Looking for experts?

Find now

Data protection information for customers and other affected persons

With the following information, we would like to provide you, as a customer or prospective customer of our products/services, with an overview of how we process your personal data and your rights under data protection law. Which specific data is processed and how it is used depends largely on the services you have requested or agreed to. Therefore, not all parts of this information will apply to you.

Who is responsible for data processing and who can I contact?

The responsible party is

SOMI Experts GmbH
Kennedyallee 93
60596 Frankfurt

You can reach our data protection officer at

SOMI Experts GmbH
Kennedyallee 93
60596 Frankfurt

as well as by email at datenschutz@somi.de and by telephone at 069 / 47 89 18 90-0.

What sources and data do we use?

We process personal data that we receive from our customers or other affected persons in the course of our business relationships.

In addition, we process personal data that we obtain from publicly accessible sources (e.g., debtor directories, land registers, commercial and association registers, press, Internet) to the extent necessary for our business relationship or that is legitimately transmitted to us by other third parties (e.g., a credit agency).

Relevant personal data relating to you and, where applicable, your employees include personal details (name, address and other contact details, date and place of birth, and nationality), identification data (e.g., ID card details), and authentication data (e.g., signature sample). In addition, this may also include order data (e.g., payment orders), data from the fulfillment of our contractual obligations (e.g., sales data in payment transactions), information about your financial situation (e.g., creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g., minutes of meetings), and other data comparable to the categories mentioned.

Why do we process your data (purpose of processing) and on what legal basis?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG)

a) To fulfill contractual obligations (Art. 6 para. 1 b GDPR)

Data is processed for the purpose of fulfilling and executing orders and contracts within the scope of our contracts with our customers or for the purpose of implementing pre-contractual measures requested by the customer. The purposes of data processing are primarily determined by the specific contract. Further details on the purposes of data processing can be found in the relevant contract documents and terms and conditions.

b) Within the scope of balancing interests (Art. 6 para. 1 f GDPR)

Where necessary, we process your data beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties. Examples of this are:

  • Consultation of and data exchange with credit agencies (e.g., SCHUFA) to determine creditworthiness or default risks in our business transactions
  • Review and optimization of procedures for needs analysis for the purpose of direct customer contact,
  • advertising, or market and opinion research, provided you have not objected to the use of your data
  • Assertion of legal claims and defense in legal disputes
  • Ensuring IT security and IT operations of the company
  • Prevention and investigation of criminal offenses
  • Video surveillance to protect property rights and collect evidence in the event of break-ins (see also § 4 BDSG)
  • Measures for building and facility security (e.g., access controls),
  • Measures to ensure house rules are observed,
  • Measures for business management and further development of services and products,
  • Risk Management.

c) Based on your consent (Art. 6 para. 1 a GDPR)

If you have given us your consent to process personal data for specific purposes (e.g., transfer of data, evaluation of payment transaction data for marketing purposes, photographs taken during events, newsletter distribution), the lawfulness of this processing is based on your consent. Consent that has been given can be revoked at any time. This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force, i.e. before May 25, 2018. The revocation of consent only takes effect for the future and does not affect the legality of the data processed until the revocation.

d) Due to legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)

In addition, as a company, we are subject to various legal obligations, i.e. legal requirements (e.g. money laundering law, tax laws, and regulatory requirements). The purposes of processing include creditworthiness checks, identity and age verification, fraud and money laundering prevention, compliance with tax control and reporting obligations, and the assessment and management of risks within the company.

Who receives my data?

Within the company, those departments that need your data to fulfill our contractual and legal obligations will have access to it. Service providers and vicarious agents employed by us may also receive data for these purposes, provided that they maintain confidentiality and integrity. These are companies in the categories of IT services, logistics, printing services, telecommunications, debt collection, consulting, and sales and marketing.

With regard to the transfer of data to recipients outside our company, it should first be noted that we only transfer necessary personal data in compliance with the applicable data protection regulations. We may only disclose information about you if required to do so by law, if you have given your consent, or if we are authorized to provide such information. Under these conditions, recipients of personal data may include, for example:

  • Public authorities and institutions (e.g., tax authorities, law enforcement authorities, family courts, land registries) if there is a legal or official obligation to do so
  • Credit and financial services institutions or similar institutions to which we transfer personal data in the course of our business relationship (e.g., banks, credit agencies)
  • Creditors or insolvency administrators who make inquiries in the context of enforcement proceedings,
  • Auditors,
  • Service providers whom we engage in the context of order processing relationships.

Is data transferred to a third country or to an international organization?

No.

How long will my data and that of my employees be stored?

We process and store your personal data and that of your employees for as long as it is necessary to fulfill our contractual and legal obligations.

If the data is no longer required for the fulfillment of contractual or legal obligations, it will be deleted regularly, unless its further processing is necessary for the following purposes:

  • Fulfillment of commercial and tax law retention obligations,
  • Commercial Code (HGB), Tax Code (AO), Money Laundering Act (GwG). The retention and documentation periods specified therein are generally two to ten years.
  • Preservation of evidence within the framework of the statutory limitation provisions. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.

What data protection rights do I have?

Every data subject has the right to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR.

The restrictions under Sections 34 and 35 of the new German Federal Data Protection Act (BDSG) apply to the right to information and the right to erasure. In addition, you have the right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).

You may withdraw your consent to the processing of your personal data at any time with future effect.

This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force, i.e. before May 25, 2018. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

Am I obliged to provide data?

Within the scope of our business relationship, you must provide us with the personal data that is necessary for the establishment, execution, and termination of a business relationship and for the fulfillment of the associated contractual obligations, or that we are legally obliged to collect. Without this data, we will generally not be able to conclude, execute, or terminate a contract with you.

To what extent is there automated decision-making?

We do not use fully automated decision-making in accordance with Article 22 of the GDPR for the establishment, execution, and termination of the business relationship. If we use these procedures in individual cases (e.g., to improve our products and services), we will inform you separately about this and your rights in this regard, provided that this is required by law.

Does profiling take place?

We process your data partially automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in the following cases, for example:

  • We use evaluation tools to provide you with targeted information and advice on products and services. These enable needs-based communication and advertising, including market and opinion research.
  • We use scoring to assess your creditworthiness. This involves calculating the probability that a customer will meet their payment obligations in accordance with the contract. Scoring is based on a mathematically and statistically recognized and proven procedure. The calculated scores support us in our decision-making process when concluding product contracts and are incorporated into our ongoing risk management.

Information about your right to object under Article 21 of the GDPR

Right to object in individual cases

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you on the basis of Article 6(1)(e) GDPR (data processing in the public interest) and Article 6(1)(f) GDPR (data processing based on a balancing of interests); this also applies to profiling within the meaning of Article 4(4) GDPR based on this provision.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms. This includes, in particular, if the processing is necessary for the assertion, exercise, or defense of legal claims.

Recipients of an objection

The objection can be made informally with the subject line “Objection” stating your name, address, and date of birth and should be addressed to:

SOMI Experts GmbH
Kennedyallee 93
60596 Frankfurt

069 / 47 89 18 90-0
datenschutz@somi.de