This privacy statement is designed to provide users of this website with information, in accordance with the German Federal Data Protection Act and German Telemedia Act, on the type, scope and purpose of the practices implemented by AQORA GmbH, Wassergasse 7, D-91301 Forchheim, (hereinafter known as website operator) to collect and use personal data.
The website operator takes your privacy very seriously, and handles your personal data confidentially and in accordance with the legal regulations.
As the party responsible for processing, the website operator has taken a number of technical and organisational measures to ensure the maximum possible protection of the personal data processed through this website. Internet-based data transfers can, however, have security loopholes, meaning total protection cannot be guaranteed. For this reason, every affected person is also free to send personal data to us via alternative means, such as by telephone.
Name and address of the party responsible for processing
The party responsible as defined by the General Data Protection Regulation, other privacy laws applicable in the European Union member states, and other privacy regulations is:
Tel.: +49 (0)9191 7167670
Fax: +49 (0)9191 7167699
There is only one (the aforementioned) responsible party as defined by Article 26 GDPR.
Data protection officer
bensom GmbH, Ettore-Bugatti-Str.41, 51149 Cologne
Telephone 02203 9804218
Got advice or a complaint regarding privacy at our company? Then please email us at firstname.lastname@example.org or our data protection officer at email@example.com.
II. General information on data processing
1. Scope of personal-data processing
We generally only process our users’ personal data insofar as this is required to provide a functional website and our content and services. Our users’ personal data is frequently only processed with the user’s consent. One exception is cases in which it is not possible to obtain prior consent for practical reasons, and the processing of data is permitted by law.
No data is collected by third parties. As such, all data is requested/collected by us ourselves.
2. Handling personal data
When you visit our website, we only collect your personal data (such as name, telephone number, email address) if this is necessary to use certain services or handle your requests and orders.
The only third parties this data is shared with are external service providers hired by us, and this is only to process your requests and run the website. These parties are contractually obliged to uphold privacy laws.
We will not, however, sell your personal data to third parties, or otherwise market it to third parties for commercial or non-commercial purposes.
AQORA expressly wishes to advise that transmitting data on the Internet (e.g. when communicating by email) can involve security loopholes, and that it is impossible to protect against access by third parties.
You can also use our website without entering personal details. Please note, however, that this may then mean certain services, e.g. the processing of your requests and orders, become unavailable.
If you have any questions about the way in which we process your personal data (e.g. name, email address), you are welcome to contact AQORA any time at firstname.lastname@example.org.
Upon request, we will also be glad to tell you which of your personal data has been collected, and how this has been processed. To do this, we need a written request signed personally by you. If you have any questions beforehand, you are welcome to send your enquiry to email@example.com. You may also revoke your consent to the use of your collected personal data at any time. This will take effect for the future, but cannot be applied retrospectively. Please advise us of your revocation by firstname.lastname@example.org.
3. Legal basis for processing personal data
Insofar as we obtain consent from the affected person to process personal data, Art. 6 Para. 1 a of the EU General Data Protection Regulation (GDPR) shall serve as the legal basis.
In cases of personal-data processing required to fulfil a contract whose parties include the affected person, Art. 6 Para. 1 b GDPR shall serve as the legal basis. This also applies to processing required for pre-contractual measures.
Insofar as the processing of personal data is necessary in order to fulfil a legal obligation to which our company is bound, Art. 6 Para. 1 c GDPR shall serve as the legal basis.
In the event that vital interests of the affected person or another natural person render it necessary to process personal data, Art. 6 Para. 1 d GDPR shall serve as the legal basis.
If the processing is required in order to protect our company’s or a third party’s justified interest, and the affected party’s interests, basic rights and basic freedoms do not outweigh the aforementioned interest, Art. 6 Para. 1 f GDPR shall serve as the legal basis for the processing.
A justified interest of the party responsible for processing is specifically considered as being the right to advertising here (see recital 47 GDPR).
4. Data deletion and storage duration
The affected person’s personal data is deleted or locked as soon as there is no further need for it to be stored. It may also be stored if this has been stipulated by European or national legislators in EU regulations, laws or other directives governing the party responsible for processing. Data is also locked or deleted if a storage deadline stipulated by the aforementioned regulations elapses, unless it needs to keep being stored in order for a contract to be concluded or fulfilled.
5. SSL encryption
In order to provide the best possible protection for the data you send, the website operator uses SSL encryption. You will be able to recognise connections encrypted in this way from the “https://” prefix in the URL in your browser’s address bar. Unencrypted sites are denoted by “http://”.
Thanks to the SSL encryption, no data you send to this website – e.g. as part of requests or logins – can be read by third parties.
III. Providing the website and creating log files
1. Description and scope of data processing
Every time our website is retrieved, our system automatically records data and information from the retrieving computer’s system.
The following data is collected here:
The website operator/site provider collects data relating to site hits, and saves this as “server log files”. The following data is logged in this way:
· Website visited
· Time of access
· Quantity of data sent in bytes
· Source/Link from which the user accessed the site
· Browser used
· Operating system used
· IP address used (anonymised)
The collected data is only used for statistical analyses and to improve the website. However, the website operator reserves the right to subsequently review the server log files if there is concrete evidence of illegal use.
The server log files only contain encrypted IP addresses; they do not contain any other data which can be linked to a user.
The data is also stored in our system’s log files. This does not affect the user’s IP addresses or other data enabling the data to be linked to a user. This data is not stored with any of the user’s other personal data.
2. Legal basis for data processing
The legal basis for temporarily storing data is Art. 6 Para. 1 f GDPR.
3. Purpose of data processing
The encrypted IP address needs to be temporarily stored by the system to enable the website to be delivered to the user’s computer. This requires the user’s encrypted IP address to remain stored for the duration of the session.
These purposes also tie in with our justified interest in processing data under Art. 6 Para. 1 f GDPR.
4. Duration of storage
The data is deleted as soon as it is no longer necessary to fulfil the purpose of its collection, or within no more than 14 days of collection. In the event the data is recorded for the purpose of providing the website, this is the case when the respective session has ended.
5. Ability to disallow and remove
The recording of data to provide the website, and the storage of data in log files, is imperative for operating the website. As such, there is no option for the user to disallow this.
IV. Contact form and email contact
1. Description and scope of data processing
Our website contains a contact form which may be used to contact us electronically. If a user chooses this option, the data entered into the mask is sent to and stored by us. This data is as follows:
· Company name
· Phone number
· Email address
The following data is also stored at the time the message is sent:
(1) The user’s encrypted IP address
(2) The date of registration
Alternatively, you may contact us via the email address provided. In this case, the user’s personal data sent with the email is stored.
The data is not shared with third parties in this context. The data is only used to process the conversation.
2. Legal basis for data processing
The legal basis for processing data is Art. 6 Para. 1 a GDPR, insofar as the user has consented to this.
The legal basis for processing the data transmitted when sending an email is Art. 6 Para. 1 f GDPR. If the purpose of the email contact is to conclude a contract, the additional legal basis for the processing is Art. 6 Para. 1 b GDPR.
3. Purpose of data processing
The processing of personal data from the input mask serves purely to address the contact enquiry. If the contact is made by email, this also involves the required, justified interest in processing data.
The other personal data processed during sending serves to prevent abuse of the contact form, and to secure our IT systems.
4. Duration of storage
The data is deleted as soon as it is not longer required for the purpose of its collection. This is the case for the personal data from the contact form mask, and data sent by email, if the respective conversation with the user has ended. The conversation is deemed ended if the circumstances indicate that the relevant matter has been definitively settled.
The additional personal data collected during sending is deleted within no more than seven days.
5. Ability to disallow and remove
The user can revoke their consent to the processing of personal data at any time. If the user contacts us by email, they may disallow the storage of their personal data at any time. The conversation cannot be continued in this case.
Please advise us of your revocation by emailing email@example.com. In this case, all personal data stored during the contact process is deleted.
6. Share buttons
Our website acwa-service.de uses the privacy-secure “Shariff” button for the “social share buttons”. When you visit our website, it does not connect to the servers of social networks such as Facebook, Google+, Twitter, XING or LinkedIn. Only by clicking the icon of a “share button” are you redirected to the provider’s service, and your data sent to the selected social network. If you do not click a “share button”, no data is exchanged between you and the aforementioned social networks. On our website, we offer privacy-secured “social share buttons” for the following services: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. “Tweet” button from Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. “+1” button from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. “Recommended” button from LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. “Share” button from XING AG, Gänsemarkt 43, 20354 Hamburg, Germany.
V. Rights of the affected person
The following list covers all of the affected person’s rights under the GDPR. Rights with no relevance to our website do not need to be cited, meaning the list can be shortened.
If your personal data is processed, you are an affected party as defined by the GDPR, and you are entitled to assert the following rights against the party responsible:
1. Right to information
You can ask the party responsible to provide confirmation as to whether or not personal data relating to you is processed by us.
If it is, you can ask the party responsible to provide the following information as per Article 15 GDPR:
· The purposes for which the personal data is processed;
· The categories of personal data processed;
· The recipients/categories of recipients to whom your personal data has been or is still being disclosed;
· The planned storage duration of your personal data or, if it is not possible to provide concrete information here, criteria for establishing the storage duration;
· The existence of a right to correct or delete your personal data, a right to limit the processing of data by the party responsible, or a right to object to this processing;
· The existence of the right to complain to a supervisory authority;
· All available information about the data’s origin – if the personal data is not collected from the affected person;
· The existence of an automated decision-making process as per Art. 22 Para. 1 and 4 GDPR and – at least in these cases – detailed information about the logic involved, and the consequences and desired impacts of such processing for the affected person.
You are entitled to ask for information on whether your personal data is sent to a third country or an international organisation. In this context, you can ask to be informed about the appropriate guarantees in place as per Art. 46 GDPR in relation to the transmission.
2. Right to correction
In accordance with Article 16 GDPR, you are entitled to have the party responsible correct and/or complete your personal data, insofar as said data is incorrect or incomplete. The party responsible must perform the correction immediately.
3. Right to restrict processing
In accordance with Art. 18 GDPR, you can ask for the processing of your personal data to be restricted under the following conditions:
· If you dispute the accuracy of your personal data for a duration enabling the party responsible to review the data’s accuracy;
· The processing is unlawful and you refuse to have your personal data deleted, instead asking for its use to be restricted;
· The party responsible no longer needs the personal data for processing, but you need it to assert, exercise or defend legal claims, or
· If you have lodged an objection to the processing under Art. 21 Para. 1 GDPR, and it is not yet clear whether the responsible party’s justified arguments outweigh your arguments.
If the processing of your personal data has been restricted, this data – apart from the storage thereof – may only be processed with your consent, to assert, exercise or defend legal claims, to protect the rights of another natural person or legal entity, or based on an important public interest of the European Union or a member state.
If the processing restriction has been enforced under the aforementioned conditions, you will be informed by the party responsible before the restriction is lifted.
4. Right to deletion
a) Deletion obligation
In accordance with Article 17 GDPR, you may ask the party responsible for your personal data to be immediately deleted, and the party responsible is obliged to comply with this if one of the following arguments applies:
· Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
· You revoke your consent serving as the basis for the processing as per Art. 6 Para. 1 a or Art. 9 Para. 2 a GDPR, and there is no other applicable legal basis for the processing.
· You lodge an objection to the processing as per Art. 21 Para. 1 GDPR, and there are no overriding, justified arguments for the processing, or you lodge an objection to the processing as per Art. 21 Para. 2 GDPR.
· Your personal data has been processed unlawfully.
· Your personal data must be deleted in order to comply with a legal obligation under EU law or the law of the member states governing the party responsible.
· Your personal data has been collected in relation to services offered by the information society as per Art. 8 Para. 1 GDPR.
b) Informing third parties
If the party responsible has publicly disclosed your personal data, and is obliged to delete it under Art. 17 Para. 1 GDPR, it will implement (technical) measures, taking into account the technology available and implementation costs, to inform parties responsible for processing personal data that you, as the affected person, have asked them to delete all links to this personal data or copies or replicas of this personal data.
The right to deletion does not apply if the processing is necessary
· In order to exercise the right to freedom of expression and information;
· In order to fulfil a legal obligation requiring processing under the law of the European Union or the member states governing the party responsible, or to complete a task assigned to the party responsible, which involves serving the public’s interest or exercising public authority;
· For reasons for public interest in the area of public health as per Art. 9 Para. 2 h and I, and Art. 9 Para. 3 GDPR;
· For archiving purposes in the public’s interest, scientific or historical research purposes, or statistical purposes as per Art. 89 Para. 1 GDPR, insofar as the law stated under section a) is not likely to make it impossible or significantly difficult to achieve the goals of this processing, or
· In order to assert, exercise or defend legal claims.
5. Right to notification
If you have asserted your right to correct, delete or restrict processing against the party responsible, this party is obliged to advise this correction or deletion of data, or restriction of processing, to all recipients to whom your personal data has been disclosed, unless this proves to be impossible or involves unreasonable expense.
You are entitled to have the party responsible inform you of these recipients.
6. Right to data transmissibility
In accordance with Article 20 GDPR, you are entitled to receive your personal data, which you have provided to the party responsible, in a structured, conventional, machine-readable format. You are also entitled to send this data to another party responsible, without challenge from the original responsible party who received the personal data, if
· The processing is based on a consent as per Art. 6 Para. 1 a GDPR or Art. 9 Para. 2 a GDPR, or on a contract as per Art. 6 Para. 1 b GDPR, and
· The processing is performed using automated methods.
When exercising this right, you are also entitled to have your personal data sent directly from one responsible party to another, insofar as this is technically feasible. This must not affect the freedoms or rights of other persons.
The right to data transmissibility does not apply to the processing of personal data required to complete a task assigned to the responsible party and which serves public interest or exercises public authority.
7. Right to objection
You are entitled to object to your data being processed under Art. 6 Para. 1 e or f GDPR at any time, for reasons based on your particular situation. The party responsible will no longer process your personal data, unless it can prove mandatory, defence-worthy arguments for processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If your personal data is processed for the purpose of direct advertising, you are entitled to object to the processing of your personal data for advertising, insofar as this involves said direct advertising.
If you object to the processing for direct-advertising purposes, your personal data will no longer be processed for these purposes.
In the context of using services of the information society – irrespective of Directive 2002/58/EC –, you can exercise your right to objection via automated processes in which technical specifications are used.
8. Right to revoke privacy consents
In accordance with Article 7 (3) GDPR, you are entitled to revoke your privacy consents at any time. Doing so will not affect the legitimacy of the processing performed based on the consent prior to the revocation.
9. Automated decisions in individual cases, including profiling
Profiling, analyses of personal aspects, predictions, or automated individual decisions as defined by Art. 4 No. 4 GDPR are not performed.
10. Right to complain to a supervisory authority
Irrespective of other administrative or judicial legal remedies, you are entitled, under Article 77 GDPR, to complain to a supervisory authority, particularly in the member state serving as your primary place of residence or work, or the place of alleged breach, if you believe the processing of your personal data breaches the GDPR.
Find the contact details at www.lda.bayern.de/de/index.html. You are welcome to get in touch with us first before contacting the supervisory authority; our data protection officer will attend to your matter promptly and in detail. If we cannot assist you further, you can then still contact the supervisory authority.
The supervisory authority with which the complaint is lodged will inform the complainant of the progress and results of the complaint, including the possibility of judicial remedies as per Art. 78 GDPR.
Version: 25 May 2018