Data Privacy Statement

Thank you very much for your interest in our company. Data protection is extremely important to the C. u. A. HEIDERICH GmbH Management Board. In principle, it is possible to use the C. u. A. HEIDERICH GmbH website without having to provide any personal information whatsoever. However, in the event that a data subject wishes to take advantage of particular services offered by our company, the processing of personal data may be necessary. If it is necessary to process personal data and there is no legal basis in place for such a processing, we will generally obtain consent from the data subject.

The processing of personal data such as the name, postal address, e-mail address or telephone number of a data subject is always performed in accordance with the General Data Protection Regulation and in compliance with the country-specific data privacy regulations to which C. u. A. HEIDERICH GmbH is subject. With this data privacy statement, our company wishes to notify the public regarding the type, scope and purpose of the personal data that we collect, use and process. Furthermore, this data privacy statement also informs data subjects of their rights.

As the controller, C. u. A. HEIDERICH GmbH has implemented several technical and organisational measures in order to ensure consistent protection of the personal data which is processed via this website. However, Internet-based data transfers can be subject to security loopholes so that complete protection cannot be guaranteed. Therefore, each data subject may also transfer personal data using alternative methods such as via telephone.

1. Definitions

The C. u. A. HEIDERICH GmbH data privacy statement is based on the notions that were used by the European body responsible for issuing regulations and directives whilst issuing the General Data Protection Regulation (GDPR). Our data privacy statement should be easy to read and understandable to the public as well as our customers and business partners. In order to ensure this, we would like to explain some utilised terms in advance.

Please find some of the terms that we have used in this data privacy statement below:

a) Personal data

Personal data refers to all information that concerns an identified or identifiable natural person (subsequently referred to as a "data subject"). The term identifiable concerns a natural person that can be directly or indirectly identified, particularly through allocation to an identifier such as a name, to an identifiable number, to location data, to an online ID or to one or several particular characteristics that are an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.

b) Data subject

The data subject is every identified or identifiable natural person whose personal data has been processed by the controller.

c) Processing

The term processing refers to all operations – with or without the assistance of automated procedures – or all such sets of operations in connection with personal data such as the collection, recording, organisation, arrangement, storage, adaptation or modification, reading, querying, use, publication by means of transfer, distribution or other form of provision, comparison or linking, restriction, deletion or destruction.

d) Processing restriction

Processing restriction refers to the marking of stored personal data with the aim of limiting its processing in the future.

e) Profiling

Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

g) Controller

The term controller refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of this processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Order processor

The order processor refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i) Recipient

The term recipient refers to a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, irrespective of whether this is a third party or not. However, public authorities which may receive personal data within the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

j) Third party

The term third party refers to a natural or legal person, public authority, agency or body other than the data subject, the controller, the order processor and persons who, under the direct authority of the controller or order processor, are authorised to process personal data.

k) Consent

Consent refers to any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and address of the body responsible for processing

The controller within the context of the General Data Protection Regulation, other applicable data protection laws within the member states of the European Union and other determinations pertaining to data protection is:

C. u. A. HEIDERICH GmbH

Breckerfelder Straße 196

58256 Ennepetal

Germany

Tel.: +49 2333 7900-0

E-mail: info@cah-heiderich.de

Website: www.cah-heiderich.de

3. Name and address of the Data Protection Officer

The Data Protection Officer of the controller is:

Dennis Stankowski

Ingenieurbüro Mayr

Feldstraße 10

58256 Ennepetal

Germany

Tel.: +49 2333 60450-6

E-mail: stankowski@din9001.de

Website: www.din9001.de

All data subjects may directly contact our Data Protection Officer at any time in the event of questions and queries.

4. Cookies

The C. u. A. HEIDERICH GmbH website uses cookies. Cookies are text files that are filed and stored in a computer system via an Internet browser.

Numerous websites and servers use cookies. Many cookies contain a so-called cookie ID, which is a unique identifier of the cookie. It consists of a string of characters through which websites and servers can trace back the actual web browser on which the cookie was stored. This allows the visited websites and servers to distinguish the individual browser of the data subject from other web browsers that contain other cookies. A specific Internet browser can be recognised and identified by the unique cookie ID.

By using cookies, C. u. A. HEIDERICH GmbH is able to offer the users of this website more user-friendly services that would not be possible without the use of cookies.

A cookie allows the information and offerings on our website to be optimised for our users. As already mentioned, these cookies allow us to recognise the users of our website. The purpose of this identification is to make it easier for users to use our website. For instance, the user of a website which uses cookies does not have to provide all of their access data once again when revisiting the website as this is performed by the site and the cookie that has been stored on the user's computer system. A further example is the shopping cart cookie in the online shop. The online shop remembers the articles that a customer has placed into the virtual shopping cart via a cookie.

The data subject can prevent our website from placing cookies at any time by adjusting the settings of their Internet browser and consequently reject the placing of cookies on a permanent basis. Furthermore, cookies that have already been placed can be deleted at any time via an Internet browser or other software program. This is possible in all common Internet browsers. If the data subject deactivates the use of cookies in the utilised web browser, some of the functions of our website may cease to work.

5. Recording of general data and information

Each time the C. u. A. HEIDERICH GmbH website is visited by a data subject or automated system, it collects a range of general data and information. This general data and information is saved in the server log files. The following information may be collected: (1) browser types and versions used, (2) the operating system used by the accessing computer, (3) the website from which an accessing system visits our website (so-called referrers), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access to our website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information which is used to protect our information technology systems against possible attacks.

When using this general data and information, C. u. A. HEIDERICH GmbH does not draw any conclusions about the data subject. In fact, this information is needed in order to: (1) deliver the contents of our website correctly, (2) optimise the content of our website as well as the advertising for it, (3) ensure long-term functionality of our information technology systems and the technology on our website as well as (4) provide law enforcement authorities with necessary information related to criminal prosecution in case of a cyber attack. C. u. A. HEIDERICH GmbH therefore evaluates this anonymously collected data and information statistically on the one hand and, on the other hand, with the aim of increasing data protection and data security in our company, in order ultimately to ensure the best possible level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.

6. Contact options via the website

As a result of statutory regulations, the C. u. A. HEIDERICH GmbH website contains information which enables quick electronic contact with our company as well as immediate communication with us, which also includes a general address for so-called electronic post (e-mail address). If a data subject contacts the controller via e-mail or contact form, the transferred personal data from the data subject is automatically stored. Such personal data voluntarily transferred by a data subject to the controller will be saved for processing purposes or in order to contact the data subject. No personal data will be forwarded to third parties.

7. Routine deletion and blocking of personal data

The controller processes and stores personal data belonging to the data subject only for the period necessary to achieve the purpose of the storage, or for as long as is required by the European legislative and regulatory authorities or laid down in another law or regulation to which the controller is subject.

If the purpose of the storage ceases to apply or if a storage period prescribed by the European directives and regulations or by any other relevant legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

8. Rights of the data subject

a) Right to confirmation

Thanks to the European legislative and regulatory authorities, each data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed. If a data subject wishes to utilise this right of confirmation, they can contact an employee of the controller at any time.

b) Right to information

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall have the right to obtain information concerning the personal data stored about them and to get a copy of such information from the controller at any time and free of charge. Furthermore, the European legislative and regulatory authorities have granted the data subject the right to the following information:

The processing purposes
The categories of personal data to be processed
The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
Where possible, the planned period for which the personal data will be stored, or, if this is not possible, the criteria used to determine this period
The existence of a right to correct or delete the personal data concerning you or a right to restrict processing by the responsible person and a right to object to such processing
The existence of a right to lodge a complaint with a supervisory authority
If the personal data was not collected from the data subject: all of the available information about the origin of the data
The existence of automated decision-making, including profiling, according to Article 22, Paras. 1 and 4 of the GDPR and – at least in these cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject

Furthermore, the data subject also has a right of access to information as to whether personal data has been transferred to a third country or to an international organisation. If that is the case, the data subject shall also have the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wishes to utilise this right of access, they can contact an employee of the controller at any time.

c) Right to correction

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall have the right to demand immediate correction of incorrect personal data concerning them. Furthermore, whilst taking the purposes of the processing into consideration, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If a data subject wishes to utilise this right of correction, they can contact an employee of the controller at any time.

d) Right to deletion (right to be forgotten)

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall have the right to have the information concerning the personal data stored about them deleted immediately if one of the following reasons applies and provided that processing is not required:

The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
The data subject withdraws their consent on which the processing is based according to Art. 6, Para. 1, letter a of the GDPR or Article 9, Para. 2, letter a of the GDPR and where there is no other legal ground for the processing.
The data subject objects to the processing pursuant to Article 21, Para. 1 of the GDPR and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21, Para. 2 of the GDPR.
The personal data was processed unlawfully.
Deletion of the personal data is required to fulfil a legal obligation under union law or the law of the member states to which the responsible person is subject.
The personal data was collected in relation to the offered information society services according to Art. 8, Para. 1 of the GDPR.

If one of the aforementioned reasons applies and a data subject would like to demand deletion of their personal data which has been stored by C. u. A. HEIDERICH GmbH, they can contact an employee of the controller at any time. The C. u. A. HEIDERICH GmbH employee will arrange for the deletion request to be fulfilled promptly.

If the personal data has been made public by C. u. A. HEIDERICH GmbH and our company, as the controller, is, according to Article 17, Para. 1 of the GDPR, obliged to delete the personal data, C. u. A. HEIDERICH GmbH will, whilst taking available technology and the cost of implementation into consideration, take reasonable steps, including technical measures, to inform other controllers of the disclosed personal data that the data subject has requested the deletion of all links to such personal data or of copies or replications of such personal data from these other controllers providing that processing is not necessary. The C. u. A. HEIDERICH GmbH employee will make the necessary arrangements on a case-by-case basis.

e) Right to processing restriction

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall have the right to restrict processing from the controller if one of the following reasons applies:

The accuracy of the personal data is disputed by the data subject and for a period that enables the controller to check the accuracy of the personal data.
The processing is unlawful, the data subject refuses deletion of the personal data and instead requests restriction in the use of the personal data.
The controller no longer needs the personal data for the purposes of processing but the data subject requires it in order to establish, exercise or defend legal claims.
The data subject has objected to processing according to Art. 21, Para. 1 of the GDPR and it has not yet been determined whether the legitimate reasons of the controller take priority over those of the data subject.

If one of the aforementioned requirements applies and a data subject would like to demand restriction of personal data which has been stored by C. u. A. HEIDERICH GmbH, they can contact an employee of the controller at any time. The C. u. A. HEIDERICH GmbH employee will make the necessary arrangements for the processing restriction.

f) Right to data transmissibility

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall have the right to obtain the personal data affecting them, which was made available to the controller by the data subject, in a structured, accessible and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided insofar as the processing is based on consent according to Art. 6, Para. 1, letter a of the GDPR or Art. 9, Para. 2, letter a of the GDPR or a contract according to Art. 6, Para. 1, letter b of the GDPR and the processing is carried out by automated means provided that the processing is not required in order to fulfil a task that is in the public interest or in the exercise of official authority which was assigned to the controller.

In exercising the right to data transferability according to Art. 20, Para. 1 of the GDPR, the data subject also has the right to have the personal data concerning them transferred directly from one responsible person to another where technically feasible and providing that the rights and freedoms of other persons are not violated.

The data subject can utilise their right to data transferability at any time by contacting a C. u. A. HEIDERICH GmbH employee.

g) Right to opposition

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall, for reasons that arise due to their particular situation, have the right to object to the processing of the personal data concerning them as a result of Art. 6, Para. 1, letter e or f of the GDPR at any time. This also applies to profiling based upon these determinations.

In the event of an objection, C. u. A. HEIDERICH GmbH shall no longer process the personal data concerning you unless we can demonstrate compelling and legitimate grounds for processing which outweigh the interests, rights and freedoms of the data subject or if processing serves to enforce, exercise or defend legal claims.

If C. u. A. HEIDERICH GmbH processes personal data for the purpose of carrying out direct advertising, the data subject has the right at any time to object to processing of the personal data for the purposes of such advertising. This also applies to profiling if it is in conjunction with such direct advertising. If the data subject contacts C. u. A. HEIDERICH GmbH to object to processing for the purposes of direct advertising, C. u. A. HEIDERICH GmbH will no longer process the personal data for these purposes.

For reasons relating to their particular situation, the data subject has the right to object to the processing of personal data performed by C. u. A. HEIDERICH GmbH for scientific or historical research purposes or for statistical purposes according to Art. 89, Para. 1 of the GDPR unless such processing is required to fulfil a task that is in the public interest.

The data subject can utilise their right to object at any time by contacting a C. u. A. HEIDERICH GmbH employee directly or another employee. Furthermore, the data subject is, in connection with the use of information society services and notwithstanding Directive 2002/58/EC, permitted to exercise their right of objection by automated means where technical specifications are used.

h) Automated decisions on a case-by-case basis, including profiling

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly restricts them provided that the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and controller or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, or (3) is not based on the data subject's explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the controller or (2) is based on the data subject's explicit consent, C. u. A. HEIDERICH GmbH shall take appropriate measures to protect rights and freedoms as well as the legitimate interests of the data subject, which at least includes the responsible person's right to request someone's intervention, present their own point of view and contest the decision.

If a data subject wishes to utilise rights in terms of automated decisions, they can contact an employee of the controller at any time.

i) Right to withdrawal of a declaration of consent

Thanks to the European legislative and regulatory authorities, all persons affected by the processing of personal data shall have the right to withdraw consent for the processing of personal data at any time.

If a data subject wishes to utilise their right to withdraw consent, they can contact an employee of the controller at any time.

9. Data privacy in applications and during the application process

The controller collects and processes the personal data of applicants for the purpose of implementing the application process. This processing may also be carried out electronically. This is particularly the case when an applicant electronically submits their application documents to the controller, e.g. via e-mail or via an Internet form located on the website. If the controller concludes an employment contract with an applicant, the data transferred in order to process the employment relationship will be stored in compliance with the statutory regulations. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted two months following the announcement that no contract will be offered provided that no other justified interests of the controller prevent the documents from being deleted. An example of other justified interests in this context is the burden of proof that a process has been implemented in line with the German General Equal Treatment Act (AGG).

10. Data privacy regulations concerning the utilisation and use of Google Analytics (with anonymisation function)

The controller has integrated Google Analytics components (with anonymisation function) on this website. Google Analytics is a web analysis service. The term "web analysis" refers to the recording, collection and evaluation of data pertaining to the behaviour of visitors to websites. Amongst other things, a web analysis service collects data concerning which website the data subject used to access our website (referrer), which sub-pages they visited as well as how often and for how long each sub-page was viewed. A web analysis is primarily used to optimise a website and to perform a cost-benefit analysis of Internet advertising.

The operator of Google Analytics components is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

The controller uses the "_gat._anonymizeIp" extension for the Google Analytics web analysis. This extension is used to abbreviate and anonymise the IP address of the data subject's Internet connection if our website is accessed from a member state of the European Union or other treaty state which is part of the Agreement on the European Economic Area.

The objective of Google Analytics components is to analyse visitor flows to our website. Amongst other things, Google uses the obtained data and information to evaluate the use of our website in order to compile online reports which illustrate the activities on our website for us and in order to provide other services in connection with the use of our website.

Google Analytics places a cookie on the information technology system of the data subject. The definition of cookies has already been provided above. By placing the cookie, Google is able to analyse the use of our website. Each time one of the individual pages of this website, which is operated by the controller and into which a Google Analytics component was integrated, is accessed, the Internet browser on the information technology system of the data subject will automatically submit data through the Google Analytics component for the purpose of online analysis. Within the context of this technical procedure, Google gains knowledge of personal data such as the IP address of the data subject that Google, amongst other things, uses to understand the origin of visitors and clicks and subsequently enable commission settlements.

The cookie is used to store personal data such as the access time, the location from which the access was made, and the frequency of visits of our website by the data subject. With each visit to our website, this personal data, including the IP address of the Internet connection used by the data subject, will be transmitted to Google in the United States of America. Google stores this personal data in the United States of America. In some circumstances, Google may pass this personal data collected through the technical procedure to third parties.

As already described above, the data subject can prevent our website from placing cookies at any time by adjusting the settings of their Internet browser and consequently reject the placing of cookies on a permanent basis. Such an adjustment to the used Internet browser would also prevent Google Analytics from placing a cookie on the information technology system of the data subject. Furthermore, a cookie that has already been placed can be deleted at any time via the Internet browser or other software program.

Furthermore, the data subject may object to Google Analytics recording the data based on the use of this website and processing of this data by Google and prevent this from occurring. In order to do so, the data subject must download and install a browser add-on via the https://tools.google.com/dlpage/gaoptout link. Via JavaScript, this browser add-on informs Google Analytics that no data and information concerning website visits may be transmitted to Google Analytics. Google considers the installation of the browser add-on to be an objection. If the information technology system is deleted, formatted or re-installed by the data subject at a later date, the data subject must download the browser add-on once again in order to deactivate Google Analytics. If the browser add-on was uninstalled or deactivated by the data subject or any other person who is attributable to their sphere of competence, it is possible to re-install or re-activate the browser add-on.

Further information and the valid data privacy regulations of Google are available online at https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. Google Analytics is described in closer detail via the following link: https://www.google.com/intl/de_de/analytics/.

11. Legal basis for processing

Art. 6 I lit. a of the GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6 I lit. b of the GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our products or services. If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c of the GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. For example, this would be the case if a visitor were injured in our company and their name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. In such a case, the processing would be based on Art. 6 I lit. d of the GDPR. Finally, processing operations could be based on Article 6 I lit. f of the GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. 
The legislator considered that a legitimate interest could be assumed if the data subject is a client of the responsible person (Recital 47, Sentence 2 of the GDPR).

12. Legitimate processing interests pursued by the controller or by a third party

If the processing of personal data is based on Article 6 I lit. f of the GDPR, our legitimate interest is to carry out our business in favour of the well-being of all our employees and the shareholders.

13. Duration for which the personal data is stored

The criterion for the storage period of personal data is the respective statutory retention period. The respective data is routinely deleted following expiration of the respective deadline provided that it is no longer required to fulfil or initiate the contract.

14. Provision of personal data as statutory or contractual requirement; requirement necessary for conclusion of a contract; obligation of the data subject to provide the personal data; possible consequences of failure to provide such data

We clarify that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner). In order to conclude a contract, it may sometimes be necessary for the data subject to provide us with personal data, which must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data when our company concludes a contract with them. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded. Before personal data is provided by the data subject, they must contact one of our employees. The employee informs the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of non-provision of the personal data.

15. Existence of automated decision-making

As a responsible company, we do not use automatic decision-making or profiling.

This Privacy Policy has been generated by the Privacy Policy Generator of the German Association for Data Protection, acting as External Data Protection Officer, Leipzig, in cooperation with Christian Solmecke, Data Privacy Lawyer.