We are delighted that you are visiting our website. Your privacy and, by association, protection of your personal data are important to us. This is why our business operations comply with the applicable legal regulations relating to data protection and data security. We are very keen to ensure that you feel safe visiting our website. This is why both we and our data protection officer ensure compliance with the stipulations under data protection legislation.
We are aware of the significance of the data you entrust us with and would like to inform you of the following:
- the purposes for which your (personal) data is collected, processed and used,
- how we handle and protect your data,
- who we provide your data to, and
- how you can exercise your rights.
Please read through the explanations below carefully. You can contact our data protection officer if you have any questions. You will find the contact details further on in this privacy policy.
1. Definitions
Data protection is a complex topic. We have compiled some fundamental terms and definitions to make it easier for you to understand this privacy policy.
In simplified terms, “processing” under the terms of Art. 28 of the General Data Protection Regulation (GDPR) is understood to mean a service where personal data is collected, processed and/or used by a service provider (processor according to the GDPR) on the behalf of and under the instruction of the “controller”. Before an order such as this is placed with a service provider, we conclude a special contract with the service provider and implement other measures to protect your personal data.
“Cookies” are small text files which are stored on your terminal device (e.g. computer or smartphone) and save certain settings and data concerning exchange with our system through your browser. A cookie usually contains the name of the visited web page from which the cookie data was sent, information about how old the cookie is, and an alphanumerical ID. Cookies enable the systems to recognise the user’s device and make any default settings immediately available.
A third party is any natural or legal person or agency other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data, cf. Art. 4, Para. 10 of the GDPR. A person is not, therefore, considered a third party if, for example, personal data is disclosed to a service provider during the course of processing according to Art. 28 of the GDPR.
IP addresses are numerical sequences which can be assigned to individual IT devices or to a group of devices. In a similar way to a postal address, the IP address is used to deliver data to the correct recipient.
“Personal data” is understood to mean all information which relates to an identified or identifiable natural person, particularly their first name and surname, date of birth, email address, postal address, and bank and payment details, as well as health data, cf. Art. 4, Para. 1 of the GDPR.
The “controller” according to Art. 4, Para. 7 of the GDPR is any person or agency who, either alone or together with others, decides on the purposes and means of personal data processing. (In this situation: the website operator).
2. Controller
The controller in relation to your personal data on this website is:
SAHM GmbH + Co. KG
Westerwaldstraße 13
56203 Höhr-Grenzhausen
Phone: +49 26 24 1 88 0
Fax: +49 26 24 1 88 11
Email: sahm@sahm.de
If an agency other than the one mentioned above is the “controller” under the terms of the General Data Protection Regulation, you shall be explicitly and separately informed to this effect, if this is not obvious.
3. Using the website / log files
Every time this website is accessed, data is logged automatically; this also applies to file retrieval (log data). For this purpose, we or the hosting provider (see section 4.2.2) collect and use the technically necessary data to make the website available to you. The technically necessary data transmitted by your browser includes: browser type / browser version, the operating system used, the referrer URL, the pages accessed, the IP address, and the date and time of access.
This data is required to ensure the functionality of the website and to make your visit to this website as pleasant as possible. We reserve the right to analyse the logged data specifically for the purpose of data security. We do not use the technically necessary data to create individual profiles which provide information about your personalised user behaviour. The log data is not linked or merged with other sources of data.
The legal basis for processing the described data – if it is personal – is Art. 6, Para. 1, lit. f of the GDPR. Our legitimate interest is to offer you an appealing, user-friendly and technically functional website.
3.1 Cookies
We use cookies to make it easier for you to use our site. To this end, we firstly use what are known as “session cookies”, which are automatically deleted once the browser session is ended. Secondly, we also use cookies which are stored on your terminal device for a longer period of time and are used to save information about you and your preferences with regard to our website for any visits you might make to our website in future. The collected information relates to technical information such as your browser, a time stamp and a unique ID. Almost all browsers permit general blocking of cookies, the deletion of set cookies or a warning function to prevent / manage the setting of cookies. For more information about the browser settings you can make to manage the setting and administration of cookies, please refer to your browser’s Help file or further instructions issued by your browser provider. Please note that blocking cookies can lead to you being unable to use our website, or to you using it, but with restrictions. Our external data protection officer provides you with guidelines entitled “Receiving alerts for, removing and deleting cookies – data protection with Firefox, Safari, Chrome, Internet Explorer, etc.” on their website (note: external link). If you use another browser, you can also find out about cookies on your browser provider’s website. As a precaution, we have also provided information about the use of cookies when you visit this website.
In accordance with Art. 6 Para. 1 lit. f GDPR, the data processing is based on our legitimate interest in having a user-friendly design of our website and to enable us to optimise our online offering.
3.2 Communication by email, phone, fax or post, or using the contact form
3.2.1 Contact by email, fax, phone or post
If you contact us by email, fax, phone or post, we use your details for contact purposes and to process and respond to your request in a purpose-related manner. Your data is not disclosed to third parties. Your information shall be deleted within an appropriate period of time following completion of our processing activities, provided that there are no other legal regulations to the contrary and your request does not serve the purpose of preparation to conclude a contract.
The legal basis for processing is Art. 6, Para. 1, lit. f of the GDPR. Our legitimate interest lies in appropriately responding to and processing your request. If your request serves the purpose of preparing / initiating the process of concluding a contract with you, Art. 6, Para. 1, lit. b of the GDPR forms an alternative legal basis.
3.2.2 Contact using the contact form
You can contact us by using a contact form provided on the website. If you use the contact form, we collect and store your personal data which you have entered in the input screen (e.g. surname, first name, email address). We only use your data for processing and responding to your request in a purpose-related manner. Your data is not disclosed to third parties. Your information shall be deleted within an appropriate period of time following completion of our processing activities, provided that there are no other legal regulations to the contrary and your request does not serve the purpose of preparation to conclude a contract.
The legal basis for processing is Art. 6, Para. 1, lit. f of the GDPR. Our legitimate interest lies in appropriately responding to and processing your request. If your request serves the purpose of preparing / initiating the process of concluding a contract with you, Art. 6, Para. 1, lit. b of the GDPR forms an alternative legal basis.
3.3 Taking part in prize draws / campaigns
If you take part in a prize draw / campaign (e.g. free entry vouchers for trade fairs) on our website, we shall process your data only for the purpose of holding and settling the prize draw / campaign. Your personal data shall be deleted once the prize draw / campaign has been settled, provided that there are no statutory retention requirements to the contrary. Data is not used for any other purposes or disclosed to third parties.
You are also entitled to request that your data be deleted at any time. To do so, please contact: aktion@sahm.de. Alternatively, you are also welcome to send a fax or letter. If you revoke your consent, your data shall be deleted from the database immediately. Revocation of consent and deletion of your personal participant data shall be confirmed by email upon request. If you revoke your consent before the prize draw / campaign is complete, further participation in the same is therefore excluded.
The legal basis for processing is your consent according to Art. 6, Para. 1, lit. a of the GDPR. You can revoke your consent at any time, with effect for the future.
4. Disclosing your data, using service providers
We collect and use your data in line with the legal requirements and only for our own purposes. Disclosure to “third parties” does not take place unless there is a legal obligation to this effect, you have given your consent to such disclosure, or disclosure is necessary to fulfil a contract concluded between you and ourselves.
4.1 Disclosing your data to handle services
We shall only disclose your data to third parties if doing so is necessary for fulfilling our contractual obligations vis-à-vis you. This includes disclosure of your data to shipping service providers (e.g. Deutsche Post) for the purpose of delivering the orders placed, or disclosure of the required payment data to the payment service providers for the purpose of handling payment. We only disclose the data required for completion of the respective task to the engaged service providers. Further use of your data by the service provider does not take place.
The legal basis for disclosure of data is Art. 6, Para. 1, lit. b of the GDPR.
4.2 Using service providers to handle services
Insofar as we engage other service providers to enable provision of the products and services we offer and potentially grant such service providers necessary access to your data, we have naturally concluded a commissioned data processing contract (known as a “CDP contract” for short) according to Art. 28 of the GDPR with our commissioned data processing service providers (known as “processors” for short). We also still remain responsible for protecting your data. By concluding the contract, the engaged service providers shall not be considered “third parties”.
4.2.1 Website management
We have entrusted Formrausch GmbH (Schenkendorfstraße 22, 56068 Koblenz) with the management of our online presence.
4.2.2 Hosting
This site is hosted by the service ‘Heroku’ of the hosting provider Salesforce.com, Inc. (The Landmark @ One Market, Suite 300, San Francisco, California 94105, USA). The privacy policy can be found here: https://www.salesforce.com/company/privacy. Salesforce.com, Inc. is certified under the Privacy Shield Agreement and is committed to European data protection standards. (https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active).
5. Integration of third-party services and contents
5.1 General
Third-party contents, such as YouTube or Vimeo videos, Google Maps map materials, RSS feeds or graphics from other websites may be integrated into this website based on our legitimate interests (i.e. our interest in analysing, optimising and commercially running our website under the terms of Art. 6, Para. 1, lit. f of the GDPR). This always requires the provider of such content (hereinafter referred to as the “third-party provider”) to record the user’s IP address. This is because they would generally be unable to send the content to the respective user’s browser without the IP address. The IP address is therefore required to show this content. We strive to only use content from such providers who only use the IP address to deliver content. However, we have no control over whether third-party providers save the IP address for statistical purposes, for example. We shall inform users to this effect as soon as we become aware of such practices.
5.2 Use of Typotheque’s web fonts
We integrate fonts (web fonts) from the provider Typotheque VOF (Zwaardstraat 16, 2584 TX The Hague, Netherlands). This is on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. When our website is accessed, your browser loads the required web fonts to your browser cache to display texts and font types correctly. This always requires Typotheque VOF to record your IP address, because the contents cannot be sent to your browser without the IP address. The IP address is therefore required to show this content. You can read details about Typotheque VOF’s data processing practices in the Typotheque VOF privacy policy: https://www.typotheque.com/ordering/privacy
5.4 Use of Vimeo
On the basis of our legitimate interests in the sense of Art. 6 para. 1 lit. f GDPR (our legitimate interest is to provide you with an attractive, user-friendly and technically functional website), we include videos from the ‘Vimeo’ platform, a service of Vimeo Inc. (Legal Department, 555 West 18th Street New York, New York 10011, USA [‘Vimeo’ for short]). When you view videos through Vimeo, a connection is established to the Vimeo servers in the USA. By accessing external Vimeo servers in the USA, Vimeo may log and store your IP address, among other things.
It is also possible that Vimeo may place cookies on your computer. If you do not wish cookies to be stored, you can prevent this by making the appropriate settings in your browser (see 3.1). However, we would like to point out that in this case you may not be able to use all functions of our website to their full extent.
For more information on the collection and use of your data by Vimeo, as well as your rights in this regard, please refer to the Vimeo privacy policy at https://vimeo.com/privacy. Vimeo Inc. is certified under the Privacy Shield Agreement and has thus committed to comply with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt00000008V77AAE&status=Active).
6. Social networks and platforms
We use a number of social networks and platforms to inform customers and interested parties who are active in the respective networks about our offers and to communicate with them. We use the social media networks / platforms exclusively within the scope of our presence on these sites.
The processing of personal data in the context of social media use also includes processing purposes for market research, advertising and the collection of statistical data. The social media providers can create usage profiles based on usage behaviour (tracking) and use these, among other things, to display interest-based advertising and provide the operator of a social media channel with statistical data on the usage of the services. To record user behaviour and to create and store user profiles, cookies are usually set by the social media service provider and stored on the user’s devices. If you have an account with a social media service and are registered/logged in to it, usage data may be collected and stored regardless of the device you use.
The processing of your personal user data and the data for statistical evaluation of use is based on our legitimate interests (in accordance with Art. 6 Para. 1 lit. f GDPR) in effective user information and communication.
Further information on the scope of the processing of personal data by social media providers, the processing purposes, the deletion periods, the legal basis of the processing as well as your rights and the possibility of adjusting specific settings (opting out), can be found in the data protection notices of the respective social media service providers listed below.
If you wish to obtain information about the processing of your personal data in connection with social media services or to assert your data rights in this context, we would like to point out that this is most effectively possible if you address your request directly to the respective service provider. If you wish to assert your request for information or other rights against us, we will be happy to forward your request to the service provider, as they have access to the relevant user data and can take measures in accordance with your user rights.
When using social media services, the processing of personal user data outside the European Union (EU) cannot be ruled out. The processing of personal data outside the EU involves fundamental risks with regard to the enforcement of the rights of the persons concerned and the maintenance of the general protection goals of data protection. The social media service providers we use regularly process personal data in the USA, i.e. outside the EU. If the US providers used are certified under the EU–US Privacy Shield, they have thus undertaken to comply with EU data protection standards.
Additional information on data protection (external links) of the social media services we use:
We use ‘Facebook’ and ‘Instagram’, provided by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Facebook, Inc., 1601 Willow Road, Menlo Park, California, 94025, USA):
- Agreement on joint responsibility with Facebook: https://www.facebook.com/legal/terms/page_controller_addendum
- Privacy policy: https://www.facebook.com/about/privacy/ and http://instagram.com/about/legal/privacy
- To opt out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
- Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
7. Duration of data use / retention
Your personal data is deleted provided that there are no legal retention requirements to the contrary and if you have asserted a claim for deletion, if the data is no longer required to fulfil the purpose pursued by storage, or if storage of the data is impermissible on other legal grounds.
8. Data security / secure data transmission
We would like to explain to you that security loopholes can occur during data transmission over the Internet (e.g. via email). We cannot, therefore, offer complete protection against access by third parties. We safeguard our IT systems (including the web pages / website) using what are known as technical and organisational measures (known as “TOMs” for short) to protect against unwanted access, admission, disclosure, entry, loss, dissemination, destruction and alteration by unauthorised individuals.
Your personal data is transmitted securely over the Internet using the Transport Layer Security protocol (128-bit TLS encryption).
9. Rights of the data subject / data protection officer
The contact for protecting your rights as a data subject is our external data protection officer (see below for contact details).
9.1 Right of access
Under the legal requirements set forth in Art. 15 of the GDPR, you can naturally and at any time request information as to whether we process personal data about you. If we do process personal data about you, you can request information about the circumstances and form of processing, and more detailed information about the processed data.
9.2 Right to correction
According to Art. 16 of the GDPR, you can request that incorrect information about you be corrected if you cannot make the change yourself.
9.3 Right to deletion
Under the legal requirements set forth in Art. 17 of the GDPR, you are entitled to request that we delete personal data concerning you without delay. To name but a few examples, the right to deletion does not exist if processing of the personal data is necessary for exercising the right to freedom of expression and information, for fulfilling a legal obligation to which we are subject (e.g. legal retention requirements), or for establishing, exercising or defending legal claims.
9.4 Right to restriction of processing
According to Art. 18 of the GDPR, you can request that processing of your personal data be restricted.
9.5 Right to data portability
Under the requirements set forth in Art. 20 of the GDPR, you are entitled to request that we provide you with the personal data concerning you which we process in a structured, common and machine-readable format.
9.6 Right to object
Under the requirements set forth in Art. 21 of the GDPR, you have the right to object to the processing of your personal data and request that we stop our processing activities. The right to object only exists to the extent stipulated by law. Legitimate interests necessitating further processing may be in conflict with your objection.
9.7 Right of revocation
According to Art. 7, Para. 3 of the GDPR, you can revoke the consent you granted with respect to processing of your personal data at any time and with effect for the future, without incurring any costs exceeding the transmission costs according to the basic tariffs.
9.8 Duty to notify
According to Art. 19 of the GDPR, we are obligated to inform all recipients to whom personal data was disclosed of corrections, deletions and restrictions on processing with regard to your personal data. Exceptions to this rule may exist in this regard if doing so is impossible or would involve a disproportionate effort. We shall provide you with information about these recipients upon request.
9.9 Automated individual decision-making, including profiling
We also guarantee your rights according to Art. 22 of the GDPR. You or your data do not, therefore, form the subject matter of decisions based on automated processing – including profiling – on our website.
9.10 Right to lodge complaints / supervisory authority
According to Art. 77 of the GDPR, you have the right to lodge complaints with a supervisory authority or a competent agency if you have grounds to do so, particularly if you suspect that processing of your personal data is not in accordance with the legal requirements and the stipulations set forth in this privacy policy.
9.11 Data protection officer
If you would like to assert your rights as a data subject, such as your right to delete or block data, please contact our data protection officer – preferably in writing – with sufficient identification:
Brands Consulting | Data Protection & Consulting
Mr Bernhard Brands
Auf dem Hahn 11
D-56412 Niedererbach (Westerwald)
Germany
Website: https://brands-consulting.eu
Email: Sahm@Brands-Consulting.eu
Alternatively, you are also more than welcome to contact the data protection officer using SAHM GmbH + Co. KG’s address:
Data protection officer – personal –
SAHM GmbH & Co. KG
Westerwaldstraße 13
56203 Höhr-Grenzhausen
10. External links and information on the website
We are not liable for external links and third-party sites made accessible in this way. We would further like to point out that the information on this website is provided for information purposes only and is not intended to have any legally binding effect.
11. Amendments to the privacy policy
To name but a few examples, technological advancement, legal requirements or even modified processes can have an impact on this privacy policy. We therefore reserve the right to amend this privacy policy at any time with effect for the future. You will find the current version of the privacy policy on this website. Please visit the Home page regularly to find out about the applicable provisions.
Last updated: 26.02.2020