Information sheet on handling personal data in the business relationship pursuant to Art. 13 GDPR


1. Why are you receiving this information?

Protecting your personal data is important to us. Transparency about data processing is a key principle of the EU General Data Protection Regulation (EU GDPR), which came into force on 25 May 2018. We comply with this obligation pursuant to Art. 13 et seq. GDPR and provide you with relevant information through this document.

2. Who is the data controller for your data?

Schock GmbH
Hofbauerstraße 1
D-94209 Regen, Germany

3. Who is the company's Data Protection Officer?

Omnis Consulting GmbH,  
Ernst Buchner
Innere Passauer Straße 2,  
94315 Straubing, Germany

4. What do we use your data for?

Your data will be processed within the framework of the contractual relationship or the process of initiating such a relationship (quotation phase). Processing includes collecting, storing, using, modifying and deleting data, among other things. 

5. Which data do we process from you?

The required data includes in particular your master data, such as your title, first name, surname, and also of other contact persons in the company, if applicable, as well as your contact data, such as a valid email address, complete postal address, other postal address details, if applicable, telephone number (landline and/or mobile phone) and further information like tax numbers, VAT ID number, bank details and turnover data as well as information that is necessary for the performance of the respective contractual relationship.

6. How do we receive your data?

We process the data that we have received from you in the course of our business relationship, data provided by our commercial agents, and data that we have collected from publicly accessible directories (e.g. commercial register).

7. Who has access to your data and how is it secured?

Your personal data will be transferred within the company to those departments that need it to fulfil our pre-contractual, contractual and legal obligations.

Your personal data will not be transferred to third parties for purposes other than those listed below.  

Insofar as this is necessary for the fulfilment of contractual relationships with you in accordance with Art. 6(1)(1)(b) and (f) GDPR, your personal data will be passed on to third parties. This will be passed on to our tax advisor, auditor, and lawyers in order to collect receivables and, if necessary, to enforce claims in court in the context of financial accounting; to freight forwarders and logistics service providers (drop shipping) in order to fulfil existing delivery obligations; to credit institutions, credit insurers and providers of payment services to settle and process payments; public authorities in justified cases, e.g. the tax authorities; IT service providers to maintain our IT infrastructure and data backup. This will also be passed on to public bodies and institutions, such as the police/public prosecutor's office, or supervisory authorities in the event of a corresponding request, taking into account the legal basis.

When ordering on account (customers) or granting a down payment (suppliers), we may carry out an assessment of the credit risk on the basis of mathematical-statistical procedures implemented by a credit agency (scoring). For this purpose, the personal data required for the credit assessment (name and address) is transferred to the credit agency. Based on this information, a statistical probability of a credit default and thus your inability to pay is calculated, which may affect the agreement of the contract conditions.

We use Microsoft 365 and Microsoft Teams as part of normal office communication and for telephone conferences, online meetings and/or video conferences. If we record online meetings, we will tell you before we start and – where necessary – ask for verbal consent. If you do not wish to be recorded, you can leave the online meeting.

If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content.

Microsoft 365 and Microsoft Teams are a service provided by Microsoft Ireland Operations, Ltd. To this effect, we have concluded an order processing agreement with the provider.

Different types of data are processed when using “Microsoft Teams”. The scope of the data also depends on the data you provide before or during participation in an “online meeting”.

The following personal data are subject to processing:

• Information about the user: Display name, email address, profile picture (optional), preferred language

• Meeting metadata: e.g. date, time, meeting ID, phone number, location

• Text, audio and video data: You may have the option to use the chat function in an online meeting. In this case, the text entries you make are processed in order to display them in the online meeting.

To enable the video display and audio playback, data from your end device's microphone and from a video camera on the end device are processed during the meeting. You can switch off the camera or mute the microphone yourself at any time via the “Microsoft Teams” apps.

If there is no contractual relationship with you, the legal basis for processing your personal data is Art. 6(1)(f) GDPR. Here our interest is in conducting online meetings effectively.

We also fulfil the obligation to regularly check whether you are listed on a counter-terrorism sanctions list. For this purpose, we regularly enter your full name and address data into a portal of a third-party service provider. This is necessary because, according to European regulations EC No. 881/2002 and EC No. 2580/2001, within the framework of the fight against terrorism, we must ensure that persons on the list associated with the regulation do not directly or indirectly provide money or economic resources to terrorists (the legal basis is therefore Art. 6(1)(1)(c) GDPR. If there is a match, we will inform you immediately. On the basis of your voluntary consent, provided you have expressly given us your consent for specific purposes (Art. 6(1)(1)(a) GDPR). Data are only passed on within the company to those departments that need them to fulfil these obligations.  

Processors used by us (Art. 28 GDPR) may also receive data for these purposes. These are companies that fall within the categories of IT service providers for maintaining our IT infrastructure and data backup, telecommunications, data destruction, travel expense management, sanctions list audit, marketing and consulting.

Within the scope of our collaboration, we use a CRM system provided by the company Salesforce Inc. based in the USA. Salesforce Inc. also operates servers within the EU, but it cannot be ruled out that data in this context will be transferred to a third country (e.g. the USA) and processed there or that your data stored within the EU will be accessed from third countries. An order processing contract in accordance with Art. 28 GDPR, which includes EU standard contractual clauses to ensure an appropriate level of data protection, has been concluded with Salesforce Inc.

The data disclosed may be used by the third party exclusively for the purposes stated.

8. Third country

Your data will not be transferred to a third country unless you are based in a third country.

If personal data are processed by processors selected by us for support purposes outside the European Economic Area (EEA), the processing will only take place if the third country has been confirmed by the EU Commission as having an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place.  

9. On what legal basis do we process your data?

The data processing is carried out in response to your request and is necessary according to Art. 6(1)(1)(b) GDPR for the aforementioned purposes for the appropriate processing and the mutual fulfilment of obligations arising from the contract.  

Processing of your data is necessary for the purpose of fulfilling various legal obligations, e.g. from the German Commercial Code or the German Fiscal Code for the fulfilment of legal obligations (Art. 6(1)(c) GDPR).

Based on a balancing of interests, data processing may take place beyond the actual fulfilment of the contract in order to protect our legitimate interests or those of third parties (Art. 6(1)(f) GDPR). For example, data processing for the purpose of safeguarding legitimate interests takes place in the following cases: - Advertising or marketing (see Clause 9), - Measures for business management and further development of services, - In the context of legal prosecution.

10. Processing of personal data for advertising purposes

You can object to your personal data being used for advertising purposes at any time, either in whole or for individual measures, without incurring any costs other than the transmission costs according to the basic rates. Under the legal conditions of Section 7(3) of the German Act on Unfair Competition (UWG), we are entitled to use the email address you provided when concluding the contract for direct advertising relating to our own similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter. If you do not wish to receive these recommendations from us by email, you can object to us using your address for this purpose at any time without incurring any costs other than the transmission costs according to the basic rates. A written notification is sufficient for this purpose. Of course, an unsubscribe link is always included in every email.

11. How long will your data be stored?

The personal data collected by us for the purpose of implementing the business relationship will be stored until the statutory storage obligation expires and then deleted, unless we are obliged to store it for a longer period in accordance with Article 6(1)(1)(c) GDPR due to tax and commercial law storage and documentation obligations (from the German Commercial Code, German Criminal Code or German Tax Code) or you have consented to storage beyond this in accordance with Article 6(1)(1)(a) GDPR.

12. What applies to automated decision-making?

We do not carry out automated decision-making based on your data or automated processing, evaluation and prediction of certain aspects of your person (profiling).

13. What rights do you have?

a. Right to information

You have the right to information and the right to obtain an electronic copy of your personal data.

b. Right of rectification

You have the right to have your personal data rectified if it is inaccurate. This right includes the right to have your personal data completed if it is incomplete.

c. Right to erasure (right to be forgotten)

You have the right to have your personal data deleted, in particular if the data are no longer necessary for fulfilling the purpose for which they were collected. This right also exists insofar as the underlying legal basis was ineffective from the outset or its effectiveness subsequently lapsed.

d. Right to restrict processing

You have the right to restrict the processing of your personal data if the accuracy of these data is disputed by you, - You do not want the personal data to be deleted and instead request that their use be restricted, - The data controller no longer requires the personal data for the underlying purposes, - You need these data to assert, exercise or defend legal claims, - You have objected to the processing of the personal data pursuant to Article 21(1) of the GDPR and it has not been determined or has not yet been determined whether the data controller’s legitimate interests outweigh those of the data subject.  

e. Right to data portability

You have the right to receive your personal data, if you have provided these to us, in a structured, common and machine-readable format. Where these data are processed on the basis of consent or for the performance of a contract, you also have the right to have us transfer these data to a third party, provided this is technically possible.

f. Right to object

You have a right to object to the processing of your personal data on grounds relating to your particular situation at any time. This right exists insofar as the data processing is based on Article 6(1)(f) GDPR (data processing for the protection of legitimate interests).

g. Right to complain to the supervisory authority

You have the right to lodge a complaint with the competent data protection supervisory authority:

Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision)
Promenade 27
91522 Ansbach, Germany


To exercise your rights, please contact the company by letter or email at

The processing of your data is necessary to conclude or fulfil the contract you have entered into with us. If you do not provide us with these data, we will usually have to refuse to conclude the contract or will no longer be able to perform an existing contract and consequently have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that are not relevant for the performance of the contract or that are not required by law.


Information last updated: This information was last updated on 06/06/2023.