Data Protection and Data Security
Information Obligations Pursuant to Articles 13 and 14 of the GDPR
Information On How We Handle Your Data
DATEV eG, Nuremberg
Dr. Robert Mayr (Chairman)
Eckhard Schwarzer (Vice-Chairman)
Prof. Dr. Peter Krug
Chairman of the Supervisory Board: Nicolas Hofmann
Data Protection Officer
Dr. Jörg Spilker
DATEV collects your personal data when you contact us, for example as an interested party or customer, particularly if you are interested in our products or if you would like to offer your products through DATEV. We also collect your data if you register for our online services or contact us by email or telephone, or if you use our products and services within the scope of existing business relationships. In addition, we process personal data from publicly available sources if they are necessary for our services. We may obtain this data from debtor registers or trade and association registers, for example. Personal data is also transferred to us by other third parties (such as credit agencies).
If you are an employee of a customer or supplier, DATEV may process the following data concerning you: your contact information, your customer group/area of interest, sales data, proposal data, cost estimates, information about your creditworthiness, payment data, log data, audit data, performance data, invoice data, proceedings.
If you are an employee of a customer or supplier, DATEV may have stored your contact information, particularly within the scope of your role as a contact for a certain business process. In addition to the aforementioned, if you use DATEV applications/software, log data from these applications and technical data from the systems you work with may also be stored.
a) Processing based on your consent (point (a) of Article 6(1) of the GDPR)
If you have consented to the processing of your personal data for specific purposes (such as analyzing data for marketing purposes), the lawfulness of such processing is based on your consent. You have the right to withdraw your consent at any time. This also applies to withdrawing the consent you gave to us prior to the GDPR (General Data Protection Regulation) entering into force, i.e. before 25 May 2018.
Please note that withdrawing consent only applies to the future. Data processing that was carried out prior to withdrawing consent remains unaffected.
b) Processing necessary for the performance of a contract (point (b) of Article 6(1) of the GDPR)
We process personal data (Art. 4(2) of the GDPR) in order to provide our services, particularly for the performance of our contracts with you or in order to take steps prior to entering into a contract with you, as well as to fulfill your orders and in the context of customer management and support.
c) Processing necessary for compliance with a legal obligation (point (c) of Article 6(1) of the GDPR) or carried out in the public interest (point (e) of Article 6(1) of the GDPR)
Your personal data may be processed by DATEV on the basis of other legal obligations, such as a court order.
d) Processing necessary for the purposes of legitimate interests (point (f) of Article 6(1) of the GDPR)
Where required, DATEV also processes your data beyond the scope of actual performance of the contract to protect our legitimate interests or those of third parties. Examples include:
Within DATEV, access to your data is granted to the departments that require it in order to process it for the aforementioned purposes. Processors used by DATEV (Article 28 of the GDPR) and other service providers may also receive data for these purposes. This includes companies in the following categories: IT services, logistics, telecommunications, marketing, customer satisfaction surveys, and address research. Furthermore, DATEV also cooperates with universities to develop and improve our services.
Data will only be transferred to recipients outside DATEV if this is permitted or required by law, if you have given your consent to do so, or if we are otherwise authorized to transfer the data. Under these conditions, recipients of personal data can include, for example:
Other recipients of data may be those entities for which you have granted us your consent to the transfer of data.
Within the scope of remote maintenance of standard IT components, it is possible that an IT service provider from a third country (e.g. USA) may, in rare cases, have controlled and limited access to personal data for the purposes of troubleshooting. Personal data is only transferred to service providers outside the European Economic Area (EEA) if the European Commission has confirmed that the third country provides an adequate level of data protection or if other appropriate data protection safeguards (e.g. Binding Corporate Rules or EU standard data protection clauses) are in place.
If your personal data is no longer required for the aforementioned purposes, it will be erased at regular intervals, unless its – temporary – storage is still necessary to fulfill contractual or legal obligations. Reasons for this can include
If DATEV has stored personal data about you, you can obtain information about the data stored concerning you at your request. Please inform us if we have stored inaccurate data about you or if you do not consent to certain parts of the data being stored so that we can rectify, erase, or restrict the processing of this data.
Data concerning you that you have provided to DATEV is available in a transferable format upon request.
To exercise your rights as a data subject, please contact DATEV’s Data Protection Officer, stating:
In the event of complaints, you can contact a supervisory authority. The Bavarian Data Protection Authority (BayLDA) is the responsible supervisory authority for DATEV.
We do partially process your data in an automated manner with the goal of assessing certain personal aspects (profiling). We do not, however, make any automated decisions based on this that have any legal effect on you or significantly affect you in a similar manner without the involvement of a person.
Should we make use of exclusively automated decision-making in individual cases in the future, we will inform you of this separately, insofar as this is prescribed by law.
Within the scope of our business relationship, we require the following personal data from you:
Without this personal data, we will not be able to enter into or execute a contract with you.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on our legitimate interests or that is carried out in the public interest.
You can object to the use of your personal data for direct marketing purposes at any time without having to provide a reason.
Updated: 25 May 2018