DATA PROTECTION / PRIVACY POLICY
Name/Company: ATH-Heinl GmbH & Co. KG
No., street: Gewerbepark 9
Town/city, postcode, country: Illschwang, 92278, Germany
Commercial register/no.: District Court Amberg HRA 1799
Managing Director(s): Evi Heinl, Hans Heinl, Anja Antikidis-Heinl, Corinna Heinl
Telephone number: +49 9666 18801-00
E-mail address: info@ath-heinl.de
Data Protection Officer: datenschutzbeauftragter@ath-heinl.de
Last updated: 18.02.2021
- Basic information on data processing and legal bases
- This privacy policy provides you with an explanation of the type, scope and purpose of personal data processing within our online offering and associated websites, features and content (hereinafter collectively referred to as the “Online Offering” or “Website”). The privacy policy applies to all domains, systems, platforms and devices (including desktops and mobiles) where our Online Offering is accessed.
- For the terminology used, such as “personal data” and “processing”, we refer to the definitions in article 4 of the General Data Protection Regulation (GDPR).
- Users’ personal data processed as part of our Online Offering include inventory data (e.g. customers’ names and addresses), contract data (e.g. services used, employees’ names, payment information), usage data (e.g. the webpages visited within our Online Offering, interest in our products) and content data (e.g. entries in the contact form).
- The term “user” includes all categories of data subject affected by data processing. This includes our business partners, customers, interested parties and other visitors to our Online Offering. All terms used should be understood as gender-neutral.
- We only process users’ personal data in compliance with the relevant data protection regulations. That means that user data is only processed if we have legal authorisation to do so. That is particularly the case if data processing is necessary or is required by law in order for us to provide our contractual services (e.g. to process orders) and online services, users have given their consent, and it is required by our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation and security of our Online Offering, within the meaning of article 6(1)(f) GDPR, particularly for range measurement, creating profiles for advertising and marketing purposes, collecting access data and using the services of third-party providers).
- It should be noted that the legal basis for consent is articles 6(1)(a) and 7 GDPR, the legal basis for processing so that we can fulfil our services and carry out contractual requirements is article 6(1)(b) GDPR, the legal basis for processing so that we fulfil our legal obligations is article 6(1)(c) GDPR, and the legal basis for processing so that we safeguard our legitimate interests is article 6(1)(f) GDPR.
- Security measures
- We take the most up-to-date organisational, contractual and technical security measures to ensure that we comply with the provisions of data protection laws and protect the data we process against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons.
- In particular, the security measures include the encryption of data transferred between your browser and our server.
- Transferring data to third parties and third-party providers
- We only transfer data to third parties as part of statutory requirements. We only transfer user data to third parties if this is necessary for contractual purposes, on the basis, for example, of article 6(1)(b) GDPR, or on the basis of our legitimate interest in the effective commercial operation of our business, in accordance with article 6(1)(f) GDPR.
- If we use subcontractors to provide our services, we take suitable legal precautions and appropriate technical and organisational measures to ensure that personal data is protected, in accordance with the relevant statutory provisions.
- If, as part of this privacy policy, content, tools or other resources are used by other providers (hereinafter jointly referred to as “Third-Party Providers”) with registered offices in a third country, it should be assumed that data will be transferred to the country where the Third-Party Providers have their registered offices. Third countries are countries where the GDPR is not directly applicable, i.e., in general, countries outside the EU or the European Economic Area. Data is transferred to third countries either when there is an adequate level of data protection, the user has given consent, or another legal authorisation has been obtained.
- Providing contractual services
- We process inventory data (e.g. users’ names, addresses and other contact details), contract data (e.g. services used, names of contacts, payment information) in order to fulfil our contractual obligations and provide our services in accordance with article 6(1)(b) GDPR.
- Users have the option of creating a user account where they can see their orders. Users are provided with the required mandatory information during the registration process. User accounts are not publicly accessible and cannot be indexed by search engines. If users close their user accounts, the data in the accounts is deleted, unless it needs to be retained for commercial or tax purposes, in accordance with article 6(1)(c) GDPR. It is users’ responsibility to save their data before the end of the contract. We are entitled to delete all user data stored during the lifetime of the contract in such a way that it cannot be recovered.
- When users register, and whenever they log in and use our online services, we store their IP address and the time the user activity takes place. We store the data on the basis of our legitimate interests, and to protect users against fraud or any other unauthorised use. We do not generally transfer the data to third parties, unless we need to do so in order to pursue an entitlement or unless there is a legal obligation to do so in accordance with article 6(1)(c) GDPR.
- We process usage data (e.g. webpages visited in our Online Offering, interest in our products) and content data (e.g. entries in the contact form or a user profile) to advertise in a user profile, by showing users items such as product information based on the services they have previously used.
- Contacting us
- When users contact us (using the contact form or email), the information provided is processed in order to allow us to deal with the contact enquiry, in accordance with article 6(1)(b) GDPR.
- User information may be saved in our Customer Relationship Management system (“CRM system”) or a similar enquiry organisation system.
- Comments and other contributions
- If users leave comments or other contributions, their IP addresses are stored for seven days on the basis of our legitimate interest, within the meaning of article 6(1)(f) GDPR.
- This is done for reasons of our safety and security in case someone leaves illegal content in comments and posts (insults, banned political propaganda, etc.). If this happens, we can be prosecuted for the comment or contribution and are therefore interested in finding the identity of the person involved.
- Collecting access data and log files
- We collect data every time the server where this service is located is accessed (on server log files) on the basis of our legitimate interests, within the meaning of article 6(1)(f) GDPR. The access data includes the name of the website visited, the data file, the date and time of the visit, the volume of data transferred, notification that access was successful, the browser type and version, the user's operating system, the referrer URL (the website visited previously), the IP address and the requesting provider.
- For security reasons (e.g. to investigate improper use or fraud), log file information is stored for a maximum of seven days and is then deleted. Data that needs to be stored for longer to be kept as evidence will not be deleted until final clarification about the incident in question has been provided.
- Cookies and range measurement
- Cookies are information that is transferred from our web server or third-party web servers to users’ web browsers and stored there for retrieval at a later time. Cookies may be small data files or other types of information storage.
- We use “session cookies”, which are only stored for the duration of a visit to our Online Offering (to enable both your login status or the shopping cart functions to be stored and our Online Offering to be used). A session cookie contains a randomly generated unique identification number, known as a session ID. A cookie also contains information about where it comes from and how long it is stored for. These cookies cannot store any other data. Session cookies are deleted when you finish using our Online Offering and either log out or close the browser, for example.
- As part of this privacy statement, we inform users about how cookies are used as part of pseudonymous range measurement.
- If users do not want cookies to be stored on their computer, they are asked to disable the relevant option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Excluding cookies might mean that access to the features in this Online Offering is restricted.
- You can reject cookies used for range measurement and advertising purposes via the Network Advertising Initiative’s opt-out page (http://optout.networkadvertising.org/)
and on the American website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
Please note the requirements for using Google Analytics: IP anonymisation needs to be enabled (https://support.google.com/analytics/answer/2905384?hl=de) and the “data processing amendment” in the Google Analytics administration area accepted.
- Google Analytics
- We use Google Analytics, a web analysis service provided by Google Inc. (“Google”), on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our Online Offering, within the meaning of article 6(1)(f) GDPR). Google uses cookies. The information generated by the cookies about how the user uses the Online Offering will usually be transferred to a Google server in the USA and stored there.
- Google is certified under the Privacy Shield agreement, thereby providing a guarantee that it will comply with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information on our behalf to analyse how users use our Online Offering, compile reports on the activities within this Online Offering, and provide us with other services related to use made of this Online Offering and the internet. In the process, pseudonymous user profiles may be created from the data processed.
- We use Google Analytics in order to display the advertisements placed by Google’s advertising services and those belonging to its partners solely to those users who have also shown an interest in our Online Offering or who demonstrate specific characteristics (e.g. an interest in certain topics or products that are based on the webpages visited) that we transfer to Google (known as “remarketing”, or “Google Analytics Audiences”). With the help of Remarketing Audiences, we would also like to ensure that our advertisements match users’ potential interests, but are not annoying.
- We only use Google Analytics with IP anonymisation enabled. This means that Google shortens users’ IP addresses within member states of the European Union or other signatories to the Agreement on the European Economic Area before sending it to the USA. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there.
- Google will not link the IP address sent by your browser to any other data. Users can prevent their cookies being stored by using the relevant settings in their browsers; users can also prevent Google from collecting and processing the data generated by the cookies relating to their use of the Online Offering by downloading and installing the browser plug-in available via the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
- You can find more information about Google’s use of data, settings options and how to reject cookies on Google’s website: https://www.google.com/intl/en/policies/privacy/partners(“How Google uses information from sites or apps that use our services”), http://www.google.com/policies/technologies/ads (“How Google uses cookies in advertising”), http://www.google.de/settings/ads (“Control the information Google uses to show you ads”).
- Google Re/marketing services
- We use marketing and remarketing services (“Google marketing services” for short) from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”) on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our Online Offering, within the meaning of article 6(1)(f) GDPR).
- Google is certified under the Privacy Shield agreement, thereby providing a guarantee that it will comply with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google marketing services allow us to display advertisements for and on our Website in a more targeted manner so that we only present users with advertisements that are likely to match their interests. The process where users are shown advertisements for products in which they have shown an interest on other websites is known as “remarketing”. When our webpages and others where Google marketing services are enabled are accessed, Google immediately executes a Google code and (re)marketing tags (invisible graphics or code, also known as “web beacons”) are embedded on the Website. With the help of the tags, an individual cookie, i.e. a small file, is stored on users’ devices (similar technologies can also be used instead of cookies). The cookies can be placed by different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. The file records which webpages users have visited, which content they are interested in and what they have clicked on, as well as technical information about browser and operating systems, referring websites, visit times and other information about how the Online Offering is used. Users’ IP addresses are also recorded. You should be aware that, as part of Google Analytics, IP addresses will be shortened within member states of the European Union or other signatories to the Agreement on the European Economic Area, and only in exceptional cases will they be transferred in their full form to a Google server in the USA and shortened there. Google will not merge IP addresses with any other user data it has collected. Google may combine the information with information from other sources. If users go on to visit other websites, personally customised advertisements may be displayed in line with their interests.
- User data is processed pseudonymously as part of Google marketing services. This means, for example, that Google does not store and process users’ names or email addresses, but processes the relevant cookie-related data within pseudonymous user profiles. From Google's point of view, this means that advertisements are not managed and displayed for a specific individual, but for the cookie owner, regardless of who the cookie owner is. This will not apply if users have expressly allowed Google to process the data without pseudonymisation. The user information collected by Google marketing services is transferred to Google and stored on Google’s servers in the USA.
- The Google marketing services we use include the online advertising program “Google AdWords”. Every Google AdWords customer receives a different “conversion cookie”. As a result, cookies cannot be tracked via AdWords customers’ websites. The information obtained from the cookie is used to create conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers find out the total number of users who clicked on their advertisement and were redirected to a page with a conversion tracking tag. But they do not receive any information that allows users to be personally identified.
- We can embed third-party advertisements using Google marketing services’ “DoubleClick”. DoubleClick uses cookies that enable Google and its partner websites to display advertisements based on users’ visits to this Website or other websites on the internet.
- We can embed third-party advertisements using Google marketing services’ “AdSense”. AdSense uses cookies that enable Google and its partner websites to display advertisements based on users’ visits to this Website or other websites on the internet.
- We can also use the “Google Optimizer” service. Google Optimizer allows us to use what is known as “A/B testing” to understand how various changes to a website have an impact (e.g. changes to the input fields, the design, etc.). In order to carry out these tests, cookies are stored on users’ devices. Only pseudonymous user data is processed.
- We can also use “Google Tag Manager” to embed and manage Google analysis and marketing services on our Website.
- For further information on how Google uses data for marketing purposes, visit the overview page at: https://www.google.com/policies/technologies/ads. Google’s privacy policy can be accessed at https://www.google.com/policies/privacy.
- If you would like to reject the personalised advertising provided by Google marketing services, you can use the settings and opt-outs provided by Google at: http://www.google.com/ads/preferences
- Facebook social plugins
- On the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our Online Offering, within the meaning of article 6(1)(f) GDPR), we use social plugins (“Plugins) from Facebook.com, which operates from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are identifiable from one of the Facebook logos (white “f” on a blue tile, the phrase “like” or a “thumbs up” sign) or are labelled as “Facebook Social Plugins”. The list of Facebook social plugins and what they look like can be found at: https://developers.facebook.com/docs/plugins/
- Google is certified under the Privacy Shield agreement, thereby providing a guarantee that it will comply with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
- When users access features in this Online Offering that contain plugins of this kind, their devices establish a direct connection with Facebook’s servers. Facebook transfers the content of plug-ins directly to users’ devices, where it is embedded in the Online Offering. In the process, pseudonymous user profiles may be created for users from the data processed. We have no control over the exact amount of data that Facebook collects using this plugin and so the information we provide to users is based on what we know.
- By embedding the plugins, Facebook receives information about which webpages users have accessed in the Online Offering. If users are logged into Facebook, Facebook can link the visit to their Facebook accounts. When users interact with plugins, by clicking on ‘Like’ or making a comment, the relevant information is transferred directly from their devices to Facebook and stored there. If users do not have a Facebook account, Facebook may still find their IP addresses and store them. According to Facebook, only anonymised IP addresses are stored in Germany.
- The purpose and scope of data collection and Facebook’s additional processing and use of the data, as well as related rights and settings options to protect users’ privacy can be found in Facebook’s data policy: https://www.facebook.com/about/privacy/
- If users have a Facebook account and do not want Facebook to collect their data via this Online Offering and link it to their account data stored on Facebook, they need to log out of Facebook before using our Online Offering and delete their cookies. Additional information on settings and opportunities to object to the use of data for advertising purposes can be found in Facebook profile settings: https://www.facebook.com/settings?tab=ads or on the American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The settings are the same, irrespective of the platform used, i.e. they apply on all devices, such as desktop computers or mobile devices.
- Disabling Facebook’s Custom Audiences and Facebook Marketing Services’ Facebook pixel function
- The “Facebook pixel”, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), is used in our Online Offering on the basis of our legitimate interest in the analysis, optimisation and commercial operation of our Online Offering.
- Google is certified under the Privacy Shield agreement, thereby providing a guarantee that it will comply with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
- Using the Facebook pixel, Facebook is able to designate the visitors to our Online Offering as a target group for advertisements (known as “Facebook ads”). We therefore use the Facebook pixel to display our Facebook ads to Facebook users who have also shown an interest in our Online Offering or who demonstrate specific characteristics (e.g. an interest in certain topics or products that are based on the websites visited) that we transfer to Google (known as “Custom Audiences”). With the help of the Facebook pixel, we would also like to ensure that our Facebook ads match users’ potential interests, but are not annoying. With the help of the Facebook pixel, we can also understand the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users are redirected to our Website after they click on a Facebook advertisement (known as “Conversion”).
- Facebook embeds the Facebook pixel as soon as you visit our Website by storing a cookie, i.e. a small file, on your device. If you then log in to Facebook or visit Facebook while you are logged in, the visit to our Online Offering will be recorded in your profile. The data we collect about you is anonymous, so it does not allow us to draw any conclusions about the identity of the user. However, Facebook stores and processes the data so that a connection can be made to the relevant user profile, which can be used by Facebook and for our own market research and advertising purposes. If we transfer data to Facebook for matching purposes, it will be encrypted locally on the browser and only sent to Facebook via a secure https connection. The sole purpose of this activity is to match the data with the same data encrypted by Facebook.
- When we use the Facebook pixel, we also use the additional “advanced matching” function (this involves data such as users’ telephone numbers, email addresses or Facebook IDs) to create target groups (“Custom Audiences” or “Lookalike Audiences”) transferred to Facebook (encrypted). Further information about “advanced matching” can be found at: https://www.facebook.com/business/help/611774685654668)
- We also use Facebook, Inc’s “Custom Audiences from file” procedure on the basis of our legitimate interests. In this instance, newsletter recipients’ email addresses are uploaded to Facebook. The uploading process is encrypted. The upload is used solely to identify who should receive our Facebook advertisements. We want to ensure that the advertisements are only shown to users who are interested in our information and services.
- Facebook processes the data within the parameters of its own data policy. General information on how Facebook ads are displayed to users can be found in Facebook’s data policy: https://www.facebook.com/policy.php. Specific information about the Facebook pixel and how it works can be found in the Facebook help centre: https://www.facebook.com/business/help/651294705016616
- You can object to your data being collected by the Facebook pixel and to your data being used for Facebook ads to be displayed. To adjust which types of advertisement are shown to you on Facebook, you can access the following Facebook page and follow the instructions on managing the settings for personalised advertising: https://www.facebook.com/settings?tab=ads. The settings are the same, irrespective of the platform used, i.e. they apply on all devices, such as desktop computers or mobile devices.
- In order to prevent your data being collected by the Facebook pixel on our Website, please click on “Change cookie settings” at the top of the page.
- You can reject cookies used for range measurement and advertising purposes via the Network Advertising Initiative’s opt-out page (http://optout.networkadvertising.org/) and on the American website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
- Newsletter
- In this section, we provide you with information about the content of our newsletter, the processes by which you register, the newsletter is sent to you, and statistical analyses are carried out, along with your right to object. By subscribing to our newsletter, you are declaring that you agree to receive the newsletter and accept the processes described.
- Content of the newsletter: we send newsletters, emails and other electronic notifications containing advertising information (hereinafter the “newsletter”) only with either the recipient’s consent or legal permission to do so. If the content of the newsletter is specifically described when users register for the newsletter, this is considered as users giving their consent. Our newsletters contain information about our products, offers, and promotions and about our company.
- Double opt-in and logging: Registering for our newsletter involves a double opt-in procedure. This means that after you register, you will receive an email that will ask you to confirm your registration. This confirmation is necessary so that no-one is able to register with someone else’s email address. A log is kept of newsletter registrations so that we can provide evidence that the registration process conforms with statutory requirements. This will also include storing the registration and confirmation times and your IP address. Any changes to your data as stored by the shipping service providers will also be logged.
- Email marketing service: We do not currently use an email marketing service.
- The email marketing service can also use this data in pseudonymous form, i.e. without assigning it to a user, in order to optimise or improve its own services, e.g. to optimise provision or the appearance of the newsletter from a technical perspective, or for statistical purposes to identify the recipients’ countries of origin. The email marketing service cannot make a record of our newsletter recipients’ data or pass it on to third parties.
- Registration data: You will only need to provide your email address to register for the newsletter. We will also give you the option of providing a name so that we can address you personally in the newsletter.
- Statistical survey and analyses - The newsletters contain a “web beacon”, i.e. a pixel-sized file that is retrieved from the email marketing service’s server when the newsletter is opened. When the file is retrieved, technical information is collected, including information about the browser, your system, your IP address and the time it is retrieved. This information is used to improve services from a technical perspective, based on technical data or the target groups and their reading behaviour, using the locations where the file is retrieved (which can be found with the help of the IP address) or the time of access. The statistical surveys also include identifying whether the newsletters are opened, when they are opened and which links are clicked on. For technical reasons, this information can be assigned to the individual newsletter recipients. However, we have no desire to monitor individual users, and nor does the email marketing service. The analyses are more useful in helping us identify our users’ reading habits and adjust the content we provide to them or send different content based on users’ interests.
- Cancellation/withdrawal - You can cancel our newsletter at any time, i.e. you can withdraw your consent. Your consent to the email marketing service to send the newsletter and your consent to the statistical analyses will end at the same time. Unfortunately, you cannot separately withdraw your consent for the email marketing service to send the newsletter and your consent to the statistical analyses. You will find a link to enable you to cancel the newsletter at the end of each newsletter. If users only register for the newsletter and then cancel their registration, their personal data will be deleted.
- Integrating third-party services and content
- We integrate content or services from third-party providers within our Online Offering, based on our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our Online Offering within the meaning of article 6(1)(f) GDPR), including videos or fonts (hereinafter referred to as the “Content”). This is based on the assumption that the third-party providers of this Content make a record of users’ IP addresses, as they would not be able to send the Content to users’ browsers without their IP addresses. IP addresses are therefore required in order for this content to be displayed. We make every effort to only use Content where the providers only use the IP addresses to deliver the Content. Third-party providers can also use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to analyse information such as visitor traffic on the pages of this Website. The pseudonymous information can also be stored in cookies on the user’s device and, amongst other data, may contain technical information about the browser and operating system, the referring websites, the length of time the website was accessed, and other information about how our Online Offering is used, and can also be linked to similar information from other sources.
- The following example provides an overview of third-party providers and their Content, along with links to their privacy policies, which contain further information on data processing and, in some cases mentioned above, options to object to data processing (opt-outs): If our customers use third-party payment services (such as PayPal or Klarna’s Pay Now), the third-party providers’ terms and conditions and privacy policies will apply, and can be accessed from their websites or transaction apps.
External fonts from Google, Inc., https://www.google.com/fonts (“Google Fonts”). Google Fonts is integrated via access to a Google server (usually in the USA). Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/
Maps provided by the “Google Maps” service of the third-party provider, Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/
Videos on the “YouTube” platform of the third-party provider, Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/
Google+ functions are integrated into our Online Offering. These functions are provided by the third-party provider, Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you are logged into your Google+ account, you can link the contents of our pages to your Google+ profile by clicking on the Google+ button. This enables Google to assign your visit to our Website to your user account. Please note that, as the provider of the pages, we are not aware of the content of the data transferred or how Google+ uses it. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/
Instagram functions are integrated into our Online Offering. These functions are provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can link the contents of our webpages to your Instagram profile by clicking on the Instagram button. This enables Instagram to assign your visit to our Website to your user account. Please note that, as the provider of the pages, we are not aware of the content of the data transferred or how Instagram uses it. Privacy policy:
http://instagram.com/about/legal/privacy
Our Online Offering uses LinkedIn functions. The provider is the LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Each time you visit one of our webpages that contains LinkedIn functions, it will connect to LinkedIn’s servers. LinkedIn will be informed that you have visited our Website from your IP address. If you click on the LinkedIn “Recommend” button and are logged into your LinkedIn account, LinkedIn is able to assign your visit to our Website to you and your user account. Please note that, as the provider of the pages, we are not aware of the content of the data transferred or how LinkedIn uses it. Privacy policy: https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
We use social plugins from Pinterest, which is operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA (“Pinterest”). When you access a webpage that contains a Pinterest plugin, your browser establishes a direct connection to the Pinterest servers. The plugin transfers log data to the Pinterest server in the USA. The log data may include your IP address, the address of the websites you have visited that also contain Pinterest functions, your browser type and settings, the date and time of access, and how you use Pinterest and its cookies. Privacy policy: https://about.pinterest.com/de/privacy-policy
Twitter functions are integrated into our Online Offering. These functions are provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. When you use Twitter and the “Retweet” function, the websites you visit are linked to your Twitter account and disclosed to other users. This data is also transferred to Twitter. Please note that, as the provider of the pages, we are not aware of the content of the data transferred or how Twitter uses it. Twitter’s privacy policy can be found at https://twitter.com/privacy. You can change your Twitter privacy settings in account settings at https://twitter.com/account/settings.
External code from the JavaScript framework “jQuery” is provided by the third-party provider jQuery Foundation, at https://jquery.org
- Users’ rights
- Users have the right to request, free of charge, information about the personal data that we have stored on them.
- Where applicable, users also have the right to rectify inaccurate data, restrict processing and have their personal data deleted, exercise their rights to data portability and, if data is processed unlawfully, lodge a complaint with the competent supervisory authority.
- Users can also withdraw their consent to data processing, usually with immediate effect.
- Deleting data
- The data we store will be deleted as soon as it is no longer required for its intended use and deleting the data does not conflict with any statutory requirements to retain it. If users’ data is not deleted because it is required for other purposes, including lawful purposes, processing of the data will be restricted in scope. In other words, the data will be inaccessible and not processed for other purposes. This applies to user data that has to be kept for reasons related to commercial or tax legislation, for example.
- Data must be stored for six years in accordance with section 257(1) German Commercial Code (HGB) (trading books, inventories, opening balance sheets, annual financial statements, trade letters, accounting records, etc.) and for ten years in accordance with section 147(1) German Fiscal Code (AO) (accounts, records, situation reports, accounting records, trade and business letters, tax-related documentation, etc.).
- The right to object
- In accordance with statutory requirements, users are able, at any time, to object to their personal data being processed further. In particular, they can object to processing for direct marketing purposes.
- Amendments to the privacy policy
- We reserve the right to amend the privacy policy to adapt it to altered legal situations or changes to services and data processing. This only applies to our data processing policy, however. If users’ consent is required or if parts of the privacy policy include provisions from the contract with users, amendments will only be made with users’ consent.
- Users are requested to keep themselves regularly updated about the information contained in the privacy policy.
- Information about further processing procedures
- Specific information about the application process
-- Data affected: application information
-- Purpose of processing: to carry out the application process
-- Categories of recipients: public bodies where there are overriding statutory provisions; external service providers or other contractors; other external bodies if data subjects have given their consent or data transfer is permitted for a compelling interest.
-- Data transfers to third countries: processors from outside the European Union can also be used as part of the process of executing the contract.
-- Length of time data is stored for: application data is usually deleted within six months after you receive notification of our decision, unless you have given consent for the data to be stored for longer.
-- Processing activities: the data is transferred internally to the Controller for processing. - Specific information about the processing of customer data/potential customer data (including forms on the Website)
-- Data affected: data disclosed in order to execute the contract; any additional data for processing based on your explicit consent.
-- Purpose of processing: to execute / initiate the contract.
-- Categories of recipients: public bodies where there are overriding statutory provisions; external service providers or other contractors; other external bodies if data subjects have given their consent or data transfer is permitted for a compelling interest.
-- Data transfers to third countries: processors from outside the European Union can also be used as part of the process of executing the contract.
-- Length of time data is stored for: the length of time for which data is stored is based on the statutory requirements for retaining data and is generally ten years.
-- Processing activities: the data is transferred internally to the Controller for processing. We also intend to transfer the data to an MSA authorised dealer. - Specific information about the processing of employee data
-- Data affected: data disclosed in order to execute the contract; any additional data for processing based on your explicit consent.
-- Purpose of processing: to execute the contract
-- Categories of recipients: public bodies where there are overriding statutory provisions; external service providers or other contractors; other external bodies if data subjects have given their consent or data transfer is permitted for a compelling interest.
-- Data transfers to third countries: processors from outside the European Union can also be used as part of the process of executing the contract.
-- Length of time data is stored for: the length of time for which data is stored is based on the statutory requirements for retaining data and is generally ten years.
-- Processing activities: the data is transferred internally to the Controller for processing. - Specific information about the processing of supplier data
-- Data affected: data disclosed in order to execute the contract; any additional data for processing based on your explicit consent.
-- Purpose of processing: to execute the contract
-- Categories of recipients: public bodies where there are overriding statutory provisions; external service providers or other contractors; other external bodies if data subjects have given their consent or data transfer is permitted for a compelling interest.
-- Data transfers to third countries: processors from outside the European Union can also be used as part of the process of executing the contract.
-- Length of time data is stored for: the length of time for which data is stored is based on the statutory requirements for retaining data and is generally ten years.
-- Processing activities: the data is transferred internally to the Controller for processing.
- Specific information about the processing of applications from new dealers
We will transfer personal data collected as part of this contract that relates to the application for, and execution and completion of, this business transaction, and will transfer data regarding fraudulent conduct or conduct that breaches the contract to CRIF Bürgel GmbH, Radlkoferstraße 2, 81373 Munich.
The legal bases for transferring this data are articles 6(1)(b) and 6(1)(f) General Data Protection Regulation (GDPR). Data may only be transferred in accordance with article 6(1)(f) GDPR if required in order to safeguard the legitimate interests of our company or third parties, but must not override the interests or fundamental rights and freedoms of data subjects, who require their personal data to be protected. Sharing data with CRIFBÜRGEL also allows legal obligations to conduct creditworthiness checks on customers to be carried out (sections 505a and 506 German Civil Code).
CRIFBÜRGEL processes the data it receives and uses it for building profiles (known as scoring) in order to provide its partners in the European Economic Area and Switzerland and, where applicable, other third countries (where an adequacy decision has been provided by the European Commission) with information about its creditworthiness rating for private individuals. Further information about the work of CRIFBÜRGEL can be found in the CRIFBÜRGEL information sheet or consulted online at crifbuergel.de/de/datenschutz.
Please note the following mandatory information:
the European Commission operates an Online Dispute Resolution platform, which can be found at http://ec.europa.eu/consumers/odr/.
Duty to provide information, in accordance with section 36 Consumer Dispute Resolution Act (VSBG):
We are neither willing nor obliged to participate in a dispute resolution procedure before a consumer arbitration board.