Data protection information

Data protection information

To access the data privacy statement of Brauerei C. & A. Veltins GmbH & Co. KG please click here.

Data protection information for customers, suppliers and other data subjects

The information below is designed to give you an overview of how we process your personal data and your rights under data protection law. The data that we process in each individual case and how it is used depends largely on the commissioned and agreed services. As a result, not all parts of this information will apply to you.

Who is responsible for data processing, who is my point of contact?

The party responsible, the “controller” is

Brauerei C. & A. VELTINS GmbH & Co. KG
An der Streue
59872 Meschede-Grevenstein
Tel.: +49-2934-959-0
Fax: +49 -2934-959-493

You can contact our company data protection officer at:

Brauerei C. & A. VELTINS GmbH & Co. KG
Datenschutzbeauftragter (Data protection officer)
An der Streue
59872 Meschede-Grevenstein

Which sources and data do we use?

We process personal data that we receive from our customers, competition participants, website visitors, employees, former employees and other data subjects in connection with our business activities and in accordance with various other legal bases, in particular declarations of consent. In addition, we process – to the extent necessary for the provision of our services/the fulfilment of (pre- and post-) contractual obligations – personal data which we legitimately receive or collect from publicly accessible sources (e.g. debtor registers, land registers, commercial and association registers, the media, the Internet, etc.) or which is legitimately transmitted to us by other companies or by other third parties.

Relevant personal data includes, by way of example:

  • personal master data (name, address and other contact details, possibly date and place of birth, as well as nationality),
  • in special cases, identification data relating to the personal master data (e.g. ID card data) and
  • if necessary, authentication data (e.g. specimen signatures).

In addition, relevant personal data may also include order data (e.g. payment instruction data), bank data (e.g. account details, IBAN, BIC), data from the fulfilment of our contractual obligations, advertising/sales data, documentation data (e.g. log of your enquiry) and other data comparable to the categories mentioned above.

For what purpose do we process your data and what is the legal basis for the processing operations?

We process personal data in accordance with the provisions of the valid legislation, in particular the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

a) If you have granted us your consent to data processing, then the processing is legal in accordance with Article 6 (1a) GDPR.
It goes without saying that the data will only be processed for the purposes for which you have granted your consent. These are usually specific purposes for passing on information (e.g. newsletters, advertising, etc.), your participation in a competition, a scenario in which you contact us, your communication of your data (e.g. handing over business cards, a scenario in which you contact us), photographs taken at events, data transmission in connection with events and other possible ways in which you have transmitted your personal data to us for processing.

Consent that you have granted can be revoked at any time. This also applies to the revocation of declarations of consent that you submitted to us before the GDPR came into force, i.e. before 25 May 2018. The revocation of consent is only effective for the future and does not affect the legality of the data processed up until the revocation.

b) In order to fulfil pre-contractual and post-contractual obligations, data processing is carried out in accordance with Article 6 (1b) GDPR.
Data is processed in order to perform one or more agreements to which you are party. Data processing may also be necessary for pre-contractual measures to be taken at the request of the data subject. The performance of the agreement also includes post-contractual obligations, insofar as these necessitate the processing of personal data.
The purposes of data processing are based primarily on the specific agreement, the respective contractual request and the other legal relationship between you and us, and may be based on a wide variety of contractual purposes and provisions. To this end, we can also make use of various requirements analyses, any advice and the execution of transactions. You can find further details on the data processing purposes in the relevant contractual documents and terms and conditions of business.

c) If data processing is necessary to fulfil a legal obligation to which we are subject, data processing is lawful in accordance with Article 6 (1c) GDPR.
Like all companies, we are subject to various legal obligations, i.e. statutory requirements arising from supervisory law, tax law, general regulatory law, data protection law, food law and other relevant areas of law. As we naturally have to comply with these statutory requirements, we cannot rule out a scenario in which your data will also be collected and processed for such purposes. This statutory obligation also affects your data indirectly, which is why your rights in this regard are limited by law.

d) If necessary, we will continue to process your data even after the actual performance of the agreement in order to safeguard our legitimate interests or those of third parties.
Examples in this regard include:

  • Review and optimisation of procedures for requirements analysis so that we can approach customers directly;
  • Advertising or market/opinion research as long as you have not objected to the use of your data;
  • Assertion of legal claims and defence in legal disputes;
  • Ensuring IT security and IT operations;
  • Prevention and investigation of criminal offences;
  • Measures for building and system security (e.g. access control);
  • Measures to secure domiciliary rights;
  • Measures for business management and the further development of services and products;
  • Risk management measures;
  • Measures to ensure compliance with food law obligations;
  • Measures to ensure due and proper business operations;
  • Measures to support sport (e.g. contacting clubs, sponsorship);
  • Measures for product and sales optimisation;
  • Measures to support the press;
  • etc.

Who receives my data?

Within the brewery, only those departments that require your data to fulfil the purposes specified will have access to your data.
Service providers and vicarious agents used by us, in particular contract data processors in accordance with Article 28 GDPR, may also receive data for these purposes if they comply with the data protection law provisions.
These include, in particular companies operating in the following areas:

  • Services,
  • IT services,
  • Logistics,
  • Banking,
  • Telecommunications services,
  • Collection services,
  • Management consultancy and legal advice,
  • Sales,
  • Marketing and
  • other outsourced activities.

In principle, data is not transmitted to such companies in the legal sense of the term, as contract data processing agreements have been concluded with these companies in accordance with Article 28 GDPR. As a result, the companies are not third parties within the meaning of the law, but are assigned to the brewery, i.e. to us, within the context of data processing. As a result, data is not transmitted unless expressly permitted by law or legitimised by your consent.

Will data be transmitted to a third country or an international organisation?

In principle, no data is transmitted to entities in countries outside the European Union or European Economic Area (EEA), known as “third countries”.
In exceptional cases, it may be necessary to transmit data to such third countries insofar as this is required for the execution of your orders/agreements, if such transmission is required by law (e.g. tax reporting obligations) or if you have granted us your consent.
Should a data transmission process to such third countries be established, we will, of course, inform you accordingly.

How long will my data be stored for?

We process and store your personal data for as long as is necessary in order to fulfil our contractual and statutory obligations. Within this context, it is important to note that some business relationships are structured as “continuing obligations”, which are designed for the long term. Your data will then also be processed and, in particular, stored for the duration of such contracts.

On the other hand, of course, the following applies:
If the data is no longer required in order to fulfil contractual or statutory obligations, then it will be erased at regular intervals, unless its – temporary – further processing is required to fulfil statutory obligations or safeguard legitimate interests. These include, in particular:

  • The fulfilment of commercial and tax law retention obligations which may arise, for example, from:
    • the German Commercial Code (HGB),
    • the German Tax Code (AO),
    • the German Banking Act (KWG),
    • the German Money Laundering Act (GWG),
    • the General Data Protection Regulation (GDPR),
    • the German Federal Data Protection Act (BDSG),
    • general food law,
    • general civil law,
    • etc.

    The retention/documentation periods specified in the legislation can generally be 2-10 years.

  • Conservation of evidence as part of the statutory statutes of limitation. In accordance with sections 195 et seq. of the German Civil Code (BGB), these limitation periods can amount to up to 30 years, for example, although the standard limitation period if 3 years.

What are my rights?

Every data subject has the following rights:

a) the right to information pursuant to Article 15 GDPR,
b) the right to rectification pursuant to Article 16 GDPR;
c) the right to erasure pursuant to Article 17 GDPR,
d) the right to the restriction of processing pursuant to Article 18 GDPR;
e) the right to object pursuant to Article 21 GDPR and
f) the right to data portability pursuant to Article 20 GDPR

In addition, there is a right to lodge a complaint with a responsible supervisory authority, Article 77 GDPR in conjunction with section 19 BDSG.

You can revoke consent you have granted to the processing of personal data vis-à-vis us at any time. This also applies to the revocation of declarations of consent that you submitted to us before the GDPR came into force, i.e. before 25 May 2018. Please note that revocation is only effective for the future. Processing operations performed before the revocation are not affected.
Please do not confuse your right of revocation with regard to the consent with the right to object under Article 21 GDPR. If processing by us is carried out pursuant to Article 6 (1e) or (1f) GDPR (requirement to perform of a task carried out in the public interest, in the exercise of official authority or to safeguard our legitimate interests or those of a third party), you may object to the processing of personal data relating to you at any time. We are then obliged to no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the processing, establishment, exercise or defence of legal claims. Details can be found in the following information box.

Version dated May 2018

Information on your right to object in accordance with Article 21 GDPR

Right to object in individual cases

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions.
If we use personal data for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
If you object, we shall no longer process your personal data unless we demonstrate compelling ranking grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Recipient of an objection

The objection can be made without adhering to any formal requirements indicating your name, your address and your date of birth and should be addressed to:
Brauerei C. & A. VELTINS GmbH & Co. KG
An der Streue
59872 Meschede-Grevenstein
Tel.: +49-2934-959-0
Fax: +49 -2934-959-493
(where appropriate, for the attention of our data protection officer).

In the event that your declaration of consent is revoked, we also ask you to contact us using the contact details set out above.