Data Protection Notice for Business Partners
Status: 15.12.2025
This notice informs business partners (e.g., suppliers, service providers, consultants, brokers, insurers, reinsurers) about the processing of their personal data by Degussa Sonne/Mond Goldhandel GmbH.
1. Information regarding the Data Controller
Name and contact details of the Data Controller
Degussa Goldhandel GmbH
Friedrich-Ebert-Anlage 35 – 37
60327 Frankfurt
Phone: 0800 / 1882288
E-Mail: info@degussa.com
Contact details of the Data Protection Officer
@-yet GmbH
Schloss Eicherhof
42799 Leichlingen
Phone: 02175 / 16550
E-Mail: datenschutz@degussa.com
2. Categories of personal data
Depending on the business relationship, we process in particular:
• Identification and contact details: name, title, function, employer, business address, email, telephone, user ID.
• Contract and billing data: offers, contracts, orders, proofs of service, invoices, payment data, bank details.
• Communication data: correspondence (email, letters, notes from meetings/calls), minutes.
• Compliance/KYC/sanction screening data: register extracts, beneficial owners, UBO information, sanctions list hits, PEP status, due diligence results.
• Insurance/claims data (if applicable): policies, coverage details, claims reports, settlement documents, expert reports.
• IT and security data: log data, access permissions, technical identifiers (e.g., IP addresses for remote meetings/portals).
• Special categories (only in exceptional cases): health data in claims processing, as far as necessary and subject to a legal basis.
3. Purposes of data processing
• Initiation, execution, and management of business relationships (supplier/service provider management, contract management, procurement, and accounting).
• Communication and cooperation (project work, scheduling, exchange of information).
• Compliance & risk/insurance (due diligence obligations, KYC/sanction checks, fraud prevention, audit, internal controls; underwriting, claims processing).
• Legal enforcement and defense (assertion, exercise, or defense of legal claims).
• IT operations and security (access management, data backup, incident management).
• Fulfillment of legal obligations (retention requirements under tax and commercial law, reporting and disclosure obligations towards authorities).
4. Legal basis (Art. 6 GDPR)
Depending on the specific process, we base our processing on:
• Performance of a contract / pre-contractual measures (Art. 6 (1) (b) GDPR).
• Legal obligations (Art. 6 (1) (c) GDPR), e.g., retention requirements under tax/commercial law, sanction regulations, anti-money laundering (as applicable).
• Legitimate interests (Art. 6 (1) (f) GDPR), e.g., efficient business operations, IT security, compliance, defense against claims.
• Consent (Art. 6 (1) (a) GDPR), if requested in exceptional cases (e.g., for special categories under Art. 9 GDPR, where required).
For special categories (e.g., health data in claims processing), we only process data if a corresponding legal basis is available.
5. Data sources
• Directly from you (correspondence, contracts, forms, portals/tools).
• Your company / affiliated companies.
• Public and third-party sources (trade/transparency registers, sanctions lists, PEP databases, credit information, insurers/reinsurers, brokers, experts).
6. Recipients of data
We transfer data – as far as necessary – to:
• Internal departments (procurement, legal, finance, compliance, IT, insurance/claims, audit).
• Affiliates / Group companies (Degussa Holding AG, Switzerland).
• Service providers/data processors (e.g., IT hosting, collaboration tools, KYC/sanction screening, file/data management).
• Contractual partners in the supply chain (subcontractors, consortium partners).
• Insurers, reinsurers, brokers, experts (regarding insurance/claims matters).
• Authorities, courts, legal counsel (as legally required).
Contracts according to Art. 28 GDPR are in place with data processors.
7. Transfers to third countries
Transfers to countries outside the EU/EEA may occur (e.g., group communication, cloud/collaboration services, insurance/reinsurance networks). We apply appropriate safeguards, such as:
• Adequacy decisions (Art. 45 GDPR), e.g., EU adequacy for specific countries.
• Standard Contractual Clauses (SCC) (Art. 46 GDPR) and – where necessary – additional measures (technical/organizational/contractual).
• Binding Corporate Rules (BCR), if available.
Information regarding this can be obtained via the contact channels under Section 1.
8. Storage duration
We process and store personal data for the duration of the business relationship and beyond, in accordance with legal retention obligations (regularly 6–10 years according to § 147 AO, § 257 HGB). Data from compliance checks and claim files are stored for the specific purpose and deleted after the expiration of the respective applicable periods or when legitimate interests no longer exist.
9. Obligation to provide data
Certain data are required for the initiation and execution of the business relationship (e.g., identification and contact details, payment/tax information). Without this data, it is not possible to conclude a contract or provide the service. Legal obligations (e.g., sanction/KYC checks, tax information) may require additional information.
10. Your rights
Subject to the legal requirements, you have the right to:
• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR), particularly against processing based on our legitimate interests.
If processing is based on your consent, you may withdraw it at any time with effect for the future (Art. 7 (3) GDPR).
According to the scope of the GDPR, these data subject rights are exclusively available to natural persons. Legal entities are excluded from the GDPR.
Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority, e.g., at:
The Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
A list of supervisory authorities can be found at: https://www.bfdi.bund.de
11. Automated decision-making / Profiling
We do not carry out exclusively automated decisions with legal effect. Case-related risk assessments (e.g., KYC/sanction screening, creditworthiness, insurance underwriting) are not performed exclusively in an automated manner but are reviewed by qualified employees.
12. Security
We protect data through appropriate technical and organizational measures (TOMs) according to Art. 32 GDPR (including access control, encryption, authorization management, logging, deletion and backup concepts, employee training).
13. Updates
This notice may be updated. The current version is provided at the URL for the data protection notice for business partners.