Business Partner Data Processing Notice

Paul Craemer GmbH ("Craemer", "we" or "our") provides this Business Partner Data Protection Notice ("Notice") to explain our practices as the responsible controller regarding the processing of personal data relating to our vendors, customers, suppliers, and business partners (collectively, "Business Partners") and our Business Partners' employees.

The personal data referred to according to article 4 lit. 1 DS-GVO is all data that refer to you as a person or could be referred to you especially by means of names or organisational and customer code which allows an individual to be identified. 

We provide this privacy statement to business partners (“Notice”) to act as the controller of the data processing processes related to our suppliers, customers and business partners (collectively “Business Partners”) and their employees associated with Craemer. 

Scope: This Notice applies to you if you are a Business Partner of Craemer as an individual (e.g., a consultant or sole entrepreneur) or if you are an employee of a Business Partner who interacts with Craemer on such Business Partner's behalf.


Categories of Personal Data and Source

Craemer processes the following categories of personal data about you from you or from authorized third parties (e.g., your supervisor, public authorities or public resources):

  • Personal data relating to Business Partners who are individuals: name, business contact details, services or goods provided or offered, contract details, content of communication (such as email or business letters), payment information, invoice information, and business relationship history
  • Personal data relating to an employee of a Business Partner: name, business contact details, employer name, title/position, and content of communication (such as email or business letters)


Processing Purposes, Legal Basis, and Consequences

Your personal data is processed for purposes of performing the contractual relationship with the Business Partner (including fulfilling the contractual obligations, invoice processing, communication, and legal and compliance activities), for purposes of marketing and CRM activities, and for security and fraud prevention activities.

Craemer relies on the following legal grounds for such processing activities: 

  • Performance of the contractual relationship with the Business Partner (Art. 6 lit. b GDPR)
  • Legitimate interest of Craemer, Craemer's affiliates or other third parties (such as governmental bodies or courts) (Art. 6 lit. f GDPR),  The legitimate interest could be in particular group-wide information sharing, marketing and CRM activities, prevention of fraud, misuse of IT systems, or money laundering, operation of a whistleblowing scheme, physical security, IT and network security, internal investigations, or potential merger and acquisition activities
  • Consent (Art. 6 lit. a GDPR)
  • Compliance with legal obligations (Art. 6 lit. c GDPR)

The provision of personal data is necessary for the conclusion and/or performance of the Business Partner contract, and is voluntary. However, if you do not provide personal data, the affected Business Partner management and administration processes might be delayed or impossible.


Categories of Recipients

Craemer may engage service providers, acting as processors, in order to provide IT and other administrative support (e.g., service providers who provide account payable support or IT hosting and maintenance support). Those service providers may have access to your personal data to the extent necessary to provide such services.

Furthermore, Craemer may transfer your personal data to its parent entity, in the US for purposes of assisting its affiliates as a processor with the operation of information systems for management and analysis of customer relationships and interactions and related general IT support.

By way of entering into appropriate data transfer agreements based on Standard Contractual Clauses, which are accessible at or taking other measures to provide an adequate level of data protection, we have established that will provide an adequate level of data protection.  

Any access to your personal data is restricted to those individuals that have a need to know in order to fulfill their job responsibilities.


Retention Period

Craemer will store the personal data of our prospective customers for up to 12 months, subject to your prior objection. Further contacts or events may extend this retention period accordingly, e.g. contract or business initiations. As soon as Craemer no longer needs the data to fulfil its contractual or legal obligations, it will be removed from our systems and records and/or measures will be taken to make your personal data anonymous in a proper manner so that it can no longer be identified, unless we need to use your personal data to comply with legal or regulatory obligations to which Craemer is subject, e.g. For example, we may be required by law to retain your personal data for a period of between 6 and 10 years, including, but not limited to, the commercial or tax law, or we may be required to retain evidence within the limitation period, which is normally 3 years, but may last up to 30 years. 


Your Rights

If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.

Pursuant to applicable data protection law you may have the right to: 1) request access to your personal data; 2) request rectification of your personal data; 3) request erasure of your personal data; 4) request restriction of processing of your personal data; 5) request data portability; 6) object to the processing of your personal data. Please note that these aforementioned rights might be limited under the applicable national data protection law. 

  1. Right of access: You may have the right to obtain from us confirmation as to whether or not personal data concerning you is processed, and, where that is the case, to request access to the personal data. The access information includes – inter alia – the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipient to whom the personal data have been or will be disclosed. However, this is not an absolute right and the interests of other individuals restrict your right of access.

    You may have the right to obtain a copy of the personal data undergoing processing.

    For further copies requested by you, we may charge a reasonable fee based on administrative costs. 

  2. Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data concerning you. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  3. Right to erasure (right to be forgotten): Under certain circumstances, you may have the right to obtain from us the erasure of personal data concerning you and we may be obliged to erase such personal data. 

  4. Right to restriction of processing: Under certain circumstances, you may have the right to obtain from us restriction of processing your personal data. In this case, the respective data will be marked and may only be processed by us for certain purposes. 

  5. Right to data portability: Under certain circumstances, you may have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit those data to another entity without hindrance from us.

To exercise your rights please contact us as stated in the "Questions" section below. 

You also have the right to lodge a complaint with the competent data protection supervisory authority.


Right to object pursuant to Art. 21 General Data Protection Regulation

You have the right to object on grounds relating to your particular situation, at any time to the processing of your personal data concerning you, which is based on Art. 6 (1) lit. e and f GDPR and we can be required to no longer process your personal data.

As Craemer  processes and uses your personal data primarily for purposes of carrying out the contractual relationship with the Business Partner, Craemer will in principle have a legitimate interest for the processing which will override your objection request, unless the restriction request relates to marketing activities.

Company does not engage in automated decision-making.



If you have any questions about this Notice or your rights, please contact datenschutz(at)

Craemer's data protection officer can be contacted at

Mario Thiele
Ecoprotect GmbH