I. Name and address of the controller
The controller as defined by the General Data Protection Regulation, other national data protection laws of the member states, and other data protection provisions:
EX-O-FLEX
Gesellschaft für Kunststofformung mbH
Mattweg 5
D-77971 Kippenheim
Deutschland / Germany
Telefon +49 7825 / 879 46 0
E-Mail: exoflex@exoflex.de
II. Name and address of the data protection officer
We are not obligated to appoint a data protection officer.
III. General information on data processing
1. Extent of the processing of personal data
We collect and use personal data from our users only if necessary to process our contracts. After our contractual obligations have been fulfilled, we will process data only after we have been granted permission to do so. This does not apply if practical circumstances prevent us from obtaining prior consent or we may process the data under statutory provisions.
2. Legal bases for processing personal data
If the data subject permits us to process personal data, Art. 6 (1) a GDPR serves as the legal basis.
If personal data must be processed to fulfil a contract whose contracting party is the data subject, the legal basis is Art. 6 (1) b GDPR. This also applies to processing operations that are necessary to implement pre-contractual measures.
If personal data must be processed to fulfil a legal obligation to which our company is subject, the legal basis is Art. 6 (1) c GDPR.
If the processing is necessary to safeguard a legitimate interest of our company or a third party, and that legitimate interest is not outweighed by the interests, basic rights and freedoms of the data subject, the legal basis will be Art. 6 (1) f GDPR.
3. Data deletion and duration of storage
The data subject’s personal data will be deleted or blocked as soon as the purpose of storage no longer applies. We may also store that data if such storage is provided for through the European or national legislature, in the form of directives under European Union law, statutes or other provisions to which the controller is subject. The data will also be deleted or blocked if a storage period prescribed by the standards mentioned expires, unless the data must be stored for longer to conclude or fulfil a contract.
IV. Provision of the homepage and creation of logfiles
1. Description and extent of the data processing
Whenever our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data will be collected:
(1) Information on the browser type and the version used
(2) The user’s operating system
(3) The user’s internet service provider
(4) The user’s IP address
(5) Date and time of access
(6) Websites from which the user’s system is directed to our internet site
(7) Websites which are accessed from the user’s system via our website
The data will also be stored in our system’s log files. This data will not be stored together with other personal data of the user.
2. Legal basis for data processing
The legal basis for storing the data and the log files temporarily is Art. 6 (1) f GDPR.
3. Purpose of data processing
The data are stored in log files to ensure the webpage’s functionality. The data also help us optimise the webpage and ensure the security of our IT systems. In this context, the data will not be evaluated for marketing purposes.
These purposes also include our legitimate interest in data processing under Art. 6 paragraph. 1 f GDPR.
4. Duration of storage
If the data are stored in log files, this will normally last a maximum of seven days. Storage past that point is possible. In this case, the user’s IP address will be deleted or distorted so that it can no longer be allocated to the accessing client.
5. Possibility for objection and rectification
Data must be collected for the webpage to be provided, and it must be stored in log files for the internet site to be operated. Consequently, the user may not object to this.
V. Establishing contact through email
1. Description and extent of the data processing
On our internet site, contact can be made via the email address provided. In this case, the user’s personal data transmitted along with the email will be stored. In an email, the user data provided in that email, as well as all other data transmitted from the user’s email programme. In this context, the data will not be forwarded to third parties. The data will be used exclusively to process the visitor’s inquiry.
2. Legal basis for data processing
The legal basis for processing data transmitted when a email is sent is Art. 6 (1) f GDPR. If contact is established to conclude a contract, an additional legal basis for the processing is Art. 6 (1) b GDPR.
3. Purpose of data processing
If contact is established using a email, personal data is processed only to manage the contact that is made. This also constitutes the required legitimate interest in processing the data.
4. Duration of storage
The data will be deleted when it is no longer needed to meet the goal for which it was collected. For personal data sent via a email, this is the case if the respective conversation with the user has ended. The conversation will end when circumstances reveal that the situation concerned has been finally cleared up.
5. Possibility for objection and rectification
The user may at any time revoke their consent to have their personal data processed. If the user contacts us through a email, they can object at any time to having their personal data stored. In such a case, the conversation cannot be continued. If they do object, all personal data that was stored when contact was established will be deleted.
VI. Rights of the data subject
If your personal data is processed, you are the data subject as defined by the GDPR and are entitled to the following fights toward the controller:
1. Right to information
You can demand that the controller confirm whether we are processing personal data concerning you.
If this is the case, you can demand access to the following information from the controller:
(1) the purposes for which the personal data is processed
(2) the categories of personal data being processed
(3) the recipient or categories of recipients to whom the personal data concerning you were or will be disclosed
(4) the planned duration of the storage of the personal data concerning you, or if no specific information is available to this end, the criteria for determining the storage period
(5) the existence of a right to have the personal data concerning you corrected or deleted, a right to restrict its processing through the controller, or a right to object to that processing
(6) the right to complain to a supervisory authority
(7) all available information on the origin of the data, if the personal data was not collected from the data subject
You have the right to demand whether the personal data concerning you are transmitted to a third country or international organisation. In this context, you may demand to be informed about the appropriate guarantees under Art. 46 GDPR in connection with such transmission.
2. Right to correction
If the processed personal data that concerns you is incorrect or incomplete, you have the right against the controller to have it corrected, deleted, or both. The controller must undertake such correction without undue delay.
3. Right to restrict the processing
You can demand that the processing of the personal data concerning you be restricted, under the following conditions:
(1) If you dispute that the personal data concerning you is incorrect, for a duration which enables the controller to check its correctness
(2) The processing is incorrect and you waive your right to have it deleted, instead demanding that its use be restricted
(3) The controller of the personal data no longer needs it for the purposes of its processing, but you need it to assert, exercise or defend against legal claims, or
(4) If you have filed an objection against the processing under Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the controller outweigh your reasons.
If the processing of the personal data concerning you has been restricted, these data – regardless of their storage – may be processed only (1) with your consent, (2) to assert, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
If the processing has been restricted according to the aforementioned conditions, the controller will inform you before that restriction is lifted.
4. Right to deletion
a. Obligation to delete
You may demand from the controller that the personal data concerning you be deleted without undue delay. The controller is obligated to delete these data without undue delay provided one of the following grounds applies:
(1) the personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed;
(2) you withdraw your consent on which the processing is based under Art. 6 (1) a or Art. 9 (2) a GDPR, and there is no other legal basis for the processing;
(3) you object to the processing under Art. (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing under Art. 21 (2) GDPR.
(4) The personal data concerning you was illegally processed.
(5) The personal data concerning you must be deleted to fulfil a legal obligation under EU or member state law to which the controller is subject.
(6) The personal data concerning you was collected in regard to information society services offered pursuant to Art. 8 (1) GDPR.
b. Information to third parties
If the controller has publicised the personal data and is obligated under Art. 17 (1) GDPR to delete that data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the deletion by such controllers of any links to, or copy or replication of, those personal data.
c. Exceptions
The right to deletion does not exist if the processing is necessary:
(1) to exercise the right to information and freedom of expression
(2) to fulfil a legal obligation which requires the processing under
EU or member state law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller
(3) for reasons of the public interest in the area of public health under Art. 9 (2) h and i as well as Art. 9 (3) GDPR
(4) for archiving, scientific or historical research purposes in the public interest, or statistical purposes under Art. 89 (1)
GDPR insofar as the right mentioned in section a) is expected to prevent or seriously impair the realisation of the objectives of this agreement, or
(5) to assert, exercise or defend against legal claims.
5. Right to information
If you have asserted your right to correction, deletion or restriction of the processing toward the controller, that controller is obligated to communicate such correction or deletion of the data or restriction of its processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or would entail a disproportionate effort. You have the right to be informed by the controller about those recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as:
(1) The processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (1) a GDPR or on a contract pursuant to Art. 6 (1) b GDPR and
(2) the processing occurs with the help of automated procedures.
In exercising this right, you may also effect that the personal data concerning you are transmitted directly from one controller to another, insofar as this is technically feasible. Doing so must not impair the rights and freedoms of others.
The right to data portability does not apply if personal data must be processed to carry out a task in the public interest or in the exercise of public authority vested in the controller.
7. Right to object
You have the right to object at any time, for reasons arising from your particular situation, if personal data concerning you is processed based on Art. 6 (1) e or f GDPR.
The controller will cease processing the personal data concerning you unless the controller can verify compulsory legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is done to assert, exercise of defend against legal claims.
If the personal data concerning you are processed for direct marketing purposes, you may object to that processing at any time.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).
8. Right to withdraw the declaration of consent under data protection laws
You have the right to withdraw your declaration of consent under data protection laws at any time. Withdrawing consent will not affect the legality of any processing performed on the basis of that consent before that consent was withdrawn.
9. Automatic decision-making in individual cases
You have the right not to be subject to a decision based exclusively on automated processing, which legally affects or otherwise significantly impairs you. This does not apply if that decision
(1) is necessary to conclude or fulfil a contract between you and the controller,
(2) is permitted under EU or member state law to which the controller is subject and which stipulate reasonable measures for guarding your rights, freedoms and legitimate interests, or
(3) is made with your express consent.
However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR unless Art. 9 (2) a or g GDPR apply and reasonable measures have been taken to protect your rights, freedoms and legitimate interests.
Regarding the cases mentioned in (1) and (3), the controller shall take reasonable measures to guard your rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present your own point of view, and to contest the decision.
10. Right to complain to a supervisory authority
If you believe that the processing of the personal data concerning you breaches the GDPR, you have the right to complain to a supervisory authority – especially in the member state of your abode, your workplace, or the place of the suspected breach – without prejudice to other administrative rights or judicial remedies.
The supervisory authority to which the complaint is submitted shall inform the complainant about the status and results of that complaint, including the possibility for judicial remedy under Art. 78 GDPR.