Data protection information for the processing of bidder and supplier data Bäderbetriebe Frankfurt GmbH (BBF)

  1. Who is responsible for data processing and who can you contact?

The person responsible is:

Badebetriebe Frankfurt GmbH (hereinafter referred to as 'BBF')

At the main station 16 | 60329 Frankfurt aM


You can reach our company data protection officer at:

Badebetriebe Frankfurt GmbH

To the data protection officer

At the main station 16 | 60329 Frankfurt aM

The data protection officer and data protection team can be reached by email:


2. Data categories and origin of data

We process personal data that we receive from you as part of our business relationship, especially in connection with tenders / procurement procedures / orders and contract processing, contract fulfillment or to fulfill pre-contractual measures. In addition, to the extent necessary in this context, we process personal data that we have lawfully received from publicly accessible sources (commercial and association registers, central commercial registers or competition registers, press, Internet) or from other third parties (e.g. credit agencies). Relevant personal data is:

Award procedure (tenders / bidder data)
User data Last name, first name, department, contact details (postal address, telephone number, email), communication data (e.g. telephone, email, IP) Company data such as company name, address data, company size (e.g. SME), contact details such as telephone, fax, E-mail, commercial register entry, sales tax ID, tax number, DUNS number. Further personal data may be added, for example, if applications for participation or offers include individual (customer) references, CVs, certificates, proof of qualifications, certificates, permits, self-declarations from employees or authorized representatives persons or organs of a company, etc. Applicants or bidders are responsible for ensuring that any necessary consent from the person concerned is available.

Suppliers, service providers
In accordance with legal requirements, e.g. Supply Chain Act, further personal data can be processed by suppliers, especially in private companies, like other job-related data (e.g. warehouse or production facility; economic sector (e.g. NACE code), business partner ID, bank details, tax identification number, national tax number , trading volume, annual turnover, insurance data, guarantee data, creditworthiness data.


  1. Why and on what legal basis do we process your data?

We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) for:

3.1 Data processing to fulfill contractual obligations (according to Art. 6 Para. 1 lit. b) GDPR)

Personal data is processed to carry out tenders, commissions and contract processing/execution.

Further details on the purpose of data processing can be found in the respective contract documents and terms and conditions.

3.2 Data processing within the scope of balancing interests (according to Art. 6 Para. 1 lit. f) GDPR)

If necessary, we process your data beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties, such as

  • funded measures (funding)
  • Assertion of legal claims and defense in legal disputes
  • Ensuring IT security and IT operations
  • Prevention and investigation of crimes

 3.3 Data processing based on your consent (according to Art. 6 Para. 1 lit. a) GDPR)

If you have given us consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Consent given can be revoked at any time.

Please note that the revocation will only take effect in the future. Processing that took place before the revocation is not affected by this.

 3.4 Data processing based on legal requirements (according to Art. 6 Para. 1 lit. c) GDPR)

Public clients are subject to legal obligations, ie legal requirements (e.g. laws against restrictions on competition, procurement regulations, competition registers, tax laws). In addition, data is processed on the basis of the Supply Chain Due Diligence Act (LkSG).


  1. Who will get your data?

Within the BBF, those departments that need it for tendering, commissioning and contract execution have access to your data. Processors or service providers we use may also receive data for these purposes. This is done, for example, to collect data for carrying out the risk analysis according to LkSG. We may only pass on information about you if required by law, if you have consented or if we are authorized to provide information. Under these conditions, recipients of personal data can e.g. B. public bodies and institutions if there is a legal or official obligation. In this context, your data may also be passed on to law enforcement authorities.

  1. How long will your data be stored?

If necessary, we process your personal data for the duration of the tender process until its conclusion, the order/contract period or for the duration of the statutory or funding law retention periods. In addition, we are subject to various retention and documentation obligations, which arise from, among other things, the Commercial Code and the Tax Code and last between two and ten years. In addition, statutory limitation periods must also be observed, for example according to Sections 195 ff. of the Civil Code, usually 3 years, but in certain cases they can also be up to thirty years.


  1. Will data be transferred to a third country or to an international organization?

A transfer of data to third countries (countries outside the European Economic Area - EEA) is not planned and not intended.


  1. What data protection rights do you have?
  • Right to information (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to notification obligation (Article 19 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to data portability (Art. 20 GDPR)

To exercise your rights, you can contact us using the contact details provided in point 1.

 7.1. Right to complain

Those affected have the right to lodge a complaint with a data protection supervisory authority.


  1. Is there an obligation to provide data?

As part of our business relationship, you only have to provide the personal data that is necessary for the establishment, implementation and termination of a business relationship or which we are legally obliged to collect. Without this data, we will usually have to refuse to conclude the contract or carry out the order or will no longer be able to carry out an existing contract and may have to terminate it.

  1. To what extent is there automated decision-making in individual cases?

In principle, we do not use fully automated decision-making. If we use these procedures in individual cases, we will inform you separately if this is required by law.


  1. To what extent is your data used for profile creation (scoring)?

We partially process your data with the aim of evaluating certain personal aspects (profiling). We use profiling, for example, in cases of participation competitions when awarding the services of consulting teams, lecturers and coaching, as well as in the context of terrorist list screening. In addition, as part of the risk analysis according to LkSG, a scoring is created to determine the need for further action. If the purpose of the processing of the data is to be changed by us, you will be informed in advance.

  1. Further information on data protection

If you have any questions about data protection or data processing at BBF, please contact our data protection team and our data protection officer by email:

Frankfurt aM, August 2023