- Sect. 1: Controller for Data Processing and Data Protection Officer; Scope
- Sect. 2: General PrinciplesofProcessing Personal Data
- Sect. 3: Log-Data and Cookies when using our WEBSITE
- Sect. 4: Additional Features and Options (Contact, Newsletter, Online-Catalogue, Training Courses, Applications)
- Sect. 5: Statistical and Marketing Tools (Google Analytics, DoubleClick by Google, Google Tag Manager)
- Sect. 6: Third Party Content (Monotype Web Fonts, Youtube)
- Sect. 7: Data Security
- Sect. 8: Your Rights
1. Controller for Data Processing and Data Protection Officer; Scope
(1) We, the company RAFI GmbH & Co. KG, Ravensburger Strasse 128-134, 88276 Berg / Ravensburg, Germany, Tel.: +49 751 89-0, Fax: +49 751 89-1300, E-Mail: firstname.lastname@example.org, are the Data Controller for the processing your personal data as a user of our website, available at www.rafi.de (hereinafter referred to as „WEBSITE (“you”) in accordance with Art. 4 No. 7 General Data Protection Regulation (GDPR). If you are an applicant or intern/trainee, we hereby also inform you about the handling of your personal data in our specially designed area for applicants.
(2) Our external Data Protection Officer is Mr. Dr. Norbert Kuhn, Heustrasse 3, 70174 Stuttgart, Germany, E-Mail: email@example.com.
(3) Hereinafter, in the context of our information obligations, we would like to inform you in detail about the ways in which we process your personal data when visiting our WEBSITE and the use of our other features and options (hereinafter referred to as “Services”) on our WEBSITE. Furthermore, we would like to inform you about the associated protective measures, which we have taken by implementing both technical and organizational methods with regard to our WEBSITE as well as your rights relating to processing your personal data.
2. General Principles of Processing of Personal Data
(1) „Personal data“ means any information relating to an identified or identifiable natural person (‘data subject’). Your personal data therefore includes all data that can be directly or indirectly assigned to your person such as your name, your address, your phone number or your e-mail address.
(2) Personal data is processed by us primarily if and to the extent
- you have given us your consent to the processing personal data for one or several specific purposes (Article 6 (1) Subpar. 1 a) GDPR), or
- the processing is necessary for the performance of a contract to which you are a party or for the performance of pre-contractual actions at your request (Article 6 (1) Subpar. 1 b) GDPR), or
- the processing of data is necessary to fulfill a legal obligation to which we are subjected (Article 6 (1) Subpar. 1 c) GDPR), or
- the processing of data is necessary to ensure our legitimate interests or those of a third party, unless your interests or fundamental rights and freedoms requiring the protection of your personal data prevail (Article 6 (1) Subpar. 1 f) GDPR).
3. Log-Data and Cookies when using our WEBSITE
(1) In connection with the use of our WEBSITE we will collect those data that your internet browser automatically transmits to our server. The following data is collected hereby:
- IP address of the network access device of the respective requesting computer
- Date and time of the request (in GMT)
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the requirement (concrete page)
- Access Status / HTTP status code
- Each transmitted amount of data
- Website from which the request comes
- Operating system and its interface
- Language and version of the browser software
(2) This information is technically necessary for us to ensure you can use the WEBSITE and make sure it functions properly, in particular to display the WEBSITE and to ensure the security and stability of the WEBSITE. There is no link between this data and personal data of a specific natural person. Our legitimate interest lies in a functioning WEBSITE. The legal basis is Art. 6 (1) Subpar. 1 f) GDPR.
(3) We will delete this data as soon as it is no longer necessary for the purpose of its collection. A storage of your IP address will last up to seven days in its entirety, thereafter in anonymized form. Your IP address will be reduced by the last octet (or a corresponding subsegment in the case of IPv6). The temporary storage of the IP address by our system is necessary in order to remedy disruptions of our WEBSITE and to avert dangers. In all other cases, the deletion takes place when the respective session has ended.
4. Other Features and Offers
In connection with various services on our WEBSITE, which you may use if you are interested, you usually have to provide further personal data. Here is what that means respectively:
4.1 Ordering Brochures and Contact/Feedback
(1) If you contact us, e.g. when ordering our printed flyers, brochures and / or catalogs or to provide us with your feedback, the processing of your voluntarily communicated contact information (e.g. first name, surname, e-mail address, telephone number) will be used to answer your inquiries and / or suggestions via the contact form, e-mail or otherwise. The processing of your data is only for processing the contact as well as to prevent misuse and ensure the security of our information technology systems.
(2) The legal basis for the processing of the data is Art. 6 (1) Subpar. 1 f) GDPR. If your message aims to conclude a contract, then additional legal basis for the processing of your data is Art. 6 (1) Subpar. 1 b) GDPR.
(3) Insofar as the deletion of your personal data does not violate statutory retention periods, we will delete them as soon as they are no longer necessary for the purpose of their collection.
4.2 Subscription to our Newsletter
(1) With your consent, you can subscribe to our newsletter, which informs you about our latest interesting offers and activities. The advertised offers and activities are mentioned in the declaration of consent.
(3) To register for our newsletter, we use the so-called double opt-in procedure. This means that after you have registered, we will send you an e-mail to the e-mail address listed in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and times of registration and confirmation.
(4) The only requirement for sending the newsletter is your e-mail address. The specification of additional, separately tagged data is voluntary and will be used to address you personally. After your confirmation, we will save your e-mail address for sending you the newsletter. The legal basis is Art. 6 (1) Subpar. 1 a) GDPR
(5) You can revoke your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. You can revoke by clicking on the link provided in each newsletter, by e-mail to firstname.lastname@example.org or by sending a message to the contact details mentioned in Sect. 1 at any time. You may also unsubscribe via this link: www.rafi.de/de/meta/konto/newsletter/.
(6) We will delete your data as soon as it is no longer necessary to achieve the purpose of its collection, your e-mail address becomes unreachable or if you revoke your consent to the sending of newsletters. Your data is therefore stored as long as the subscription to the newsletter is active.
4.3 Contact Form for our B2B Online Catalog
(1) If you would like to send us an inquiry or message (e.g. about our products) via our B2B online catalog (eCatalog), the processing of your voluntarily provided contact data (e.g. first and last name, address, telephone number, fax, e-mail-address etc.) for replying to your message sent via the contact form. Your e-mail address is sufficient for a contact request or the request for information material. If you request an offer, it is necessary that you provide us with further data necessary for the preparation of the offer.
(2) The legal basis is Art. 6 (1) Subpar. 1 (f) GDPR. If your message is aimed at the conclusion of a contract (for example, because you request an offer), then an additional legal basis for the processing of your data is Art. 6 (1) Subpar. 1 (b) GDPR.
(3) We may also process the information you provide to inform you of other interesting offers or to provide you with technical information e-mails. The legal basis for this is Art. 6 (1) Subpar. 1 (f) GDPR.
(4) Insofar as it does not violate statutory retention periods regarding your personal data, we will delete the data as soon as they are no longer required to achieve the purpose for which they were collected.
4.4. Registration for our Training Courses
(1) If you want to register for a training course on our WEBSITE, it is necessary for the conclusion of the contract that you provide your personal data in order to process your registration. Mandatory information required for registration is marked accordingly, all non-marked information is voluntary. We also process the voluntary data you provide to process your registration. The legal basis for this is Art. 6 (1) Subpar. 1 (b) GDPR and Art. 6 (1) Subpar. 1 (f) GDPR for the voluntary data you provided.
(2) Insofar as it does not violate statutory retention periods regarding your personal data, we will delete them as soon as they are no longer required to achieve the purpose for which they were collected. Due to commercial and tax law requirements, we are obliged to save your address and order data for a period of ten years.
4.5. Job Applications
(1) The application process on our WEBSITE is carried out using software to process the application data from softgarden e-Recruiting GmbH, Tauentzienstr. 14, 10789 Berlin, Germany ("softgarden"). softgarden processes the data on our behalf.
(2) For more information about softgarden and the purpose and scope of data collection and processing as part of the application process, please refer to the data protection declaration for the application process, available at: https://rafi.softgarden.io/de/data-security.
(3) You can find the applicant information from us according to Art. 13, 14 GDPR on our WEBSITE at: https://www.rafi.de/fileadmin/user_upload/rafi_de/Medien/Unternehmen_und_Arbeitgeber/00_Information_Bewerberdaten__22.11.2019_.pdf
5. Statistics and Marketing Tools
(1) Our WEBSITE uses the web analysis service ‘etracker’ from etracker GmbH (Erste Brunnenstrasse 1, 20459 Hamburg, Germany; “etracker”), to analyze the use of our WEBSITE and enable us to regularly improve it.
(2) To do this, we don’t use any cookies as standard. We would obtain your explicit consent separately in advance if we were to use analysis and optimization cookies. If this is the case and if you agree, then cookies are used which allow a statistical analysis of the use of the application. Cookies are small text files that are stored by the internet browser on the user’s terminal device. etracker cookies do not contain any information that enables identification of a user.
(3) The data generated with etracker is processed and stored exclusively in Germany and is therefore subject to strict German and European data protection laws and standards. etracker has been independently audited and certified in this regard and awarded the ePrivacyseal data protection seal of approval.
(4) If you agree to the analysis and optimization cookies, then they will be processed on the basis of this consent according to Art. 6 (1) sub-section 1 letter a GDPR. You can revoke this at any time with effect for the future, e.g. via the buttons “Change your consent” or “Revoke your consent” in our cookie declaration [https://www.rafi.de/cookie-erklaerung].
(5) The data will otherwise be processed based on our legitimate interest according to Art. 6 (1) sub-section 1 letter f GDPR. Our legitimate interest is the optimization of our WEBSITE to improve our offer and to make it more interesting for you as a user. As the privacy of our customers is important to us, data that may allow a reference to an individual person, such as the IP address, login, or device identifiers, is anonymized or pseudonymized as soon as possible. No other use, combination with other data or disclosure to third parties will take place.
(6) You will find further information on data protection at etracker here.
You may object to the aforementioned data processing based on our legitimate interest at any time. An objection will have no adverse consequences.
6. Third-Party Content
6.1 Web Fonts by Monotype
(1) Our WEBSITE uses so-called web fonts provided by Monotype Inc., Monotype, 600 Unicorn Park Drive, Woburn, MA 01801, USA (Fonts.net). (“Monotype”).
(2) The tracking code of the web fonts does not collect, process or save any personal data. When you access our WEBSITE, Monotype collects the project identification number of the web font (anonymized), the URL of the licensed website linked to a customer number to identify the licensee and the licensed web fonts, and the URL of the previously visited page.
(3) Monotype stores the anonymized project identification number of the web fonts in encrypted log files with such data for a period of 30 days in order to determine the monthly number of page views. After such determination and storage of the number of page views, the log files are deleted.
(4) Monotype shares anonymized data with subsidiaries and affiliates.
(2) By playing YouTube videos on our WEBSITE, YouTube receives the information that you have accessed the corresponding sub-page of our WEBSITE. In addition, the data mentioned under Sect. 3.1 of this Policy will be transmitted. This happens regardless of whether YouTube provides a user account that you are logged in to, or if there is no user account. When you are logged in to Google, your data will be assigned directly to your account. If you do not wish your profile to be assigned on YouTube, you must log out before activating the button. YouTube stores your data as user profiles and uses them for purposes of advertising, market research and / or custom design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide appropriate advertising and to inform other users of the social network about their activities on our WEBSITE. You have the right to object to the creation of these user profiles, and you must address YouTube directly to exercise that.
(3) The legal basis for using YouTube on our WEBSITE is your consent in accordance with Art. 6 (1) subpara. 1 (a) GDPR. You can withdraw your consent at any time with future effect e.g. revoke with the buttons "change your consent" or "revoke your consent" in our cookie statement [https://www.rafi.de/en/cookie-declaration/].
(4) Google processes your personal data in the US and has subjected itself to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
7. Data Security
(1) We use technical and organizational security measures to protect accruing or collected personal data, in particular against accidental or intentional manipulation, loss, destruction or against the attack of unauthorized persons. Our security measures are continuously improved in line with technological developments.
(2) Our WEBSITE is encrypted using SSL technology to prevent access by unauthorized third parties. You can recognize the secure transmission by the protocol name "https: //" in the URL line.
8. Your Rights
(1) With regard to the processing of personal data concerning you, you are entitled to the rights listed below in a)-h) under the legal preconditions. Please contact the Data Protection Officer or us for this. The contact details can be found under Sect. 1.
a) Right to Information
Subject to Art. 15 GDPR you can require a confirmation as to whether personal data concerning you are processed by us. In this case, according to Art. 15 (1) GDPR, you have the right to obtain information about the processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom we have disclosed or will disclose the personal data, the planned retention period or the criteria for the personal data determining the retention period, the right of rectification or deletion of your personal data, as well as restriction of processing or objection to processing, the existence of a right to complain to a supervisory authority, the origin of the data, if we have not collected your data from you, existence of an automated decision-making including profiling and according to Art. 15 (2) GDPR the right to be informed about the appropriate guarantees according to Art. 46 GDPR in connection with the transfer of personal data to third countries.
b) Right to Rectification
According to Art. 16 GDPR you can demand the immediate correction and / or considering the purpose of the processing the completion of your personal data, if your data is incorrect or incomplete.
c) Right to Deletion
According to Art. 17 GDPR you can require the immediate deletion of your personal data, provided that there is a reason under Art. 17 (1) a) - f) GDPR. However, the right to delete your personal data does not exist, in particular, if its processing is required to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal rights (Art. 17 (3) GDPR).
d) Right to Restriction of Processing
You may restrict the processing of your personal data in accordance with Art. 18 GDPR, as long as we verify the accuracy of your data, if you refuse the deletion of your data due to unlawful processing and instead demand the restriction of the use of your data, if you need your data for the assertion, exercise or defense of legal claims or if you have objected to the processing, as long as it is not certain that our legitimate reasons prevail.
e) Right to Consultation
According to Art. 19 GDPR we communicate any rectification or deletion of your personal data or a limitation of their processing under Art. 16, 17 (1) and 18 GDPR to all recipients to whom your personal data have been disclosed, unless this turns out to be impossible or is associated with a disproportionate effort. According to Art. 19 sent. 2 GDPR you have the right to be informed about these recipients on request.
f) Right to Data Portability
According to Art. 20 GDPR you have the right to receive your personal data, which you have provided us, in a structured, common and machine-readable format and to transmit this data to another person responsible, provided that the further requirements of Art. 20 GDPR exist, in particular, this is technically feasible.
g) Right to Objection
As far as we base the processing of your personal data on the balance of interests according to Art. 6 (1) Subpar. 1 f) GDPR, you can object to the processing according to Art. 21 GDPR. This is the case if, in particular, the processing is not required to fulfill a contract with you, which we present in each case in the above description of the offers. In the event of such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the case of your justified objection, we examine the situation and according to Art. 21 (1) sent. 2 GDPR either no longer process the personal data or prove to you our compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms. Further processing is reserved, if the processing serves the assertion, exercise or defense of legal claims.
According to Art. 21 (2) GDPR, you can object to the processing of your personal data for the purpose of advertising and profiling at any time, as far as it is associated with direct advertising.
You can inform us or the Data Protection Officer about your objection under the contact data mentioned in Sect. 1.
h) Right to revoke the Consent
(1) According to Art. 7 (3) GDPR you have the right to revoke any data protection consent granted to us, at any time with effect for the future. However, this does not affect the lawfulness of the processing that took place based on your consent until the time of the cancellation.
(2) If you believe that the processing of your data violates data protection regulations, you have the additional right to complain to a supervisory authority according to Art. 77 GDPR. Please contact a supervisor in the Member State of your place of residence, your work place or the location of the potential breach. An overview can be found here: www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Version: April 1st 2020