DATA PRIVACY STATEMENT
This statement contains information for you, as a visitor or user of our webpages, on which personal data we collect. It details the scope, purpose and legal basis of our collection and use of personal data. Furthermore, we advise you on your rights with respect to the applicable data privacy laws and who you may contact in case of questions and any possible complaints.
A. Name and contact details of the controller
data M Sheet Metal Solutions GmbH
legally represented by the managing directors:
Albert Sedlmaier and Maximilian Sedlmaier
Am Marschallfeld 17, 83626 Valley (Oberlaindern)
Federal Republic of Germany
Telephone: +49 8024 640 0
Fax: +49 8024 640 300
B. Responsible supervisory authority
The local supervisory authority for the processing of data protection enquiries and complaints responsible for private enterprises, including our company, is
You may find a list of all German federal data protection officers and their contact details at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
The definitions used in this data privacy statement are based predominantly on the definitions published by the European legislators in article 4 of the GDPR.
In this data privacy statement we use, among others, the following definitions:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘data subject’ means any identified or identifiable natural person whose personal data are processed by the controller. A natural person may, for example, be identified by their name, address and date of birth. A natural person is identifiable by means of e.g. a customer number, tax code or ID card number.
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘cross-border processing’ means either (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future.
- ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- ‘other controllers’ (not defined in GDPR) means controllers who process the publicly available personal data of data subjects.
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- ‘third party countries’ (not defined in GDPR) means all countries where the GDPR is legally not binding, effectively all countries which are not members of the European Union (EU). This includes member states of the European Economic Area (EEA) Iceland, Liechtenstein and Norway as long as they have not adopted the GDPR (see www.efta.int/eea-lex/32016R0679), as well as from 30th March 2019 (00.00 hours CET) the United Kingdom, i.e. England, Scotland, Wales and Northern Ireland according to the communication of the EU commission of 9th January 2018 with regard to the impact of ‘Brexit’ on data exchanges between the EU and Great Britain.
- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- ‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council
- ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
- ‘union’ (not defined in GDPR) means the European Union (EU). For the EU member states and their current number see https://europa.eu/european-union/about-eu/countries_en
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- ‘web analytics’ (not defined in GDPR) means the survey, collection and analysis of data relating to the behavior of visitors of webpages. Web analytics services record, among other data, which webpage was visited before the current page is viewed (referrer), which sub-pages of a webpage were viewed or how many times and for how long sub-pages were viewed. Web analytics are predominantly used to analyse the behaviour of visitors of a webpage and its sub-pages in order to optimize this webpage and its content.
D. Collection and storage of personal data including nature, scope and purpose of its processing
1. Legal basis for the processing of personal data
- Art. 6 (1a) of the GDPR forms the legal foundation for the processing of personal data whenever we request the agreement of a data subject to processing of their personal data.
- Art. 6 (1b) of the GDPR forms the legal foundation for the processing of personal data which is necessary for the fulfillment of a contract between the data subject and our company. This also applies to processing of personal data prior to entering into a contract following a request, e.g. relating to our products and/or services, by the data subject.
- Art. 6 (1c) of the GDPR forms the legal foundation for processing, if this is necessary for compliance with a legal obligation, e.g. relating to commercial or fiscal law, to which our company is subject.
- Art. 6 (1d) of the GDPR forms the legal foundation for processing, if this is necessary in order to protect the vital interests of the data subject or of another natural person. For example, this may become necessary, in case an employee of one of our customers is injured on our premises and it becomes necessary to pass on their name, age, data relating to their health insurance or other vital information to a physician, a hospital or other third parties.
- Art. 6 (1e) of the GDPR forms the legal foundation for processing, if this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in our company.
- Art. 6 (1f) of the GDPR forms the legal foundation for processing, if this is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. In particular, our company is permitted to carry out such processing as it is specifically cited by the European legislators in recital 47 (2) of the GDPR.
2. Erasure and blocking of data and duration of storage
The personal data of the data subject are erased or blocked as soon as the purpose for storage terminates. In addition, this data may be stored, if this is required by a legal obligation of the European or member state legislators to which the controller is subject. The erasure or blocking of personal data is also conducted, if this is required by the expiration of time limits on storage specified in such legal obligations, unless the continued storage is mandatory e.g. for the conclusion or fulfillment of a contract or for the compliance with safekeeping duties as for example specified in Art. 257 of the German code of commercial law (Handelsgesetzbuch) and Art. 147 of the German fiscal code (Abgabenordnung).
3. Transfer of data
We do not transfer your personal data to third parties for any purpose other than those detailed below. We only transfer your personal data to third parties if
- according to Art. 6 (1)(1a) GDPR, you have explicitly consented to this transfer;
- according to Art. 6 (1)(1b) GDPR, the transfer is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- according to Art. 6 (1)(1f) GDPR, the transfer is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
- our company, as the operator of this website and controller as specified by the GDPR, is entitled or required to conduct the transfer by law and/or judicial or official order. In particular, this may include disclosures for the purpose of prevention of threats to public safety or criminal prosecutions, according to Art. 24 of the German data protection law (Bundesdatenschutzgesetz).
4. Collection of personal data while viewing our webpages
While using our web page purely for accessing information, i.e. you do not register or provide information in any other way, but you only view our web page and its sub-pages, we do not collect any personal data beyond that transferred by your internet browser to our web server.
During every access of our web pages the browser used on your device automatically sends data to our web server. These data are temporarily stored by our web server in server logfiles.
The following content is collected without your direct intervention and stored until it is automatically erased:
- the type and version of browser used,
- the operating system of the accessing system,
- the time and date of access of our web page and its sub-pages,
- the web page from which the accessing system was referred to our web pages (the referrer),
- name and URL of downloaded files,
- access status and HTTP status code,
- the transferred data volume,
- the IP address,
- and related data and content for the purpose of counteracting possible attacks targeting our IT systems.
We process these data and content for the following purposes and for the following storage time:
- to ensure unobstructed access of our web pages,
- to ensure the permanent functional capability, stability and security of our web pages,
- to optimise our web pages through adaptations, enhancements and removal of detected errors,
- to analyse system security and stability as well as safeguarding the security of our IT systems and the ability to provide relevant information to criminal prosecution agencies in case of attacks targeting our systems,
- for other administrative purposes.
Art. 6 (1)(1f) GDPR is the legal foundation for the temporary storage of these data and content. The purposes detailed above justify our legitimate interest in collecting and processing these data.
The data mentioned above are erased as soon as they are no longer required for achieving the purpose of their collection. Data used for the provision of our web pages are erased when the relevant session terminates.
You consent to electronic communications with us as soon as you contact us by email or by using one of our contact forms.
In case you contact our company by email we store the data you provide (your email address, possibly your name and telephone number) in order to answer your enquiry. After the storage of these data is no longer required, we erase them or restrict their processing, if their safekeeping is required by legal obligations our company is subject to. Art. 6 (1)(1f) GDPR is the legal foundation for the processing of data provided by email. If the purpose of the email contact is the conclusion of a contract or the performance of a contract or steps at the request of the data subject prior to entering into a contract, then Art. 6 (1)(1b) complements the legal basis for processing these data.
Our web pages contain contact forms with input fields which may be used to approach our company. The data provided by a user in these input fields is transferred to us and stored. These data may regularly contain, depending on whether the user is already registered with us (e.g. a customer for software maintenance), the following contents:
- customer number or name / company,
- email address,
- address and country,
- message text
In the interest of data thrift, the completion of only those input fields necessary for communication or the purpose of the individual form is mandatory while other fields may be optionally completed. These data are used exclusively for answering the question posed by the user and further enquiries by us or the user in this context. No data are transferred to a third party.
Art. 6 (1)(1a) GDPR is the legal foundation for this processing, if the user consents to the processing. This is completed by Art. 6 (1)(1b) GDPR in case of a registered user with a contractual relationship (e.g. a customer for software maintenance).
The data collected in the individual contact forms are erased as soon as they are not required anymore for achieving the purpose of their collection. For personal data provided by the user in the input fields, this is the case when the conversation with the user necessary for the processing and completion of their enquiry terminates.
6. Collection of personal data when registering for our newsletter
You may register for our free newsletter, consenting explicitly to this registration. For registration we use the contact form on our web pages with a double opt-in process. This means that, after registration, you will receive an email at the email address you provided, asking you to confirm your registration. In case we do not receive this confirmation within 7 hours, your data are blocked and erased after one week. The only mandatory field for newsletter registration is your email address. The provision of further, separately marked data in the input fields of the registration form is voluntary; these data are used to address you personally. After receiving your confirmation we store your email address as well as the used IP address and the time of your registration and confirmation. We store your data exclusively for the purpose of providing you with the newsletter as well as the ability to prove your registration and confirmation and to resolve any possible incidents of misuse of your personal data. Art. 6 (1)(1a) GDPR is the legal foundation for the collection and storage of these data. We do not transfer these personal data collected for registering for our newsletter to any third party.
Your email address is stored as long as your newsletter registration remains active. You may cancel your consent declaration, which you provided at the time of registration, at any time and thereby stop receiving our newsletter.
- To cancel, click on the ‘cancel’-link contained in every newsletter email or send an email to firstname.lastname@example.org or send a fax or call us. You may find the relevant contact details in the imprint of our webpages.
The cancellation does not impinge on the legality of the data processing up to this point. After we receive your cancellation request, we automatically erase all personal data collected for newsletter registration.
Normally cookies contain the name of the issuing domain, information on the ‘age’ of the cookie and an identification in the form of an alphanumeric string. Cookies allow our webserver to identify the device of the user and allow immediate access to any possible presets. Using cookies we, as operators of the web pages, obtain certain information, in particular the IP address of the user.
a) Temporary cookies are deleted when you close your browser. In particular this includes session cookies. These cookies store a session ID which allows us to assign individual requests of your browser to a common session. Session cookies are deleted when you log out of your user account or close your browser.
b) Permanent cookies are deleted automatically after a set time, which may differ for different cookie types. These cookies also allow us to optimize the usability of our webpage and its sub-pages: In case you visit our webpage again to use the information we provide and our services, you are recognized automatically as a previous visitor and so you do not have to repeatedly provide previous inputs and settings.
Most browsers accept cookies automatically. However, you may use the security settings of your browser to delete cookies, also those of third parties. You may also change the settings of your browser such that no cookies, also cookies of third parties, are stored in your device or that a warning is displayed each time before a new cookie is created. Please refer to the operating instructions of your browser for further information.
In connection to these settings we would like to point out that the complete deactivation or blocking of cookies may prevent you from using all functionality of our and of other webpages you may visit.
8. Use of Google Analytics
Our webpage uses Google Analytics (in the following referred to as 'Universal Analytics'), an analysis service of the US company Google LLC. (https://www.google.de/intl/en/about/), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (in the following ‘Google’).
Using Universal Analytics, it is possible to associate data, sessions and interactions on several devices with a pseudonymised user ID and thus to analyse user activities independent of devices.
We use Universal Analytics with the code extension ‘anonymizeIP’. This code extension ensures that IP addresses are collected only in shortened form. The last 8 bits are cut and only the shortened IP address is further processed. This prevents a data subject from being inferred using the IP address. The IP address provided by your browser to Universal Analytics is not combined with other data by Google.
Google uses this information on our behalf as operator of these webpages to analyse your use of our webpages, to compile reports on webpage activities and to provide other services to us relating to webpage use for purposes of market research and to further enhance our webpages. These data are transferred to third parties if this is legally required or if third parties process the data on your behalf.
We use Universal Analytics to analyse frequency of use and the use of our webpages in general in order to further optimise the quality and contents of our webpages. Using these statistical data we can enhance our offer to you and make it more interesting for you. Art. 6 (1)(1f) GDPR is the legal foundation for using Google Analytics.
Changing the relevant settings of your browser you may prevent the storage of these cookies and also permanently block cookies. We would like to advise you that this may prevent you from using some of the functionality of our webpages.
Furthermore, you may prevent the collection of the data relating to your use of this webpage (including your IP address) generated by this cookie and their processing by Google by downloading and installing the browser add-on available at https://tools.google.com/dlpage/gaoptout?hl=en. As described there, you download a plug-in that enables you to deactivate Universal Analytics using an opt-out cookie.
Alternatively, in particular for browsers on mobile devices, you can apply the opt-out for Universal Analytics for our webpages on all devices used by you.
- Click here to deactivate Universal Analytics
Please note, that the opt-out cookie stored on your device only applies to the browser used by you and only to our webpages. In case you delete the cookies in your browser, you must again store the opt-out cookie for it to work.
- in the data protection declaration of Google LLC, valid from 25th May 2018, at https://policies.google.com/privacy?hl=en
- regarding the cookie types used by Google at https://policies.google.com/technologies/types?hl=en
In the rare cases in which personal data are transferred to the USA, Google submits to the EU-US Privacy Shield Agreement. Google is in possession of Privacy Shield Certification. You may find Google’s certificate at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI.
- You may find information with regard to the EU-US Privacy Agreement at: https://www.privacy-shield.gov/EU-US-Framework
- You may find information (in German) for data subjects and which rights are granted to them under the EU-US Privacy Shield in case their personal data are transferred on the basis of the EU-US Privacy Shield Agreement to a certified US enterprise on the webpages of the Bavarian data protection agency at https://www.lda.bayern.de/de/international.html.
9. Use of ‘Matomo’
Art. 6 (1) (1f) GDPR provides the legal foundation for the use of the open source software Matomo (previously Piwik) which we operate on our web server located in Germany. We use this tool to statistically analyse the use of our webpages and to tailor the design of our webpages to the needs of its users. However, we do not use the web analytics services of InnoCraft Ltd., based in New Zealand. This company does not process any data on our behalf. We conduct the analysis of these data ourselves.
For this, cookies are used (see 7 above) which, among other uses, allow your internet browser to be recognized. The data collected with the help of Matomo software (including anonymized IP addresses) are transferred to our server and are combined and stored in pseudonymized user profiles and processed. The logfiles contain sensitive data and are stored exclusively on our server located and operated in Germany.
We use the Matomo tool with the extension ‘AnonymizeIP’. This shortens IP addresses for further processing and therefore a data subject cannot be inferred. The data generated by the cookie are not used to personally identify the user of our webpages and are not combined with any personal data of the owner of the pseudonym. Under no circumstances is the IP address combined with other data relating to the user. The IP addresses are anonymised (IP-masking) prior to storage and so no attribution is possible. The data are not transferred to third parties.
Should you disagree to the storage and analysis of these data relating to the visit of our webpages, then you may cancel this storage and processing at any time. For this, you may decide whether or not a unique web analysis cookie may be placed in your browser, allowing us as operator of the webpages to collect and analyse various statistical data.
An opt-out cookie will be placed in your browser which prevents any further collection by Matomo of session data relating to your visit of our webpages. Please note, the opt-out cookie stored in your browser only applies to the browser used by you and only for our webpages. In case you delete all cookies in your browser you need to again store the opt-out cookie for it to work.
10. Integration of ‘Vimeo’ video clips
Our webpages integrate video clips provided by http://vimeo.com. Vimeo is an internet portal operated by the US enterprise Vimeo LLC located at 555 West 18th Street, 10011 New York, USA.
Art. 6 (1)(1f) GDPR forms the legal foundation for the use of these components with the purpose of storing video clips in the Vimeo platform with the aim of providing an appealing visual impression of our products and services.
Each access of a sub-page of our webpages which contains a Vimeo component results in a direct connection of your browser and a server of Vimeo, Inc. in the USA. Your browser will be automatically asked to download from Vimeo an appropriate visualization of the component. Vimeo may also place cookies (see 7 above) on your device.
Furthermore, Vimeo allows the use of certain other functionality, e.g. the ranking and sharing with others of videos. For this it may become necessary for you to log into your user account at Vimeo or other third parties in order for Vimeo or these other third parties to connect the information you provide with your user account. This functionality is provided exclusively by Vimeo or other third parties. Therefore we recommend that you familiarise yourself also with their respective data privacy statements (see 10.2 below) before you use these services.
In case you access our webpages and you are logged in with Vimeo at the same time, Vimeo will track during your entire visit which sub-pages in our webpage you view and will associate this information including your IP address with your personal account at Vimeo. For example, if you click the ‘play’ button or leave comments, then this information will be transferred to your personal account with Vimeo and stored there. Vimeo always receives information via the Vimeo operating panel that you have visited our website when you are logged into Vimeo at the same time. This is independent of whether or not you click anything on the Vimeo operating panel or leave comments. Our company does not receive any information on the data collected by Vimeo or third parties and cannot exert any influence on their processing.
In case you have an account with Vimeo and do not wish Vimeo to collect data, via our webpages, relating to your behaviour while visiting our webpages or sub-pages and to combine these with the data in your personal account with Vimeo, then you must log out of your Vimeo account before visiting our webpages.
- Vimeo provides hints relating to data protection which also explain the collection and processing of data by Vimeo. You may find these at: https://vimeo.com/privacy
11. Integration of ‘YouTube’ video clips
YouTube is an internet portal for the upload of all types of video clips, music videos, trailers, movies and television clips or video clips produced by users. The viewing of, rating of and commenting on these video clips is also free of charge. YouTube is provided by the US enterprise YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube LLC is a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
On our webpages we integrate YouTube components (‘plug-ins’) which are stored at http://www.YouTube.com and can directly be accessed from our webpages. We integrate these components using the ‘extended data protection mode’, which implies that no data relating to you as the user are transferred to YouTube, unless you play any video clips. Only when you play video clips, will the data detailed in 11.2 be transferred to YouTube. We do not control this data transfer.
Art. 6 (1)(1f) GDPR forms the legal foundation for the use of these components with the aim of providing an appealing visual impression of our products and services. This constitutes a legitimate interest as defined by this regulation.
Following access of a sub-page of our webpages which contains a YouTube component, this component instructs your browser to automatically download a representation of this component. As a result, YouTube and Google gain information on which particular sub-page of our webpages you access. In addition, the data specified in section E 4.2 of this statement are transmitted to YouTube and Google. This transfer takes place independent of whether or not you play a YouTube video clip and whether or not you own a personal account with YouTube and whether or not you are logged into that account. However, if you are logged into your personal account with YouTube at the time of visiting our webpages, then these data are directly assigned to your account. YouTube stores these data in the form of user profiles and processes them for the purposes of marketing, market research and user-optimised design of its webpages. Even for users not logged into a YouTube account this analysis is used in particular to provide user-optimised advertising.
In case you own a personal account with YouTube, but do not wish to transfer these data, including a connection with your profile, to YouTube and Google, you may prevent this transmission by logging out of your personal account with YouTube before accessing our webpages.
You also have the right to object to the creation of user profiles. However, you need to exercise this right directly with YouTube LLC.
- YouTube publishes data protection regulations at https://www.youtube.com/t/privacy and https://policies.google.com/privacy?hl=en. These provide you with information on the collection, processing and use of personal data by YouTube and Google. There you may also find further information regarding your rights and settings to protect your privacy.
12. Use of 'Google Tag Manager'
We use Google Tag Manager to manage tags for our webpages. Tags are small code elements, used in particular to measure visitor traffic and user behaviour on our webpages. According to Google no cookies are used and no personal data is collected. Google Tag Manager may trigger other tags which may collect data. However, according to Google, Tag Manager does not access these data. In case cookies are deactivated for the domain or individually, then this deactivation remains in place for all tracking tags as long as these are implemented with Google Tag Manager.
- You may find more information on Google Tag Manager at https://www.google.com/analytics/tag-manager/.
E. Data security
In order to make your visit of our webpages as secure as possible, we use the widespread Transport Layer Security (TLS) encryption protocol with the highest security level supported by your browser. You may recognize the encrypted transfer of individual webpages by noting the change from http:// to https:// in the address bar of your browser and the closed lock symbol in the lower status bar of your browser. Data you provide in contact forms will thus be encrypted before transfer and securely transferred from your browser to our server.
Furthermore, we employ appropriate technical and organizational security measures in order to protect your personal data against accidental or deliberate manipulation, partial or complete loss, damage or unauthorized access, alteration or dissemination by third parties. We continuously improve these security measures in step with technical developments.
F. Rights of the data subject
Whenever your personal data are processed, you, as the data subject, have the following rights under the GDPR with regard to these personal data:
1. Right of access by the data subject (Art. 15 GDPR)
You may obtain from the controller confirmation as to whether or not personal data concerning you are being processed by us. If this is the case, you may request disclosure from the controller of your personal data and the following information:
- the purposes of the processing of these personal data;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of your personal data or restriction of processing of your personal data by us or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Art. 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to be informed whether your personal data are transferred pursuant to Art. 44 GDPR to a third country or to an international organization (as defined in Art. 4 (26) GDPR). In connection to such a transfer you may demand to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to this transfer.
2. Right to rectification and/or completion (Art. 16 GDPR)
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
3. Right to erasure / ‘right to be forgotten’ (Art. 17 GDPR)
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- you withdraw consent on which the processing is based according to point (a) of Art. 6(1), or point (a) of Art. 9(2) GDPR, and where there is no other legal ground for the processing.
- you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
- your personal data have been unlawfully processed.
- your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which we are subject.
- your personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
3.2 Information of third parties
Where we have made the personal data public and we are obliged pursuant to paragraph 1 to erase the personal data, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3.3 Exemptions from the right to erasure
The right to erasure shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information (Art. 17 (3a) GDPR);
- for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as the controller (Art. 17 (3b) GDPR);
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9(2) as well as Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in Art. 12(1) GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims (Art. 17 (3e) GDPR).
4. Right to restriction of processing (Art. 18 GDPR)
You shall have the right to obtain from us restriction of processing of your personal data where one of the following applies:
- the accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
- you have objected to processing pursuant to Art. 21(1) GDPR, pending the verification whether our legitimate grounds override yours.
Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
In case you have obtained restriction of processing pursuant to the above, you shall be informed by us before the restriction of processing is lifted.
5. Right to notification (Art. 19 GDPR)
In case you have exercised your right to rectification, erasure or restriction of processing of your personal data by us, we shall communicate that you have exercised your right to rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
6. Right to data portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us as the controller, to which the personal data have been provided, where:
- the processing is based on consent pursuant to point (a) of Art. 6(1) or point (a) of Art. 9(2) GDPR or on a contract pursuant to point (b) of Art. 6(1) GDPR and
- the processing is carried out by automated means.
The exercise of the right referred to above shall be without prejudice to Art. 17 (right to erasure). Furthermore, in exercising your right to data portability pursuant to the above, you have the right to have your personal data transmitted directly from one controller to another, where technically feasible.
Freedoms and rights of other legal persons must not be infringed by the above. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object (Art. 21 (1) and (2) GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Art. 6(1), including profiling based on those provisions (Art. 21 (2) GDPR). We shall no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing (Art. 21 (2) GDPR). When you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
- Should you wish to exercise your right to object according to Art. 21 (1) or (2) GDPR, an email to email@example.com is sufficient to declare your objection. You may also send your objection by fax, letter or telephone using the contact details provided in section A above or in the imprint of these webpages.
You also have the opportunity, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC of 12th July 2002 (data protection directive for electronic communication), to exercise your right to object by automated means using technical specifications.
8. Right to withdraw consent to the processing of personal data (Art. 7(3) GDPR)
You have the right to withdraw your consent to the processing of your personal data at any time without stating reasons. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. This implies that your withdrawal of consent has no retroactive effect. However, it means that we will terminate processing of your personal data.
- Should you wish to exercise your right to withdraw consent, an email to firstname.lastname@example.org is sufficient to declare your withdrawal. You may also send your withdrawal by fax, letter or telephone using the contact details provided in section A above or in the imprint of these webpages.
You also have the opportunity, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC of 12th July 2002 (data protection directive for electronic communication), to exercise your right to withdraw consent by automated means using technical specifications.
9. Automated individual decision-making, including profiling (Art. 22 GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above shall not apply if the decision:
- is necessary for entering into a contract between the data subject and the data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- is based on the data subject’s explicit consent.
Decisions referred to above shall not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless point (a) or (g) of Art. 9(2) GDPR applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3) above, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
G. Timeliness of and changes to this data privacy statement
This data privacy statement is currently valid as of May 2018.
Due to the further development of our web pages and the offers contained therein or because of changes to the GDPR and/or because of country-specific changes to data protection laws or official directives, it may become necessary to change this data privacy statement. You may obtain and print the most up to date data privacy declaration from our webpages at any time.
Data privacy statement of data M Sheet Metal Solutions GmbH – May 2018