This data protection notice explains the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online presence and the associated websites, functions and contents, as well as external online presences, such as our social media profiles (hereinafter jointly called the “online presence”). With respect to the terms used such as “processing” or “responsible authority”, please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
WICKERT Maschinenbau GmbH
Wollmesheimer Höhe 2
D-76829 Landau in der Pfalz
M.A. Stephanie Wickert
Dipl.-Wirt.-Ing. Stefan Herzinger
Link to the imprint: http://www.wickert-presstech.de/typo/inhalt/footer/impressum/
Contact Data Protection Officer: Ronald Fischer, Datenschutz@Wickert-Presstech.de
The types of processed data:
Categories of data subjects
Visitors and users of the online presence (hereinafter referred to as “users”).
Purpose of the processing
“Personal data” refers to all information related to an identified or identifiable natural person (hereinafter referred to as “data subject”): a natural person is considered as being identifiable if they can be directly or indirectly identified via correlation with an identifier such as a name, an ID number, location data, an online identifier (e.g. cookie), or via one or more special characteristics which express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
“Processing” is every procedure or every chain of such procedures undertaken with or without the help of automatic processes with respect to personal data. The term is very broad and encompasses almost every aspect of data handling.
“Pseudonymisation” is the processing of personal data in such a way that the personal data without the incorporation of additional information can no longer be correlated with a specific data subject, insofar as this additional information is retained separately, and is subject to technical and organisational measures which guarantee that the personal data cannot be correlated with an identified or identifiable natural person.
“Profiling” refers to every type of automatic processing of personal data whereby the personal data is used to evaluate certain personal aspects when referenced to a natural person, and in particular aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or change of location of this natural person with the aim of analysing this data or making predictions.
The “responsible authority” refers to natural or legal persons, authorities, organisations or other institutions who solely or jointly reach decisions on the purposes and means used to process personal data.
“Processing agencies” are natural or legal persons, authorities, organisations or other institutions which process personal data on behalf of the responsible authority.
Fundamental legal basis
Pursuant to Article 13 GDPR, we inform you herewith about the legal basis for our data processing. If the legal basis is not referred to specifically in the Data Protection Notice, the following applies: the legal basis for acquisition of the permission is Article 6 (1) lit. a and Article 7 GDPR, the legal basis for processing to satisfy our services and to implement contractual measures, as well as to answer queries is Article 6 (1) lit. b GDPR, the legal basis for processing to satisfy our legal obligations is Article 6 (1) lit. c GDPR, and the legal basis for processing to uphold our legitimate interests is Article 6 (1) lit. f GDPR. In the event that the vital interests of the data subject or another natural person make the processing of personal data necessary, the legal basis is Article 6 (1) lit. d GDPR.
We implement suitable technical and organisational measures pursuant to Article 32 GDPR to guarantee a level of protection proportionate to the risk, taking into consideration state-of-the-art technology, the implementation costs, and the nature, scope, situation and purposes of the processing, as well as various risk probabilities, and the seriousness of the risk for the rights and freedoms of natural persons.
These measures include in particular safeguarding the confidentiality, integrity and availability of data by controlling the physical access to the data as well as the associated access, entry, forwarding, safeguarding availability, and their separation. Moreover, we have set up procedures which guarantee the upholding of the data subject’s rights, the erasure of data, and reactions to risks affecting the data. In addition, we already take the protection of personal data into consideration during the development, and/or selection of hardware and software, as well as processes pursuant to the data protection principles, by designing technology accordingly and by data-protection-friendly default settings (Article 25 GDPR).
Insofar as we release data to other persons and companies (processing agencies or third parties) as part of our processing of the data, forward this data to them or approve their access otherwise to the data, this is only undertaken on the basis of a legal permit (e.g. when the transmission of the data to a third party such as a payment services provider, pursuant to Article 6 (1) lit. b GDPR is necessary for the fulfilment of contractual obligations), or if you have given permission, or when a legal obligation covers this aspect, or on the basis of our legitimate interests (e.g. the use of representatives, web hosters, etc.).
Insofar as we contract third parties to process the data on the basis of a so-called “job processing agreement” this occurs on the basis of Article 28 GDPR.
Transfer to third countries
Insofar as we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or if this takes place as part of the hiring of the services of third parties or the disclosure and/or transfer of data to third parties, this only occurs when this takes place to fulfil our (pre)contractual obligations, on the basis of your approval, or on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permits, we only process or allow the processing of data in a third country when this complies with the special conditions defined in Article 44 ff. GDPR. This means that the processing takes place e.g. on the basis of special guarantees such as the officially recognised definition of a data protection level corresponding to that in the EU (e.g. by the “Privacy shield” in the USA) or by complying with officially recognised special contractual obligations (so-called “Standard contractual clauses”).
You have the right to demand confirmation whether the affected data is processed, and information on this data, as well as additional information and copies of the data pursuant to Article 15 GDPR.
Pursuant to Article 16 GDPR, you have the right to make additions to your personal data, or to demand rectification of any incorrect data referring to your person.
Pursuant to Article 17 GDPR, you have the right to demand that the relevant data is immediately erased and/or alternatively to restrict the processing of the data pursuant to Article 18 GDPR.
You have the right to demand that the personal data you have made available to us be sent to you pursuant to Article 20 GDPR, or for the data to be transferred to another responsible authority.
Moreover, you have the right pursuant to Article 77 GDPR to appeal to the competent authority.
Right to withdraw consent
You have the right to withdraw your consent with future effect to any consent you may have given pursuant to Article 7 (3) GDPR.
Right to object
You have the right to object at any time to the future processing of your personal data pursuant to Article 21 GDPR. This right to object can be made in particular with respect to processing for the purposes of direct advertising.
Cookies and right to object to direct advertising
“Cookies” are small files retained on the computer of the user. Cookies can store various details. A cookie is primarily used to store information on a user (and/or the device on which the cookie is retained) during or also after the user’s visit to an online presence. Cookies known as temporary cookies or “session cookies” or “transient cookies” are those which are erased when a user leaves the online presence and closes his or her browser. A cookie of this kind can store e.g. the content of a shopping basket in an online shop, or the log-in status. “Permanent” or “persistent” cookies are those which remain retained even after the browser is closed. This enables e.g. the log-in status to be retained when accessed again by the user after several days. In addition, cookies of this kind can store the interests of the user which are used for reach analysis and marketing purposes. “Third-party cookies” are those cookies made available by other providers other than the responsible authority which operates the online presence (otherwise, if only the responsible authority’s cookies are used, these are referred to as “first-party cookies”).
If users do not want cookies to be retained on their computer, they are requested to deactivate the relevant option in the system settings of their browser. Stored cookies can be erased in the system settings of the browser. The exclusion of cookies can lead to restrictions in the functioning of this online presence.
Erasure of data
The data processed by us can be erased or its processing restricted in accordance with Articles 17 and 18 GDPR. Insofar as not explicitly declared as part of this Data Protection Notice, the retained data we hold is erased as soon as the data is no longer required for the specific purpose for which it was retained, and erasure does not violate any legal retention obligations. Insofar as the data is not erased because it is required for other or legally permissible purposes, their processing becomes restricted. This means that the data is blocked and not processed for other purposes. This applies, e.g. to data which has to be retained for commercial law or tax law purposes.
According to the statutory provisions in Germany, retention is maintained particularly for 10 years pursuant to Sections 147 (1) AO, 257 (1) no. 1 and 4, (4) German Commercial Code (HGB) (accounts, records, management reports, accounting receipts, commercial accounts, for relevant tax documents, etc.) and 6 years pursuant to Section 257 (1) no. 2 and 3, (4) German Commercial Code (commercial papers).
Pursuant to the statutory provisions in Austria, retention is in particular for 7 years pursuant to Section 132 (1) BAO (accounting documents, receipts/invoices, accounts, receipts, business documents, lists of revenues and expenses, etc.), for 22 years in the context of real estate, and for 10 years with respect to documents associated with electronically provided services, telecommunications, radio and television services, provided for non-entrepreneurs in EU member countries, and for the mini-one-stop-shop (MOSS).
We process data from applicants only for the purposes and within the framework of the application procedure, in compliance with statutory provisions. The processing of applicant data is undertaken to satisfy our (pre)contractual obligations as part of the application procedure in the sense of Article 6 (1) lit. b GDPR, Article 6 (1) lit. f GDPR, insofar as we are required to process the data, e.g. within the framework of legal proceedings (Section 26 German Data Protection Act (BDSG) applies additionally in Germany).
The application procedure is predicated upon being sent application data by the applicant. The necessary application data – insofar as we make an online form available in which the points are marked – are otherwise detailed in the job description, and generally include details of the person making the application, postal and contact addresses, the documents applicable to the application such as application letter, curriculum vitae and certificates. In addition to these, applicants can voluntarily provide us with additional information.
With the forwarding of their application, applicants automatically declare their approval for the processing of their data for the purposes of the application procedure, according to the nature and scope defined in this Data Protection Notice.
Insofar as special categories of personal data in the sense of Article 9 (1) GDPR were voluntarily disclosed as part of the application procedure, their processing is additionally undertaken pursuant to Article 9 (2) lit. b GDPR (e.g. health data, such as severe handicap, or ethnic background). Insofar as special categories of personal data are requested from applicants in the sense of Article 9 (1) GDPR, their processing is additionally undertaken pursuant to Article 9 (2) lit. a GDPR (e.g. health data where this is directly relevant to be able to pursue the job involved).
Insofar as made available, applicants can also send in their applications via an online form on our website. The data is encrypted according to state-of-the-art technology and transferred to us. Moreover, applicants are also able to send us their applications via email. However, we would like to point out that emails are generally unencrypted and that the applicants must undertake measures themselves to ensure encryption. We are therefore unable to accept any responsibility for the transmission channel of the application between the sender and arrival on our server, and therefore recommend using either an online form or sending the application to us by post. Instead of sending the application to us via the online form or via email, applicants still have the option of sending us their application by post.
The data made available to us by the applicant could be further processed by us for the purposes of setting out the employment conditions in the case of a successful application. Otherwise, insofar as the application for a job was unsuccessful, the data from the applicant will be erased. The data from applicants will also be erased when an application is withdrawn, and applicants can make use of this right at any time.
Erasure takes place at the end of a six-month period provisional on the legitimate objection of the applicant to enable us to answer any follow-up questions concerning the application, and to satisfy our verification obligations with respect to the Equal Opportunities Act. Bills submitted for any remuneration of travel costs will be archived in accordance with tax law provisions.
As part of the application, we offer our applicants the opportunity of being included in our “Talent Pool” for a period of two years upon receiving their approval pursuant to Article 6 (1) lit. b and Article 7 GDPR.
The application documents in the Talent Pool are solely processed as part of future job advertisements and the recruitment of employees, and are erased at the latest at the end of the stipulated term. Applicants are informed that giving their approval for incorporation in the Talent Pool is voluntary, has no influence on the ongoing application procedure, and that they can withdraw their consent at any time in the future, as well as object in the sense of Article 21 GDPR.
When making contact with us (e.g. via a contact form, email, telephone or via social media) information on the user will be processed for the purposes of handling the contact inquiry pursuant to Article 6 (1) lit. b GDPR. The user’s data may be retained in a customer relationship management system (CRM system) or a similar inquiry management system.
We erase the inquiries as soon as these are no longer required. We check the need every two years; in addition, the statutory archiving obligations also apply.
Hosting and email dispatch
The hosting services used by us serve to make available the following services: infrastructure and platform services, computing capacity, storage capacity and data bank services, email dispatch, security services, as well as technical maintenance services used by us for the purposes of operating this online presence.
For this purpose, we, and/or our hosting provider, process the inventory data, contact data, content data, contractual data, user data, meta and communications data of clients, interested parties and visitors to this online presence on the basis of our legitimate interests in the efficient and secure management of the availability of this online presence pursuant to Article 6 (1) lit. f GDPR in association with Article 28 GDPR (closing contractual processing contracts).
We and/or our hosting provider, collect data on the basis of our legitimate interests in the sense of Article 6 (1) lit. f GDPR covering every access to the server on which this data is hosted (so-called server log files). The access data includes the name of the website accessed, file, date and time of accessing, volume of data transferred, report on successful retrieval, browser type including version, the user’s operating system, referrer URL (the website visited previously), IP address and the inquiring provider.
Log file information is retained for a maximum period of 7 days for security reasons (e.g. to clarify abuse or fraud) and then erased. Data whose retention is necessary for the purposes of providing evidence, are excluded from this erasure until the respective issue has been finally clarified.
Google Tag Manager is a solution with which we manage so-called website tags via an interface (and thus integrate e.g. Google Analytics as well as other Google marketing services in our online presence). The tag manager itself (which implements the tags) does not process any of the user’s personal data. With respect to the processing of the user’s personal data, we refer you to the following information on Google services.
User regulations: https://www.google.com/intl/de/tagmanager/use-policy.html.
Google is certified as part of the Privacy Shield Treaty and thus provides a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online presence by the users, to comply with reports on the activities within this online presence, and to provide us with additional services associated with the use of this online presence and internet usage. This can involve creating pseudonymised user profiles of the users from the processed data.
We only use Google Analytics with activated IP anonymization. This means the IP address of the user will be abbreviated by Google within the member countries of the European Union or in other countries which have signed up to the treaty on the European Economic Area. The complete IP address will only be transferred to Google’s servers in the USA in exceptional cases, where they are then abbreviated.
The IP address determined from the user’s browser will not be compiled with other data held by Google. The user can prevent the storage of cookies by adjusting the settings in their browser software accordingly; users can also prevent the gathering of data on their use of the online presence created by the cookie, and the processing of this data by Google, by downloading and installing the browser plug-in available from the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
More information on the use of data by Google, settings options and objection options are available in Google’s data protection notice (https://policies.google.com/technologies/ads) as well as in the settings for visualising the advertisements placed by Google (https://adssettings.google.com/authenticated).
The user’s personal data is erased or anonymised after 14 months.
Google Universal Analytics
We use Google Analytics in its “Universal-Analytics” version. “Universal Analytics” is the name of a process used by Google Analytics in which user analysis is undertaken on the basis of a pseudonymised user ID, to thus create a pseudonymised profile of the user with information from the use of various devices (so-called “cross-device tracking”).
We use Google Analytics to show advertisements placed within the web services of Google and its partners only to those users who have also shown an interest in our online presence, or feature specific characteristics (e.g. an interest in specific topics or products determined on the basis of the websites visited), which we transfer to Google (so-called remarketing and Google Analytics audiences). By making use of remarketing audiences, we hope to ensure that our advertisements correspond to the potential interests of the user.
We maintain online presences within social networks and platforms to communicate with customers, interested parties and users active in these networks and platforms, and to inform them here about our services. When accessing the various networks and platforms, the terms and conditions and the data processing regulations of the individual operators apply.
Insofar as not stipulated otherwise within our Data Protection Notice, we process the data of users insofar as these communicate with us within the social networks and platforms, e.g. make comments on our online presences or send us messages.
Integration of services and content provided by third parties
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online presence in the sense of Article 6 (1) lit. f GDPR) we make use of the content and service offers from third party providers within our online presence to integrate their contents and services, e.g. videos and typefaces (hereinafter referred to as “content”).
This assumes that the third party providers of this content are aware of the IP address of the user, because the content cannot be sent to their browser without the IP address. The IP address is therefore required for them to be able to present their content. We strive to ensure to only use the kind of content whose provider in each case only uses the IP address to deliver the content. Moreover, third party providers can also use so-called pixel tags (invisible graphics also known as “web beacons”) for statistical or marketing purposes. The pixel tags enable information such as visitor traffic on the pages of this website to be evaluated. The pseudonymised information can also be retained in cookies on the user’s device, and contain amongst other things technical information on the browser and operating system, referring websites, visit times, as well as other details on the use of our online presence, and can also be combined with similar information from other sources.
We may incorporate the videos from the “Vimeo” platform from the provider Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. Data protection notice: https://vimeo.com/privacy. We would like to point out that Vimeo can use Google Analytics and refer here to the data protection notice (https://www.google.com/policies/privacy), as well as the opt-out options for Google Analytics (http://tools.google.com/dlpage/gaoptout?hl=de) or the Google settings for data usage for marketing purposes (https://adssettings.google.com/).
We integrate the videos from the “YouTube” platform of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection notice: https://www.google.com/policies/privacy/, Opt-out: https://adssettings.google.com/authenticated.
We incorporate the typefaces (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection notice: https://www.google.com/policies/privacy/, Opt-out: https://adssettings.google.com/authenticated.
We incorporate the maps of the “Google Maps” service from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed can include the IP addresses and locations of the users in particular, although this cannot be gathered without the approval of the user (usually regulated within the settings of your mobile device). The data may be processed in the USA. Data protection notice: https://www.google.com/policies/privacy/, Opt-out: https://adssettings.google.com/authenticated.
Typekit fonts from Adobe
To uphold our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online presence in the sense of Article 6 (1) lit. f GDPR) we use the “Typekit” fonts of the provider Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified as part of the Privacy Shield Treaty, and thus provides a guarantee that it complies with the European Data Protection Act (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).