Data protection

Your data privacy as our customer

Information on the processing of your personal data

The utmost care and transparency form the basis for trustworthy cooperation with our customers. We should therefore like to inform you on how we process your personal data and how you may assert the rights to which you are entitled under the General Data Protection Regulation. Which personal data we process and our purpose in doing so depend on the respective contractual relationship.

Who is responsible for data privacy?

Data Processing Controller:

SUND GmbH + Co. KG
Victoriaallee 1
22143 Hamburg

How can the Data Protection Officer be contacted?

You can contact our Data Protection Officer at:

SUND GmbH + Co. KG
Data Protection Officer
Victoriaallee 1
22143 Hamburg

Which of your personal data do we use?

Whenever you submit an enquiry, have requested an offer from or concluded a contract with us, we process your personal data. In addition, we also process your personal data in compliance with legal obligations, for the protection of a legitimate interest, or on the basis of the consent which you have granted.

Depending on the respectively applicable legal requirements, this involves the following categories of personal data:

  • first name, last name
  • communication data (telephone, email address)
  • contractual master data, in particular the contract number and duration, the period of notice and type of contract
  • invoicing data/sales data
  • credit-history data relating to your company
  • payment details/bank account information relating to your company
  • if required, user account information, particularly registrations and logins
  • in the case of events - if required - video recordings and photographic images

During the initial contract procedure, we also draw on data made available to us by third parties. Depending on the respective type of contract, this involves the following categories of personal data:

  • if required, information (via credit agencies) on the creditworthiness of your company

From which sources do these data originate?

We process personal data which we have received from our customers, service providers and suppliers.

In addition, we obtain personal data from the following sources:

  • credit agencies
  • publicly accessible sources: commercial or association registers, records of debtors, land registers
  • other corporate group companies

For which purposes and on which legal basis do we process your personal data?

Primarily, we process your personal data in strict compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and any further applicable laws.

1. On the basis of any consent you have given (Article 6[1] [a] GDPR)

If you have expressed your voluntary consent to our collecting, processing or transferring certain personal data, this consent constitutes the legal basis for the processing of such data.

In the following cases, we process your personal data on the basis of the consent you have granted:

  • the transmission of email newsletters
  • personalised newsletter tracking
  • market research (e.g. customer satisfaction surveys)
  • marketing and the creation of advertising from customer profiles

2. In fulfilment of a contract (Article [1] [b] GDPR)

We use your personal data for the implementation of a sales contract. Within the scope of this contractual relationship, we particularly use your data in performance of the following tasks:

The establishment of contract-related communication, contract management, ongoing customer support, service centre activities, the processing of warranty claims, receivables management, contract-termination management.

For further information on the purpose of such data processing, please consult the respective contract documents and our General Terms and Conditions of Business.

3. Compliance with legal obligations (Article 6[1] [c] GDPR)

As a company, we are subject to various legal obligations. Compliance with such obligations may necessitate the processing of personal data:

  • monitoring and reporting obligations in accordance with the German Commercial Code (HGB), the Turnover Tax Act (UStG) and Income Tax Act (EStG)
  • prevention/defence against criminal offences as per HGB, UStG and EStG

4. Assertion of a legitimate interest (Article 6[1] [f] GDPR)

In certain cases we process your data in assertion of our own legitimate interest or that of a third party.

Should we retain your email address when concluding a contract, we use it in order to inform you of similar products and services. The legal basis in this connection is provided by our legitimate interest in optimising our offers and promoting our operations.

  • Centralised customer-data management within our corporate group
  • Measures to ensure building and plant safety
  • Video surveillance to safeguard our domiciliary right
  • Consultory advice from and data exchange with credit agencies in determining default and/or credit risks
  • Safeguarding IT security and IT operations

To whom are your data transmitted?

For purposes relating to the fulfilment of our contractual and legal obligations, your personal data are disclosed both to various public or internal bodies, and to external service providers.

Member companies in the corporate group:

SUND is a subsidiary in the SUND Group, which provides a centralised customer-data management system accessible to staff at any of our affiliated companies with the purpose of presenting to you the full extent of our service offer from a single source. You can visit any of the member companies in the SUND Group under the following link (

External service providers:

We work together with a variety of selected external service providers in compliance with our contractual and legal obligations:

  • IT service providers (e,g. maintenance and hosting providers)
  • service providers for document and data destruction
  • printing services
  • telecommunications
  • payment service providers
  • advisors and consultants
  • service providers for marketing or sales
  • credit agencies
  • authorised dealers
  • providers of telephone support (call centre)
  • webhosting providers
  • lettershops
  • auditors

Public authorities:

In addition, we may also be obliged to submit your personal data to further recipients such as public authorities and thus comply with statutory disclosure obligations.

  • Tax authorities
  • Customs authorities
  • Social insurance agencies

Should you have any questions concerning the individual recipients, please contact us at:

Are your data transmitted to countries outside the European Union (the so-called third countries)?

Countries outside the European Union (and the EEA European Economic Area) manage the protection of personal data on the basis of different procedures to those adopted in countries within the European Union. In order to process your data, we also deploy service providers located in third countries outside the European Union. No decision has yet been taken by the EU Commission requiring that an appropriate level of overall protection be provided by these third countries.

We have therefore adopted special measures for the purpose of ensuring that your data will be processed just as securely in such third countries as is the case within the European Union. In these third countries we conclude agreements with service providers which are in full compliance with the standard data privacy clauses drawn up by the EU Commission. These clauses include appropriate guarantees ensuring that secure protection is upheld by the third-country service provider.

Furthermore, our service providers in the USA are certified in accordance with the EU-US Privacy Shield Agreement.

Should you require greater insight into the existing guarantees, please contact us at

How long are your data stored?

We store your personal data for as long as is necessary to comply with our statutory and contractual obligations.

Should storage of your data no longer be required for the fulfilment of contractual or legal obligations, such data will be deleted unless subsequent processing thereof is essential for the following purposes:

  • compliance with statutory retention periods under commercial and tax law. This particularly applies in the case of retention periods pursuant to the German Commercial Code (HGB) or German Fiscal Code (AO). Retention periods apply for up to ten years.
  • preservation of evidence in compliance with statutory limitation periods. Pursuant to limitation rules set out in in the German Civil Code (BGB), these limitation periods can, in certain cases, apply for up to 30 years; the regular limitation period applies for three years.

What are your rights in connection with the processing of your data?

Any affected data subject has the right to obtain information pursuant to Article 15 GDPR, the right to rectification of data pursuant to Article 16 GDPR, the right to erasure of data pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right of objection pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As regards the right to obtain information and the right to erasure of data, the restrictions set forth in §§ 34 und 35 of the German Federal Data Protection Act (BDSG) shall apply.

1. Right of objection

You may object at any time to your data being used via electronic media for advertising purposes without incurring any other costs than those for transmission at the usual basic rates.

What is your right if data concerning you is processed on the basis of a legitimate or public interest?

Pursuant to Article 21(1) GDPR, you have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which occurs pursuant to Article 6(1) (e) GDPR (data processing in the public interest) or Article 6(1) (f) GDPR (data processing for the protection of a legitimate interest); this also applies to any profiling conducted on the basis of this provision. Should you lodge an objection, we will discontinue the processing of your personal data unless we can demonstrate compelling legitimate grounds for such processing which override your rights, interests and freedoms, or such processing is conducted for the establishment, exercise or defence of legal claims.

What is your right if data processing is conducted for the purpose of direct marketing?

Insofar as we process your personal data for the purpose of direct marketing, you have the right, pursuant to Article 21(2) GDPR, to object at any time to personal data concerning you being processed for this purpose; this also applies to any profiling performed in connection with such direct marketing. Should you object to the processing of your personal data for the purpose of direct marketing, we will discontinue processing for this purpose.

2. Revocation of consent

You may at any time revoke your consent to the processing of personal data concerning you. Please note that your revocation will only apply for the future.

3. Right to obtain information

You may request information on whether we have stored any personal information concerning you. If desired, we will provide you with details on the data involved, the purposes for which these data are being processed, the parties to whom we disclose these data, how long these data will be stored, and on any additional rights relating to these data to which you are entitled.

4. Further rights

In addition, you have the right to rectification of incorrect data or erasure of your data. If no reason exists for continued storage, we will either erase your data or restrict processing thereof. You may also request that all personal data which you have entrusted to us be made available by us, either to you or to a person or company of your choice, in a structured, common and machine-readable format.

Furthermore, you may exercise the right of appealing to the competent data protection authority (Article 77 GDPR in connection with § 19 BDSG, the Federal Data Protection Act).

5. Assertion of your rights

You may assert your rights by applying to the controller or data protection officer via the contact data provided or our customer service: / phone +49 40 5380960. We will promptly respond to your enquiry in accordance with legal requirements and inform you about the measures which we have taken.

Are you obliged to make any of your personal data available?

In order to enter into a business relationship with us, you must provide such personal data as will be required for us to fulfil the contractual relationship, or those which we are obliged to collect in compliance with statutory requirements. Should you fail to provide these data, we will be unable to conduct and implement the contractual relationship.

Amendment of this information

Should any significant changes arise in the purpose of processing your personal data or the methods adopted in doing so, we will update this information in a timely manner and inform you promptly about these changes.

This current Data Privacy Statement was last updated in January 2023