Data Privacy Information
innogy for Suppliers and Service Providers
Compliance with data protection regulations is very important to us. Below we inform you about the
processing of personal data in the context of
the contractual relationship of your employer with us.
our contractual relationship, should you be e.g. as a sole trader directly our contractual
We process your personal data in accordance with the applicable statutory data protection
requirements for the purposes listed below. Personal data in the sense of this data protection
information is all information that is related to your person.
Generally, that company belonging to the innogy group is responsible for processing your personal data
with which you wish to get into contact or with which you wish to enter into a contract . If innogy SE is
your contact, then innogy SE is the data controller for your personal data. Where "innogy" is referred to
below, it means either innogy SE/Corporate Procurement or the respective responsible national innogy-
„innogy SE“ is referred to below, it means exclusively innogy SE/Corporate
Contact at innogy SE:
innogy SE/Corporate Procurement
You can reach the Group Data Protection Officer of innogy SE at:
Data Protection Officer
Purposes of data processing and legal basis
Processing of your data to establish, execute and terminate a contractual relationship (Art. 6
Para. 1 lit. b EU GDPR) or in our legitimate interest (Art. 6 Para. 1 lit. f EU GDPR)
innogy will use your data for the purpose of
market sounding, pre-qualification,
tendering of supplies and services,
conclusion, execution and termination of the contract as well as for the
implementation of downstream/accompanying contract processes
management, supplier management) and optimization of internal Procurement-processes and
with you or your employer.
The process steps are called “Procurement” or “Procurement Process” in the further Data Privacy
Personal data includes in particular surname, first name, business address, business contact data such
as telephone number and e-mail address. If you are our contractual partner, innogy collects further
data, such as data on payment transactions (e.g. your bank details), data to evaluate the financial
situation (e.g. creditworthiness data - see 2.2), data for documentation purposes (e.g. extract from the
If innogy has not received the aforementioned data from you, the data comes from publicly accessible
sources (e.g. trade and association register, press, internet) or from other third parties (e.g. a credit
innogy will neither sell personal data to third parties nor market them in any other way.
Processing of your data for purposes of credit assessment and pre-qualification, observation of
insolvency proceedings (legitimate interest - Art. 6 Para. 1 lit. f EU GDPR)
If you yourself are our contractual partner, innogy conducts a pre-qualification procedure under
certain conditions when establishing contractual relationships.
That means innogy establishes whether you fulfill certain innogy-requirements, especially it means
that innogy SE
determines whether we may enter into business relations with you in consideration of the
provisions of the Money Laundering Act, the UK Bribery Act and EU and US sanctions law, in
particular on the basis of the EU sanctions lists pursuant to EU Regulations 2580/2001 and
881/2002, the sanctions lists of the Office of Foreign Assets Control, the US sanctions lists as
well as the list of "Ineligible firms & individuals" of the World Bank, also carry out occasional
business partner reviews on the basis of a risk-based approach.
observes the opening of insolvency proceedings in order to avoid bad debt losses
checks your creditworthiness, the existence of necessary/required certifications, amongst
In order to check creditworthiness, innogy obtains information on credit-relevant features from credit
agencies before concluding the contract. The credit agencies used by innogy SE are currently the
Dun & Bradstreet.
If there is negative information about characteristics of your creditworthiness, innogy may refuse a
contractual relationship with you.
The information on creditworthiness-relevant characteristics can be hard negative characteristics
(insolvency, affidavit, arrest warrant), soft negative characteristics about your behaviour not in
accordance with a contract (e.g. non-payment of receivables in the cases specified in Section 31 Para.
2 German Data Protection Act [new] or other nationally applicable data protection laws) and
probability values for assessing the credit risk (so-called scoring).
The credit agencies store data that they receive, for example, from banks or companies. These data
include surname, first name, date of birth, address and information on outstanding receivables and
non-contractual behaviour. The credit agencies make this data available to their partner companies so
that these can check the creditworthiness. Prerequisite: The contracting parties of the credit agencies
have a legitimate interest in the data being transmitted. A justified interest can be a planned
contractual relationship, for example. If you would like information on the data the credit agencies
have stored about you, you can obtain it directly from the credit agencies.
Supplier management (legitimate interest - Art. 6 para. 1 lit. f EU GDPR)
Supplier management is an essential component of the procurement process. Within the framework
of supplier management, innogy carries out the pre-qualifications listed under Section 2.2, and stores
all information on compliance with legal or company-specific requirements, e.g. the statutory
minimum wage or occupational safety.
In the case of supplier feedback, the satisfaction of our suppliers is determined. Supplier surveys are
carried out once a year for this purpose. As part of supplier management, innogy SE regularly holds a
supplier Day. For this purpose, innogy SE processes the following types of data: Supplier's name, first
name and surname of the participant to be invited, e-mail address of the participant to be invited.
Analysis of anonymous data
In certain cases innogy carries out analyses to optimise the Procurement Process and use the contract
and supplier information available to us for this purpose in anonymised form.
Safety and security
innogy and the IT service providers commissioned by innogy as data processors for operation and
support/maintenance of necessary IT systems guarantee the necessary technical and organisational
measures to protect the data against misuse.
Your data will be conscientiously protected against loss, destruction, falsification, manipulation and
unauthorised access or disclosure, e.g. in the context of encrypted data transmission. Consequently,
we shall do everything possible to prevent unauthorised access by third parties.
Duration of storage or deletion of data
innogy will delete registration data in IT systems provided by innogy at the latest after one year,
provided that the registration is not followed by sub-processes of Procurement with you or your
If a contractual relationship is established with you or your employer, innogy will delete your personal
data eleven years after the contractual relationship with you has ended, all mutual claims have been
met and no other legal retention obligations or legal justifications for retention exist.
Recipients and categories of recipients and transfers of data to third countries
If necessary, your personal data will be passed on to other companies affiliated with innogy SE, insofar
as they are involved in the preparation and evaluation of the Procurement Process and/or are
admitted as observers of a concrete Procurement, e.g. to an eAuction and/or electronic tender,
because they have a concrete interest in this Procurement as future customers. Approval is only
granted in individual cases.
A transfer of supplier/service provider data (e.g. company name, commodity group) also takes place to
further companies of E.ON-Group with Procurement organizations which are involved in the supplier
management and the supplier steering.
If and to the extent necessary, your personal data will also be processed by other companies affiliated
with innogy or by external companies working on behalf of innogy ("data processors"). These are
mainly IT service providers and service centers.
Within the framework of the administration, development and operation of IT systems, innogy has
individual tasks and services carried out by carefully selected and commissioned external IT service
providers based outside the European Economic Area ("third country"). In such cases, a third-country
transfer takes place. The transfer or granting of access to personal data only takes place to the extent
that the transfer is generally permissible under data protection law and the special requirements for a
transfer to a third country are met. To the extent required by law in order to provide an adequate
level of protection for your data, innogy uses guarantees in accordance with legal requirements to
provide an adequate level of data protection, including EU Standard Contractual Clauses. You have the
possibility to request further information at any time and to receive copies of the guarantees.
The EU Standard Contractual Clauses are available at the following link:
Your rights, data protection contact and contact persons
Your contractual partner or contact person for a pre-contractual or contractual measure is the data
controller for processing your personal data. You can find the specific contact person either in the
contract concluded with you or your employer or in the correspondence or tender documents.
You have the right at any time to object to the use of your data for advertising or other purposes, insofar
as such use is based on Art. 6 Para. 1 lit. f EU GDPR (i.e. in the legitimate interest of the data controller).
For this purpose, a simple notification to the specific data controller is sufficient (see above under
Section 1; innogy SE via the contact options listed below or the respective responsible national company
via the contact option known to you from that company).
You also have the right at any time and free of charge to request information from the specific data
controller (innogy SE or responsible national company) about the personal data stored about you. In
addition, you can assert your rights to restriction of processing, erasure and rectification of your
personal data against innogy.
You have the right to receive your data in a structured, common, machine-readable format and to
make it available to another data controller if you have provided the data to us or if the processing is
necessary for the fulfilment of a contract. This does not apply if innogy process the data because
innogy are legally obliged to process them. innogy will also forward your data to a third party or other
company named by you at your request.
In order to assert your rights, please contact innogy SE at
keyword: "Data Protection" or by letter to innogy SE, Corporate Procurement, Flamingoweg 1, 44139
Dortmund or the responsible national company and their respective data protection office at the
contact address known to you.
Without prejudice to any other remedy, you shall have the right to complain to a supervisory
authority, in particular in the Member State in which you are staying, your place of work or the place
where the alleged infringement was committed. The supervisory authority responsible for innogy SE is
the State Commissioner for Data Protection and Freedom of Information for North Rhine-Westphalia
(Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen).
For further information on data protection, please refer to the supplementary data protection
information of the client of the individual order and/or the respective responsible national company.