Data Protection Statement according to the GDPR
I. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States and other provisions under data protection law is
Fa. Held GmbH
An der Ostrach 7
87545 Burgberg-Erzflöße
Tel.: (08321) 6646-0
E-Mail: info@held.de
Website: www.held.de
II. Name and address of the data protection officer
The controller’s data protection officer:
Kanzlei Menz & Partner, Herr Stephan Thomae
Edisonstraße 2
87437 Kempten
Tel.: 0831 9608730
E-Mail: stephan.thomae@menzundpartner.de
Website: www.menzundpartner.de
III. General information on processing activities
1. Scope of processing of personal data
We generally only process personal data of our users if this is required to provide a functional website or our contents and services. Processing of personal data of our users shall usually only take with the user’s consent. A derogation shall apply in such cases where collection of advance consent is not possible for factual reasons and where processing of the data is permitted by the law.
2. The legal basis for processing of personal data
As far as we collect the consent of the data subject for processing activities of personal data, sect. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
For legal processing of personal data that is required to perform a contract of which the data subject is a party, sect. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing activities that are required to perform pre-contractual measures.
As far as processing of personal data is required to perform a legal obligation that our company is subject to, sect. 6 para. 1 lit. c GDPR serves as the legal basis.
If any vital interests of the data subject or any other natural person require processing of personal data, sect. 6 para. 1 lit. d GDPR serves as the legal basis.
If processing is required to maintain a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not override the former interest, sect. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
3. Data erasure and storage duration
The personal data of the data subject will be erased or blocked as soon as the purpose of storage is removed. Storage may further take place when this is stipulated by the European or national legislator in regulations under Union law, laws or other rules that the controller is subject to. Blocking or erasure of the data shall also take pace if a storage period required by the standards named expires, except if further storage of the data is required for conclusion of a contract or performance of a contract.
IV. Provision of the website and compilation of log files
1. Description and scale of processing activities
Every time you call our website, our system will automatically record data and information from the computer system of the calling computer.
The following data will be collected in the course of this:
(1) Information on the browser type and the version used
(2) The user’s operating system
(3) The user’s internet service provider
(4) The internet protocol address of the user
(5) The date and time of the access
(6) The websites from which the user’s system reaches our website
(7) Websites that the user’s system called up on our website
The data are also stored in our system’s log files. This does not apply to the user’s internet protocol address or other data that permit association of the data with the user. These data will not be stored together with any other personal data concerning the user.
2. Legal basis for processing activities
The legal basis for temporary storage of the data is sect. 6 para. 1 lit. a GDPR.
3. Purpose of processing activities
The temporary storage of the internet protocol address by the system was necessary in order to make it possible to send the website to the user’s computer. For this, the user’s internet protocol address must remain stored for the duration of the session.
These purposes also reflect our legitimate interest in the processing activities in accordance with sect. 6 para. 1 lit. f GDPR.
4. Duration of storage
The data are deleted as soon as they are no longer required to achieve the purpose of their collection. If data are recorded for provision of the website, this is the case when the respective session is ended.
5. Right to object and removal option
Collection of the data for provision of the website and recording of the data in log files is mandatory for operation of the website. Accordingly, the user cannot object to this.
V. Use of cookies
a) Description and scale of processing activities
Our website uses cookies. Cookies are text files that are stored in the web browser or on the user’s computer system by the web browser. If a user calls up a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic character sequence that permits unique identification of the browser when calling up the website again.
We use cookies in order to make our website more user-friendly. Some elements of our website require identification of the calling browser even after a page change.
The cookies store and transmit the following data and information:
(1) Language settings
(2) Items in a shopping basket
(3) Log-in information
b) Legal basis for processing activities
The legal basis for processing of personal data using cookies is sect. 6 para. 1 lit. a GDPR.
c) Purpose of processing activities
The purpose of using technically necessary cookies is simplifying use of websites for the users. Some functions of our website cannot be offered without using cookies. For this, the browser must be recognised after a page change as well.
We need cookies for the following applications:
(1) Shopping cart
(2) Taking over language settings
(3) Remembering search terms
The user data collected by the technically necessary cookies are not used to compile user profiles.
These purposes also reflect our legitimate interest in processing the personal data in accordance with sect. 6 para. 1 lit. f GDPR.
d) Duration of storage, objection and removal option
Cookies are stored on the user’s computer and transmitted to our page by it. Therefore, you as the user also have the full control of use of cookies. By changing the settings in your web browser, you can deactivate or limit transmission of cookies. Already-stored cookies can be erased at any time. This can also be done automatically. If cookies are deactivated for our website, it may not be possible to use all functions of the website in full.
VI. Newsletter
1. Description and scale of processing activities
Our website offers the option of subscribing to a free newsletter. When you register for the newsletter, the data from the input screen will be transmitted to us. The email address is the only mandatory input.
The following data are also collected when you register:
Date and time of the registration
Your consent to processing of the data is collected within the context of the registration process and this data protection statement is referred to.
Data will not be forwarded to any third parties in connection with processing activities for sending of newsletters. The data will only be used for sending out the newsletter.
2. Legal basis for processing activities
The legal basis for processing of the data after registration for the newsletter by the user is sect. 6 para. 1 lit. a GDPR if the user’s consent is given.
3. Purpose of processing activities
Collection of the user’s email address serves to deliver the newsletter. Collection of other personal data within the context of registration serves to prevent abuse of the services or the email address used.
4. Duration of storage
The data are deleted as soon as they are no longer required to achieve the purpose of their collection. According to this, the user’s email address is stored for as long as the subscription to the newsletter is active. The other personal data collected within the context of the registration process are usually deleted after a period of seven days.
5. Right to object and removal option
The subscription to the newsletter can be terminated at any time by the user concerned. For this purpose, there is a corresponding link in every newsletter. This also permits revocation of the consent to storage of personal data collected during registration.
VII. Registration
1. Description and scale of processing activities
On our website, we offer users the option of registering under indication of personal data. The data are entered in an input field and transmitted to us and stored. The data will not be passed on to any third parties. The following data are collected within the context of the registration process:
(1) Name
(2) Email address
(3) Street and no.
(4) Postal code
(5) Town
(6) Country
(7) Phone
Within the context of the registration process, the user’s consent to processing of these data is collected.
2. Legal basis for processing activities
The legal basis for processing of the data is the presence of the user’s consent in accordance with sect. 6 para. 1 lit. a GDPR. If registration serves to perform a contract the party of which the user is or the execution of pre-contractual measures, the additional legal basis for processing of the data is sect. 6 para. 1 lit. b GDPR.
3. Purpose of processing activities
Registration of the user is required for providing certain contents and services on our website. Registration of the user is required to perform the contract or to perform pre-contractual measures.
4. Duration of storage
The data are deleted as soon as they are no longer required to achieve the purpose of their collection.
This is the case for the data collected during the process of registration if registration on our website is cancelled or changed.
This is the case during registration for performance of a contract or performance of the pre-contractual measures if the data are no longer required in order to perform the contract. Even after the end of the contract, it may be necessary to store personal data of the contract partner in order to meet contractual or statutory obligations.
5. Right to object and removal option
You as the user have the option of ending your registration at any time. You can have the data stored concerning you changed at any time.
If the data are required to perform a contract or to perform any pre-contractual measures, premature erasure of the data is only possible as far as no contractual or statutory obligations preclude erasure.
VIII. Contact form and email contact
1. Description and scale of processing activities
Our websites have a contact form that can be used for electronic contact. If a user uses this option, the data entered into the input screen will be transmitted to us and stored. These data are:
(1) Name
(2) Email address
(3) Street and no.
(4) Postal code
(5) Town
(6) Country
(7) Phone
Your consent to processing of the data is collected within the context of sending and this data protection statement is referred to.
Alternatively, contact via the provided email address is possible. In such a case, the user’s personal data transmitted in the email will be stored.
No data will be passed on to any third parties in this context. The data are only used for processing of the conversation.
2. Legal basis for processing activities
The legal basis for processing of the data is the presence of the user’s consent in accordance with sect. 6 para. 1 lit. a GDPR.
The legal basis for processing of the data transmitted in the scope of transmission of an email is also sect. 6 para. 1 lit. f GDPR. If the email contact is targeted at conclusion of a contract, sect. 6 para. 1 lit. b GDPR shall be an additional legal basis for processing.
3. Purpose of processing activities
Processing of the personal data from the input screen serves only to process your contact. In case of contact by email, this is also the required legitimate interest in processing of the data.
The other personal data processed while sending serves to prevent abuse of the contact form and to ensure the security of our information-technical systems.
4. Duration of storage
The data are deleted as soon as they are no longer required to achieve the purpose of their collection. This is the case for the personal data from the input screen of the contact form and those transmitted by email when the respective conversation with the user has ended. The conversation is ended when the circumstances show that the corresponding matter has been finally completed.
The personal data collected additionally when sending will be deleted at the latest after a period of seven days.
5. Objection right and removal options
The user has the option at any time to withdraw his or her consent to processing of the personal data. If the user contacts us by email, he or she may object to storage of his or her personal data at any time. In this case, the conversation cannot be continued.
Any personal data stored in the scope of the contact will be deleted in such a case.
IX. Rights of the data subject
If any personal data of you are processed, you are a data subject within the meaning of GDPR and you have the following rights towards the controller:
1. Information rights
You may demand that the controller confirm whether any personal data concerning you are processed by us. In case of such processing, you may demand the following information from the controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipient or the categories of recipients towards which personal data concerning you have been disclosed or will be disclosed in future;
(4) the planned duration of the storage concerning your data or, if no specific information on this can be provided, criteria for specification of the storage term;
(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller or a right to object to this processing;
(6) the existence of the right to complain to a supervisory authority;
(7) all information available concerning the origin of the data when the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling in accordance with sect. 22 para. 1 and 4 GDPR and – at least in such cases – indicative information concerning the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to be informed on whether the personal data concerning you are transmitted to a third country or an international organisation. In this context, you may demand provision of information about suitable safeguards pursuant to sect. 46 GDPR in connection with transmission.
2. Right to rectification
You have a right to rectification and/or completion towards the controller, provided that the personal data processed concerning you are inaccurate or incomplete. The controller shall rectify them without undue delay.
3. Right to restriction of processing
You may demand restriction of processing of the personal data concerning you under the following conditions:
(1) if you dispute the accuracy of the personal data concerning you for a duration that enables the controller to verify the accuracy of the personal data;
(2) processing is illegal and you reject erasure of the personal data and demand restriction of use of the personal data instead;
(3) the controller no longer requires personal data for purposes of processing, but you need them for assertion, exercising or defending legal claims, or
(4) if you have objected to processing according to sect. 21 para. 1 GDPR and it is not certain yet whether the legitimate reasons of the controller override your reasons.
Where processing of the personal data concerning you has been restricted, such personal data must – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the restriction of processing was limited according to the above conditions, you will be informed by the controller before the restriction is revoked.
4. Right to erasure
a) Erasure obligations
You may demand that the controller erase the personal data concerning you without undue delay and the controller shall have the obligation to erase such data without undue delay where one of the following grounds applies:
(1) The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw consent on which the processing was based according to sect. 6 para. 1 lit. a or sect. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
(3) You object to processing in accordance with sect. 21 para. 1 GDPR and there are no overruling legitimate grounds for processing, or you object to processing in accordance with sect. 21 para. 2 GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) Erasure of the personal data concerning you is required for compliance with a legal obligation under Union or Member State law to which the controller is subject.
(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in sect. 8 para. 1 GDPR.
b) Information to third parties
Where the controller has made the personal data concerning you public and is obligated pursuant to sect. 17 para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing of the personal data that you as the data subject have requested the erasure of by such controllers of any links to, or copy or replication of, those personal data.
c) Derogations
The right to erasure shall not apply if processing is required
(1) to exercise the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with sect. 9 para. 2 lit. h and i as well as sect. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with sect. 89 para. 1 GDPR in so far as the right referred to in lit. a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the assertion, exercise or defence of legal claims.
5. Right to provision of information
If you have asserted a right to rectification, erasure or restriction of processing towards the controller, the controller is obligated to inform all recipients to whom the personal data concerning you were disclosed of this rectification or erasure of data or restriction of processing, except if this turns out to be impossible or subject to unreasonable effort.
You are due the right to provision of information about such recipients by the controller.
6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. In addition to this, you have the right to have these data transmitted to another controller without any impairment by the controller to whom the personal data were provided, as long as
(1) processing is based on consent in accordance with sect. 6 para. 1 lit. a GDPR or sect. 9 para. 2 lit. a GDPR or a contract in accordance with sect. 6 para. 1 lit. b GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you further have the right to demand that the personal data concerning you be transmitted directly from one controller to another, where technically feasible. Freedoms and rights of other persons must not be impaired by this.
That right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on sect. 6 para. 1 lit. e or f GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
You have the option to exercise the right to object in connection with use of information society services, irrespective of directive 2002/58/EC, where technical specifications are used.
8. Right to object to the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated decision in an individual case, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the controller,
(2) is authorised by provisions of Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests or
(3) is made with your explicit consent.
However, such decisions shall not be based on special categories of personal data referred to in sect. 9 para. 1 GDPR, unless sect. 9 para. 2 lit. a or g GDPR applies and suitable measures to safeguard the rights and freedoms and your legitimate interests are in place.
Regarding the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.