Privacy notice for the SWM “Supply Chain Compliance Questionnaire” of Stadtwerke München GmbH

The German Act on Corporate Due Diligence Obligations in Supply Chains (LkSG), which has been in force since 1 January 2023, sets requirements for responsible management of supply chains for obligated companies to improve the international human rights situation and environmental protection. Stadtwerke München GmbH (hereinafter also referred to as “SWM” or “we/us”) is subject to the LkSG. Therefore, we ask our direct suppliers to complete our Supply Chain Compliance Questionnaire online. Your response to the questions is required for the business relationship with the SWM companies to comply with their legal due diligence obligations.

In this privacy notice, we inform you of the personal data that we process in connection with the survey on the LkSG (by means of the “Supply Chain Compliance Questionnaire”). This privacy notice also tells you about the rights, options and objection procedures that are open to you with regard to your personal data. The term “personal data” means any information concerning an identified or identifiable individual. Insofar as we collect, process or use personal data, we comply with the applicable statutory regulations, in particular the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications and Telemedia Data Protection Act (TTDSG).

Further information on general data protection at the SWM companies can be found at https://www.swm.de/english/data-protection. Alternatively, you can send your questions to us using any of the contact details below.

The controller pursuant to Article 4 (7) of the EU General Data Protection Regulation (GDPR) is Stadtwerke München GmbH, Emmy-Noether-Strasse 2, 80992 Munich, Germany, datenschutz.stadtwerke@swm.de.

The Group Data Protection Officer of the SWM companies can be contacted at:

Stadtwerke München
Data Protection Officer
Emmy-Noether-Strasse 2
80992 Munich, Germany
E-mail: datenschutz@swm.de

The link to the Supply Chain Compliance Questionnaire will be sent by e-mail from the e-mail address noreply@moodys.com. The service provider Bureau van Dijk Electronic Publishing GmbH sends the e-mail, operates the linked website and conducts the survey on our behalf.

We process your business e-mail address and contact details in order to fulfil an existing contractual relationship or to carry out pre-contractual measures with your company. The legal basis is Article 6 (1) b) (performance of a contract) and f) (legitimate interests if we have been given your name as a contact for your employer) GDPR.

The link in the e-mail will take you to a survey page on a website of our service provider (the URL starts with https://forms.bvdinfo.com//...) (hereinafter also referred to as “the website”). No IP addresses are stored and no cookies (small text files that are saved on your hard drive and assigned to the browser that you use) are set when you access the website.

Our survey is used in order to implement the German Act on Corporate Due Diligence Obligations in Supply Chains (LkSG) and primarily relates to your company, i.e. not to you personally or another individual. Your responses to our survey will only be processed and used for risk analysis purposes. However, it may be possible to trace back to you or another individual via the survey if you yourself make this possible by stating corresponding details in your answers (e.g. by entering your name, e-mail address or position in a response field of our survey; in some cases, it is compulsory to state contact details of people (name and role of the person completing the questionnaire) or of people in specific positions (e.g. human rights officer)). The legal basis for this data processing is Article 6 (1) sentence 1 c) (legal obligation) and f) (legitimate interests) GDPR.

Please inform the other individuals at your company whose data you have entered in the questionnaire about this privacy notice.

For these purposes, we process personal data that we obtain from you and/or your employer or from other contacts at your company.

Unless you are expressly informed to the contrary, the provision of corresponding data is essential to a business relationship with the SWM companies so that we can fulfil our statutory due diligence obligations. However, there is no legal obligation to provide data. If you do not provide us with any data, we will usually be unable to enter into a business relationship with your company.

Within the SWM companies, your data is only accessible to the bodies that need it for the purposes stated in section 3.

To the extent permitted by law (for instance in the context of order processing), we pass on your personal data to service providers in the following categories:

• IT services
• Operators of the compliance database
• Lawyers
• Public bodies and institutions (e.g. financial authorities, police, public prosecutors, supervisory authorities) if there is a corresponding obligation/authorisation.

Compliance checks in the SWM Group, such as the survey regarding the LkSG, are managed centrally by the parent company, Stadtwerke München GmbH. Therefore, particularly in the context of agreements on joint responsibility, personal data is exchanged between Stadtwerke München GmbH and the company with which the supply contract is concluded. We would be happy to make the key elements of these agreements available to you on request.

Transfer to third countries is not intended.

However, for specific tasks, we use (IT) service providers that also use (IT) service providers whose headquarters, parent company or data centre may be situated in a third country (outside the European Union and the European Economic Area).

If personal data is transferred to a third country, the following conditions must be met: the transfer is permitted because there is a legal basis for permission or you have expressly consented to the transfer and the essential requirements for transfer to a third country are fulfilled. In particular, this means that the European Commission has decided that an appropriate level of data protection (Article 45 GDPR) or suitable guarantees (e.g. by means of EU standard contractual clauses that are stipulated by the European Commission or the supervisory authority), enforceable rights and effective legal remedies are in place in the third country.

We erase your personal data as soon as it is no longer required for the purposes for which it was collected, unless temporary further processing thereof is essential for:

• Fulfilment of statutory retention requirements that may arise from the likes of the German Commercial Code (HGB) and the German Fiscal Code (AO). Periods of up to ten years are stipulated in this legislation.
• Preservation of evidence in the context of statutory limitation periods. According to Section 195 et seq. of the German Civil Code (BGB), these limitation periods can last for up to 30 years, with the regular limitation period amounting to three years.

According to Article 15 GDPR, you have the right to request information at any time as to what personal data we have stored about you. This also applies to the recipients or categories of recipient to whom this data is passed on, and the purpose of storage. Under the conditions of Article 16 GDPR, you can request rectification and/or, under the conditions of Article 17 GDPR, erasure and/or, under the conditions of Article 18 GDPR, restriction of processing at any time. Furthermore, you can request data transmission at any time under Article 20 GDPR.

You have the right to object to the processing of your personal data if the conditions set out in Article 21 GDPR are in place.

You can exercise your rights as a data subject by contacting: Stadtwerke München GmbH, Emmy-Noether-Strasse 2, 80992 Munich, Germany, datenschutz.stadtwerke@swm.de

In addition, according to Article 77 GDPR, you have the option of lodging a complaint with a data protection supervisory authority.

Right to withdraw consent: you can withdraw your consent to the processing of your data with future effect at any time. Please address your withdrawal of consent to: Stadtwerke München GmbH, Emmy-Noether-Strasse 2, 80992 Munich, Germany, datenschutz.stadtwerke@swm.de.

We do not generally use automated decision-making as per Article 22 GDPR. If we do use this procedure in individual instances, we will inform you of this separately under the statutory provisions.

As our data processing is subject to change and the legal situation may alter, we will also amend our privacy notice from time to time.