FAQ on data protection at DEUTZ

The companies affiliated in the DEUTZ Group (‘DEUTZ’ or ‘we’) take the protection of your personal data very seriously and ensure strict compliance with all applicable data protection requirements. Below, you will find answers to frequently asked questions on important aspects regarding the processing and handling of your personal data by DEUTZ. We will also provide information on your rights as a data subject under applicable data protection laws.

What is personal data?

Personal data means any information relating to an identified or identifiable natural person (‘data subject’/’you’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

What are ‘special categories of personal data’?

This term refers to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

What constitutes ‘processing’?

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Who is responsible for processing my data?

The controller responsible for the processing of your personal data at DEUTZ is the DEUTZ Group company where your data was first collected. As a rule, this will be the company with which you are in contact or have a business relationship. You can find the contact details in the imprint of the respective company website. Insofar as your personal data has been passed on within the DEUTZ Group, these companies are jointly responsible for the data processing.

Whom can I contact if I have questions concerning data protection?

As part of the data protection organization, the responsible persons have appointed contact persons for data protection topics or, if there is a legal obligation to do so, data protection officers. If you have any questions or suggestions regarding data protection at DEUTZ, you may of course contact the data controller, the data protection organization or data protection officers directly. You can reach them at the address of the person responsible with the addition (DATA PROTECTION) or by e-mail at privacy-team@deutz.com

Which categories of personal data are processed and how they are obtained?

Categories of personal data processed by us include basic data relating to your person (e.g. form of address, first name, last name, titles/affixes, nationality; department and role within the company), contact details (e.g. address, (cell) phone and fax number, email address), bank details and information on creditworthiness, as well as contract, billing, and payment data. We also process personal data obtained from the customer and supplier history. We may furthermore process personal data pertaining to the aforementioned special categories (Article 9 GDPR) as well as image material to the extent required by the law. Where such processing is not required by law, we will normally inform you separately about the processing. We generally process only the personal data you have made available to us. The relevant personal data is thus collected directly from you. FAQ | 01022022 DATA PROTECTION Page 2 of 5 In certain circumstances we may receive data relating to your person from other sources, e.g. from your employer or one of our business partners. We may also receive data from third parties (e.g. intermediaries). We furthermore process personal data that we lawfully obtain from public sources (e.g. professional networks).

For what purposes and on what legal basis will my personal data be processed?

DEUTZ processes your personal data for defined purposes only and always on a legitimate legal basis. The processing is therefore compliant with the EU’s General Data Protection Regulation (GDPR) and the German Data Protection Act (BDSG).

If you have consented to the processing of your personal data by DEUTZ, this consent constitutes the legal basis for the processing.

For example, you can consent to receiving a newsletter or to the use of photographs in which only you are pictured. In this context, we place particular importance on consent given by children and teenagers under the age of 16. Their consent is valid only if their parent(s) or legal guardian(s) also consent to the processing.

Cases where the processing of your personal data is required in order to perform a contract or complete steps prior to entering into a contract.

This situation occurs, for example, if we receive an enquiry from you, or if your employer refers us to you as a contact person, or if you initiate contact for some other reason, e.g. to obtain a quotation, reply, or follow-up, or to arrange the shipping of materials or goods. 

Other purposes of use may include:

• Completing transactions such as payments, invoicing, and contract management
• Administrative communications, for example with the aim of promoting sales in relation to products or services purchased by you or new product developments, or with the aim of clarifying questions or appointments or exchanging information
• Documenting activities, such as meetings, seminars, training, events, and agreements
• Answering questions and providing assistance as part of the warranty handling process or the use of the DEUTZ customer service.

Cases where the processing of your personal data is required for hiring decisions or for carrying out or terminating an employment contract with DEUTZ.

The processing of your personal data is also permitted if you have applied for a position at DEUTZ or if you are or were employed by DEUTZ.

Cases where the processing of your personal data is required to protect your vital interests or those of other natural persons.

For example, in a situation where first aid is administered by first responders or medical services.

Cases where the processing of your personal data is required in order to comply with a legal obligation or perform a task carried out in the public interest or in the exercise of official authority vested in DEUTZ.

DEUTZ is subject to a wide range of legal obligations, i.e. statutory requirements (such as tax laws). Compliance with tax-related monitoring and reporting duties and other, similar obligations are among the purposes for which DEUTZ processes personal data.

Cases where the processing of personal data is required for the purposes of legitimate interests pursued by DEUTZ or a third party, subject to careful balancing of interests. This means that personal data may be processed only if such legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

This makes it possible for DEUTZ to centralize its management of customers’ and employees’ personal data within the Group, which brings benefits such as enabling the company to process your enquiries in a speedier and more targeted manner. It is also within the legitimate interests of DEUTZ to disclose personal data to external auditors to the extent required as part of the audit process in order for the necessary certification to be obtained or granted. In this context, DEUTZ will always take care to protect the interests and fundamental rights and freedoms of the data subjects. Moreover, we are also obliged under the European Council Regulations (EC) No 2580/2001 and No 881/2002 to check your data against the EU’s list of terrorist organizations in order to ensure that no funds or other economic resources are made available for terrorist purposes. In order to ensure compliance with supply and payment restrictions – e.g. in respect of companies and persons on the various lists of individual countries – existing business contact details may be checked against such lists. To protect property and to prevent and solve crimes (e.g. theft and vandalism or destruction), DEUTZ uses optical systems (video recording) across large parts of its premises. Access to and the distribution of this data is subject to strict rules and limited to the requirements arising from any individual case, based on the relevant purpose. Further details can be found in a separate document with ‘information on video surveillance’. Personal data may also be processed in order to enable the investigation of crimes or for the purposes of corporate management, internal communications, or other internal administrative processes, e.g.:

• general internal administrative purposes, such as the central register of telephone and contact details or centralized human resources management
• reviewing and optimizing needs assessment processes for the purposes of direct customer contact,
• corporate management measures and measures for the further development of services and products;
• advertising and market and opinion research in relation to products and services of DEUTZ purchased by you, unless you have objected to the use of your data for such purposes,
• building and plant security measures (e.g. access controls);
• measures guaranteeing the proprietor’s right to decide who shall be allowed or denied access to their premises;
• ensuring the security and operation of IT systems;
• preventing and solving crime;
• asserting legal claims and stating a defense in legal disputes;
• promoting motivation and good health in the workforce

With whom does DEUTZ share my personal data?

In compliance with legal requirements and existing internal regulations, data required for a relevant purpose can be shared with internal and external recipients in the following cases. Within our company, access to your personal data is limited to staff and departments who need it to perform their operational tasks and ensure the company’s compliance with contractual obligations and statutory requirements. Within our Group, your data will be passed on to certain entities or units if these perform data processing tasks as a central function for the Group’s affiliated companies or if this transfer of data is required to ensure compliance with contractual obligations or statutory requirements. To the extent permitted by the law, we also use a number of service providers / processors to fulfil the processing purposes. Your data may also be passed on to further recipients outside the DEUTZ Group where this is necessary to fulfil the relevant purpose.

Does DEUTZ transfer my personal data to any international organizations and how are relevant data protection standards guaranteed in this case?

DEUTZ generally transmits personal data to third countries or recipients in a third country only if satisfactory guarantees of an adequate standard of data protection on the part of the recipient have been provided (Article 44 et seq. GDPR). Your personal data may be transmitted to recipients in third countries if this is required for the performance of a contract with you. Drop-shipping would be one example where this might be the case.

How long will my personal data be stored?
When, and subject to what criteria, will my data be erased?

DEUTZ stores personal data for as long as it is needed to fulfil the aforementioned purposes or for as long as prescribed by the law. Usually, personal data will be stored for the duration of the relevant contract or business relationship. This approach typically results from the requirements of the business relationship and its origination and from applicable legal evidence and record retention obligations such as those set out in the German Commercial Code and the German Tax Code. These provisions stipulate time limits for data storage of up to ten years from the last date of contact. Personal data of other persons such as visitors or newsletter subscribers is erased five years after the date of the last contact or by request. In some instances, personal data may be stored for the period during which legal claims may be raised against us (periods of limitation may range from three to thirty years). Data is erased in keeping with the erasure procedures defined by the process owners.

What are my rights as a data subject?

You have the right to obtain from DEUTZ information about personal data relating to you and you have the right to demand that such data be corrected or erased or its processing restricted. You also have the right to object to the processing of your data. In addition, you have the right to obtain any personal data you provided to DEUTZ in a structured, machine-readable format, and to send this data to a different controller.

Do I have a right to object?

You have the right to object to the processing of your personal data for direct marketing purposes at any time and without giving reasons. This also applies for profiling where this is connected with directed marketing activities. If you object to the processing of your data for direct marketing purposes, we will no longer process your data for such purposes. You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data where such data is processed in the public interest (Article 6 (1) e GDPR) or based on a balance of interests (Article 6 (1) f GDPR). This also applies for profiling activities based on this provision (Article 4 (4) GDPR). We will then refrain from processing your personal data, except in cases where we can provide compelling legitimate reasons for the processing which override your interests, rights, and freedoms, or where the processing is required to establish, assert, or defend legal claims.

To whom can I address my objection?

The objection can be made informally with the subject " OBJECTION", stating your name, address and date of birth, and can be addressed directly to the data controller or its data protection organization.

Can I withdraw my consent?

If DEUTZ is processing your personal data based on your consent, you have the right to withdraw your consent at any time with effect for the future. Your data will then no longer be processed. If you wish to exercise your right to withdraw your consent, please contact the controller or its data protection organization.

Whom can I contact with comments, complaints, or questions concerning data protection at DEUTZ?

If you wish to exercise your right to complain, please contact the data protection organization directly (by mail or e-mail) (privacy-team@deutz.com). You also have the option of submitting a complaint to a data protection supervisory authority. You can find a list of data protection supervisory authorities here: BfDI - Homepage (bund.de).

What measures are in place to ensure the security of the processing?

DEUTZ has put in place internal policies to ensure that appropriate technical and organizational data security measures are applied – where data is processed by an external service provider, corresponding contractual provisions are used, e.g. the EU’s standard contractual clauses for processing outside the European Union.

Am I obliged to provide my personal data?

In certain cases (especially as stipulated in Article 6 (1) c and 6 (1) e GDPR), DEUTZ may be required by law, or as part of the exercise of official authority vested in it, to process your data. In these cases, you will be obliged to provide the necessary information or to present proof that the recipient (the government body/public authority) already has the information in question. If you do not comply with this obligation, DEUTZ may not be able to respond to your enquiry and/or process your order.

Does DEUTZ make use of scoring or profiling methods?

DEUTZ does not normally employ methods which produce results solely based on automated decisionmaking. You will be notified separately if any such profiling or scoring methods are used and will be provided with information on the underlying logic and the scope and desired outcomes of these processing activities.

Are these FAQs subject to change?

We are adapting and improving these data protection FAQs on an ongoing basis. You will find the most up-to-date version published on our website in the data protection section. We recommend that you revisit this page from time to time to stay informed about the latest updates.