bg-country-switch

Privacy Notice Customers

Last update: February 26th, 2021

1. Responsible party and contact information

Responsible party:

N.V. Paul HARTMANN S.A.
Avenue Paul Hartmann, 1
B-1480 SAINTES
Tél : +32 (0)2/391 44 44
Fax : +32 (0)2/391 44 45
E-Mail: info@hartmann.be

Contact Data Protection:

N.V. Paul HARTMANN S.A.
Department CFO-DPM / DPO
Avenue Paul Hartmann, 1
B-1480 SAINTES
E-Mail: dataprotection@hartmann.info

2. Legal bases and purposes of data processing

We process your personal data in accordance with the provisions of the GDPR and other applicable data protection regulations. You will find details under the following explanations.

2.1 Purposes in the context of pre-contractual/contractual measures (cf. Art. 6 (1) b GDPR)

We process your personal data in particular for the following purposes:

  • Implementation of registration processes;
  • Fulfilment of contractual obligations and services, memberships;
  • Execution of payment transactions;
  • Delivery of contractually ordered products and services;
  • Transfer of address data to logistics companies for the delivery and collection of goods;
  • Transfer of billing data to billing centres and forwarding to cost units;
  • Transfer to group companies for internal administrative purposes;
  • Sending of interesting information about products and promotions;
  • Forwarding to manufacturers, suppliers and service companies for custom-made products and for instruction and maintenance of the respective product;
  • Business partner due diligence;
  • Customers satisfaction surveys;
  • Obtaining creditworthiness information (e.g. via Creditreform: https://www.creditreform.de/datenschutz).

2.2 Purposes within the scope of legitimate interests of us or third parties (cf. Art. 6 (1) f GDPR)

We process your personal data if it is necessary to protect the legitimate interests of us or third parties, unless there are no overriding interests on your part (including fundamental rights and freedoms) that speak against such processing. Our purpose-oriented interests can be in particular:

  • Statistical evaluations for corporate management;
  • Transfer of data within our corporate group for internal administrative purposes;
  • Exclusive customer information on products and advertising materials;
  • Product training courses;
  • Measures for controlling and optimizing business processes;
  • Measures for the further development of services and products;
  • Testing and optimisation of procedures for demand analysis;
  • Comparison with national as well as European and other international sanctions lists as part of our compliance program to determine critical data (screening), insofar as this goes beyond the legal obligations. The comparison depends to a large extent on the matter in question and the circumstances of the individual case, i.e. on the risk forecast and the safety relevance of the specific activity;
  • Enrichment of our data, e.g. by using or researching publicly available data as far as necessary;
  • Benchmarking;
  • Assertion of legal claims and defence in the event of legal disputes which are not directly attributable to the contractual relationship;
  • Building and plant security, securing and exercising of the right to the building by taking appropriate measures (e.g. access controls) and, if necessary, by video surveillance to protect third parties and our employees and to prevent criminal offences and to secure evidence for the investigation of criminal offences, insofar as this goes beyond the general duty of care;
  • Further development of existing systems and processes;
  • Internal and external investigations, security checks, publications;
  • Obtaining and maintaining certifications of a private or official nature.

2.3 Purposes within the scope of your consent (cf. Art. 6 (1) a and Art. 9 (2) a GDPR)

Your personal data may also be processed for certain purposes (e.g. processing of your health data for providing of medical products) with your consent. You can revoke this consent at any time. This also applies to the revocation of declarations of consent that were issued to us prior to the validity of the GDPR, i.e. before 25 May 2018.

In principle, the revocation of a consent at any time is only effective for the future. Processing that took place before the revocation is not affected and remains legal. In all other respects you are not obliged to grant consent and you will not suffer any legal disadvantages from the refusal of consent..

2.4 Purposes to meet legal requirements (cf. Art. 6 (1) c GDPR or purposes in the public interest (cf. Art. 6 (1) e GDPR)

Like everyone who is involved in the economic process, we are also subject to a variety of legal obligations. These are primarily legal requirements (e.g. Works Constitution Act, Social Security Code, commercial and tax laws, Belgian Fiscal Code), but also, where applicable, regulatory or other official requirements (e.g. employers' liability insurance association). The purposes of the processing may include identity and age verification, fraud and money laundering prevention (e.g. comparison with European and international anti-terrorist lists), company health management and ensuring occupational safety. In addition, the disclosure of personal data may become necessary within the scope of official/judicial measures for the purpose of gathering evidence, criminal prosecution or the enforcement of civil law claims.

3. Categories and origin of the personal data we process

Insofar as it is necessary for the decision on the establishment of a contractual relationship with you, we process, in addition to the personal data received directly from you, any legally obtained personal data from third parties (see Art. 14 GDPR).

We process in particular the following data categories:

  • Stock data (e.g. title, first and last name, title, residential address, country, company address, date of birth, full legal capacity, industry);
  • Contact data (e.g. e-mail address, telephone number fixed/mobile, fax number);
  • Content data (e.g. text input contact form, photographs, videos);
  • Contract data (e.g. subject matter of the contract, duration, customer category, user name), in particular for the fulfilment of our contractual obligations and services in accordance with Art. 6 Para. 1 lit. b GDPR, for the implementation of marketing measures based on our legitimate interests in accordance with Art. 6 Para. 1 lit. f GDPR and on the basis of your consent in accordance with Art. 6 Para. 1 lit. a GDPR (e.g. in the context of customer satisfaction surveys
  • Payment data (e.g. bank details, account details, credit card details, payment history);
  • Health data (e.g. severely disabled status, general physical condition, diagnosis).
4. Recipients or categories of recipients of your personal data

We only process your personal data within the company. Within our company, those internal departments or organisational units receive your personal data insofar as they need it to fulfil the purpose and within the scope of processing. Internal data recipients are obliged in each case to use your personal data only to the aforementioned extent.

If we transfer your personal data to other persons and companies (third parties) or grant them other access to the personal data, this is only done on the basis of a legal permission. If we commission third parties to process personal data on the basis of a so-called "contract processing agreement" and thereby secure the necessary powers of influence or control with regard to the processing and use of the personal data, this is done on the basis of Art. 28 GDPR. However, we remain responsible to you for the legality of the data processing.

5. Storage of your personal data

We process or store your personal data in principle for the duration of the contractual relationship.

The above information on deletion does not apply if, among other things, legally prescribed retention periods prevent immediate deletion (cf. Art. 17 (3) GDPR) and/or a further case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.

Incorrect and/or incomplete data will be deleted or - if possible - corrected immediately in accordance with Art. 5 (1) d GDPR.

6. Processing your personal data in a third country

A data transfer to bodies in states outside the European Economic Area EU/EEA (so-called third countries) takes place in particular if it is necessary for the decision on the establishment of a contractual relationship.

The processing of your personal data in a third country may also take place in connection with the use of service providers in the context of processing orders. Unless the EU Commission has decided on an adequate level of data protection in the country concerned, we guarantee - in accordance with Article 13 (1) f of the GDPR - that your rights and freedoms are protected by appropriate and reasonable safeguards in the case of transfers in accordance with Articles 46, 47 or 49 (1), second subparagraph, GDPR. Information on the suitable or appropriate guarantees and the possibility of how and where to obtain a copy of them can be obtained on request from the Data Protection Department.

7. Your rights
  • You have the right to withdraw your consent to the processing of your personal data in accordance with Art. 7 (3) GDPR at any time with effect for the future. Processing that took place before the revocation therefore remains lawful.
  • In accordance with Art. 15 GDPR, you can request information about your personal data processed by us.
  • In accordance with Art. 16 GDPR, you can demand the immediate correction of incorrect or incomplete personal data stored by us.
  • In accordance with Art. 17 GDPR, you can request the deletion of your personal data stored by us in accordance with the conditions stated therein, unless legally prescribed retention periods prevent immediate deletion (see Art. 17 (3) GDPR) and/or another case of Art. 17 (3) GDPR exists and/or a new purpose justifies further processing.
  • Pursuant to Art. 18 (1) GDPR, you may request the restriction of data processing if one or more conditions pursuant to Art. 18 (1) GDPR lit. a to d are met.
  • In accordance with Art. 20 (1) GDPR, you can receive the personal data processed by us in a structured, common and machine-readable format and transfer this personal data to another person responsible without hindrance from us.
  • In addition, you can object to the processing of your personal data in accordance with Art. 21 (1) GDPR. In the event of an objection, we will terminate the processing of your personal data. However, the right of objection only applies in the event of special circumstances arising from your personal situation. In addition, compelling reasons worthy of protection that speak in favour of processing may prevail. Furthermore, certain processing purposes may conflict with your right of objection.
  • Without prejudice to any other administrative or judicial remedy, you also have the right to appeal to the competent supervisory authority (see Art. 77 GDPR) if you believe that the pro-cessing of your personal data violates data protection provisions. In this context, however, we would ask you to address any complaints first to the contact details given under (1) above.
8. Scope of your obligations to provide us with your personal

You only need to provide us with the personal data that is necessary for the initiation, execution and termination of a contractual relationship or that we generally require for the execution of our services or that we are legally obliged to collect (e.g. to provide evidence to authorities). Without this personal data, we will generally not be able to conclude and carry out the contractual relationship with you or provide our services. This may also refer to personal data that will later become necessary within the scope of the contractual relationship or the provision of services. Boxes marked with an asterisk (*) in our forms are mandatory. If we request personal data from you in addition to this, your details are always voluntary.

9. Automated decision making in individual cases (including profiling)

We do not use purely automated decision-making procedures in accordance with Art. 22 GDPR. Should we nevertheless use such a procedure in individual cases in the future, we will inform you of this separately if this is required by law.