Data protection information for customers

We take the protection of personal data seriously and comply with data protection regulations, in particular the EU General Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”). In particular, this means that we only process personal data if we are permitted to do so by law or if the data subject has given their consent.

In this data protection information, we explain what information (including personal data) we process in connection with the business relationship between you and us.

1. Who is responsible for data processing?

Data protection officer responsible for the processing of personal data is Fels-Werke GmbH, Geheimrat-Ebert-Str. 12, 38640 Goslar, Tel.: 05321-703-0,
Fax.: 05321-703-321 , Mail: Any reference to “we” or “us” in this data protection information is a reference to the aforementioned entity.

Our data protection officer may be contacted via the aforementioned means or via

2 What data do we process?

The realisation of our business relationships requires the processing of data from our contractual partners. Insofar as this data allows conclusions to be drawn about a natural person (e.g. if you enter into a business relationship with us as a sole trader), this is personal data. Irrespective of the legal form of our contractual partner, we also process data on the contact persons at our contractual partner.

Master data:

We process basic data about our contractual partner and the contact persons and the existing business relationship with our contractual partner, which we collectively refer to as “master data”. This includes in particular

  1. all information that was provided to us when the business relationship was established or that we received from our contractual partner or a contact person (e.g. addresses, telephone/fax and mobile phone numbers, email addresses, tax numbers, bank details);
  2. the data that we have collected in connection with the establishment of the business relationship with us (such as, in particular, the details of the contracts concluded);

Progress data:

We process personal data that arises in the course of the business relationship, which may go beyond a mere change of master data and which we refer to as “historical data”. This includes in particular

  1. Information about the services provided or accepted by our contractual partner on the basis of the contracts concluded;
  2. Information about the services provided or accepted by us on the basis of the contracts concluded;
  3. Information provided to us by our contractual partner or a contact person in the course of the business relationship – either actively or in response to a request from us;
  4. personal data that we receive in any other way from our contractual partner, a contact person or third parties in the course of our business relationship.

To the extent permitted by law, we may also store personal data from third parties in addition to master data and historical data. This includes, for example, data on the economic situation of our contractual partners if this is necessary to assess economic risks such as payment defaults.

3. for what purposes and on what legal basis do we process personal data?

  1. The processing of master data and historical data is carried out for the fulfilment of existing contracts with a natural person as a contractual partner or for the implementation of pre-contractual measures on the basis of Article 6(1)(b) GDPR. Irrespective of the legal form of our contractual partner, we process master data and historical data relating to one or more contact persons in order to safeguard our legitimate interest in conducting the business relationship on the basis of Article 6(1)(f) GDPR.
  2. We may also process master data and historical data to fulfil legal obligations to which we are subject; this is done on the basis of Article 6(1)(c) GDPR. These legal obligations include, in particular, the reports to (tax) authorities that we are required to submit.
  3. Where necessary, we also process data beyond the execution of the concluded contracts and the fulfilment of legal obligations to protect our legitimate interests or the interests of third parties; this is done on the basis of Article 6 (1) f) GDPR. Our legitimate interests include
    1. Group-wide processes for the internal management of business partner data;
    2. the identification of economic risks – such as payment defaults – in connection with our business relationships;
    3. the assertion of legal claims and defence in legal disputes;
    4. the prevention and investigation of criminal offences;
    5. the management and further development of our business activities, including risk management;
  4. If we give a natural person the opportunity to give consent to the processing of personal data, we process the data covered by the consent for the purposes stated in the consent; this is done on the basis of Article 6 (1) a) GDPR.

Please note that

  1. the granting of consent to us is voluntary;
  2. the non-granting of consent or its later revocation may nevertheless be associated with consequences, about which we will inform you before granting consent, and
  3. a consent given to us can be revoked at any time with effect for the future, e.g. by sending a message by post, fax or e-mail to one of the addresses listed in chapter “1. Who is responsible for data processing?”

4. is there an obligation to provide personal data?

The provision of the data described in chapter “2. What data do we process?” is required for the establishment and implementation of the business relationship with our contractual partners, unless expressly stated otherwise by us when collecting this data. Without the provision of this data, we cannot establish and conduct a business relationship.

If we also collect personal data, we will inform you at the time of collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract. As a rule, we identify information that is provided voluntarily and is not based on any of the aforementioned obligations or is not required for the conclusion of a contract.

5 Who receives personal data?

Personal data is always processed within our company. Depending on the type of personal data, only certain departments / organisational units have access to personal data. This includes, in particular, the sales department and – in the case of data processed via the IT infrastructure – the IT department to a certain extent. A role and authorization concept limits access within our company to those functions and to the extent necessary for the respective purpose of processing.

We may also transfer personal data to third parties outside our company to the extent permitted by law. These external recipients may include in particular

  1. affiliated companies within the SigmaRoc Group to which we transfer personal data for internal administrative purposes;
  2. the service providers employed by us who provide services for us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers engaged with our consent;
  3. non-public and public authorities, insofar as we are obliged to transfer your personal data due to legal obligations.

6. is automated decision-making used?

When establishing or in the course of the business relationship, we do not use automated decision-making (including profiling) within the meaning of Article 22 GDPR. If we use such procedures in individual cases, we will inform the persons concerned separately to the extent required by law.

7. is data transferred to countries outside the EU/EEA?

The processing of personal data takes place exclusively within the EU or the European Economic Area; a transfer to other countries (so-called “third countries”) is not planned.

8 How long is personal data stored?

We generally store personal data as long as we have a legitimate interest in this storage and the interests of the data subject in not continuing the storage do not outweigh this interest.

Even without a legitimate interest, we may continue to store the data if we are legally obliged to do so (e.g. to fulfil storage obligations). We also delete personal data without the intervention of the data subject as soon as knowledge of it is no longer necessary to fulfil the purpose of the processing or the storage is otherwise legally inadmissible.

As a rule, the master data and other personal data collected in the course of the business relationship are stored at least until the end of the business relationship. The data will be deleted at the latest when the purpose has been achieved. This may only occur after the business relationship has ended. The personal data that we have to store in order to fulfil our storage obligations will be stored until the end of the respective storage obligation. As far as we store personal data exclusively for the fulfilment of storage obligations, these are usually blocked, so that they can only be accessed if this is necessary with regard to the purpose of the storage obligation.

9. what rights does a data subject have?

A data subject has the right

  1. to information about the personal data stored about them, Article 15 GDPR;
  2. to rectification of inaccurate or incomplete data, Article 16 GDPR;
  3. to erasure of personal data, Article 17 GDPR;
  4. to restriction of processing, Article 18 GDPR;
  5. to data portability, Article 20 GDPR and
  6. to object to the processing of personal data concerning you, Article 21 GDPR.
  7. to lodge a complaint with a competent supervisory authority for data protection, Article 77 GDPR.

If you have any questions or requests for changes to the use of your personal data by us, please send them – for reasons of complete and speedy processing – exclusively in writing to:

We will check and process your request immediately.

You can find our current privacy policy at: