Data Privacy Information for Business Partners

osapiens Holding GmbH and its affiliated companies within the meaning of Section 15 of the German Stock Corporation Act (AktG) (hereinafter also referred to as the "osapiens Companies"[1], "we" or "us") have set themselves the goal of constantly improving the service and information offered to our business partners, including suppliers, customers or interested parties, in order to contribute to the success of the company on both sides. Within the scope of a business relationship and in times of increasing globalization, personal data (hereinafter referred to as "data") are regularly used and processed by us. We take the protection of your data very seriously and take this into account in all our business processes. In doing so, we comply with the applicable legal rules on data protection. In the following, you will receive a detailed overview of how we process your data. We ask you to also make this data protection information available to your employees who are in business contact with us.

Data means all personal data within the meaning of Article 4 No. 1 of the EU General Data Protection Regulation (GDPR) relating to an identified or identifiable natural person that you provide to us as a business partner during our business relationship. With this data protection information, we inform you about the nature, scope and purposes of the collection of data by us and how we handle this data. In addition, you will learn what rights you have regarding the processing of your data.

Controller and data protection officer:
Responsible for the processing of your data is the Osapiens Company[1] with which you are in business contact or an ongoing contractual business relationship or the initiation of such.

For all data protection issues, you can reach the Osapiens Company:

- at our central business address for data protection issues
Julius-Hatry-Strasse 1, 68163 Mannheim, Germany
with the addition "data protection"

or

- by e-mail at dataprotection@osapiens.com

osapiens Holding GmbH, osapiens Services GmbH, osapiens Hub GmbH, osapiens AssetOps GmbH, osapiens COE Spain S.L and fTRACE GmbH have appointed a data protection officer in accordance with legal requirements.

Data Protection Officer of these companies is:
TÜV SÜD Akademie GmbH
Larissa Bichert, certified data protection expert
Westendstraße 160, 80339 Munich, Germany

You can also reach the data protection officer centrally at our above-mentioned e-mail address (dataprotection@osapiens.com).

Where does your data come from and what data is processed?

We process your data in accordance with the principles of data protection law only to the extent that it is necessary, we are permitted to do so by applicable legal requirements, or we are obliged to do so.

Unless stated otherwise below, the terms "process" and "processing" also include the collection, use, storage, disclosure and transfer of data (Art. 4 No. 2 GDPR).

In principle, the provision of your data is voluntary. However, for the conclusion and implementation of the business relationship, it is mandatory to process certain data about you or your company.

We process the data we receive from you in the course of our business relationship, i.e. either on the basis of a contractual relationship with you, or your company (such as the purchase and sale of products, services, works services, rights of use, etc.), a pre-contractual contact or any other inquiry on your part (e.g. via the Internet, by e-mail or telephone or on the occasion of a trade fair or product event).

In addition, to the extent necessary for the fulfilment of our contractual or legal obligations, we process your data that we permissibly obtain from publicly accessible sources (such as commercial and association registers, the press, the Internet) or are legitimately provided by other third parties (e.g., a credit agency).

Relevant data are in particular:

  • Contact details of the contact person(s) at the business partner and business address;
  • Communication data, such as telephone number and e-mail address;
  • Banking and billing information of our current and prospective business partners;
  • Tax number/USt ID of our current and prospective business partners;
  • Order data, such as sales data or business partner history; and
  • Name and business address of directors and shareholders, company representatives, to the extent that this information is available from public sources and the Commercial Register.


We typically use and store the following categories of your business and/or personal information:

  • Salutation;
  • First and last name;
  • Postal address;
  • E-mail address;
  • Landline number, mobile number and fax number; and
  • Occupation, position, title and academic degree.


What is my data used for (purpose of processing) and on what basis (legal basis) does this happen?

For the fulfilment of contractual obligations
We process your data primarily for the fulfilment of contracts with you, or your company, or for the implementation of pre-contractual measures (Art. 6 (1) (b) and (f) GDPR) upon request. In the context of our business relationship, you must provide those data that are necessary for the establishment, implementation and termination of a business relationship and for the fulfilment of the associated contractual obligations or which we are required to collect by law. Without this data, we will generally not be able to conclude a contract with you, to execute and terminate it, and to take pre-contractual measures to conclude a contract with you at your request. If you do not provide us with the necessary information and documents, we will not be able to establish or continue the business relationship you have requested.

Processing due to legal requirements
In addition, we process your data insofar as this is necessary for the fulfillment of legal obligations (Art. 6 para. 1 letter c) GDPR).

Processing based on a legitimate interest
In addition, we process your data insofar as this is necessary to protect the legitimate interests of us or a third party (Art. 6 para. 1 letter f) GDPR). This could include the following cases:

  • Provision of information, invitations to events and other measures to describe our performance and our products;
  • Assertion of legal claims and defense in legal disputes;
  • Measures for optimizing our business processes, such as maintaining a supplier database or a "customer relationship management" database;
  • For the purpose of advertising products or promotions (with trading partners);
  • Measures to ensure operational safety and business management;
  • For matching with European and international embargo lists;
  • Credit checks; and
  • Collection of debts, also within the framework of assignments of collection agencies.


Recipients of your data and place of processing

Within the framework of our business relationships, those who need to access your data to fulfil our contractual and legal obligations and to carry out our internal processes (e.g., sales, purchasing, logistics, financial accounting, HR) will have access to it. The employees authorized to access the data are obligated to maintain confidentiality and to protect business and trade secrets as well as data privacy.

To the extent necessary, we also share your data with other companies affiliated with us within the meaning of Section 15 of the German Stock Corporation Act (AktG), which may process it for their own purposes as controllers. Your data is only accessible to authorized persons and / or departments that have a legitimate reason to access and process this data for the above-mentioned purposes.

We use order processors to provide special services. The transfer of your data to them is carried out in strict compliance with the obligation of confidentiality and the requirements of the GDPR. The processors commissioned by us, who may only process the data for us and not for their own purposes, are obliged to comply with the requirements of the GDPR. In these cases, the responsibility for data processing remains with us.

Recipients of your data may be, for example:

  • Public bodies and institutions (e.g., tax authorities, law enforcement agencies) in the event of a legal or regulatory obligation;
  • Insolvency administrator or creditors inquiring due to foreclosure;
  • Auditors on the occasion of the audits of the annual financial statements;
  • Service providers that we use in the context of order processing relationships to provide services, the provision of tools or other services; and
  • Affiliated companies within the group of companies as defined in sections 15 et seq. of the German Stock Corporation Act (AktG).


To the extent that these data recipients (affiliated companies or external entities/companies) are located in countries outside the EU and the EEA that have not been recognized by the European Commission as having an adequate level of data protection, we will ensure that adequate safeguards are in place to ensure such a level of data protection, such as by entering into EU standard contractual clauses of the European Commission with the respective data recipients.

How long will your data be stored?

We process and store the data of our business partners as long as this is necessary for the fulfillment of our contractual and legal obligations arising from the existing business relationship. If your data is no longer required for the fulfillment of contractual or legal obligations, it is regularly deleted, unless its temporary further processing is necessary for the fulfillment of commercial and tax retention obligations resulting from the German Commercial Code (HGB) and the German Fiscal Code (AO) (retention periods or documentation periods are, for example, ten years for accounting documents and six years for commercial or business letters) or for the preservation of evidence within the statutory limitation periods (these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years).

In addition, we will retain your data for as long as necessary for other relevant processing purposes specified in this information.

Your rights (data subject rights)

You have extensive rights regarding the processing of your data.

Right to information: You have the right to information about the data stored by us, for what purpose the processing takes place and how long the data is stored (Art. 15 GDPR). This right is limited by the exceptions of § 34 German Federal Data Protection Act (BDSG), according to which the right to information does not apply if the data is stored only due to legal storage requirements or for data security and data protection control, the provision of information would require a disproportionate effort and a misappropriation of data processing is prevented by appropriate technical and organizational measures.

Right to rectify inaccurate data: You have the right to request that we rectify the data concerning you without delay if it is inaccurate (Art. 16 GDPR).

Right to erasure: You have the right to demand that we erase the data concerning you in accordance with the requirements of Art. 17 GDPR. These prerequisites exist in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have revoked consent without the data processing being able to continue on a different legal basis, d) you successfully object to the data processing, or e) in cases of the existence of an obligation to erase based on the law of the EU or an EU member state to which we are subject. This right is subject to the restrictions set out in Section 35 of the BDSG, according to which the right to erasure may be waived if, in the case of non-automated data processing, there is a disproportionate effort for erasure and your interest in erasure is to be regarded as low.

Right to restriction of processing: You have the right to request restriction of the processing of your data (Art. 18 GDPR). This right exists if a) the accuracy of the data is disputed, b) you request restricted processing instead of deletion under the conditions of a legitimate request for deletion, c) the data is no longer necessary for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.

Right to data portability: You have the right to obtain from us the data concerning you that you have provided to us in a structured, common, machine-readable format (Art. 20 GDPR), unless it has already been deleted.

Right to object: You have the right to object to the processing of data relating to you at any time on grounds relating to your particular situation (Art. 21 GDPR). We will stop processing your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the purpose of asserting, exercising or defending legal claims.
According to Art. 7 (3) GDPR, you have the right to revoke your consent at any time. The revocation does not affect the lawfulness of the processing carried out based on the previous consent. The only consequence of the revocation is that we may no longer continue the data processing based on this consent for the future. However, please note that we may not be able to provide certain services or additional services if we are not able to process the data required for this purpose.

Right in relation to automated decision making: You have the right (Art. 22 GDPR) not to be subject to automated decision making, including profiling, that has legal consequences for you or causes similar significant effects. We generally do not use automated decision making or profiling. However, if you have been subjected to automated decision making and do not agree with the outcome, you may contact us in the ways set out below and ask us to review the decision.

Right to complain to the supervisory authority: You have the possibility to contact the above-mentioned data protection officer or a data protection supervisory authority if you believe that the processing of data concerning you violates the GDPR.
If you submit a request for information and there is doubt as to your identity, we may request information from you that will enable us to satisfy ourselves as to your identity.

[1] osapiens Companies are osapiens Holding GmbH, osapiens Services GmbH, osapiens Hub GmbH, osapiens AssetOps GmbH, osapiens Network GmbH, osapiens BrandOS GmbH (all of the aforementioned companies based in Mannheim), osapiens COE Spain S.L (based in Madrid), oneIDentity+ GmbH (based in Munich) and fTRACE GmbH (based in Cologne).