sig combibloc group logo

Privacy Notice

if you are a supplier

This supplemental Privacy Notice explains what personal data we collect about you when you are a supplier to us. This Privacy notice should be read in conjunction with the main Privacy Notice.


SIG Group AG reserves the right to modify this Privacy Notice at any time. Please periodically review this Privacy Notice so that you know, among other things, what personal data we collect, how we use it, and with whom we may share it.


Which types of personal data do we process?

Personal data is any information that directly or indirectly relates to an identified or identifiable living individual. Which (types of) personal data we process, depends on the relationship you have with SIG. We may process the following personal data about you:


Personal data that we may process about you if you are a supplier:

When we work with you as a supplier, we may process the following types of personal data:

  • Name
  • Title
  • Company name and address
  • Email address
  • Telephone number
  • Bank details of the company
  • Unique administration number
  • Supply and product information
  • Any other information you provide to us.
For which purposes do we process your personal data?

We may process your personal data for the following purposes:


  • To offer and improve our goods and services.
  • Conducting satisfaction and market research surveys.
  • Promoting our company and our goods and services.
  • To ensure the continuity of our services.
  • To handle questions, requests, complaints and claims.
  • Internal control, protecting our assets and the security and integrity of our systems and data.
  • To comply with our statutory obligations and requests of authorities, to avoid and settle claims.


  • Administrating and managing supply chain.
  • Administrating and managing purchases, executing and registration of agreements.
  • Calculating costs and expenses.
  • Maintaining contact with you.


What are the legal grounds for the processing of your personal data?

A data controller may only process personal data if one of the prescribed legal grounds apply. SIG complies to the principles of the EU General Data Protection Regulation (GDPR) and any applicable data protection regulation.  For the data processing activities of SIG that are subject to the GDPR, the following legal grounds are relevant:

  • Performance of an agreement. We process your data to perform an agreement that we enter into or have entered into with you when we purchase products or services from you.
  • Consent. We ask your permission for certain data processing operations, for example if we want to send you our newsletter or other commercial emails whilst you are not an existing supplier. Consent may be withdrawn at any time without affecting the lawfulness of processing based on the consent before the withdrawal.
  • Statutory obligation. We may process your data if and to the extent that this is necessary to comply with any of our statutory obligations.
  • Legitimate interest. In some cases, we process personal data because we have a legitimate interest in doing so and because we do not disproportionately invade your privacy when doing so.
With whom can we share your personal data?

Your personal data will be processed within the relevant department of the local SIG entity. We may in certain cases share your personal data within our group and/or with third parties, as described below. We will only transfer your personal data if and to the extent this is necessary for the purposes as described in this Privacy Notice.

We may share your personal data with the SIG group companies as listed on our website when this is necessary to fulfil your requests and to provide our services.


We may share your personal data with suppliers and vendors that help us with our business activities including shipping vendors, billing and refund vendors, payment card processors and companies that help us improve our products and services such as suppliers who provide direct fulfilment services for certain products. Also, we may involve hosting providers and other service providers that may need to process personal data for us. When such third parties act as data processors on our behalf, we make appropriate arrangements about the security of your personal data in a data processing agreement.


We may transfer your personal data in the event that we merge with or are acquired by a third party or should any such transaction be proposed. If and insofar as we are legally obliged and/or permitted to do so, we may share your personal data with relevant authorities.


How long do we retain your personal data?

We do not retain your personal data longer than necessary for the purposes mentioned in this Privacy Notice. For suppliers we retain your personal data during our relationship and for a maximum period of two years after our relationship has ended, unless we are required to retain the data for a longer period, for example to comply with tax laws and regulations. In that case, we will retain the data for a period of at least seven years.