Last updated: 30.01.2019
1. Legal basis of processing
As required by art. 13 GDPR we inform you about the legal basis for our data processing. Unless a more specific legal basis is named in this Privacy Notice in connection with a processing, the following applies: If we ask for your consent, the legal basis for the processing is art. 6 (1) 1 lit. a. and art. 7 GDPR. If we process data to perform a contract or to respond to an inquiry the legal basis is art. 6 (1) lit. b. GDPR. If we process data to comply with legal requirements the legal basis is art. 6 (1) lit. c. GDPR. If we process data to pursue our legitimate interest or the legitimate interest of a third party the legal basis is art. 6 (1) lit. f. GDPR.
2. Changes and updates to this Privacy Notice
Please check the content of this Privacy Notice regularly. We amend this Privacy Notice as soon as changes to our data processing make changes necessary. We will inform you if such changes require you to take action or if an individual information is necessary.
3. Security measures
3.1. We take technical and organisational measures in accordance with art. 32 GDPR taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for rights and freedoms of natural persons to ensure a level of security appropriate to the risk. Among those measures are in particular the ensuring of ongoing confidentiality, integrity, availability of processing systems though controlling physical access to Data as well as access, entering, transfer, ensuring availability as well as segregation. In addition, we have established processes ensuring that data subjects can invoke their rights, Data is deleted and reactions to threats to Data are appropriate. We take into account the protection of data during development and selection of hardware, software and processes in accordance with the principles of privacy by design and privacy by default (art. 25 GDPR).
3.2. The data transmission between your browser and our server is encrypted.
4. Cooperation with data processors and third parties
4.1. We only disclose, transfer or grant access to the Data other persons and enterprises (data processors or third parties) in connection with our processing where a legal basis exists (for example where the transfer to third parties is necessary for the performance of a contract pursuant to art. 6 (1) lit b. GDPR), if you have given us consent, if we are required by law or if we have a legitimate interest to do so (e.g. webhosting by third party providers).
4.2. Where we engage third parties to process data on our behalf we conclude data processing agreement pursuant to art. 28 GDPR.
5. Data transfer to third countries
If we process data in a third country (i.e. outside of the European Union or the European Economic Area) ourselves or by engaging a service provider or through disclosure or transfer to third parties we will only do so to perform a contract, based on consent, if required by law or to pursue a legitimate interest. Unless otherwise permitted by law or by contract we process Data or have data processed on our behalf only if the requirements of art. 44 et seqq. GDPR are met. This means that special safeguards like an official assessment that the level of data protection in a specific country is equivalent to that in the EU (e.g. for the USA the „Privacy Shield“) are in place or the processor or third party has agreed to observe officially sanctioned special contractual obligations („standard contractual clauses“).
6. Rights of the data subject
6.1. You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data in accordance with art. 15 GDPR.
6.2. You have the right to obtain from the controller without undue delay the rectification of inaccurate and the completion of incomplete personal data concerning you in accordance with art. 16 GDPR.
6.3. Subject to the requirements of art. 17 GDPR you have the right to obtain from the controller the erasure of personal data concerning you without undue delay, alternatively to obtain restriction of processing subject to the requirements of art. 18 GDPR.
6.4. You have the right to receive the personal data concerning you, which you have provided to us and to transmit those data to another controller subject to the requirements of art. 20 GDPR.
6.5. You also have the right to lodge a complaint with a competent supervisory authority pursuant to art. 77 GDPR.
7. Right to withdraw consent
You have the right to withdraw consent for the future pursuant to art. 7 (3) GDPR.
8. Right to object
If we process Data based on a legitimate interest pursuant to art. 6 (1) lit f. GDPR you have the right object to future processing in accordance with art. 21 GDPR, particularly to processing for the purpose of direct marketing.
9. Cookies and right to object in the case of direct marketing
10. Data retention and deletion
10.1. We delete or restrict data processed in accordance with art. 17 and 18 GDPR. Unless explicitly stated otherwise in this Privacy Notice we delete personal data when it is no longer necessary for the purpose of the processing and no legal retention periods require storage. The processing will be restricted if the data are not deleted because they are necessary for other and lawful purposes. This means that data will be restricted and not processed for other purposes. This applies for example to data stored to comply with retention periods under commercial or tax law.
10.2. We are legally required to retain commercial records for 6 years pursuant to § 257 (1) German Commercial Code (trading books, inventories, opening balance sheets, annual accounts, commercial letters, accounting records, etc.) and for 10 years pursuant to § 147 (1) German Tax Code (books, records, management reports, accounting records, commercial letters, documents relevant for tax assessment, etc.).
11. Performance of contractual obligations
11.1. We process inventory data (such as names and addresses as well as contact information of uses), contract data (goods and services purchased, contact person, payment information) for the purpose of performing our contractual obligations, art. 6 (1) lit. b. GDPR.
11.2. We delete this data after statutory or contractual warranty periods have lapsed. The necessity of the data for this purpose is evaluated every three years. Where legal data retention periods apply the data will be deleted after those have lapsed (six years for retention periods under commercial law, 10 years for retention periods under tax law).
12. Contacting us
12.1. If you contact us by email or via our contact form, the data you provide will be processed to handle your inquiry pursuant to art. 6 (1) lit. b. GDPR.
12.2. The data you provide may be entered into a Customer-Relationship-Management System (“CRM System”) or request management system.
12.3. We delete your request and the data provided therein once they are no longer necessary. We evaluate the necessity every two years. Where legal data retention periods apply the data will be deleted after those have lapsed (six years for retention periods under commercial law, 10 years for retention periods under tax law).
This website is hosted by a hosting provider. Our hosting provider processes inventory, contact, content, usage and meta and communication data (e.g. device information, IP address) of website users. The legal basis for this processing is art. 6 (1) 1 lit. f. GDPR. Our legitimate interest is to provide our online services efficiently and in a secure manner.
14. Collection of access data and log files
14.1. Our hosting provider collects data (server log files) on the basis of our legitimate interest pursuant to art. 6 (1) lit. f. GDPR each time you connect to the server on which the online service is hosted. The logged data contains website visited, name of the file, date and time of request, data volume transmitted, notification on successful request, web browser including version, operating system of user, referrer URL (the website previously visited), IP address and access provider making the request.
14.2. The data is stored in the log files for security purposes (e.g. to investigate misuse and fraud) for a maximum period of 12 days and are then deleted. Not deleted are data whose retention is necessary for evidentiary purposes. Such data will be stored until the issue under investigation has been resolved and are then deleted.
15. Cookies & internet audience measurement
15.1. Cookies are information transmitted to your device’s web browser by our webserver or by the webserver of a third party to be accessed later. Cookies can have the form of small text files or other forms of stored information.
15.3. If you do not want cookies to be stored on your device, we ask you to disable cookies in your browser settings. Stored cookies can be deleted via the browser settings. Disabling cookies in your browser can affect the usability of this website.
16. Google Analytics
16.2. Google is certified under the Privacy Shield and guarantees adherence to EU data protection law ( https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active ).
16.3. Google will use this information on our behalf to evaluate usage of our online services, to create reports on the activities within the online services and to render other services related to the usage of our online services. It is possible to create pseudonymized user profiles based on the data processed.
16.4. We use Google Analytics only with activated IP Anonymisation. This means the User’s IP address within member states of the European Union or in other contracting states to the Agreement on the European Economic Area is shortened. Only in exceptional cases will the complete IP address be sent to a Google server and shortened within the US.
16.5. According to Google the IP address transmitted by your browser is not combined with other data from Google. You can disable the storing of cookies by changing the relevant settings in your browser; In addition, you can prevent Google from collecting the data stored in cookie and relating to your usage of the online services by downloading and installing the browser add-on available under this link: https://tools.google.com/dlpage/gaoptout?hl=en-GB .
17. Google Maps
17.1. We use the web service for displaying interactive maps Google Maps (API) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) to show Users our location and help them navigate to us.
17.2. When you visit a sub page of our website where a map from Google Maps is embedded, information relating to your use of our website (e.g. you IP address) is transmitted a Google server in the USA. This happens whether you are logged on to a Google user account or not and also if you do not have a Google account. If you are logged in, your data will be combine with your Google account. If you do not want your usage data to be combined with your Google profile you need to log out of your account before visiting the sub page of our website with an embedded map. Google will store your usage data, create a usage profile (even if you are not logged in) and analyses the data. Google LLC with registered seat in the USA is certified for the „Privacy Shield“ and guarantees adherence to European data protection law.
17.4. You can review the terms of service of Google here http://www.google.de/intl/de/policies/terms/regional.html, the additional terms for Google Maps here: https://www.google.com/intl/de_US/help/terms_maps.html
18. Social Media Profiles
18.1. We maintain online presences in social media networks and platforms in order to be able to communicate with and to inform customers, potential customers and users in general who are members of these networks and platforms of our products and services.
18.2. User data can be processed outside the European Union. As a consequence, it can for example be more difficult for users to assert their rights. US service providers who are certified under the EU-US Privacy Shield have committed themselves to maintaining the data protection standards of the EU.
18.3. User data is also likely used for marketing and market research. It is possible e.g. to create usage profiles based on user behaviour and interests derived from it. Such usage profiles can then be used to show advertisements which presumably interest within as well as outside of the social media platforms. For this purpose, cookies are usually created on the user’s device in which user behaviour and interest are stored. Usage profiles can also contain data which is independent of the device used by the user (in particular when Users are members of the social media platform and are logged in).
18.4. We process your personal data based on a legitimate interest in informing our users and communicating with our users (art. 6 (1) 1 lit. f. GDPR. If users are asked by the respective service provider to consent to the processing (e.g. by requiring checking a box or click a button) the legal basis for the processing is art. 6 (1) lit. a., art. 7 GDPR.
18.5. For detailed information on the processing and ways to object to processing (Opt-Out), please visit the below linked to information provided by the service provider.
18.6. We note that data subject access requests and other data subject rights are best directed at the service provider. Only the service provider has access to a user’s data and can take action and respond to requests for information. If you are unable to address you issue successfully, you can turn to us for support.
18.7. We maintain a social media profile at Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Privacy Notice: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
19. Job applicant data
19.1. We process data relating to job applicants only for the purpose and during the recruitment in accordance with legal requirements. We process the data to fulfil our pre-contractual obligations during the recruitment process. The legal basis for this processing is art. 6 (1) 1 lit. b., art. 6 (1) 1 lit. f. GDPR and § 26 German Federal Data Protection Act.
19.2. The provision of job applicant data is necessary for conducting the recruitment process. If we offer submitting job applications via web form, necessary data will be indicated. Otherwise, the job posting will inform on the necessity of data. In general, information about the person, mail and contact addresses and the documents belonging to an application such cover letter, CV, certificates and references are necessary. Applicants may provide additional information voluntarily.
19.3. Where during the recruitment process special categories of personal data pursuant to art. 9 (1) GDPR (e.g. data concerning health, disability status or ethnic origin) are provided voluntarily, the legal basis for the processing of such data is art. 9 (2) lit. b. GDPR. Where we request special categories of personal data pursuant to art. 9 (1) GDPR during the recruitment process (e.g. data concerning health to the extent necessary to assess the ability to exercise a profession) the legal basis is art. 9 (2) lit. a. GDPR.
19.4. If available on our website, applicants can submit applications through an online form. The data transmission will be encrypted using state of the art encryption methods.
19.5. Applicants can submit applications via email or post. Email are generally not encrypted. It is the applicant‘s responsibility to ensure proper encryption. We are not responsible for the transport of an email between the sender and our receipt on our server. We therefore recommend using an online form or sending applications by post.
19.6. We may continue using the data provided by the applicant for the purpose of an employment in case the application is successful. Otherwise, if the application was not successful, the applicant’s data will be deleted. An applicant’s data will also be deleted if the applicant withdraws his or her application, which may be done at any time.
19.7. The data will be deleted, a justified withdrawal of consent by the applicant notwithstanding, after a period of six months after the decision on the application. This allows us to answer follow-up questions regarding the application and document compliance with the German Equal Protection Act. Documentation regarding potential reimbursement of travel expenses will be archived in accordance with retention periods under German tax law.