1. Name and address of the controller
The controller in the sense of the General Data Protection Regulation and other national data protection legislation of the member states, as well as other data protection provisions, is:
W. Zimmermann GmbH & Co. KG, Riederstraße 7, 88171 Weiler-Simmerberg
Name and address of the data protection officer:
W. Zimmermann GmbH & Co. KG
Datenschutzbeauftragter
Riederstraße 7
88171 Weiler-Simmerberg
Germany
Phone: +49 8322 18-0
E-mail: datenschutzbeauftragter@geigergruppe.de
Data subjects may contact our data protection officer directly with any questions and suggestions regarding data protection.
2. General information on data processing
2.1 Scope of processing personal data
We generally process the personal data of our users only insofar as this is required to provide an operative website and for our contents and services. Processing of the personal data of our users regularly takes place only following consent of the user. An exception applies in those cases when obtaining consent beforehand is not possible for valid reasons, or data processing is permitted by law.
2.2 Legal basis for processing personal data
As far as we obtain consent from a data subject for processing operations of personal data, Article 6(1)(a) EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data is required for the performance of a contract to which the data subject is the contractual party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for conducting pre-contractual measures.
When processing of personal data is required for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Article 6(1)(d) GDPR shall serve as the legal basis.
When processing is required to maintain a legitimate interest of our company or a third party, and when the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Article 6(1)(f) GDPR serves as the legal basis for processing.
2.3 Data erasure and storage period
The personal data of the data subject will be erased or blocked as soon as the purpose for storage lapses. In addition, storage can take place if provided for by European or national legislators in EU ordinances, laws or other regulations to which the controller is subject. Blocking or erasure of data is also carried out when a storage period stipulated in the standards referred to expires unless there is a need for further data storage for the conclusion of a contract or performance of a contract.
3. Provision of the website and creation of logfiles
3.1 Description and scope of data processing
With every access of our website, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
- information about the browser type and version used
- the operating system of the user
- the Internet service provider of the user
- the IP address of the user
- the date and time of the access
- websites from which the system of the user is referred to our website
- websites which are accessed from the user's system via our website
The log files contain IP addresses or other data that enable an assignment to a user. This could be the case, for example, if the link to the website from which the user is referred to the website or the link to the website to which the user switches contains perso
nal data. The data are also stored in our system’s log files. Storage of these data together with other personal data of the user does not take place.
3.2 Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
3.3 Purpose of data processing
The temporary storage of the IP address by the system is necessary to allow provision of the website to the user's computer. This requires the user’s IP address to be stored for the duration of the session.
Storage in log files takes place to ensure the website’s functionality and to ward off attacks. In addition, the data are used to optimize the website and to ensure the security of our information technology systems. Data analysis for marketing purposes does not occur in this context.
According to Article 6(1)(f) GDPR, these purposes also represent our legitimate interest in data processing.
3.4 Storage period
The data will be deleted as soon as they are no longer required to achieve the purpose of their collection. If data are collected for the provision of the website, this is the case when the respective session has ended.
If the data are stored in log files, this is the case after seven days at the latest. Storage beyond that time is possible. In this case, the users’ IP addresses are deleted or defamiliarized so that an association with the accessing client is no longer possible.
3.5 Means of objection and elimination
The collection of data for the provision of the website and the storage of data in log files is imperative for the operation of the website. Consequently, the user cannot object.
4. Use of cookies
4.1 Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string which enables the browser to be clearly identified when the website is reaccessed.
We use cookies to make our website more user-friendly. Some elements of our website require the accessing browser to be identified even after a page change.
For more information on which cookies are stored, how long and with what content, please refer to the information in the consent dialog of the cookie settings. To do this, click the (i) next to the relevant services.
Go to cookie settings
4.2 Legal basis for data processing
The legal basis for processing personal data using technically necessary cookies is Article 6(1)(f) GDPR.
The legal basis for processing personal data using cookies for analysis purposes is Article 6(1)(a) GDPR if the user has consented to this.
4.3 Purpose of data processing
The purpose of using technically necessary cookies is to facilitate the use of websites for users. Some functions of our website cannot be provided without cookies. For these functions, the browser must be recognized again even after a change of pages.
We need cookies for the following applications:
- saving the consent granted
- remembering search terms
- saving the selected page language
The user data collected by technically necessary cookies will not be used to create user profiles.
The use of other cookies is carried out to improve the quality of our website and its contents. We learn how the website is used on the basis of the analysis cookies, and can thus constantly optimize our offer.
According to Article 6(1)(f) GDPR, these purposes also represent our legitimate interest in processing personal data.
4.4 Storage period, means of objection and elimination
Cookies are stored on the user's computer and transmitted to our website from there. Therefore, you, as a user, have full control over the use of cookies. By modifying the settings in your Internet browser, you can disable or restrict the transmission of cookies. Previously stored cookies can be deleted at any time. This can also be done automatically. If you disable cookies for our website, you may no longer be able to use all of the website’s features to their full extent.
5. Contact form and e-mail contact
5.1 Description and scope of data processing
Our website offers a contact form that can be used to establish contact electronically. If a user takes this opportunity, the data entered in the input mask will be transmitted to us and stored. These data are:
Within the framework of the registration process, we obtain your consent to data processing and refer to this privacy policy.
Alternatively, you can contact us via the e-mail address provided. In this case, the user’s personal data transmitted in the e-mail will be stored.
There will be no transmission of data to third parties in this context. The data will be used exclusively for processing the conversation.
5.2 Legal basis for data processing
The legal basis for data processing under the presence of consent by the user is Article 6(1)(a) GDPR. The legal basis for processing data transmitted in the context of sending an e-mail is Article 6(1)(f) GDPR. If the contact aims at the conclusion of a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.
5.3 Purpose of data processing
Processing of personal data from the input mask solely serves for processing your outreach. In the event of contacting via e-mail, this also represents the required legitimate interest in processing the data.
The other personal data processed during the transmission process are intended to prevent abuse of the contact form and ensure the safety of our information technology systems.
5.4 Storage period
The data will be erased as soon as they are no longer required to fulfill the purpose of their collection, and there are no other statutory retention periods.
5.5 Means of objection and elimination
Users can revoke their consent to the processing of personal data at any time. If users contact us by e-mail, they can object to the storage of their personal data at any time. The conversation cannot be continued in such cases.
6. Use by third-party tools
6.1 Scope of processing personal data by third parties
In order to provide and continuously improve our services, we rely on the services of the following third-party providers, which may also process personal data. We have selected these third-party providers carefully and following the provisions of the GDPR.
6.1.1 Google Maps
Unless otherwise stated in this privacy policy, the operator of all Google services mentioned here is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
We have integrated the “Google Maps” service via API in order to be able to display geographical
information. Using Google Maps allows Google to collect, process and use data about your use of the service. By using Google Maps, information about the use of this website, including your IP address and the (start) address entered as part of the route planner function, may be transmitted to Google in the USA. Google sends the map's content directly to the user’s browser and, from there, integrates it into the website. We do not have any influence on the amount of data Google collects in this way. We also have no influence on the further processing and use of the data by Google and, therefore, cannot accept any responsibility for this. Please refer to Google’s privacy policy for more information about how Google processes your data.
Google Maps collects and processes the following data:
- IP address
- location information
- usage data
- date and time of the visit
- URLs
The legal basis of processing is Article 6(1)(a) GDPR. Consent is voluntary and can be refused or revoked at any time with effect for the future.
The personal data is stored for as long as it is required to fulfill the purpose of processing. The data will be deleted as soon as they are no longer required to fulfill the purpose of their collection.
In addition to Google Ireland Limited, the data may be transmitted to the following recipients as part of processing:
– Google LLC.
– Alphabet Inc.
Google may transfer data to third countries, such as the USA, in the context of processing. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This may be associated with various risks to the legality and security of data processing. So-called SCC generally guarantee the security of the transfer. This is intended to ensure that the processing is subject to a level of security that complies with the GDPR. If the SCC are insufficient, consent is obtained in advance following Article 49(1)(a) GDPR.
With the SCC, Google submits to the European level of data protection when processing the relevant data, even if this data is stored and processed in the USA. The SCC are based on an implementing decision of the EU Commission, which is available here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
The Google Ads Data Processing Terms with reference to the SCC are available here: https://business.safety.google/intl/de/adsprocessorterms/.
If you want to learn more about Google's data processing, please go to: https://policies.google.com/privacy?hl=de .
6.1.2 Google Analytics
We use the analysis tracking tool Google Analytics (GA) by the US company “Google Inc” on our website. Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services for the European area.
Google Analytics collects data about your actions on our website, such as clicking on a link, and transmits this to Google Analytics. This is used to create reports that allow us to better customize our website to the expectations of website visitors.
These reports include, among others:
- target group reports
- ad reports
- acquisition reports
- behavior reports
- conversion reports
- real-time reports
Google Analytics uses the cookie to recognize a repeat visit.
The storage period is 14 months, and for “Universal Analytics” 26 months. After this period, the user data is deleted.
The legal basis of processing is A
rticle 6(1)(a) GDPR. Consent is voluntary and can be refused or revoked at any time with effect for the future.
The personal data will be stored until the purpose of processing has been fulfilled and deleted as soon as they are no longer required to fulfill the purpose.
In addition to Google Ireland Limited, the data may be transmitted to the following recipients as part of processing:
– Google LLC.
– Alphabet Inc.
Google may transfer data to third countries, such as the USA, in the context of processing. We would like to point out that, in the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This may be associated with various risks to the legality and security of data processing. So-called SCC generally guarantee the security of the transfer. This is intended to ensure that the processing is subject to a level of security that complies with the GDPR. If the SCC are insufficient, consent is obtained in advance following Article 49(1)(a) GDPR.
With the SCC, Google submits to the European level of data protection when processing the relevant data, even if this data is stored and processed in the USA. The SCC are based on an implementing decision of the EU Commission, which is available here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
The Google Ads Data Processing Terms with reference to the SCC are available here: https://business.safety.google/intl/de/adsprocessorterms/.
If you want to learn more about Google's data processing, please go to: https://policies.google.com/privacy?hl=de .
6.1.3 YouTube
We have embedded YouTube videos on our website, made available via a plugin by Google Ireland Ltd. in Ireland ("YouTube"). Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services for the European area.
We use the “extended data protection settings” for embedded YouTube videos, i.e., YouTube does not set any cookies.
When accessing videos, the following data, among others, is transmitted to YouTube:
· IP address,
· interactions of users who have been referred to the company's website via an ad
By combining the IP address and page activity, Google can create a personalized user profile.
The legal basis of processing is Article 6(1)(a) GDPR. Consent is voluntary and can be refused or revoked at any time with effect for the future.
The personal data will be stored until the purpose of processing has been fulfilled and deleted as soon as they are no longer required to fulfill the purpose.
In addition to Google Ireland Limited, the data may be transmitted to the following recipients as part of processing:
– Google LLC.
– Alphabet Inc.
When using Google, personal data is transferred to a third country outside the EU. The transfer takes place based on an EU adequacy decision (Data Privacy Framework, DPF). As part of the DPF, the EU Commission has determined that an adequate level of data protection also exists for US companies that have undergone a specific (self-)certification process. This is the case for Google: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
Alternatively, we guarantee that suitable safeguards are provided for the transfer in accordance with Article 46 GDPR. We will be happy to provide you with proof of suitable safeguards (standard contractual clauses) at any time upon request. If the SCC are ins
ufficient, consent is obtained in advance following Article 49(1)(a) GDPR.
With the SCC, Google submits to the European level of data protection when processing the relevant data, even if this data is stored and processed in the USA. The SCC are based on an implementing decision of the EU Commission, which is available here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
The Google Ads Data Processing Terms with reference to the SCC are available here: https://business.safety.google/intl/de/adsprocessorterms/.
If you want to learn more about Google's data processing, please go to: https://policies.google.com/privacy?hl=de.
6.1.4 Usercentrics
We use the Consent Management Platform (CMP) Usercentrics on our website. The service provider is the German company Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany. If you want to learn more about the data processed using Usercentrics, please refer to their privacy policy at https://usercentrics.com/privacy-policy/.
6.2 Legal basis for processing personal data
The legal basis of processing is Article 6(1)(a) GDPR. Consent is voluntary and can be refused or revoked at any time with effect for the future.
6.3 Purpose of data processing
Unless specified otherwise, processing of users' personal data allows us, among other things, to analyze the surfing behavior of our users. The analysis of the data obtained allows us to compile information about the use of the individual components of our website. This helps us to improve our website and its user friendliness continuously. According to Article 6(1)(f) GDPR, these purposes also represent our legitimate interest in processing the data. By anonymizing the IP address, the interest of users in the protection of their personal data is sufficiently accounted for.
6.4 Storage period
Unless specified otherwise, the data will be deleted as soon as they are no longer required for our recording purposes.
6.5 Means of objection and elimination
Unless specified separately for the individual services, cookies are stored on the user's computer and transmitted by it to us and/or the third-party providers. The user can – also automatically – disable or restrict the creation or transmission of cookies in their browser settings and delete cookies that have already been saved. Without cookies, you may no longer be able to use all of the website’s features.
When opting out, another cookie is set that tells us not to store the user's data If the user deletes this cookie, the opt-out cookie must be set again.
7. Rights of the data subject
If your personal data are processed, you will be considered a data subject within the meaning of the GDPR and have the following rights against the controller:
7.1 Right of access
You can request a confirmation from the controller whether we process personal data concerning you.
If there is such processing, you can request the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data which are processed;
- the recipients or categories of recipients to whom the personal data concerning you have been disclosed or will be disclosed;
- the planned storage period of personal data concerning you or, if specific details on this are not possible, criteria for determining the storage period;
- the existence of a right to rectification or erasure of
personal data concerning you, the right to restriction of processing by the controller or a right to object to this processing;
- the existence of a right of appeal to a supervisory authority;
- all available information about the origin of the data if the personal data are not collected from the data subject;
- the existence of automated decision-making, including profiling according to Article 22(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and desired effects of such processing for the data subject.
You have the right to demand information on whether or not personal data concerning you are transmitted to a third country or an international organization. In this context, you may request to be informed about the appropriate safeguards according to Article 46 GDPR in connection with the transmission.
7.2 Right to rectification
You have the right to rectification and/or completion against the controller if the processed personal data concerning you are inaccurate or incomplete. The controller shall rectify this immediately.
7.3 Right to restriction of processing
On condition of the following, you can demand the restriction of processing of the personal data concerning you:
- if you challenge the accuracy of the personal data concerning you for a period which allows the controller to check the accuracy of the personal data;
- processing is unlawful, and you dismiss the erasure of the personal data and instead demand the restriction of the use of the personal data;
- the controller no longer needs the personal data for processing, but you need them for the enforcement, exercise or defense of legal claims, or
- if you have objected to processing in accordance with Article 21 (1) GDPR and it has not yet been decided whether the controller’s legitimate reasons outweigh your reasons.
If the processing of personal data concerning you has been restricted, these data – apart from storage – can only be processed with your consent or for the enforcement, exercise or defense of legal claims, or the protection of the rights of another natural or legal person, or reasons of substantial public interest of the European Union or of a member state.
If the restriction of processing has been limited according to the prerequisites mentioned above, you will be informed by the controller before the restriction is rescinded.
7.4 Right to erasure
7.4.1 Obligation for erasure
You can request the controller to erase the personal data concerning you immediately, and the controller will be obliged to erase these data immediately if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or processed in any other way.
- You revoke your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for processing.
- You object to processing according to Article 21(1) GDPR, and there are no other legitimate reasons for processing, or you object to processing according to Article 21(2) GDPR.
- The personal data concerning you have been processed unlawfully.
- The erasure of the personal data concerning you is required for compliance with a legal obligation according to European Union law or the law of the member states to which the controller is subject.
- The personal data concerning you have been collected in relation to the offer of information society services in accordance with Article 8(1) GDPR.
7.4.2 Information to third parties
If the controller has disclosed
the personal data concerning you and if they are obliged to erase these data according to Article 17(1) GDPR, they shall, taking into account the available technology and implementation costs, take the appropriate measures, also of a technical nature, to inform the persons responsible for data processing that you as the data subject have requested the erasure of all links to these personal data or of copies or replications of these personal data.
7.4.3 Exceptions
The right to erasure does not apply if processing is required
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation requiring processing in accordance with the law of the European Union or the member states to which the controller is subject, or for the performance of a task carried out in the public interest, or in the exercise of public authority vested in the controller;
- on grounds of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) GDPR;
- for the enforcement, exercise or defense of legal claims.
7.5 Right to be informed
If you have enforced the right to rectification, erasure or restriction of processing against the controller, they are obligated to notify all recipients to whom the personal data concerning you have been disclosed about this rectification, erasure or restriction of processing of the data unless this proves impossible or involves disproportionate effort.
You have the right against the controller to be informed about these recipients.
7.6 Right to data portability
You have the right to obtain the personal data concerning you which you have provided to the controller in a structured, common and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided if
- processing is based on consent according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract according to Article 6(1)(b) GDPR and
- processing takes place using automated procedures.
In exercising this right, you also have the right to obtain that the personal data concerning you are directly transferred to another controller by a controller insofar as this is technically feasible. This must not affect any civil liberties and rights of other persons.
The right to data portability does not apply to the processing of personal data required for the performance of a task in the public interest or in the exercise of public authority vested in the controller.
7.7 Right to object
You have the right to object to the processing of personal data concerning you collected according to Article 6(1)(e) or (f) GDPR for reasons arising from your specific situation at any time; this also applies to profiling based on these provisions.
The controller will no longer process your personal data unless they can demonstrate compelling legitimate grounds for processing which override your interests, rights, and freedoms or for the enforcement, exercise, or defense of legal claims.
If the personal data concerning you will be processed for purposes of direct advertising, you have the right to object to the processing of personal data concerning you for the purposes of such advertising at any time; this also applies to profiling in so far as this is connected with such direct advertising.
If you object to processing for direct advertising purposes, the personal data concerning you will no longer be processed for these purposes.
In the context of the offer of information society services – notwithstanding Directive 2002/58/EC – you have the option to exercise your right to objec
t using automated processes in which technical specifications are used.
7.8 Right to revoke your consent to the privacy policy
You can revoke your consent to the privacy policy at any time. The revocation of consent does not affect the legality of processing carried out until the revocation on the basis of the consent granted.
7.9 Automated individual decision-making, including profiling
You have the right not to be subjected to a decision solely based on automated processing – including profiling – which takes legal effect against you or significantly impacts you in a similar way. This does not apply if the decision
- is required for the conclusion or performance of a contract between you and the controller,
- due to statutory provisions of the European Union or the member states to which the controller is subject, is admissible, and these statutory provisions contain appropriate measures in order to safeguard your rights and freedoms as well as your legitimate interests or
- takes place with your explicit consent.
However, these decisions must not be based on special categories of personal data according to Article 9(1) GDPR unless Article 9(2)(a) or (g) GDPR applies and adequate measures for the protection of the rights and freedoms as well as your legitimate interests have been taken.
With regard to the first and the latter cases, the controller takes appropriate measures in order to safeguard the rights and freedoms as well as your legitimate interests, which includes at least the right to obtain the intervention of a person on the part of the controller, the right to present of one's position and the right to challenge the decision.
7.10 Right to appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to appeal to a supervisory authority, especially in the member state of your place of residence, your place of work or the location of the alleged infringement, if you think that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which you have appealed informs the claimant about the complaint’s status and results, including the possibility of a judicial remedy according to Article 78 GDPR.