WILO SE: note on data protection

With the following information, we would like to give you an overview of the processing of your personal data by WILO SE and your rights under Data Protection law. Which data are processed in detail and how they are used depends on the concluded contractual relationship or other agreed services.

Competent Authority

Competent authority is:

WILO SE
Nortkirchenstr. 100
44263 Dortmund
Telephone: +49 231 4102-0
Fax: +49 231 4102-7575
E-mail address: wilo@wilo.com

You can contact our Data Protection Officer at:

WILO SE
Data Protection Officer
Nortkirchenstr. 100
44263 Dortmund
Telephone: +49 231 4102-6161
E-mail address: datenschutz@wilo.com

Use of the Data

We process personal data that we receive from our customers, suppliers or other third parties as part of our business relationship. If it is necessary for the provision of our services, we also process personally identifiable information that we obtain in a permissible manner from publicly available sources (such as the internet) or which are submitted to us by other companies of the Wilo Group or other third parties.

Relevant personal data are personal details (name, address and other contact details of contact persons of customers, suppliers or other third parties). In addition, this may also include order data (e.g. orders or payment information), data from the fulfillment of our contractual obligations (e.g. year of birth), information about the financial situation (e.g. credit checks), advertising and sales data (including advertising scores), documentation data (e.g. consulting protocols) and other data comparable to the above-mentioned categories.

Purpose of Processing

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

Fulfillment of contractual obligations (Article 6 (1) (b) GDPR)

The processing of data takes place in order to provide our commercial transactions and services as part of the execution of our contracts with our customers, suppliers or other third parties or to carry out pre-contractual measures on request. The purpose of the processing is directed to the specific product (e.g. delivery of goods, advice, services) and might include needs analysis, consulting, and transaction execution. Further details on the data processing purposes can be found in the relevant contract documents and terms & conditions.

In the context of weighing interests (Article 6 (1) f GDPR)

If necessary, we process your data beyond the actual fulfillment of the contract for the protection of legitimate interests of third parties or us:

  • review and optimization of requirement analysis procedures for direct customer approach,
  • advertising or market- and opinion research, as long as you have not objected to the use of your data,
  • measures for the business control and further development of services and products,
  • consultation and data exchange with credit bureaus (e.g., SCHUFA) to identify credit and default risks,
  • risk management within the Wilo Group,
  • asserting legal claims and defense in legal disputes,
  • ensuring the IT security and IT operations of the company,
  • video surveillance to safeguard the rights of buildings and to collect evidence in case of burglary or theft, as well as further measures to ensure the rights of buildings,
  • measures for building- and plant safety (e.g. access control),
  • prevention and investigation of criminal offenses.

Based on your consent (Article 6 (1) a GDPR)

If you have given consent to the processing of personal data for specific purposes (e.g. disclosure of data within the Wilo Group, evaluation of purchasing behavior for marketing purposes), the legality of this processing is based on your consent. A given consent can be revoked at any time for the future. This also applies to the revocation of declarations of consent, which were issued to us before validity of the GDPR, May 25, 2018. The revocation of consent does not affect the legality of the data that have been processed before the revocation took place.

Due to legal requirements (Article 6 (1) c GDPR) or in the public interest (Article 6 (1) (e) GDPR)

As an international company, we are subject to various legal obligations, i.e. legal requirements (for example money laundering law, tax laws). Processing purposes include i.a. credit check, identity verification, fraud and money laundering prevention, as well as the evaluation and management of risks within the Group.

Data Recipients

Within our organization, only those entities/functions get access to your data, which need them to fulfill contractual and legal obligations. Our service providers and vicarious agents could also receive data for these purposes. This can be companies in the categories IT Services, Logistics, Printing Services, Telecommunications, Debt Collection, Consulting as well as Sales and Marketing.

With regard to the data transfer to recipients outside of our company, all our employees who work with personal data rely on data secrecy and confidentiality.

We only pass on information about you, if required by law or with your consent. Under these conditions, recipients of personal data can be:

  • Public bodies and institutions (e.g. tax authorities, law enforcement agencies) in the presence of a legal or regulatory obligation.
  • Other companies to whom we provide personal information to conduct the business relationship with you (e.g., credit bureaus, catalog shipping, etc.).
  • Other companies in the Group for risk management due to statutory or regulatory obligation.

Other data recipients may be the ones for whom you have given us your consent to submit the data.

Transmission of the Data to a Third Country or to an International Organization

A transfer of data to offices in countries outside the European Union (so-called third countries) takes place, as far as

  • it is necessary to execute your orders (e.g. production orders),
  • it is required by law (e.g. tax reporting obligations) or
  • you have given us your consent.

In addition, Wilo does not submit any personal data to third-countries or international organizations. However, Wilo uses service providers for certain tasks, most of whom also use service providers who can have their company headquarters, parent company or data center in a third country. The European Commission has decided that a transfer is permitted if an adequate level of protection exists in a third country (Article 45 GDPR).

If the Commission has not made such a decision, Wilo or the service provider may only transfer personal data to a third country or to an international organization, that intends appropriate safeguards (e.g. standard Data Protection clauses adopted by the Commission or the supervisory authority in a specific procedure) and if there are enforceable rights and effective remedies given. With these service providers, Wilo contractually agreed that their fundamentals of Data Protection are always compliant with the European Data Protection level.

Storage Duration

We process and store your personal information as long as it is necessary for the fulfillment of our contractual and legal obligations. It should be noted that our business relationship is a long-term debt, which is designed for years.

If the data are no longer required for the fulfillment of contractual or legal obligations, they are deleted on a regular basis, unless their temporary processing is necessary for the following purposes:

  • Fulfillment of commercial and tax retention requirements, e.g. the German Commercial Code (HGB). The terms for storage and documentation are six to ten years.
  • Preservation of evidence within the statutory limitation period. According to §§195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is three years.

Privacy Rights

Each data subject has the right to information under Article 15 of the GDPR, the right of correction under Article 16 GDPR, the right to cancellation under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR. With regard to the right to information and the right to erase, the restrictions under §§ 34 and 35 BDSG apply. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 DSGVO in conjunction with § 19 BDSG).

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us prior to the validity of the General Data Protection Regulation, i.e. before 25 May 2018. Please note that the revocation only works for the future. Processing that occurred before the revocation is not affected.

Withdrawal Rights

Case-specific right of objection

You have the right at any time, for reasons arising out of your particular situation, to prevent the processing of your personal data, pursuant to Article 6 (1) (e) of the GDPR (Data Processing in the Public Interest) and Article 6 (1) (f) GDPR ( Data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4 No. 4 GDPR.

If you object, we will no longer process your personal information unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising or defending legal claims.

Right to object to the processing of data for direct marketing purposes

In individual cases, we process your personal data in order to address direct mail. You have the right to object the processing of your personal data for the purposes of such advertising at any time; this also applies to profiling insofar as it is associated with such direct mail. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes. The objection can be free of form and should be directed to:

WILO SE
Nortkirchenstr. 100
44263 Dortmund

Provision of Data

As part of our business relationship, you must provide those personal information that are necessary to enter into a business relationship and perform its contractual obligations, or that we are required to collect by law. Without this information, in some cases we may not be able to conclude or execute the contract with you.

Profiling

Sometimes we process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

  • In order to provide you with targeted information and advice on products, we use evaluation tools on our webpages. These tools enable needs-based communication and advertising, including market and opinion research.
  • We use scoring to assess your creditworthiness. This calculates the probability with which a customer will meet its payment obligations in accordance with the contract. For example, the calculation may include income, expenses, existing liabilities, occupation, employer, duration of employment, past business experience, past repayment of the loan and information from credit reporting agencies. The scoring is based on a mathematically-statistically recognized and proven procedure. The calculated scores help us to make decisions in the context of product deals and are part of ongoing risk management.

Automated Decision-Making

In principle, we do not use full automated decision-making in accordance with Article 22 GDPR to justify and implement the business relationship. If we use these procedures in individual cases, we will inform you about this separately, if this is required by law.

Children

Children should not submit any personal information to Wilo without the consent of the parent or guardian. Wilo encourages all parents and guardians to instruct their children in the safe and responsible use of personal information, especially on the internet. In any case, Wilo will not knowingly collect, use, or otherwise disclose personally identifiable information about children in any way.

As of May 2018

Please note that this statement may be supplemented or amended in the future due to legal or other requirements. Please inform yourself regularly about the status.