Data Protection and Data Security

Information Obligations Pursuant to Articles 13 and 14 of the GDPR

Information On How We Handle Your Data

1 Controller

DATEV eG, Nuremberg

Represented by

Dr. Robert Mayr (Chairman)
Eckhard Schwarzer (Vice-Chairman)
Prof. Dr. Peter Krug
Julia Bangerth
Diana Windmeißer

Chairman of the Supervisory Board: Nicolas Hofmann

Phone +49-911-319-0

2 Data Protection Officer

Data Protection Officer
Dr. Jörg Spilker
Paumgartnerstrasse 6–14
90429 Nuremberg
Phone +49-911-319-0

3 Collecting and Processing of Personal Information

DATEV collects your personal data when you contact us, for example as an interested party or customer, particularly if you are interested in our products or if you would like to offer your products through DATEV. We also collect your data if you register for our online services or contact us by email or telephone, or if you use our products and services within the scope of existing business relationships. In addition, we process personal data from publicly available sources if they are necessary for our services. We may obtain this data from debtor registers or trade and association registers, for example. Personal data is also transferred to us by other third parties (such as credit agencies).

If you are an employee of a customer or supplier, DATEV may process the following data concerning you: your contact information, your customer group/area of interest, sales data, proposal data, cost estimates, information about your creditworthiness, payment data, log data, audit data, performance data, invoice data, proceedings.

If you are an employee of a customer or supplier, DATEV may have stored your contact information, particularly within the scope of your role as a contact for a certain business process. In addition to the aforementioned, if you use DATEV applications/software, log data from these applications and technical data from the systems you work with may also be stored.

4 Legal Bases and Purposes of the Processing

a) Processing based on your consent (point (a) of Article 6(1) of the GDPR)
If you have consented to the processing of your personal data for specific purposes (such as analyzing data for marketing purposes), the lawfulness of such processing is based on your consent. You have the right to withdraw your consent at any time. This also applies to withdrawing the consent you gave to us prior to the GDPR (General Data Protection Regulation) entering into force, i.e. before 25 May 2018.

Please note that withdrawing consent only applies to the future. Data processing that was carried out prior to withdrawing consent remains unaffected.

b) Processing necessary for the performance of a contract (point (b) of Article 6(1) of the GDPR)
We process personal data (Art. 4(2) of the GDPR) in order to provide our services, particularly for the performance of our contracts with you or in order to take steps prior to entering into a contract with you, as well as to fulfill your orders and in the context of customer management and support.

c) Processing necessary for compliance with a legal obligation (point (c) of Article 6(1) of the GDPR) or carried out in the public interest (point (e) of Article 6(1) of the GDPR)
Your personal data may be processed by DATEV on the basis of other legal obligations, such as a court order.

d) Processing necessary for the purposes of legitimate interests (point (f) of Article 6(1) of the GDPR)
Where required, DATEV also processes your data beyond the scope of actual performance of the contract to protect our legitimate interests or those of third parties. Examples include:

  • Providing better customer service
  • Safeguarding our IT security and IT operations, for example through the use of transmission logs
  • With regard to suppliers: Consulting with credit agencies (to determine creditworthiness and default risks)
  • Reviewing and optimizing needs assessment processes for the purpose of directly contacting customers
  • Advertising or market and opinion research, insofar as you did not object to the use of your data for this purpose
  • Assertion of legal claims and defense within the scope of legal proceedings
  • Measures to manage business operations and make advancements to products and services

5 Recipients of Personal Data

Within DATEV, access to your data is granted to the departments that require it in order to process it for the aforementioned purposes. Processors used by DATEV (Article 28 of the GDPR) and other service providers may also receive data for these purposes. This includes companies in the following categories: IT services, logistics, telecommunications, marketing, customer satisfaction surveys, and address research. Furthermore, DATEV also cooperates with universities to develop and improve our services.

Data will only be transferred to recipients outside DATEV if this is permitted or required by law, if you have given your consent to do so, or if we are otherwise authorized to transfer the data. Under these conditions, recipients of personal data can include, for example:

  • Public authorities and institutions if we have a legal or official obligation to transfer your data.
  • In rare individual cases of maintenance or for fault analysis, we may use hardware or software support partners. In this case, we will enter into agreements with these partners that include the legally stipulated contractual provisions governing purpose limitation and confidentiality as well as – if necessary – confidentiality obligations in accordance with Section 203 of the German Criminal Code.

Other recipients of data may be those entities for which you have granted us your consent to the transfer of data.

6 Third Countries

Within the scope of remote maintenance of standard IT components, it is possible that an IT service provider from a third country (e.g. USA) may, in rare cases, have controlled and limited access to personal data for the purposes of troubleshooting. Personal data is only transferred to service providers outside the European Economic Area (EEA) if the European Commission has confirmed that the third country provides an adequate level of data protection or if other appropriate data protection safeguards (e.g. Binding Corporate Rules or EU standard data protection clauses) are in place.

7 Duration of Data Storage

If your personal data is no longer required for the aforementioned purposes, it will be erased at regular intervals, unless its – temporary – storage is still necessary to fulfill contractual or legal obligations. Reasons for this can include:

  • Preserving evidence for legal disputes within the framework of statutory limitation periods:
    The limitation periods under civil law in Germany can be up to 30 years, whereby the regular limitation period is three years.
  • Log data is stored for up to two years and your inquiries to our customer service team for up to three years.
    After these periods elapse, the data will be erased after a post-processing period.

8 Rights of the Data Subject

If DATEV has stored personal data about you, you can obtain information about the data stored concerning you at your request. Please inform us if we have stored inaccurate data about you or if you do not consent to certain parts of the data being stored so that we can rectify, erase, or restrict the processing of this data.

Data concerning you that you have provided to DATEV is available in a transferable format upon request.

To exercise your rights as a data subject, please contact DATEV’s Data Protection Officer, stating:

  • Your contact information
  • The rights of the data subject that you would like to exercise

9 Right to Lodge a Complaint

In the event of complaints, you can contact a supervisory authority. The Bavarian Data Protection Authority (BayLDA) is the responsible supervisory authority for DATEV.

10 Profiling and Automated Individual Decision-Making

We do partially process your data in an automated manner with the goal of assessing certain personal aspects (profiling). We do not, however, make any automated decisions based on this that have any legal effect on you or significantly affect you in a similar manner without the involvement of a person.

Should we make use of exclusively automated decision-making in individual cases in the future, we will inform you of this separately, insofar as this is prescribed by law.

11 Consequences of a Failure to Provide Data

Within the scope of our business relationship, we require the following personal data from you:

  • Data that is necessary to initiate and conduct a business relationship
  • Data that is necessary for the fulfillment of the associated contractual obligations
  • Data that we are legally obligated to collect

Without this personal data, we will not be able to enter into or execute a contract with you.

12 Right to Object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you that is based on our legitimate interests or that is carried out in the public interest.

You can object to the use of your personal data for direct marketing purposes at any time without having to provide a reason.

Updated: 25 May 2018