Personal data processing information

to customers/clients, suppliers, other business partners and interested parties.

These Personal Data Processing Information (“Information”) are for the information of customers/clients, suppliers, and other interested parties.

With these Information we would like to inform you about how we process personal data (“Personal Data”) which you transferred to Exyte, which rights you have as data subject, and provide you with other helpful material about data processing.

You may have come into contact with these Information through various ways.

You may have been referred to these Information by a referring document. A referring document, email, website or other information (“Referring Document”) may modify these Information. In case the Referring Document modifies these Information, please read both documents in conjunction, whereas the Referring Document shall prevail. If there is no Referring Document or the Referring Document does not expressly mention any modification, the below Information apply.

Please note that in case you are using specialized tools (“Tools”), like our document management system, the speak up reporting system, the Exyte intranet oneNET, our website (, social media etc., such Tools may provide you with additional information on how your Personal Data are processed in the context of these Tools or may contain separate data processing information. Where this Information and the information provided by the Tools conflict, the information provided by the Tools prevail for the context of processing Personal Data you provided to us in relation to or while using the Tools or Personal Data we received in context of using the Tools. The same also applies, if we provide you with a special information about processing your Personal Data on special occasion (“Special Occasion”), such as during an application process, events when visiting our facilities etc.

If we refer to “you” as reader of the Information, we assume that you are the “Data Subject” whose Personal Data we process.


1. Name and contact details of the controller in the sense of the General Data Protection Regula-tion: (GDPR)

Exyte Management GmbH
Löwentorbogen 9b
70376 Stuttgart

Phone: +49(0) 8804-0

(following: “we”, “us” or “Exyte”)


2. Data Protection Officer

We have appointed a Data Protection Officer (“DPO”). You can reach the DPO under the following email address:

Please feel free to contact the DPO in case of any questions, complaints, inquiries or suggestions re-garding processing Personal Data at Exyte.


3. Data we collect

We process your Personal Data as customers/clients, suppliers, other business partners (jointly “Business Partners”). We may also process your Personal Data if you are an employee, representative, agent or other person of a Business Partners and you contact us on behalf of the Business Partner or the Business Partner provides us with your Personal Data in the frame of our business relationship. Personal Data we collect are in particular name, address, telephone number, e-mail address, contact details of contact persons, customer/client number, position at a company, titles, related ordering and delivery data, as well as when was the last contact and why. In case you joined events or invitations, we may also record such participation of events and invitations.

We may also store past employers, if you change your employer and contacts us with the new employer.
If you interact with us as a Business Partner as a natural person, we also process your bank data.
In addition, we may record the nature of our last interaction, your birthdate, and may record preferences in order to facilitate contact (such as office times, vacation times etc.).
Furthermore, if you choose to provide such data to us, we may also record personal email, phone number or contact address.
We may also collect your photo, if you provide us your photo in connection with your contact data.

You may also be pictured on photos for project and contract documentation (documentation of construction process), especially if you are on construction sides. Such photos in general do not depict individuals, but we cannot exclude that you as individual may be identifiable.

In case of constant video surveillance, we will provide additional information at the site independent of or in connection with this Information. Also, in case of specific pictures or pictures at special occasion we may provide you with additional information or obtain, if legally required, your consent.

For service providers, where the service may depend on individuals, such as freelancers and inhouse contractors we may also collect the CV and related information as well as health or social security data, where necessary.

Further we may process any content of communication with you, such as emails you sent to Exyte email addresses.

If you are an applicant, please note that for Personal Data you provide to us during the application process, we have a specific information for processing Personal Data on the occasion of the application process, which you will find under this link.


4. Purpose of processing Personal Data

Exyte processes Personal Data as listed under No 3 of this Information for the purpose of directly or indirectly initiating, concluding, implementing, settling, and fulfilling contractual relations, including for providing warranties and guarantees as well as services going along with these warranties and guarantees. In this regard we may also process Personal Data to assert or defend from legal claims.

We may further use the collected data to facilitate fulfillment or fulfill legal obligations such as documentation for tax authorities or to confirm that we are not initiating business with contract partners or trans-ferring money to contract partners which are subject to export, terrorist or antimoney laundry control or to confirm credit worthiness.

The contractual relations may be with you directly, with your contract partner, e.g. your employer or customer/client, or with a third party.

Further we may process Personal Data to comply with internal compliance requirements.

We may further process Personal Data to keep in contact with interested persons, former customers/clients and potential customers/clients or suppliers and inform the aforementioned about news and developments at the Exyte Group and market, promote or advertise our products, services or events to them.


5. Source of the Personal Data

If possible and as a preferred method, we collect the Personal Data directly at you as the data subject.

In most cases we receive the data through direct contact, such as by email, in a meeting, at trade fairs or conferences through an online conference or in the course of a project.

However, we may also receive your Personal Data from our contract partners, through social networks or from public records. Where legally required, we will inform you as data subject, that we received your Personal Data and may refer to this Information and from where we received your Personal Data.

Furthermore, we process data which we receive under the legal requirements of credit reporting agencies (for example from Schufa) for the purpose of credit checks concerning our customers/clients and other business partners as well as social networks and other public information sources.

We may also receive Personal Data from other affiliates in the Exyte Group.


6. Legal basis

The processing of your data takes place based on Art. 6 para I lit. b General Data Protection Regulation (EU Regulation 679/2016, following “GDPR”), if you are a contract partner.

The processing of your data takes place based on our legitimate interests Art. 6 Para I lit. f GDPR, if we received your Personal Data to implement a contract without you being a contract partner. In this case our legitimate interest is the implementation of the contract including initiation of the contract and subsequent services or communication, e.g. for guarantee and warrantee services.

We may process your Personal Data based on Art. 6 para I lit f GDPR to assert or defend against legal claims, whereas our legitimate interest is to safeguard our legal rights. In case we process special categories of data according to Art. 9 GDPR in order to assert or defend against legal claims, we process such data based on Art 9 para II lit f GDPR.

For keeping in contact and informing you about products or advertise and promote our products or events, the processing of your data takes place based on Art. 6 para I. f DSGVO. Our legitimate interest in processing your data stems from our desire to promote, sell and improve our own products and services.

The processing of your data from credit agencies takes place based on Article 6 para I lit f of the GDPR. Our legitimate interest in the processing of this data arises from our interest of ensuring that we receive the contractually owed consideration (for example, compensation) for our services.

In some cases, we may process your Personal Data with your consent according to Article 6 para I lit. a GDPR. In these cases we have collected your consent separately from this Information and provided you with additional information.

In case you are a service provider or a contact person of a service provider, where the service may depend on individuals, such as freelancers and inhouse contractors and we collected health information or social security information, we process such Personal Data based on Art. 9 Sec I lit a) in case you provided your consent, Art 9 lit I b) GDPR in case we have to process such data for social security reasons.

In case you provided us with a picture belonging to your contact and such picture depicts health, reli-gious or other special data subject to Art. 9 GDPR, we process such data based on Art 9 Sect I lit e)

GDPR i.c.m. Art 6 Sec I lit f GDPR, whereas our legitimate interest is to have an accurate picture sim-plifying contact with you when meeting in real life.

In case we process your Personal Data based on a legal obligation the data is processed based on Art 6 para I lit c GDPR i.c.m with the obligation. Such obligations are among others tax and accounting duties according to Art 147 Abgaben Ordnung and Art. 257 ff. Handelsgesetzbuch an for Invoices § 14b Umsatzsteuergesetz.

In some cases, we may not be legally obligated to process the Personal Data, but it may facilitate our compliance and communications with the authorities. In such cases we may process Personal Data based on Art. 6 para. I lit f, whereas our legitimate interest is an efficient and effective proceeding with legal obligations or compliance matters.


7. Transfer of Personal Data

We may transfer Personal Data between Exyte affiliates within the Exyte Group based on our legitimate interest according to Art. 6 para. I lit. f GDPR, whereas our legitimate interest is to organize the company group centrally and provide services within group service centers as well as to have the processing allocated at the most suitable group member for further interaction with the data subject.

All group members are subject to a Data Protection Policy to ensure a constant level of data protection.

Some Exyte Group members may be located outsider the European Economic Area (“EEA”) in countries for which the European Commission (“EC”) did not decide that such countries provide an adequate level of data protection.

All Exyte Group members therefore signed a Data Processing and Joint Controller Agreement (“DPJCA”) which includes the standard contractual clauses as approved by the EC to safeguard the processing of Personal Data outside the EEA, i.e. all Exyte Group members are contractually obligated to comply with an adequate data protection level.

Please find a list of all Exyte entities belonging to the Exyte Group under this link.

Beside the transfer within the Exyte Group a transfer of Personal Data to third parties does not take place, with the exception of:

  • Transfer with your express permission (Art 6 para. I lit a GDPR or Art 9 para I GDPR);
  • Transfers to third parties that we engage in to fulfill contractual and delivery conditions, such as banking institutions that process payments, subcontractors as well as transportation companies / shipping companies handling deliveries based on Art 6 para I lit b GDPR if the data subject is the contract partner otherwise based on Art 6 para I lit f GDPR with the legitimate interest to initiate, settle and implement the contract;
  • Transfer to third parties we engaged in marketing and advertising for our own products and services, such as printing agencies according to Art. 6 para. I lit. f GDPR. Our legitimate interest to process your data stems from our desire to promote, sell and improve our own products and services;
  • Transfers to third parties to which we are legally obliged, for example to the tax office or other governmental authorities, according to Art. 6 para I c GDPR;
  • Transfers to third parties to fulfill our commercial and tax obligations, for example to our tax auditor according to Art. 6 para I c GDPR i.c.m with the respective individual obligation, if we are legally obliged to transfer such data or Article 6 para I f GDPR, if the transfer is not mandatory, but required for our legitimate interest to efficiently communicate and proceed with authorities and comply with our obligations;.
  • In order to assert legal claims or to defend against legal claims we may transfer data to authorities or to lawyers, agents, experts etc. based on Art. 6 para I lit f GDPR, whereas it is our legitimate interest to assert or defend from legal claims. In case of special categories of Personal Data, we may transfer such data based on Art. 9 para II lit f GDPR to assert or defend against a legal claim.

Any transfer of data to a third country outside the EU, which is also not a party to the EEA, will only take place if such transfer of data is necessary for the purpose and always subject to requirements in compliance with the GDPR.

Mostly a transfer to a third country outside the EEA occurs, if such transfer is necessary to fulfill a con-tract, e.g. a project located outside the EEA or to assert or defend against legal claims.


8. Duration of processing

We will process your Personal Data for the time only, which is necessary to complete the purpose.

If you provided us with your consent, we will process your data until you recalled such consent.

In general we will process your data for the duration of the initiation and settlement of a contract or delivery relationship with you or in which you were involved, for example, any warranty or product liability obligations, as well as for the duration of commercial or tax law retention periods or guarantee and warrantee periods.

For projects and due to warranty and guarantee obligations the processing periods usually are as following:

  •  If you are engaged in a project, up to 12 years from completion of the project in order to fulfil and comply with quality control and guarantee obligations;
  • If your Personal Data are included in commercial communication and documents, we may store your data up to 10 years to comply with documentation duties, such as Art. 257 ff. Handelsgesetzbuch or Art 147 Abgaben Ordnung;

If feasible based on the applicable law or our legitimate interests, we will delete your Personal Data earlier.

We may however have to retain your Personal Data for longer in case of legal obligations (e.g. a tax audit) or to defend from or assert a legal dispute.

Furthermore, we may store your contact data as long as there is a legitimate interest to remain in con-tact with you based on our last communication or contact with you.


9. No automated decision making

We do not base decisions which produce legal or similar significant affects to you solely on automated decision making, such as profiling.


10. Your rights

Upon request we will inform you whether Exyte stores any Personal Data about you, and if yes which.

If we process your Personal Data in order to advertise, you have the right to object to the processing of your Personal Data for the purpose of advertising at any time. If you object to the processing for pur-poses of advertising, your Personal Data will no longer be processed for this purpose.

The easiest method to object to advertisement is to send an email to However, we accept any other form of objections to advertisement, which allows us to clearly identify you.

Furthermore, you have the right to object against processing of your Personal Data, based on your particular situation, which is processed based on Article 6 para. I lit. f GDPR, i.e. legitimate interest, or Art 6 para. I lit e GDPR, i.e. processing based on necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in Exyte. In case you object to processing based on the aforementioned legal basis due to your particular situation, we will only proceed processing, if our compelling legitimate grounds to process your data overrides your interest, rights or freedoms to stop processing your Personal Data or for the exercise or defense of legal claims. This also applies to profiling based on the aforementioned.

Under the conditions as set out in the GDPR, according to Art. 16 GDPR you also have the right to cor-rect your incorrect or incomplete Personal Data as well as a right to deletion according to Art. 17 GDPR and a right to restrict the processing of your Personal Data under Art. 18 GDPR.

You also have the right to receive from us Personal Data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit (or have transmitted) the Personal Data to another controller.

If the processing of Personal Data concerning you is based on your consent, you have the right to revoke your consent at any time. The lawfulness of the processing based on the consent until the revocation is not affected.

You also have the right to lodge a complaint with the competent supervisory authority for data protection matters. Unless stated otherwise, the competent authority is the “Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg” in Baden-Württemberg, Germany