Data protection information pursuant to Art. 13 GDPR

Data protection information for customers and affected parties pursuant to Art. 13 and 14 GDPR

With the following information we would like to give you an overview of the processing of your personal data by us and your rights under data protection law. Which data is processed in detail and how it is used depends largely on the underlying purpose. Therefore, not all parts of this information may apply to you.

1.0  Who is responsible for data processing and to whom can I turn?

Responsible is

AutoDo GmbH
Otto-Hahn-Straße 3
31303 Burgdorf
Phone +49 5136 9755-0
Fax +49 5136 9755-200


We have an external data protection officer to guarantee data protection. If you have any questions regarding data protection, please contact us at


2.0  Processing frame

2.1  What sources do we use?

We process personal data that we receive from our customers or other parties concerned in the course of our business relationship.


2.2  Which data and categories of personal data do we use?

  • Relevant personal data are
  • vehicle data
  • person master data
  • contact details
  • communication data
  • Bank and invoice data


2.3  For what purposes and on what legal basis do we process personal data?

We process personal data on the basis of the Basic Data Protection Ordinance (GDPR), the Federal Data Protection Act (BDSG) and other provisions on data protection and data security:


a) to fulfil contractual obligations (Art. 6 para. 1 b GDPR)

The data is processed for the provision of services within the framework of contract processing with our customers or for the implementation of pre-contractual measures, which take place on request. The purposes of the data processing depend primarily on the concrete product (among other things supply of software for the marketing of vehicles).


b) Within the scope of balancing interests (Art. 6 para. 1 f GDPR)

If necessary, we process your data beyond the actual fulfilment of the contract to protect the legitimate interests of us or third parties (examples):

  • Assertion of legal claims and defence in legal disputes
  • Consultation of credit agencies (e.g. SCHUFA) including data exchange to determine creditworthiness and default risks,
  • Ensuring the company's IT security and IT operations
  • Prevention and investigation of criminal offences
  • Measures for building and plant security as well as for safeguarding the householder's title
  • Review and optimization of procedures for needs analysis for direct customer contact
  • advertising as well as market and opinion research, insofar as you have not objected to the use of your data
  • Measures for business management and further development of services and products


c) On the basis of your consent (Art. 6 para. 1 a GDPR)

If you have given us your consent to process your personal data for certain purposes, the legality is given on the basis of this consent.

Your consent can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force - i.e. before 25 May 2018. The revocation of a consent only takes effect for the future and does not affect the legality of the data processed until revocation.


d) Based on legal requirements (Art. 6 para. 1 c GDPR) or in the public interest (Art. 6 para. 1 e GDPR)

As a company we are subject to various legal obligations and legal requirements (e.g. tax laws).

The purposes of processing include, among others, identity verification, fraud prevention, compliance with tax control and reporting obligations.


2.4  Who gets my data?

Within the company, those departments that need your data to fulfil our contractual and legal obligations will have access to it. Service providers and vicarious agents employed by us may also receive data for these purposes. These are companies in the categories IT services, logistics, printing services, telecommunications, debt collection, consulting as well as sales and marketing. The passing on takes place here exclusively within the legal defaults (e.g. in the context of an order processing in accordance with art. 28 and art. 29 GDPR).


2.5  How long will my data be stored?

We process and store your personal data as long as this is necessary for the fulfilment of our contractual and legal obligations.

If the data are no longer required for the fulfilment of contractual or legal obligations, they will be deleted regularly, unless their temporary further processing is necessary for the following purposes:

Compliance with commercial and tax law retention periods, which may result, for example, from the German Commercial Code (HGB), the German Tax Code (AO) and the German Banking Act (KWG). The periods for storage and documentation specified there are usually two to 10 years.
Preservation of evidence within the framework of the statutory statute of limitations. According to §§ 195 ff of the German Civil Code (BGB) these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.


2.6  Is there an obligation to provide data?

As part of our business relationship, you must provide us with the information necessary to establish, conduct and terminate a business relationship and to perform the contractual obligations associated therewith, or which we are required to collect by law. Without this information, we will generally not be able to enter into, execute and terminate a contract with you.


2.7  To what extent is there automated decision-making?

As a matter of principle, we do not use fully automated decision making in accordance with Article 22 GDPR for the establishment and implementation of the business relationship. Should we use these procedures in individual cases (e.g. for credit enquiries), we will inform you of this and of your rights in this regard separately, insofar as this is prescribed by law.


2.8  Does profiling take place?

We partly process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

  • Due to legal and regulatory requirements
  • In order to provide you with targeted information and advice on products, we use evaluation tools within the framework of legal requirements. These enable communication and advertising tailored to your needs, including market research and opinion polling.

3.0  Rights of affected parties

3.1  Information, rectification, erasure and limitation of processing

Every data subject has the right of access under Article 15 DS Block Exemption Regulation, the right of rectification under Article 16 DS Block Exemption Regulation, the right of cancellation under Article 17 DS Block Exemption Regulation and the right of limitation of processing under Article 18 DS Block Exemption Regulation. The right of access and the right of deletion are subject to restrictions pursuant to §§ 34 and 35 BDSG.


3.2  Data transferability

Every data subject has the right to data transferability under Article 20 GDPR.


3.3  Right of objection

Pursuant to Article 21 of the GDPR, every party concerned has the right to object.


3.4  Revocation of consent

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent given to us before the GDPR came into force, i.e. before 25 May 2018. Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this.


3.5  Right of appeal to a supervisory authority

Every data subject has the right to appeal to the relevant data protection supervisory authority in accordance with Article 77 GDPR in conjunction with § 19 BDSG).