Privacy Notice

1. General

At Harro Höfliger Verpackungsmaschinen GmbH, we take the protection of your personal data very seriously. Your privacy is important to us. We process your personal data in compliance with the relevant applicable legal data protection requirements for the purposes listed below. Personal data within the meaning of this Privacy Notice is any information relating to you.

In the following, you will learn how we handle this data. For reasons of clarity, we have divided our Privacy Notice into different sections.

2. Data controller and contact details for the data protection officer

The controller responsible for processing your personal data is:
Harro Höfliger Verpackungsmaschinen GmbH
Helmholtzstr. 4
71573 Allmersbach im Tal
Germany

If you have any questions on data protection or would like to make a comment (for instance, regarding accessing or updating your personal data), you may also contact our data protection officer.
Name:     Steffen Zimmer
Phone:     +49 7127 928 94 0
Email:    info@zimmeredv.de

3. Source of data collection

We process personal data collected directly from you.
Where required for the provision of our services, we will process personal data legitimately obtained from other organizations or other third parties (such as credit bureaus, mailing list brokers). We also process personal data which we have legitimately taken, received, or acquired from publicly accessible sources (such as telephone directories, commercial registers, registers of association, population registers, debtors lists, real estate registers, the press, the Internet, and other media) and which we are allowed to process.

4. Purposes with a legal basis

We process personal data in compliance with the provisions of the General Data Protection Regulation
(GDPR), the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), and other applicable data protection regulations (see details below). The answer to the questions of what specific data is processed and how it is used will largely depend on the services requested or agreed. Please consult the relevant contract documents, forms, a declaration of consent, and/or any other information provided to you (e.g., when you use our website or in our general terms and conditions) for further details or additional information on the purposes of data processing.

Purposes relating to the performance of a contract or to steps taken prior to entering into a contract (Article 6 (1) (b) GDPR)

Personal data is processed in order to perform our contracts with you and execute your orders, or to take steps and actions in the context of pre-contractual relationships, e.g., with prospective clients. This primarily includes the following: contract related communication with you, relevant billing and associated payment transactions, the ability to provide evidence of orders and other agreements, and quality control through the relevant documentation, goodwill procedures, measures to manage and optimize business processes and to comply with our general duties of care, management and control through affiliated companies; statistical analyses of corporate management, cost recording and controlling, reporting, internal and external
communication, emergency management, billing and tax evaluation of operational services, risk management, assertion of legal claims and defense in case of legal disputes; ensuring IT security (including system or plausibility tests) and general security, ensuring compliance with and exercising house rules (e.g., through access controls); safeguarding the integrity, authenticity, and availability of data, preventing and solving criminal offenses, and control through supervisory boards and other control bodies (e.g., internal auditing).

Purposes in the context of our legitimate interests or those of third parties (Article 6 (1) (f) GDPR)

We may process your data for other purposes than those relating to the actual performance of the contract or to steps taken prior to entering into a contract if such processing is necessary in order to safeguard our legitimate interests or those of third parties, in particular for the purposes of

• advertising or market research or opinion polling, to the extent that you have not objected to the use of your data;
• reviewing and optimizing our methods of requirements analysis;
• further developing our services and products, and our existing systems and processes;
• enriching our data, including by using or researching data that is publicly accessible;
• statistical analyses or market analysis; benchmarking;
• asserting legal claims and conducting the defense in case of a legal dispute which
• is not directly linked to the contractual relationship;
• storing restricted data, where its erasure is impossible or would involve a disproportionate effort due to the special nature of its storage;
• developing scoring systems or automated decision-making processes;
• preventing and solving criminal offenses, where this is not done exclusively to comply with legal requirements;
• ensuring building and system security (e.g., through access controls), where this goes beyond the general duties of care;
• internal and external inspections and security audits;
• the potential listening in to or recording  of telephone conversations for quality control and training purposes;
• acquiring and maintaining official certifications or certifications under private law;
• ensuring compliance with and exercising house rules by taking appropriate steps (such as CCTV) and securing evidence where a criminal offense has been committed and the prevention thereof.

Purposes for which you have given your consent (Article 6 (1) (a) GDPR)

Your personal data may also be processed where you have given your consent to the processing for specific purposes (e.g., using your email address for marketing). You are generally entitled to withdraw your consent at any time. This also applies to the withdrawal of declarations of consent that you made to us before the application of the GDPR, i.e., before May 25, 2018. Information on the purposes of the processing and on the consequences of withdrawing or refusing your consent is provided separately in the relevant text of the consent form. A general rule is that the withdrawal of consent applies only to the future. Processing that took place before the withdrawal will not be affected and will remain lawful.

Purposes of compliance with legal requirements (Article 6 (1) (c) GDPR) or performance of a task carried out in the public interest (Article 6 (1) (e) GDPR)

As any person or entity involved in economic activities, we, too, are subject to a range of legal obligations. These are primarily legal requirements (e.g., commercial and fiscal laws), but may also be of a supervisory or other official nature. The purposes of data processing may also include the fulfillment of inspection and notification obligations and the archiving of data for data protection and data security purposes, as well as audits carried out by fiscal and other authorities. In addition, the disclosure of personal data may become necessary in the context of measures taken by authorities or courts in order to gather evidence or enforce civil law claims or for criminal prosecution.
 

Scope of your duties to provide data to us

You only have to provide us with data that is required to enter into and implement a business relationship with us or to establish a pre-contractual relationship with us or data that we are required by law to collect. Without this data, we will usually not be able to sign or perform a contract with you. This may also refer to data required later on in the course of the business relationship. If we are asking you for any data beyond this scope, we will indicate this to be information provided on a voluntary basis.

5. Source and categories of data not collected directly from you

Where required for the provision of our services, we will process personal data legitimately obtained from other organizations or other third parties. We also process personal data which we have legitimately taken, received, or acquired from publicly accessible sources (such as telephone directories, commercial registers, registers of association, population registers, debtors lists, real estate registers, the press, the Internet, and other media)  and which we are allowed to process. Relevant personal data categories may be the following:

• data relating to your person (name, date of birth, place of birth, nationality, marital status, profession/sector, and similar data)
• contact data (address, email address, telephone number, and similar data)
• payment confirmation/confirmation of cover for bank and credit card history of customers
• data on your use of the telecommunications media we offer (e.g., time of access to our websites, apps, or newsletter, our web pages/links or entries you clicked on, and similar data)
• video/image recordings

6. Recipients or categories of recipients of your data

Within our company, only those internal offices or organizational units will receive your data which require such data to enable us to comply with our contractual and legal duties or which require such data in order to deal with and implement our legitimate interest.
Your data will be transferred to external bodies only

• in connection with executing the contract;
• for purposes of fulfilling legal obligations which require us to notify, report, or transfer data, or where the transfer of the data is in the public interest (see point 2.4);
• to the extent that external service providers process data on our behalf, acting as a processor or as an assignee of a function/functions (e.g. ; data centers, support/maintenance of EDP/IT applications, archiving, document processing, call center services, compliance services, controlling, data validation or data plausibility tests, data destruction, purchase/procurement, customer administration, lettershops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, banks and financial institutions, printers or data disposal companies, couriers, logistics);
• on the basis of our legitimate interest or the legitimate interest of the third party in the context of the purposes listed above (e.g., transfer to public authorities, credit bureaus, debt collection agencies, lawyers, courts, consultants, subsidiaries, or committees and supervisory/monitoring bodies);
• where you have given your consent to the transfer of the data to third parties.

We will not transfer your data to any third parties other than in the cases set out above. If we contract service providers to process data on our behalf, your data will be subject to the same security standards as if it was processed by us. In all other cases, the recipients of the data may not use it for any other purposes than those for which the data was transferred to them.

7. Period for which your data is stored

We process and store your data for the duration of our business relationship with you. That includes the period during which steps are taken to enter into a contract (pre-contractual legal relationship) as well as the execution of a contract.

Moreover, we are subject to various duties of retention and documentation, some of which arise from the German Commercial Code (Handelsgesetzbuch, HGB) and the German Fiscal Code (Abgabenordnung, AO). The periods of retention or documentation specified thereunder are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.

There may also be special legal provisions that require us to store the data for longer, such as the need to retain evidence within the scope of statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch, BGB), the standard limitation period is three years; however, limitation periods of up to 30 years may be applicable in some cases.

If the data is no longer needed for the purposes of fulfilling contractual or legal obligations and rights, it will be erased on a regular basis unless the processing has to be continued – for a limited period – for the purposes arising from an overriding legitimate interest. Such an overriding legitimate interest exists also, for instance, where erasing the data is impossible or would involve a disproportionate effort and where appropriate technical and organizational measures ensure that the data cannot be processed for other purposes.

8. Your rights

Under certain circumstances, you may exercise your data protection rights against us.

• Under Article 15 GDPR you have the right to access any data that we hold about you (potentially with the restrictions set out in Section 34 BDSG).
• If you request data that we hold about you to be rectified, we will do so as per Article 16 GDPR, if that data is wrong or inaccurate.
• If you request your data to be erased on the grounds set out in Article 17 GDPR, we will do so unless such erasure is precluded by other legal regulations (e.g., legal retention periods or the restrictions set out in Section 35 BDSG) or by an overriding interest on our part (e.g., the defense of our rights and claims).
• Taking account of the conditions set out in Article 18 GDPR, you may request us to restrict the processing of your data.
• Pursuant to Article 21 GDPR you may also object to the processing of your data, whereupon we must stop processing your data. However, this right to object only applies in very specific circumstances relating to your personal situation, and our own rights may potentially preclude your right to object.
• Where the conditions set out in Article 20 GDPR are met, you also have the right to receive your data, or transfer it to a third party, in a structured, commonly used, and machine-readable format.
• You also have the right to withdraw consent given to us for the processing of your personal data at any time with future effect (see point 2.3).
• In addition, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR). We recommend however that you always contact our data protection officer first if you have a complaint.
• Your requests for exercising your rights should, where possible, be made in writing or via email to the address stated above or should be addressed directly to our data protection officer in writing or via email.

Special notice regarding your right to object under Article 21 GDPR

You have the right to object to the processing of your data at any time, where it is carried out on the basis of Article 6 (1) (f) GDPR (data processing on the basis of a balancing of interests) or Article 6 (1) (e) GDPR (data processing in the public interest), if you have reasons to do so that arise from your particular situation.

This applies also to profiling as defined in Article 4 (4) GDPR based on this provision. If you object, your personal data will no longer be processed unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing is carried out for the establishment, exercise or defense of legal claims.

We may also process your personal data for the purposes of direct marketing. If you do not wish your personal data to be used for marketing, you have the right to object to it at any time; this applies also to profiling to the extent that it is related to such direct marketing. We will respect such objection in the future. We will no longer use your data for direct marketing purposes if you object to the processing for such purposes.

There are no particular requirements as to the format of the objection, but it should be addressed, if possible, to
Harro Höfliger Verpackungsmaschinen GmbH, Helmholtzstr. 4, 71573 Allmersbach im Tal, Germany
datenschutz@hoefliger.de