2. Data Within the Scope of Order Processing

What personal data does MS POS process within the scope of order processing?

Within the scope of order processing, MS POS uses the following personal data:

What is the origin of the data within the scope of order processing?
Data within the scope of order processing is collected from:

• Suppliers: Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
• Employees of Suppliers: Employees of Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
• Public Sources: Information is obtained from publicly available sources (for example, commercial registers, population registers, media, internet, directories)
• Economic information institutions

Does the data - within the scope of order processing - include special categories of personal data as laid out by the GDPR?
No.
For what purpose does MS POS use data within the scope of order processing?
MS POS processes data within the scope of order processing:

• to be able to place orders

On which legal basis does MS POS use data within the scope of order processing?
As far as MS POS processes personal data based on legitimate interests, what are the legitimate interests of MS POS and third parties?
As far as MS POS processes personal data based on legitimate interests, what are the legitimate interests of MS POS and third parties?

• The processing is necessary for the placing of orders from MS POS to suppliers (Article 6 (1) (b) GDPR)
• The processing is necessary in order to safeguard the legitimate interests of MS POS in maintaining business relationships with suppliers (Article 6 (1) (f) GDPR)

Who is the recipient of the data within the scope of order processing?
Data is transmitted to the following categories of recipients as a part of order processing:

• Employees of MS POS
• Customers of MS POS

Is the data transmitted to a third country as a part of order processing?
No, unless this is explicitly required for processing the order (export).
How long will the data be stored within the scope of order processing?
MS POS stores data within the scope of order processing for the longest of the following periods:

• The duration of a continuing business relationship
• The duration of commercial and taxation record-keeping periods
• The period during which claims from the business relationship can be asserted by or against MS POS

3. Data Within the Scope of Payment Transactions

What personal data does MS POS process as a part of payment transactions?
Within the scope of payment transactions, MS POS processes the following personal data:

What is the origin of the data within the scope of payment transactions?
Data within the scope of payment transactions is collected from:

• Suppliers: Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
• Employees of Suppliers: Employees of Suppliers provide information within the scope of establishing a business relationship and update it within the duration of the relationship
• Public Sources: Information is obtained from publicly available sources (for example, commercial registers, population registers, media, internet, directories)
• Economic information institutions

Does the data - within the scope of payment transactions - include special categories of personal data as laid out by the GDPR?
No.
For what purpose does MS POS process data within the scope of payment transactions?
MS POS processes data within the scope of payment transactions:

• in order to fulfil demands for payment

On which legal basis does MS POS process data within the scope of Invoicing and Accounts Receivable?
As far as MS POS processes personal data based on legitimate interests, what are the legitimate interests of MS POS and third parties?
As far as MS POS processes personal data based on legitimate interests, what are the legitimate interests of MS POS and third parties?

• MS POS processes data within the scope of Invoicing and Accounts Receivable on the following legal basis:
• The processing is necessary in order to safeguard the legitimate interests of MS POS in maintaining business relationships with suppliers (Article 6 (1) (f) GDPR)

Who is the recipient of the data within the scope of payment transactions?
Data is transmitted to the following categories of recipients within the scope of Invoicing and Accounts Receivable:

• Employees of MS POS
• Financial institutions

Is the data transmitted to a third country within the scope of payment transactions?
Yes, as far as the supplier instructs that payments are to be directed to a third country.
How long will the data be stored within the scope of payment transactions?
MS POS stores data within the scope of Invoicing and Accounts Receivable for the longest of the following periods:

• The duration of a continuing business relationship
• The duration of commercial and taxation record-keeping periods
• The period during which claims from the business relationship can be asserted by or against MS POS

Your Rights as a Data Subject

As a data subject, you have the following rights with respect to your personal information.

The Right of Access
You have the right to ask MS POS for confirmation of whether your personal information is processed; If this is the case, you have a right to information about such personal data and to detailed information on how the personal data is processed.

The Right to Rectification
You have the right to ask MS POS to rectify any incorrect personal data without delay. Taking into account the purposes of processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

The Right to Deletion ("The right to be forgotten")
You have the right to require MS POS to restrict processing if certain conditions are met.
The Right to the Restriction of Processing
You have the right to require MS POS to restrict processing if certain conditions are met.

The Right to Object
You have the right, for reasons arising from your own particular situation, at any time, to file an objection to the processing of your personal data according to Article 6 (1) (e) or (f) of the GDPR.

Right to Portable Data
You have, under certain circumstances, the right to receive personal information that you have provided to MS POS, in a structured, mainstream and machine-readable format, and you have the right to pass on that information to another person without any hindrance from MS POS.

Right to Revoke Consent
If the processing is based on your consent, you have the right to revoke your consent at any time.

Right to Appeal
You have the right to complain to a supervisory authority - this is the respective data protection officer in your state.

Glossary

Data Protection Officer
The natural or legal person, public authority, institution or other body that, alone or together with others, decides on the purposes and means of processing personal data.

Data Transfer Agreement
Agreement containing standard data protection clauses adopted by the European Commission within the scope of Art. 46 (2) (c) GDPR.

Data Subject
Identified or identifiable natural person to whom the personal data refers.

GDPR
General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament).

BDSG
German Federal Data Protection Act (Bundesdatenschutzgesetz) of 30.06.2017 (BGBl. I p. 2097).

Legal Basis
Processing is only legal if at least one of the conditions according to the GDPR and / or BDSG is satisfied.
The conditions in question within an employment contract are summarized:

• the data subject has given their consent to the processing of personal data concerning them
• processing is for the fulfilment of a contract to which the data subject is a party
• the processing is necessary to fulfil a legal obligation
• the processing is necessary to protect the vital interests of the data subject or any other natural person
• processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data prevail (legitimate interest).

Personal Data
Any information relating to an identified or identifiable natural person; a natural person is considered as being identifiable, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics expressing the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.

Processing
Any process or series of operations related to personal information, performed with or without the aid of automated procedures, such as collection, organization, storage, adaptation or modification, reading, retrieval, use, disclosure by submitting, distributing or otherwise providing, comparing, linking, limiting, erasing or destroying.

Special Categories of Personal Data
Personal data showing racial and ethnic origin, political opinions, religious or spiritual beliefs, membership of a trades union, or the processing of genetic data, biometric data to uniquely identify a natural person, health data or data on sexual behaviour or orientation.