Data Protection information for business partners of BCNP Consultants GmbH

(updated version of 11. December 2020)

Why is this document available?

It is very important for BCNP Consultants GmbH to comply with all applicable regulations in data protection. The General Data Protection Regulation (GDPR) and the new Federal Data Protection Act (BDSG) stipulate that we fulfil comprehensive information obligations, we consider to be correct and take this responsibility very seriously. In the following text, we therefore explain to you what information, i.e. also so-called “personal data”, we process about you as a business partner and inform you about the rights you have vis-à-vis BCNP Consultants GmbH with regard to your personal data.

This information should be written in such a way that even legal layman can understand it – we hope we have succeeded. If you find individual points unclear, please contact us – we are happy to explain our extensive data protection measures to you in person.

Who is this data protection information primarily aimed at?

This information is primarily intended for our business partners: “Business partners” are customers or suppliers who want to enter into or have concluded contracts with us for the supply of products or the provision of services. However, it is also companies, organisations or natural persons with whom we have not concluded contracts for deliveries or services, but with whom we exchange information regularly or on a case-by-case basis. For example, these are partner companies and people from the professional associations to which we are affiliated and with whom we build, exchange and improve expertise to optimize our services and products, or so-called network partners who meet employees of BCNP Consultants GmbH at events such as trade congresses, trade fairs, cluster and lecture events, etc. and exchange contact details.

However, it is also aimed at any other person whose data we process:

Our top principle for the processing of your personal data is: We will only process personal data if a legal regulation allows or prescribes this to us or if the data subject, i.e. you, has given us express consent to this.

Who is responsible for data processing?

The data protection officer responsible for the processing of your personal data is our company, BCNP Consultants GmbH | Varrentrappstraße 40-42 | D-60486 Frankfurt | Tel. +49 (0)69 – 15 32 25 642. When we write “we”, “us” or “the company” in this data protection information, we always mean our company, BCNP Consultants GmbH.

If you have any questions about the processing of your personal data, please contact us simply and directly via this e-mail address:

What data do we process?

Of course, we can only exchange information or do business with our business partners if we process data from them: So the company name and address are at least necessary, but this alone is usually not yet personal data.

However, if the data allow conclusions to be drawn about a natural person, they will be personal data, which may already be the case if the company name contains the name of the owner, or with registered merchants or freelancers. Completely independent of the legal form of our business partners, we also usually process data about their contact persons in the company, i.e. your names and contact details such as e-mail addresses or telephone numbers. Therefore, please also make this data protection information available to the people within your organization who are involved in the business relationship with us, i.e. our contact persons in your company.


We refer to the essential data about your company, the contact persons and our business relationship (eI.E.. a contract) as master data. This includes, for exampleI.E. company name, contract data and the names of the contact persons.

In particular, the master data includes:

  • all information that we receive at the time of initiation or opening of the business relationship or which we have requested from our contractual partner or contact person (eI.E.. first and last name, function description, address and other contact details, as well as telephone and mobile phone data, bank details, tax data),
  • such data that we have collected from us in connection with the initiation or opening of the business relationship itself (in particular the details we need to provide you with information, consulting logs or information on processes in your company, if necessary for our work, as well as information to create offers or invoices or conclude contracts).

History data:

Of course, we also process personal data that accrues during our business relationship and which go beyond a mere change of master data. We then call this type of data historical data.

This category mainly includes:

  • data on the products and services supplied or provided by our business partners on the basis of the concluded contracts;
  • data on products and services supplied or provided by us on the basis of existing or concluded contracts;
  • information provided to us by our business or contact persons themselves or upon our request;
  • Information about the business activities of our business partners, which we receive from them, contact persons or third parties, or from public sources;
  • personal data that we receive in any other way from you, our business partners, contact persons or third parties or from publicly available sources.

We may also store personal data of third parties about the master or historical data to the extent permitted by law, such as information about the economic situation of our business partners. This can be, for example, data from business information agencies in order to be able to assess business risks, such as possible defaults.

For what purposes and on what legal bases do we process personal data?

  • We process master and historical data for the realization of the concluded contracts with our business partners or for the implementation of pre-contractual measures, such as i.e. offers or other correspondence based on Article 6 paragraph 1 b) GDPR. Irrespective of the legal form of the business partner, we process master and historical data with reference to one or more contact persons in order to safeguard our legitimate interest in the business relationship in accordance with Article 6 paragraph 1 f) GDPR.
  • Also due to legal obligations to which we are subject, we can process master and historical data in accordance with Art. 6 sec. 1 lit c). In particular, mandatory declarations to tax and other authorities belong to this category.
  • In addition, our legitimate interest or the legitimate interest of third parties allows us to process master and historical data on the basis of Art. 6 sec. 1 lit. f) GDPR. If necessary, we process information about the execution of contracts with business partners and about the fulfilment of legal obligations. Our legitimate interests include:
  • the clarification of economic risks associated with our business relationships, such as defaults,
  • the assertion of legal claims and the defence in the event of legal disputes;
  • the prevention and investigation of criminal offences;
  • control and optimization of our business activities, including risk management.
  • Insofar as we give a natural person the opportunity to give consent to the processing of his personal data, we always process the data covered by the consent only for the purposes specified in the consent on the basis of Art.6 sec.1 lit. a) GDPR.


Your right to withdraw consent

In Article 7, the General Data Protection Regulation (GDPR) grants you a comprehensive right to revoke consent. It is particularly important that

  • giving consent to us is always voluntary;
  • if you do not wish to give us consent or wish to withdraw a given consent, which may have certain consequences, about which we inform you before or when the consent is given,
  • consent given to us can be revoked at any time with effect for the future. You can do this i.e. by sending a message by post, fax or e-mail via one of the contact options mentioned above under “Who is responsible for data processing?”.

Is there an obligation to provide personal data?

We cannot enter into a business relationship with you without data. Therefore, the collection or provision of the above-mentioned master and historical data is always necessary if we do not specify otherwise when collecting the data.

In addition, if we collect personal data, we will inform you during the collection whether the provision of this information is required by law or contract or is necessary for the conclusion of a contract. We usually identify the data that you can provide voluntarily and whose collection is not based on an obligation or is not required to conclude a contract.

Who receives personal data from us?

Your personal data will always be processed within our company. Depending on the specific nature of the personal data, only the departments and persons in our company have access to the data to the extent that they need to carry out the purpose of the processing. To ensure this, we use a role and authorization concept. The departments mainly include the accounting and sales departments as well as, depending on the type of service agreed, the various service departments. Since we usually process data with the help of our IT, our internal IT staff also process personal data to a limited extent.

We may also transfer personal data to the extent permitted by law to third parties outside our company. These external recipients may include, in particular,

  • The service providers that we provide to us on a separate contractual basis, which may also include the processing of personal data, as well as the subcontractors of our service providers who are engaged with our consent;
  • Affiliated companies with whom we share data for internal management of business partner data,
  • other business partners to which we may transfer personal data in order to safeguard the legitimate interest of the business partner whose data we transfer,
  • Non-public and public authorities, insofar as we are obliged to transfer your personal data due to legal obligations.

Do we use automated decision-making?

In principle, we do not use automated decision-making within the meaning of Article 22 GDPR for our business relationships, which includes above all profiling. If we use such procedures in individual cases, we will inform the persons concerned to the extent required by law.

If data is sent to countries outside the EU or to international organisations?

The processing of personal data takes place exclusively within the EU or the European Economic Area; a transfer to third countries is not planned.

For what duration will personal data be stored?

In principle, we store personal data as long as we have a legitimate interest in storing it and the interests of the data subject in the non-continuation of the storage do not prevail.

We may also store the data without any legitimate interest if we are legally obliged to do so, for example to fulfil tax retention obligations. Personal-related data will be deleted by us as soon as they are no longer necessary for the purpose of processing or the storage is otherwise legally inadmissible. The deletion takes place without the data subject having to ask us to do so.

As a rule, we store master data and historical data at least until the business relationship is terminated. The data will be deleted at the latest if the purpose of the storage is fulfilled, even if this only occurs after the end of the business relationship. If we need to store personal data to fulfill retention obligations, it will be stored until the end of the respective retention obligation. If we only store personal data to fulfill the retention obligations, they are usually blocked in such a way that processing is only necessary in relation to the purpose of the retention obligation (eI.E.. for disclosure to tax authorities).


What rights do data subjects have?

Any person concerned has the right to

  • for information on the personal data stored about them in accordance with Article 15 GDPR;
  • upon correction of inaccurate or incomplete data in accordance with Article 16 GDPR;
  • on the deletion of personal data, in accordance with Article 17 GDPR;
  • restriction of processing, in accordance with Article 18 GDPR;
  • data portability, in accordance with Art. 20 GDPR, and
  • object to the processing of personal data concerning you, in accordance with Art. 21 GDPR.


In order to exercise your rights, you or any person concerned may contact us at any time, i.e. via one of the contact channels mentioned in the section “Who is responsible for data processing?”.

If you have any questions about the processing of personal data, you or the data subject can contact us at any time.

A data subject is also entitled to lodge a complaint with a competent supervisory authority for data protection in accordance with Article 77 GDPR.

The contact details of all German supervisory authorities can be found under this link at the Federal Commissioner for Data Protection and Freedom of Information (BFDI):

We thank you for your interest in our data protection information.

Your BCNP Consultants GmbH