Information on the processing of personal data

We, the company EPflex Feinwerktechnik GmbH (hereinafter referred to as “the company”, “we” or “us”), thank you for visiting our website and for your interest in our company and our services. Your personal data will only be processed in accordance with the provisions of German and European data protection law.

 

Data protection law requires us, as the data controller, to ensure the protection of your personal data through a variety of measures. One of these obligations is to inform you transparently about the nature, scope, purpose, duration and legal basis of data processing (cf. Art. 13 and 14 (EU) GDPR). In the following text, we also refer to you, as the person affected by data processing, as “customer”, “user”, “you”, or “data subject”. In this privacy policy, we inform you about the way in which your personal data is processed by us.

 

Our privacy policy has a modular structure. It consists of a General Section that covers all processing of personal data and processing situations that come into play and a Special Section, whose content only relates to the specific processing situation specified in it. We may also use this online document to inform you about processing operations that do not primarily take place on the website. These can be found in the Special Section of the document. If you want to navigate quickly in the document, many browsers offer a search function via the key combination “CTRL+F”.

 

Definitions

Following the example of Art. 4 EU GDPR, this document is based on the following definitions:

 

“Personal data” (Art. 4 (1) EU GDPR) means any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if they can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, an online identifier, location data or with the aid of information about their physical, physiological, genetic, mental, economic, cultural or social identity characteristics. A person can also be identifiable through the linking of such information or other additional knowledge. The origin, form or embodiment of the information does not matter (photos, video or audio recordings can also contain personal data).

 

“Processing” (Art. 4 (2) EU GDPR) means any operation that is performed on personal data, regardless of whether any automated (i.e. technology-supported) means are employed. This includes, in particular, the collection (i.e., acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as any changes of the objective or purpose on which the data processing was based originally.

 

“Controller” (Art. 4 (7) EU GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

“Third party” (Art. 4 (10) EU GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who are authorized to process the personal data under the direct responsibility of the controller or processor.

 

“Processor” (Art. 4 (8) EU GDPR) means a natural or legal person, public authority, agency or body which processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g., an IT service provider). In particular, a processor is not a third party within the meaning of data protection law.

 

“Consent” (Art. 4 (11) EU GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes in the form of a statement or another clear affirmative action by which the data subject signifies their agreement to the processing of personal data relating to them.

 

Name and address of the controller

Please refer to the imprint information on our website for the entity responsible for processing your personal data within the meaning of Art. 4 (7) EU GDPR, as well as for contact details and other information about our company.

 

Contact details of the data protection officer

Our data protection team, consisting of data protection coordinators and our data protection officer, are available at all times to answer any questions you may have and to act as your point of contact on the subject of data protection at our company.

 

You can reach the data protection team:

 

  • By sending regular mail to our address given in the imprint with the addition “Data protection team”
  • By e-mail to datenschutz(at)epflex.com

 

Your rights

You can exercise your rights as a data subject regarding your processed personal data at any time by contacting us using the contact details specified above. You can make it easier for us to respond to your request by contacting the data protection team directly.

 

As the data subject, you have the right:

 

  • to request information about your data processed by us in accordance with Art. 15 EU GDPR. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, processing restriction or objection, the existence of a right to complain, the origin of your data insofar as it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • in accordance with Art. 16 EU GDPR, to request the correction of incorrect data or the completion of incomplete data stored by us without delay;
  • in accordance with Art. 17 EU GDPR, to request the deletion of your data stored by us, unless the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
  • to request the restriction of processing of your data in accordance with Art. 18 EU GDPR, insofar as the accuracy of the data is contested by you or the processing is unlawful;
  • in accordance with Art. 20 EU GDPR, to receive your data that you have provided to us in a structured, commonly used and machine-readable format or to request the transmission to another controller (“data portability”);
  • in accordance with Art. 21 EU GDPR, to object to the processing insofar as the processing is based on Art. 6 (1) (e) or (f) EU GDPR. In particular, this is the case if the processing is not necessary for the fulfilment of a contract concluded with you. Unless this is an objection against direct advertising, when you exercise your right to issue such an objection, we ask that you explain the reasons why we should not process your data as we have done. In the event that your objection is justified, we will review the factual situation and either discontinue/adjust the data processing or provide you with our compelling legitimate grounds on the basis of which we will continue the processing. For many services on our websites that process personal data on the basis of Art. 6 (1) (f) EU GDPR, the objection can be implemented technically via technologies that are available or can be installed in the data subject’s browser, e.g., through the blocking of JavaScripts or cookies;
  • in accordance with Art. 7 (3) EU GDPR, to revoke your consent – your clear affirmative act establishing a freely given, informed and unambiguous indication of your agreement to the processing of personal data relating to you for one or more specific purposes – that you have issued to us in the past (including before the EU GDPR entered into force, i.e., before May 25, 2018). This has the consequence that we will no longer be able to process your data on the basis of this consent in the future, and
  • to complain to the data protection supervisory authority responsible for us about the processing of your personal data in our company in accordance with Art. 77 EU GDPR.

Legal bases of data processing

In essence, the processing of personal data is only permitted by law if it falls under one of the following justifications:

 

Art. 6 (1) (a) EU GDPR (“Consent”): If the data subject has indicated – voluntarily, in an informed manner and unambiguously, by means of a statement or another unambiguous affirmative act – that they consent to the processing of personal data relating to them for one or more specific purposes;

 

Art. 6 (1) (b) EU GDPR (“Contract”): If the processing is necessary for the performance of a contract to which the data subject is party, or for the performance of pre-contractual measures taken upon the request of the data subject;

 

Art. 6 (1) (c) EU GDPR (“Legal obligation”): If the processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to keep records);

 

Art. 6 (1) (d) EU GDPR: If the processing is necessary to protect the vital interests of the data subject or of another natural person;

 

Art. 6 (1) (e) EU GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

 

Art. 6 (1) (f) EU GDPR (“Legitimate interests”): If the processing is necessary to protect the legitimate (in particular, legal or economic) interests of the controller or a third party, except where such interests are overridden by the conflicting interests or rights of the data subject (in particular if the data subject is a child). Insofar as the processing of personal data is based on Art. 6 (1) (f) EU GDPR, the aforementioned purposes also represent our legitimate interests.

 

We indicate the respectively applicable legal bases for the processing operations carried out by us below. Processing may also be based on several legal bases.

 

Data deletion and storage period

For the processing operations we perform, we indicate below in each case how long the data will be stored by us and when it will be deleted or blocked. In the event that consent is granted, the data deletion and storage period information specified in the consent request is decisive. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. As a rule, your data will only be stored on the territory of the Federal Republic of Germany, in a member state of the European Union (EU) or in another contracting state of the Agreement on the European Economic Area (EEA). Possible exceptions to this and the corresponding processing operations are outlined in the following sections. However, the data may be stored beyond the specified time in the event of a (potential) legal dispute with you or other legal proceedings, or if storage is required by legal regulations with which we must comply as the data controller (e.g., § 257 HGB, § 147 AO). If the storage period prescribed by legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

 

Data security: Website, e-mail, fax

We use technical and organizational security measures in order to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g., TLS encryption for our website), taking into account the state of the art, the implementation costs and the scope, context and purpose of the processing, as well as the existing risks (including their probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.

 

For secure data transmission on the Internet, we use the hybrid encryption protocol Transport Layer Security (TLS), more widely known by its predecessor name Secure Sockets Layer Software (SSL). This software encrypts the information that is transmitted by you. All information relevant to data protection is stored in encrypted form in a protected database.

 

Please note that the confidentiality of e-mail communication cannot be guaranteed. Although we offer transport encryption (TLS) through our mail servers, confidentiality may depend on various mail relay servers over which we have no control: Whether they also use TLS and whether they analyze the emails is beyond our control.

 

When you send us a fax, the transmission takes place via the Internet Protocol (FoIP). From a technical standpoint, the transmission is identical to sending an e-mail or retrieving website data. We do not know whether an IP-based service encrypts data; therefore, the confidentiality of the sent data is not guaranteed. We do not recommend that you send sensitive data by fax.

 

We would be happy to provide you with more detailed information on request. Please contact our data protection team.

 

Cooperation with processors

As any other large company, we also make use of external service providers to support us with our business operations, for example with regard to IT, logistics, telecommunications: Package delivery, the dispatch of letters or e-mails, analysis of our databases, advertising activities, payment processing, sales and marketing. These service providers have access to the personal data they need in order to perform their tasks. However, they may not use this data for any other purpose. Processors will only act on our instructions and are contractually obligated to comply with the data protection provisions in accordance with Art. 28 EU GDPR. Processors are not third parties.

 

Prerequisite for the transfer of personal data to third countries

In the course of our business relationships, your personal data may be transferred or disclosed to third-party companies. These can also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is carried out exclusively for the fulfillment of contractual and business obligations and to maintain your business relationship with us. You can find information about the respective details of the transfer at the relevant points below.

The European Commission certifies that certain countries offer data protection comparable to the EEA standard by means of the so-called adequacy decisions. However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal regulations. Insofar as this is the case, we ensure that data protection is guaranteed to an adequate extent. This is made possible by binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct. Please contact our data protection team if you would like to obtain more information on this.

 

Automated decision making

We do not intend to use any personal data collected from you for any automated decision making process (including profiling).

 

Obligation to provide personal data

We do not make the conclusion of contracts with us dependent on your provision of personal data to us in advance. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide us with the necessary data. If this should be the case – by way of exception – within the scope of the products or processing procedures presented below, you will be notified of this separately.

 

Legal obligation to transmit certain data

Under certain circumstances, we may be subject to a specific legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular to public bodies (Art. 6 (1) (c) EU GDPR).

 

Changes to the privacy policy

This document is reviewed regularly in the context of the ongoing development of data protection law, as well as technological or organizational changes, to determine whether it needs to be adapted or supplemented. We reserve the right to change this privacy policy at any time with effect for the future in compliance with the applicable data protection regulations. We will publish the changes here. Current status: February 23, 2022

 

Information on the processing of personal data in special processing operations

The following sections describe processing operations grouped by different categories of persons whose data is processed (“data subjects”).

 

Website visitors

Information about our company and the services we offer can be found in particular at www.epflex.com and at the associated sub-pages (hereinafter jointly: “websites”). When you visit our websites, your personal data will be processed.

 

Your data will only be processed for as long as necessary to achieve the above-mentioned processing purposes; the legal bases specified in the context of the processing purposes apply accordingly. Third parties engaged by us will store your data on their systems for as long as necessary in connection with the provision of services to us in accordance with the respective orders.

 

The following categories of recipients, which are primarily processors, may receive access to your personal data:

 

Service providers responsible for the operation of our website and the processing of data stored or transmitted through the systems (e.g., for data center services, payment processing, IT security). The legal basis for the transfer here is Art. 6 (1) (b) or (f) EU GDPR, insofar as these are not processors;

 

Government agencies/authorities, insofar as this is necessary to fulfill a legal obligation. The legal basis for the transfer here is Art. 6 (1) (c) EU GDPR;

 

Persons engaged to conduct our business operations (e.g., auditors, banks, insurance companies, legal advisers, regulators, parties involved in acquisitions or the formation of joint ventures). The legal basis for the transfer here is Art. 6 (1) (b) or (f) EU GDPR.

 

Beyond that, we will only disclose your personal data to third parties if you have given your express consent for us to do so in accordance with Art. 6 (1) (a) EU GDPR.

 

Personal data processed on the website/log data

During informational use of the websites, the following categories of personal data are collected, stored and processed by us. When you visit our websites, log data records (also known as server log files) are stored temporarily and anonymously on our web server. These contain the following information, in particular:

 

  • the page from which the page was requested (i.e., the referrer URL)
  • the name and URL of the requested page
  • the date and time of the request
  • the description of the type, language and version of the web browser used
  • the IP address of the requesting computer
  • the amount of data transferred
  • the operating system
  • a message indicating whether the request was successful (access status/HTTP status code)
  • the GMT time zone difference

 

Log data is processed for statistical purposes and to improve the quality of our website, in particular with regard to the stability and security of the connection (the legal basis is Art. 6 (1) (f) EU GDPR).

 

It is possible that we may briefly process further information provided to our web servers by your operating system, your browser and/or other software on your end in the short term to provide you with the respective web pages. The legal basis here is also Art. 6 (1) (f) EU GDPR.

 

Services to store information on your end device or to access information already stored on your end device (cookies, plugins, JavaScript …)

On our websites, we use services and technologies to store information on your end device and/or technologies to access information that is already stored on your end device. These technologies can include, for example, cookies. Cookies are text files and/or entries in the browser’s own database that are assigned by the browser using a characteristic string. When cookies are assigned, a certain amount of information flows between the web location that sets the cookie and your end device.

 

Cookies and other services may contain data that makes it possible to recognize the device being used. In some cases, cookies and other technologies only contain information about user settings that cannot be linked to a specific person.

 

It may be possible to refuse or technically disable some services, insofar as this is supported by your browser. However, we would like to point out that in this case you will not be able to use all functions of our website to their full extent.

 

The help function in the menu bar of most web browsers explains, for example, how to prevent your browser from accepting new cookies, how to let your browser know when you receive a new cookie, as well as how to delete all received cookies. In addition, you can modify your browser in such a way that certain technologies that are required by the services are not run in your browser (e.g. JavaScript). Insofar as the services on our websites process personal data on the basis of Art. 6 (1) (f) EU GDPR, an objection can thus be implemented in a technical manner by using these browser functions and technologies.

 

With regard to the functionality of services, a distinction is made between:

 

Technical services: These services are essential so that visitors can navigate around the website and use basic functions and to ensure the security of the website; they do not collect information about you for marketing purposes, nor do they store information about which web pages you have visited;

 

Performance services: These services collect information about how you use our website, which pages you visit and, for example, whether any errors occur during website use; they do not collect information that could identify you – all information collected is anonymous and is used only to improve our website and find out what is of interest to our users;

 

Advertising, targeting & sharing services, social media plugins: These services are used to offer the website user tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers. These services may also be used to improve the interactivity of our website with other services (e.g., with social networks).

 

What all services have in common is that they store information on your end device and/or access information that is already stored on your end device.

 

In contrast to the functional distinction between services, the legislator only distinguishes between two purposes of services:

 

  1. Services that are necessary to execute the transmission of a message via a public telecommunications network and/or that are absolutely necessary for the provider of a telemedia service to be able to provide a telemedia service expressly requested by the user. The necessity can be based on technical, legal, economic, operational requirements and/or on contractual agreements.
  2. Services for all other purposes.

 

Any use of services that are absolutely necessary from a technical, legal, economic, operational and/or contractual point of view in order to provide an explicitly requested service may be based on a legal basis other than consent in accordance with Art. 6 (1) (a) EU GDPR.

 

General services on the website

We currently use the following services from the services described above. Insofar as the processing is based on consent in accordance with Art. 6 (1) (a) EU GDPR, we also state the manner in which consent is requested.

 

Service: Contact form

When you use contact forms, the data you provide will be processed (e.g., gender, surname and first name, address, company, e-mail address and the time of transmission). Contact form data is processed to handle inquiries; the legal basis here is provided by Art. 6 (1) (b) or (f) EU GDPR.

 

Google (and Alphabet, as applicable) services, products and technologies

In this section, we have grouped together services offered by Alphabet Inc. (a listed U.S. holding company) and, in particular, by Google, which is part of the holding company.

 

Service: Google Maps

This website uses the Google Maps service to display maps and site plans; Google Maps is operated by the company Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland.

 

Processing will only take place if you have given your consent in accordance with Art. 6 (1) (a) EU GDPR. Additional information on this possible processing can be found in the consent query in the Consent Management Tool.

 

Insofar as consent has been given, each time you access the Google Maps service, information will be stored and read on your end device in order to process user settings and data when displaying the page on which Google Maps is integrated.

 

Service: Google Tag Manager

Our websites use the Google Tag Manager service, operated by the company Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland. Processing will only take place if you have given your consent in accordance with Art. 6 (1) (a) EU GDPR. Additional information on this possible processing can be found in the consent query in the Consent Management Tool.
Insofar as consent has been given, we can use Google Tag Manager to load JavaScript instructions and other services. In this case, information is transferred to Google servers and stored there. The server locations are also in the USA. Google may pass this information on to its contractual partners. More information about Google Tag Manager can be found at: http://www.google.de/tagmanager/faq.html and http://www.google.de/tagmanager/use-policy.html

 

Service: Google reCAPTCHA

Our websites use the Google reCAPTCHA service, operated by the company Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland. Processing will only take place if you have given your consent in accordance with Art. 6 (1) (a) EU GDPR. Additional information on this possible processing can be found in the consent query in the Consent Management Tool.

Insofar as consent has been given, we can use reCAPTCHA to check whether data is entered on our websites (e.g. in a contact form) by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of website visitors based on various parameters. This analysis starts automatically. reCAPTCHA evaluates various types of information for its analysis (e.g., the IP address, the time spent by the website visitor on the website or mouse movements of the user). The data collected in the course of the analysis is forwarded to Google.

 

Service: Google Web Fonts/ external fonts

Our websites use the Google Web Fonts service, operated by the company Google Ireland Limited, registration number: 368047, Gordon House, Barrow Street, Dublin 4, Ireland. Processing will only take place if you have given your consent in accordance with Art. 6 (1) (a) EU GDPR. Additional information on this possible processing can be found in the consent query in the Consent Management Tool.

Insofar as consent has been given, Google Web Fonts can be used to provide a consistent representation of fonts. When you access a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly. For this purpose, the browser you use must connect to Google’s servers. As a result, Google gains knowledge that our website was accessed via your IP address.

 

Job applications

You can apply for a job at our company in various ways. Regardless of how you submit your application, your application data will be processed exclusively for the purpose of handling your application and will be stored for a maximum of six months after the end of the selection process, after which it will be deleted unless you give us your consent to further processing in a talent pool.

 

In the context of applications, we process the following personal data from you:

 

  • all data that you have provided to us in the course of the application process (e.g. in your application documents or interviews)
  • if applicable, supplementary data that we have lawfully collected in the course of the application process (e.g., from public sources, such as professional networks)
  • this may also include special categories of personal data (e.g. information on severe disabilities, racial and ethnic origin, religious or ideological beliefs, or trade union membership), provided that these have been transmitted to us in one of the two aforementioned ways.

 

The legal basis is the decision on the establishment of an employment relationship or, after the establishment of an employment relationship, its implementation according to §26, para. 1 BDSG-new and Art. 6 (1) (b) EU GDPR.

 

Service: Applications by e-mail

You have the possibility to apply for a job at our company by e-mail. Please send your application materials to bewerbung@epflex.com. Please note that we cannot guarantee the confidentiality of your data when you apply by e-mail. Although we offer transport encryption (TLS) through our mail server, the confidentiality of e-mail messages may depend on various mail relay servers over which we have no control. Whether they also use TLS and whether they analyze the e-mails is beyond our knowledge and influence. If you have any concerns in this regard, please use regular mail for your application.

 

Business partners and visitors seeking information

You have the possibility to contact us by phone, fax or e-mail. Please also refer to the section “Data security: Website, e-mail, fax”.

 

When contact is made by telephone, we collect caller identification information (caller IDs). This means that unless your phone number is suppressed or blocked, we will see the phone number you are calling us from. The phone number, call date and call time are automatically stored by our phone system and are only used to call you back if you have requested us to do so or if your call is dropped due to technical problems. This data is deleted after 4 weeks at the latest. We do not record calls.

 

If you contact us by e-mail, your e-mail address will be stored and used for the purpose you have specified to us in the e-mail message (e.g., for ordering a product). The same applies if you contact us by fax.

 

When you order products from us or request information materials, we create a customer account for you. The customer account contains the following data:

 

  • the name and contact details of the company for which you are placing the order
  • your first name and last name as the contact person
  • For each order processed through this customer account, we store:
  • the order date and the delivery date
  • all ordered products
  • the current order status

 

This data is required to execute your order and/or respond to your inquiry and will only be processed for this purpose (Art. 6 (1) (b) or (f) EU GDPR). Unless stated otherwise, the deletion periods for this data are based on the statutory retention obligations to which we are subject.