DATA PROTECTION

CONTENTS

1 General information
2 Scope of application
3 Contact details of the controller
4 Contact details of the data protection officer
5 International data protection laws
6 Definitions
6.1 Personal data
7 Storage period
8 Rights of the data subject
8.1 Right of access pursuant to Art. 15 GDPR
9 Legal bases of the processing
9.1 Consent
10 Data processing by this website
10.1 Collection of general data and information
10.2 External hosting
10.3 Contact, contact options
10.4 Social media
10.5 Application procedure
11 Minors
12 Copyright to the privacy policy

1 GENERAL INFORMATION

This privacy policy was last updated on 3 November 2023 and informs you about the type, scope, legal basis and purpose of the processing of your personal data by us.

On the one hand, this information relates to the processing of personal data on or through our website. On the other hand, you will receive information about the processing of your personal data in other internal and external processes of our company. If necessary, you will receive additional information on further processing in an appropriate manner. For example, if we use your personal data to register your visit to us on site, you will also be informed on site.

We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with the statutory national and European regulations as well as the requirements and recommendations of the state data protection authority responsible for us, the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia Website, Kavalleriestraße 2-4 in 40213 Düsseldorf. We reserve the right to also implement the published recommendations of other data protection authorities if, in our opinion, this can better ensure the protection of your personal data. The same applies to publications in literature and case law.

Please note that the absolute security of your data can never be guaranteed 100 per cent. There is always a risk that unauthorised persons may illegally access your data or use it to contact us. There is also the possibility of data loss, whether by employees, former employees or service providers, whether through carelessness or intent. We also cannot rule out the possibility that a provider or an affiliated company may share your data with other companies or have it processed by other companies without our knowledge. Likewise, we cannot rule out the possibility that data processing by providers may take place in whole or in part in a third country without our consent, where an adequate level of data protection may not be guaranteed. Please therefore also take the time to read our information on data processing in third countries in this privacy policy. Our aim is to raise your awareness of your responsibility when handling your personal data and the data of others. If you notice any signs of possible misuse of your data, we urge you to inform us immediately. The protection of your data is of the utmost importance to us and we will do everything in our power to ensure its security.

For the sole purpose of better readability, gender-specific spelling has been omitted. All personal designations in this "Information on data protection" (e.g. customer, controller, data subject, data protection officer) are therefore to be understood as gender-neutral.

2 SCOPE OF APPLICATION

With this data protection information (also "data protection declaration", "data protection information") we inform you in accordance with Art. 12 ff. GDPR about which of your personal data we process (definition of the terms "personal data", "processing": see below) in order to display this website and to be able to use the functions of the website.

We also inform you about the other processes associated with the presentation of the website or the functions used (hosting, newsletter, etc.). If and insofar as we process personal data in other processes (telephone system, guest WLAN, video surveillance, etc.), you will receive further information in a timely and comprehensive manner. This information may also be provided on this website; we will therefore also inform you about the way in which we provide the information in the further processes.

This data protection information also applies to our other online presences (e.g. websites, landing pages, shops, social media presences) as well as to other processes, insofar as we expressly refer to this data protection information.

3 CONTACT DETAILS OF THE CONTROLLER

The controller for the processing of data on this website within the meaning of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is

Loddenkemper Raumsysteme GmbH & Co KG
Am Landhagen 85
D-59302 Oelde

You can contact us at any time if you have questions about this data protection notice or wish to assert rights.

4 CONTACT DETAILS OF THE DATA PROTECTION OFFICER

You - and any other data subject - can contact our data protection officer directly, verbally or in writing at any time with any questions or suggestions regarding data protection

Michael Ochsenfeld, Bahnhofsallee 9, Hildesheim, telephone: 05121102210, e-mail: michael.ochsenfeld(at)ochsenfeld.com

contact.

5 INTERNATIONAL DATA PROTECTION LAWS

In addition to the GDPR, the BDSG and other national laws, we also take other international regulations into account:

Swiss Federal Act on Data Protection (FADP), implementing provisions of the Data Protection Ordinance (DPO), recommendations of the Federal Data Protection and Information Commissioner (FDPIC), as amended (Switzerland).

If the provisions of the individual laws and ordinances overlap or if a legal regulation guarantees more extensive or better protection, we give preference to the regulation which, in our opinion, guarantees better protection of personal data, unless the application of a regulation is mandatory and/or an alternative use is not possible.

6 DEFINITIONS OF TERMS

In this Privacy Policy ("Privacy Policy"), we use, among other things, the terms defined in the European General Data Protection Regulation (GDPR), OJ L 119 of 4 May 2016, p. 1-88 (in the version applicable at the time this Privacy Policy was prepared) and the German Federal Data Protection Act (BDSG) in the version of 30 June 2017; (BGBl. I p. 2097), last amended by Art. 12 G of 20 November 2019; (BGBl. I p. 1626, 1633).

Insofar as additional terms are used in this privacy policy that are derived from other laws or serve the understanding of this privacy policy, we have explained them in the following text.

6.1 PERSONAL DATA

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (cf. Art. 4 No. 1 GDPR).

Personal data includes, for example, the name, address, account or telephone number, but also the IP address or ID number.

6.2 DATA SUBJECT

A data subject is any identified or identifiable natural person whose personal data is processed by the controller (cf. Art. 4 No. 1 GDPR).

A data subject is, for example, the user of the website or the customer, client, patient, etc. of a company.

6.3 PROCESSING

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (cf. Art. 4 No. 2 GDPR).

Processing therefore occurs when we collect, disclose, store or erase personal data.

6.4 DELETION

In data protection law, a distinction is made between "erasure" and "destruction" of personal data (cf. e.g. Art. 4 No. 2 at the end ".... erasure or destruction").

The erasure of data refers to the removal of data from an electronic system or database. Deleted data can usually be recovered as long as no special measures have been taken to permanently overwrite or destroy it. In many cases, deletion means that the data is first moved to the recycle bin or the "Deleted Items" folder, from where it can later be permanently deleted. Deleted data can be restored - albeit with considerable effort - but it is not easily accessible or usable after deletion.

6.5 ERASURE

In data protection law, a distinction is made between "erasure" and "destruction" of personal data (cf. e.g. Art. 4 No. 2 at the end ".... erasure or destruction").

The destruction of data is a physical process in which data is destroyed in such a way that it cannot be recovered. This can be done, for example, by shredding paper documents or overwriting electronic data carriers with special software. The destruction of data ensures that no traces of the information remain and that it can no longer be reconstructed.

6.6 END USER

An end user is any natural or legal person who utilises a public telecommunications service (e.g. Internet access services) without providing a public telecommunications network or a publicly accessible telecommunications service.

6.7 RESTRICTION OF PROCESSING

Restriction of processing is the marking of stored personal data with the aim of restricting its future processing (cf. Art. 4 No. 3 GDPR).

For example, if you contact us and inform us that your data is incorrect, we will restrict the processing of your data in order to check the accuracy of the data (cf. Art. 18 para. 1 lit. b GDPR)

6.8 PROFILING

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (cf. Art. 4 no. 4 GDPR).

Profiling would be, for example, the assessment of your economic situation based on your purchasing behaviour.

6.9 PSEUDONYMISATION

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (cf. Art. 4 No. 5 GDPR).

Pseudonymisation is given, for example, if the personal data is replaced by a customer number, for example. Without knowing which customer number has been assigned to which customer, it is not possible to assign the data to a specific person (customer).

6.10 ANONYMISATION

Anonymisation is the complete and irreversible removal of the personal reference of the data.

If, for example, all customer contact data is overwritten with random numbers and there is no record of which number was assigned to which customer, the data can no longer be assigned to a person.

Anonymised data is not subject to the rules of the GDPR and the BDSG due to the lack of personal reference (cf. Recital 26 GDPR).

6.11 "CONTROLLER" OR "CONTROLLER RESPONSIBLE FOR THE PROCESSING"

The controller or data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (cf. Art. 4 No. 7 GDPR).

The controller for the processing of data when using this website is the provider of this website (see contact details of the controller).

6.12 PROCESSOR

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (cf. Art. 4 No. 8 GDPR).

For example, we use a so-called hoster as a processor, i.e. a company that stores our website on its own servers. If, for example, you enter your personal data (e.g. name, email address, etc.) via a contact form, this data is stored on the hoster's server. The hoster only processes the data in the way that we have contractually agreed with it. It therefore processes the data "on our behalf" and is therefore a "processor".

6.13 RECIPIENT

Recipient is a natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients (cf. Art. 4 No. 9 GDPR).

Recipients of this privacy policy are, for example, you.

6.14 THIRD PARTY

Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

A third party is, for example, an authority that accesses data on the basis of a legal authorisation (cf. Art. 4 No. 10 GDPR).

6.15 CONSENT

Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (cf. Art. 4 No. 11, Art. 7 GDPR).

For example, you give us your consent when you place your order - you then consent to us processing the data you have provided so that we can fulfil your order.

6.16 CONTENT DELIVERY NETWORK (CDN)

A content delivery network (CDN) is a network of servers that are connected via the Internet and send data to end devices. A CDN can consist of several thousand regionally distributed servers that deliver data as quickly as possible according to certain rules. The main advantage of a CDN is that not only the server on which our website is stored (hosted), for example, delivers the required data (e.g. text or images), but many servers at the same time. This means that our website can be displayed to you much faster.

For the CDN to work, it requires data such as browser type, IP address, screen resolution, etc.

If you do not want to use the CDN, you can install a JavaScript blocker (e.g. Sybu https://sybu.co.za or NoScript https://noscript.net) on the end device you are using. Delivery of the website may then be slower.

6.17 TERMINAL EQUIPMENT

By the term "terminal equipment" we mean any equipment connected directly or indirectly to the interface of the telecommunications network you are using to send, process or receive messages or data, regardless of the type of connection (wire, electromagnetic, etc.).

6.18 MOBILE TERMINALS

The term "mobile devices" refers to all Internet-enabled devices that are not stationary but mobile, i.e. movable. These can be smartphones, tablets, etc., for example.

6.19 WEBSITE

By "website" (also: web presence, internet presence, web presence, etc.) we mean the presence of a provider that can be reached under an individual web address. A website can be displayed with browsers. It is comparable to a "house" at a specific address (domain) and usually has several web pages (i.e. "rooms"). In addition to the web application (homepage), other services such as e-mail, storage space, etc. can be used.

6.20 IP ADDRESS

The IP address is the unique address (e.g. 216.58.190.0) of the computer or end device you are using, similar to a postal address. According to a decision of the European Court of Justice (judgement of 19 October 2016, ref.: C-582/14), IP addresses are personal data (see also recital 30 GDPR). It follows that the GDPR and the BDSG also apply to IP addresses.

The IP address is used to deliver data to your computer. You can find out the IP address of your computer in the network using the "ipconfig" command or you can also research it online (e.g. at https://www.heise.de/netze/tools/meine-ip-adresse/) Your IP address will be transmitted to the provider.

6.21 JAVA, JAVASCRIPT

Java is a platform-independent programming language developed in 1995 by the US company Sun Microsystems Inc, Santa Clara, USA (now part of Oracle Corporation, Austin, USA), whose language specification is constantly being further developed. Today, Java is not only used by web browsers, but also in cars, hi-fi systems and other electronic devices.

JavaScript (JS for short) is a scripting language that was developed in 1995 by Brendan Eich for dynamic HTML in web browsers. JS extends the possibilities of HTML. JavaScript was developed independently of Java and differs in many ways.

6.22 COOKIES

Cookies are small data packets in the form of text files that are used to temporarily store certain information on your end device. This makes it possible, for example, to recognise your computer when you visit our website again or to save content in forms or your shopping basket. Tracking services use cookies to store collected information.

There are two types of cookies: Transient cookies are automatically deleted when you close your web browser. These include session cookies, which store a session ID to allocate requests in your current session. This makes it possible to recognise your end device when you visit our website again. Session cookies are deleted when you log out or close the browser. Persistent cookies, on the other hand, are deleted after a specified period of time, the duration of which varies depending on the cookie.

Technically necessary cookies are essential in order to display the website correctly. These include, for example, shopping basket cookies, login cookies and language selection cookies.

If you do not want cookies to be stored, you can deactivate the corresponding settings in your web browser. You can delete existing cookies in the browser settings. Detailed instructions can be found in the help sections of your browser under the following links:

- Edge: [Link]

- Firefox: [Link]

- Chrome: [Link]

- Safari: [Link]

- Opera: [Link ]

In addition, you can prevent the collection and forwarding of personal data by deactivating ("blocking") JavaScript in your browser. It is also possible to install script blockers that prevent the execution of certain code. Script blockers can be found under the following links:

- addons.mozilla.org/de/firefox/addon/noscript/

- noscript.net

- www.ghostery.com

- chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf

Further information on cookies and their use can be found at the Bundesverband Digitale Wirtschaft (BVDW) e. V. at [www.bvdw.org](www.bvdw.org). Additional information is available on the BVDW e. V. website [https://meine-cookies.org/ ].

We use a separate tool - a so-called cookie consent tool - to obtain and document any consent you may need for the processing of cookies.

6.23 COOKIE CONSENT TOOL

Cookie consent tools ("consent") manage the consent you have given for the use of certain technically unnecessary tools.

Before using tools that require cookies, you will be informed about the cookies you want in a pop-up window. You can then decide whether and with which cookies you agree or not.

Your decision will then be saved for a period of up to twelve months. Personal data, such as your IP address - as well as a pseudonymous user ID, the time of consent and the selection, etc.) are used. This data is stored either in a cookie on your end device or on the server we use.

You can adjust or revoke your consent at any time.

The use of the cookie consent tool is based on our legitimate interest in operating the website in an efficient and legally compliant manner. Without its use, it is not possible for us to request the necessary consent and document the user's decision. We require the documentation in accordance with Art. 5 para. 2 GDPR in order to be able to prove that we operate the website in accordance with the applicable law. Further information can be found in the explanations of the cookie consent tool used.

6.24 WEB BEACONS

Web beacons are not graphics in HTML emails or on websites. The image is usually only 1 × 1 pixel in size, often transparent or designed in the same colour as the background and therefore invisible or barely visible.

When the document is loaded, the web beacon is loaded from a server and the download is registered there. This can then be used to determine whether the document has been loaded, e.g. whether the e-mail has been opened.

You can prevent the use of web beacons if, for example, you open the email offline, do not open the email as an HTML email or block external graphics with your email programme.

You can also use tools that recognise and block web beacons, e.g.

- Privoxy - https://www.privoxy.org/

- Proxomitron - https://www.proxomitron.info/

Further information can be found in the explanations of the "web beacons" used.

6.25 THIRD COUNTRIES, TRANSFER OF DATA TO THIRD COUNTRIES

The term "third countries" or "third countries" refers to countries that do not belong to the European Union (i.e. Belgium, Bulgaria, Romania, Czech Republic, Denmark, Germany, Estonia, Greece, Spain, France, Ireland, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta, Netherlands, Austria, Poland, Portugal, Slovenia, Slovakia, Finland and Sweden, as of 3 November 2023) or the European Economic Area (member states of the EU as well as Iceland, Liechtenstein and Norway, as of 3 November 2023).

In addition to the United States of America (USA), India, China, Russia, Brazil, South Africa and Australia, there are around 160 other countries (as at 3 November 2023) that are potential third countries.

Data transfers to third countries are lawful under the strict legal requirements (cf. Art. 44 et seq. GDPR) if, among other things

- either the European Commission has determined in accordance with Art. 45 para. 3 GDPR that an adequate level of data protection exists in the third country. Such so-called adequacy decisions exist for Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and the United Kingdom (as of 3.11.2023). An overview of the adequacy decisions adopted is provided by the European Commission.

- or if the data recipient provides appropriate safeguards to protect the personal data and the data subjects have enforceable and effective legal remedies (Art. 46 para. 1 GDPR).

Pursuant to Art. 46 para. 2 GDPR, such appropriate safeguards include the use of the Commission's standard data protection clauses (Art. 46 para. 2 lit. c, Art. 93 para. 2 GDPR). These standard data protection clauses or standard contractual clauses (SCCs) are templates provided by the EU Commission. You can find these clauses here: https://eur-lex.europa.eu/eli/dec\_impl/2021/914/oj?locale=en. The clauses used ensure that personal data is also processed in the third country concerned at a level of data protection that corresponds to the European level.

The "Trans Atlantic Data Privacy Framework" (TADPF) has applied to data transfers to the USA since 10 July 2023. The TADPF introduces new binding guarantees for US recipients of data. These include the restriction of access to data of EU citizens by US intelligence services and the establishment of the Data Protection Review Court (DPRC), a supervisory authority that is also accessible to non-US citizens. The DPRC can also order the deletion of data in the event of violations. The TADPF is regularly reviewed by the European Commission together with representatives of the European data protection authorities and the relevant US authorities. The first review is scheduled to take place within one year of the TADPF coming into force.

The TADPF has the effect of an adequacy decision pursuant to Art. 45 para. 1 GDPR and applies with immediate effect to US companies participating in the TADPF. Additional legitimisation instruments such as standard contractual clauses (SCCs) are therefore no longer required for data exports to US recipients, as the USA is once again considered a safe third country. However, US companies must carry out self-certification and undertake to comply with certain data protection obligations in order to benefit from the effects of the TADPF. The current status can be viewed from 17/07/2023 at https://www.dataprivacyframework.gov/s/ can be viewed.

Data transfer is also permitted if the data subject has consented to the transfer in accordance with Art. 49 para. 1 lit. a GDPR or if the transfer is necessary for the conclusion or fulfilment of a contract concluded by the controller with another natural or legal person in the interest of the data subject (Art. 49 para. 1 lit. c GDPR) or if another exception to Art. 49 GDPR applies.

If we work with providers that are either based in a third country or process data in a third country (e.g. in the USA), we ensure compliance with the legal requirements and check this regularly. We also only work with providers who have concluded the necessary contracts with us.

Should we need or wish to deviate from this in exceptional cases, we will inform you accordingly and seek your consent.

6.26 ADVERTISING

Advertising is a form of communication in which companies or organisations disseminate messages or information about their products, services or brands to potential customers or target groups via various media channels (banner ads on websites, social media ads, video ads, etc.). The main aim of advertising is to raise awareness of a product or service, arouse interest among potential customers and ultimately promote the sale or use of the advertised offer.

7 STORAGE PERIOD

In principle, we only store personal data for as long as is necessary for the processing of the data ("storage period"). Once this period has expired, the data is generally deleted automatically.

The necessity of storage also depends on retention periods prescribed by law or ordered by authorities. These can be, for example, tax regulations or regulations under commercial law. Retention periods may also result from contractual regulations (e.g. information on the contractual partner). The data will therefore only be deleted in compliance with the statutory, official and, if applicable, judicial requirements for the storage or deletion of personal data.

Sometimes it may be necessary for a contract to be concluded for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with them. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.

8 RIGHTS OF THE DATA SUBJECT

The applicable data protection law grants you comprehensive data subject rights vis-à-vis the controller with regard to the processing of your personal data (rights of access and intervention, etc.), about which we inform you below:

8.1 RIGHT TO INFORMATION PURSUANT TO ART. 15 GDPR

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you is being processed by the controller ("right to confirmation"). Furthermore, you have a right to information about

- the purposes of the processing;

- the categories of personal data being processed

- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations

- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period

- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing

- the existence of the right to lodge a complaint with a supervisory authority

- if the personal data are not collected from the data subject: All available information about the origin of the data;

- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Furthermore, you have a right to information as to whether personal data has been transferred to a third country or to an international organisation. If this is the case, you also have the right to obtain information about the appropriate safeguards in the context of the transfer.

If you would like to exercise this right to information, you can contact us or our data protection officer at any time.

8.2 RIGHT TO RECTIFICATION PURSUANT TO ART. 16 GDPR

You have a right to immediate correction of incorrect data concerning you and/or completion of your incomplete data stored by us; the correction or completion must take place immediately.

8.3 RIGHT TO ERASURE PURSUANT TO ART. 17 GDPR

You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies and insofar as the processing is not necessary

- The personal data have been collected or otherwise processed for such purposes for which they are no longer necessary.

- The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.

- The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.

- The personal data have been processed unlawfully.

- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by us, he or she may contact us at any time.

If the personal data has been made public and our company is obliged to delete the personal data in accordance with Art. 17 para. 1 GDPR, we shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data controllers who process the published personal data, that the data subject has requested the deletion of all links to this personal data or of copies or replications of this personal data from these other data controllers, insofar as the processing is not necessary.

8.4 RIGHT TO RESTRICTION OF PROCESSING PURSUANT TO ART. 18 GDPR

You have the right to request the restriction of the processing of your personal data as long as the accuracy of your data, which you dispute, is being verified, if you refuse to delete your data due to unauthorised data processing and instead request the restriction of the processing of your data, if you need your data for the assertion, exercise or defence of legal claims after we no longer need this data after the purpose has been achieved or if you have lodged an objection for reasons of your particular situation, as long as it is not yet clear whether our legitimate reasons prevail;

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If the restriction of processing has been restricted, you will be informed by the controller before the restriction is lifted.

Right to information pursuant to Art. 19 GDPR

If you have exercised your right to rectification, erasure or restriction of processing, the controller is obliged to notify all recipients to whom your personal data has been disclosed of this rectification or erasure of the data or restriction of processing, unless this is impossible or involves a disproportionate effort. You also have the right to be informed about these recipients.

8.5 RIGHT TO DATA PORTABILITY PURSUANT TO ART. 20 GDPR

You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller, insofar as this is technically feasible.

8.6 RIGHT TO CANCELLATION PURSUANT TO ART. 7 ABS. 3 GDPR

You have the right to object at any time to the processing of personal data concerning you which is carried out on the basis of Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.

You also have the right to revoke your declaration of consent under data protection law at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If we process personal data for the purpose of direct marketing, you have the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to profiling insofar as it is associated with such direct advertising. If you object to direct marketing, we will no longer process your personal data for these purposes. However, we reserve the right to store your data in a so-called blacklist so that we can ensure that you are not the recipient of advertising from us in the future. The maintenance of a blacklist and thus the processing of your personal data is based on our legitimate interests (Art. 6 para. 1 lit. f GDPR). By maintaining the blacklist, we have an interest in ensuring that you are no longer the recipient of our advertising following your objection.

You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

You can contact us directly to exercise your right to object. You are also free to exercise your right to object in the context of the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

8.7 RIGHT TO LODGE A COMPLAINT PURSUANT TO ART. 77 GDPR

Without prejudice to any other administrative or judicial remedy or appeal, you have the right to lodge a complaint with a supervisory authority. You can contact the supervisory authority of your place of residence, your place of work or the place of the alleged infringement if you believe that the processing of your personal data violates data protection regulations. The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia, Kavalleriestraße 2-4 in 40213 Düsseldorf is responsible for the provider of this website. You can also contact this authority.

9 LEGAL BASES OF THE PROCESSING

All data processing is based on a valid legal basis (cf. Art. 5 para. 1 lit. a GDPR - principle of lawfulness/principle of lawfulness. We process personal data either on the basis of consent, to fulfil a contract or a legal obligation or on the basis of our legitimate interest.

9.1 CONSENT

If you have consented to data processing, we process your personal data on the basis of Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR if special categories of data pursuant to Art. 9 para. 1 GDPR (e.g. Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) are processed.

In the event of express consent to the transfer of personal data to third countries, data processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR. If you have consented to the storage of cookies or access to information on your end device or information stored there, the data processing is also carried out on the basis of Section 25 (1) of the German Data Protection Act (TTDSG). Consent can be revoked at any time.

9.2 FULFILMENT OF A CONTRACT

If the processing of personal data is necessary for the **fulfilment of a contract** to which you are a party (e.g. in the case of a purchase or consulting contract), the processing is based on Art. 6 para. 1 lit. b GDPR. The same applies to such processing operations that are necessary for the performance of pre-contractual measures, for example in cases of enquiries about our products or services.

9.3 LEGAL OBLIGATION

If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Art. 6 para. 1 lit. c in conjunction with. Para. 3 GDPR.

9.4 VITAL INTERESTS

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if you were injured during a visit to our company and we then had to pass on your name to a doctor, hospital or other third party. The processing would then be based on Art. 6 para. 1 lit. d GDPR.

9.5 LEGITIMATE INTEREST

Processing may also be based on a so-called legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company (e.g. intention to make a profit, presentation of the company, etc.) or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. The balancing of any conflicting interests is always a case-by-case assessment and decision, whether process- or system-related.

According to EC 47 sentence 2, there is a legitimate interest in data processing if the data subject is a customer of the controller or the processing of personal data is necessary for the prevention of fraud, etc. (cf. EC 47 sentence 6). (cf. EC 47 sentence 6) or for direct marketing purposes (cf. EC 47 sentence 7).

10 DATA PROCESSING THROUGH THIS WEBSITE

10.1 COLLECTION OF GENERAL DATA AND INFORMATION

Our website collects a range of general data and information each time it is accessed. This general data and information is stored in the server log files. The following can be recorded

- Browser types and versions used,

- the operating system used by the accessing system

- the website from which an accessing system reaches our website (so-called referrer URL)

- the sub-websites which are accessed via an accessing system on our website

- the date and time of access to the website

- the amount of data sent in bytes

- an internet protocol address (IP address)

- the internet service provider of the accessing system and

- other similar data and information used for security purposes in the event of attacks on our information technology systems.

This data is not merged with other data sources. The data is always anonymised, but it is possible that we are not allowed or able to anonymise it due to legal, official or judicial requirements.

The basis for the collection of general data and information when you visit our website is Art. 6 para. 1 lit. b GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures. If you do not conclude a contract with us or no pre-contractual measures are necessary, we process the data on the basis of Art. 6 para. 1 lit. f GDPR (so-called "legitimate interest"). Insofar as we are legally obliged to process data, the processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR. If we request your consent to processing, the legal basis for data processing is Art. 6 para. 1 lit. a, 4 no. 11, 7, 9 GDPR.

We do not use the above-mentioned information to draw conclusions about the data subject, but to

- deliver the content of our website correctly

- optimise the content of our website and the advertising for it

- to ensure the long-term functionality of our information technology systems and the technology of our website, and

- to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.

This anonymously collected data and information is therefore analysed by us both statistically and with the aim of increasing data protection and data security in our company in order to ensure an optimal level of protection for the personal data we process.

The anonymous data of the server log files are stored separately from all personal data provided by you. It is therefore not possible to draw any conclusions about you. For example, we cannot determine which browser type you are using. We only have data on which browser types were used by visitors in a certain period of time.

If, for example, a visitor logs into the customer area incorrectly several times, we store the IP address - which is a personal date - in order to recognise (hacker) attacks on our system and ward them off in good time.

If we have concrete evidence of unlawful use of our website, we will subsequently check the server log files and use the data, for example, to file a criminal complaint or assert civil law claims.

If personal data is stored in log files, it will be deleted no later than seven days after use. Longer storage is possible if, for example, unlawful use has been detected and we wish to pursue this misconduct. The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

10.2 EXTERNAL HOSTING

Our website is technically hosted and stored by an external service provider ("hoster"). The personal data collected on this website is therefore stored directly on the hoster's servers and not on servers maintained directly by us.

The hoster is used for the purpose of fulfilling contracts with our customers or initiating contracts with potential customers (Art. 6 para. 1 lit. b GDPR) and in our interest in the secure, fast and efficient provision of our online offering and the presentation of our company and our services by a professional provider (so-called "legitimate interest" within the meaning of Art. 6 para. 1 lit. f GDPR).

When weighing our interests against your interests, in particular your right to informational self-determination, we have come to the conclusion that our interests prevail; the interference with your rights is minimal. You are also free to use our service or not and to disclose data.

Our hoster processes your data only to the extent necessary to fulfil its contractual obligations to us. We have concluded a contract with the hoster for the processing of personal data on our behalf (so-called "order processing contract") and thus comply with the strict requirements of the General Data Protection Regulation, the Federal Data Protection Act and other laws (e.g. Telemedia Act, Telecommunications Act, Telecommunications Telemedia Data Protection Act). Data is only processed by the hoster on our instructions and within the framework of the applicable laws; in particular in compliance with the protection of your data.

We work together with the hoster plehn.cloud, Gretescher Weg 58, 49084 Osnabrück (Germany). Further information can be found on the provider's website, in particular in the privacy policy or in the information on data protection.

10.3 CONTACT, CONTACT OPTIONS

Due to legal regulations, the website contains information that enables quick electronic contact to our company and direct communication with us, which also includes a general address for so-called electronic mail (e-mail address).

If a data subject contacts the controller by email or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the controller are stored for the purposes of processing or contacting the data subject. This personal data is not passed on to third parties.

If you contact us by e-mail, telephone or fax, your enquiry including all personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.

The data you send to us via contact requests will be stored by us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.

10.4 SOCIAL MEDIA

Social media channels (also known as social networks) are platforms (websites or apps) through which logged-in or registered users can provide content and share it with the general public or in groups to which only certain users have access, and can also network with other users. We use social media channels to present and optimise our corporate services, for advertising and marketing purposes and to maintain contact with our visitors, interested parties, applicants, partners and suppliers.

When you use our social media channel, personal data that you provide (e.g. title, gender, name, email addresses, contact details, etc.) and other personal data (e.g. data on usage behaviour, IP address) is processed, i.e. collected, stored, evaluated, deleted, etc.

If you share media, e.g. publish photos, texts or videos, these are generally stored by the provider. The processing is carried out by the provider of the social media channel. The data is analysed by the provider for purposes such as developing marketing and advertising strategies for the provider itself or for other companies and drawing conclusions about your interests, needs and purchasing behaviour. As a rule, cookies are stored on your mobile device for this purpose.

We therefore also provide you with information on cookies and your rights in this privacy policy; the information and notices (e.g. on the right to object) naturally apply. We recommend that you also carefully read the provider's data protection notices and declarations. There you will also find the necessary information on which data is processed, how long data is stored and what rights you have vis-à-vis the provider.

Only use the social media channel if you have read and understood the data protection information.

We ourselves have no significant influence on the processing of data by the respective provider. In particular, we do not know whether and how the data is processed, especially whether data is passed on to affiliated or third-party companies, but must rely on the information provided by the provider. We also cannot ensure that the data is not processed in third countries outside the EU for which an adequate level of protection for your data is not or cannot be guaranteed. Providers generally refuse to carry out checks or audits, including on site if necessary. You should therefore inform yourself about other possible risks if you make your data available to third parties or the public (all users of a social media channel). Often you can no longer delete data completely if you want to - e.g. because another user has stored the data in such a way (e.g. on their local storage medium) that you cannot access it or because you have no knowledge of the user, the storage and the storage location.

You should therefore handle your data and the data of other people (especially children) responsibly. If you yourself have a profile with a social media channel provider, the personal data generated through the use of our social media channel may also be linked to your profile by the provider. Depending on the social media channel or provider, the personal data may also be recognised by other users of the channel and may also be processed for their own purposes.

With some providers, you can decide for yourself which personal data can be seen by third parties in the settings provided for this purpose. Find out how you can protect your personal data. We assume that you are aware that your personal data is always at risk when using the Internet. We therefore strongly recommend that you take care of your personal data yourself. You should also only disclose personal data of third parties with their prior consent (e.g. in the case of images or texts).

10.4.1 CONTRACT WITH THE PROVIDER FOR THE PROTECTION OF YOUR PERSONAL DATA

In its judgement of 29 July 2019 (case number C-40/17 - Fashion ID - published in the ECJ's digital collection curia.europa.eu/juris/liste.jsf), the European Court of Justice ruled that in certain cases the operator of the social media platform is jointly responsible with the website operator within the meaning of Art. 26 GDPR. Where this is the case, we have concluded a corresponding agreement with the provider. We process the personal data in compliance with the agreement. If the provider makes the contract text publicly accessible, we have linked it for you below. You can then also use the contract text to check whether you accept data processing. If you do not agree, please do not use the channel.

10.4.2 LEGAL BASIS OF THE PROCESSING

If you have consented to the processing of your data, this consent is also the legal basis for data processing (Art. 6 para. 1 lit. a, Art. 4 no. 11, Art. 7 GDPR) when using the social media channel. In addition, your data is also processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and good communication with you or others. We have designed our website and the integration of social media channels in such a way that you are informed in good time (e.g. when you click on a button) that data will be transferred to the provider. We only use social media channels in such a way that your data is only transferred to the provider once you have given your consent.

10.4.3 POSSIBLE DATA PROCESSING IN THIRD COUNTRIES

We cannot rule out the possibility that personal data may also be processed in third countries, in particular the USA. Please also note our information on data processing in third countries (see above).

10.4.4 CHANNELS USED

In the following summary you will find further information on the channels we use

Facebook (provider: Meta Platforms Ireland Limited, address: 4 Grand Canal Square, Dublin 2 Ireland, website: https://de-de.facebook.com/, privacy policy: https://de-de.facebook.com/help/568137493302217)

LinkedIn (Provider: LinkedIn Ireland Unlimited Company, address: Wilton Place, Dublin 2, Ireland Ireland, Website: https://de.linkedin.com/, privacy policy: https://de.linkedin.com/legal/privacy-policy)

Pinterest (Provider: Pinterest Inc., address: 651 Brannan Street, San Francisco, CA, 94107 USA, website: https://www.pinterest.com, privacy policy: https://policy.pinterest.com/de/privacy-policy)

10.5 APPLICATION PROCEDURE

We offer you the opportunity to apply online on our website. You will need to provide personal data in order to take part in the application process. This data may include personal master data such as first name, surname, address, date of birth, contact details such as telephone number or e-mail address as well as data relating to your educational and/or professional background such as school and work references, data on training, internships or previous employers.

This data may originate from an application form that you complete online on the application platform or from the documents you provide, such as a cover letter, CV, application photo, certificates or other evidence. Data that is mandatory for participation in the application process is labelled accordingly as mandatory information. Unless a third-party provider whose service we use to provide the online application function is named in this privacy policy, the data will not be passed on to third parties.

We process the above data for the purpose of carrying out the application process. If you have given us your consent, the legal basis for processing the data is Art. 6 para. 1 sentence 1 lit. a GDPR. Insofar as the processing of the above data takes place for the initiation of contractual relationships, the legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR, Art. 88 para. 1 i.V.m. § Section 26 para. 1 sentence 1 BDSG. The application process ends when you are informed by us or after a period of twelve months. Once the application process has ended, we will generally delete your data within a further six months.

The data will generally be deleted as soon as it is no longer required to fulfil the purpose for which it was collected or the purpose has already been achieved. However, the data will not be deleted if we are obliged to continue to store the data due to legal or official requirements. Your data will also not be erased if further processing of your personal data is necessary for the establishment, exercise, defence or defence of legal claims. In this case, we have a legitimate interest in the further processing of your personal data. The legal basis in this case is Art. 6 para. 1 sentence 1 lit. f GDPR, as we have a legitimate interest in asserting or defending legal claims, etc.

In the event that an employment relationship, training relationship, internship or other employment relationship is established following the application process, the data will initially continue to be stored and transferred to the personnel file.

As part of the application process, you should only provide us with the personal data that is necessary for participation in the application process and its realisation. There is no legal or contractual obligation to provide data, unless there is an obligation to apply for other reasons (e.g. official request, etc.). However, we would like to point out that we cannot carry out the application process without this data and cannot consider your application. The same applies in the event of an objection to the processing of your data. If you are obliged to apply, we will inform the respective organisation of the application or the objection to processing if this makes it impossible for us to carry out the application process.

We also offer you the option of having your application saved in an application pool. This gives you the opportunity for us to consider your application beyond the specific reason for your application in the context of other future application procedures. The storage of your application in the application pool requires your consent, which we will request on a case-by-case basis. The legal basis for processing (inclusion in the applicant pool) is Art. 6 para. 1 sentence 1 lit. a GDPR if consent has been given. You can revoke the consent you have given us at any time with effect for the future (cf. Art. 7 para. 3 GDPR; see additional information in the "Consents" section).

10.6 WEB ANALYTICS

Web analysis services enable us to analyse the behaviour of website visitors. The website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data may be summarised in a profile that is assigned to the respective user or their end device.

The web analysis service we use, Matomo, enables us to analyse the use of our website using statistics. This enables us to constantly improve our website and make it more attractive for you as a user*.

We use Matomo with an extension to anonymise IP addresses. By automatically shortening the IP address before further processing, it is not possible to draw any conclusions about a specific person; the data is not merged with other data collected by us, nor is it passed on to third parties.

If our website or individual pages of it are accessed, the following data is stored:

two bytes of the IP address of the accessing system (anonymised)
Your location (country)
Date and time of access
operating system used
Type and version of the browser you are using
the specific website accessed
the website from which your visit originates (referrer URL), unless your browser prohibits this
Pages and files of our website
the time spent on our website
the frequency of visits to our website or individual pages visited
the website you visit after ours if you follow an external link we have placed.
Tracking takes place without the use of cookies.

The hosting and thus the storage and processing of collected data is carried out by us (plehn.cloud) at Vautron AG in Regensburg - a German company without a foreign parent company, exclusively in Germany on German servers.

Objection to the use of the anonymisation tool Matomo

If you no longer agree to the anonymous storage and analysis of your visit data, you can object to the use and storage at any time by clicking below.

By means of a so-called opt-out cookie (deactivation cookie), which is stored in your browser, it is technically ensured that no more session data is collected.

To prevent the further use of Matomo, you have the option of activating the opt-out plug-in described above by unchecking the box below:

If you do not give us your consent to the Matomo cookie request, the "Do not Track" function will be activated in our Matomo installation. If your browser supports this function and you have activated this function in your browser settings, Matomo will not collect any data, even if the aforementioned deactivation cookie is not used.

11 MINORS

Our services are not directed to children under the age of 13. We do not knowingly collect information from children under the age of 13. If you are under the age limit, do not use the Services and do not provide us with your Personal Data. If you are a parent of a child under the age limit and you become aware that your child has provided us with personal data, please contact our data protection officer (see above for contact details) or us directly immediately so that we can take the necessary steps, such as blocking or deleting the data.

12 COPYRIGHT TO THE PRIVACY POLICY

The copyright to this privacy policy lies with

c/o

OCHSENFELD+COLL Attorneys at Law

Bahnhofsallee 9, 31134 Hildesheim, Germany

Telephone +49 (0) 5121 10221-0

Fax +49 (0) 5121 10221-22

Duplication, processing, distribution and any form of commercialisation of such material beyond the scope of the copyright law and a contract of use shall require the prior written consent of Datenschutz Manufaktur. Anyone who violates copyright law, e.g. by using texts or parts of texts without written consent, is liable to prosecution and must expect a warning with costs and claims for damages.

If you are of the opinion that this data protection declaration is incorrect, in particular incomplete, please contact us so that we can remedy the situation immediately

PRODUCTS