GDPR information requirements

Data protection of your personal information

Data protection and protecting your personal information is a top priority for us. The following will inform you about how our company processes your personal information. Personal data is processed in accordance with the provisions of the new German Federal Data Protection Act (BDSG-new), valid from 25/05/2018, and the General Data Protection Regulation (GDPR), valid from 25/05/2018.

Name and address of the person responsible

Westfalen AG
Industrieweg 43
48155 Münster

Tel.: 02 51/6 95-0

Registergericht Münster HRB 186

U.-Id.-Nr. DE 12 61 17 135


Data protection officer contact details

Per Post:


Westfalen AG

Industrieweg 43

48155 Münster


 Per E-Mail:

Company processing of personal data

We process personal information that we have received from you as part of information requested; enquiries, initial business contacts, contract processing, online orders or business relationships. We also process personal information that we have received from other companies or other permitted third parties (e.g. for executing orders, for contract compliance or for another reason for which you have given consent), insofar as it is required for contract compliance. Relevant personal
information is personal data (name, address and other contact details). Furthermore, it could also be order information, data relating to the fulfilment of our contractual obligations, advertising and sales information, documentation data, and other information of a comparable nature.

1. Purpose and legal bases of data processing

Data that is processed primarily to provide a service commissioned or requested by you.

1.1. The processing is required to fulfil a contract or to implement preliminary measures (article 6 para. 1 point b of GDPR).

  • Personal data is processed in order to initiate or conclude a contract with you, and to execute your orders.

1.2. The processing is done as part of the balancing of interests (article 6 para. 1 point f of GDPR). Where necessary, we process your data beyond simple contract fulfilment in order to safeguard our own, or a third party‘s, legitimate interests

  • Data exchange with credit agencies (SCHUFA, Creditreform) to determine credit ratings and/or default risks
  • Advertising or market and opinion research, where you have given consent for your data to be used
  • Handling queries and requesting information
  • Satisfying legal claims and defending legal disputes
  • Ensuring IT security
  • Preventing and investigating offences
  • Business management measures and development of products and services.

1.3. You have consented to your personal information being processed for one or more specific purposes (article 6 para. 1 point A of GDPR).

  • Insofar as you have consented to the processing of your personal data for a specific purpose (e.g. advertising, newsletter distribution, publication of photos or personal data), the legitimacy of this processing is based on your consent.
  • Consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent issued to us before GDPR came into force, i.e. before 25 May 2018.
  • Withdrawal of consent applies going forward. Any processing done prior to the withdrawal of consent is not affected.

1.4. The processing is necessary to fulfil a legal obligation that we are subject to (article 6 para. 1 point C of GDPR).

  • As a company we are subject to various legal obligations as part of tax and social security legislation control and reporting requirements. Additional requirements could come under the Disabilities Act, from professional associations, as part of fraud

2. Data recipients or categories of recipients (where data is transferred)

2.1. Within the company, each department receives the pieces of your data that they need to fulfil our contractual and statutory obligations. Data processors employed by us (article 28 of GDPR) may also receive data for the purposes stated. These are companies that provide credit services, IT services, printing services, telecommunications, advice, consulting, distribution and marketing.

2.2. Outside the company, if necessary, companies could receive your data, where this is required as part of our contractual obligations. In these circumstances, recipients of personal data could be, for example:

  • tax advisers, auditors, consultants
  • lawyers (disputes, debt collection, etc.)
  • technicians/trades people (maintenance, repairs)
  • transport and logistics companies
  • debt collection companies
  • banks
  • credit agencies (SCHUFA, Creditreform)

3. Storage period or criteria for setting the period

Where necessary, we process and store your personal data for the duration of our business relationship, including, for example, the preparation and execution of a contract.
Upon termination of a contract the data is deleted upon expiry of the statutory retention periods.
If the purpose for storing the data ceases to apply, the data will be blocked or deleted, insofar as this does not contravene statutory retention requirements.

4. Notes on the rights of those concerned

As per the GDPR, each person concerned has the following rights:

  • Right of access as per article 15 of GDPR
  • Right to rectification of inaccurate data as per article 16 of GDPR
  • Right to erasure as per article 17 of GDPR
  • Right to restrict processing as per article 18 of GDPR
  • Right to data portability as per article 20 of GDPR
  • Right to object as per article 21 of GDPR

To exercise any of the above-mentioned rights or to withdraw consent, please contact the above-mentioned responsible authority.
You have the right to complain to a regulatory authority. You can lodge your complaint with a regulatory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement.
We would ask that you try and resolve any issues with our data protection officer, before you submit a complaint to the relevant regulatory authority.

5. Voluntary and obligatory provision of personal information

As part of our business relationship, we must receive all the personal data required to establish and implement a business relationship and to fulfil all the related contractual obligations and to collect any statutorily required information. Without this data we will be unable to agree or implement a contract.