that was carried out prior to the revocation shall not be affected thereby. You can request a status overview of the declarations of consent you have granted us at any time.

c) To comply with legal requirements (Article 6(1) c) GDPR) or in the public interest (Article 6(1) e) GDPR)
We are subject to various legal obligations and statutory requirements and process data for purposes including: identity and age checks, the fulfilment of tax control and reporting obligations as well as the evaluation and management of risks within the company.

d) To reconcile interests (Article 6(1) f) GDPR)
To the extent necessary, we process your data beyond the actual fulfilment of the contract to protect the legitimate interests pursued by us or by a third party. Examples:


  • review and optimisation of procedures for requirements analyses and for direct customer contacts including customer segmentation and calculation of the probability of closure;
  • advertising or market research and polling, as long as you have not objected to the use of your data
  • assertion of legal claims and defence in legal disputes;
  • ensuring IT security and operations;
  • consultation and data exchange with credit agencies for the identification of credit and default risks;
  • crime prevention;
  • video surveillance of our premises, collection of evidence in case of crimes;
  • measures for building and facility security (e.g. access controls);
  • measures to protect domiciliary rights;
  • measures for business management and the further development of services and products;
  • risk management in the group.


5. Recipients of the data

Within pmd, only those entities are given access to your data which require them in order to perform our contractual and statutory obligations. Our service providers may also receive data for these purposes if they comply with our written instructions under data protection law. With respect to transferring data to recipients outside of pmd, it is important to note that we are obliged to maintain secrecy about all customer-related information of which we obtain knowledge. We may only disclose information about you if we are legally required to do so, if you have given your consent and / or if processors commissioned by us guarantee compliance with the provisions of the GDPR / BDSG. Under these conditions, recipients of personal data may be, for example:

  • public authorities and institutions insofar as a statutory or official obligation exists;
  • processors to whom we transfer personal data in order to perform the business relationship with you. Specifically: support/maintenance of EDP/IT applications, archiving, document processing, call centre services, compliance services, controlling, data destruction, purchasing/procurement, area management, collection, customer administration, letter shops, marketing, media technology, reporting, research, risk controlling, expense accounting, telephone services, video legitimation, website management, audit services, payment transactions.

Other recipients of data may be those entities to which you have given your consent to the transfer of data.

6. Transfer of data to third countries or to international organisations

Data will only be transferred to countries outside the EU or the EEA (so-called third countries) if this is required for the execution of your orders, prescribed by law (e.g. reporting obligations under tax law), if you have given us your consent or in the context of contract data processing on behalf. If service providers in a third country are used, they are obligated to comply with the data protection level in Europe in addition to written instructions by agreement of the EU standard contractual clauses.

7. Duration of data storage

We process and store your personal data as long as it is necessary for the performance of our contractual and statutory obligations. If the data are no longer required for the performance of our contractual and statutory obligations, they are regularly deleted, unless their further processing (for a limited time) is necessary for the following purposes:

  • fulfilment of commercial and tax retention periods in accordance with section 257 of the German Commercial Code (HGB) and the German Tax Code (Abgabenordnung) with the periods for retention or documentation of two to ten years stipulated therein.
  • preservation of evidence within the scope of statutes of limitations. According to sections 195 et seq. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

8. Data protection rights of the data subject

Every data subject has a right of access (Article 15 GDPR), a right to rectification (Article 16 GDPR), a right to erasure (Article 17 GDPR), a right to restriction of processing (Article 18 GDPR), a right to object (Article 21 GDPR) and a right to data portability (Article 20 GDPR). The right of access and the right to erasure are subject to the restrictions under sections 34 and 35 BDSG. Data subjects also have a right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with section 19 BDSG). You may revoke your consent to the processing of personal data at any time. This also applies to declarations of consent issued to us prior to the entry into force of the EU General Data Protection Regulation, i.e., before 25 May 2018. The revocation of consent does not affect the lawfulness of the consent-based processing that occurred up to the revocation.


9. Obligation to provide data

Within the scope of our business relationship, you must provide the personal data which are necessary for the initiation and execution of the business relationship and the performance of the associated contractual obligations or which we are legally obligated to collect. As a rule, we have to refuse to conclude the contract or provide the products and services without these data or may no longer be able to carry out an existing contract and would have to terminate it.


10. Automated decision-making

We generally do not use fully automated decision-making pursuant to Article 22 of the GDPR to initiate and implement the business relationship. Should we use these procedures in individual cases, we will inform you separately if required by law.


Information on your right to object under Article 21 of the EU General Data Protection Regulation (GDPR)

1. Ad hoc right to objectYou have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1) e) GDPR (processing in the public interest) and Article 6(1) f) GDPR (processing for the purposes of safeguarding legitimate interests); this includes any profiling based on those provisions within the meaning of Article 4(4) GDPR. If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the establishment, exercise or defence of legal claims.

2. Right to object to the processing of data for marketing purposesIn certain cases, we process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning yourself for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, we will no longer processes your personal data for such purposes. There are no formal requirements for lodging an objection with the controller.


As of: June 2020