Mercateo (hereinafter ‘Mercateo’ or ‘we’) takes the protection of your data very seriously. We maintain the Mercateo platform in accordance with applicable data protection legislation as well as the rights and obligations contained in the EU General Data Protection Regulation (hereinafter ‘GDPR’). Below, we explain how your personal data is processed by Mercateo.
The controller is Mercateo’s respective national subsidiary operating the procurement platform for the territory where delivery is to take place. A list of Mercateo’s national subsidiaries and individual procurement platforms is available at https://www.mercateo.com/corporate/info/contractual-partners/.
The data protection supervisory authority for Mercateo is:
Das Bayerische Landesamt für Datenschutzaufsicht (BayLDA)
91522 Ansbach (Germany)
1. Data processing when using our website
Mercateo operates the Mercateo procurement platform. When you visit our website, various information such as your IP address is automatically sent to our server and temporarily stored. The legal basis for this is point (f) of Article 6(1) GDPR. Our legitimate interest arises from the following purposes:
- Optimising the connection
- Ensuring and optimising the user-friendliness and handling of the website
- Ensuring system security and stability
- Hazard prevention and criminal prosecution in the event of a cyberattack
More information about data processing on our website is contained in the document ‘Cookies, web analytics and social media’ (https://www.mercateo.co.uk/corporate/cookies-ie/).
2. Data processing upon registration
Registration is possible as either a customer or a supplier. For security reasons, if you are a customer, your account will be closed if you have not logged in for more than four years. The legal basis for data processing upon registration is provided by points (b) and (f) of Article 6(1) GDPR.
3. User management by the account holder
In user management, an account holder may activate certain members of staff as buyers and/or requesters. An account holder is responsible for managing and organising users, and can access the information given and generated about them. The account holder can do the following:
- Make settings affecting users
- Allow users to access the account or cancel this access
- Access and save account data
4. Data processing when orders are placed
Whenever an order is placed, data is processed to enable all the operations required to be carried out. The legal basis for this is provided by points (b) and (f) of Article 6(1) GDPR. Your email address is used to communicate with you electronically regarding your order and its processing in accordance with point (c) of Article 6(1) GDPR. To fulfil contractual obligations, order data is transmitted to the supplier and if necessary to its carrier delivering the goods or rendering the services, who is entitled to use the data for this purpose. Furthermore, we are also entitled to transmit your email address (and, if necessary, your telephone number) to the supplier and its carrier so that delivery can be organised.
To execute the contract, it may be necessary for your data to be shared with our payment service providers or the bank involved, depending on the method of payment selected.
Other partners may also offer goods and services for sale on the platform operated by Mercateo. In each case, responsibility is borne by the respective partner.
5. Assessment of commercial customers, credit analysis, fraud prevention, debt collection
Assessment of commercial customers
Since the procurement platform is intended solely for use by entrepreneurs in accordance with the General Terms and Conditions, we must make sure that customers aren’t consumers, for instance by requiring evidence of a trade licence. The legal basis for this is provided by point (c) of Article 6(1) GDPR.
If Mercateo is the seller, we will check your or your company’s creditworthiness to assess the risk of non-payment or insolvency. This constitutes our legitimate interest pursuant to point (f) of Article 6(1) GDPR. For credit assessment, we will transmit the data required (the first and last name of the managing director, the name and address of the company) to one of the following credit bureaus:
- Creditsafe Deutschland GmbH, Charlottenstr. 68–71, 10117 Berlin, Germany
- Verband der Vereine Creditreform e. V., Hellersbergstraße 12, 41460 Neuss, Germany
- Schufa Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany
- Crif GmbH, Diefenbachgasse 35, A-1150 Wien (Vienna), Austria (for orders placed outside Germany)
- Coface Central Europe Holding AG, Marxergasse 4c, 1030 Wien (Vienna), Austria
Order information can be used to check for atypical order transactions. We have a legitimate interest in carrying out such checks for fraud prevention pursuant to point (f) of Article 6(1) GDPR.
If there are still outstanding invoices despite repeated reminders, we are entitled to share data with a collection agency for the purpose of collection.
6. Additional data processing
Furthermore, we collect and record the data which you explicitly provide us with, for example by email, on the telephone, or in any other way, such as online chat (Intercom) or a feedback form. You will be informed of the type of data which we need to collect before the respective process is carried out if this is not apparent from the process itself. In addition, data such as your IP address as well as the date and time may also be collected. If third-party communication software is used, the third-party providers may process usage data and metadata for security, service optimisation or marketing purposes. Therefore, please note the privacy policies of the respective third-party providers.
Furthermore, usage data which you create when using the platform (e.g. during search operations) is collected. Usage data may include personal or corporate data or enable such data to be deduced. Usage data is stored automatically in server log files and is employed to make the usage of the platform’s features more attractive as well as to ensure and improve their efficiency. This constitutes a legitimate interest for us as provided for by point (f) of Article 6(1) GDPR.
7. Competitions and free incentives
If you enter a competition organised by Mercateo, we will use the data you provide to enable your participation in the competition, in particular to notify you if you win and perhaps to advertise our services and/or those of our partners or suppliers. More information will be provided in connection with the respective competition. Permission to take part in competitions or receive incentives such as white papers may be contingent on subscribing to the newsletter. In such cases, your consent is required by law. The legal basis for this is contained in points (a) and (f) of Article 6(1) GDPR.
8. Data processing for advertising purposes and newsletters
Data processing for advertising purposes constitutes a legitimate interest for Mercateo under point (f) of Article 6(1) GDPR. If you are registered or listed as a customer with us, we are entitled to process your contact data and to advise you of products and services as well as relevant news or invitations to surveys regardless of whether you have subscribed to our newsletter.
You are entitled to opt out of the processing of your data for advertising purposes with future effect at any time free of charge, either as a whole or for the respective communication channel. Following opt-out, the contact address concerned will be excluded from any further data processing for advertising purposes. You may opt out by using the unsubscribe link (at the end of advertising emails) or in writing (email or post) using the contact details provided.
Furthermore, we will send you regular newsletters by email after prior registration (with your consent as provided for in point (a) of Article 6(1) GDPR). The newsletters contain, for example, information about new and/or interesting products/items as well as information about Mercateo and its partners, webinars, competitions and events. This is a form of advertising for both Mercateo and third parties (our suppliers, manufacturers and partners). Subscribing to the newsletter requires a double opt-in. This means that, after entering your email address, you will receive an email asking you to confirm your subscription. This is the only way to prevent others from signing up with an email address that is not their own. Subscriptions to the newsletter are logged. Consent to receive the newsletter can be revoked at any time. A link to cancel your subscription is included at the end of every email.
Tracking is used for both the newsletter and promotional emails to measure their success and thus to improve our newsletter. This enables us to assess the response to our emails. It is not our intention to analyse the usage behaviour of individuals.
For more information, especially on online marketing, please see the document ‘Cookies, web analytics and social media’.
9. Sharing data with third parties
Mercateo sometimes uses third parties such as processors to process your data. Such third parties are selected very carefully. Your data is processed jointly with Mercateo or on behalf of Mercateo in particular by companies affiliated with Mercateo. If data is shared for administrative purposes, this is based on our legitimate business and commercial interests pursuant to point (f) of Article 6(1) GDPR.
10. Third-party websites
Mercateo has no control over the current content or operation of third-party websites which can be accessed via the procurement platform. Mercateo bears no liability for the content of such websites or how they handle users’ personal data.
11. Recipients outside the EU
12. Deletion of personal data
Data which we store will be deleted when the corresponding authorisation lapses (in particular once the related purpose has been achieved), blocked from further use, and deleted when the retention periods legally required under tax and commercial law have expired, unless you have expressly consented to the further use of your data or contractually agreed otherwise.
13. Data security
We take necessary and appropriate technical and organisational measures to guarantee an appropriate level of protection. We take into account the state of technological knowledge, the cost of implementation, and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood, and the extent of the risks to the rights and freedoms of data subjects. For your security, your data is encrypted using an SSL (Secure Sockets Layer) website certificate.
14. Rights of the data subject
- Right of access: You are entitled to obtain information about the purposes of processing, the categories of personal data concerned, the categories of recipients to whom your personal data has been or will be disclosed, the envisaged storage period, and the source of your personal data where it has not been collected from you directly.
- Right to rectification: You are entitled to obtain the rectification of inaccurate personal data as well as the completion of correct data.
- Right to erasure and restriction: You are entitled to obtain the erasure of your personal data or alternatively to obtain the restriction of processing in accordance with legal requirements.
- Right to data portability: You are entitled to receive personal data which you have provided in a commonly used, machine-readable format, or to have it transmitted to another controller.
- Right to lodge a complaint: Please contact the supervisory authority for your habitual residence or the supervisory authority responsible for us.
- Right to opt out: You are entitled to opt out of all data processing described here that is carried out on the basis of point (f) of Article 6(1) GDPR. Unlike the data processing described in the section ‘Data processing for advertising purposes’, we are only required to accept your opt-out request if you demonstrate compelling legitimate grounds based on your particular circumstances.
- To exercise your rights, please contact firstname.lastname@example.org.
Last updated March 2021