Privacy Policy
PRIVACY POLICY UNDER THE GDPR
I. NAME AND ADDRESS OF THE CONTROLLER
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States, as well as other data protection regulations, is:
ENGEL KARTON + PAPIER GMBH
Brookstieg 32
2145 Stapelfeld
Germany
T +49 40 298115 0
F +49 40 298115 99
info@engelkarton.de
www.engelkarton.de
II. NAME AND ADDRESS OF THE DATA PROTECTION OFFICER
The data protection officer of the controller is:
Frank Engel
datenschutz@engelkarton.de
III. GENERAL INFORMATION ON DATA PROCESSING
1. SCOPE OF PROCESSING PERSONAL DATA
We process personal data of our users primarily only to the extent necessary to provide a functional website and our content and services. The processing of personal data generally occurs only with the consent of the user. Exceptions are cases where obtaining prior consent is not feasible for factual reasons and the processing of the data is permitted by legal regulations.
2. LEGAL BASIS FOR PROCESSING PERSONAL DATA
If we obtain consent from the data subject for the processing of personal data, Article 6(1)(a) GDPR serves as the legal basis. For processing personal data necessary to fulfill a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations necessary for the performance of pre-contractual measures. If processing personal data is required to fulfill a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis. If processing is required to protect vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis. If processing is necessary for the purposes of the legitimate interests pursued by our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the former interest, Article 6(1)(f) GDPR serves as the legal basis.
3. DELETION OF DATA AND STORAGE PERIOD
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Further storage may occur if provided for by European or national legislators in Union regulations, laws, or other regulations to which the controller is subject. Data will also be blocked or deleted when a prescribed storage period under the mentioned norms expires, unless there is a need for further storage of the data for contract completion or fulfillment.
IV. PROVIDING THE WEBSITE AND CREATING LOGFILES
1. DESCRIPTION AND SCOPE OF DATA PROCESSING
When our website is accessed, our system automatically collects data and information from the requesting computer system. The following data is collected:
(1) Information about the browser type and version used
(2) The operating system of the user
(3) The Internet Service Provider of the user
(4) The IP address of the user
(5) Date and time of access
(6) Websites from which the user’s system accessed our website
(7) Websites accessed by the user’s system through our website
The data is also stored in the logfiles of our system. Storage of this data together with other personal data of the user does not occur.
2. LEGAL BASIS FOR DATA PROCESSING
The legal basis for the temporary storage of data and logfiles is Article 6(1)(f) GDPR.
3. PURPOSE OF DATA PROCESSING
Temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. To this end, the IP address of the user must remain stored for the duration of the session. Storage in logfiles is done to ensure the functionality of the website. Additionally, we use the data to optimize the website and ensure the security of our IT systems. Evaluation of the data for marketing purposes does not occur in this context. These purposes also constitute our legitimate interest in data processing according to Article 6(1)(f) GDPR.
4. DURATION OF STORAGE
Data will be deleted as soon as they are no longer required for the purpose of their collection. In the case of data collection for providing the website, this is when the session ends. In the case of data storage in logfiles, this is after a maximum of seven days. Further storage is possible. In this case, the IP addresses of users are deleted or anonymized, so that an association with the requesting client is no longer possible.
5. RIGHT TO OBJECT AND REMOVE
The collection of data for providing the website and the storage of data in logfiles is essential for the operation of the website. Therefore, there is no option for the user to object.
V. CONTACT FORM AND EMAIL CONTACT
1. DESCRIPTION AND SCOPE OF DATA PROCESSING
Our website includes a contact form which can be used for electronic contact. If a user uses this option, the data entered in the input mask will be transmitted to us and stored. This data includes: subject, company, salutation, first and last name, email address, phone number, and your message to us.
VI. RIGHTS OF THE DATA SUBJECT
If personal data is processed by you, you are a data subject under the GDPR, and you have the following rights against the controller:
1. RIGHT TO INFORMATION
You can request confirmation from the controller as to whether personal data concerning you is being processed. If such processing occurs, you can request information from the controller on the following:
(1) The purposes of the processing of personal data;
(2) The categories of personal data being processed;
(3) The recipients or categories of recipients to whom the personal data has been or will be disclosed;
(4) The planned duration of storage of the personal data concerning you or, if specific information is not possible, criteria for determining the storage duration;
(5) The existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
(6) The existence of a right to lodge a complaint with a supervisory authority;
(7) All available information on the source of the data if the personal data was not collected from the data subject;
(8) The existence of automated decision-making, including profiling, according to Article 22(1) and (4) GDPR, and – at least in these cases – meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject. You have the right to be informed whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you can request information about the appropriate safeguards according to Article 46 GDPR related to the transfer.
2. RIGHT TO RECTIFICATION
You have the right to rectification and/or completion from the controller if the personal data concerning you is inaccurate or incomplete. The controller must make the correction promptly.
3. RIGHT TO RESTRICT PROCESSING
Under the following conditions, you can request the restriction of processing of personal data concerning you:
(1) If you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of its use;
(3) The controller no longer needs the personal data for the purposes of processing, but you need it for the establishment, exercise, or defense of legal claims; or
(4) If you have objected to processing pursuant to Article 21(1) GDPR and it is not yet clear whether the legitimate grounds of the controller override your reasons.
If the processing of personal data concerning you has been restricted, such data – apart from storage – may only be processed with your consent or for the establishment, exercise, or defense of legal claims or to protect the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State. Before lifting the restriction, the controller will inform you.
4. RIGHT TO ERASURE
a) Obligation to Erase
You can request the controller to erase the personal data concerning you immediately, and the controller is obliged to erase such data immediately, if one of the following reasons applies:
(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;
(2) You withdraw your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for the processing;
(3) You object to the processing according to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing according to Article 21(2) GDPR;
(4) The personal data concerning you has been unlawfully processed;
(5) Erasure of the personal data concerning you is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) The personal data concerning you was collected in relation to the offer of information society services according to Article 8(1) GDPR.B) INFORMATION AN DRITTE
Hat der Verantwortliche die Sie betreffenden personenbezogenen Daten öffentlich gemacht und ist er gem. Art. 17 Abs. 1 DSGVO zu deren Löschung verpflichtet, so trifft er unter Berücksichtigung der verfügbaren Technologie und der Implementierungskosten angemessene Maßnahmen, auch technischer Art, um für die Datenverarbeitung Verantwortliche, die die personenbezogenen Daten verarbeiten, darüber zu informieren, dass Sie als betroffene Person von ihnen die Löschung aller Links zu diesen personenbezogenen Daten oder von Kopien oder Replikationen dieser personenbezogenen Daten verlangt haben.
C) EXCEPTIONS
The right to erasure does not apply where processing is necessary:
1. For the exercise of the right to freedom of expression and information;
2. To comply with a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. For reasons of public interest in the area of public health according to Art. 9(2)(h) and (i) as well as Art. 9(3) of the GDPR;
4. For purposes in the public interest related to archival, scientific, or historical research or for statistical purposes according to Art. 89(1) of the GDPR, provided that the right mentioned in section a) is likely to make the achievement of the objectives of that processing impossible or seriously impair it; or
5. For the establishment, exercise, or defense of legal claims.
5. RIGHT TO NOTIFICATION
If you have requested the correction, erasure, or restriction of processing from the controller, the controller is obliged to inform all recipients to whom your personal data has been disclosed of this correction or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed by the controller about these recipients.
6. RIGHT TO DATA PORTABILITY
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that (1) the processing is based on consent according to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract according to Art. 6(1)(b) GDPR, and (2) the processing is carried out by automated means. In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be adversely affected. The right to data portability does not apply to the processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. RIGHT TO OBJECT
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Art. 6(1)(e) or (f) GDPR; this includes profiling based on those provisions. The controller shall no longer process your personal data unless they demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this includes profiling to the extent that it is related to such direct marketing. If you object to the processing for direct marketing purposes, your personal data will no longer be processed for such purposes. You also have the option to exercise your right to object in relation to the use of information society services – notwithstanding Directive 2002/58/EC – through automated means using technical specifications.
8. RIGHT TO WITHDRAW CONSENT
You have the right to withdraw your data protection consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. AUTOMATED INDIVIDUAL DECISIONS INCLUDING PROFILING
You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision (1) is necessary for entering into or performance of a contract between you and the controller, (2) is authorized by Union or Member State laws to which the controller is subject, and these laws provide for suitable measures to safeguard your rights and freedoms and legitimate interests, or (3) is based on your explicit consent. However, such decisions must not be based on special categories of personal data under Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR applies and appropriate measures are in place to protect your rights and freedoms and legitimate interests. Regarding the cases mentioned in (1) and (3), the controller shall implement appropriate measures to safeguard your rights and freedoms and legitimate interests, including at least the right to obtain human intervention from the controller, to present your point of view, and to contest the decision.
10. RIGHT TO COMPLAIN TO A SUPERVISORY AUTHORITY
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.