Data-protection information for the website of Wilhelm Schäfer GmbH
Valid from 25 May 2018
Protection of your privacy is very important to us. For this reason, we comply with national and European data protection regulations when processing your data. Personal data as defined in this privacy statement includes all information relating to you, e.g. your name, address, e-mail address, IP address and user behaviour.
Through the data-protection information outlined below, we inform you about our processing of your personal data and provide an overview of your privacy rights. The precise data that are processed and the way in which these data will be used in individual cases essentially depend on the services used, applied or agreed.
1 Obligation to provide information according to Art. 13 GDPR
The full wording of the obligation to provide information is available under the following link: Obligation to provide information.
2 Controller and data protection officer
The controller under Art. 4 (7) of the General Data Protection Regulation (GDPR) or service provider under Art. 13 German Telemedia Act (TMG) is:
Wilhelm Schäfer GmbH
D-64646 Heppenheim, Germany
Data Protection Officer of Wilhelm Schäfer GmbH:
Helbig Datenschutz GmbH
91207 Lauf an der Pegnitz
Tel.: +49 (0) 9 12 37 02 75-10
3 Source of personal data
We process personal data that we collect when you visit our website or contact us by e-mail or that you submit to us in a contact form.
4 Categories of personal data processed by us:
(1) If you only visit or use our website for the purpose of informing yourself, i.e. if you do not register or otherwise submit information, we only collect the personal data transmitted by your browser to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website and ensure its stability and security:
- Browser type and version
- Operating system used
- Referrer URL
- Host name of the computer accessing our site
- Date and time of server enquiry
- Pages accessed
- Log files
- Status code
- Data volume
- User agent
- IP address
These data are used exclusively for internal statistical purposes.
(2) In addition to the above data, we store cookies on your computer when you use our website. Cookies are small text files which are placed on your computer, assigned to your web browser and send specific information back to the originating website. Cookies cannot execute programs or infect your computer with malware. Their purpose is to improve the usability and effectiveness of the overall Internet presence.
(4) Most browser settings automatically accept cookies. You can disable cookies in your browser at any time or change your browser settings to receive notification whenever cookies are sent to your device. However, please note that in this case you may not be able to use the full range of functions offered by this website.
(5) The data collected are stored separately from any further data that you may have provided. In particular, data from cookies are not linked to any further data.
5 External hosting
This website is hosted by an external service provider (host). The personal data recorded on this website are stored on the host servers. These data mainly include IP addresses, contact enquiries, meta and communication data, contract data, contact data, names, website hits and other data that are generated via a website.
A host is used for the purposes of execution of a contract with prospective and existing customers (Art. 6 (1) lit. b GDPR) and the legitimate interests of secure, fast and efficient provision of our online offering by a professional provider (Art. 6 (1) lit. f GDPR).
Our host will only process your data to the extent necessary for performance of its contractual obligations and will comply with our instructions in relation to these data.
Conclusion of a data processing contract
To ensure processing complies with data-protection regulations, we have concluded a data-processing contract with our host.
6 Other features and offerings on our website
(1) In addition to use of our website purely for information purposes, we offer various services which you can use if so interested. To do so, you generally need to submit further personal data, which we use to provide the requested service and which are governed by the above data protection principles.
(2) When you contact us by e-mail or using a contact form, we will store the data provided by you (your e-mail address, your first and last names, your address and any further personal data provided voluntarily) in order to answer your questions. Given this, processing of any data entered in the contact form is exclusively based on your consent (Art. 6 (1) lit. a GDPR). We will not share this data without your consent. We will erase any data collected in this context as soon as their storage is no longer required, you request us to erase such data, or you withdraw your consent to our storage of such data by sending us an informal e-mail in this respect. If we are required by law to retain data, we will restrict processing instead. Withdrawal of your consent will not affect the lawfulness of data processing up to your withdrawal.
(3) We offer you the possibility to submit product enquiries through our website. To do so, you must provide the following personal data: Your first and last names, your e-mail address, your phone number and your postcode. You can also provide further personal data on a voluntary basis.
Withdrawal of your consent to processing of personal data
Many processing operations require your explicit consent. You have the right to withdraw your consent at any time by simply sending us an informal e-mail in this respect. Withdrawal of consent will not affect the lawfulness of data processing up to the time of withdrawal.
Right to object to data collection on grounds relating to a particular situation and for direct marketing purposes (Art. 21 GDPR)
If data processing is based on Art. 6 (1) lit. e or f GDPR, you are entitled to object at any time to the processing of your personal data on grounds relating to your particular situation; the same applies to profiling based on those provisions. The legal basis for processing is provided in this privacy statement. If you object to data processing, we will desist from processing your personal data unless we can demonstrate compelling legitimate grounds for data processing which override your interests, rights and freedoms, or unless processing is for the establishment, exercise or defence of legal claims (objection according to Art. 21 (1) GDPR).
If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing, your personal data will no longer be processed for such purposes (objection according to Art. 21 (2) GDPR).
SSL or TLS encryption
This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential information, such as purchase orders or enquiries, which you send to us in our capacity as website operator. If the website connection is encrypted, the address bar of your browser changes from “http://” to “https://” and a padlock icon is displayed in the bar.
When SSL and/or TLS encryption are activated, third parties cannot decipher the information that you transmit to us.
Enquiries by e-mail, telephone or fax
If you contact us by e-mail, telephone or fax, your enquiry, including all personal data contained therein (name, enquiry message) will be stored and processed by us for the purpose of processing your request. We will not share this data without your consent.
In as far as your enquiry is related to the performance of a contract or the implementation of pre-contractual measures, these data will be processed on the basis of Art. 6 (1) lit. b GDPR. In all other cases, processing will be based on your consent (Art. 6 (1) lit. a GDPR) and/or our legitimate interests (Art. 6 (1) lit. f GDPR), since we have a legitimate interest in ensuring effective processing of all enquiries transmitted to us.
We will store all personal data submitted to us by means of contact enquiries until you request the erasure of such data or withdraw your consent to the storage of such data or until the purpose of storage of such data no longer applies (e.g. after completion of processing of your request). Mandatory legal obligations, particularly statutory retention periods, will remain unaffected.
7 Google Universal Analytics with IP anonymisation
This website uses features of Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics uses ‘cookies’, text files stored on your computer, to help us analyse how you use our website. The information generated by the cookie about your use of this website is transmitted to servers in the USA by Google and stored there.
The storage of Google Analytics’ cookies on your computer and the use of this analytics tool are based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour to optimise both its web offering and its advertising. Provided the website has requested appropriate consent (e.g. your consent to the storing of cookies), processing of such data is based exclusively on Art. 6 (1) lit. a GDPR; you can withdraw this consent at any time.
We have activated the “IP anonymisation” feature on this website. Given this, Google will truncate your IP address in Member States of the European Union and other countries belonging to the European Economic Area before it is transmitted to the USA. The full IP address is only sent to Google servers in the USA and truncated there in exceptional cases. On behalf of the website provider, Google will use this information for the purposes of analysing your use of the website, compiling reports on website activity and supplying the website provider with other services related to website activity and internet usage. Google will not associate the IP address transmitted by your browser within the operations of Google Analytics with any other data held by Google.
You may prevent cookies from being installed by selecting the appropriate settings on your browser. However, please note that in this case you may not be able to use the full range of functions of this website. Furthermore, you can prevent Google from collecting and processing the data of your use of our website generated by the cookies (including your IP address) by downloading and installing the browser plugin from the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
Objection to data collection
Click the link below to prevent collection of your data by Google Analytics. Clicking this link sets an opt-out cookie which prevents your data from being tracked when you visit this website in the future. Deactivate Google Analytics
We have concluded a data processing contract with Google and are in full compliance with the strict regulations for using Google Analytics established by the German data protection authorities.
Google Analytics Demographics Reporting
This website uses Google Analytics Demographics Reporting. This feature supports the compilation of reports that include information on the age, gender and interests of website visitors. These data originate from interest-based advertising by Google and visitor data from third parties. These data cannot be associated with a certain individual. You can disable this feature at any time by changing your Google account display settings or by generally objecting to collection of your data by Google Analytics as described in the “Objection to data collection” section.
Data at user or event level stored by Google and linked to cookies, user IDs or advertising IDs (e.g. double-click cookies, Android advertising ID) will be anonymised or erased after 14 months. More information can be found at the following link: https://support.google.com/analytics/answer/7667196?hl=en
8 Use of the Shariff solution for Facebook social media plugins
(3) The plugin provider stores these data in the form of usage profiles and uses them for the purposes of advertising, market research and/or needs-based design of its own website. This type of analysis is primarily performed (including for users who are not logged in) to display needs-based advertising and inform other social-network users of your activities on our website. You have the right to object to the development of such usage profiles. However, to exercise this right you need to contact the respective plugin provider. Through the plugin, we offer you the possibility to interact with social networks and other users, enabling us to improve our offer and increase its interest for you.
(4) The data are shared irrespective of whether you have an account with the plugin provider or whether you are logged in. If you are logged into the plugin provider, your data will be assigned directly to your account with the plugin provider. If you click the activated button and, for example, link the page, the plugin provider will also save this information in your user account and share it publicly with your contacts. We recommend that you regularly log out from social networks, particularly before you activate the button, to prevent data from being assigned to your profile with the plugin provider.
(5) Further information about the purpose and scope of collection and processing of data by the plugin provider can be found in the provider’s privacy statement, where you will also find information about your rights in this context and possible settings to protect your privacy.
(6) Address of the provider and URL including privacy statement. Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA, http://www.facebook.com/policy.php; further information about data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo.
Facebook plugins are used on the basis of Art. 6 (1) lit. f GDPR. The operator of the website has a legitimate interest in ensuring maximum visibility in social media. Provided the website has requested your consent, processing of such data is based exclusively on Art. 6 (1) lit. a GDPR; you can withdraw your consent at any time.
9 YouTube with extended data protection mode
Our website uses YouTube plug-ins. The pages are operated by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
We use YouTube in the extended data protection mode. According to YouTube, in this mode YouTube will not store any information about visitors to this website before they watch a video. However, the extended data protection mode does not necessarily exclude sharing of personal data with partners of YouTube. For example, YouTube connects to the Google DoubleClick network irrespective of whether you watch a video or not. Provided the website has requested your consent, processing of such data is based exclusively on Art. 6 (1) lit. a GDPR; you can withdraw your consent at any time.
As soon as you start a YouTube video on our website, our website connects to the YouTube servers. This informs the YouTube server about the pages of our website that you visited. If you are logged in to your YouTube account, YouTube can assign your surfing preferences directly to your personal profile. You can prevent this by logging out from your YouTube account.
When a YouTube video is started, YouTube can also store various cookies on your device. These cookies enable YouTube to collect information about your visits to our website. This information is used for purposes including collection of video statistics, improvement of usability and prevention of attempted fraud. The cookies will be stored on your device until you erase them.
When a YouTube video is started, further data processing operations may be triggered which are beyond our control.
We use YouTube to provide an attractive presentation of our online offering. This is a legitimate interest as defined in Art. 6 (1) lit. f GDPR.
10 Google Web Fonts
11 Integration of Google Maps
(1) This website uses the Google Maps map service via an API. Google Maps is provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Using Google Maps allows us to display interactive maps directly on our website and enable convenient use of the map function. This is a legitimate interest as defined in Art. 6 (1) lit. f GDPR. Provided the website has requested your consent, processing of such data is based exclusively on Art. 6 (1) lit. a GDPR; you can withdraw your consent at any time.
(2) When you visit our website, Google will be informed that you have visited the respective page of our website. In addition, the data specified in Section 3 of this Privacy Statement will be transmitted. Transmission is not dependent on whether you are logged into, or have, a user account which is provided by Google. If you are logged into Google, your data will be assigned directly to your account. This data transmission does not fall under the control of the provider of this website. If you do not wish data to be assigned in this way, you must log out before activating the button. Google stores these data in the form of usage profiles and uses them for the purposes of advertising, market research or needs-based design of its own website. This type of analysis is primarily performed (including for users who are not logged in) to provide needs-based advertising and inform other social-network users of your activities on our website. You have the right to object to the development of such user profiles. However, to exercise this right you need to contact Google.
(3) Further information about the purpose and scope of the collection and processing of data by the plugin provider can be found in the provider’s privacy policies, where you will also find information about your rights in this context and possible settings to protect your privacy. https://policies.google.com/privacy?hl=en&gl=en. Google also processes your personal data in the USA and has signed up to the EU-US Privacy Shield.
12 Use of our online shop
(1) To order from our online shop, you must provide the personal data we need to conclude a contract with you and process your order. All mandatory details that are necessary for the processing of the contracts are marked as such; all other details are voluntary. We use the data submitted by you to process your order. To do so, we may share your payment information with our house bank.
We may also process the data submitted by you to inform you about other interesting products in our portfolio or send you e-mails containing technical information.
(2) Under commercial and tax regulations, we are under the obligation to store your address, payment and order details for a period of ten years. However, after two years we will restrict processing of these data, i.e. from then on the data will only be retained for compliance with legal requirements.
(3) To prevent unauthorised access of your personal data, in particular financial data, by third parties, the order process is encrypted using TLS technology.
13 Use of our supplier portal
(1) If you wish to use our portal, you need to register by entering the following personal details:
- E-mail address
- Password of your choice
We use a double-opt-in registration process, i.e. your registration is only complete when you have confirmed it by clicking the link in the confirmation e-mail sent to you for this purpose. If you fail to confirm your registration within 24 hours, it will be automatically erased from our database. Entry of the above data is mandatory; submission of all other data is voluntary and can be made by using our portal.
(2) When you use our portal, we will store all data necessary for contract performance, including any information relating to your payment method, until you permanently erase your account. We will also store the voluntary data provided by you for as long as you use our portal, unless you erase them beforehand. All information can be managed and changed in the protected customer area.
(3) To prevent unauthorised third parties from accessing your personal data, particularly your financial data, the connection is encrypted using TLS technology.
14 Categories of recipients of personal data
(1) We commission carefully selected service providers to carry out individual processes and services from the foregoing in compliance with the data-protection regulations. These external service providers must follow our instructions and are checked at regular intervals. They will not disclose your data to any third parties.
(2) We will only disclose your information to other recipients where this is required to comply with a legal obligation, where you have given your consent or where we are authorised to disclose your information. If these criteria are fulfilled, potential recipients of personal data include, but are not limited to:
- Public bodies and institutions (e.g. financial authorities, law enforcement authorities) in case of a statutory or regulatory obligation.
- Other companies or similar institutions to which we transmit your personal data on the basis of our business relations.
15 Purposes and legal grounds for the processing of personal data
We process your personal data in compliance with the applicable legal data-protection regulations. Processing is lawful if the following conditions have been fulfilled:
Consent (Art. 6 (1) lit. a GDPR)
Processing of personal data is lawful if the data subject has consented to processing for specified purposes (e.g. processing of your enquiry, use of data for marketing purposes etc.). Data subjects can withdraw their consent at any time with future effect. This also applies to the withdrawal of consent provided to us before 25 May 2018, i.e. before applicability of the GDPR.
For performance of a contract (Art. 6 (1) lit. b GDPR)
We process personal data to perform our contractual duties or implement pre-contractual measures which are required in connection with an enquiry or use of our webshop. The purposes of data processing result primarily from your enquiry or order.
For compliance with legal obligations (Art. 6 (1) lit. c GDPR)
Wilhelm Schäfer GmbH is subject to various legal obligations. These include, but are not limited to:
- Retention obligations established by tax law and commercial law, e.g. according to the German Commercial Code (Handelsgesetzbuch, HGB) and Tax Code (Abgabenordnung, AO).
- Compliance with control and reporting duties as defined in tax law.
Within the scope of balancing of interests (Art. 6 (1) lit. f GDPR)
We process your personal data beyond the extent required to fulfil our obligations under the contract where this is necessary to pursue our legitimate interests or the legitimate interests of third parties. Examples:
- Assertion of legal claims and defence in legal disputes
- Guaranteeing of IT security and IT operation
- Analysis and improvement of the use of our website
- For the purpose of using social-media plug-ins
16 Intention to transfer personal data to a third country or an international organisation
Personal data are only actively transferred to a third country if this has been expressly indicated within the scope of the above services.
17 Criteria for defining the period for which the personal data will be stored
(1) The data will be stored according to the legal regulations for data processing, taking legal retention periods into account. We exclusively process and use your data for the purposes for which you have given your consent and for as long as these data will be needed for these purposes.
(2) If your personal data are no longer necessary for this purpose or to comply with legal requirements, they are generally erased unless their temporary and, if necessary, restricted processing is required for the following purposes:
- Compliance with retention duties under commercial and tax law: Examples in this context include the German Commercial Code (Handelsgesetzbuch, HGB) and the Tax Code (Abgabenordnung, AO), which require retention and documentation periods of up to ten years.
- Retention of evidence in line with the legal statutes of limitation: Under Art. 195 et seq. of the German Civil Code (BGB), the regular period of limitation is three years but can be up to 30 years under exceptional circumstances.
18 Your data-protection rights
(1) Every data subject has the right of access in accordance with Art. 15 GDPR and the right to rectification in accordance with Art. 16 GDPR, the right to erasure in accordance with Art. 17 GDPR, the right to restriction of processing in accordance with Art. 18 GDPR, the right to object as set forth in Art. 21 GDPR and the right to data portability defined in Art. 20 GDPR. The restrictions set forth in Articles 34 and 35 of the German Data Protection Act (Bundesdatenschutzgesetz, BDSG) apply to the right of access and the right of erasure. In addition, data subjects have the right to lodge a complaint with the competent data supervisory authority (Art. 77 GDPR in conjunction with Art. 19 GDPR).
(2) You have the right to withdraw your consent to the processing of your personal data provided to us at any time with future effect. This also applies to the withdrawal of consent provided to us before 25 May 2018, i.e. before the application date of the General Data Protection Regulation.
(3) You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Art. 6 (1) lit. e GDPR (processing for a task carried out in the public interest) and Art. 6 (1) lit. f GDPR (data processing based on a balancing of interests).
If you object to data processing, we will desist from processing your personal data unless we can demonstrate compelling legitimate grounds for data processing which override your interests, rights and freedoms, or unless processing is for the establishment, exercise or defence of legal claims.
The objection to processing can be informal and should be addressed to
Wilhelm Schäfer GmbH
D-64646 Heppenheim, Germany
19 Obligation to provide personal data and possible consequences of non-provision of personal data
When using our offers, you need to provide the personal data necessary to fulfil the relevant purpose or which we are legally required to collect. Without these data, we will generally not be able to conclude or execute our contract with you.
20 Automated decision-making, including profiling
We do not generally make use of automated decision-making as set forth in Art. 22 GDPR with the purpose of establishing and implementing the business relationship. Should we make use of automated decision-making in individual cases, we will inform you separately of this fact where required by law to do so.
21 Amendment of privacy statement
Our services are continually developed and improved. Given this, new features may be added. Should this influence the processing of your personal data, we will provide timely information in our privacy statement.
22 Own services
On our website, we also offer you the possibility to apply for a job with us (e.g. by e-mail or regular post service or using our online recruitment form). Below we inform you of the scope, purpose and use of your personal data collected in connection with the job application process. We assure you that our collection, processing and use of your data is in compliance with the applicable data-protection law and all other legal regulations and that we will keep your data strictly confidential.
Scope and purpose of the collection of data
If you submit a job application, we process all associated personal data (e.g. your contact and communication data, application documents, notes made in connection with job interviews etc.) in as far as necessary for decision-making about employment. The legal basis for this is Art. 26 of the amended German Data Protection Act (BDSG-neu) (initiation of employment), Art. 6 (1) lit. b GDPR (general initiation of a contract) and – in as far as you have given your consent – Art. 6 (1) lit. a GDPR. Your consent can be withdrawn at any time. Your personal data will only be transferred to people inside our company who are involved in the processing of your job application.
If your job application is successful, the data you have submitted will be stored in our data processing systems on the basis of Art. 26 BDSG-neu and Art. 6 (1) lit. b GDPR for the purpose of executing the employment relationship.
Data retention period
If we cannot offer you a job or if you reject our job offer or withdraw your application, we reserve the right to store the data submitted by you for a period of 6 months from the end of the application process (rejection or withdrawal of application) on the basis of our legitimate interests (Art. 6 (1) lit. f GDPR). On expiry of this period, the data will be erased and any physical application documents destroyed. Retention primarily serves the purpose of evidence in case of a legal dispute. If it becomes clear that the data will still be required after expiry of the 6-month period (e.g. on the grounds of impending or pending legal action), erasure will not take place until the purpose of continued retention no longer applies.
Your data may also be retained for a longer period if you have given us your consent (Art. 6 (1) lit. a GDPR) or if legal obligations of retention prevent the erasure of such data.
Inclusion in the pool of candidates
If we do not offer you a job, there may still be the possibility of inclusion in our pool of candidates. In this case all documents and data from your application will be transferred to the pool of candidates so that we can contact you if the right vacancy opens up.
Inclusion in the pool of candidates is based exclusively on your express consent (Art. 6 (1) lit. a GDPR). Your consent is voluntary and bears no relation to the ongoing job application process. Data subjects can withdraw their consent at any time. In this case, their data will be irrevocably erased from the pool of candidates unless there are legal grounds for retention.
Your data will be irrevocably erased from the pool of candidates two years after giving your consent at the latest.
As at: 30 April 2020