Data Protection Notice for Business Partners
As of: 15.12.2025
These notes inform business partners (e.g. suppliers, service providers, consultants, brokers, insurers, reinsurers) about the processing of their personal data by Degussa Metales Preciosos, S.L.
1. Information about the Controller
Name and contact details of the controller
Degussa Metales Preciosos, S.L.U.
C/ Velázquez, 2
28001 Madrid
Spain
Phone: +34 911 98 2900
Email: info.es@degussa.com
Contact details of the Data Protection Officer of the controller
@-yet GmbH
Schloss Eicherhof
42799 Leichlingen
Germany
Phone: 02175 / 16550
Email: datenschutz@degussa.com
2. Categories of personal data
We process, depending on the business relationship, in particular:
• Identification and contact data: name, title, function, employer, business address, email, telephone, user ID.
• Contract and billing data: offers, contracts, orders, service records, invoices, payment data, bank details.
• Communication data: correspondence (emails, letters, meeting/call notes), minutes.
• Compliance/KYC/sanctions screening data: registry extracts, beneficial owners (UBO), sanctions list matches, PEP status, due diligence results.
• Insurance/claims data (if applicable): policies, coverage details, claims reports, settlement documents, expert reports.
• IT and security data: log data, access permissions, technical identifiers (e.g. IP addresses for remote meetings/portals).
• Special categories (only in exceptional cases): health data in claims handling where required and with legal basis.
3. Purposes of data processing
• Initiation, execution and management of business relationships (supplier/service provider management, contract management, procurement and invoicing).
• Communication and collaboration (project work, scheduling, exchange of information).
• Compliance & risk/insurance (due diligence obligations, KYC/sanctions checks, fraud prevention, audit, internal controls; underwriting, claims handling).
• Legal enforcement and defence (assertion, exercise or defence of legal claims).
• IT operations and security (access management, data backup, incident management).
• Fulfilment of legal obligations (tax/commercial retention requirements, reporting obligations to authorities).
4. Legal bases (Art. 6 GDPR)
Depending on the processing activity, we rely on:
• Performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR).
• Legal obligations (Art. 6(1)(c) GDPR), e.g. tax/commercial retention, sanctions regulations, anti-money laundering requirements (where applicable).
• Legitimate interests (Art. 6(1)(f) GDPR), e.g. efficient business operations, IT security, compliance, defence against legal claims.
• Consent (Art. 6(1)(a) GDPR), where we exceptionally request it (e.g. for special categories under Art. 9 GDPR if required).
For special categories (e.g. health data in claims handling), processing only occurs where a legal basis applies.
5. Sources of data
• Directly from you (correspondence, contracts, forms, portals/tools).
• Your company / affiliated companies.
• Public and third-party sources (commercial/transparency registers, sanctions lists, PEP databases, creditworthiness information, insurers/reinsurers, brokers, experts).
6. Recipients of data
Where necessary, we transfer data to:
• Internal departments (procurement, legal, finance, compliance, IT, insurance/claims, audit).
• Group companies (Degussa Metales Preciosos, S.L.).
• Service providers/processors (e.g. IT hosting, collaboration tools, KYC/sanctions screening, document/data management).
• Contractual partners in the supply chain (subcontractors, consortium partners).
• Insurers, reinsurers, brokers, experts (for insurance/claims matters).
• Authorities, courts, lawyers (where legally required).
Agreements pursuant to Art. 28 GDPR are in place with processors.
7. Transfers to third countries
Transfers to countries outside the EU/EEA may occur (e.g. group communications, cloud/collaboration services, insurance/reinsurance networks). Appropriate safeguards are applied, such as:
• Adequacy decisions (Art. 45 GDPR).
• Standard Contractual Clauses (SCC) under Art. 46 GDPR and additional measures where necessary.
• Binding Corporate Rules (BCR), if available.
Information can be obtained via the contact details in section 1.
8. Retention period
We process and store personal data for the duration of the business relationship and beyond in accordance with statutory retention obligations (generally 6–10 years under tax and commercial law). Data from compliance checks and claims files are stored for their specific purpose and deleted once statutory periods expire or legitimate interests no longer apply.
9. Obligation to provide data
Certain data is required for establishing and performing the business relationship. Without this data, a contract cannot be concluded or performed. Legal obligations (e.g. sanctions/KYC checks, tax requirements) may require additional information.
10. Your rights
You have the right to:
• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
If processing is based on consent, you may withdraw it at any time with future effect (Art. 7(3) GDPR).
These rights apply only to natural persons under the GDPR. Legal entities are excluded.
Right to lodge a complaint
You may lodge a complaint with a supervisory authority, e.g. the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
List of authorities: https://www.bfdi.bund.de
11. Automated decision-making / profiling
We do not use exclusively automated decision-making with legal effects. Risk assessments are reviewed by qualified staff.
12. Security
We protect data using appropriate technical and organisational measures (Art. 32 GDPR).
13. Updates
This notice may be updated. The latest version is available via the business partner privacy notice URL.
These notes inform business partners (e.g. suppliers, service providers, consultants, brokers, insurers, reinsurers) about the processing of their personal data by Degussa Metales Preciosos, S.L.
1. Information about the Controller
Name and contact details of the controller
Degussa Metales Preciosos, S.L.U.
C/ Velázquez, 2
28001 Madrid
Spain
Phone: +34 911 98 2900
Email: info.es@degussa.com
Contact details of the Data Protection Officer of the controller
@-yet GmbH
Schloss Eicherhof
42799 Leichlingen
Germany
Phone: 02175 / 16550
Email: datenschutz@degussa.com
2. Categories of personal data
We process, depending on the business relationship, in particular:
• Identification and contact data: name, title, function, employer, business address, email, telephone, user ID.
• Contract and billing data: offers, contracts, orders, service records, invoices, payment data, bank details.
• Communication data: correspondence (emails, letters, meeting/call notes), minutes.
• Compliance/KYC/sanctions screening data: registry extracts, beneficial owners (UBO), sanctions list matches, PEP status, due diligence results.
• Insurance/claims data (if applicable): policies, coverage details, claims reports, settlement documents, expert reports.
• IT and security data: log data, access permissions, technical identifiers (e.g. IP addresses for remote meetings/portals).
• Special categories (only in exceptional cases): health data in claims handling where required and with legal basis.
3. Purposes of data processing
• Initiation, execution and management of business relationships (supplier/service provider management, contract management, procurement and invoicing).
• Communication and collaboration (project work, scheduling, exchange of information).
• Compliance & risk/insurance (due diligence obligations, KYC/sanctions checks, fraud prevention, audit, internal controls; underwriting, claims handling).
• Legal enforcement and defence (assertion, exercise or defence of legal claims).
• IT operations and security (access management, data backup, incident management).
• Fulfilment of legal obligations (tax/commercial retention requirements, reporting obligations to authorities).
4. Legal bases (Art. 6 GDPR)
Depending on the processing activity, we rely on:
• Performance of a contract / pre-contractual measures (Art. 6(1)(b) GDPR).
• Legal obligations (Art. 6(1)(c) GDPR), e.g. tax/commercial retention, sanctions regulations, anti-money laundering requirements (where applicable).
• Legitimate interests (Art. 6(1)(f) GDPR), e.g. efficient business operations, IT security, compliance, defence against legal claims.
• Consent (Art. 6(1)(a) GDPR), where we exceptionally request it (e.g. for special categories under Art. 9 GDPR if required).
For special categories (e.g. health data in claims handling), processing only occurs where a legal basis applies.
5. Sources of data
• Directly from you (correspondence, contracts, forms, portals/tools).
• Your company / affiliated companies.
• Public and third-party sources (commercial/transparency registers, sanctions lists, PEP databases, creditworthiness information, insurers/reinsurers, brokers, experts).
6. Recipients of data
Where necessary, we transfer data to:
• Internal departments (procurement, legal, finance, compliance, IT, insurance/claims, audit).
• Group companies (Degussa Metales Preciosos, S.L.).
• Service providers/processors (e.g. IT hosting, collaboration tools, KYC/sanctions screening, document/data management).
• Contractual partners in the supply chain (subcontractors, consortium partners).
• Insurers, reinsurers, brokers, experts (for insurance/claims matters).
• Authorities, courts, lawyers (where legally required).
Agreements pursuant to Art. 28 GDPR are in place with processors.
7. Transfers to third countries
Transfers to countries outside the EU/EEA may occur (e.g. group communications, cloud/collaboration services, insurance/reinsurance networks). Appropriate safeguards are applied, such as:
• Adequacy decisions (Art. 45 GDPR).
• Standard Contractual Clauses (SCC) under Art. 46 GDPR and additional measures where necessary.
• Binding Corporate Rules (BCR), if available.
Information can be obtained via the contact details in section 1.
8. Retention period
We process and store personal data for the duration of the business relationship and beyond in accordance with statutory retention obligations (generally 6–10 years under tax and commercial law). Data from compliance checks and claims files are stored for their specific purpose and deleted once statutory periods expire or legitimate interests no longer apply.
9. Obligation to provide data
Certain data is required for establishing and performing the business relationship. Without this data, a contract cannot be concluded or performed. Legal obligations (e.g. sanctions/KYC checks, tax requirements) may require additional information.
10. Your rights
You have the right to:
• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
If processing is based on consent, you may withdraw it at any time with future effect (Art. 7(3) GDPR).
These rights apply only to natural persons under the GDPR. Legal entities are excluded.
Right to lodge a complaint
You may lodge a complaint with a supervisory authority, e.g. the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany.
List of authorities: https://www.bfdi.bund.de
11. Automated decision-making / profiling
We do not use exclusively automated decision-making with legal effects. Risk assessments are reviewed by qualified staff.
12. Security
We protect data using appropriate technical and organisational measures (Art. 32 GDPR).
13. Updates
This notice may be updated. The latest version is available via the business partner privacy notice URL.