PRIVACY POLICY FOR BUSINESS PARTNERS
Last updated: March 8th, 2023
This Privacy Policy for business partners (“Privacy Policy”) stipulates how Höhle OÜ as the personal data controller processes the personal data of its business partners and their representatives in connection with the business relationship or any other contractual relationships concluded between the business partner and Höhle OÜ, as well as privacy rights available to data subjects. This Privacy Policy applies to all our business partners’ (legal persons’) representatives and contact persons acting as a management board member, employee or in any other capacity.
The controller of your personal data is Höhle OÜ (“Höhle”, “we”, “us” or “our”). Höhle is responsible for ensuring that your personal data is processed in accordance with this Privacy Policy and applicable personal data protection laws, in particular with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Contact details of the controller:
Registry code: 12805467
Address: Torupõllu, Lõiuse, Rapla vald 79405, Estonia
Phone number: +372 514 7676
E-mail: margus.maasing@hohle.ee
If you have any questions regarding this Privacy Policy or the personal data we process about you, please contact us at the contact details provided above.
processing of personal data
As your or your employer’s business partner, we collect your personal data in a variety of ways. In particular, we collect personal data provided directly by you when you place sales order otherwise communicate with us (for example, through our website or by directly contacting our representatives) prior to or after entering into a contractual relationship with you acting on behalf of a legal person. We may also receive your personal data from legal persons with whom we have a contractual relationship. To the extent permitted by applicable law, we may also collect your personal data from third parties, such as government authorities and public databases.
Due to our contractual and statutory rights and obligations related to our business relationship and the values of Höhle, we may collect certain personal data, including:
general personal data, such as your name, personal identification code and date of birth, details and a copy of identity document, the language of communication;
contact details, such as your e-mail address, and phone number. We may also collect data on your position and contact details of the legal person you represent, as well as information on the authorisation (right of representation);
information related to our contractual relationship, such as data on inquiries and responses, feedback on our business activity, data on invoicing and transactions (including information on completed sales, fees payable and tax liabilities), details of the contract concluded between the business partner and us;
data related to a breach of the contract, such as nature and time of the breach;
information collected on an ongoing basis in the course of our business relationship and in everyday communication, such as data necessary for the operation of our e-mail systems and other communication tools, IP address;
data about our marketing activities towards you, such as information about the undertaken marketing activities, corporate gifts, etc;
data collected through video surveillance, if you visit our premises, but only to the extent needed to protect our legitimate interest to maintain security and establish, exercise or defend legal claims. Please note that this policy applies to the video surveillance which is installed near the entrance to the production room;
We may also collect other personal data about you that you voluntarily provide to us in the course of our contractual relationship. You can provide us with other personal data if you wish, but this is not required for the purposes related to our contractual relationship.
purpose and legal basis of data processing
We process your personal data for the following purposes on the basis of Article 6(1)(b) (for the performance of the contract or in order to take pre-contractual steps), Article 6(1)(c) (to comply with legal obligations applicable to us) and Article 6(1)(f) (our legitimate interests) of the GDPR, depending the circumstances under which you communicate with us. In some situations, we may also process your personal data based on your consent (Article 6(1)(a) of the GDPR).
Processing sales orders and/or managing our contractual relationship
The primary purpose of collecting personal data is to enable us to process submitted sales orders with the objective to conclude a contract, perform our contractual obligations, invoicing the other party to the contract, manage and maintain a business relationship with our business partner. In these cases, the processing of personal data is based on our legitimate interest if a sales contract is concluded between us and the company you represent. If you are a sole proprietor, the legal basis for the processing of personal data is the contract entered into between us, or taking steps at your request to enter into such contract.
Accounting purposes
We process personal data in order to comply with our obligations under applicable accounting and tax legislation. In these cases, the processing of personal data is based on legal regulations that oblige us to keep certain accounting data, such as accounting source documents.
Data related to legal claims
If necessary, we may process personal data for the purposes of our legitimate interest in filing, processing or defending legal claims arising from the contractual relationship between us and our business partner.
Marketing purposes
We may also process personal data for marketing purposes, in particular to provide you with information about our goods and services or to provide our business partners corporate gifts. In these cases, the legal basis for the processing of personal data is your consent or our legitimate interest to promote our business activities.
Purposes of security
We also process personal data for the purposes of ensuring the safety of our assets and intellectual property rights, security of our systems, preventing fraud or malicious activities and enhancing the security of our employees. In these cases, the legal basis for the processing of personal data is our legitimate interest in ensuring an adequate level of data security and security in our systems and facilities.
recipients of your personal data
We may disclose your personal data to third parties:
if permitted or required by applicable law, e.g. at the request of a competent authority or due to legal proceedings;
if our trusted service providers (such as IT, accounting and/or legal service providers) provide services to us or on our behalf in accordance with our instructions. In these cases, we will control and remain responsible for the use of your personal data at all times;
in connection with our merger, takeover or sale of all or part of our business; and
if we, in good faith, believe that disclosure of relevant data is necessary to protect your rights, to protect your or others’ safety, to investigate fraud or other illegal activity.
More specifically, we may disclose your personal data:
to our employees who are responsible for cooperation with business partners;
to cloud service providers and other IT service providers used to manage our communications with business partners;
the transfer of data to the Estonian Tax and Customs Board and other state authorities as such is required by law;
banks and other financial service providers;
our authorised processors and other persons involved in the performance of the contract;
persons who help us to exercise our rights under the agreement (providers of debt collection services, legal advisers, courts, etc.);
internal and external auditors; and
to parties involved in possible mergers, takeovers or the sale of all or part of our assets.
As a rule, we do not transfer personal data outside of the European Economic Area.
retention of personal data
We process and retain your personal data as long as necessary to achieve the specific purposes described in this Privacy Policy, including to comply with legal requirements applicable to us.
Most of your personal data will be retained until the end of the contractual relationship between the legal person you represent and us. Certain personal data may be retained after the end of the contractual relationship, if required or permitted by applicable law. For example, we retain the accounting source documents (eg, copies of invoices) for 7 years from the end of the relevant financial year when a business transaction was recorded, as required by applicable law.
In some cases, personal data may be also retained for a longer period if storage of personal data is required in order to protect our or any third parties’ legitimate interests, e.g. in case of a legal dispute.
We will delete or anonymise your personal data when processing is no longer necessary for intended purposes.
security measures
We use reasonable security measures (including physical, electronic and administrative) to protect your personal data from loss, destruction, misuse and unauthorised access or disclosure.
Please note that while we take reasonable steps to protect the security of your personal information, no system completely eliminates all potential security risks.
your rights
Subject to the restrictions and conditions set out in law, you have the following rights as a data subject:
to request access to your personal data. You may access, correct, update, change or remove your personal data at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Privacy Policy and may also be required by law. Thus, you may not remove such personal data;
to request rectification of your personal data;
to request erasure of your personal data. If personal data is erased under your request, we will only retain such copies of the information as are necessary for us to protect our or third parties’ legitimate interests, comply with governmental orders, resolve disputes, troubleshoot problems, or enforce any agreement you have entered into with us;
to data portability (insofar as it does not infringe our legitimate interests to protect our trade secrets or any other confidential information);
In some cases you may have a right to request restriction of processing of your personal data or to object to processing of your personal data.
If you wish to exercise your rights as a data subject, please contact us at the contact details provided in the beginning of this Privacy Policy.
If you think there is a problem with the way we are handling your personal data, you have a right to lodge a complaint to your national data protection authority in the EU/EEA, or seek judicial remedy. In Estonia, the competent supervisory authority is the Estonian Data Protection Inspectorate. You can find contact details of the Estonian Data Protection Inspectorate here: www.aki.ee. However, we encourage you to first contact us with any concerns that you may have, although you have no obligation to do so.