Privacy Policy for Suppliers and Customers (B2B)
1. Who is the Controller?
Hyundai Motorsport GmbH,
Brüsseler Platz 1-2,
63067 Offenbach am Main, Germany
E-Mail: info@hyundai-ms.com
2. Contact Details of our Data Protection Officer
You can reach our Data Protection Officer at the above address, addressed to the Data Protection Officer, or at: dataprotection@hyundai-ms.com
3. Which of your personal data do we process?
Depending on your relationship with our company, we process different types of personal data about you. Primarily, we collect, process, and use data to fulfill contractual relationships, manage supplier relations, and handle prospective customer inquiries. This includes business client management and acquisition, appointment scheduling, contract management, service provision, procurement of goods, and payment processing.
As a rule, we process the following categories of personal data:
- Name and contact details (business address, email address, and phone number)
- Contract data, in particular contract number, duration, notice period, and type of contract
- Billing and revenue data
- Creditworthiness data
- Payment information/bank details
- Communication data
In the course of initiating a contract, we may also rely on data provided to us by third parties. Depending on the type of contract, this may include the following categories of personal data:
- Information on creditworthiness (from credit reference agencies)
4. What are the sources of the data?
Primarily, we process data that we receive directly from our suppliers and customers. In addition, we process personal data that we lawfully obtain from public sources (e.g., commercial registers) or that is lawfully provided to us by third parties (e.g., credit reference agencies, distribution partners).
We receive personal data from the following sources:
- Credit reference agencies
- Publicly accessible sources: commercial or association registers, debtor registers, land registries
5. For what purposes do we process your data and on what legal basis?
We process your personal data in particular in compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and all other applicable laws.
5.1 Based on your consent (Art. 6 para. 1 a GDPR)
If you have voluntarily given your consent for the collection, processing, or transfer of certain personal data, this consent forms the legal basis for processing that data.
We process your personal data on the basis of your consent in the following cases:
- Sending email newsletters or targeted marketing information about our products, technical developments, or events – outside of existing business relationships
- Market research and surveys on customer satisfaction, where personal feedback may be evaluated or published
- Publication of photos, quotes, or project or client references naming contact persons on our website, in presentations, or in printed materials (e.g., in the context of joint projects)
Consent is given explicitly and can be withdrawn at any time with future effect. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
5.2 For the performance of a contract (Art. 6 para. 1 b GDPR)
If you or your company enter into a contract with us, we process the personal data necessary to perform the respective contract.
5.3 For compliance with legal obligations (Art. 6 para. 1 c GDPR)
As a company, we are subject to various legal obligations. Processing personal data may be necessary to fulfill these obligations.
- Commercial and tax retention obligations under the German Commercial Code (HGB) and Tax Code (AO), e.g., retention of invoices and contract documents
- Obligations under foreign trade law, in particular terrorism list screening under the EU Anti-Terrorism Regulations (EC No. 2580/2001 and EC No. 881/2002), to ensure that no business relationships exist with sanctioned persons or organizations
  - If a potential match is identified, we may carry out further due diligence. Depending on the respective sanctions list, this may involve processing additional personal data, such as date of birth, residential address, tax identification number, nationality, etc.
- Obligations under the Whistleblower Protection Act (HinSchG), in particular in connection with the establishment and operation of internal reporting channels as well as the documentation and processing of incoming reports
- Reporting obligations to authorities, e.g., customs, tax, or regulatory authorities
- Occupational health and safety and product safety requirements, insofar as processing personal data of business partners is necessary (e.g., in the case of product recalls or safety information)
Processing is carried out only to the extent necessary to comply with these legal requirements. Personal data is shared with third parties only if and to the extent required to fulfill these obligations.
5.4 Based on legitimate interests (Art. 6 para. 1 f GDPR)
In certain cases, we process your data to protect a legitimate interest of ours or of third parties, for example:
- Direct marketing or market and opinion research (marketing to existing customers in accordance with Section 7(3) of the Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG))
- Centralized customer data management within the corporate group
- Measures for building and facility security and visitor management
- Video surveillance to safeguard property rights
- Consultation and data exchange with:
  - Credit reference agencies to assess creditworthiness or default risks
  - Hyundai Motor Europe GmbH to support the sanctions list screening process
- Ensuring IT security and IT operations
6. To whom are your data disclosed?
To fulfill our contractual and legal obligations, your personal data may be disclosed to various public or internal authorities, as well as external service providers.
Affiliated companies of Hyundai Motorsport Germany GmbH
External service providers or third parties:
We work with selected external service providers to fulfill our contractual and legal obligations:
- IT service providers (e.g., maintenance providers, hosting providers)
- Providers of file and data destruction services
- Printing service providers
- Payment service providers
- Consulting and advisory firms
- Provider of the sanctions screening solution: Control Risks GmbH, Ebertstraße 2, 10117 Berlin
- Marketing or sales service providers
- Credit reference agencies
- Authorized dealers
- Telephone support providers (call centers)
- Web hosting providers
- Auditors
Public authorities:
In addition, we may be required to disclose your personal data to other recipients, such as authorities, in order to comply with statutory reporting obligations:
- Tax authorities
- Customs authorities
7. Are your data transferred to countries outside the European Union (so-called third countries)?
Countries outside the European Union (and the European Economic Area, “EEA”) handle the protection of personal data differently than countries within the European Union. As a rule, your data is processed within the EU or the EEA.
In individual cases, we may also use service providers located in third countries outside the EU. In such cases, we have implemented special measures to ensure that your data is processed in third countries with the same level of protection as within the European Union.
For service providers in third countries, we enter into the Standard Contractual Clauses provided by the European Commission. These clauses provide appropriate safeguards for the protection of your data when processed by service providers in third countries.
8. How long are personal data stored?
We store personal data only for as long as it is necessary for the respective processing purpose or as long as statutory or contractual retention obligations exist. Typical retention periods in our company are:
- Invoice and accounting data (e.g., names of contact persons on invoices): up to 10 years, in accordance with Sections 147 AO and 257 HGB
- Business letters and emails with legal or tax relevance: up to 6 years, in accordance with Section 257 HGB
- Contract documents and correspondence in the context of customer projects: generally 6 to 10 years, depending on relevance and legal requirements
- Data related to product liability or warranty (e.g., contact persons in quality assurance or service): up to 10 years, to cover statutory liability periods
- Data related to sanctions list screening: up to 10 years, to demonstrate compliance with our legal and regulatory obligations
- Consent data (e.g., for marketing or publication of photos): until the consent is withdrawn, plus an additional 3 years for documentation purposes (limitation period according to Section 195 BGB)
After the respective retention periods expire, the data is routinely deleted or anonymized, provided it is no longer required for contract fulfillment or for compliance with legal obligations.
9. What rights do you have in connection with the processing of your data?
Under applicable law, you have the right to access your personal data (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to object (Art. 21 GDPR), and the right to data portability (Art. 20 GDPR). Limitations regarding the right of access and the right to erasure apply in accordance with Sections 34 and 35 BDSG. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG).
Rights in the case of processing based on legitimate or public interest
According to Art. 21(1) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out under Art. 6(1)(e) GDPR (processing in the public interest) or Art. 6(1)(f) GDPR (processing based on legitimate interests), including profiling based on these provisions.
In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.
Withdrawal of consent
You may withdraw your consent to the processing of personal data at any time. Please note that withdrawal only applies to processing in the future.
Exercising your rights
To exercise your rights, you can contact the data controller or the Data Protection Officer using the contact details provided. We will promptly process your requests in accordance with legal requirements and inform you of the measures taken.
10. Is the provision of your personal data mandatory?
To enter into a business relationship, you must provide us with the personal data necessary to perform the contract or which we are legally required to collect. If you do not provide this data, we may be unable to carry out or complete the business relationship.
Status: 11.2025