Overview of how we process your personal data

(Documentation of the processing activity according to the General Data Protection Regulation)

Information about the controller

Responsible body (acc. to Art. 4 (7) GDPR):

Bihl+Wiedemann GmbH, Flosswoerthstrasse 41, 68199 Mannheim, Germany


Legal representative (= Management):

Jochen Bihl and Bernhard Wiedemann


Data Protection Officer:

Carina Stolz (mein-datenschutzbeauftragter.de)

Basic information on data processing

Designation of the processing activity:

Personal data is processed in order to fulfil pre-contractual and contractual obligations. If necessary, we also process personal data of other third parties (Coface) for the execution of contracts or based on prior consent.


Responsible departments:
In order to fulfil pre-contractual and contractual obligations, data is processed exclusively in crucial departments according to the need-to-know principle.


Type of processing:

ERP system, CRM system, email for correspondence purposes


Place of processing:
All CRM, ERP and email data is stored in our own data centre in Mannheim / Germany. Access control, backup and archiving processes are based on the IT Baseline Protection Catalogue of the Federal Office for Information Security (BSI)

General data protection requirements of the GDPR

Intended purpose:

Personal data is processed in order to fulfil pre-contractual and contractual obligations.


Change of purpose:

Any change of purpose requires prior consent. It is obligatory to use the data for the intended purpose only.


Lawfulness of processing, Art. 6 GDPR:

  • Consent (Art. 6 (1) lit. a, Art. 7)
  • Contract or contract initiation (Art. 6 (1) lit. b)
  • Purposes of the legitimate interests pursued by the controller or by a third party (Art. 6 (1) lit. f)

Necessity and proportionality:

The lawfulness is based not only on the principles of "proportionality" (Art. 5 (1) lit. b), "transparency" (Art. 5 (1) lit. a), "data minimisation" (Art. 5 (1) lit. c), "accuracy" (Art. 5 (1) lit. d), "storage limitation" (Art. 5 (1) lit. c) and "integrity and confidentiality" (Art. 5 (1) lit. f), but also, and in particular, on the purpose limitation principle (Art. 5 (1) lit. b).


Is there a high risk to the rights and freedoms of natural persons acc. to Art. 35?:

No particularly sensitive data whatsoever is collected or stored at any time.

Collection of data

Circle of affected groups of people:

Customers, leads, suppliers


Types of data or data categories stored:

  • Billing information

  • Contact data

  • Credit information

  • IT usage data/log data/log files

  • IP address

  • Surname / name / salutation / title

  • Contractual data

  • Contract master data

  • Payment data

  • Email address

  • Telephone number

Recipients or categories of recipients with whom the data can be shared

Internal recipients (members of the responsible body):

To fulfil pre-contractual and contractual obligations, data is processed in the following departments:

  • Internal Sales (to channel general enquiries)
  • Sales (to maintain and expand the business relationship)
  • Order Processing (for orders)
  • Shipping (to process the shipment of products)
  • Accounting (for accounts)
  • Purchasing (to channel general enquiries, maintain and expand supplier relationships, during order processing)

Standard terms for data deletion

Storage duration:

The deletion period derives from the German commercial code (HGB).

Testing the effectiveness of processes

Frequency of process testing: