Table of Contents
- Name and address of the responsible party
- Contact information of the Data Protection Officer
- General information about data processing
- Rights of the data subject
- Provision of the website and creation of log files
- Use of cookies
- Registration
- Web shop
- Payment methods
- Creditworthiness check
- Newsletter
- Email contact
- Contact form
- Application via email and application form
- Corporate image
- Use of corporate image in professionally oriented networks
- Content delivery networks
- Use of Hubspot
1. Name and address of the responsible party
The responsible party in line with the General Data Protection Regulation and other national data protection laws of the member states and other data protection provisions is:
heo GmbH
West Campus 1
76863 Herxheim
Germany
+49(0)7276 92928-0
info@heo.com
https://www.heo.com/
2. Contact information of the Data Protection Officer
The responsible Data Protection Officer is:
DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany
+49 89 7400 45840
www.dataguard.de
3. General information about data processing
1. Scope of personal data processing
We solely process personal data relating to our users where necessary in order to provide a functioning website along with our content and services. The processing of personal data shall only take place with the user's consent. Exclusions to this apply in cases where prior consent cannot be obtained for legitimate reasons and where the processing of data is required by law.
2. Legal basis for processing personal data
Article 6(1)(a) GDPR shall serve as the legal basis for obtaining consent from the data subject to process his or her personal data.
Article 6(1)(b) GDPR shall serve as the legal basis for processing personal data that is necessary for the performance of a contract to which the data subject is party. This also applies to processing required to implement pre-contractual measures.
Article 6(1)(c) GDPR shall serve as the legal basis where processing is necessary for compliance with a legal obligation to which the company is subject.
Article 6(1)(d) GDPR shall serve as the legal basis in the event that processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Article 6(1)(f) GDPR shall serve as the legal basis where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
3. Data deletion and storage duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by European or national legislators in EU regulations, laws or other regulations to which the responsible party is subject. The data will also be blocked or deleted if the storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
4. Rights of the data subject
As a data subject in line with GDPR whose personal data is collected in the context of the above-mentioned services, you generally have the following rights:
1. Right to information
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed.
Where that is the case, you can obtain from the controller the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain information as to whether your personal data is transferred to a third country or to an international organisation. If this is the case, you shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
2. Right to rectification
You shall have the right to request the rectification and/or completion of inaccurate or incomplete personal data concerning you. The controller must perform this rectification without undue delay.
3. Right to restriction of processing
You shall have the right to restrict processing of your personal data where one of the following applies:
- the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
- you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing pursuant to the above requirements, you shall be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) Deletion obligation
You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and where there is no other legal ground for the processing.
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
- Your personal data was unlawfully processed.
- The erasure of your personal data is required to fulfil a legal obligation according to European Union law or Member State law, under which the controller is governed.
- Your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
b) Information to third parties
Where the controller has made your personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exclusions
The right to erasure shall not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) as well as Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- to establish, exercise or defend against legal claims.
5. Right to notification
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The controller shall inform the data subject about those recipients if the data subject requests it.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You shall furthermore have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR; and
- the processing is carried out by automated means.
In exercising this right to data portability, you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The right shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to personal data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f), including profiling based on those provisions.
The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw declaration of consent
You have the right to revoke your consent at any time. This withdrawal of consent shall not affect the lawfulness of any processing that has taken place prior to the withdrawal of consent.
9. Automated individual decision-making, including profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
- is necessary for entering into, or performance of, a contract between you and a data controller,
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
- is based on your explicit consent.
The decisions referred to shall not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
In the cases referred to in points 1. and 3., the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
Our responsible supervisory authority is the Rhineland-Palatinate Data Protection Authority (Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz). You can contact them as follows:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34; 55116 Mainz
P.O. Box 30 40, 55020 Mainz
Tel.: +49 (0) 6131 8920-0
Email: poststelle(at)datenschutz.rlp.de
https://www.datenschutz.rlp.de/de/startseite/
5. Provision of the website and creation of log files
1. Description and scope of data processing
Every time you visit our website, our system automatically collects data and information from the accessing computer system.
The following data is collected:
- Information about browser type and version used
- The user's operating system
- The user’s IP address
- Date and time of access
- Websites that redirected the user’s system to our webpage
- Websites retrieved by the user’s system via our website
The data is stored in the log files of our system. This data is not stored together with other personal data of the user.
2. Purpose of data processing
The temporary storage of the IP address by the system is necessary in order to enable the website to be supplied to the user's computer. To do this, the user’s IP address must be saved for the duration of the session.
The storage in log files takes place in order to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
The data processing is based on our legitimate interest.
3. Legal basis for data processing
Article 6(1)(f) GDPR shall serve as the legal basis for the temporary storage of data and log files.
4. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or obfuscated so that they can no longer be attributed to the accessing client.
5. Right to objection and removal
The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website. The user therefore cannot exercise their right to object in this context.
6. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user calls up a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be clearly identified when the website is called up again.
We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can also be identified after changing pages.
The following data is stored and transmitted in the cookies:
- Login information
We also use cookies on our website that enable an analysis of the surfing behaviour of the users.
In this way, the following data can be transmitted:
The user data collected in this manner is pseudonymised through technical precautions. This prevents data from being assigned to the user. The data is not associated with any of the user's other personal data.
2. Purpose of data processing
The purpose of using essential cookies is to simplify the use of websites for users. Some features of our website will not function without the use of cookies. For this, it is necessary that the browser is recognised even after changing pages.
We need cookies for the following applications:
- Retaining login status
The user data collected by essential cookies are not used to create user profiles.
Analysis cookies are used to improve the quality of our website and its content. The analysis cookies tell us how the website is used and so we can continuously optimise our service.
Non-essential cookies are used for marketing purposes.
3. Legal basis for data processing
Article 6(1)(a) GDPR shall serve as the legal basis for processing personal data using non-essential cookies.
Article 6(1)(f) GDPR shall serve as the legal basis for processing personal data using essential cookies.
4. Legal basis for processing data on your equipment
Section 25(2) of the Telecommunications and Telemedia Data Protection Act in conjunction with Article 6(1)(f) GDPR shall serve as the legal basis for the use of essential cookies and their associated data processing. This processing serves to increase the user-friendliness of our website and provide our services as desired. Some functions of our website will not function without the use of these cookies. Our legitimate interest in the processing of personal data lies in the reasons mentioned above. Cookies are deleted after your session has ended (e.g. by logging out or closing your browser), or upon expiry of the temporary storage period.
Your consent which you provide via the cookie banner pursuant to Section 25(1) of the Telecommunications and Telemedia Data Protection Act in conjunction with Article 6(1)(a) GDPR shall serve as the legal basis for the use of non-essential cookies. You can revoke your consent with future effect or subsequently reissue your consent by changing the cookie and privacy settings via our online privacy policy information. Alternatively, you can also prevent the use of cookies by changing your browser settings. Please note that these browser settings only apply to the respective browser used. Please read the following descriptions for further information.
5. Duration of storage, right to objection and removal
Cookies are stored on the user’s computer and transferred to our site. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all features of the website can be used to their full extent.
If using a Safari browser in Version 12.1 or later, cookies will be automatically deleted after seven days. This also applies to opt-out cookies which are used to prevent tracking activity.
7. Registration
1. Description and scope of data processing
We offer users the opportunity to register with our website by providing personal data. This data is entered into an input field, then transferred and stored by us. This data is not passed on to third parties. The following data are collected as part of the registration process.
- Salutation
- Email address
- Name
- First name
- Address
- Telephone/mobile number
- IP address of the requesting computer
- Date and time of registration
- Excerpt from the Commercial Register; Company name; Business type; VAT ID; Contact person; Fax, Skype, Website, Article preferences, Payment method, Personal message
During the registration process, user consent to the processing of this data is obtained.
2. Purpose of data processing
User registration is necessary in order to fulfil a contract with the user or to implement pre-contractual measures.
Creation of an account to conclude a contract; Contact partner check pursuant to the Money Laundering Act
3. Legal basis for data processing
Article 6(1)(a) GDPR shall serve as the legal basis for processing personal data based on user consent.
If registration is required to conclude a contract to which the user is party, or to implement pre-contractual measures, Article 6(1)(b) GDPR shall serve as an additional basis for processing.
4. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
This shall apply to the data collected during the registration process for the purpose of fulfilling a contract or to implement pre-contractual measures if this data is no longer required to fulfil the contract. Upon expiry of the contract, it may be necessary to store the personal data of the contract partner for contractual or legal reasons.
5. Right to objection and removal
As a user, you have the option to cancel your registration at any time. You can modify the data stored about you at any time.
Click on “My Account” to delete your user account. Next, click on the “My details” tab. At the bottom, you'll find “Delete customer account now”. By confirming, this will delete your customer account. To modify your details, contact our customer services on +497276 929 28 123 or via info@heo.com
If the data is necessary for the fulfilment of a contract or to implement pre-contractual measures, the early deletion of data is only possible if no contractual or legal obligations preventing its deletion exist.
8. Web shop
We offer a web shop on our website. To do this, we use the following web shop software:
in-house development
The website and web shop are hosted on external servers with a service provider contracted by us.
Our service provider is:
1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
The servers automatically collect and store information in server log files, which are automatically transferred by your browser when visiting the website. Stored information includes:
- Browser type and version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Date and time of the server request
- IP address
This data will not be merged with other data sources. The collection of this data is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in providing a technically error-free and optimised website, for which server log files are collected.
We have concluded an order processing contract with the relevant service provider in which we require that the service provider protects user data and does not pass this on to third parties.
The website server is geographically located in the European Union (EU) or the European Economic Area (EEA).
9. Payment methods
1. Description and scope of data processing
We offer customers various payment methods for placing orders. Depending on the payment method chosen, we direct customers to the relevant payment service provider. Upon completion of the payment process, we receive the customer’s payment details from the payment service provider or our company bank and process this in our systems for the purpose of invoice creation and accounting.
Credit card payment
Payments can be made using credit card.
If you choose payment via credit card, payment information will be transferred to the payment service provider in order to process the payment. All payment service providers observe the requirements of the “Payment Card Industry (PCI) Data Security Standards” and are certified by an independent PCI Qualified Security Assessor.
The following details are transferred for credit card payments:
- Purchase amount
- Date and time of purchase
- First name and surname
- Address
- Email address
- Credit card number
- Credit card expiry date
- Security code (CVC)
- IP address
- Phone number/mobile number
Payment details are transferred to the following payment service providers:
- Braintree
More information about the data protection regulations as well as the right to object and removal with regard to payment service providers is available at: https://www.paypal.com/us/webapps/mpp/ua/privacy-full
PayPal payment
You can choose to pay for your order using the payment service provider, PayPal. In addition to a direct payment method, PayPal also offers purchases on account, by direct debit, credit card and instalments.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
If you choose PayPal as your payment method, the necessary details will be automatically transferred to PayPal to complete the payment process.
This concerns the following details:
- Name
- Address
- Email address
- Telephone/mobile number
- IP address
- Bank details
- Card number
- Expiry date and CVC code
- Number of items
- Item number
- Details about goods and services
- Transaction amount and tax information
- Details about previous purchasing behaviour
The information transferred to PayPal may be transferred to credit agencies in certain cases. This transfer is for the purpose of performing identity and creditworthiness checks.
PayPal may also transfer your details to third parties where necessary for the purpose of fulfilling contractual obligations or to process the order information. When transferring your personal data within a group of enterprises associated with PayPal, the Binding Corporate Rules are applied which are approved by the relevant supervisory authorities. These are available here:
https://www.paypal.com/de/webapps/mpp/ua/bcr
Other data transfers may be based on contractual safeguarding provisions where required. For further details please contact PayPal.
All PayPal transactions are subject to PayPal’s privacy policy. This is available at:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full/.
Advance payment
If you have selected advance payment, only the data transferred by your bank will be processed on our part. This is purely used to check receipt of payment.
Additional payment options
We also offer payment using the following option:
Invoice
2. Purpose of data processing
Payment information is transferred to payment service providers for the purpose of processing payment, e.g. when you have purchased a product and/or use a service.
3. Legal basis for data processing
Article 6(1)(b) GDPR shall serve as the legal basis for data processing as this is necessary in order to process the concluded purchase agreement.
4. Duration of storage
All payment information and details about any potential chargebacks are only stored for as long as necessary in order to process payment, handle any potential chargebacks, collect receivables and counter fraud.
Furthermore, payment information may be stored for longer in order to comply with statutory retention periods or to pursue a known infringement.
Your personal data will be deleted after the statutory retention period has expired, and no later than after 10 years.
5. Right to objection and removal
You can object to the processing of your payment information at any time by notifying the responsible party or via the payment service provider used. However, the payment service provider used is entitled to process your payment information where necessary for processing payment based on the contract.
10. Creditworthiness check
1. Description and scope of data processing
We may use credit rating agencies to ensure the creditworthiness of our customers including an analysis of payment history and credit default risk.
We use the following provider to perform credit checks:
- Coface
The information transferred primarily concerns:
- First name
- Surname
- Address
2. Purpose of data processing
We transfer data for the purpose of carrying out customer credit checks. This is designed to reduce the default rate and protect against credit risk.
3. Legal basis for data processing
Article 6(1)(f) GDPR shall serve as the legal basis for processing customer data for the purpose of credit checks in the case of risky payment methods based on our legitimate interest to safeguard our prepayments.
4. Duration of storage
Your personal data will only be stored for as long as necessary in order to fulfil the purpose stipulated in this privacy policy or where legally required, such as for tax and accounting purposes.
11. Newsletter
1. Description and scope of data processing
You have the option of subscribing to a free newsletter. Upon subscribing to the newsletter, the following data is transferred to us from the input mask:
- Email address
During the subscription process, you are required to consent to the processing of your data and accept the privacy policy.
If you purchase goods or services on our website and provide an email address in the process, this may be used by us to send you our newsletter. The newsletter will only be sent as direct advertising for similar goods or services.
No data is passed on to third parties in connection with sending the newsletter. Data is used for the sole purpose of sending the newsletter.
2. Purpose of data processing
The user's email address is collected in order to send the newsletter.
3. Legal basis for data processing
Article 6(1)(a) GDPR shall serve as the legal basis for processing personal data based on user consent during the newsletter registration process.
Article 7(3) of the German Act Against Unfair Competition (UWG) shall serve as the legal basis for sending the newsletter following purchase of goods or services.
4. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The user’s email address will be stored as long as the newsletter subscription is active.
Other personal data collected during the subscription process is typically deleted after seven days.
5. Right to objection and removal
The user can cancel their subscription to the newsletter at any time. A link to unsubscribe is contained in every newsletter.
The user may also revoke their consent to the storage of the data collected about them during the subscription process.
12. Email contact
1. Description and scope of data processing
You can contact us via the email address provided on our website. The personal data of the user that is transferred to us in the email will be stored.
This data is used for the sole purpose of processing the conversation.
2. Purpose of data processing
In the event of contact via email, we shall have a legitimate interest in processing this data.
3. Legal basis for data processing
Article 6(1)(a) GDPR shall serve as the legal basis for processing personal data based on user consent.
Article 6(1)(f) GDPR shall serve as the legal basis for processing personal data as a result of email communication. If contacting us via email regarding the conclusion of a contract, the legal basis for data processing shall be Article 6(1)(b) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent via email, this shall be the case when the respective conversation with the user has ended. The conversation is considered as ended when it can be derived that the matter has been sufficiently resolved.
Other personal data collected during the process is deleted after seven days at the latest.
5. Right to objection and removal
The user has the right to revoke their consent to the processing of their personal data. If the user contacts us via email, they can object to the storage of their personal data at any time. The conversation can no longer continue in this case.
To revoke your consent or object to the storage of your data, you can contact us at datenschutz@heo.com
All of the personal data saved in connection with contacting us will be deleted in this instance.
13. Contact form
1. Description and scope of data processing
A contact form is provided on our website for the purpose of contacting us electronically. If a user chooses this option, the data provided in the input mask will be transferred to and stored by us.
The following data is stored at the time of sending the message:
- Email address
- Name
- First name
- IP address of the requesting computer
- Date and time of registration
- Customer reference & email
During the subscription process, you are required to consent to the processing of your data and accept the privacy policy.
Alternatively, you can contact us via the email address provided. The personal data of the user that is transferred to us in the email will be stored.
This data is used for the sole purpose of processing the conversation.
2. Purpose of data processing
Personal data from the input mask is processed solely for the purpose of establishing contact. In the event of contact via email, we shall have a legitimate interest in processing this data.
Other personal data processed during the contact period shall serve to prevent misuse of the contact form and to ensure the security of our IT systems.
3. Legal basis for data processing
Article 6(1)(a) GDPR shall serve as the legal basis for processing personal data based on user consent.
Article 6(1)(f) GDPR shall serve as the legal basis for processing personal data as a result of email communication. If contacting us via email regarding the conclusion of a contract, the legal basis for data processing shall be Article 6(1)(b) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent via the contact form input mask and email, this shall be the case when the respective conversation with the user has ended. The conversation is considered as ended when it can be derived that the matter has been sufficiently resolved.
Other personal data collected during the process is deleted after seven days at the latest.
5. Right to objection and removal
The user has the right to revoke their consent to the processing of their personal data. If the user contacts us via email, they can object to the storage of their personal data at any time. The conversation can no longer continue in this case.
To revoke your consent or object to the storage of your data, you can contact us at datenschutz@heo.com
All of the personal data saved in connection with contacting us will be deleted in this instance.
14. Application via email and application form
1. Scope of personal data processing
A contact form is provided on our website for the purpose of contacting us electronically. If an applicant chooses this option, the data provided in the input mask will be transferred to and stored by us. This data includes:
- Salutation
- First name
- Name
- Address
- Telephone/mobile number
- Email address
- Salary expectations
- Language skills
- Curriculum vitae
- References
- Photo
- Title; earliest start date; previous employment; mobility to Herxheim; how the applicant heard about us
During the application process, you are required to consent to the processing of your data and accept the privacy policy.
Alternatively, you can send us your application by email. In this case, we collect your email address and any data you share in the email.
After sending your application, you will receive confirmation from us that your application documents have been received.
Your data is not passed on to third parties. This data is used for the sole purpose of processing your application.
2. Purpose of data processing
Personal data from the application form is processed solely for the purpose of handling your application. In the event of contact via email, we shall have a legitimate interest in processing this data.
Other personal data processed during the application process shall serve to prevent misuse of the application form and to ensure the security of our IT systems.
3. Legal basis for data processing
Article 6(1)(b) Alt. 1 GDPR and Section 26(1)(1) BDSG shall serve as the legal basis for processing your data to initiate a contract at the request of the data subject.
4. Duration of storage
Data may be stored for up to six months upon completion of the application process. Your data will be deleted before this six-month period has expired. Your data may be stored in compliance with current regulations where legally required.
Other personal data collected during the process is deleted after seven days at the latest.
5. Right to objection and removal
The applicant has the right to revoke their consent to the processing of their personal data. If the applicant contacts us via email, they can object to the storage of their personal data at any time. The application can no longer continue in this case.
To modify or delete data, contact our HR department by replying to the email sent to you in response to your application.
All of the personal data saved in connection with your electronic application will be deleted in this instance.
15. Corporate image
Use of corporate image in social networks
Instagram:
Instagram, part of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
We provide information on our company page and offer Instagram users the opportunity to communicate. If you perform an action on our company Instagram page (such as commenting, posts, likes, etc.) this may result in your personal data (e.g. real name or user profile picture) being made public. Since we typically have no major influence over the processing of your personal data by Instagram in connection with the heo GmbH company page, we cannot accept any liability for the purpose and scope of data processing in this regard.
Our company pages on social networks are used to communicate and exchange information with (potential) customers. In particular, we use our company pages to present our company, employees and partners such as customers and manufacturers.
Publications on the company page may include the following content:
- Product information
- Competitions
- Advertising
- Customer contact
Users are free to publish personal data via activities.
Article 6(1)(a) GDPR shall serve as the legal basis for data processing.
The data generated by the company page is not stored in our systems.
You can object to the processing of your personal data that we collect in connection with using our company Instagram page at any time and exercise your rights as a data subject mentioned in section IV. of this privacy policy. Simply send an informal email to datenschutz@heo.com. Further information about the processing of your personal data by Instagram and your right to object is available here:
Instagram: https://help.instagram.com/519522125107875
Twitter:
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland
We provide information on our company page and offer Twitter users the opportunity to communicate. If you perform an action on our company Twitter page (such as commenting, posts, likes, etc.) this may result in your personal data (e.g. real name or user profile picture) being made public. Since we typically have no major influence over the processing of your personal data by Twitter in connection with the heo GmbH company page, we cannot accept any liability for the purpose and scope of data processing in this regard.
Our company pages on social networks are used to communicate and exchange information with (potential) customers. In particular, we use our company pages to present our company, employees and partners such as customers and manufacturers.
Publications on the company page may include the following content:
- Product information
- Competitions
- Advertising
- Customer contact
Users are free to publish personal data via activities.
Article 6(1)(a) GDPR shall serve as the legal basis for data processing.
The data generated by the company page is not stored in our systems.
You can object to the processing of your personal data that we collect in connection with using our company Twitter page at any time and exercise your rights as a data subject mentioned in section IV. of this privacy policy. Simply send an informal email to datenschutz@heo.com. Further information about the processing of your personal data by Twitter and your right to object is available here:
Twitter: https://twitter.com/de/privacy
YouTube:
YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, United States
We provide information on our company page and offer YouTube users the opportunity to communicate. If you perform an action on our company YouTube page (such as commenting, posts, likes, etc.) this may result in your personal data (e.g. real name or user profile picture) being made public. Since we typically have no major influence over the processing of your personal data by YouTube in connection with the heo GmbH company page, we cannot accept any liability for the purpose and scope of data processing in this regard.
Our company pages on social networks are used to communicate and exchange information with (potential) customers. In particular, we use our company pages to present our company, employees and partners such as customers and manufacturers.
Publications on the company page may include the following content:
- Product information
- Competitions
- Advertising
- Customer contact
Users are free to publish personal data via activities.
Article 6(1)(a) GDPR shall serve as the legal basis for data processing.
The data generated by the company page is not stored in our systems.
You can object to the processing of your personal data that we collect in connection with using our company YouTube page at any time and exercise your rights as a data subject mentioned in section IV. of this privacy policy. Simply send an informal email to datenschutz@heo.com. Further information about the processing of your personal data by YouTube and your right to object is available here:
YouTube: https://policies.google.com/privacy?gl=DE&hl=de
16. Use of corporate image in professionally oriented networks
1. Scope of data processing
We use the benefits of company pages on professional networks. We have company pages on the following professional networks:
LinkedIn:
LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland
XING:
XING SE, Dammtorstraße 30, 20354 Hamburg, Germany
We provide information on our page and offer users the opportunity to communicate.
The company page is used for applications, information/PR and active sourcing.
We have no information about how these companies process your personal data in connection with our company page. Further information can be found in the respective privacy policies:
LinkedIn:
https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
XING:
https://privacy.xing.com/de/datenschutzerklaerung
If you perform an action on our company page (such as commenting, posts, likes, etc.) this may result in your personal data (e.g. real name or user profile picture) being made public.
2. Legal basis for data processing
Article 6(1)(f) GDPR shall serve as the legal basis for the processing of your data in connection with the use of our company page.
3. Purpose of data processing
Our company page enables us to inform users about our services. Users are free to publish personal data via activities.
4. Duration of storage
We store the activities and personal data published by you on our company page unless you revoke your consent. We furthermore observe the statutory retention periods.
5. Right to objection and removal
You can object to the processing of your personal data that we collect in connection with using our company page at any time and exercise your rights as a data subject mentioned in section IV. of this privacy policy. Simply send us an informal email to the email address provided in this privacy policy.
Further information about your right to object and removal is available here:
LinkedIn:
https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
XING:
https://privacy.xing.com/de/datenschutzerklaerung
17. Content delivery networks
CloudFlare
1. Description and scope of data processing
We use features of the CloudFlare content delivery network registered at CloudFlare Germany GmbH, Rosental 7, 80331 Munich, Germany (hereinafter: CloudFlare). A content delivery network (CDN) is a network of regional servers connected via the internet with which content – particularly large media files such as videos – is delivered. CloudFlare offers web optimisation and security services which we use to improve our website loading times and to protect it against misuse. When you visit our website, a connection is established with the CloudFlare servers in order to retrieve content. Personal data may be stored in server log files and analysed, which typically includes user activity (including which pages were visited) and device and browser information (particularly IP address and operating system). Further information about the collection and storage of data by CloudFlare is available here:
https://www.cloudflare.com/de-de/privacypolicy/
2. Purpose of data processing
The use of CloudFlare features is intended to deliver and speed up online applications and content.
3. Legal basis for data processing
The collection of this data is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in providing a technically error-free and optimised website, for which server log files are collected.
4. Duration of storage
Your personal data will only be stored for as long as necessary in order to fulfil the purpose stipulated in this privacy policy or where legally required.
5. Right to objection and removal
Information about your right to objection and removal with CloudFlare is available at:
https://www.cloudflare.com/de-de/privacypolicy/
18. Use of HubSpot
1. Scope of processing of personal data
We use functions of HubSpot Inc., 2nd Floor, 25 First Street, Cambridge, MA 02141, USA (hereinafter referred to as HubSpot).
HubSpot is certified under the US-EU Data Privacy Framework and therefore ensures an adequate level of protection.
With HubSpot we cover various aspects of online marketing (newsletters and automated mailings, e.g. to provide downloads), reporting (especially traffic sources, access, etc.), contact management (especially user segmentation & CRM), landing pages and contact forms.
HubSpot sets a cookie on your computer. This allows personal data to be stored and evaluated, in particular the user's activity (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system), data on the advertisements displayed (in particular which advertisements have been displayed and whether the user has clicked on them) and also data on advertising partners (in particular pseudonymised user IDs).
Further information on the collection and storage of data by HubSpot can be found at:
https://legal.hubspot.com/privacy-policy
2. Purpose of data processing
The use of the HubSpot Plug-In serves exclusively for the optimization of our marketing.
3. Legal basis for the processing of personal data
The legal basis for the processing of personal data with regard to email marketing, newsletters and user tracking is generally the consent of the user in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
The legal basis for the processing of personal data in the context of our contact management and responding to customer inquiries is Art. 6 para. 1 sentence 1 lit. b GDPR.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfill the purposes described in this Privacy Policy or as required by law, e.g. for tax and accounting purposes.
5. Exercising your rights
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the revocation.
You can prevent HubSpot from collecting and processing your personal data by preventing the storage of cookies from third parties on your computer, by using the "Do Not Track" function of a supporting browser, by deactivating the execution of script code in your browser or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
You can find further information on objection and removal options against HubSpot at:
https://legal.hubspot.com/privacy-policy
Right of modification:
We reserve the right to modify this privacy policy at any time. The privacy policy is updated regularly and all changes are automatically published on our website.
Use of Hotjar
1. Scope of processing of personal data
We use the Hotjar web analysis service of Hotjar Ltd, Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta (hereinafter: Hotjar). Hotjar uses cookies, i.e. small text files, which are stored locally in the cache of your web browser on your end device and which enable an analysis of the use of our online presence by you. Personal data can thus be stored and evaluated, in particular the user's activity (in particular which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system) and a tracking code (pseudonymised user ID). The information thus collected will be transferred by Hotjar to a server in Ireland and stored there in an anonymised form. Further information on the collection and storage of data by Hotjar can be found at:
https://www.hotjar.com/legal/policies/privacy
2. Purpose of data processing
The use of the Hotjar Plug-In serves to better understand the needs of our users and to optimize the offer on this online presence.
3. Legal basis for the processing of personal data
The legal basis for the processing of personal data is the user's given consent in accordance with Art. 6 (1) (a) GDPR.
4. Duration of storage
Your personal information will be stored for as long as is necessary to fulfill the purposes described in this Privacy Policy or as required by law.
5. Exercising your rights
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the revocation.
You can prevent Hotjar from collecting and processing your personal data by preventing the storage of third-party cookies on your computer, by using the "Do Not Track" function of a supporting browser, by deactivating the execution of script code in your browser, or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
With the following link you can deactivate the use of your personal data by Hotjar:
https://www.hotjar.com/legal/compliance/opt-out
For more information on objection and removal options against Hotjar please visit:
https://www.hotjar.com/legal/policies/privacy
Hosting
In addition, we use another service provider to host some of our subdomains.
Our service provider is:
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
For further information on the processing of personal data by Hetzner please see:
https://www.hetzner.com/legal/privacy-policy
The servers automatically collect and store information in so-called server log files, which your browser automatically transmits when you visit the website. The stored information is:
- Information about the browser type and the version used
- The user's operating system
- The Internet service provider of the user
- Date and time of access
- Websites from which the user's system accessed our website
- Websites the user's system accessed through our website
This data will not be merged with other data sources. The data is collected on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of their website, and server log files are therefore recorded.
The server of the website is geographically located in Germany.
We, heo GmbH, take the protection of your personal data very seriously and adhere strictly to the rules of data protection law. On this website, personal data will only be collected to the extent which is technically necessary. Under no circumstances will the data collected be sold or passed on to third parties. The following declaration provides an overview of how we ensure the protection of your data and for which purpose data is collected.