Data protection policy
We are delighted that you are interested in our company and products. When it comes to the processing of personal data, we take the protection of your privacy very seriously in all of our business processes. For this reason, we have a comprehensive range of technical measures in place to ensure that your data is secure. We keep these measures updated in line with state-of-the-art developments.
All personal data that we collect is treated as confidential and only processed in compliance with statutory regulations. Data protection is an integral part of our company policy.
We would like to take this opportunity to point out that our online presence contains links to and from websites operated by other providers. This data protection policy does not apply to any such websites. If you do click on a link to another website, please be aware that we cannot accept any responsibility or liability for any third-party content or data protection terms and conditions. Please check out the data protection terms and conditions applicable to the website before transferring any personal data to it.
Alongside information for visitors to our online presence, this data protection policy also covers the aspects of data protection relevant to our business partners.
A. General data protection information
1. Collection and processing of personal data
Personal data is all information (e.g. address, email address, name, user behaviour, location data, telephone number) relating to you as a natural person (e.g. employee of one of our business partners, sole trader, contractor, consumer).
This could also include order data (e.g. sales data, business partner history), data relating to the fulfillment of our contractual obligations (e.g. payments), information on your financial situation (e.g. credit status data) and other similar data.
This data may be collected in particular within the context of a contractual relationship (e.g. purchase and sale of products, services, works), contact made prior to entering into a contract (e.g. offer preparation, contract negotiation) or any other enquiry (e.g. made online, via email or phone, at a trade fair). If required for the purpose of fulfilling our contractual or legal obligations, we also process personal data that we permissibly gain access to through public sources (e.g. commercial and association registers, the press, the internet) or that we are sent by other authorised third parties (e.g. credit agencies).
As the “controller” according to the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), Gebr. Heller Maschinenfabrik GmbH, Gebrüder-Heller-Straße 15, 72622 Nürtingen or the respective group company affiliated to it as per Section 15 of the German Stock Corporation Act (AktG) decides how your personal data is used and for what purpose in accordance with the provisions set out in this data protection policy.
3. Purposes of processing
Your personal data is processed for the following purposes:
- Operation and technical administration of our online presence, provision of online services.
- Responding to enquiries, initiation, performance or management of business relations with the HELLER Group.
- Fulfillment of contractual and/or legal obligations.
- Customer management.
- Performance of internal processes.
We will also use your personal data for needs-based marketing information (e.g. product surveys) provided that this is permitted under competition law. Moreover, your personal data may also be processed on the basis of a purpose outlined in Section B.
In addition to this, your personal data helps us to get a clear understanding of your interest in our products and allows us to amend our business relationships so that they are more effective for both parties.
4. Legal bases
We process personal data in compliance with the provisions of GDPR and BDSG according to the following legal bases:
Art. 6 (1) (1) (a) GDPR
In some exceptional cases, we will ask for your express consent to the processing of your personal data (e.g. newsletter, advertising). You have the right to withdraw your consent at any time with future effect.
Art. 6 (1) (1) (b) GDPR
The processing of data serves the fulfillment of our duties set out by a contract to which you are party (e.g. purchase, work, service, licence or rental contract) or the execution of steps prior to entering into a contract. As a general rule, we will not be able to conclude, perform or terminate a contract with you, without this data being provided. Nor will we be able to take steps prior to entering into a contract with you even if you request us to do so.
Art. 6 (1) (1) (c) GDPR
Legal obligations may require us to process your data (e.g. monitoring and reporting requirements under tax and social security law, checks by authorities, statutory retention periods).
Art. 6 (1) (1) (f) GDPR
Where necessary, we will process your personal data within the context of our business relations on the basis of a balance of interests. In this case, processing is permitted when it is required in order to safeguard our legitimate interests or those of third parties provided that these interests are not overridden by interests or fundamental rights and freedoms of the data subject requiring the protection of personal data. This applies in the following cases:
- Enforcement or exercising of legal claims or judicial court action, or defence against them.
- Optimisation of business processes (e.g. customer database).
- Minimisation of default risks as part of procurement processes through consultation with credit agencies (e.g. Creditreform).
- Assessment of European and international embargo lists if this goes beyond statutory obligations.
- Implementation of security measures for buildings and systems and preservation of the domiciliary right (e.g. video surveillance, access control).
- Safeguarding of network and data security (e.g. prevention of unauthorised access to electronic communication networks, prevention of the distribution of malicious program code, defence against attacks in the form of targeted server overloading, defence against damage to computers and electronic communication systems).
- Restricted storage of your data if erasure is not possible or requires an unreasonable amount of effort.
5. Your rights
You have the following rights against us relating to your personal data:
- The right to information and access.
- The right to rectification or erasure.
- The right to restriction of processing.
- The right to object to processing.
- The right to data portability.
You also have the right to lodge a complaint about our processing of your personal data with a supervisory authority responsible for data protection.
6. Data transmission
Your personal data will be made accessible to the departments (e.g. Procurement, Accounting, Logistics, Sales) and companies within the HELLER Group that require it for the purposes set out under Section A, Point 3.
Service providers and agents may also be able to access and process your personal data for these purposes. These are in particular external companies specialising in commercial and/or legal consultancy as well as financial, IT and logistics service providers. The following are examples of third parties who may receive your personal data:
- Processors (e.g. cloud providers).
- Insolvency administrators and creditors.
- Public authorities and institutions (e.g. finance and law enforcement authorities, artists' social security fund).
Otherwise, we will not pass your personal data onto third parties unless you have given your consent for us to do so or we are entitled or obliged to do so on the basis of legal provisions and/or official or judicial orders. This may be the case in particular if information needs to be provided as part of criminal proceedings, as a way of preventing danger or in order to enforce intellectual property rights.
We are also authorised to pass your personal data onto third parties if we have partnered with them to put on special offers, run competitions or enter into contracts. In these cases, we will inform you separately and in advance that your data is going to be passed on.
7. Storage period
We process and store your personal data for as long as is necessary for the purposes set out under Section A, Point 3.
This data is then deleted at regular intervals unless it temporarily needs to be processed further in order to comply with statutory retention periods, which may result from the German Commercial Code (HGB) and the German Tax Code (AO) in particular. For example, accounting records need to be kept for ten years and business correspondence for six years. Otherwise, the regular period of limitation is three years, with the option for periods of limitation to be as long as 30 years.
If you allow us to use your personal data for advertising purposes, we will store the personal data required for this purpose until you withdraw your consent to advertising purposes. If we are not processing your personal data for any other purposes, we will erase this data in line with data protection provisions as soon as you give us notice of the withdrawal of your consent.
If you have any questions that have not been answered by this data protection policy or if you would like further information about a specific aspect, please feel free to get in touch with the Data Protection Officer of the HELLER Group at any time:
Heller Holding SE & Co. KGaA
Data Protection Officer
B. Additional information on data protection relating to our online presence
1. Processing of personal data in the event of use for information purposes
If you are using our online presence purely for information purposes, i.e. you do not register or transmit any other information, we will only collect the personal data that your browser transmits to our server in accordance with Article 6 (1) (1) (f) GDPR. If you visit our online presence, we will collect the following data as we need it from a technical point of view to be able to display the online presence to you and guarantee its stability and security:
- IP address.
- Date and time of request.
- Time zone difference from Greenwich Mean Time (GMT).
- Content of request (specific page).
- Access status/HTTP status code.
- Amount of data transmitted.
- Website the request came from (referrer URL).
- Operating system and its interface.
- Type, language and version of browser software.
- Information on device used (user agent).
- Supported browser features (e.g. CSS version, frames/iframes, Java, XML, images).
Beyond using our online presence purely for information purposes, you can also search for contacts and fill in a contact form. You may need to enter further personal data in these cases. If there is the option of voluntarily entering additional information, this will be marked accordingly.
If you get in touch with us via email, we will process the data you enter in order to be able to respond to your enquiry.
2. Analysis of data traffic and behaviour
General information about "cookies"
In addition to processing personal data as outlined in Section B, Point 1, we might collect information about the way in which you use our online presence by using cookies. Cookies are small text files that are stored on your device and save certain settings and data about your browser to be exchanged with our system. As a general rule, cookies contain the name of the domain from which the data is being sent along with information on how old the cookie is and an alphanumeric ID code. Cookies enable our systems to recognise your device and automatically apply any pre-configured settings. A cookie is transmitted to your device's hard drive as soon as you access our online presence. Cookies cannot run programs or transmit viruses to your device.
Use of “Google Analytics” and "Google Tag Manager"
We use IP anonymisation on this online presence, which means that “anonymizeIp()” is added in conjunction with Google Analytics. This means that IP addresses are shortened within EU Member States or in other countries that are party to the Agreement on the European Economic Area before being processed further so that they cannot be linked to specific individuals. Consequently, if the data collected does include a link to specific individuals, this will be immediately removed and the personal data promptly deleted.
Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information on our behalf for the purpose of evaluating your use of the online presence, compiling reports on activities on our online presence and providing us with other services relating to the use of the online presence and internet usage.
The IP address transmitted by your browser in connection with Google Analytics will not be associated with any other Google data.
In the exceptional cases in which your personal data is transmitted to the US, Google is bound by the “EU-US Privacy Shield” (https://www.privacyshield.gov/EU-US-Framework).
This online presence also uses Google Analytics to analyse visitor numbers using a user ID for cross-device tracking. You can disable cross-device tracking by deactivating this feature under “My Data”, “Personal Data” in your Google customer account.
Information on the third-party provider
Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.
This online presence uses the following types of cookies:
Transient cookies (temporary use)
Transient cookies are automatically deleted when you close your browser. Session cookies are the most common type of transient cookies. They save a session ID that can be used to allocate different requests from your browser to the same session. This means that your device can be recognised when you return to the online presence. Session cookies are deleted when you log out or close your browser.
Persistent cookies (in use for a set amount of time)
Persistent cookies are automatically deleted after a set amount of time has passed. The duration may be different for each cookie. You can delete these cookies at any time via the security settings in your browser.
Third-party cookies (from third-party providers)
Details about the cookies used are provided below:
Purpose: TYPO3 standard session identification. The session itself is used to enable various features on the online presence.
Storage period: Length of the session
Purpose: Used to detect new sessions and/or visits and contains a unique identification code.
Storage period: 24 hours
Purpose: Used to detect new sessions and/or visits and contains a unique identification code.
Storage period: Two years
Storage period: One month
Purpose: Google Analytics cookie. Used to stop tracking through Google Analytics when the Google Analytics opt-out link has been clicked on.
Storage period: 90 years
Consent and ways of restricting cookies
Moreover, you can stop Google from collecting data generated by cookies in relation to your use of the online presence (including your IP address) by downloading and installing the browser plugin available here: http://tools.google.com/dlpage/gaoptout?hl=de.
As an alternative to the browser plugin and for the use of browsers on mobile devices, click here to stop your data from being collected through Google Analytics on this online presence in future (the opt-out function will only apply on this browser and for this domain). An opt-out cookie will be stored on your device. If you delete the cookies from this browser or use a different browser or device, you will have to click on this link again.
Our newsletter is only sent if you have given us your consent in accordance with Art. 6 (1) (1) (a) GDPR. We cooperate with an external service provider to distribute our newsletter.
We use a “double opt-in process” for newsletter subscriptions. Thus, we will send an email to the address you enter when you subscribe asking you to confirm that you would like to start receiving our newsletter. If you do not confirm your subscription within seven calendar days (starting from the moment you subscribe), your information will be automatically deleted. Moreover, we will store your IP address from when you subscribed and submitted confirmation as well as the time at which you subscribed and submitted confirmation. We use this process to verify your subscription and to be able to resolve misuse of your personal data.
The only information you need to provide us with when subscribing to the newsletter is your email address. It is your choice if you provide us with any further information (which is marked as optional). If you do, it will be used to personalise the newsletter for you. Once you have submitted your confirmation, we will store your email address for the purpose of sending you the newsletter until you unsubscribe.
You can withdraw your consent to us sending you the newsletter at any time, meaning you will unsubscribe from the newsletter. You can withdraw by clicking on the link provided in every newsletter email or by sending us an email to firstname.lastname@example.org.
Analysis of your user behaviour
We want to take this opportunity to inform you that we analyse your user behaviour when we send you the newsletter. For analysis purposes, the emails we send you contain web beacons or tracking pixels, which come in the form of 1x1 pixel graphics. As part of our analyses, the data specified in Section B, Point 1 and the web beacons or tracking pixels are linked to your email address and a unique identifier (“ID”). Links in the newsletter use this ID too. The newsletter provider saves the information collected in this way on their server in Germany.
You can object to this form of tracking at any time by clicking on the special link provided in every newsletter email. Alternatively, you can also notify us of your request by sending us an email to email@example.com. The information relating to your user behaviour will be stored until you unsubscribe from the newsletter. Once you have unsubscribed from the newsletter, the data will only be stored in the form of statistics.
This form of tracking will not be possible if you have adjusted the default settings in your email program to stop images from being displayed. In this case, the newsletter will not be displayed completely and you may not be able to use all of the features. If you manually choose for images to be displayed, tracking will commence as described above.
4. Social media
Use of social media plugins
We currently use the following social media plugins on the basis of Art. 6 (1) (1) (f) GDPR: Facebook, LinkedIn, Twitter, Xing, YouTube. We use here what is known as the two-click solution. This means that when you visit our online presence, no personal data will initially be sent to the providers of these plugins. You will be able to recognise the plugin provider from the respective logo. Therefore, we give you the option of communicating directly with the plugin provider. But the plugin provider will not receive any information about you visiting the corresponding page on our online presence unless you click on the button with the relevant logo to activate it. Furthermore, the data specified in Section B, Point 1 is transmitted. In the case of Facebook and Xing, according to the providers in Germany, your IP address will be anonymised immediately after it is collected. When you activate a plugin, your personal data will be transmitted to and stored by the corresponding plugin provider (in the US if the provider is based there). Given that the plugin providers' main method of collecting data will be by using cookies, we recommend that you delete all cookies via your browser's security settings before clicking on the button.
We do not have any influence over the data collected or methods of data processing. Nor do we know the full extent of the data collection, the purposes of processing or the storage periods. We do not have any information about the deletion of the data collected by the plugin provider.
The plugin provider stores the data collected in relation to you in the form of user profiles, which it uses for the purpose of advertising, market research and/or adjusting the design of its website in response to how it is being used. This form of analysis is used in particular (even in the case of users who are not logged in) to display tailored advertising and to notify other people using the social media network of your activity on our online presence. You have the right to object to these user profiles being created. You will need to get in touch with the relevant plugin provider directly to exercise this right. Through these plugins, we are providing you with the option of interacting with the social media networks and other users as a way of improving our online presence and making it more interesting to you as the user.
Data will be transmitted regardless of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, the data collected from our online presence will be assigned directly to your account with the plugin provider. If you click on the relevant button and, for example, link to the website, the plugin provider will store this information in your user account too and will share it publicly with your contacts. We recommend that you get in the habit of logging out of social media networks once you have used them and make sure you do this before clicking on the relevant buttons so as to stop the plugin provider from linking information to your account.
You can find further information on the purpose and scope of data collection and processing by the plugin providers by reading their data protection policies, which will also contain more details on your related rights and the settings that are available to allow you to protect your privacy.
Addresses for each of the plugin providers and URL for information on data protection:
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; www.facebook.com/policy.php. Further information on data collection: www.facebook.com/help/186325668085084, www.facebook.com/about/privacy/your-info-on-other and www.facebook.com/about/privacy/your-info. Facebook has signed up to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; www.linkedin.com/legal/privacy-policy. LinkedIn has signed up to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
New Work SE (previously XING AG), Dammtorstraße 30, 20354 Hamburg, DE; privacy.xing.com/en/privacy-policy.
Share function via “Shariff” buttons
We use the two-click “Shariff” solution here. This has been developed as a way of giving users greater privacy online. With it, the server of the website, rather than the individual user's browser, is linked to the server of the relevant social media platform (e.g. to retrieve the number of “likes”).
You can read more about this here: https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html (only available in German).
Use of YouTube videos
Our online presence includes YouTube videos that are stored on www.YouTube.com and can be played directly from our online presence. These are all integrated in “Privacy-enhanced Mode”, meaning that no data relating to you as the user will be transmitted to YouTube if you do not play the videos. The data specified in Section B, Point 1 will only be transmitted if you play the videos. We do not have any influence over the data being transmitted in this way.
When you visit our online presence, YouTube will be informed that you have visited the specific page of our online presence. The data specified in Section B, Point 1 is transmitted too. This will happen regardless of whether you are logged into a YouTube user account or whether you do not have such an account. If you are logged into Google, your data will be assigned directly to your account. If you do not want your data to be linked to your YouTube profile, make sure that you have logged out before clicking on the button. YouTube stores your data in the form of user profiles, which it uses for the purpose of advertising, market research and/or adjusting the design of its website in response to how it is being used. This form of analysis is used in particular (even in the case of users who are not logged in) to provide tailored advertising and to notify other people using the social media network of your activity on our online presence. You have the right to object to these user profiles being created. You will need to get in touch with YouTube directly to exercise this right.
Google also processes your personal data in the US and has signed up to the EU-US Privacy Shield: www.privacyshield.gov/EU-US-Framework.
Use of Google Maps
We use Google Maps on this online presence. This allows us to display interactive maps directly on our web pages for convenient map functionality.
When you visit our online presence, Google will be informed that you have visited the specific page of our online presence. The data specified in Section B, Point 1 is transmitted here too. This will happen regardless of whether you are logged into a Google user account or whether you do not have such an account. If you are logged into Google, your data will be assigned directly to your account. If you do not want your data to be linked to your Google profile, make sure that you have logged out before clicking on the button. Google stores your data in the form of user profiles, which it uses for the purpose of advertising, market research and/or adjusting the design of its website in response to how it is being used. This form of analysis is used in particular (even in the case of users who are not logged in) to provide tailored advertising and to notify other people using the social media network of your activity on our online presence. You have the right to object to these user profiles being created. You will need to get in touch with Google directly to exercise this right.
Google also processes your personal data in the US and has signed up to the EU-US Privacy Shield: www.privacyshield.gov/EU-US-Framework.