Privacy Policy for Business Partners, Customers and third parties

1) General information

As a rule, the personal data of yours that we collect is obtained directly from you.

However, it may also be necessary to process personal data that we obtain from other companies, authorities, customers, potential claimants or injured parties or opposing parties in the event of legal disputes, etc., or other third parties, such as credit agencies, tax offices and the like. This may include personal data that we obtain through our whistleblower channels about potential compliance violations or in the context of compliance investigations.

Relevant personal data may include: personal details (e.g., first name, last name, address and other contact details, date and place of birth and nationality), identification and authentication data (e.g., commercial register excerpts, I.D. data, specimen signature), data within the scope of our business relationship (e.g., payment data, data on orders), creditworthiness data, data on corporate and ownership structure, photos and videos (e.g., with deliveries of goods) and other data comparable to the aforementioned categories.

You may elect to communicate with us by e-mail or mail. For technical reasons, e-mail communications may be unencrypted.

2) Controller Within the Meaning of Article 4(7) GDPR

The controller responsible for data processing within the meaning of Article 4(7) GDPR is the company named in the e-mail signature or in the letterhead or the company with which you are initiating or entertaining a business relationship. Depending on the circumstances, it may be a joint controller with one or more other Schwarz Group companies.

If you as a citizen/customer of our contractual partner contact us, your matter will be processed by the PreZero company responsible in the given case.

If you contact us regarding the "PreZero SPOT in cooperation with Packaging Cockpit" tool, PreZero Dual GmbH, Stiftsbergstraße 1, 74172 Neckarsulm, Germany, is the responsible data controller.

The office responsible for handling reports received via our reporting channels on potential compliance violations is the office that is indicated to you as the data recipient when the report is submitted.

3) Purposes and Legal Bases of Processing

a) Visiting this Website

When you visit this website, log files are generated containing the following information:

• The website from which you visit our site;
• The IP address;
• The date and time of access;
• The client request;
• The http response code;
• The data volume transmitted;
• The information about the type of browser and operating system you are using.

Recipients/Categories of Recipients

Each time that a user accesses this website and each time a file is accessed, we, and in some cases, third parties save log files documenting this process; this serves exclusively to protect our systems and to prevent improper and/or fraudulent behavior.

Storage Time/Criteria for Determining Storage Time:

Storage time is 7 days.

b) For the Performance of Contractual Obligations (Article 6(1)(b) GDPR)

The purposes of processing follow from the need to take steps prior to entering into a contract, in advance of a contractual business relationship and to perform obligations under an existing contract.

c) For Compliance with a Legal Obligation (Article 6(1)(c) GDPR)

The purposes of processing follow from statutory requirements in the individual case. Such legal obligations include, e.g., complying with retention and identification obligations, e.g., in the context of anti-money laundering requirements, tax monitoring and reporting requirements and data processing in the context of requests from authorities.

d) For the Purposes of Legitimate Interests (Article 6(1)(f) GDPR)

It may be necessary to process your personal data beyond the actual performance of the contract. Legitimate interests in this case include, in particular, selecting suitable business partners, conducting research on prospective business partners, e.g., to ensure that compliance requirements and the like are met, including one-off checks against EU sanctions lists (see EC Regulations No 2580/2001 and No 881/2002) beforehand and in cases of doubt involving the processing in particular of name/company name, registered office and sector as well as ad hoc checks against sanctions lists for other countries, asserting legal claims, defending against liability claims, avoiding legal risks and financial detriment (including for third parties), protecting our IT infrastructure, managing system access authorizations, data access controls, other internal administrative purposes (such as optimizing processes and workflows, ensuring data quality), sending the invitation to provide feedback you previously agreed to provide about your contact at the companies of Schwarz Group, if necessary, obtaining feedback from our employees on the services provided by you (e.g. training and seminars), conducting and facilitating communication (e.g. web meetings, telephone, etc.) and  contact via our Group-wide user directory, clarifying potential compliance violations, preventing crimes and settling claims arising out of the business relationship.

If you report potential compliance violations to us, we also process this information on the basis of Article 6(1)(f) GDPR. Our legitimate interest lies in investigating potential compliance violations.

At the time of contracting, we occasionally obtain data on your credit history from credit agencies to serve the aforementioned legitimate interests. We use the credit history information from the credit agencies to assess your creditworthiness. Credit agencies store data that they receive from banks or companies, for example. Such data includes in particular last name, first name, date of birth, address and information on payment history. Information on the data stored about you can be obtained directly from the credit agencies.

If you provide us with your e-mail address in connection with the sale of a product or service, you will receive information about similar PreZero products or services on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, within the boundaries of § 7 (3) UWG (Act against unfair competition). You can object to this use of your e-mail address at any time by replying to one of the e-mails or by contacting the address given in the e-mail as the contact address, without incurring any costs other than the transmission costs according to the basic tariffs. If you accept our offer of contract by means of digital signature (e.g., Adobe Sign), we process your data, such as in particular e-mail address, IP address as well as the time and date of any modifications you make to the respective contract document, for instance when you approved, displayed or digitally signed it. We have a legitimate interest in ensuring that the process for signing contracts digitally is fast and efficient and that the signing process can be logged for verification purposes. Certain contracts may also be signed using a so-called qualified electronic signature. In this case we also process the certificate data associated with your signature in addition to the aforementioned data. We have a legitimate interest in being able to verify whether you are able to provide a valid qualified electronic signature serving to replace any written form prescribed by statute. To use a qualified electronic signature, you must independently register with a trust service provider (e.g., D-TRUST/Bundesdruckerei). When you register, the respective provider will process your data under its own responsibility and not on our behalf, however.

If you, as an employee of a business partner company that provides services for PreZero using the Frontify platform, have a Frontify account, your business contact data provided there as well as the account user data will be processed on the basis of legitimate interests.

If you as a citizen/customer contact PreZero by mail, e-mail, telephone or contact form with a concern, we will use your contact data (in particular name, address, e-mail address, telephone number) and any other substantive information you provide us with, to classify and respond to your request if necessary.

In addition, we occasionally process personal data to document key milestones and events in the development of the companies of Schwarz Group in order to chronicle its corporate history.

Furthermore, we process your personal data in the context of complaints cases, legal disputes, insurance claims and similar circumstances in which you are directly or indirectly involved, e.g. as a lawyer, expert, treating doctor or health insurance company of possible claimants or injured parties or opposing parties.

If your counterparty has commissioned PreZero Service Deutschland GmbH & Co. KG to process the data of yours set out below, it will process the contact details (first name, last name, e-mail address, work telephone/fax number, company address) of contact persons at customers, prospective customers, suppliers and other business partners for communication by e-mail (e.g., in the context of sending e-invoices, offers, contractual e-mail communication), telephone, fax and mail. The legal basis for the processing is Article 6(1)(f) GDPR. We have a legitimate interest in initiating and performing the business relationship with our customers, prospective customers, suppliers and other business partners and maintaining personal contact with contact persons.

In the context of using our tool for e-invoicing and sending automated offers, our service provider SC-Networks GmbH, Würmstraße 4, 82319 Starnberg, Germany is given access to your aforementioned data subject to strict instructions. A data processing agreement has been entered into.

We store personal data for the purpose of performing business relationships only for as long as this is necessary to achieve the stated purpose, unless statutory retention periods require that the data be retained longer.

e) On the Basis of your Consent (Article 6(1)(a) GDPR)

 When you subscribe to our newsletter or give your consent to receive marketing e-mails, the company specified in the newsletter registration and in the newsletter is the controller.

If you consent to receive our newsletter or marketing e-mails, .

We also use a tracking pixel in our newsletter and marketing e-mails to record your usage behavior (receipt, opening, clicking on links) and store this in your personalized user profile in order to evaluate and optimize our newsletter and marketing e-mails.

The legal basis for the aforementioned processing is your consent pursuant to Article 6(1)(a) GDPR, section 25 (1) sentence 1 of the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TDDDG).

To ensure that no mistakes are made when entering the e-mail address, we use the "double opt-in" procedure: once you enter your e-mail address in the registration field, we will send you a confirmation link. Your e-mail address will not be added to our distribution list until you click on the confirmation link.

You can withdraw your consent at any time with effect for the future by clicking on the link at the bottom of every marketing e-mail or newsletter to unsubscribe from our advertising e-mail communication.

When you unsubscribe, we consider your consent to receiving our newsletter and marketing e-mails and the recording of your usage behavior as withdrawn. You will then no longer receive any newsletters or advertising e-mails from us and we will delete your usage data. Any such withdrawal of consent shall not affect the lawfulness of data processing prior to receiving the notice of withdrawal.

If you have consented to receiving the newsletter or advertising e-mails from PreZero Service Deutschland GmbH & Co KG, our service provider SC-Networks GmbH, Würmstraße 4, 82319 Starnberg, Germany will be given access to your aforementioned data (e.g., e-mail address, behavior tracking, usage behavior, etc.) subject to strict instructions. A data processing agreement has been entered into. Your e-mail address and your name and your usage data will be deleted as soon as you unsubscribe from our newsletter/marketing e-mails. For verification purposes, we store the record of your consent for a period of three years from the date on which you withdraw your consent.

4) Who Receives the Personal Data You Provide to Us?

Within our company, access to the data provided by you will be granted to those departments that require such data for the purposes of performing contractual obligations, complying with legal obligations or serving legitimate interests. Processors or service providers may also be given access to your personal data in the context of contractual relationships and in order to fulfill statutory obligations and safeguard legitimate interests. This includes in particular service providers who help us to improve our data quality. Their compliance with data protection requirements is ensured by contractual agreement.

In addition, the data may be transferred to companies of Schwarz Group for purposes of performing contractual obligations.

To fulfill statutory obligations and safeguard legitimate interests when we process reports of potential compliance violations, access to the personal data you provide in this connection may also be provided to processors, authorities, companies within the Schwarz Group or service providers. We are legally required to notify the persons accused that we have received a report concerning them as soon as providing such information no longer hampers the continued investigation of such reports. Your identity as a whistleblower will be protected in accordance with the relevant statutory provisions. In the case of contracts executed by digital signature, your data is also accessible to all persons involved in the approval and signing of the contract, as they receive a log after the contract has been signed indicating all processing steps, including e-mail address, IP address, date and time. Your data may also be accessible to the respective service providers that we use for the relevant digital signature procedure. In the case of Adobe Sign, this would be Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West, Business Campus, Saggart D24, Dublin, Ireland. If a qualified electronic signature is used to execute digital contracts, your data will also be accessible to D-Trust GmbH, Kommandantenstraße 18, 10969 Berlin, Germany, which is the provider responsible for checking the validity of the signature.

In addition, in connection with your customer's/citizen's request, the necessary data may be transmitted to the relevant contracting party of PreZero who is responsible for your concern (waste management company) if doing so is necessary to process your request.

In the context of the Frontify Platform, we are supported by Frontify AG, Unterstrasse 4, 9000 St. Gallen, Switzerland as a contractually-bound data processor.

5) For How Long Will the Data Be Stored?

The personal data will be stored for as long as necessary for fulfilling the above-mentioned purposes. Particularly relevant in this context are the statutory retention obligations under the German Commercial Code (Handelsgesetzbuch – HGB) and the German Fiscal Code (Abgabenordnung – AO), which provide for retention periods of up to 12 years.

The maximum storage time for data in connection with reports of potential compliance violations is 3 years following the conclusion of the investigation into the report. In the case of investigations by the courts or relevant authorities, or proceedings for administrative fines or criminal proceedings, the data may be retained until the conclusion of these investigations or proceedings plus appeal periods.

The data in connection with your request as a customer will be stored for 90 days, as previous experience has shown that there may still be follow-up questions in connection with the concern during this period.

Data in the corporate history will be stored on a permanent basis, to the extent it remains relevant for that purpose.

6) Are You Obligated to Provide the Data?

Within the scope of our business relationship, you must provide us with the personal data needed to commence, execute and terminate a business relationship and to perform the obligations associated therewith, which we are legally obligated to collect or are entitled to collect on the basis of legitimate interests. Without such data, we would generally not be able to enter into a business relationship with you.

With respect to the reporting of potential compliance violations, you are neither legally nor contractually obligated to provide personal data to us. Your personal data will not be subject to automated decision-making.

7) Is Data Transferred To Third Countries?

If we transfer personal data to recipients outside the European Economic Area (EEA), the transfer will only take place if an adequate level of data protection has been confirmed for that third country by the European Commission, if an adequate level of data protection has been agreed with the data recipient (e.g., by means of EU standard contractual clauses) or if we have received your consent.

8) Special Constellations

a) Zero Waste Survey

After participating in our Zero Waste Survey, you have the option of submitting your name and business contact details, as well as information about your company, and requesting to be contacted by PreZero in order to receive further information about our products.

On the basis of Art. 6 (1) (b) GDPR, the data you provide will be added into our customer database as part of the initiation of a possible business relationship and the data about your company will be used to provide you with information about the products best suited to your company’s needs (e.g. based on industry). In this context, we will contact you once via email.

In addition, we use the company data provided on the basis of legitimate interests in accordance with Art. 6 (1) (f) GDPR for statistical evaluations.

Your data will be stored in our customer database for as long as there is a potential interest in entering into a business relationship or an active business relationship exists. If there is no further communication within 6 months of the initial contact, your data will be deleted.

In the context of our Zero Waste Survey, we are supported by AudienceFirst B.V., Goirkekanaaldijk 14, 5046 AT Tilburg, NL as a contractually-bound data processor.

b) PreZero SPOT in cooperation with Packaging Cockpit

As part of PreZero Dual's activities as a distributor of the "PreZero SPOT in cooperation with Packaging Cockpit" tool for Packaging Cockpit, details of the contacts at potential customer companies (name, company, position in the company if applicable, business contact details, e-mail correspondence / telephone note, interest in the tool or request for an offer, etc.) are collected, stored and transferred to Packaging Cockpit on the basis of PreZero Dual’s legitimate interest in facilitating the conclusion of the contract with Packaging Cockpit as well as evaluated for sales monitoring purposes in accordance with Art. 6 (1) (f) GDPR. If you contact PreZero Dual with questions about the tool, the associated data or data contained in the inquiry will be processed on the basis of the legitimate interest in providing an appropriate response to your request. 

The data recipient is Packaging Cockpit GmbH, Canovagasse 7/ Top 13, 1010 Vienna, Austria (provider of the software tool).

In connection with sales activities, the data mentioned above will be stored for the duration of the business relationship with Packaging Cockpit; in the case of an inquiry by email that does not lead to a contract with Packaging Cockpit for 6 months.

9) Your Rights As A Data Subject

Under Article 15(1) GDPR, you have the right to obtain information, free of charge, on the personal data stored about you.

If the statutory requirements are met, you also have a right to rectification (Article 16 GDPR), erasure (Article 17 GDPR) and restriction of processing (Article 18 GDPR) of your personal data. If the basis of processing is Article 6(1)(e) or (f) GDPR, you have a right to object under Article 21 GDPR. If you object to processing, your data will no longer be processed thereafter, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests of the data subject in the objection.

If you have provided the processed data yourself, you have a right to data portability under Article 20 GDPR.

If the data processing is carried out on the basis of consent granted under Article 6(1)(a) or Article 9(2)(a) GDPR, you may withdraw that consent at any time with effect for the future without this affecting the lawfulness of the previous processing.

In the above-mentioned cases, or if you have questions or complaints, please write to or e-mail the data protection officer (see no. 9).

You also have a right to lodge a complaint with a data protection supervisory authority. The data protection supervisory authority located in the state in which you live or where the controller is domiciled has jurisdiction.

10) Data Protection Officer/Coordinator

For further questions concerning the processing of your data or the exercise of your rights, please contact the competent data protection officer/coordinator of the controller at:

For PreZero Stiftung and PreZero Dual:

PreZero Stiftung & Co. KG
Data protection officer
Stiftsbergstraße 1
74172 Neckarsulm, Germany 
E-Mail: datenschutz-stiftung@prezero.com

For the other PreZero companies:

PreZero Deutschland KG
Data protection officer/coordinator 
Kleiststraße 49
32457 Porta Westfalica, Germany 
E-Mail: datenschutz@prezero.com