As the controller, we hereby meet our own information and disclosure obligation by informing users about the nature, scope, purpose and other relevant information regarding the processing of personal data. We initially provide general information relating to all processing operations or which may constitute superordinate regulations on that account. We then provide information about individual processing operations.
With regards to the terms “personal data”, “processing”, “controller”, “data subject”, “third party” and others, we refer to the provisions of Regulation (EU) 2016/679 (GDPR) and the German Federal Data Protection Act (BDSG), in particular Art. 4 GDPR. For the term “data subject”, we also use “person concerned” or “user".
These privacy notices may be customised on certain occasions or due to regular review. We therefore recommend that you regularly read the information on this website.

Last reviewed: May 2020

A - General
1. Scope
2. Responsible authority and Data Protection Officer contact information
3. Recipient and forwarding of data
4. General criteria for determining the retention period (deletion periods)
5. Use of automated decisions in individual cases or profiling
6. Third-country processing “EU-US Privacy Shield”

B - Rights of persons concerned (data subject rights)
1. General rights of persons concerned
2. Withdrawal of consent
3. Right to object

C - Provision of online offerings and other media services
1. Provision of online offerings and web hosting
2. Information about cookies, web beacons and tracking pixels
3. Integration and use of external services from third-party providers
4. Analysis, tracking and marketing
5. Contact form

D - Online presence with social media
1. Facebook - Social network: https://www.facebook.com
2. LinkedIn - Social network: https://www.linkedin.com

E - Processing as part of our company activities
1. Processing for the provision of services and contract execution
2. Establishing contact and general communication
3. Newsletter and direct advertising
4. Web conferencing Online meetings, video / voice conferences and webinars
5. Accounting, controlling and payment processing
6. Statistics and evaluations within the scope of the business activity
7. Holding events and trade fairs
8. Taking photos and videos at events
9. Establishment, exercise or defence of legal claims

F - Applications and recruitment of employees
1. Processing of applications
2. Active recruiting – Identification of potential applicants

1. Scope
This privacy policy particularly applies to this online offering, as well as our online presences which refer to this privacy policy, including the online presence of third party providers.
Moreover, this privacy policy also applies to the further processing described here as part of our operations and activities. We refer to this privacy policy to simplify access and to comply with the requirement to ensure clarification and transparency.
For offerings from other providers that are reached through links, for example, their privacy policy is applicable.

2. Responsible authority and Data Protection Officer contact information
KRINNER Schraubfundamente GmbH
Passauer Str. 55
D-94342 Straßkirchen

Telephone: +49 9424 94 0180
Email: service(at)krinner-schraubfundamente.com

Data protection officer contact information:
By post: Postal address above with the addition “FAO Data Protection Officer”
Email: dsb(at)krinner.com

3. Recipient and forwarding of data
a) Forwarding of data
Personal data is regularly processed by us as the controller. As part of the performance of our activities, however, it may be necessary to forward or disclose personal data to third parties, in particular if, based on the aforementioned legal basis, one of the following reasons exists:

• It is necessary for the fulfilment of a contract with the person concerned or for executing steps at the request of the person concerned prior to entering into a contract (Art. 6 Para. 1 Clause 1 point b GDPR)
• The forwarding is necessary for the establishment, exercise or defence of legal claims and there is no reason to assume that the person concerned has any overriding legitimate interest in the non-forwarding of their own data (Art. 6 Para. 1 Clause 1 point. f GDPR)
• There is a legal obligation to forward the data (Art. 6 Para. 1 Clause 1 point. c GDPR)
• We have obtained a valid consent (Art. 6 Para. 1 Clause 1 point. a GDPR)

Categories of recipients within the framework of our operations and activities may include:

• Postal, telecommunications and transport services providers
• Payment and financial service providers
• Sales and business partners and other persons and companies that provide services
• Public authorities, courts, opponents, other involved parties

Apart from this, we make the person concerned aware if further recipients become involved in the individual processing operations.

b) Job processing by external service providers
To carry out our activities, we also use service providers that have been given direct instructions and are bound by these as order processors for the processing of personal data and who are also considered to be recipients of the data under the data protection regulation. Through a job processing contract, it is ensured that the processing is carried out according to our instructions, that adequate safeguards for compliance with appropriate technical and organisational measures exist and the data subject rights are guaranteed.

In general, we use service providers for the following processing purposes:

• Hosting our online offerings/websites with providers (infrastructure and platform services, computing capacity, storage space and database services)
• Care, maintenance and servicing of the online offerings/websites
• Implementation, care, maintenance and servicing of IT systems
• Document and information management, communication, contact and conferencing systems (e-mail, contacts, appointments, messenger, video conferences, etc.), The processing is also performed on servers in the USA. Compliance with European data protection standards is guaranteed by the certification of the provider by Privacy Shield (https://www.privacyshield.gov/) and/or by the EU Standard Contractual Causes.
• File and data carrier destruction

Apart from this, we make the person concerned aware if further processors are used for the individual processing.

4. General criteria for determining the retention period (deletion periods)
In general, we retain personal data as long as this is necessary for the purposes of the relevant processing, if statutory or regulatory retention periods exist or if we have a legitimate interest in the retention or if the person concerned has consented to us retaining their data.

We retain certain data in line with the following rules for the respective stated duration and erase or destroy it after the stated retention period has expired:

• 3 years: Data and content about legal transactions (including their preparation) provided that this is needed for our disclosure and defence capabilities and for the exercise or defence of any claims made. This also applies to marketing and customer care data provided that this does not fall into another category with a longer retention period.
• 6 years: Received and sent business letters (Section 257 Para. 1 No. 2 and 3, Para. 4 HGB [German Commercial Code])
• 10 years: Documents relevant for taxation, accounting records, trading books (Sections 147 Para. 1 AO [German Fiscal Code], 257 Para. 1 No. 1 and 4, Para. 4 HGB [German Commercial Code])
• 30 years: Data retained under special circumstances in our own or third-party interest, as corresponding periods of limitation or specific retention periods exist (e.g. enforcement orders, specific periods of limitation)

In this case, the start of a period for the retention period is usually the end of the calendar year in which the last event for the relevant processing took place (e.g. order, delivery, end of a contract due to expiration/cancellation, invoicing, receipt of payment).
After the expiration of the retention period, it is verified at the end of the relevant calendar year whether any further retention is required. If any circumstances arise during the retention period (e.g. contract conclusion, negotiations regarding claims, legal disputes, etc.) that result in a longer retention being necessary, these retention periods are extended accordingly.
We indicate any particularities regarding the retention period of specific processing accordingly.

5. Use of automated decisions in individual cases or profiling
Even if we use software-supported processes, our decisions towards persons are usually not only based exclusively on automated processing or a profiling as laid down in Art. 22 GDPR. If we do use a procedure such as this in an individual processing, we will inform the person concerned about this and we will also inform them about the logic, scope and desired effects.

6. Third-country processing “EU-US Privacy Shield”
The transfer of personal data to a third country is subject to certain requirements (Art. 44 et seq. GDPR). These requirements are particularly satisfied if the data protection guidelines in the relevant third country have been deemed adequate in accordance with Art. 45 GDPR or if a suitable guarantee for the adherence to a certain level of data protection can be ensured.
Suitable guarantees include in particular the completion and adherence to the requirements of the EU Standard Contractual Clauses.
The so-called “EU-US Privacy Shield” is particularly important. Providers in the USA can use this to obtain a certification that proves that they adhere to a certain level of data protection (https://www.privacyshield.gov).
With the individual processings we have an obligation to communicate and implement the particular requirements.

1. General rights of persons concerned
If a person is concerned by a processing of personal data by us (e.g. as a user of our online offerings, a customer, a point of contact, an employee or an applicant), they may exercise several rights.

• In accordance with Art. 15 GDPR, the person may request information, in particular, about whether we are processing their personal data This right to information may be restricted under certain circumstances (e.g. Section 34 BDSG [German Federal Data Protection Act])
• They may request the rectification of inaccurate personal data or the completion of any incomplete personal data retained by us in accordance with Art. 16 GDPR
• They may request the erasure of their personal data retained by us within the scope of Art. 17 GDPR
• They may request a restriction of the processing within the framework of Art. 18 GDPR
• In accordance with Art. 20 GDPR, they can obtain a copy of the personal data provided to us or they can request that it be communicated to another responsible person
• They may make use of the right to appeal to a relevant data protection supervisory authority in accordance with Art. 77 GDPR

Depending on the form (email/in writing), content and scope, with the exercising of rights of the persons concerned, we must establish certainty about their entity in order to avoid any misuse. We therefore ask that you bear in mind that we require and may request appropriate proof.
To exercise your rights, please use the contact information indicated above.

2. Withdrawal of consent
If a data processing occurs on the legal basis of a consent given, the consent can be withdrawn.

3. Right to object

With certain types of processing the right to object may be considered.

Below, we will explain the processing operations that are part of the online offerings and media services provided and offered by us.

1. Provision of online offerings and web hosting
Our online offerings are used for general communication, to offer and present information about us and to provide services and duties that we are obliged to perform contractually or as a pre-contractual measure.
Persons concerned are the users of the online offerings, interested parties, applicants, employees and contractual partners.
The legal basis for the data processing is our legitimate interest, which results from the purpose (Art. 6 Para. 1 Clause 1 point. f GDPR). Provided that online offerings are necessary for the fulfilment of a contract with the user or the performance of pre-contractual measures at the user’s request, the legal basis is also Art. 6 Para. 1 Clause 1 point. b GDPR. Only if and insofar as consent has been given, the legal basis is Art. 6 Para. 1 Clause 1 point. a GDPR.
We use a service provider for the provision (hosting) of our online offering, with whom we have entered into a contract for job processing.
We provide further information about the individual processing operations, as well as about other or additional purposes and the legal bases in the appropriate places in this privacy policy.

a) Processing server queries, server log files
Where online offerings are used, we process personal data transmitted by the user’s browser to the server with queries. In doing so, the following data is processed in order to make the relevant online offering and its services available:

• Meta and communication data of the querying computer (IP address of the querying computer and, if necessary, the proxy servers used, date and time, technical information about the query, query status/HTTP status code, transferred data quantities, data about the end device and browser used, etc.)
• User data (URL address of the querying computer and the referrer URL, the URL that the request came from)
• Content data (text, photos, videos, graphics, other data, etc.)

This data will be stored in a log file so that it can be analysed for technical problems and security holes. The log data is erased after 60 days at the latest. In duly justified exceptional cases, the data is retained longer for evidence and analysis purposes and erased once there is no longer a reason for the retention.

b) Website functions for control and provision
To provide certain options for website use, it is necessary to store cookies (s.a.) in the browser to allocate the user to a certain session. In particular, this includes functions such as login, user settings, shopping basket and selection options as well as forms.

c) External links
We also use links to offerings of other providers on our online offerings to optimise functionality and increase user-friendliness The respective provider or operator is responsible for these linked offerings. We do not have any influence on the processing. In this respect, we refer to the privacy notices of the providers of these offerings to get a corresponding idea of the processing.
It is possible that these providers collect data about users, use cookies and also embed additional tracking services from other providers. In addition, it is possible that data can be combined with the user account that users keep with a provider when they are logged into the provider’s service. If users are concerned about this then they should refrain from using the links.

2. Information about cookies, web beacons and tracking pixels
a) General information about cookies
Cookies are small files in which information retained by a website on the user’s end device can be stored. In case of a renewed query, this information is transferred to the website. Cookies are therefore very useful when it comes to the control and functioning of websites as it makes it possible to re-identify the user session, e.g. to assign login data or language settings, but also to clearly assign a shopping basket in a web-shop to a user. However, depending on how they are used, it is also possible to use cookies to observe user behaviour (“tracking”) particularly if “third party cookies” are used, as these make it possible to track a user across different websites.
Cookies have a defined lifetime after which they will be automatically erased (persistent cookies), or they will be erased when the browser session ends (session cookies).
The user can set the use of cookies in their browser by changing their browser settings so that they only accept certain cookies or so that they do not accept cookies at all. Here the user should follow the settings and information provided by the browser manufacturer. However, this may result in specific functionalities being impaired. In addition, cookies can be erased manually from the end device at any time.
We indicate if and what cookies are used for specific processing operations.

c) Purposes of cookies
Cookies can be placed in one of the following categories depending on their purpose.

Essential cookies
Essential cookies are technically necessary to enable the control and essential functions of the website. The most important functions are the settings adopted by the user, authentications (login) and the session status (session cookie).

Cookies for statistics and analysis
Using cookies for statistics and analysis makes it possible to evaluate the use of a website. They allow you to see how a website is used and where the users come from (previously visited pages, how long they spend on the page, etc.). The evaluation of the data provides insight into the user behaviour and is used to improve the content of the website and to optimise advertising campaigns.

Cookies for marketing
Marketing cookies are used to measure the reach of the website and to display optimised advertisements and content to the user based on their behaviour and interests. In addition, so-called third party cookies from partners and service providers are used. These can be used to generate interest profiles based on the information stored within, even if the user calls up another website. They then use these interest profiles to display relevant advertisements or offers. They work by being able to individually identify browsers and devices. Identification of an individual cannot be entirely ruled out here even if the profile generation is usually anonymous.

c) Legal basis for the use of cookies and “consent management”
Usually the use of cookies requires the express consent of the user (Art. 6 Para. 1 Clause 1 point. a GDPR), which is requested from the user through a “consent management” tool when they begin to use the website. This consent can be withdrawn at any time by calling up the “consent management” again. The withdrawal does not affect the legality of the processing done based on the consent given up until the time of the withdrawal.
Essential cookies do not require the users’ consent provided that they are technically necessary and there is a legal basis for their use. The legal basis depends on the functionality of the cookies.

d) Web beacons and tracking pixels
Web beacons and tracking pixels are types of content (mostly small pictures, but also other elements) that are embedded in online content like websites, but also emails, and is loaded when the aforementioned online content is queried. With these cookies, queries and actions can be tracked, e.g. with the newsletter you can see if and when it was called up.
Depending on their purpose, the same principles apply for web beacons as for cookies with regards to consent and legality.

3. Integration and use of external services from third-party providers
We use external services from other providers on our online offerings for various functions and content. Where content on our online offerings are retrieved in this context, queries made by the user’s browser are sent to the servers of the integrated web services to make the relevant functions or contents available.
This means that the users’ IP address has to be processed by the third-party provider. However, the third-party providers can also collect and process other data about the use and the usage behaviour further for statistical or marketing purposes, for example. Data that can be collected by the providers through the call-up includes:

• The public IP address of the query and, where applicable, that of the proxy server used
• The time of the query
• The URL (address) of the request and the URL from which the request was made (referrer)
• The browser used, the operating system and its interface, the language and version of the browser software

It is possible for the provider to gather and process data about the user through tracking techniques (e.g. cookies, web beacons, tracking pixels, etc.). In addition, it is possible that data can be linked to a user account if a registered user is logged into their account with the respective provider. We cannot verify the processing of the data by the third-party providers, but we refer you to the relevant privacy policies of the providers.
The legal basis for the use of services from third-party providers is our legitimate interest in the optimisation of the functionalities and presentation, the user-friendliness, the prevention of cyber-attacks and the protection of our web presence against any misuse (Art. 6 Para. 1 Clause 1 point. f GDPR). Only if and insofar as the user has given consent, the sole legal basis is Art. 6 Para. 1 Clause 1 point. a GDPR. This consent can be withdrawn at any time with effect for the future.

a) Embedding of Google fonts
In our online services, we use fonts from the “Google Fonts” service provided by Google which are directly loaded up on our website when our website is called up by the browser of the user.
In this context, data may also be processed in the USA, a third country. Google guarantees compliance with an adequate level of data protection, also when processing data in the USA, with its certification in accordance with the “EU-US Privacy Shield”: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
USA Headquarters: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy policy: https://policies.google.com/privacy

b) Embedding of Google Maps
In our online offerings we use the service “Google Maps” provided by Google to display location data and to enable route planning where appropriate. The connection established in this way (link) can be used by Google to determine the website, from which the query was sent, and the IP address to which the directions are to be transmitted. The user’s location can also be determined if this is consented to.
In this context, data may also be processed in the USA, a third country. Google guarantees compliance with an adequate level of data protection, also when processing data in the USA, with its certification in accordance with the “EU-US Privacy Shield”: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
USA Headquarters: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy policy: https://policies.google.com/privacy

c) Embedding of YouTube videos with extended data protection
We use the service YouTube provided by Google to embed video content in our online offerings or to link to video content. In this context we use the “extended data protection mode”. According to the information given by the provider, the data is only transferred to the provider when the video starts so that the video can be played through our online offerings.
In this context, data may also be processed in the USA, a third country. Google guarantees compliance with an adequate level of data protection, also when processing data in the USA, with its certification in accordance with the “EU-US Privacy Shield”: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
USA Headquarters: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy policy: https://policies.google.com/privacy

4. Analysis, tracking and marketing
a) Analysis and evaluation of the user behaviour
We use an analysis tool (Matomo) on our online services to evaluate and analyse the user behaviour and to analyse any errors. Visited content, used elements and technical information transferred as part of the page call up (masked IP address, browser, location, etc.) is stored and evaluated in order to gain an insight into user behaviour; user interest and user type so that we can optimise our content.
The data is not processed to clearly identify individuals. In particular, the IP address is masked before being stored which means that the user can no longer be identified (anonymised).
We are solely responsible for the operation and provision of the analysis tools and there is no transfer of data to third parties required.
The legal basis for the processing is our legitimate interest, which results from the aforementioned purpose (Art. 6 Para. 1 Clause 1 point. f GDPR).
You can withdraw your consent to this use by clicking on the following link. A cookie will be used and the web analysis will no longer be performed as long as the cookie is not erased (opt-out).

b) Use of Google Analytics
We use the service “Google Analytics” provided by Google for the evaluation and analysis of the use of our website, as well as for the optimisation of our online offerings. In addition, cookies (s.a.) and other similar procedures which make the users’ use of the online offerings transparent and analysable are used. As a general rule, the information collected about the website user, like browser type/version, operating system used, referrer URL (the previously visited page), host name of the end device, IP address, time of the server query, is transferred to a Google server in the USA for further processing and is stored there. The processing of the created profile data is also regularly done on Google servers in the USA.
The IP anonymisation function is activated, whereby the IP address of the user is usually shortened before being transferred and stored when the website is used in one of the EU member states or one of the other states that is a signatory to the Agreement on the European Economic Area. The IP address is only transferred in its long form and shortened after the transfer in exceptional cases.
The “demographic characteristics” function is used. With this the age, gender and interests of the page visitors can be evaluated using the available data from Google. This data cannot be assigned to any specific individual.
The collected data is always erased after 14 months.
The use of Google Analytics is only done with the express consent of the user (legal basis: Art. 6 Para. 1 Clause 1 point. a GDPR). This consent can be withdrawn at any time by simply calling-up the “consent management” again on this website and withdrawing the changes to the settings. The legality of the processing up until the withdrawal of consent remains unaffected.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

We are jointly liable for the processing along with the service provider in data protection terms. We have entered into the required data protection agreements with the service provider. For more information and other uses of the data by Google we refer you to the links below which will redirect you to the relevant information from the service provider.
Data may also be processed in the USA, a third country. Google guarantees compliance with an adequate level of data protection, also when processing data in the USA, with its certification in accordance with the “EU-US Privacy Shield”: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

Privacy policy of the provider: https://policies.google.com/privacy
Information about Google Analytics: https://support.google.com/analytics/answer/6004245
Settings for personalised advertising (users with Google accounts):  https://adssettings.google.com/authenticated

5. Contact form, request form
If you contact us through the provided contact form, we store and process the provided contact information and the information and contents sent to us as part of the establishment of contact so that we can reply to your enquiry.
If you send an inquiry using the request form for specialist companies, we pass on the information provided (contact information and information to the project) on to this specialist company. They will contact you directly.
If you have made a corresponding request, we perform the processing as part of the pre-contractual measures (legal basis Art. 6 Para. 1 Clause 1 point. b GDPR). Additionally, we have a legitimate interest in both responding to requests to or about us and our services and processing data to this end (legal basis Art. 6 Para. 1 Clause 1 point. f GDPR).
With regard to the forwarding of requests to partners, due to the circumstances and information on the form, the forwarding is not only to be expected, but is in the interest of the requesting party.
We erase any data related to this in accordance with our criteria for the retention duration.

6. registration / User setup
On our website, we provide the option of registering / setting up a user account for authentication in order to provide proprietary content or downloads, in particular for our contractual partners and the specialist trade or their contact persons. A registration will only be established on the basis of our invitation or on request with our consent.
The following data is collected when setting up or registering an unser account and while using it: name, email, contact, password (encrypted), technical meta and log data (e.g. device information, IP addresses, log-in date).
The processing takes place within the framework of contractual measures (legal basis Art. 6 Para. 1 Clause 1 b GDPR) or the legitimate interest to only provide information to certain addressees (Art. 6 Para. 1 Clause 1 lit. f GDPR). 
We delete the data in this context in accordance with our criteria for the storage period.

For the purposes of communication with our customers, suppliers and parties interested in our company, as well as for public relations work, representation and information about out services, we maintain an online presence on the platforms of social media providers.
The interests of social media providers usually lies in using the user data to create user profiles and evaluate user behaviour. This data is in turn used for market research and advertising purposes. Cookies are regularly stored on the users’ end devices for this purpose. In addition, user data can be assigned to the relevant profiles if the user is also a member of the social media platform and is regularly logged in there.
The following types of data are processed as part of this: Name, contact information (address, email, telephone), authentication information, content data (video, audio, text), usage data (e.g. visited web pages, interest in contents, access times), technical meta and log data (e.g. device information, IP addresses).
We are jointly liable for data protection along with the social media providers. We do not have direct access to the providers’ data. We would like to point out that it is possible to exercise data subject rights (s.a.) against us and against the provider. It is significantly more efficient to exercise data subject rights against the individual providers listed below. Along with the contact information, you can also find additional links to information about the providers, particularly their privacy policies.
The legal basis for the processing is Art. 6 Para. 1 Clause 1 point. f GDPR, provided that the interest results from the aforementioned purposes. Only if and insofar the necessary consent for processing has been given, the legal basis is Art. 6 Para. 1 Clause 1 point. a GDPR.
The data processed by us is erased immediately after the processing purpose ceases to exist. With regards to the duration of the retention of the data on the respective social networks, we refer you to the respective privacy policies.
Most social media providers are based in a third country outside of the EU. Information about suitable guarantees for ensuring a suitable level of data protection are given below, particularly the certification within the framework of the Privacy Shield (https://www.privacyshield.gov).

1. Facebook – Social Network https://www.facebook.com

EU provider: Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland

Privacy policy: https://www.facebook.com/about/privacy
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
Customisation of ad settings in the user account: : https://www.facebook.com/settings?tab=ads
Objection: https://www.facebook.com/help/contact/2061665240770586

2. LinkedIn – Social Network: https://www.linkedin.com

Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active
Deactivation of cookies: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Below we have provided some information about the processing that we perform as part of our company’s activities and that we also indicate in the corresponding places

1. Processing for the provision of services and contract execution
We process your data or data belonging to the relevant points of contact or contact persons (persons concerned) to render our services to contracting parties and customers, as well as any pre-contractual services based on requests received from interested parties. It is not possible to render services without the necessary data.
Categories of processed data include:

• Personal master data (first names, surname, name affixes, occupation)
• Contact data (company, address, phone numbers, email address)
• Payment information (bank details, information on payment processors)
• Data about contract contents and on contract processing and implementation

We use different service providers as part of our provision of services to whom the respective necessary data is forwarded or disclosed, in particular for the delivery of goods and processing of payments. In addition, data may be transmitted or disclosed to other third parties if this is necessary for the provision of services (e.g. installation, etc.).
The retention period of the data depends on our criteria for determining the retention period. The legal basis of the processing is Art. 6 Para. 1 Clause 1 point. b GDPR.

2. Establishing contact and general communication
If persons (persons concerned) contact us (e.g. in person, through the contact form, by email, phone or even via social media), we store and process the contact information that they provide (in particular, name, address, email address, phone number) and the information and contents transmitted in connection with the contact so that we can respond to their request. The same applies if you provide us with information about yourself during events, at trade fairs or on any other occasion where contact was established (e.g. business card, entry on a mailing list, etc.)
We will erase the data produced in this context once its retention is no longer necessary in accordance with our retention duration criteria.
Where this is an appropriate request by the person concerned, we perform the processing as part of the pre-contractual measures (legal basis Art. 6 Para. 1 Clause 1 point. b GDPR). Otherwise, we have a legitimate interest in both responding to requests to or about us and our services and establishing and cultivating business contacts and processing data to this end (legal basis Art. 6 Para. 1 Clause 1 point. f GDPR).
Only if and insofar as consent has been given in individual cases, the legal basis is Art. 6 Para. 1 Clause 1 point. a GDPR. Consent can be withdrawn at any time with effect for the future, but the legality of any processing up until the moment of withdrawal remains unaffected.

3. Newsletter and direct advertising
We send newsletters and direct advertising (newsletter) to interested parties and, where appropriate, existing customers, in accordance with the applicable legal requirements. The newsletter contains information about new developments in our operating environment and information about our services and products. It is sent at regular intervals and also when needed if there is important information to share.
We only need an email address to send the newsletter. The entry of other selected information is optional and is used so that we can address the newsletter personally and possibly only send information about topics that the concerned person is interested in.
For the newsletter sign up, we use a double-opt-in procedure: After signing up with an email address, we send an email to the address to confirm the registration. This is usually done by using a link in the email. If the registration is not completed within 24 hours, the information is locked and then automatically erased after one month. We store the IP addresses and time of the sign up and confirmation, as well as a potential unsubscription for a duration of 3 years in order to prove this and to be able to clarify any possible misuse of personal data if needed.
When registering and unsubscribing and confirming the registration (opt-in), forms of the "MailChimp" website are used as our newsletter service provider. With regard to the privacy policy of the provider, we refer to the information below.
We evaluate user behaviour with the newsletter so that we can identify the reading habits and interests of our users and adjust our content accordingly. Here the links used and the opening and reading of the newsletter will be evaluated with pseudonyms, as such this information will not be assigned to any specific user profile. Here, web beacons and tracking pixels (s.a.), as well as special links are used.
With an express subscription to the newsletter, the legal basis is the consent in accordance with Art. 6 Para. 1 Clause 1 point. a GDPR.
When the newsletter is sent to existing customers, the legal base is our legitimate interest in advertising (Art. 6 Para. 1 Clause 1 point. f GDPR).

After an unsubscription (revocation/objection), the email address concerned will be stored on a “blacklist” in order to make sure that the user is not sent the newsletter again in the future. The legal basis is the legitimate interest resulting from this (Art. 6 Para. 1 Clause 1 point. f GDPR).

Newsletter service provider: Mailchimp – Platform for email marketing
We use a provider in the USA as a service provider under the scope of a job processing for the management, evaluation and sending of the newsletter.
Data may also be processed in the USA, a third country. The provider guarantees compliance with an adequate level of data protection, also when processing data in the USA, with its certification in accordance with the “EU-US Privacy Shield”: https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active

Provider: "Mailchimp" https://mailchimp.com - Rocket Science Group, LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA
Privacy policy: https://mailchimp.com/legal/privacy
Agreement on data processing: https://mailchimp.com/legal/data-processing-addendum/

4. Web conferencing Online meetings, video / voice conferences and webinars
We run web conferences as part of our provision of services, as well as for internal and external company communication. The following types of data are processed as part of this: Name, contact information, authentication, technical meta and log data, content data (video, audio, text).
The communications of participants are not usually permanently stored. With webinars, or provided that all participants expressly give their consent, the content data may be recorded.
Recipients are other participants that are needed for the execution and service providers that have been contracted for the execution. Text content (chats and comments) is recorded during certain webinars which are to be recorded or events which are aimed at a public target group, but this recording is announced beforehand. These recordings may be passed on to a certain or public circle of users.
A transmission of personal data to third parties is only done provided that and insofar as it is obviously intended for this, and it is particularly sent to other participants. The participants details must therefore not be their actual personal details, unless this information is required for their participation.
Please be aware that content from “online meetings” and personal meetings is commonly used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on "in the context of the online meeting".
For the preparation, planning, execution and subsequent work (participant confirmation, analysis), we use other providers as job processors so that we can provide these services in a safe, efficient and practical manner. However, we remain responsible for the processing (unless an internet page of a provider is called up, then they are responsible for the processing of this data; a call up on the internet page is only required if a registration needs to be done or if software needs to be downloaded).
The legal basis is the provision of services within the framework of a contractual relationship Art. 6 Para. 1 Clause 1 point. b GDPR; otherwise the legal basis is Art. 6 Para. 1 Clause 1 point. f GDPR, whereby our interest results from the above-mentioned purpose and the advantages connected with this, such as efficiency and resource conservation.

Services for running video conferences:

• Microsoft Teams:
  Provider: Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA
  Representative: Microsoft Ireland Operations, Ltd., Attn: Data Protection, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
  Privacy policy: https://privacy.microsoft.com/de-de/privacystatement
  Processing:http://www.microsoftvolumelicensing.com/Downloader.aspx?documenttype=OST&lang=German
  
  The service provider is based in a third country (USA), but guarantees the processing on servers within Europe. The protection level of European data protection rights is guaranteed as the EU Standard Contractual Clauses must also be agreed upon in addition to the agreements for the job processing. In addition, the provider is certified in accordance with the Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active

5. Accounting, controlling and payment processing

We process the data of customers, suppliers, service providers, applicants, employees, freelancers and others with whom processes subject to documentation exist or with their points of contact to comply with our legal and contractual obligations as part of our accounting obligations, management control requirements and the handling of payments.

Categories of processed data include:

• Personal master data (first names, surname, name affixes, occupation)
• Contact data (address, phone numbers, email address)
• Contract data which contains the facts of the case
• Payment messaging data and information (bank details, information about payment processors)

We also use service providers as job processors to perform the accounting tasks as part of the processing. In addition, data may be transmitted or disclosed to other third parties if this is necessary to implement the processing or for applicable monitoring purposes to ensure a proper processing (e.g. tax office, tax advisor, public authorities, auditors, lawyers).
With regards to payment processing, the data required for this specific purpose is passed on to the respective payment service provider (banks, payment service providers, etc.).
The retention period of the data depends on our criteria for determining the retention period.
The legal basis for the processing is the applicable legal regulations (Art. 6 Para. 1 Clause 1 point. c GDPR) relating to the compliance with our accounting and financial statement obligations, to ensuring a proper business operation and to ensuring the continued existence of the company, as well as the processing within the framework of contractual relationships (Art. 6 Para. 1 Clause 1 point. b GDPR).

6. Statistics and evaluations within the scope of the business activity
The testing of measures, their effectiveness and results within the scope of our business activity is necessary for our internal controls in order to avert any potential damages from other companies in a timely manner. For this purpose, statistics and evaluations for all our areas of activity are created using the available data. Here personal data is also processed, provided that this is needed for the aforementioned purpose. However, this data will be allocated a pseudonym or it will be made anonymous, provided that this is possible. In particular, a categorisation of data will be used so that an identification of individuals is usually no longer possible.
Persons concerned and data categories used correspond to those which are needed for accounting, controlling and payment processing purposes.
The retention period is determined using the criteria for the retention duration.
The legal basis for the processing is Art. 6 Para. 1 Clause 1 point f GDPR, if the legitimate interests are a result of the purpose. The legal provisions regarding the evaluations, Art. 6 Para. 1 Clause 1 point c GDPR, also come into consideration here.

7. Holding events and trade fairs
For the planning, organisation and execution of events we process names, addresses, contact information (email, telephone) and information about the occupation of participants (exhibitors, visitors) and their contact persons.
We also use other service providers for the planning, organisation and execution within the framework of a processing. In addition, data is passed on to the operators of event venues and organisers provided that and insofar as this is necessary for the running of the event (e.g. registration).
The legal basis for the processing is Art. 6 Para. 1 Clause 1 point. b GDPR, for the execution of the contractual obligations within the framework of the event, as well as our legitimate interest in the effective and high-profile execution of the event (Art. 6 Para. 1 Clause 1 point. f GDPR).
The contact information of exhibitors and their contact persons, where necessary, is published in the list of exhibitors and the event plan. This is done due to our legitimate interest in the running of the event and due to the marketing interests of the exhibitors themselves (Art. 6 Para. 1 Clause 1 point. f GDPR) or, as the case may be, due to any contractual obligations we have with the exhibitors with regards to the publication of information (Art. 6 Para. 1 Clause 1 point. b GDPR).

8. Taking photos and videos at events
At meetings, events, trade fairs and other public occasions, we make film recordings and/or take photographs (recordings) of participants or people present (person concerned) for publicity, company presentation and documentation purposes. The recordings may be published on our homepage, on our social media channels, in our newsletter and in printed media or they may be passed on to the press for any of the above-mentioned purposes.
We will take into consideration the wish of individuals to not be recorded, provided that they express this or make this clearly known to us. To do this, they should make a clear sign to the camera operator or photographer, indicating that they do not want to be recorded, or they should speak to them – even after a possible recording has been made.
Recordings are erased or an erasure is arranged accordingly if it is clearly or presumable not wanted by the person concerned (for example with unfavourable poses or if there is a risk that the recording could be misinterpreted). This particularly applies if situations are represented in a way that could discredit the person concerned or if there is a risk of discrimination, as well as if information about the private sphere of the person concerned may have been recorded.
If the recordings allow any conclusions to be drawn about certain categories of data within the meaning of Art. 9 Para. 1 GDPR, the recordings will only be used if the person concerned has made this information public themselves (e.g. by wearing badges, etc.).
The recordings are erased if the purpose that they were stored for no longer exists. The length of the retention duration can vary between recordings, as certain recordings may be of great interest for archiving purposes.
We may, under certain circumstances, use service providers to prepare the recordings or may acquire recordings from them.
We have a legitimate interest in the processing of film and photo recordings for publicity work and for the documentation and illustration of the mentioned activities.
This means photographs and videos will usually be taken at events and then processed for the required purposes. We will point this out accordingly on invitations and at the events (legal basis Art. 6 Para. 1 Clause 1 point. f GDPR).

Concerned persons can object to the use of the recordings in accordance with Art. 21 GDPR (s.a. right to object).

9. Establishment, exercise or defence of legal claims
When necessary for the establishment, exercise or defence of legal claims, we process the data of the persons involved. This may also result in a change in the relevant purpose of the processing of the personal data.
In this context, data subjects may include:

• Customers, suppliers, interested parties, employees, service providers, public authorities
• Other claimants or opponents
• Contact persons, representatives or agents of the persons mentioned above

In this process, the following categories of data may come into consideration if necessary in a particular case:

• Personal master data (first names, surname, name affixes, date of birth)
• Contact data (addresses, phone numbers, email address)
• Documents, information and data required for the specific purpose
• Special categories of personal data, provided that and insofar as they are required to establish the claims

Depending on the nature of the facts, recipients involved in the processing may include different public authorities, companies or even service providers:

• Service providers to enforce claims (e.g. lawyers, surveyors, collection agencies, etc.)
• Public authorities and courts
• Opponents

Where data is used for the establishment, exercise or defence of legal claims, the relevant retention period may be extended up to the final completion of the procedure, including the relevant enforcement, so as to not jeopardise the achievement of the purpose. If the result is an executable right, the retention period is extended up to 30 years.
The legal basis for the processing is Art. 6 Para. 1 Clause 1 point. f GDPR; Section 24 Para. 1 No. 2 BDSG [German Federal Data Protection Act]. Our legitimate interest is the establishment, exercise or defence of legal claims. With regards to a potentially necessary processing of special categories of personal data the following laws apply; Art. 9 Para. 2 point. f GDPR; Section 24 Para. 2 BDSG [German Federal Data Protection Act].

1. Processing of applications
We process applicant data so that we can carry out the application process. For this, we process the following categories of data:

• Personal master data (first names, surname, name affixes, date of birth, marital status, etc.)
• Contact data (private address, phone numbers, email address)
• Suitability data (information about knowledge and skills, qualifications, assessments)
• Required work permit and residence permit
• Health information, if this is necessary for the performance of a specific activity or if indicated by the applicant for other reasons
• Communication and recording of conversation contents and interviews
• Information freely provided by the person concerned

In principle, the data is collected directly from the applicants during the application process through application documents, interviews, potential suitability tests and questionnaires. However, we also use job fairs and job placements
In addition, we use admissibly collected data made accessible by the persons concerned through publicly accessible sources for professional self-presentation and professional exchange, in particular on platforms such as XING or LinkedIn.
The data is exclusively used to fill the specifically advertised position or for the activities that the person concerned also applied for. We will also consider the application for other positions or activities and will forward the data to other affiliated companies only if the person concerned has given us their express consent to do so. Where necessary, we will ask the persons concerned for their consent. This consent can be withdrawn at any time with effect for the future. If it is not given, this will not have any impact on the application process.
The data is only processed within the company by the bodies and persons required as part of the processing (e.g. executive management, HR department, specialised department). In some cases, we involve other service providers in the application process. If applicant data is processed by these service providers (e.g. recruitment consultants), this is only done as part of a job processing operation.
If no employment relationship is entered into, application documents are erased 6 months after the completion of the application procedure. If a corresponding consent for a longer retention period has been given to us, the data is erased after the expiration of this period at the latest.
If an employment relationship is entered into, the data is then transferred to the personnel file. We provide separate information about processing as part of the employment relationship.
We use the platform of an instruction-bound service provider for application management within the scope of a job processing:

https://krinnerschraubfundamente.recruitee.com/

Platform provider: Recruitee B.V. ("Recruitee"), Keizersgracht 313, 1016EE, Amsterdam, Netherlands

The legal basis for the required processing of applications within the framework of a possible creation of an employment relationship is Section 26 BDSG [German Federal Data Protection Act]; Art. 6 Para. 1 Clause 1 point. b GDPR)

Provided that and insofar as we have been given consent to pass on the data or store it for a longer period of time, the legal basis is Art. 6 Para. 1 Clause 1 point. a GDPR; Section 26 Para. 2 BDSG [German Federal Data Protection Act].

2. Active recruiting – Identification of potential applicants
We process the data of persons that was made accessible by them in publicly accessible sources for professional self-presentation and professional exchange, in particular on platforms such as XING or LinkedIn, to bring our company to the attention of potentially interested parties (persons concerned) and, where appropriate, to motivate them to apply for a position with us.
If any persons appear particularly suitable when looking through this data and if it is apparent that the person may want to be contacted for an adequate job offer, we contact the person.
In doing so, we process the following categories of data, provided that and insofar as it is listed by the data subject on the aforementioned platforms:

• Personal master data (first names, surname, name affixes, date of birth/age)
• Contact data (private address, phone numbers, email address)
• Suitability data (information about knowledge and skills, qualifications, assessments)
• Information freely provided by the person concerned

The data is only processed within the company by the bodies and persons required as part of the processing (e.g. executive management, HR department, specialised department). If we involve third parties in the processing and if the data of data subjects is processed by them (e.g. recruitment consultants), this is only done within the scope of a job processing contract.
If no reply is received from the data subject, the data is erased after 6 months at the latest. When going through our application procedure, we refer to the relevant privacy policies about the processing involved.
The legal basis for the processing is Art. 6 Para. 1 Clause 1 point. f GDPR. Our legitimate interest is hiring suitable employees for the company.