Data Protection Policy

Data protection statement pursuant to the GDPR, applicable from 25 May 2018

 

I.  Name and address of the controller

The controller within the meaning of the General Data Protection Regulation, other Member State national data protection laws and other provisions under data protection law is:

Sihl GmbH
Kreuzauer Str. 33
52355 Düren
Germany
Tel.: 02421 597 0
Email: info@sihl.com
Website: www.sihl.com

II.  Name and address of the data protection officer

The controller’s data protection officer is:

Dragan Stanković
ido stanković
Lütticher Str. 7
52064 Aachen
Germany
Tel.: 0241 590336 0
Email: info@ido-stankovic.de
Website: www.ido-stankovic.de

III.  General information on data processing

1. Scope of the processing of personal data

We process our users’ personal data only to the extent that this is required to provide a functional website and our content and services. Our users’ personal data is usually only processed with the user’s consent. An exception applies in those cases where it is not possible to obtain consent in advance for practical reasons or the processing of data is permitted in accordance with statutory provisions.

2. Legal basis for the processing of personal data

If we obtain consent from the data subject for processing, the legal basis is Article 6(1)(a) of the EU General Data Protection Regulation (GDPR).

If the processing of personal data is required to perform a contract to which the data subject is a party, the legal basis is Article 6(1)(b) GDPR. This also applies to processing required to implement pre-contractual measures.

If personal data has to be processed to comply with a legal obligation to which our company is subject, the legal basis is Article 6(1)(c) GDPR.

If the data subject’s or another natural person’s vital interests necessitate the processing of personal data, the legal basis is Article 6(1)(d) GDPR.

If processing is necessary to safeguard our company’s or a third party’s legitimate interest and if the interests, fundamental rights and freedoms of the data subject do not override the former interest, the legal basis for the processing is Article 6(1)(f) GDPR.

3. Data deletion and storage period

The data subject’s personal data is deleted or blocked once the purpose of storage no longer applies. After this, data may be stored where the European or national legislator provides for this in Union regulations, laws or other provisions to which the controller is subject. Data is also blocked or deleted if a storage period prescribed by the standards mentioned expires, unless it is necessary to continue to store the data for conclusion of a contract or for performance of a contract.

IV.  Provision of the website and creation of log files

1. Description and scope of data processing

Every time our website is accessed, our system automatically records data and information from the requesting computer’s system.

The following data is collected in the process:

  • Information on the browser type and the version used
  • The user’s operating system
  • The user’s internet service provider
  • The user’s IP address
  • Date and time of access
  • Websites from which the user’s system reaches our website
  • Websites that the user’s system accesses via our website

The data is also stored in our system’s log files. This data is not stored together with the user’s other personal data.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.

3. Purpose of data processing

The system has to store the IP address temporarily to allow the website to be delivered to the user’s computer. To this end, the user’s IP address must be stored for the duration of the session.

Storage in log files serves to ensure the functionality of the website. We also use the data to improve the website and to guarantee the security of our IT systems. The data is not evaluated for marketing purposes in this context.

Our legitimate interest in data processing pursuant to Article 6(1)(f) GDPR also lies in these purposes.

4. Storage period

Data is deleted once it is no longer required to achieve the purpose of its collection. Where data is recorded in order to provide the website, this is the case when the relevant session ends.

Where data is stored in log files, this is the case after a maximum of thirty days. Further storage is permitted. In such cases, users’ IP addresses will be deleted or distorted such that the data can no longer be assigned to the requesting client.

5. Opportunity to object and delete

The recording of data to provide the website, and the storage of data in log files, is required to operate the website. The user therefore does not have an opportunity to object.

V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored on the internet browser or on the user’s computer system by the internet browser. If a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a string that allows the browser to be identified clearly when the website is accessed again.

We use cookies to make our website more user-friendly. For some website elements, it must be possible to identify the requesting browser even after the user has moved to a different page.

The following data is stored and transmitted in the cookies:

  • Website settings
  • Session ID
2. Legal basis for data processing

The legal basis for the processing of personal data using cookies is Article 6(1)(f) GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to make it easier for users to use websites. Some functions on our website cannot be offered if cookies are not used. For these, it must be possible to recognise the browser even after the user has moved to a different page.

We require cookies for the following applications:

  • Adopting language and view settings
  • Remembering search terms
  • Storing login details

The user data collected by technically necessary cookies is not used to create user profiles.

Our legitimate interest in the processing of personal data pursuant to Article 6(1)(f) GDPR also lies in these purposes.

4. Storage period, opportunity to object and delete

Cookies are stored on the user’s computer and transmitted to our website from there. Therefore, as a user you have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by amending the settings on your internet browser. You can delete stored cookies at any time. This can also be done automatically. If cookies are deactivated for our website, users may not be able to use all of the website’s functions in full.

VI.  Newsletter

1. Description and scope of data processing

Users can sign up for a free newsletter on our website. The data from the input screen is transmitted to us in the newsletter registration process. On a voluntary basis, we may record data on the extended input screen relating to the interested party’s company, industry and interests.

The following data is also collected on registration:

  • IP address of the requesting computer
  • Date and time of registration

Your consent to the processing of data is obtained and reference is made to this data protection statement and the information obligations in the registration process.

If you purchase goods or services from us and provide your email address in the process, we may subsequently use it to send newsletters. In such a case, the newsletter will only be used for purposes of directly advertising similar own goods or services.

Data is passed on within the group, but not to third parties, in connection with data processing for the provision of newsletters. The data is used exclusively to send newsletters.

We use newsletter tracking to improve our services. For this purpose, we use a uniform link for all users and collect statistical data on users’ interest in our portfolio with no personal reference.

2. Legal basis for data processing

The legal basis for processing data once the user has signed up for the newsletter is Article 6(1)(a) GDPR if the user grants consent.

The legal basis for passing on data within the group for purposes of sending newsletters is the particular interest of third parties pursuant to Article 6(1)(f) GDPR.

The legal basis for newsletter tracking is Article 6(1)(f).
The legal basis for sending the newsletter following the sale of goods or services is Section 7(3) of the German Unfair Competition Act (UWG).

3. Purpose of data processing

The user’s email address is collected for purposes of sending the newsletter.

Other personal data is collected in the registration process in order to prevent abuse of the services or the email address used. The other data is also used to tailor the newsletter to the data subject’s needs.

4. Storage period

Data is deleted once it is no longer required to achieve the purpose of its collection. The user’s email address is therefore stored as long as the user remains subscribed to the newsletter.

The other personal data collected in the registration process is usually deleted with the email address.

5. Opportunity to object and delete

The user may unsubscribe from the newsletter at any time. A link is provided in each newsletter for this purpose.

This link can also be used to withdraw consent to the storage of the personal data collected in the registration process.

VII. Contact form and email contact

1. Description and scope of data processing

There is a contact form on our website that can be used to contact us electronically. If the user makes use of this option, the data entered on the input screen is transmitted to us and stored.

Users can also contact us using the email addresses provided. Users’ personal data transmitted with the email is also stored in such cases.

If another company in the group is responsible in this respect, the data will be passed on to third parties within the group. The data is used exclusively to process the conversation.

2. Legal basis for data processing

The legal basis for processing the data transmitted in the course of sending an email is Article 6(1)(f) GDPR. If the purpose of the email contact is to conclude a contract, the additional legal basis for processing is Article 6(1)(b) GDPR.

If the query is forwarded within the group, the legal basis is Article 6(1)(f) GDPR.

3. Purpose of data processing

The personal data from the input screen is processed solely to process the communication. If contact is made by email, this also constitutes the required legitimate interest in the processing of data.

4. Storage period

Data is deleted once it is no longer required to achieve the purpose of its collection. For personal data transmitted by email, this is the case when the relevant conversation with the user has ended. The conversation has ended when it is evident from the circumstances that the relevant matter has definitively been dealt with.

The personal data additionally collected in the transmission process is deleted after no more than seven days.

5. Opportunity to object and delete

Users are free at all times to withdraw their consent to the processing of personal data. The conversation cannot be continued in such cases.

Users may withdraw their consent using the same email address or by letter in writing.

All personal data stored in the course of communication is deleted in this case.

VIII.  Application form

1. Description and scope of data processing

There is an application form on our website that can be used for electronic applications. If the user makes use of this option, the data entered on the input screen is transmitted to us and stored. This data includes:

  • Name
  • Contact details
  • Desired position
  • Professional qualifications
  • Work experience
  • Curriculum vitae
  • Photograph

The following data is also stored when the message is sent:

  • Date and time of application

Your consent to the processing of data is obtained and reference is made to this data protection statement and the information obligations in the transmission process.

2.  Legal basis for data processing

The legal basis for processing data is Article 6(1)(a) GDPR if the user grants consent. The legal basis for the initiation and establishment of an employment relationship is Section 26(1) of the new version of the Federal Data Protection Act (BDSG n.F.).

3. Purpose of data processing

The personal data from the application form is processed solely to execute the application process.

The other personal data processed in the transmission process serves to prevent abuse of the application form and to guarantee the security of our IT systems.

4. Storage period

If the applicant is rejected, we will store the personal data for a further two months following receipt of the rejection in accordance with Section 15(4) of the General Equal Treatment Act (AGG).

If applicants are interested in future vacancies, they can grant us consent to store the applicant data in accordance with Article 6(1)(a) GDPR until it is withdrawn.

If an employment relationship is established, the data will continue to be used in accordance with Section 26(1) BDSG n.F.

5. Opportunity to object and delete

Applicants may at any time object to the processing of their personal data, unless an employment relationship is established. We will delete the data without delay. In such a case, it is no longer possible to consider the applicant in the application process from this point.

 IX. Web analysis by Google Analytics

1. Description of the processing of personal data

We use Google Analytics, a web analysis service provided by Google Inc. (‘Google’). Google uses cookies. The information generated by the cookie about users’ use of the website is usually transmitted to and stored on a Google server in the US.

We only use Google Analytics with activated IP anonymisation. This means that Google will abbreviate users’ IP addresses within Member States of the European Union and in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the entire IP address transmitted to a Google server in the US and abbreviated there. The IP address transmitted from the user’s browser is not combined with other data held by Google.

Further information on Google’s use of data for advertising purposes, settings options and opportunities to object can be found on Google’s websites: https://www.google.com/intl/de/policies/privacy/partners/ (‘How Google uses data when you use our partners’ sites or apps’), http://www.google.com/policies/technologies/ads (‘Data use for advertising purposes’), http://www.google.de/settings/ads (‘Control the information Google uses to show you ads’) and http://www.google.com/ads/preferences/ (‘Take control of your Google ads experience’).

Further information on the terms of use and data protection can be found at https://www.google.com/analytics/terms/de.html.

2. Legal basis for the processing of personal data

The legal basis for the use of Google Analytics is Section 15(3) of the German Telemedia Act (TMG) and Article 6(1)(f) GDPR.

3. Purpose of data processing

Google uses this information on our instruction to analyse users’ use of our website, to compile reports on website activities, and to perform for us other services associated with website use and internet use. In this context, pseudonymous user profiles may be created for users using the processed data.

4. Storage period

The data we transmit and the data linked to cookies, user IDs or advertising IDs is automatically deleted after 14 months. Once its retention period ends, data is deleted automatically once a month.

5. Opportunity to object and delete

Users can prevent the storage of cookies using the corresponding setting on their browser software and can also prevent Google from collecting data generated by the cookie and relating to their use of the website and from processing this data by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

 X.  Google reCAPTCHA

1. Description of the processing of personal data

We use Google reCAPTCHA (hereinafter ‘reCAPTCHA’) on our websites, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’).

reCAPTCHA serves to review whether data is entered on our websites (e.g. on a contact form) by a person or an automated program. To this end, reCAPTCHA analyses the website visitor’s behaviour based on various features. This analysis begins automatically when the visitor accesses the website. reCAPTCHA analyses various information, including

  • IP address
  • The length of the visitor’s visit to the website
  • The user’s mouse movements

The data recorded in the analysis is forwarded to Google.

Further information on Google reCAPTCHA and Google’s privacy statement can be found at the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/v3beta.html

reCAPTCHA analyses run entirely in the background. Website visitors are not informed that an analysis is taking place.

2. Legal basis

Data is processed on the basis of Article 6(1)(f) GDPR.

3. Purpose of data processing

We have a legitimate interest in protecting our website against abusive, automated spying and against unwanted, automated transmissions.

4. Opportunity to object and delete

Data is recorded for purposes of IT system security and to ensure queries are processed properly. The user therefore does not have an opportunity to object.

 XI. Google Maps

1. Description of the processing of personal data

This website uses the map service Google Maps via an API. This service is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

To use the functions offered by Google Maps, your IP address has to be stored. This information is usually transmitted to a Google server in the US and stored there. The provider of this website cannot influence this data transmission.

Further information on the handling of user data can be found in Google’s privacy statement: https://www.google.de/intl/de/policies/privacy/

2. Legal basis of processing

Google Maps is used in order to attractively present our online services and to make it easy to find the places referred to on our website. This constitutes a legitimate interest as defined by Article 6(1)(f) GDPR.

3. Purpose of processing

With Google Maps, we provide an embedded map on our website that allows interested users to easily plan routes to the presented locations.

4. Opportunity to object and delete

Route planning is used voluntarily. For technical reasons, users do not have an opportunity to object when using the service.

XII. Embedded YouTube videos

1. Description of the processing of personal data

YouTube components are integrated on this website. YouTube is an online video portal that allows video publishers to upload video clips free of charge and allows other users to watch, rate and comment on these free of charge. YouTube allows all types of videos to be published. Entire films and TV programmes, but also music videos, trailers and videos made by users themselves can therefore be accessed on the portal.

YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.

Every time an individual page on this website that is operated by us and on which a YouTube component (YouTube video) has been integrated is accessed, the internet browser on the data subject’s IT system will automatically be prompted by the YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information on YouTube can be accessed at https://www.youtube.com/yt/about/de/. In this technical process, YouTube and Google will be informed which specific subpage on our website was visited by the data subject.

If the data subject is logged in on YouTube at the same time, YouTube will recognise which specific subpage on our website was visited by the data subject when this subpage containing a YouTube video is accessed. This information is collected by YouTube and Google and assigned to the data subject’s YouTube account.

Via the YouTube component, YouTube and Google are always informed that the data subject visited our website if the data subject is logged in on YouTube at the time our website is accessed. This happens irrespective of whether the data subject clicks on a YouTube video or not. If the data subject does not want this information to be transmitted to YouTube and Google, they may prevent this transmission by logging out of their YouTube account before accessing our website.

The data protection guidelines published by YouTube – which can be accessed at https://www.google.de/intl/de/policies/privacy/ – provide information on the collection, processing and use of personal data by YouTube and Google.

2. Legal basis of processing

YouTube is used in order to attractively present our online services. This is in our legitimate interest pursuant to Article 6(1)(f) GDPR.

3. Purpose of processing

We use YouTube videos to show interested users various elements of our company, such as our produced products.

4. Opportunity to object and delete

YouTube videos are accessed voluntarily. For technical reasons, users do not have an opportunity to object when using the service.

XIII.  Rights of data subjects

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right of access

You have the right to obtain confirmation from the controller as to whether we are processing personal data concerning you

and, where that is the case, you have the right to obtain access from the controller to the following information:

(1)          the purposes of the processing;

(2)          the categories of personal data concerned;

(3)          the recipients or categories of recipient to whom the personal data concerning you has been or will be disclosed;

(4)          the envisaged period for which the personal data concerning you will be stored, or, if not possible, the criteria used to determine that period;

(5)          the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;

(6)          the existence of the right to lodge a complaint with a supervisory authority;

(7)          all available information regarding the source of the personal data where this is not collected from the data subject.

 

You have the right to obtain information on whether the personal data concerning you is transmitted to a third country or an international organisation. In this respect, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification

You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must rectify the data without delay.

3. Right to restriction of processing

Under the following conditions you have the right to obtain restriction of processing of the personal data concerning you:

(1)          you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;

(2)          the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;

(3)          the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims; or

(4)          you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.

Where processing of the personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If you have obtained restriction of processing pursuant to the above conditions, you shall be informed by the controller before the restriction of processing is lifted.

4. Right to erasure
a.       Obligation to erase

You have the right to obtain from the controller the erasure of personal data concerning you without delay and the controller is obliged to erase this data without delay where one of the following grounds applies:

(1)          The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

(2)          You withdraw your consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal ground for the processing.

(3)          You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.

(4)          The personal data concerning you has been unlawfully processed.

(5)          The personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

(6)          The personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

b.      Disclosure of information to third parties

Where the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) GDPR to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, the data subject, have requested the erasure of any links to, or copy or replication of, this personal data.

c.       Exceptions

The right to erasure does not exist to the extent that processing is necessary

(1)          for exercising the right of freedom of expression and information;

(2)          for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3)          for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) as well as Article 9(3) GDPR;

(4)          for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR insofar as the right referred to in (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(5)          for the establishment, exercise or defence of legal claims.

5. Right to be informed

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or the restriction of processing, unless this proves impossible or involves disproportionate effort.

The controller shall inform you about those recipients if you so request.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

(1)          the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b), and

(2)          the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.  Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw a declaration of consent

You have the right to withdraw your declaration of consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1)          is necessary for entering into, or performance of, a contract between you and the controller;

(2)          is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3)          is based on your explicit consent.

However, these decisions must not be based on special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.