Privacy Statement for business partners

We take the protection of your personal data very seriously. We do, of course, comply with statutory regulations.

We only process personal data (“Data”) in compliance with data protection law to the extent necessary, where legal regulations permit us to do so, or where we are required to do so. Personal data is defined as any information that refers to an identified or identifiable natural person (art. 4, no. 1 GDPR).

The purpose of this data protection information is for us to tell you about the type, scope, and purpose of the processing of your data at burgbad GmbH. Furthermore, you will be informed of your rights regarding the processing of your data.

The term “processing” covers any operation in conjunction with using your data, such as the capture, usage, storage, transmission, amendment to, or erasure of this data (art. 4, no. 2 GDPR).


1. Data controller

in conjunction with burgbad GmbH:

burgbad GmbH
Morsbacher Straße 15
91171 Greding

Phone: +49 (0) 8463 901 - 0
E-mail: info@burgbad.com

in conjunction with burgbad AG:

burgbad AG
Am Donscheid 3
57392 Schmallenberg

Phone: +49 (0) 2974 9617 - 0
E-mail: info@burgbad.com

in conjunction with Saniverse Bathrooms GmbH:

Saniverse Bathrooms GmbH
Agrippinawerft 24
50678 Köln

Phone: +49 (0) 221 277368 - 0

2. Data protection officer

Data protection officer at the burgbad Group
c/o TÜV SÜD Akademie GmbH
Westendstraße 160
80339 München

E-mail: datenschutz@burgbad.com

3. Legal basis and purposes of processing and origin of the data

a) Based on your consent (art. 6 section 1 lit. a) GDPR)
If you have consented to your data being processed for specific purposes (e.g. to receive our newsletter), this processing is considered lawful because you have given your consent. You can withdraw consent you have given at any time (art. 7, section 3, GDPR). You may also withdraw consent you have given us before the GDPR applied, in other words, before 25 May 2018. Please note, that all such withdrawals are not retroactive and do not apply to data processing that occurred before you withdrew consent.

b) To meet contractual obligations (art. 6, section 1, lit. b) GDPR)
Personal data is processed to fulfil our business purpose (art. 4 no. 2 GDPR), which is to manufacture and sell furniture and to meet the associated contractual obligations, in particular to procure materials for the manufacturing process, to fulfil customers’ orders, process servicing jobs, to manage customers and provide support.

c) Furthermore, data processing may be carried out pursuant to art. 6, section 1 c of the GDPR (legal stipulations) because we as a company are required to meet various legal obligations (e.g. tax laws), or based on.

d) art. 6, section 1 f of the GDPR provided such processing is necessary to protect our legitimate interests or is required by third parties. In the following case, for instance: to assert legal entitlements and provide a defence in the case of legal disputes, or to improve customer management.

burgbad captures personal data belonging to the following people:

Customers’ designated contacts in order for us to make contact and as part of a business relationship so that we can provide the product/service we are contractually obliged to provide. We have received the data required from you yourself or their employer.
Consumers when servicing jobs are required: in order to contact them to plan and carry out the job. If you have not transmitted the data to us yourself, we will have received their data from a wholesaler or fitter they have appointed and who has appointed us to carry out the job. The data is only processed to carry out the service job and to contact get into contact to carry out the job in the first place.
Interested parties so that we can contact them and send information, catalogues. We only use their data to process their request. We have received the information required to get into contact from you directly, or in conjunction with a magazine publisher whom you have ordered our information or literature from.
Suppliers’ designated contacts in order for us to make contact and as part of a business relationship so that we can provide the product/service we are contractually obliged to provide. We have received the data required from you yourself or their employer.
External service providers in order for us to make contact and as part of a business relationship so that we can provide the product/service we are contractually obliged to provide. We have received the data from you personally.
To send newsletters: we will have received the contact info and consent to receipt of our newsletter from you personally.

4. Categories of personal data processed

In particular, the information processed by us includes as follows:

  • Salutation, first name, surname of the contacts concerned
  • Address
  • E-mail address
  • Phone number (landline and/or mobile phone)
  • Business partner’s information, such as a supplier number, data relating to the order, data relating to the contract
  • Data and information required to meet our contractual obligation, e.g. data relating to complaints, payments, correspondence

5. Recipients of personal data

Throughout burgbad, access to your data is granted to departments that need it for the above-mentioned purposes. We do so by limiting user rights as much as possible.
Parties burgbad uses to process the data (art. 28 GDPR) and other service providers may also receive your data for the above-mentioned purposes. Such companies are those falling under categories such as IT service providers, logistics, repair/assembly services and marketing businesses that send information. The companies we appoint that are permitted to process your data just for us and not for their own purposes, are required to comply with the General Data Processing Regulation’s stipulations. In such cases, we are still responsible for the data processing.

6. Transmission and processing of personal data to Turkey

burgbad Group companies are members of Eczacıbaşı Holding A.Ş, with headquarters in Turkey. Turkey is a third country for which the European Commission has not adopted an adequacy decision on data protection. As the General Data Processing Regulation does not apply in Turkey, there is no guarantee that personal data enjoys adequate protection there that is comparable with European data protection law. In Turkey, your personal data is transmitted to Eczacıbaşı Holding A.Ş., which is also part of the Group, and processed there for the following purposes:

  • Data storage: the data communicated (via e-mail) is stored on the parent company’s central servers in Turkey.
  • Data processing: the data required to process your order is stored on the parent company’s central servers in Turkey

Service-provider contracts and order-processing contracts have been concluded between the burgbad Group and the Turkish parent company. Such contracts include appropriate data protection guarantees (standard EU contract clauses). If you are interested in viewing these documents, you can request to see them by sending a mail to the following address: datenschutz@burgbad.com
Irrespective of this, data transmission and data processing in Turkey and by the above-mentioned companies belonging to the Group is necessary to fulfill a contract between you and the burgbad Group and to perform pre-contractual measures, because the burgbad Group does not have its own data-processing infrastructure. In view of the central data storage and data processing by the burgbad Group Turkish companies mentioned above, data transfer and data processing is also in our legitimate interest. The legal basis is provided by art. 6 section 1 lit. b/f GDPR in conjunction with art. 49 section 1 b) GDPR. art. 49 section 1 b) GDPR.
Should you require more information, feel free to send an e-mail to our data protection officer, or to the following e-mail address at any time: datenschutz@burgbad.com

7. Duration of data storage

If your data is no longer required for the above-mentioned purposes, it will be deleted at regular intervals, unless its - temporary - storage is still necessary to meet contractual or legal obligations pursuant to articles 238 and 257 of the HGB (German Commercial Code), article 147 of the AO (German Fiscal Code). The terms specified in these codes for storage and documentation are six to ten years. Deletion of the data then takes place at the end of the year in which the term expires.

8. Your rights (rights of the data subject)

You can ask for information on all personal data stored about you (art. 15 GDPR). Please inform us if we have stored incorrect data about you or if you do not agree with some of the data stored about you so that we can rectify the data (art. 16 GDPR), erase it (Art. 17 DSGVO) or restrict its processing (art. 18 GDPR). You may also object to processing of your data on grounds relating to your own particular circumstances (art. 21 GDPR).
We can, of course, on request, provide the data stored about you in a format suitable for transmission (art. 20 GDPR). As set out in point 3 a, you also have the right to withdraw any consent already given (art, 7, section 3, GDPR). To exercise your rights as a data subject, please contact burgbad GmbH’s data protection officer and provide the following information: .

  • Information about your address
  • As the data subject, the rights you wish to exercise.

9. Right to lodge appeals with the supervisory authorities

In addition to the rights listed in point 8, you may also lodge a complaint with the data protection authority concerned or any other data protection authority in a federal German state pursuant to art. 77 GDPR.

In the case of  burgbad GmbH ithe competent authority is the
Bavarian Data Protection Authority (BayLDA)
Promenade 27
91522 Ansbach
Telefon: +49 (0) 981 53 1300
E-mail: poststelle@lda.bayern.de

In the case of  burgbad AG and  Saniverse Bathrooms GmbH it is
North Rhine-Westphalia’s officer for data protection and freedom of information at
Kavalleriestr. 2-4
40213 Düsseldorf
Telefon: +49 (0) 211 38424 - 0
Fax: +49 (0) 211 38424 - 10
E-mail: poststelle@ldi.nrw.de

10. Profiling and automated decision making (art, 22, GDPR)

No profiling or automated decision making takes place at burgbad. Automated decision is defined as decisions that are soley taken by machines without any involvement with natural persons. Profiling is defined as any kind of automated processing of personal data, the purpose of which is to analyse or predict the productivity, solvency, health, personal preferences, interests, reliability, conduct, place of residence, or change of residence of a natural person.

11. Voluntary provision of your data/consequences of not providing it

As part of the business relationship, we need the following personal data from you:

  • Data required to enter into and carry out a business relationship
  • Data required to fulfill contractual obligations.
  • Data we are legally required to capture.

We are not able to enter into a contract with you, or fulfill an order without this personal data.


burgbad, As of 01.08.2023