General information on the collection and processing of personal data and your rights as a data subject

Date: May 2018

We, i.e. Narex s.r.o. and its affiliated companies (hereinafter referred to as "NAREX"), collect and process personal data and company data to fulfil a number of purposes.

What categories of data do we use and where do these come from?

The categories of personal data processed primarily include your contact details (company name, address, first name and surname of a contact partner, (mobile) phone number, email address of the responsible contact partner) and, depending on the purpose of the processing, your bank details and potentially VAT identification number as well.

Your personal data is generally collected from you directly. We may also obtain your data from third parties (e.g. retailers) in individual basis. We will inform you without delay if this is the case.

What purposes are data processed for, on what legal basis and who is responsible for the processing?
We process your data taking into consideration the provisions of the EU General Data Protection Regulation (GDPR), any local data protection laws that apply and all other relevant legislation.

a) Conducting contractual relationships

NAREX concludes a range of contracts (e.g. contracts with suppliers, systems partners and service providers, processing repairs, etc.) in order to serve their commercial purposes. The collection and processing of data is used for the establishment, fulfilment and termination of the contractual relationship. The primary legal basis for this is Article 6(1b) GDPR. Where necessary, we also process your data on the basis of Article 6(1f) GDPR, in order to protect our legitimate interests or those of third parties (such as the authorities). This applies in particular to the investigation of criminal offences, or within the group for the purposes of group management, internal communication and other administrative purposes. In addition, the processing of personal data can be based on your consent.

The controller is your respective NAREX contractual partner. You can find the relevant contact details at

b) Holding competitions

NAREX regularly holds competitions. We collect personal data (first name, surname, address and email address) in order to implement these activities. Article 6(1a) and Article 6(1b) GDPR provide the legal basis for this.

Who receives your data?

Within our company, only those individuals and offices (e.g. specialist departments) who require your personal data for the fulfilment of our contractual and legal obligations actually receive said data. Your data is transferred to certain companies within our corporate group when these companies centrally administer data processing tasks for their affiliated companies within the group.

In addition, we sometimes employ different service providers in order to fulfil our contractual and legal obligations (such as sending products or mailings). You can obtain a list of the contractors and service providers we use ‒ including those with whom we have short-term and long-term business relationships ‒ on request from the respective controller.

We may also transfer your personal data to additional recipients outside the company where this is necessary to fulfil our contractual and legal obligations as an employer. Examples include:

  • Public authorities (e.g. financial authorities, courts)
  • Banks (SEPA payment transfer media)
  • Insolvency administrators in the event of private bankruptcy.

Are you obliged to provide your data?

We wish to inform you that, as part of the respective contractual relationship, you must provide the personal data and company data necessary for establishing, fulfilling and terminating the contractual relationship or service commitment and the performance thereof, or that we are required to collect by law. If you exercise your right to object in this regard or do not provide us with this data, we will not be in a position to fulfil the contract with you.

How long are your data stored for?

We erase your personal data as soon as it is no longer required for the aforementioned purposes or you have exercised your right to object. Your personal data is stored after the termination of the contractual relationship as long as we are legally obliged to so. This is frequently the case as a result of statutory obligations to provide evidence and statutory retention obligations, which are governed by the German Commercial Code and the German Fiscal Code, among others. Retention periods are up to ten years under this legislation. Personal data may also be stored for the period for which claims can be brought against us (legal limitation periods can fall between three and thirty years).

What privacy rights can you exercise as a data subject?

You can obtain information on the data stored about you personally from the respective controller. Furthermore, you can have your data rectified or erased if certain criteria are met. You may also have the right to restrict the processing of your personal data, as well as the right to obtain the data you have provided in a structured, commonly used and machine-readable format.

Right to object

You have the right to object to the processing of your personal data for direct marketing purposes, without giving any reason.
Where we process your data for the purpose of safeguarding legitimate interests, you can object to the processing on grounds relating to your particular situation. We will then stop processing your personal data, unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or where the processing is used for the establishment, exercise or defence of legal claims.

Where can you complain?

You can lodge a complaint with the aforementioned Data Protection Officer or the competent supervisory data protection authority.