Data Privacy Statement
according to Articles 13 and 14, General Data Protection Regulation (GDPR)
Responsible Party:
Georg H. Luh GmbH
Schöne Aussicht 39
65396 Walluf
Germany
Companies House Registration Wiesbaden HRB 17.501
Managing Director: Klaus Rathberger
Contact: Telephone: +49 (0) 6123 7980 or Email: office@luh.de
As of 01st May 2018
- Basic Information on Data Processing and the Legal Basis
- The objective of this data privacy statement is to inform about the type, scope and purpose of processing personal data as part of our business activities and our business-related web pages, functions and content (in the following referred to as 'Website'). This data privacy statement shall apply independently of the domains, systems, platforms and devices (e.g. desktop or mobile device) used to execute the online offer.
- With regard to the used terminology (such as 'personal data' or 'processing', we refer to the definitions in Article 4 GDPR.
- Part of the personal data processed as part of our business activities are subscriber/user data (e.g. names and addresses of contact persons), contract data (e.g. utilized services and the names of the person in charge of customer service) and recorded interests in our products and content data (e.g. user entries in the contact form).
- The term 'user' shall comprise all categories of data subjects who are affected by the data processing. This includes our business partners, customers, interested parties and miscellaneous Website visitors. The used terminology such as 'user' shall be understood as gender-neutral.
- We always comply with all relevant data privacy regulations when we process personal user data. Consequently, we process user data only when and as long as we are in possession of a legally valid permission from the user. This applies in particular when the data processing is required by law or for the execution of our contractual performance (e.g. order processing). We process user data only with permission of the user in all these instances and for the pursuit of our own legitimate interests. Our interests comprise the analysis, optimization and the economic operation as well as the security of our Website as defined by Article 6 para. 1, lit. f GDPR. We use the data to send our customers target group-specific or product-specific information. For this purpose, we collect access data and use services of third-party providers.
- We hereby state that Article 6, para. 1, lit. a GDPR are the legal basis for statements of consent; Article 6 para. 1, lit. b GDPR is the legal basis for data processing for the purpose of performing contractual duties and procedures; Article 6 para. 1, lit. c GDPR is the legal basis for the performance of our legal obligations; Article 6 para. 1 lit. f GDPR is the legal basis for data processing in pursuit of our legitimate interests.
- Security Measures
- We implement state-of-the-art organizational, contractual and technical security measures to ensure compliance with the data privacy laws and to protect the data we process from incidental or wilful manipulation, loss, destruction and from access by unauthorized persons.
- Data Transfer to Third Parties and Third-Party Providers
- Any transfer of data to third parties occurs within the confines of the law exclusively. We pass user data to third parties only if required for contractual purposes according to Article 6 para. 1, lit. b GDPR or pursuant to Article 6 para. 1, lit. f GDPR based on our legitimate interests in the economic and effective operation of our business.
- In case we engage subcontractors to provide services to customers, we will take suitable precautions as well as proper technical and organisational measures to protect the personal data as prescribed by law.
- Performance of Contractual Services
- We process user data (e.g., names and addresses and contact data of users), contract data (e.g. used services, names of contact persons and payment information) for the performance of our contractual obligations and services according to Article 6 para. 1, lit b GDPR.
- We process user data (e.g. visited web pages containing our online offers or shown user interest in our products) and content (e.g. contact form entries) and put them into a user profile. This allows us to send product information to our users, which is for example based on the prior use of our services.
- Establishing Contact with the Georg H. Luh GmbH
- When you contact us via online contact form or by email, we will process your personal information (user data). This enables us to respond to your enquiry according to Article 6, para. 1, lit. b GDPR.
- We store these user data in our Customer Relationship Management System and/or in our enterprise resource planning (ERP) system.
- We use both systems to pursue our legitimate interests (the efficient and quick response to a user enquiry). To respond efficiently, we entered into an agreement containing so-called standard provisions. In this agreement, the providers agreed to process the user data according to our instructions exclusively. They also agreed to comply fully with the EU data protection provisions
- Collecting Access Data and Log Files
- In the pursuit of our legitimate interests as specified in Article 6 para. 1, lit. f GDPR, we collect data by creating a record of every user login to our server, which handles the respective service (server log files). The access data include the name of the queried web page, the file, date and time of the query, the transmitted data volume, the notification of the successful query, the browser type and version, the operating system of the user's computer, the referring web page, the IP address and the enquiring provider.
- For security reasons (e.g. to find out about misuse or fraud), log file data are stored for no longer than seven (7) days before they are deleted. Excluded from this deletion rule are data, which are stored as evidence until the final clarification of the incident.
- Google Analytics
- To pursue our legitimate interests (i.e. interests in the analysis, optimisation and economic operation of our website as defined by Article 6 para. lit. f GDPR), we use Google Analytics, a web analysis service offered by Google Inc. ('Google'). Google uses cookies. Usually, the information on the use of the web page via the cookie is stored on a server in the USA owned by Google.
- Google is certified under the Privacy Shield Framework, thereby guaranteeing compliance with the European privacy protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information for our account to analyse the use of our Website by the users. Google will report the activities on our Website to us and perform further services in context with the Internet use. In the process, Google is able to create pseudonymous user profiles.
- We use the Google Analytics results with the IP anonymisation turned on. That means Google shortens the user IP addresses within the borders of the EU member states or in other signatory states of the European Economic Area. The transmission of the full IP address to a US server owned by Google and the truncation of the IP address on the Google server happen only as a matter of exception.
- Google receives the IP addresses from the users' browsers. Google does not mingle these IP addresses with other data on Google servers. Users are able to change the browser settings on their computers thus preventing the storage of cookies on their computers. Furthermore, the users may also prevent the collection of data relating to the use of the online offers and the downloading of cookies as well as the processing of these data by Google by installing the following browser plug-in on their computers: http://tools.google.com/dlpage/gaoptout?hl=de.
- For further information on the utilisation of your data by Google as well as information on settings and opportunities to lodge objections please visit the following Google Website: https://www.google.com/intl/de/policies/privacy/partners ('How Google uses data when you use our partners' sites or apps'), http://www.google.com/policies/technologies/ads ('How Google uses cookies in advertising'), http://www.google.de/settings/ads ('Control the Ads You See').
- Google Marketing Services: Google AdWords
- In pursuit of our legitimate interests (i.e. our interests in the analysis, optimisation and economic operation of our online offers as defined by Article 6, para. 1, lit. f GDPR), we use the marketing services (in short: Google Marketing Services') of the Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (in the following referred to as 'Google').
- Google is certified under the Privacy Shield Framework, thereby guaranteeing compliance with the European privacy protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- The Google Marketing Services enable us to target our online ads. The service presents only ads to users, which are of potential interest to the individual user.
- Google Marketing Services process user data pseudonymously. That means, Google processes the relevant, cookie-related data within the pseudonymous user profiles rather than the names or email addresses of users. From Google's point of view, Google does not send ads to identifiable persons but rather to cookie owners regardless of who these cookie owners are. This does not apply if the user has explicitly allowed Google to process his/her data without pseudonymisation. The Google Marketing Services collect information about the user. The service then transmits these data to Google for storage on Google servers in the USA.
- The Georg H. Luh GmbH uses the Google Marketing Service 'Google AdWords' for advertising purposes. In the case of AdWords, every AdWords customer receives a different 'conversion cookie'. Therefore, AdWords customers are unable to trace cookies via the websites. The information obtained with the help of cookies serves to compile conversion statistics for AdWords customers who opted for conversion tracking. AdWords customers learn about the total number of users who clicked on their ad and were directed to the page with the conversion tracking tag. However, these customers do not receive any personal information, which could be used for the identification of users.
- We are also able to use the 'Google Optimizer' service. The Google Optimizer tool allows us to track and understand the effects of changes to ad elements on a website (such as changing the form fields, the design or other elements) through so-called 'A/B testing'. Advertisers store cookies in the computers of users to enable these tests. In the analytical processes, only pseudonymous user data are used.
- Another tool that is available to us is 'Google Tag Manager'. The tool helps to integrate and manage the Google Analysis and Marketing Services in our Website.
- You find more information sources on the ways Google uses data for marketing purposes in this overview: https://www.google.com/policies/technologies/ads. Please retrieve the Google Data Privacy Statements here: https://www.google.com/policies/privacy .
- If you want to object to the use of interest-related advertising by Google Marketing Services, please use the opt-out settings published by Google here: http://www.google.com/ads/preferences.
- Newsletter/Email
- The following notes inform you about the content of our Newsletter as well as the login, distribution, the statistical analysis and your right to lodge objections. With your newsletter subscription, you consent to receiving the newsletter using the described procedure.
- Newsletter Content: Our company sends newsletters, emails and other electronic messages of advertising character (in the following referred to as 'Newsletter') only with your consent or a legal permit. To the extent that the subscription form to our Newsletter describes the content of our newsletters in realistic terms, this content shall be material for the user's consent. Regarding all else, our Newsletters contain information on our products, offers, events and our company.
- Double Opt-in and Logging: Users subscribe to our Newsletter using the so-called double opt-in procedure. That means, after your subscription using the web form, you will receive an email, in which we will ask you to confirm your subscription. This confirmation is necessary so that nobody can subscribe using somebody else's email address. We will store your Newsletter subscription to satisfy the legal requirements for mailing newsletters. The stored subscription data shall include the time of subscription as well as your IP address. We will also store changes to your subscription data with the Newsletter dispatch service.
- Dispatch Service Provider: The dispatch service CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede (Germany) will send the Newsletter to you. In the following, we will refer to the CleverReach Company as 'Dispatcher'. You find the data privacy provisions of the Dispatcher here: www.cleverreach.com/de/datenschutz/
- Furthermore, the Dispatcher may use these data for his own information to optimise the dispatch service and the representation of the Newsletter or for statistical purposes or to determine the destination country. The Dispatcher shall use the user data in pseudonymised form, i.e. without mapping the user to an IP address. However, the Dispatcher shall not use the data of our Newsletter subscribers to write to the subscribers himself and shall not pass the subscriber data to third parties.
- Login Information: Providing us with your email address is sufficient to subscribe to our Newsletter. We like to address our subscribers personally in our Newsletter. However, providing us with your name is optional.
- Data Collection for Statistical Purposes and Analyses: The Newsletters contain a 'web beacon'. The beacon is an image file. Upon opening this file, the Dispatcher's server will call up the file. In this process, the Dispatcher will first retrieve technical information followed by browser and system information, including your IP address and the time of retrieval. This information serves the technical improvement of the dispatch service. To this end, we use technical data or information on the target groups and their reading habits based on their call-up location (traceable with the help of the IP address) or the access time. The collected statistical data also let us know whether and when the user opened the Newsletter and which links the user clicked. For technical reasons, it is possible to map these data to the individual Newsletter recipients. However, neither the Dispatcher nor our company wants to watch individual users. Instead, we are interested in the reading habits of our users and want to adapt our Newsletter content to their interests and provide a variety of content.
- We hired the Dispatcher, collect and analyse statistical data and log the subscription data to satisfy our own legitimate interests pursuant to Article 6, para. 1, lit. f GDPR. We are interested in providing a user-friendly and secure Newsletter system, which meets the expectations of our customers and serves our business interests.
- Cancellation: You may cancel your Newsletter subscription at any time, i.e. you may revoke your consent to receiving the Newsletter at any time. This shall also cancel your consent to the Newsletter dispatch by the Dispatcher and the use of your data for statistical analyses. Unfortunately, the separate cancellations of the dispatch services and the statistical analysis are not feasible. If you want to cancel your Newsletter subscription, please use the link at the end of every Newsletter. In the event the user subscribed to the Newsletter only and cancels his/her subscription, we will delete all personal data.
- Users' Rights
- Upon request, users have the right to receive free information on the personal data stored about them in our database.
- Users also have the right to the correction of faulty data, to placing restriction on the use and processing of their personal data, to the deletion of their data and if applicable, to claiming their right to the portability of their data. In case the user suspects unlawful processing of his/her data, the user has the right to file a complaint with the supervisory authority (The Hessian Data Protection Representative, Postfach 3163, 65021 Wiesbaden (Germany), Email: Poststelle@datenschutz.hessen.de, Telephone: +49 (0) 6111 4080).
- Users may also revoke their consent (on principle, effective on a future date).
- Deletion of Data
- We delete stored data as soon as they no longer serve any purpose and providing we are not bound by statutory obligation to retain the data. In the event user data are not deleted because they are required for other, legally permissible purposes, we will restrict the processing of these data. In such a case, the data are blocked from processing for any purpose. For example, this applies to user data, which must be preserved for tax or business accounting reasons.
- According to statutory provisions, data are stored for six (6) years according to § 257 para. 1 HGB/German Commercial Code (trading books, inventories, opening balance sheets, annual financial statements, business letters, accounting records etc.); some data are stored for ten (10) years according to § 147 para. 1 AO/German Fiscal Code (books, documents, management reports, accounting records, business letters, documentation relevant for tax purposes etc.)
- The Right of Objection
- As prescribed by law, users may object to the future processing of their personal data at any time. Users may object in particular against the processing of their data for the purpose of direct advertising.
- Amendments to the Data Privacy Statement
- We reserve the right to amend this Data Privacy Statement to adapt it to changing legal standards or to changes in services or data processing. However, this shall apply only with regard to statements pertaining to data processing. Providing user consent is required or elements of the data privacy statement contain provisions, which are part of the contractual relationship with the users, this data privacy statement shall be amended only with the consent of the users.
- We ask the user to keep informed about the content of the data privacy statement.