Data protection information for members, customers and all interested

With the following information we would like to give you as a member, customer or interested party in our memberships/products/services an overview of the processing of your personal data by us and of your rights under data protection law. Which data is processed in detail and how they are used depends largely on the desired or agreed services. Therefore, not all parts of this information will apply to you.

Responsible is

The Association for Supply Chain Management, Procurement and Logistics (BME)
and its affiliates*
Frankfurter Str. 27
65760 Eschborn, Germany

You can contact the company’s data protection officer at

We process personal data that we receive from our members, customers or other affected persons in the course of our business relationships. In addition, to the extent necessary for our business relationship, we process personal data which we may obtain from publicly accessible sources (e.g. trade and association register, press, Internet) or which is legitimately transmitted to us by other BME companies or by other third parties (e.g. a credit agency).

Relevant personal data are personal information (name, address and other contact data, place and date of birth as well as nationality), identification data (e.g. ID data) and authentication data (e.g. signature sample). In addition, this may include order data (e.g. payment order), data from the fulfillment of our contractual obligations (e.g. sales data in payment transactions), information about your financial situation (e.g. creditworthiness data, scoring/rating data, origin of assets), advertising and sales data (including advertising scores), documentation data (e.g. minutes of meetings) and other data comparable with the categories mentioned.

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG)

a. For the fulfillment of contractual obligations (Art. 6 Para. 1 b GDPR)

The processing of data takes place for the provision and execution of purchase and sales orders within the framework of the execution of our contracts with our members, customers or for the execution of precontractual measures which take place on request. The purposes of data processing are primarily  based on the specific product and service (e.g. membership, booking of seminars or services) and may include requirements analyses, consulting, purchase and work contracts, research contracts and regulatory requirements (e.g. FDA, EMA and PMDA). Further details on data processing purposes can be found in the relevant contractual documents and our terms and conditions.

b. Within the framework of the balancing of interests (Art. 6 Para. 1 f GDPR)

If necessary, we process your data beyond the actual performance of the contract to protect the legitimate interests of us or third parties. Examples of this are:

  • consultation and data exchange with credit agencies (e.g. SCHUFA) to determine creditworthiness and default risks in our transactions
  • examination and optimization of procedures for requirements analysis for the purpose of direct customer approach
  • advertising or market and opinion research, as long as you have not objected to the use of your data
  • enforcement of legal claims and defense in legal disputes
  • ensuring IT security and IT operation of the company
  • prevention and investigation of criminal offenses
  • video surveillance for the protection of domiciliary rights, for the collection of evidence in case of burglary (cf. also Section 4 BDSG)
  • measures for building and system security (e.g. access controls)
  • measures to secure domiciliary rights
  • measures for business management and further development of services and products
  • risk management in the BME Group

c. On the basis of your consent (Art. 6 Para. 1 a GDPR)

If you have given us your consent to the processing of personal data for specific purposes (e.g.  forwarding of data via the BME, evaluation of payment transaction data for marketing purposes, photographs for events, newsletter dispatch, webinars), legitimacy of this processing is given on the basis of your consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. The revocation of a consent is only effective for the future and does not affect the legality of the data processed until revocation.

d. Due to legal requirements (Art. 6 Para. 1 c GDPR) or in the public interest (Art. 6 Para. 1 e GDPR)

In addition, as a company we are subject to various legal obligations, i.e. legal requirements (e.g. money laundering law, tax laws and regulatory requirements). The purposes of processing include, among other things, creditworthiness checks, identity and age checks, fraud and money laundering prevention, the fulfillment of tax control and reporting obligations as well as the assessment and management of risks in the company.

Within the company, the departments have access to their data, which they need to fulfill their contractual and legal obligations. Service providers and vicarious agents employed by us may also receive data for these purposes, provided that they in particular maintain confidentiality and integrity. These are companies in the categories of IT services, logistics, printing services, telecommunications, debt collection, consulting as well as sales and marketing.

With regard to the transfer of data to recipients outside our company, it must first be noted that we only pass on necessary personal data in compliance with the applicable data protection regulations. We may only disclose information about you if required to do so by law, if you have given your consent or if we are authorized to provide such information.

Under these conditions, recipients of personal data can be, for example:

  • public bodies and institutions (e.g. tax authorities, law enforcement authorities, family courts, land registries) in the event of a legal or official obligation
  • other credit and financial services institutions or similar institutions to which we transfer personal data in the course of the business relationship (stock exchanges, credit agencies)
  • other companies of the BME for risk control due to legal or official obligations
  • Creditors or insolvency administrators who request information in connection with foreclosure proceedings
  • Certified Public Accountant
  • service providers that we use within the framework of order processing relationships

Data are transmitted to offices in countries outside the European Union (so-called third countries) if

  • it is necessary for the execution of your orders (e.g. delivery orders)
  • it is required by law (e.g. tax reporting obligations) or
  • you have given us your consent

Furthermore, it is planned to transfer data to bodies in third countries in the following cases:

  • If necessary in individual cases, your personal data may be transferred to an IT service provider in a third country to ensure the company‘s IT operations in compliance with the European data protection level.
  • With the consent of the data subject, on the basis of legal regulations to combat money laundering, terrorist financing and other criminal acts as well as in the context of a balancing of interests, personal data (e.g. identification data) are transmitted in individual cases in compliance with the data protection level of the European Union.

We process and store your personal data as long as it is necessary for the fulfillment of our contractual and legal obligations.

If the data are no longer required for the fulfillment of contractual or legal obligations, they are regularly deleted, unless their – limited – further processing is necessary for the following purposes:

  • fulfillment of storage obligations under commercial and tax law
  • German Commercial Code (Handelsgesetzbuch, HGB), Tax Code (Abgabenordnung, AO), Money Laundering Act (Geldwäschegesetz, GwG). The periods for storage and documentation specified there are generally two to ten years
  • preservation of evidence within the framework of the statutory statute of limitations. According to Sections 195 et. seq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), these limitation periods can be up to thirty years, whereby the regular limitation period is three years

Any data subject shall have the right of access under Article 15 GDPR, the right to correction under Article  16 GDPR, the right to cancellation under Article 17 GDPR, the right to limitation of processing under Article 18 GDPR, the right of opposition under Article 21 GDPR and the right to data transfer under Article 20 GDPR.

The restrictions according to Sections 34 and 35 BDSG-new version apply to the right to information and the right to cancellation. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).

You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018. Please note that the revocation will only take effect for the future. Processing that took place before the revocation is not affected by this.

Within the framework of our business relationship, you must provide such personal data which are required for the establishment, execution and termination of a business relationship and for the fulfillment of the associated contractual obligations or which we are legally obliged to collect. Without this information, we will usually not be able to enter into, execute and terminate a contract with you.

For the establishment, implementation and termination of the business relationship we do not use fully automated decision making according to Article 22 GDPR. If we use these procedures in individual cases (e.g. to improve our products and services), we will inform you separately about this and about your rights in this respect, insofar as this is prescribed by law.

We process your data partially automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling in the following cases:

  • We use evaluation tools to provide you with targeted information and advice on products and services. These enable demand-oriented communication and advertising, including market and opinion research.
  • In assessing your creditworthiness, we use scoring. The probability with which a customer will meet its payment obligations in accordance with the contract is calculated. Scoring is based on a mathematically and statistically recognized and proven procedure. The calculated score values support us in decision-making within the scope of product contracts and are included in ongoing risk management.


Right of objection on a case-by-case basis

You have the right to object at any time to the processing of personal data concerning you on the basis of Art. 6 Para. 1 lit. e) GDPR (data processing in the public interest) and Art. 6 Para. 1 lit. f) GDPR (data processing on the basis of a balance of interests) for reasons arising from your particular situation, including profiling based on this provision within the meaning of Art. 4 Para. 4 GDPR.

If you object, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms. In particular, this includes if the processing is necessary for asserting, exercising or defending legal claims.

Recipient of an objection

The objection can be made form-free with the subject „objection“ stating your name, your address and your date of birth and should be addressed to:

The Association for Supply Chain Management, Procurement and Logistics (BME)
Frankfurter Str. 27
65760 Eschborn, Germany

Phone: +49 6196 5828-165
Email: datenschutz(at)

 *BME-Group: Bundesverband Materialwirtschaft, Einkauf und Logistik e.V. (BME), BME Akademie GmbH, BME Marketing GmbH und BMEnet GmbH