Name and contact of the controller under Article 4 (7) GDPR
Ätztechnik Herz GmbH & Co. KG
Industriegebiet Kilbigswasen 4
78736 Epfendorf am Neckar
Telephone: [+49] 07404-9214-0
Fax: [+49] 07404-9214-30
Data Protection Officer
Name: Dirk Hellmich
Address: Bechtle IT Systemhaus Konstanz, Schützenstrasse 84, 78315 Radolfzell
Security and protection of your personal data
We feel it is our foremost responsibility to guard the confidentiality of the personal data you have provided and protect them from unauthorised access. Therefore, we use the utmost care and up-to-date security standards to guarantee maximal protection of your personal data.
As a company governed by private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the regulations of the Federal Data Protection Act (BDSG). We have taken technical and organisational measures that ensure that both we and our external service providers observe data protection provisions.
The legislature demands that personal data be processed legally, in good faith, and in a manner that is transparent for the data subject (“legality, processing in good faith, transparency”). To guarantee this will occur, we wish to inform you about the individual statutory definitions used in this data privacy statement:
1. Personal data
“Personal data” means all information related to an identified or identifiable natural person (“data subject”). A natural person is deemed “identifiable” if they can be directly or indirectly identified, especially by allocating them to an identifier such as a name, ID number, location data, an online identifier, or to one or more particular characteristics which express this natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
“Processing” means any operation executed with or without the help of automatic procedures, or any such series of operations in connection with personal data, such as collecting, recording, organising, filing, storing, adjusting or altering, reading, requesting, using, disclosing through transmission, dissemination or another form of provision, comparing or connecting, restricting, deleting or destroying such data.
3. Restriction of processing
“Restriction of processing” means marking stored personal data with the goal of restricting its processing in the future.
“Profiling” means any type of automatic processing of personal data in which those data are used to assess certain personal aspects related to a natural person, especially to analyse or predict aspects regarding their work performance, economic situation, health, personal preferences, interests, reliability, behaviour, abode or change of location.
“Pseudonymisation” means processing personal data to prevent them from being linked to a specific data subject without drawing on additional information, provided this additional information is retained separately and subject to technical and organisational measures that guarantee that the personal data cannot be allocated to an identified or identifiable natural person.
6. File system
“File system” means any structured collection of personal data which is accessible according to certain criteria, regardless of whether that collection is kept centrally or peripherally, or arranged according to functional or geographic aspects.
“Controller” means a natural person or legal entity, government agency, institution or other agency which, alone or in conjunction with others, decides on the purpose and means of processing personal data. If the purpose and means of that processing are prescribed by the law of the European Union or its member states, those laws may also prescribe who the controller must be or the specific criteria according to which the controller must be named.
“Processor” means a natural person or legal entity, government agency, institution or other agency which processes personal data on behalf of the controller.
“Recipient” means a natural person or legal entity, government agency, institution or other agency to which personal data are disclosed, regardless of whether that recipient is a third party. However, authorities who obtain personal data due to a specific investigation mandate under the law of the European Union or its member states are not deemed recipients. The authorities named process that data according to applicable data protection provisions and the purpose of the processing.
10. Third party
“Third party” means a natural person or legal entity, government agency, institution or other agency, besides the data subject, the controller, the processor and the people for whom the controller or the processor are directly responsible, who are authorised to process the personal data.
“Consent” from the data subject means any expression of intent which is voluntarily and unmistakeably given for the case at hand, in an informed manner, in the form of a declaration or other unambiguous affirming action, with which the data subject makes understood that that party agrees to the processing of the personal data concerning them.
Legality of processing
The processing of personal data is legal only if it has a legal basis. In accordance with Article 6 (1) (a–f) GDPR, the particular legal bases for processing can be:
- the data subject has consented to the processing of the personal data concerning them for one or more specific purposes;
- processing is necessary to fulfil a contract to which the data subject is party, or to execute pre-contractual measures on the data subject’s request;
- processing is necessary to fulfil a legal obligation to which the controller is subject;
- processing is necessary to protect vital interests of the data subject or another natural person;
- processing is necessary to carry out a task in the public interest or in the exercise of public authority vested in the controller;
- processing is necessary to guard the legitimate interests of the controller or a third party, unless this need is outweighed by the interests or basic rights and freedoms of the data subject which require that the personal data be protected, especially if the data subject is a child.
Information about the collection of personal data
(1) In the following, we will inform you about the collection of personal data when you use our website. Examples of personal data include name, address, email addresses and user behaviour.
(2) If you contact us through email or a contact form, we will store the data you communicate (your email address and possibly your name and telephone number) to answer your questions. We will delete the data accumulated in this context as soon as storage is no longer necessary, or processing will be restricted if statutory retention requirements exist.
Collection of personal data when you visit our website
If you are using our website only for informational purposes and thus do not register or otherwise transmit information to us, we will collect only the personal data that your browser transmits to our server. If you would like to look at our website, we will collect the following data, which are technically necessary for us to show you our website and guarantee its stability and security (legal basis is Art. 6 (1) (1) (f) GDPR):
- IP address
- Date and time of request
- Time zone difference to Greenwich Mean Time (GMT)
- Contents of the request (specific page)
- Access status / HTTP status code
- Data quantity transferred each time
- Website from which the request comes
- Operating system and its interface
- Language and version of the browser software.
(1) In addition to the aforementioned data, cookies will be stored on your computer when you use our website. Cookies are small text files which are stored on your hard drive by the browser you use and which send certain information to the party who sent the cookies. Cookies cannot execute programmes or transmit viruses to your computer. They serve only to make the internet services more user-friendly and effective as a whole.
(2) This website uses the following types of cookies, whose scope and functionality is explained in the following:
- Transient cookies (a.)
- Persistent cookies (b.).
- Transient cookies are deleted automatically when you close your browser. They particularly include session cookies. These store what is known as a “session ID”, with which various requests of your browser can be allocated to the joint session. This lets us recognise your computer whenever you revisit our website. Session cookies are deleted when you log out or close your browser.
- Persistent cookies are deleted automatically after a specified period, which can differ according to the cookie. You can delete the cookies in your browser’s security settings at any time.
- You can configure your browser settings accordingly, and, for example, reject the acceptance of third-party cookies or all cookies. Cookies known as “Third-party cookies” are set by a third party—not by the actual website you are currently visiting. Please note that if you deactivate cookies you might not be able to use all this website’s functions.
- The flash cookies used are not recorded through your browser, but through your flash plug-in. Furthermore, we use HTML5 storage objects, which are placed in your end device. These objects store the necessary data regardless of which browser you use, and have no automatic expiration date. To prevent the flash cookies from being processed, you must install an appropriate add-on, such as “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash Killer Cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using your browser’s private mode. We also recommend manually deleting your cookies and your browser history periodically.
Additional functions and services of our website
(1) Besides the purely informative use of our website, we offer various services which you can use if interested. To do so, you must usually provide additional personal data which we use to render the service in question and to which the aforementioned principles of data processing apply.
(2) We will sometimes use external service providers to process your data. We have selected and commissioned them carefully. They are bound by our instructions and are supervised periodically.
(3) We may also forward your personal data to third parties if we offer services in conjunction with partners, such as special offers, sweepstakes, and contract conclusions. You can obtain additional information by providing your personal data or reading the description below the offer.
(4) If our service provider or partner is domiciled in a state outside the European Economic Area (EEA), we will include any consequences this entails in the offer description.
By providing your consent, you may subscribe to our newsletter to receive updates on services which may interest you. The advertised goods and services are named in the declaration of consent.
(2) When you register for our newsletter, we use a double opt-in procedure. This means that after you register we will send you an email, to the address provided, asking you to confirm that you wish to receive the newsletter. If you fail to confirm your registration within 24 hours, your information will be blocked, and after one month will be deleted automatically. Moreover, we will store the IP address you used, and the time of registration and confirmation. The purpose of the procedure is to verify your registration and clear up any misuse of your personal data if necessary.
(3) The only information we need to send the newsletter is your email address. You may also voluntarily disclose additional data, which will be marked separately and used to address you personally. After you confirm, we will store your email address to send the newsletter. The legal basis is Art. 6(1)(1)(a) GDPR.
(4) You may withdraw your consent to have the newsletter sent, thereby unsubscribing from it, at any time. You can declare your withdrawal by clicking on the link provided in each newsletter email, sending an email to firstname.lastname@example.org, or sending a message to the contact data provided in the Impressum (Legal Notice).
(5) Please note that when we send the newsletter we will evaluate your user behaviour. For this evaluation, the emails sent contain “web beacons” or “tracking pixels”: single-pixel image files which are stored on our website. For the evaluations, we connect the data named under § 3 and the web beacons with your email address and individual ID. All those data will be pseudonymised when collected, so the IDs will not be connected with your additional personal data, ruling out any possibility of identifying you personally. You may object to this tracking at any time by clicking the separate link provided in every email or informing us using another means of contact. The information will be stored as long as you are subscribing to the newsletter. If you deregister, we will store the data only for statistics and in anonymised form.
As a general principle, our services are geared toward adults. People under 18 may not transmit any personal data to us or issue a declaration of consent without the consent of their legal guardian.
Rights of the data subject
(1) Withdrawal of consent
If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the legality of processing that has already occurred based on your consent.
To exercise your right of withdrawal, you may contact us at any time.
(2) Right to confirmation
You may obtain from the controller confirmation about whether we are processing personal data concerning you. You may demand that confirmation at any time under the contact data specified above.
(3) Right of access
If personal data are being processed, you may at any time demand access to those data and the following information:
- the purposes of processing;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data are or will be disclosed, especially if those recipients are located in third countries or international organisations;
- if possible, the period planned for storing the personal data, or, if this is impossible, the criteria for determining that period;
- the existence of a right to rectification or erasure of the personal data concerning you, or the restriction of the processing by the controller or a right of objection against this processing;
- the right to complain to a supervisory authority;
- all available information on the origin of the data, if the personal data were not collected from the data subject;
- the existence of automated decision-making, including profiling under Art. 22 (1 and 4) GDPR and—at least in these cases—meaningful information about the logic involved, as well as the implications and sought-after effects such processing would have for the data subject.
If personal data are transmitted to a third country or an international organisation, you may be informed about adequate guarantees in accordance with Article 46 GDPR in connection with that transmission. We will provide one copy of the personal data which are the object of the processing. For all additional copies you request, we may charge a reasonable fee based on administrative costs. If you make the request electronically, the information must be provided in a commonly used electronic form unless you indicate otherwise. The right to receive a copy under paragraph 3 may not impair the rights and freedoms of other people.
(4) Right to rectification
You may also demand that incorrect personal data concerning you be corrected without undue delay. Under consideration of the purposes of the processing, you may demand that incomplete personal data be completed, including by means of a supplementary declaration.
(5) Right to erasure (“right to be forgotten”)
You may demand from the controller that the personal data concerning you be erased without undue delay, and we will be obligated to do so provided one of the following grounds applies:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- The data subject withdraws his or her consent on which the processing is based under Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal basis for the processing.
- The data subject objects to the processing under Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing under Art. 21 (2) GDPR.
- The personal data were illegally processed.
- The personal data must be deleted to fulfil a legal obligation under EU or Member State law to which the controller is subject.
- The personal data were collected in regard to information society services offered in accordance with Art. 8 (1).
If the controller has publicised the personal data and is obligated under paragraph 1 to erase those data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure (“right to be forgotten”) does not exist if the processing is necessary:
- to exercise the right to information and freedom of expression;
- to fulfil a legal obligation which requires the processing under EU or Member State law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller;
- for reasons of public interest in the area of public health under Article 9 (2) (h and i) and Article 9 (3) GDPR;
- for science or historical research, archiving which lies in the public interest, or statistical purposes under Art. 89 (1) GDPR, insofar as the right mentioned in paragraph 1 is expected to prevent or seriously impair the realisation of this processing’s objectives, or to establish, exercise or defend against legal claims.
(6) Right to restriction of processing
You have the right to demand that we restrict the processing of your personal data if one of the following conditions is met:
- if the data subject disputes that the personal data is correct, for a duration which enables the controller to check its correctness,
- the processing is incorrect and the data subject waives their right to have the personal data erased, instead demanding that the data’s use be restricted;
- the controller of the personal data no longer needs them for the purposes of their processing, but the data subject needs them to assert, exercise or defend against legal claims, or
- the data subject has filed an objection against the processing under Article 21(1) GDPR, provided it has not yet been established whether the legitimate reasons of the controller outweigh those of the data subject.
If the processing has been restricted, these personal data—regardless of their storage—may be processed only (1) with the data subject’s consent, (2) to establish, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
To exercise their right to restriction of processing, the data subject may contact us at any time using the contact data given above.
(7) Right to data portability
You have the right to receive these personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as:
- the processing is based on consent under Article 6(1)(a) or Article 9(2)(a) or on a contract under Article 6(1)(b) GDPR and
- the processing occurs with the help of automated procedures.
In exercising this right of data portability under paragraph 1, you may also have the personal data transmitted directly from one controller to another, insofar as this is technically feasible. Exercising the right to data portability does not affect the right to erasure (“right to be forgotten”). This right does not apply to processing which is necessary to carry out a task in the public interest or in the exercise of public authority vested in the controller.
(8) Right to object
You have the right to object at any time, for reasons arising from your particular situation, to personal data concerning you being processed based on Article 6 (1) (e or f) GDPR. This also applies to profiling based on these provisions. The controller will no longer process the personal data unless that party can prove compulsory reasons for doing so that are worth protecting, which outweigh the data subject’s interests, rights and freedoms, or the processing helps to establish, exercise or defend against legal claims.
If the personal data are processed for direct marketing purposes, you may object to that processing at any time. This also applies to any profiling connected to such direct marketing. If you object to having personal data processed for direct marketing purposes, this processing will be discontinued.
In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).
You have the right, for reasons arising from your particular situation, to object to the processing of the personal data concerning you, which occurs for scientific or historical research purposes or for statistical purposes under Article 89 (1), unless that processing is necessary for a task in the public interest.
You may always contact the controller in question to exercise your right to object.
(9) Automatic decision-making in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. This does not apply if that decision:
- is necessary to conclude or fulfil a contract between the data subject and the controller,
- is permitted under EU or member state law to which the controller is subject and which stipulates reasonable measures for guarding the data subject’s rights, freedoms and legitimate interests, or
- with the express consent of the data subject.
The controller shall take reasonable measures to guard the data subject’s rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present the data subject’s own point of view, and to contest the decision.
The data subject may always exercise their right to object by contacting the controller in question.
(10) Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if the data subject considers that the processing of the personal data concerning them infringes this Regulation.
(11) Right to effective legal remedy
Without prejudice to any available administrative right or judicial remedy, including the right to complain to a supervisory authority under Article 77 GDPR, the data subject has the right to an effective legal remedy if the data subject believes that the rights to which they are entitled under this directive have been breached because the processing of their personal data failed to comply with this directive.
Use of Google Analytics
(2) The IP address transmitted by your browser as part of Google Analytics will not be pooled with other Google data.
(3) You can prevent the cookies from being stored by adjusting your browser settings accordingly, but we must point out that if you do, you might not be able to use all this website’s functions to their full extent. You can also prevent Google from recording and processing the data generated by the cookie which relate to your use of the website (including your IP address) by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
(4) This website uses Google Analytics with the extension “anonymizeIP”. This means that IP addresses will be further processed in truncated form, thus ruling out any direct connection to a specific person. If the collected data which concern you gain a personal reference, this will be ruled out immediately and the personal data will be erased without undue delay.
(5) We use Google Analytics to analyse the use of our website and improve it periodically. We can use the statistics we gain to improve our services and make them more interesting for you as a user. For the exceptional cases in which personal data is transmitted to the USA, Google participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for using Google Analytics is Art. 6 (1) sentence 1 f GDPR.
(6) Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.
Overview of data privacy:
as well as the Data Privacy Statement:
(7) This website also uses Google Analytics for a cross-device analysis of the influx of visitors, which is performed via a user ID. You can deactivate the cross-device analysis of your usage by going to your customer account under “My Data” > “Personal Data”.
Use of social media plug-ins
(1) We currently use the following social media plug-ins: [Facebook]. In doing so, we use the “two-click” solution. That means that whenever you visit our site, no personal data will be initially forwarded to the plug-in’s provider, as a general rule. You’ll recognise the plug-in’s provider by its logo, or by the marking on the tile over its initial letter. You may use the button to communicate directly with the plug-in’s provider. Only if you click the marked field, thereby activating it, will the plug-in’s provider be informed that you have accessed the website in question from our online services. In addition, the data named under § 3 of this declaration will be transmitted. In the case of Facebook and Xing, the IP address will be anonymised immediately after collection, according to the respective providers in Germany. By activating the plug-in, personal data from you will be transmitted to the respective plug-in provider and stored there (with American providers, in the USA). Since the plug-in’s provider collects data through cookies in particular, we recommend that you delete all cookies by adjusting your browser’s security settings before clicking on the greyed-out tile.
(2) We have no influence on the collected data and data-processing operations, and do not know the full extent of the data collection, the purpose of processing, or the storage periods. We also have no information about the deletion of the collected data through the plug-in’s provider.
(3) The collected data which concern you are stored by the plug-in’s provider as a user profile and used for advertisement, market research, or the needs-based design of the provider’s website. The data is used that way in particular (even for users who are not logged in) to present needs-based advertisement and to inform other users of the social network about your activities on our website. You may contact the plug-in’s provider to object to this user profile being formed. We use the plug-in to allow you to interact with social networks and other users, so that we can improve our offerings and make them more interesting for you as a user. The legal basis for using the plug-ins is Art. 6(1)(1)(f) GDPR.
(4) The data will be forwarded regardless of whether you possess an account with the plug-in’s provider and are logged in there. If you are logged in with the plug-in’s provider, the data we have collected will be assigned directly to your account with that provider. If you click the activated button and link the page, for example, the plug-in’s provider will also store this information in your user account and share your contact data publicly. We recommend that you regularly log out after using a social network—but especially before activating the button—since this will allow you to avoid this type of assignment to your profile with the plug-in’s provider.
(5) You can obtain additional information about the purpose and scope of the data collection and how the plug-in’s provider will process that data in the data privacy statements of that provider communicated in the following. There you can also obtain additional information about your rights, and options for adjusting your settings in this regard to protect your privacy.
(6) Addresses of the different plug-in providers, and URLs with their data privacy notices:
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
Inclusion of Google Maps
(1) On this website, we use the services of Google Maps. This means we can show you interactive maps directly on the website and enable you to use the map function comfortably.
(2) When you visit the website, Google is informed that you have accessed the respective subpage of our website. In addition, the data named under § 3 of this declaration will be transmitted. This will occur regardless of whether Google provides a user account into which you are logged, or whether a user account exists. If you are logged in with Google, your data will be assigned directly to your account. To keep this from happening, you must log out of Google before activating the button. Google will store your data as a usage profile and use it for advertising, market research, or to design its website based on user needs. Such use will especially occur (even for users who are not logged in) to render needs-based advertisement and inform other users of the social network about your activities on our website. You may contact Google to object to this user profile being formed.
(3) For additional information about the purpose and scope of the data collection and how the plug-in’s provider will process the data, please read that provider’s data privacy statements. There you can also obtain additional information about your rights in this regard, and options for adjusting your settings to protect your privacy: http://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.