1. General information
a) Introduction
The protection of your personal rights during the processing of personal data is of the utmost concern to Krug Expedition (hereinafter referred to as "Krug Expedition"). We process personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and in accordance with the legal regulations of the country in which the controller of the data processing is located.
Furthermore, Krug Expedition companies have undertaken to provide comprehensive and uniform protection of personal data through the implementation of a binding company policy. Within T Krug Expedition, this ensures a level of protection worldwide, which is comparable to that in Austria and the European Union. Moreover, our employees are obliged to maintain confidentiality with regard to the handling of personal data.
b) Controller and contact person
The controller as defined by data protection law is the Krug Expedition GmbH company that processes your data as part of an existing or incipient contractual relationship. In the event of questions relating to data protection, please contact the data protection officer/data protection coordinator at Krug Expedition with which you have or are initiating a contractual relationship. The Data Protection Officer at Krug Expedition can be reached at
info@krugxp.com.
2. Collection and processing of personal data
a) Purpose limitation and legal basis
Krug Expedition processes personal data in order to execute and manage an existing or incipient contractual relationship with you. In this context, your personal data is processed for various purposes as part of a range of processing activities.
b) Data sources
As a rule, your personal data is collected directly from you as part of an existing or incipient contract relationship.
c) Obligation to provide data
You must provide to the controller the personal data required to execute the contractual relationship. If you do not provide this data, Krug Expedition cannot fulfil the relevant legal obligations and enter the contractual relationship.
d) Intended purpose of processing activities
An overview of the intended purpose of our processing activities is provided below:
Putting services and materials out to tender
Sending requests, calling in outstanding quotes, commercial review and completeness checking on quotes, and performing negotiations.
Order processing (materials and services)
Writing, submitting, sending, and tracking orders in the system.
Supplier support
Communication regarding products or services, responding to inquiries and requests, and bottleneck and risk management.
Procurement controlling and services provider controlling.
Figures regarding suppliers and services provider.
Compliance with legal obligation.
Compliance with retention obligations, ensuring that compliance requirements are met through checks (e.g. sanctions list checks and money laundering, references to legal infringements), operating an internal control system (ICS) and other monitoring systems for ensuring that business processes are in accordance with regulations.
The processed data can be classified into the following data categories:
◦ Professional contact and (work) organizational data
◦ IT usage data
◦ Data on personal/professional circumstances & characteristics ◦ Creditworthiness and bank data
◦ Contractual data
The aforementioned processing activities are justified by the following legal bases:
◦ Consent to one or more specified purposes (Art. 6(1)(a) of the GDPR)
◦ Fulfilment of the contract or contract initiation (Art. 6(1)(b) of the GDPR)
◦ Fulfilment of legal obligations (Art. 6(1)(c) of the GDPR)
◦ Balancing of interests (Art. 6(1)(f) of the GDPR)
◦ The existence of a relevant and appropriate relationship between the controller and
the data subject
◦ Prevention of fraud
◦ Direct advertising
◦ Transfer of data within a corporate group for internal management purposes
(including customer and employee data)
3. Transfer of personal data
In certain cases, your personal data may also be disclosed to other bodies: If the disclosure of your personal data is necessary in order to execute or initiate the contractual relationship. We will also disclose your personal data to service providers commissioned by us in the framework of order processing. Your core data and contact details are disclosed in a centralized database for the purpose of ensuring a current data stock and for credit checking. If we are required to comply with country-specific legal requirements regarding the disclosure of your personal data, e.g. for transfer to financial authorities, courts, and auditors, we will fulfil this obligation.
4. Data storage and erasure
We erase your personal data as soon as it is no longer required for the purposes stated above. Your personal data is stored for as long as we are required to do so by law, or for as long as statutory limitation periods apply. This regular arises due to legal obligations to provide proof and preserve records, governed by legislation including the Allgemeines Bürgerliches Gesetzbuch (ABGB – Austrian Civil Code), Unternehmensgesetzbuch (UGB – Austrian Commercial Code), and the Bundesabgabenordnung (BAO – Austrian Tax Code). Beyond this, data is only saved if there are further statutory or contractual storage obligations to do so.
5. Your rights
You have the right to be informed about the data that relates to you, and the right to rectify your data. Provided that there are no statutory regulations to the contrary, you also have the right to erase your data and to object to the processing of your data, and the right to restrict the processing of your data. Furthermore, you have the right to data portability. If we collect and process your personal data on the basis of your consent, you also have the right to revoke the consent you granted with effect for the future. The legality of the data processing carried out with your consent until you revoke it, remains unaffected by your withdrawal of consent. If necessary, we need to verify your identity before we can process your requests. If, in spite of our efforts to maintain accurate and up-to-date data, incorrect information has been saved, we will correct such information upon corresponding request. In the event of complaints, there is the possibility to contact a data protection supervisory authority.
6. Automated decision-making
We do not perform automated individual decision-makings within the meaning of Art. 22 (1) & (4) of the GDPR.
7. Safety
Krug Expedition uses technical and organizational security measures to protect your data against accidental or premeditated manipulation, loss and destruction, and access by unauthorized persons. Our security measures, such as data encryption, are regularly improved in accordance with technological development.
Last Update May 1 2021