Information on the Processing of Personal Data of Customers and Suppliers
Status: February 2026 rev. 01
To fulfill our information obligations when collecting personal data pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR)
The protection of your privacy in the processing of personal data as well as the security of all business data are very important to us and are therefore an integral part of our corporate policy. We process personal data confidentially and only in accordance with the statutory provisions. Below, we inform you about the processing of your personal data and about your rights.
1. Controller
The controller within the meaning of the GDPR and other national data protection laws of the EU Member States as well as other data protection regulations is:
Rheinland Air Service GmbH
Flughafenstraße 31
41066 Mönchengladbach
Germany
Tel.: +49 2161 9948 – 100
E-Mail: info@ras.de
Website: www.ras.de
2. Data Protection Officer
The Data Protection Officer of our company is:
Reiner Herrmann
Flughafenstraße 31
41066 Mönchengladbach
E-Mail: privacy@ras.de
3. Security and Protection of Your Personal Data
We take security measures to protect the data managed by us against manipulation, loss, destruction, unauthorized access, or unauthorized disclosure. Therefore, we apply the utmost care and state-of-the-art security standards to ensure maximum protection of your personal data. Our security measures are continuously improved in line with technological developments.
We are subject to the provisions of the European General Data Protection Regulation and the German Federal Data Protection Act (BDSG). We have implemented technical and organizational measures to ensure that data protection regulations are complied with both by us and by our external service providers.
4. Purposes of the Processing of Personal Data
We process personal data of our users for the following purposes:
• Initiation, conclusion, and performance of contracts
• User management and communication
• Commercial and accounting processes
• Fulfillment of legal obligations (e.g. tax and commercial law obligations)
• Assertion or defense of legal claims
5. Scope of the Processed Personal Data
As a rule, we process personal data of our users only to the extent necessary for contract performance. We process personal data that has been provided to us by an authorized party for further use within the scope of the business relationship. These include in particular:
• Master data (e.g. name, address)
• Representatives
• Contact data (e.g. e-mail address, telephone number)
• Contract and order data
• Billing and payment data
• Communication data
We process personal data from publicly accessible sources (e.g. commercial registers, authorities, the internet) only insofar as this is legally permissible. This includes in particular:
• Name and address of the management and/or shareholders, for example the responsible person(s) stated in the legal notice (imprint).
By entering into a business relationship as an interested party, supplier, or business partner, we store your contact data as well as information on business processes and communication with you and process this data at least for the duration of the business relationship (see section 8).
6. Legal Bases for Processing
Where the processing of personal data is necessary for the performance of a contract, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary to carry out pre-contractual measures.
Where processing is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis. Where processing is necessary to protect vital interests of the data subject or another natural person, Article 6(1)(d) GDPR applies.
Where processing is necessary for the purposes of the legitimate interests pursued by our company or a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR serves as the legal basis.
Where explicit consent to the processing of personal data has been given, Article 6(1)(a) GDPR serves as the legal basis.
7. Disclosure of Personal Data to Third Parties
Where necessary for the performance of the contract with you, your personal data will be disclosed to third parties involved in contract fulfillment (e.g. subcontractors, suppliers, freight forwarders / parcel services). The legal basis for this is Article 6(1)(b) GDPR.
8. Data Deletion and Storage Period
Personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Storage beyond this period may take place where required by European or national legislation, regulations, or other provisions to which the controller is subject. Data will also be blocked or deleted when a statutory retention period expires, unless further storage is necessary for the conclusion or performance of a contract.
9. Processors
In individual cases, we use external service providers (processors pursuant to Article 28 GDPR), e.g. manufacturers, accounting and payment service providers, and IT/hosting service providers. Processing agreements are concluded with these service providers to ensure the protection of your personal data.
10. Transfer to Third Countries
Personal data is transferred to countries outside the EU or the EEA only insofar as this is necessary.
As our company operates in the aviation sector, it may be necessary to transfer certain user data to manufacturers and service providers outside the European Union.
Such transfers serve in particular:
• Technical tracking of devices and aircraft
• Ensuring proper operation
• Detecting and preventing unauthorized or abusive use
Where personal data is transferred to a third country or an international organization, you have the right to be informed about the appropriate safeguards pursuant to Article 46 GDPR. We will provide a copy of the personal data undergoing processing. For any additional copies requested, we may charge a reasonable fee based on administrative costs.
If the request is made electronically, the information will be provided in a commonly used electronic format unless you request otherwise. The right to obtain a copy must not adversely affect the rights and freedoms of others.
11. Rights of Data Subjects
Users have the right at any time to:
• Access their stored data (Article 15 GDPR)
• Rectification of inaccurate data (Article 16 GDPR)
• Erasure (Article 17 GDPR)
• Restriction of processing (Article 18 GDPR)
• Data portability (Article 20 GDPR)
• Object to processing (Article 21 GDPR)
Consent given may be withdrawn at any time with effect for the future.
12. Right to Lodge a Complaint with a Supervisory Authority
Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent authority is generally the supervisory authority of the federal state (North Rhine-Westphalia, Germany) in which our company is established.
13. Obligation to Provide Data
The provision of personal data is required for the conclusion and performance of a contract. Without this data, a contractual relationship cannot be established or performed.
14. Automated Decision-Making
In certain cases, we use automated decision-making via a service provider, including profiling pursuant to Article 22 GDPR, in particular for:
• Creditworthiness assessment
• Decisions on the conclusion or performance of a contract
The following data may be considered, among others:
• Master data
• Contract and payment data
• Where applicable, credit information from credit agencies
Automated processing serves the purpose of fast and objective decision-making.
Supplementary Information pursuant to Article 14 GDPR
15. Change of Purpose
If personal data is processed for a purpose other than that for which it was originally collected, we will inform the data subjects in advance in accordance with statutory requirements.