Data privacy notice

Thank you for visiting our website. We are delighted that you are interested in our company. Data protection is of particular importance to the management of Hardenberg-Wilthen AG. Our website can generally be used without your providing any personal data. However, insofar as a data subject wishes to make use of specific services provided by our company via our website, it may be necessary for personal data to be processed. If the processing of personal data is necessary and if there is no legal basis for such processing, we generally seek the data subject’s consent.
At all times, personal data such as a data subject’s name, address, e-mail address, and telephone number are processed in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to Hardenberg-Wilthen AG. This data privacy notice serves to notify you about the type, scope, and purpose of the personal data which we collect, use, and process. Additionally, this data privacy notice informs data subjects about their rights.
As the controller responsible for data processing, Hardenberg-Wilthen AG has implemented numerous technical and organizational measures to guarantee as comprehensive protection as possible of the personal data processed via our website. Online data transmission can nonetheless entail security vulnerabilities, and as such comprehensive protection cannot be guaranteed. For this reason, all data subjects are also at liberty to submit personal data to us by alternative means, such as by telephone.

1. Definitions

Hardenberg-Wilthen AG’s data privacy notice is founded on the terms used by the European legislator in the General Data Protection Regulation (GDPR). Our data privacy notice is designed to be easily read and comprehensible both for the general public and for our customers. To guarantee that this is the case, we would first like to explain the terms used.
Among others, we use the following terms in this data privacy notice:
a) Personal data
Personal data are any information relating to an identified or identifiable natural person (hereinafter the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data are processed by the controller responsible for processing.
c) Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
f) Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be associated with a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not associated with an identified or identifiable natural person.
g) Controller
Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient means a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
Third party means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
k) Consent
Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and address of the data processing controller and contact details of the Data Protection Officer

The controller within the meaning of the General Data Protection Regulation, other data protection legislation applicable in Member States of the European Union, and other provisions of a data protection nature is:
Hardenberg-Wilthen AG
Vorderhaus 2
37176 Nörten-Hardenberg
Phone: +49-5503-8020
Fax: +49-5503-802-159
E-mail: marketing@hardenberg-wilthen.de
Internet: www.hardenberg-wilthen.de
The controller has appointed a Data Protection Officer, who can be contacted as follows:
Hardenberg-Wilthen AG
Data Protection Officer
Stephan Viehoff
Vorderhaus 2
37176 Nörten-Hardenberg
Phone: +49-5503-8020
Fax: +49-5503-802-159
E-mail: datenschutz@hardenberg-wilthen.de

Data subjects may contact our Data Protection Officer directly anytime with any questions or suggestions regarding data protection.

3. Collection of general data and information when our website is visited

Our website collects an array of general data and information whenever a page is visited by a data subject or by an automated system. These general data and information are stored in the server’s log files. The following data and information may be collected:
(1) The operating system and interface used by the accessing system
(2) The browser type used including the language and browser software version
(3) The website from which an accessing system was directed to our website (the so-called referrer)
(4) The subpages of our website visited by an accessing system
(5) The date and time at which the website was accessed (incl. time zone difference to Coordinated Universal Time [UTC])
(6) The volume of data transferred
(7) An Internet protocol address (IP address)
(8) The accessing system’s Internet service provider
(9) Other similar data and information which serve as defense in the event of attacks on our information technology systems
Hardenberg-Wilthen AG makes no inferences regarding data subjects when using this general data and information. Rather, this information is needed in order to:
(1) render the content of our website correctly,
(2) optimize the content of our website and advertising thereof,
(3) guarantee the ongoing functionality of our information technology systems and of our website technology,
(4) provide law enforcement authorities with the information required for prosecution in the event of a cyberattack.
These anonymously collected data and information are therefore evaluated statistically on the one hand and, moreover, with a view to increasing data protection and data security at our company in order to ultimately guarantee the optimum level of protection of the personal data we process. The anonymized data of the server log files are stored separately from all the personal data provided by a data subject.

4. Cookies

We use cookies on our website. Cookies are small text files which are added to your computer by us via your Internet browser (e.g. Mozilla Firefox, Microsoft Explorer) when you visit our website and which are stored there either for a session or longer-term (“persistent”).
Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a cookie’s clear identifier. It is a string of characters with which websites can be associated with the specific Internet browser in which the cookie is stored. This enables the websites and servers visited to distinguish between the data subject’s Internet browser and other Internet browsers containing cookies. A specific Internet browser can be recognized and identified on the basis of the distinct cookie ID.
By using cookies, we can make more user-friendly services available to the users of our website which would not otherwise be possible without cookie placement.
Cookies allow the information and services on our website to be optimized in the interests of the user. As mentioned above, cookies allow us to recognize the users of our website again. The purpose of this recognition is to make it easier for users to use our website.
A number of the functions of our website cannot be made available without the use of technically required cookies. Meanwhile, other cookies allow us to perform various analyses. Among other things, cookies help us to make our website more user-friendly and more efficient for you by allowing us to understand your website usage and determine your preferred settings. Insofar as third parties process information using cookies, they collect the information directly via your Internet browser. Cookies do not cause any damage to your device. They are unable to execute programs and cannot contain viruses.
Various cookies are used on our website, the types and functions of which are explained in more detail below.
Types of cookies used:
Type 1: Session cookies
Our website uses session cookies which are automatically deleted as soon as you close your Internet browser. This type of cookie is technically necessary in order for you to use our website.
Type 2: Persistent cookies
Additionally, persistent cookies are used on our website. Persistent cookies are cookies which are stored in your Internet browser/on your computer system for an extended period even after you have closed your browser. They are reactivated whenever you revisit the website that placed the cookie or whenever the website is recognized again in some other way, e.g. by an advertising network. The information stored in a persistent cookie is then transmitted to the website or the advertising network. The storage period can vary from cookie to cookie. You can delete persistent cookies yourself in your browser settings.
Origin cookies:
First-party cookies
First-party cookies are placed by the operator of the visited website and cannot be read across websites.
Third-party cookies
A third-party cookie is not placed by the operator of the visited website, but by a third party who places their own cookie via the operator’s website. If a third party places a cookie via our website, we bring this to your attention in this data privacy notice.
Functions of the cookies used:
Function 1: Necessary cookies
These cookies are required for technical reasons to enable you to visit our website and use the functions we offer. For example, these are cookies which ensure that the user-specific configuration of the functions of our website as specified by you remain in place across multiple sessions. These cookies also play a part in the safe and correct use of the website.
Function 2: Performance cookies
These cookies help us to analyze website usage and improve our website’s performance and functionality. For example, they collect information about how users use our website, which pages are visited most frequently, or whether error messages are being shown on specific pages.
Function 3: Cookies for marketing:
With marketing cookies (of third parties), you can be shown various offers that match your interests. With these cookies, a user’s online activity can be logged over an extended period. The cookies may recognize you across various devices used by you.
Cookies with functions 2 and 3 are only activated if you give your consent to this. You can give your consent by actively selecting “Accept” in the message displayed (possibly after having selected individual cookies or groups of cookies to which you consent). You may revoke your consent anytime, for example by revisiting this consent banner and changing your settings. Your revocation shall not affect the lawfulness of processing based on consent before its withdrawal.
Please note: Should you make use of your right of withdrawal of consent to the use of such cookies, an opt-out cookie will be placed in your Internet browser which blocks the continued collection of data by the website operator or a third party by means of a marketing cookie. Should you delete this opt-out cookie, renewed data collection cannot be prevented. Please acquaint yourself with the lifespan of an opt-out cookie.
If you granted your consent to the use of cookies on the basis of a message displayed by us on the website (“cookie banner”), the lawfulness of their use is founded on point (a) of Article 6 (1) GDPR. The legal basis for technically necessary cookies, i.e. cookies which are required for the seamless functionality of our website, is point (c) of Article 6 (1) GDPR.
The majority of Internet browsers accept cookies by default. You can, however, configure your Internet browser such that it accepts only certain cookies or even no cookies at all. Please note, however, that you may then no longer be able to use functions of our website and that you will instead see warnings or error messages if cookies on our website are deactivated by your browser settings.
Within your browser settings, you can also delete cookies already stored in your Internet browser. Further, you can set your Internet browser to notify you before it stores cookies. As the ways in which the various Internet browsers work can differ, we ask that you consult your Internet browser’s help menu for details of your configuration options. You can find information on the most common Internet browsers here:
·    Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
·    Mozilla Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
·    Apple Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
·    Microsoft Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
For a comprehensive overview of all third-party access to your Internet browser, we recommend that you install a plugin specifically developed for this purpose.
If using a device you share with others which has its Internet browser set to accept cookies, we recommend that you log out in full at the end of your usage.

5. Contacting us

You have the option of contacting us by mail, telephone, fax, or e-mail.
If you contact us by mail, we can process in particular your address details (e.g. last name, first name, street, town/city, postal code), the date and time of receipt, and any data you disclose in your letter.
If you contact us, a secretarial service may process your data and then send them to us following the contact. Depending on the data you provide during this contact, we will then call you back or write to you, contacting you by telephone, fax, or e-mail.
If you contact us by telephone, we will process in particular your telephone number and possibly also, if we request this information in the course of the call, your name, your e-mail address, the time of the call, and details of your reason for calling.
If you contact us by fax, we will process in particular the fax number or sender identifier and any data disclosed in the fax.
If you contact us by e-mail, we will process in particular your e-mail address, the e-mail time stamp, and any data disclosed in your message text (and, if applicable, in attachments).
The purpose of processing the above data is to process your contact request and to be able to contact you so as to respond to your matter. The legal basis for the processing of personal data as outlined here is point (f) of Article 6 (1) GDPR. We have a legitimate interest in enabling you to contact us anytime and in being able to respond to your inquiry.
The personal data are processed only for as long as it takes to process your contact request.

6. Registering on our website

You have the option of registering on our website, which involves disclosing personal data. The specific personal data which are transmitted to us depend on the input screen used for registration. The personal data input by you are collected and stored exclusively for internal use and for our own purposes. We can share the data with one or more processors such as a parcel service provider, who will likewise use the personal data exclusively for an internal purpose which is attributable to us.
Additionally, the IP address provided by your Internet service provider (ISP), the date, and the time will also be stored when you register on our website. These data are stored on the basis that this is the only way in which the misuse of our services can be prevented, with these data allowing criminal offenses to be solved, if committed. The storing of these data is therefore necessary for our protection. These data shall generally not be shared with any third parties insofar as there is no legal requirement to do so or their disclosure does not serve the purpose of criminal prosecution.
Your registration involving the voluntary disclosure of personal data allows us to present you with content or services which, by their nature, can only be offered to registered users. Registered persons are at liberty to edit the personal data they provide during registration anytime or have them erased in full from the database.
Upon request, we will tell any data subject which personal data we have stored regarding them. Further, we will rectify or erase personal data upon request insofar as this is not excluded by any statutory record retention obligations. You may contact any of our employees in this regard.

7. Using our online shop

If you wish to place an order in our online shop, the conclusion of a contract is dependent upon your disclosing personal data which are needed by us to process your order. The mandatory information needed in order to process contracts is marked as such, while all other disclosures are voluntary. We will process the data you disclose in order to process your order. This can involve our sharing your payment details with our principal bank or an appointed payment service provider. The legal basis for this is point (b) of Article 6 (1) GDPR.
You have the option of creating a customer account, which involves our saving your data for subsequent purchases. When you create an account, the data you disclose will be revocably stored. You can erase all other data including your user account anytime in the customer area.
We can additionally process the data you disclose to notify you of other interesting products from our portfolio or to send you e-mails containing technical information.
We are obligated by commercial and tax law requirements to store your address, payment, and ordering details for a period of ten years.
The ordering process is encrypted by means of TLS technology to prevent unauthorized third-party access to your personal data, in particular financial data.

8. Data usage when subscribing to an e-mail newsletter

Users of the Hardenberg-Wilthen AG website have the option of subscribing to our company’s newsletter there. The personal data transmitted to us when subscribing to the newsletter depend on the input screen used.
Hardenberg-Wilthen AG notifies its customers and business partners about the company’s offers at regular intervals by means of a newsletter. As a rule, our company newsletter can only be received by a data subject if
(1)  the data subject has a valid e-mail address and
(2)  the data subject signs up to the newsletter mailing list.
For legal reasons, a double opt-in confirmation e-mail is first sent to the e-mail address provided by the data subject for receipt of the newsletter. This confirmation e-mail serves to verify that the owner of the e-mail address authorized receipt of the newsletter as the data subject.
When a data subject subscribes to the newsletter, we will additionally store the IP address of the computer system used at the time of subscription as provided by the Internet service provider (ISP) as well as the date and time of subscription. Collection of these data is necessary in order to be able to subsequently trace the (potential) misuse of a data subject’s e-mail address and therefore serves as legal protection for the processing controller.
The personal data collected in the course of newsletter subscription are used solely for the purpose of newsletter distribution. Further, newsletter subscribers may be notified by e-mail insofar as this is necessary for the running of the newsletter service or for registration purposes, as could be the case in the event of a change in the newsletter offer or a change in the technical conditions.
The personal data collected in relation to the newsletter service are not shared with any third parties (exception: newsletter service providers, see below). A data subject may cancel their newsletter subscription anytime. Consent to the storing of personal data as granted by a data subject for the purposes of newsletter distribution may be revoked anytime. Every newsletter contains a link for the purpose of revoking such consent. Further, newsletter subscription may be canceled anytime directly on our website or by informing us in any other way.

9. Data privacy notice regarding the application and use of the newsletter service provider LUPCOM media

On our website, you have the option of subscribing to our newsletter.
We use the newsletter service LUPCOM media for the distribution of our newsletter. The service provider is LUPCOM media GmbH, Rahnstädter Weg 33, 18069 Rostock, Germany, phone: +49-381-2035-4933, e-mail: info@lupcom.de, Internet: www.lupcom.de.
Our e-mail newsletter is distributed by this service provider, with whom we share the data you provided upon subscribing to the newsletter. This data disclosure is in accordance with point (f) of Article 6 (1) GDPR and serves our legitimate interest in the use of a promotionally effective, secure, and user-friendly newsletter system. The data you provide in order to receive the newsletter (e.g. e-mail address) are stored on LUPCOM media GmbH’s servers in Germany.
LUPCOM media GmbH uses this information in order to distribute and statistically analyze the newsletter on our behalf. These data are used solely for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better align future newsletters with the recipients’ interests.
If you wish to object to data analysis for statistical evaluation purposes, you must unsubscribe from the newsletter.
We have concluded a processing agreement with LUPCOM media GmbH which obligates LUPCOM media GmbH to protect our customers’ data and to not share them with any third parties.

10. Newsletter tracking

The newsletters of Hardenberg-Wilthen AG contain so-called tracking pixels. A tracking pixel is a miniature graphic which is embedded in e-mails sent in HTML format to enable log file recording and analysis. This allows for the statistical evaluation of the success or failure of online marketing campaigns. With an embedded tracking pixel, Hardenberg-Wilthen AG can determine whether a data subject opened an e-mail and if so, when, as well as which of the links in the e-mail were clicked on by the data subject.
The personal data collected by means of tracking pixels in the newsletters are stored and evaluated by us in order to optimize newsletter distribution and better align the content of future newsletters with the data subject’s interests. These personal data are not shared with any third parties. Data subjects are at liberty to revoke their declaration of consent granted separately in this regard via the double opt-in procedure anytime. Upon revocation, these personal data will be erased by us. Hardenberg-Wilthen AG automatically interprets the cancellation of a newsletter subscription to be a revocation.

11. Making contact via the website

In accordance with legal requirements, the Hardenberg-Wilthen AG website contains information which allows for quick electronic contact and direct communication with us, including a general electronic mail (e-mail) address. Insofar as you contact us by e-mail or using a contact form, the personal data you provide will be automatically stored. Such personal data provided voluntarily by you are used for processing purposes or in order to contact you. These personal data are not shared with any third parties.

12. Routine erasure and blocking of personal data

We process and store your personal data only for as long as is necessary to achieve the purpose of their storage or insofar as this is prescribed in the laws or provisions of the European legislator or of another lawmaker to which we are subject.
If the storage purpose no longer applies or if the retention period prescribed by the European legislator or another competent lawmaker expires, the personal data shall be routinely blocked or erased in accordance with the legal provisions.

13. Rights of the data subject

a) Right to confirmation
Every data subject has the right granted by the European legislator to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to exercise this right to confirmation, he or she can contact an employee of the controller anytime.
b) Right of access
Every data subject whose personal data are processed has the right granted by the European legislator to access information free of charge anytime regarding the personal data stored about him or her and to receive a copy of this information. Further, the European legislator affords data subjects access to the following information:
·      The purposes of the processing
·      The categories of personal data concerned
·      The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
·      Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
·      The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
·      The right to lodge a complaint with a supervisory authority
·      Where the personal data are not collected from the data subject, any available information as to their source
·      The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Further, the data subject has the right to know whether personal data were transferred to a third country or to an international organization. If so, the data subject additionally has the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to exercise this right of access, he or she can contact an employee of the controller anytime.
c) Right to rectification
Every data subject whose personal data are processed has the right granted by the European legislator to have inaccurate personal data concerning him or her rectified without undue delay. Further, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, he or she can contact an employee of the controller anytime.
d) Right to erasure (right to be forgotten)
Every data subject whose personal data are processed has the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and insofar as the processing is not necessary:
·      The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
·      The data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1) or point (a) of Article 9 (2) GDPR and where there is no other legal ground for the processing.
·      The data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR.
·      The personal data have been unlawfully processed.
·      The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
·      The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
Insofar as one of the above reasons applies and a data subject wishes to have personal data stored by Hardenberg-Wilthen AG erased, he or she can contact an employee of the controller anytime. The Hardenberg-Wilthen AG employee will see to it that the erasure procedure is performed without undue delay.
Where Hardenberg-Wilthen AG has made the personal data public and is obligated pursuant to Article 17 (1) GDPR to erase the personal data as the controller, taking account of available technology and the cost of implementation, Hardenberg-Wilthen AG shall take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data insofar as its processing is not necessary. The Hardenberg-Wilthen AG employee will initiate the necessary steps on a case-by-case basis.
e) Right to restriction of processing
Every data subject whose personal data are processed has the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:
·      The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
·      The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
·      The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.
·      The data subject has objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Insofar as one of the above applies and a data subject wishes the processing of personal data stored by Hardenberg-Wilthen AG to be restricted, he or she can contact an employee of the controller anytime. The Hardenberg-Wilthen AG employee will initiate the restriction of processing.
f) Right to data portability
Every data subject whose personal data are processed has the right granted by the European legislator to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format. Further, he or she has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR and the processing is carried out by automated means, insofar as processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Further, in exercising his or her right to data portability pursuant to Article 20 (1) GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and insofar as this does not adversely affect the rights and freedoms of others.
The data subject may contact an employee of Hardenberg-Wilthen AG anytime to assert his or her right to data portability.
g) Right to object
Every data subject whose personal data are processed has the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) GDPR. This includes profiling based on those provisions.
In the event of an objection, Hardenberg-Wilthen AG shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
Where Hardenberg-Wilthen AG processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to Hardenberg-Wilthen AG processing his or her data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Further, where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject may contact any employee of Hardenberg-Wilthen AG or another employee directly to exercise his or her right to object. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may additionally exercise his or her right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
Every data subject whose personal data are processed has the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her insofar as the decision
(1) is not necessary for entering into, or performance of, a contract between the data subject and a data controller, or
(2) is not authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
(3) is not based on the data subject’s explicit consent.
If the decision
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller, or
(2) is based on the data subject’s explicit consent,
Hardenberg-Wilthen AG shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If the data subject wishes to exercise his or her rights regarding automated decision-making, he or she can contact an employee of the controller anytime.
i) Right to withdraw privacy policy consent
Every data subject whose personal data are processed has the right granted by the European legislator to withdraw his or her consent to the processing of personal data at any time.
If the data subject wishes to exercise his or her right to withdraw consent, he or she can contact an employee of the controller anytime.
j) Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Contact details of the competent supervisory authority:
Data Protection Commissioner for Lower Saxony
Barbara Thiel
Prinzenstrasse 5
30159 Hanover
Phone: +49-511-120-4500
Fax: +49-511-120-4599
E-mail: poststelle@lfd.niedersachsen.de
Homepage: https://www.lfd.niedersachsen.de

14.    Data protection for applications and during the application process

We collect and process the personal data of applicants for the purpose of handling the application process. This processing may also occur in electronic form. This is the case in particular if an applicant sends us application documents electronically, such as by e-mail or via an online form on the website.
If we conclude a contract of employment with an applicant, the data provided shall be stored for the purpose of processing the employment relationship subject to the legal requirements. If we do not conclude a contract of employment with the applicant, the application documents shall be automatically erased six months after announcement of the decision to reject the applicant insofar as this erasure is not excluded by any other legitimate interests on our part. Another legitimate interest in this context is, for example, the burden of proof in legal proceedings pursuant to Germany’s General Act on Equal Treatment (AGG).

15.    Application and use of Facebook Custom Audiences incl. the Facebook pixel

This website uses the Custom Audiences remarketing function belonging to Facebook Inc. (“Facebook”). This allows users of the website to be shown interest-based advertisements (“Facebook ads”) when visiting the Facebook social network or other websites which likewise use this method. In this way, we pursue our interest in showing you advertising which is of interest to you in order to make our website more interesting for you. Your explicit consent is needed for this.
Facebook Custom Audiences is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland.
Based on the marketing tools used, your browser automatically establishes a direct link to the Facebook server. We have no influence over the volume of data collected by Facebook due to the use of this tool or over their further use and are therefore notifying you about what we know accordingly: with the incorporation of Facebook Custom Audiences, Facebook is informed that you viewed a page on our website or clicked on one of our ads. If you are registered with a Facebook service, Facebook can associate your visit with your account. Even if you are not registered with Facebook or have not logged in, the service provider can nevertheless gain knowledge of and store your IP address and other identifiers.
The legal basis for the processing of your data is your consent pursuant to point (a) of Article 6 (1) GDPR.
Withdrawing your consent
We use Facebook Custom Audiences only with your consent. Once you have granted your consent, you can withdraw it by
·      preventing cookies from being stored by adjusting your browser software settings; please note that in this case you may not be able to use all of our website’s functions in full;
·      deactivating your consent using our consent tool;
·      deactivating the Facebook Custom Audiences function as a logged-in user at https://www.facebook.com/settings/?tab=ads#.
For more information about data processing at Facebook, go to https://www.facebook.com/about/privacy.

16.    Data protection notice for our Facebook fan page

We run a so-called Facebook fan page on the social media platform Facebook. Facebook Ireland Ltd (“Facebook”) provides us as the operator with Facebook Insights. These are various statistics which provide us with information about how our Facebook fan page is used by its visitors. More information on this can be found at https://www.facebook.com/business/pages/manage#page_insights.
Various types of information provided by you (including personal data) are processed by Facebook to generate these statistics.
We and Facebook have joint controllership regarding processing of the Insights data pursuant to Article 26 GDPR. Facebook produced an updated Page Insights Addendum for the detailed regulation of both parties’ responsibilities, which entered into force on November 28, 2019, and which has applied to the continued use of Facebook pages since then.
In the interests of due transparency, we are providing this information from Facebook below verbatim; you can additionally find this directly at Facebook at https://www.facebook.com/legal/terms/page_controller_addendum.

* * *
Information about Page Insights

When people use the Facebook Products, including Pages, Facebook (also “we” or “us”) collects information as described in Facebook’s Data Policy under “What kinds of information do we collect?” (for information on how we use cookies and similar technologies, see our Cookies Policy).
This includes information about how people use the Facebook Products, such as the types of content that they view or engage with, or the actions they take (see under “Things that you and others do and provide” in Facebook’s Data Policy), as well as information about the devices they use (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under “Device information” in Facebook’s Data Policy). Which information Facebook actually collects depends on whether and how people use the Facebook Products.
As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services called Page Insights to Page admins to help them understand how people interact with their Pages and the content associated with them. The processing of personal data for Page Insights might be subject to the joint controllership arrangement (Page Insights Controller Addendum) below.
Data processing for Page Insights
Page Insights are aggregated statistics that are created from certain events logged by Facebook servers when people interact with Pages and the content associated with them.
Such events are made up of varying data points such as the following depending on the specific event:
·       An action. This includes actions like the following (you can see actions available for your Page in your Page’s Insights section):
o  Viewing a Page, post, video, story or other content associated with a Page
o  Interacting with a story
o  Following or unfollowing a Page
o  Liking or unliking a Page or post
o  Recommending a Page in a post or comment
o  Commenting on, sharing or reacting to a Page’s post (including the type of reaction)
o  Hiding a Page’s post or reporting it as spam
o  Hovering over a link to a Page or a Page’s name or profile picture to see a preview of the Page’s content
o  Clicking on the website, phone number, Get Directions button or other button on a Page
o  Having a Page’s event on screen, responding to an event including type of reaction, clicking on a link for event tickets
o  Starting a Messenger communication with the Page
o  Viewing or clicking on items in Page’s shop
·       Information about the action, the person taking the action, and the browser/app used for it such as the following:
o  Date and time of action
o  Country/city (estimated from IP address or imported from user profile for logged in users)
o  Language code (from browser’s http header and/or language setting)
o  Age/gender group (from user profile for logged in users only)
o  Website previously visited (from browser’s http header)
o  Whether the action was taken from a computer or mobile device (from browser’s user agent or app attributes)
o  FB user ID (for logged in users only)
We determine whether people are logged in users of Facebook via cookies in accordance with our Cookies Policy. Only a few events can be triggered by people not logged in to Facebook. This includes visiting a Page or clicking on a photo or video in a post to view it.
Page admins do not have access to the personal data processed as part of events but only to the aggregated Page Insights. Events used to create Page Insights do not store IP addresses, cookie IDs or any other identifiers associated with people or their devices aside from a FB user ID for people logged in to Facebook.
The events logged by Facebook in order to create Page Insights are solely defined by Facebook and cannot be set, changed or otherwise be influenced by Page admins.
Page Insights Controller Addendum
Where an interaction of people with your Page and the content associated with it triggers the creation of an event for Page Insights which includes personal data for whose processing you (and/or any third party for whom you are creating or administering the Page) determine the means and purposes of the processing jointly with Facebook Ireland Limited, you acknowledge and agree on your own behalf (and as agent for and on behalf of any such other third party) that this Page Insights Controller Addendum (“Page Insights Addendum”) applies:
·       You and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook Ireland”, “we” or “us”; together the “Parties”) acknowledge and agree to be joint controllers in accordance with Article 26 GDPR for the processing of such personal data in events for Page Insights (“Insights Data”). The joint controllership covers the creation of those events and their aggregation into Page Insights that are provided to Page admins. The Parties agree that for any other processing of personal data in connection with a Page and/or the content associated with it for which there is no joint determination of the purposes and means, Facebook Ireland and, as the case may be, you, remain separate and independent controllers.
·       The processing of Insights Data is subject to the provisions of this Page Insights Addendum. They apply to all activities in the course of which Facebook Ireland, its employees or processor(s) process Insights Data.
·       Facebook Ireland’s and your responsibilities for compliance with the obligations under the GDPR with regard to the processing of Insights Data are determined as follows:
o  Facebook Ireland: Facebook Ireland will ensure it has a legal basis for the processing of Insights Data which is set out in Facebook Ireland’s Data Policy (see under “What is our legal basis for processing data?”). Unless specified otherwise in this Page Insights Addendum, between you and Facebook Ireland, Facebook Ireland assumes the responsibility for compliance with the applicable obligations under the GDPR for the processing of Insights Data (including, but not limited to, Articles 12 and 13 GDPR, Articles 15 to 21 GDPR, Articles 33 and 34 GDPR). Facebook Ireland will implement appropriate technical and organizational measures to ensure the security of the processing in accordance with Article 32 GDPR. This does include the measures listed in the Annex below (as updated from time to time, for example to reflect technological developments). All employees of Facebook Ireland involved in the processing of Insights Data are bound by appropriate obligations to maintain the confidentiality of Insights Data.
o  Page admins: You should ensure that you also have a legal basis for the processing of Insights Data. In addition to the information provided to data subjects by Facebook Ireland via the Information about Page Insights, you should identify your own legal basis including the legitimate interests you pursue, if applicable, the responsible data controller(s) on your side including their contact details as well as the contact details of the data protection officer(s) (Article 13(1)(a-d) GDPR), if any.
·       Facebook Ireland will make the essence of this Page Insights Addendum available to data subjects (Article 26(2) GDPR). This is currently done via the Information about Page Insights data which can be accessed from all Pages.
·       Facebook Ireland decides in its sole discretion how to comply with its obligations under this Page Insights Addendum. You acknowledge and agree that only Facebook Ireland has the power to implement decisions about the processing of Insights Data. You also acknowledge and agree that the lead supervisory authority for the joint processing is the Irish Data Protection Commission (notwithstanding Article 55(2) GDPR, where applicable).
·       This Page Insights Addendum does not grant you any right to request the disclosure of personal data of Facebook users that is processed in connection with Facebook Products, including for Page Insights that we provide to you.
·       The Parties designate the communication channels referenced in the Information about Page Insights data or in any subsequent document as contact points for data subjects.
·       If data subjects exercise their rights under the GDPR with regard to the processing of Insights Data against you (Article 26(3) GDPR), or you are contacted by a supervisory authority with regard to the processing of Insights Data, each a “Request”, you will forward all relevant information regarding such Requests to us promptly but within a maximum of seven calendar days. For this purpose, you can submit this form. Facebook Ireland agrees to answer Requests from data subjects in accordance with our obligations under this Page Insights Addendum. You agree to take all reasonable endeavors in a timely manner to cooperate with us in answering any such Request. You are not authorized to act or answer on Facebook Ireland’s behalf.
·       If you use a Page, you agree that any claim, cause of action or dispute that you have against us, which arises out of or relates to this Page Insights Addendum, must be resolved exclusively in the courts of Ireland, that you irrevocably submit to the jurisdiction of the Irish courts for the purpose of litigating any such claim and that the laws of Ireland will govern this Page Insights Addendum, without regard to conflict of law provisions. If you are a consumer who habitually resides in a Member State of the European Union, only 4.4 of our Terms of Service applies.
·       We may need to update this Page Insights Addendum from time to time. By continuing any use of Pages after any notification of an update to this Page Insights Addendum, you agree to be bound by it. If you do not agree to the updated Page Insights Addendum, please stop all use of Pages. If you are a consumer who habitually resides in a Member State of the European Union, only 4.1 of our Terms of Service applies.
·       If any portion of this Page Insights Addendum is found to be unenforceable, the remaining portion will remain in full force and effect. If we fail to enforce any portion of this Page Insights Addendum, it will not be considered a waiver. Any amendment to or waiver of these terms requested by you must be made in writing and signed by us.
·       This Page Insights Addendum applies only to the processing of personal data within the scope of Regulation (EU) 2016/679 (“GDPR”). “personal data”, “processing”, “controller”, “processor”, “supervisory authority” and “data subject” in this Page Insights Addendum have the meanings set out in the GDPR.

Annex: Security
“Applicable Products” includes Facebook Pages and Page Insights.
1.    Organization of Information Security
Facebook has a designated security officer with overall responsibility for security in the organization. Facebook has personnel responsible for oversight of security of the Applicable Products.
2.    Physical and Environmental Security
Facebook’s security measures include controls designed to provide reasonable assurance that physical access to data processing facilities is limited to authorized persons and that environmental controls are established to detect, prevent, and control destruction due to environmental hazards. The controls include:
a.   Logging and auditing of physical access to the data processing facility by employees and contractors;
b.   Camera surveillance systems at the data processing facility;
c.   Systems that monitor and control the temperature and humidity for the computer equipment at the data processing facility;
d.   Power supply and backup generators at the data processing facility;
e.   Procedures for secure deletion and disposal of data, subject to the Applicable Product Terms; and
f.   Protocols requiring ID cards for entry to all Facebook facilities for all personnel working on the Applicable Products.
3.    Personnel
a.   Training. Facebook ensures that all personnel with access to Insights Data undergo security training.
b.   Screening and Background Checks. Facebook has a process for:
i. verifying the identity of the personnel with access to Insights Data; and
ii. performing background checks, where legally permissible, on personnel working on or supporting aspects pertaining to the Applicable Products in accordance with Facebook standards.
c.   Personnel Security Breach. Facebook takes disciplinary action in the event of unauthorized access to Insights Data by Facebook personnel, including, where legally permissible, punishments up to and including termination.
4.    Security Testing
Facebook performs regular security and vulnerability testing to assess whether key controls are implemented properly and are effective.
5.    Access Control
a.   Password Management. Facebook has established procedures for password management for its personnel, designed to ensure passwords are personal to each individual, and inaccessible to unauthorized persons, including at minimum:
i.     password provisioning, including procedures designed to verify the identity of the user prior to a new, replacement, or temporary password;
ii.    cryptographically protecting passwords when stored in computer systems or in transit over the network;
iii.   altering default passwords from vendors;
iv.   strong passwords relative to their intended use; and
v.    education on good password practices.
b.   Access Management. Facebook also controls and monitors its personnel’s access to its systems using the following:
i.     established procedures for changing and revoking access rights and user IDs, without undue delay;
ii.    established procedures for reporting and revoking compromised access credentials (passwords, tokens etc.);
iii.   maintaining appropriate security logs including where applicable with user ID and timestamp;
iv.   synchronizing clocks with NTP; and
v.    logging the following minimum user access management events:
·     Authorization changes;
·     Failed and successful authentication and access attempts; and
·     Read and write operations.
6.     Communications Security
a.   Network Security
i.     Facebook employs technology that is consistent with industry standards for network segregation.
ii.    Remote network access to Facebook systems requires encrypted communication via secured protocols, and use of multi-factor authentication.
b.   Protection of Data in Transit. Facebook enforces use of appropriate protocols designed to protect the confidentiality of data in transit over public networks.
7.    Vulnerability Management
Facebook institutes and maintains a vulnerability management program covering the Applicable Products that includes definitions of roles and responsibilities for vulnerability monitoring, vulnerability risk assessment, and patch deployment.
8.    Security Incident Management
a.   Facebook maintains a security incident response plan for monitoring, detecting, and handling possible security incidents affecting Insights Data. The security incident response plan at least includes definitions of roles and responsibility, communication, and post mortem reviews, including root cause analysis and remediation plans.
b.   Facebook monitors for any security breaches and malicious activity affecting Insights Data.
* * *

Below you will find important information about the agreement concluded by and between Facebook and us pursuant to Article 26 GDPR.
Joint controllership is held by
Facebook Ireland Ltd
4 Grand Canal Square
Dublin 2
Ireland
and
Hardenberg-Wilthen AG
Vorderhaus 2
37176 Nörten-Hardenberg
Phone: +49-5503-8020
Fax: +49-5503-802-159
E-mail: marketing@hardenberg-wilthen.de
Internet: www.hardenberg-wilthen.de
Facebook has assumed primary responsibility for all data processing obligations pursuant to the GDPR. Specifically, this means:
·      Facebook assumes the necessary information obligations (e.g. pursuant to Article 13 GDPR)
·      Data subject rights can be asserted against Facebook (e.g. right of access or to erasure, objection to data processing, or withdrawal of consent granted)
·      Safeguarding of the technical and organizational measures for data processing
Facebook provides detailed information regarding data processing at www.facebook.com (Article 13 GDPR). To give you an overview of the material information, we also make reference within this data privacy notice to the content and links provided there by Facebook.
Irrespective of Facebook’s primary responsibility, you may also assert your rights directly against us in accordance with the GDPR. We will then forward your inquiry to Facebook using a form made available for this purpose.
You will find Facebook’s legal bases and purposes of processing at https://www.facebook.com/about/privacy/legal_bases and https://www.facebook.com/policy.php.
We have a legitimate interest in being able to track user behavior on our Facebook fan page; accordingly, the legal basis for processing the data is point (f) of Article 6 (1) GDPR. This enables us to record the reach and effectiveness of our activities such as campaigns and posts on the basis of processed statistics. In this way, we can continuously optimize our website and our products and services, as is also the purpose of the processing pursuant to the GDPR.
In particular, Facebook can process the following data:
·      User interaction such as click behavior, posts, likes, video views, page views, etc.
·      Cookies
·      Demographic characteristics such as age, gender, federal state, etc.
·      IP address
·      System and device information (browser type, operating system, etc.)
When you visit our Facebook fan page, the exact processing of your data depends on whether you have a Facebook account or not. If you have an account with Facebook, Facebook can permanently associate the data with your account to learn more about you.
Even if you do not have an account with Facebook, Facebook can still store your data. This can be achieved using cookies. These allow Facebook to store and process information about you even if you do not have a Facebook account. You can find further information about Facebook cookies at https://www.facebook.com/policies/cookies/.
Facebook only provides us with anonymized statistics about the use of our fan page. We can only see how many users have performed which interactions, but not which user has performed a particular action. The Insights data statistics do not, therefore, allow us to draw conclusions about a specific person.
In an annex to the information on Page Insights, Facebook also provides information on the technical and organizational measures taken in accordance with Article 32 GDPR to protect your data.
You can assert your aforementioned rights directly against Facebook or against us in cases of joint controllership.
You can also adjust your settings for the use of cookies at https://www.facebook.com/policies/cookies/. Under the sections “If you have a Facebook Account” (Facebook account available) and “Everyone” (no Facebook account available), you will find information on how you can object to Facebook’s processing.
You can determine the storage duration of the respective cookies via your browser when you display the cookies (usually by clicking on the “i” next to the address bar, e.g. in Firefox or Google Chrome).

17.    Information about Google services

We use various services provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland, on our website. You will find further details regarding the specific Google services used on this website below in this data privacy notice.
The integration of the Google services allows Google to collect and process information (including personal data). It cannot be excluded that Google also transfers this information to a server in a third country.
As stated in Google’s Privacy Shield certification (which is available at https://www.privacyshield.gov/list with the search term “Google”; see also https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI), Google has committed to complying with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework on the collection, use, and storage of personal data from EU Member States and Switzerland respectively. Google (including Google, LLC and its wholly owned subsidiaries in the U.S.) has declared with its certification that it will observe the Privacy Shield principles. You can find further information at https://policies.google.com/privacy/frameworks.
We cannot influence which data Google actually collects and processes. However, Google states that it may process the following information (including personal data):
·      Log data (in particular IP address)
·      Location-related information
·      Unique application numbers
·      Cookies and similar technologies
If you are logged in to your Google account, Google can – depending on your account settings – add the processed information to your account and treat it as personal data. You can find further information at https://policies.google.com/privacy/google-partners.
Among other things, Google states the following:
“We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know. Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.” (https://www.google.com/intl/en/policies/privacy/archive/20171002/)
You can prevent this information from being added directly by signing out of your Google account or by changing the appropriate account settings in your Google account.
You can also change your cookie settings (e.g. delete cookies, block cookies, etc.).
Further information can be found in the Google privacy policy, which is available here: https://www.google.com/policies/privacy/.
For information regarding Google’s privacy settings, please refer to https://privacy.google.com/take-control.html.
The provision of personal data is required neither by law nor contractually, nor is it necessary for the conclusion of a contract. There is also no obligation for you to provide personal data. However, failure to provide data may mean that you are unable to use some of the functions of our website or cannot use them in full.

18.    Application and use of Google Analytics for Web analytics

We have integrated the component Google Analytics into this website (with the anonymization function). Google Analytics is a Web analytics service. Web analytics is the collection, compilation, and evaluation of data on the behavior of visitors to websites. Among other things, a Web analytics service collects data about the website from which a data subject accessed a website (so-called referrer), which subpages of the website were accessed, or how often and for how long a subpage was viewed. Web analytics is used primarily to optimize a website and for the cost-benefit analysis of online advertising.
The Google Analytics component is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.
We only use Google Analytics with activated IP anonymization (“anonymize IP”). Using this addition, your Internet connection’s IP address is truncated and anonymized by Google if our website is accessed from a Member State of the European Union or from another state that is a party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is the analysis of visitor flows on our website. Among other things, Google uses the data and information obtained to evaluate the use of our website, to compile online reports for us which show the activities on our website, and to provide further services in connection with the use of our website.
The legal basis for the processing of your data is your consent pursuant to point (a) of Article 6 (1) GDPR.
Google Analytics places a cookie within your system. By placing a cookie, Google is able to analyze the use of our website. Every time you visit an individual page of this website which is operated by us and into which a Google Analytics component has been integrated, your system’s Internet browser is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google receives knowledge of personal data such as your IP address, which Google uses, among other things, to trace the origin of visitors and clicks and subsequently to enable commission settlements.
The cookie is used to store personal information such as the time of access, the location from which access was made, and the frequency of your visits to our website. Whenever you visit our website, these personal data, including your Internet connection’s IP address, are transmitted to Google in the United States of America. These personal data are stored by Google in the United States of America. Google may disclose these personal data collected via the technical process to third parties.
You can prevent the placement of cookies by our website anytime with a corresponding setting in the Internet browser used and thus permanently object to the placement of cookies. This setting on the Internet browser used would also prevent Google from placing a cookie within your system. A cookie that has already been placed by Google Analytics can be deleted anytime via the Internet browser or other software programs.
You also have the option of objecting to and preventing the collection of data generated by Google Analytics and related to the use of this website as well as the processing of these data by Google. To do so, you must download and install a browser add-on under the link https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information about visits to websites may be transmitted to Google Analytics. Google treats installation of the browser add-on as an objection. If your system is deleted, formatted, or reinstalled at a later date, you will need to reinstall the browser add-on to disable Google Analytics. If the Browser Add-On is uninstalled or deactivated by you or another person within your sphere of influence, you have the option of reinstalling or reactivating the Browser Add-On.
Further information and the applicable Google privacy policy can be found at https://www.google.de/intl/en/policies/privacy/ and at https://marketingplatform.google.com/about/analytics/terms/us/. Google Analytics is explained in greater detail at https://www.google.com/intl/en_gb/analytics/.
Withdrawing your consent
We only use Google Analytics with your consent. Once granted, you can withdraw your consent by
·      preventing cookies from being stored by adjusting your browser software settings; please note that in this case you may not be able to use all of our website’s functions in full.
·      downloading and installing the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en
·      unchecking the consent to Google Analytics in the consent tool to prevent collection by Google Analytics on our website in the future. An opt-out cookie is stored in your browser. Please note that you must activate the opt-out cookie in every browser you use on all of your devices and that you may need to reactivate it if you delete all the cookies in a browser.

19.    Integration of Google Maps

We have incorporated Google Maps into our website. This enables us to show you interactive maps directly within the website and allows you to use the map function at your convenience.
Google Maps is operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google processes your data in the USA and has committed itself to the EU–U.S. Privacy Shield. More information on this can be found at https://www.privacyshield.gov/EU-US-Framework.
When you visit the website, Google is notified that you viewed the subpage in question on our website irrespective of whether you are logged in via a user account provided by Google or whether no user account is used. If you are logged in to Google, your data will be directly associated with your account.
More information on Google’s data processing can be found in the Google data privacy notice at https://policies.google.com/privacy. There, you can also change your personal data protection settings in the data protection center. Additional terms of use for Google Maps can be found at https://www.google.com/intl/en_us/help/terms_maps/.
The legal basis for the processing of your data is your consent pursuant to point (a) of Article 6 (1) GDPR.
Withdrawing your consent
We only use Google Maps with your consent. Once granted, you can withdraw your consent by
·      preventing cookies from being stored by adjusting your browser software settings; please note that in this case you may not be able to use all of our website’s functions in full;
·      deactivating your consent using our consent tool;
·      disabling JavaScript in your browser settings. In this case, however, you cannot use our website or can only use it to a limited extent.
If you do not wish data to be associated with your Google profile, you must log out of Google before clicking on the button. Google records your data as usage profiles and uses it for advertising and market research purposes and/or for needs-based website design purposes. This form of data usage serves in particular to provide needs-based advertising (including to users who are not logged in) and to notify other social network users of your activities on our website. You are at liberty to object to the creation of such user profiles and must contact Google in order to exercise this right.
We do not collect personal data by integrating Google Maps.
You provide your personal data voluntarily, solely on the basis of your consent. If you prevent access, however, this may result in functional restrictions on the website.

20.    Application and use of Instagram

We have incorporated components of the Instagram service into our website. Instagram is a service that qualifies as an audiovisual platform and which allows users to share photos and videos and also to distribute such data in other social networks.
The Instagram services are operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Whenever an individual page operated by us and featuring an integrated Instagram component (Insta button) is viewed, your system’s Internet browser is automatically prompted by the Instagram component to download a representation of the component in question from Instagram. This technical process allows Instagram to know which specific subpage of our site you are visiting.
If you are logged in to Instagram at the same time, Instagram will recognize which specific subpage you are visiting each time you access our site and for the duration of your visit to our site. This information is collected by the Instagram component and is associated with your Instagram account by Instagram. If you click on an Instagram button integrated into our website, the data and information transmitted with it are associated with your personal Instagram user account and are stored and processed by Instagram.
Whether or not you click on the Instagram component, the Instagram component will inform Instagram whenever you visit our website if you are logged in to Instagram at the same time as accessing our website. If you do not want this information to be sent to Instagram, you can prevent it from being sent by logging out of your Instagram account before visiting our website.
Further information and the applicable Instagram privacy policy can be found at https://help.instagram.com/155833707900388 and at https://www.instagram.com/about/legal/privacy/.

21.    Application and use of Pinterest as a social network

We have incorporated components of Pinterest Inc. into our website. Pinterest is a so-called social network. A social network is a social meeting point operated on the Internet, an online community that usually enables users to communicate with each other and to interact in virtual space. A social network can serve as a platform for the exchange of opinions and experiences or enables the Internet community to provide personal or company-related information. Pinterest enables the users of the social network to publish, among other things, picture collections and single pictures as well as descriptions on virtual pin boards (so-called pinning), which can then be shared (so-called repinning) or commented on by other users.
Pinterest is operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
Whenever a Web page operated by us and featuring an integrated Pinterest component (Pinterest plugin) is viewed, your system’s Internet browser is automatically prompted by the Pinterest component to download a representation of the component in question from Pinterest. More information about Pinterest can be found at https://pinterest.com/. This technical process allows Pinterest to know which specific subpage of our site you are visiting.
If you are logged in to Pinterest at the same time, Pinterest will recognize which specific subpage you are visiting each time you access our site and for the duration of your visit to our site. This information is collected by the Pinterest component and is associated with your Pinterest account by Pinterest. If you click on a Pinterest button integrated into our website, Pinterest associates this information with your personal Pinterest user account and stores this personal data.
Whether or not you click on the Pinterest component, the Pinterest component will inform Pinterest whenever you visit our website if you are logged in to Pinterest at the same time as accessing our website. If you do not want this information to be sent to Pinterest, you can prevent it from being sent by logging out of your Pinterest account before visiting our website.
The Pinterest privacy policy, which can be found at https://policy.pinterest.com/en/privacy-policy, provides information regarding the collection, processing, and use of personal data by Pinterest.

22.    Integration of the Trusted Shops Trustbadge

We use the Trustbadge® plugin or widget from Trusted Shops on our website. Trusted Shops is operated by Trusted Shops GmbH, Colonius Carré, Subbelrather Strasse 15c, 50823 Cologne, phone: +49-221-775-366, fax: +49-221-775-3689, e-mail: info@trustedshops.de.
With the Trusted Shops Trustbadge® plugin or widget, we can present a summary of our current profile at Trusted Shops directly on our website. Our website therefore also shows how other users have rated us and what Trusted Shops ranking we have. Last, but not least, its integration enables our profile to be found immediately, allowing you to obtain further information about us and also rate us yourself.
The Trusted Shops plugin or widget is integrated into our website via an interface (“API”) to Trusted Shops using JavaScript. The Trustbadge also places cookies.
When the Trustbadge is called up, the Web server automatically saves a so-called server log file which contains, for example, your IP address, the date and time of access, the volume of data transferred, and the requesting provider (access data) and documents the access. These access data are not evaluated.
Additional personal data are only transferred to Trusted Shops insofar as you have given your consent to this, you decide to use Trusted Shops products after placing an order, or you have already registered for use. In this case, the contractual agreement between you and Trusted Shops applies.
We do not collect any data ourselves if you view the Trustbadge.
The purpose of processing the data is to include a summary of our Trusted Shops profile on our website and in particular to display our Trusted Shops trustmark and any reviews compiled.
We wish to present our profile and our rating at Trusted Shops to visitors to our website. The aim is to enable visitors to gain an initial impression of us. In addition, we have a legitimate interest in ensuring that visitors to our website are directed to our correct profile. In this way, we can prevent visitors from accidentally calling up incorrect Trusted Shops profiles with similar or the same names.
Trusted Shops states that it automatically overwrites the data no later than seven days after the end of your visit to the site.
The legal basis for the processing of your data is your consent pursuant to point (a) of Article 6 (1) GDPR.
Withdrawing your consent
We only use the Trusted Shops Trustbadge with your consent. Once granted, you can withdraw your consent by
·      preventing cookies from being stored by adjusting your browser software settings; please note that in this case you may not be able to use all of our website’s functions in full;
·      deactivating your consent using our consent tool.
You can find the Trusted Shops privacy statement together with the imprint at https://www.trustedshops.eu/legal-notice-privacy.html.

23.    Integration of YouTube videos

We have incorporated components of YouTube into our website. YouTube is an online video portal which allows video publishers to upload video clips free of charge and other users to view, rate, and comment on said videos, likewise free of charge. YouTube permits any kind of video to be published. Consequently, entire movies and TV shows, music videos, trailers, and clips made by the users themselves can be accessed via the online portal.
YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland.
Whenever an individual page operated by us and featuring an integrated YouTube component (YouTube video) is viewed, your system’s Internet browser is automatically prompted by the YouTube component to download a representation of the component in question from YouTube.
More information on YouTube can be found at https://www.youtube.com/about/. This technical process allows YouTube and Google to know which specific subpage of our site you are visiting.
If you are simultaneously logged in to YouTube, this information is collected by YouTube and Google and associated with your YouTube account.
Whether or not you click on a YouTube video, the YouTube component will inform YouTube and Google whenever you visit our website if you are logged in to YouTube at the same time as accessing our website. If you do not want this information to be sent to YouTube and Google, you can prevent it from being sent by logging out of your YouTube account before visiting our website.
YouTube’s published privacy policy, which can be found at https://policies.google.com/privacy, provides information regarding the collection, processing, and use of personal data by YouTube and Google.

24.    Application and use of the PayPal payment method

We have incorporated components of PayPal into our website. PayPal is an online payment service provider. Payments are effected via so-called PayPal accounts, which represent virtual private or business accounts. With PayPal, there is also the option of effecting virtual payments via credit cards if a user does not have a PayPal account. We also process the payment methods “SEPA direct debit” and “invoice” via the service provider PayPal. A PayPal account is managed via an e-mail address, which is why there is no conventional account number. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also acts as a trustee and offers buyer protection services.
PayPal is operated in Europe by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg.
If you select PayPal as the payment option during the ordering process in our online shop, your data will be automatically transmitted to PayPal. By selecting this payment option, you consent to the transmission of the personal data required for payment processing.
The personal data transmitted to PayPal are usually your first name, last name, address, e-mail address, IP address, telephone number, cell phone number, or other data that are necessary for payment processing. In order to process the purchase contract, personal data related to the respective order are also necessary.
The purpose of transmission of the data is to process payments and prevent fraud. We will transmit personal data to PayPal in particular if there is a legitimate interest in the transmission. The personal data exchanged between PayPal and us may be transmitted by PayPal to credit reference agencies. The purpose of this transmission is to verify identity and creditworthiness.
PayPal may pass personal data on to affiliated companies and service providers or subcontractors insofar as this is necessary to fulfill the contractual obligations or the order data are to be processed.
You have the option of revoking your consent to the handling of personal data from PayPal anytime. A revocation does not affect personal data that must be processed, used, or transmitted for (contractual) payment processing.
PayPal’s current privacy policy can be found at https://www.paypal.com/webapps/mpp/ua/privacy-full.

25.    Application and use of the Sofort credit transfer payment method from Klarna

We have incorporated components of Sofort credit transfers into our website. Sofort is a payment service that allows for cashless payment for products and services online. Sofort represents a technical process via which the online retailer immediately receives a payment confirmation. This enables a retailer to deliver goods, services, or downloads to the customer immediately upon an order being placed.
Sofort is operated by Klarna Bank AB, Sveavägen 46, 111 34 Stockholm, Sweden.
If you select Sofort as the payment option during the ordering process in our online shop, your data will be automatically transmitted to Sofort. By selecting this payment option, you consent to the transmission of the personal data required for payment processing.
When making a purchase using Sofort, the buyer transmits their PIN and TAN to Sofort GmbH (part of the Klarna Group). Sofort then effects a transfer to the online retailer after a technical check of the account balance and access to further data to check the account funds. The online retailer is then automatically notified that a financial transaction has been executed.
The personal data shared with Sofort are your first name, last name, address, e-mail address, IP address, telephone number, cell phone number, or other data that are necessary for payment processing. The purpose of transmission of the data is to process payments and prevent fraud. We will additionally transmit other personal data to Sofort if there is a legitimate interest in the transmission. The personal data exchanged between Sofort and us may be transmitted by Sofort to credit reference agencies. The purpose of this transmission is to verify identity and creditworthiness.
Sofort may pass personal data on to affiliated companies and service providers or subcontractors insofar as this is necessary to fulfill the contractual obligations or the order data are to be processed.
You have the option of revoking your consent to the handling of personal data from Sofort anytime. A revocation does not affect personal data that must be processed, used, or transmitted for (contractual) payment processing.
Sofort’s current privacy policy can be found at https://www.klarna.com/pay-now/privacy-policy/.

26.    Legal basis of processing

Point (a) of Article 6 (1) GDPR serves our company as a legal basis for processing operations for which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which the data subject is party, such as processing operations necessary for the supply of goods or any other service or consideration, the processing is based on point (b) of Article 6 (1) GDPR. The same applies to processing operations which are necessary in order to effect measures prior to entering into a contract such as inquiries regarding our products or services.
If our company is subject to a legal obligation which makes it necessary for personal data to be processed, for example to fulfill tax obligations, the processing is based on point (c) of Article 6 (1) GDPR.
Finally, data processing may also be founded on point (f) of Article 6 (1) GDPR. Processing operations not covered by any of the aforementioned legal bases are founded on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or of a third party provided that the interests, fundamental rights, and freedoms of the data subject are not overriding. Processing operations of this kind are permitted in particular because they were specifically mentioned by the European legislator. It took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (second sentence of Recital 47 GDPR).
If the processing of personal data is founded on point (f) of Article 6 (1) GDPR, our legitimate interest is the efficient performance of our business activities for the benefit of the well-being of our employees and our shareholders.

27.    Duration of personal data retention

The criterion for the duration of the retention of personal data is the respective legal retention period. After expiration of this period, the corresponding data are routinely deleted if they are no longer required for the fulfillment or initiation of a contract.
Otherwise, specific criteria for the retention period are set out in the individual sections of this privacy policy.

28.    Updating/erasure of your personal data

You have the option of having the personal data provided to us checked, amended, or erased anytime by sending an e-mail to datenschutz@hardenberg-wilthen.de. You can also exclude the receipt of further information in the future in this way.
You may also withdraw your consent previously granted anytime with effect for the future.
The stored personal data will be erased if you revoke your consent to their storage.
We process and store your personal data only for as long as is necessary to achieve the purpose of their storage or insofar as this is prescribed in the laws or provisions of the European legislator or of another lawmaker to which we are subject.
If the storage purpose no longer applies or if the retention period prescribed by the European legislator or another competent lawmaker expires, the personal data shall be routinely blocked or erased in accordance with the legal provisions.

29.    Legal or contractual provisions re the provision of personal data

We advise you that the provision of personal data is in part required by law (e.g. tax regulations) or can also result from contractual regulations (e.g. information on the contractual partner). It may sometimes be necessary for a data subject to provide us with personal data in order for a contract to be concluded, with this data consequently needing to be processed by us. For example, the data subject is obligated to provide us with personal data if our company concludes a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded.
Before the data subject provides personal data, the data subject must contact one of our employees. Our employee will notify the data subject on a case-by-case basis as to whether provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences would be if the personal data were not provided.

30.    Existence of automated decision-making

As a responsible company, we do not employ automated decision-making or profiling.

31.    Notification of amendments

Changes in the law or changes to our internal processes may make it necessary for this privacy policy to be amended.
In the event of such a change, we will inform you of this at least six weeks before it enters into force. You have a general right of withdrawal with regard to consent previously granted.
Please note that (insofar as you do not exercise your right of withdrawal) the version of the privacy policy as amended is valid.
Note: This privacy policy was created using a wide variety of sources, including the links provided within it. Current case law as well as interpretations and comments have been taken into account to the extent known to us.