Buchem Chemie + Technik GmbH & Co. KG
Manager: Thomas Buchem
Types of processed data:
– Basic data (e.g. names, addresses).
– Contact data (e.g. email, telephone numbers).
– Content data (e.g. text entries, photographs, videos).
– Usage data (e.g. visited websites, content of interest, access times).
– Meta-/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online offer (data subjects are hereinafter summarised as “users”)
Purpose of processing
– Provision of the online offer, its functions and content.
– Replying to contact requests and communication with users.
– Security measures.
– Reach assessment/marketing.
”Personal data” are all data that refer to identified or identifiable natural persons (hereinafter “data subject”); a natural person that can be directly or indirectly identified by means of assignation to an identifier such as a name, an identification number, location data, to an online identification (e.g. cookie), or to one or several particulars that are expressions of the physiological, genetic, psychological, economic, cultural or social identity of this natural person.
“Processing” means any operation, or series of operations, that is carried out with or without the help of automated procedures in connection with person-specific data. The term is comprehensive and includes virtually any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Any natural or legal person, authority, establishment or other institution that can, alone or in conjunction with others, decide upon the purposes and means of processing of person-specific data is referred to as the “data controller”.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Relevant legal bases
Pursuant to Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as their access, input, disclosure, availability and separation. In addition, we have established procedures that ensure the enjoyment of data subject rights, data erasure, and reaction to data vulnerability. Furthermore, we take into account the protection of personal data in the development and/or selection of hardware, software and procedures, pursuant to the principle of data protection through technology design and privacy-friendly default settings (Art. 25 GDPR).
Collaboration with contract processors and third parties
If we reveal data to other persons or companies (contract processors or third parties) in the course of processing, transmit, or otherwise grant them access to this data, this only occurs on the basis of legal permission (e.g. if transmission of data to third parties such as payment service providers is required for contract performance according to Art. 6 para. 1 lit. b) GDPR, if you have given your consent, if a legal obligation provides for it, or on the basis of our legitimate interests (e.g. when deploying agents, web hosts, etc.).
If we instruct third parties to process data on the basis of a so-called “order data processing agreement”, this happens on the basis of Art. 28 GDPR.
Transfer of data to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA), or if we use third-party services, or disclose or transfer data to third parties, this only occurs if we are required to do so in order to fulfil (pre-)contractual obligations, on the basis of your consent, on the basis of a statutory requirement or on the basis of our legitimate interests. Subject to legal or contractual concessions, we only process data or allow data to be processed in a third country under the specific conditions outlined in Art. 44 ff. GDPR. This means that data is processed on the basis of special guarantees, for example the data protection level must be determined in accordance with the levels officially recognised by the EU (e.g. in accordance with the Privacy Shield Frameworks stipulated in the USA), or must comply with officially recognised contractual obligations (standard contractual clauses).
Rights of data subjects
You are entitled to request confirmation whether the relevant data are processed, as well as information about this data, and other information and copies of the data pursuant to Art. 15 GDPR.
Pursuant to Art. 16 GDPR, you are entitled to request the completion or correction of data concerning your person.
Pursuant to Art. 17 GDPR, you are entitled to demand the immediate erasure of relevant data, or, alternatively, pursuant to Art. 18 GDPR, to request a limitation of data processing.
Pursuant to Art. 20 GDPR, you are entitled to request data relating to your person that you have provided to us and to request transfer thereof to other data controllers.
Pursuant to Art. 77 GDPR, you are furthermore entitled to lodge a complaint with the relevant supervisory authorities.
Right of cancellation
Pursuant to Art. 7 para. 3 GDPR, you are entitled to revoke given consent with future effect.
Right to object
Pursuant to Art. 21 GDPR, you can at any time object to future processing of your personal data. Users can specifically object to having their data processed for the purposes of direct marketing.
Cookies and right to object in case of direct marketing
Small files that are saved on users’ computers are known as “cookies”. Various data can be saved within cookies. A cookie primarily serves the purpose of saving data concerning users (or the computer on which the cookie is saved) during and possibly after their visit to the online offering. Cookies that are deleted after users leave an online offering and close their browser are known as temporary cookies, “session cookies” or “transient cookies”. Cookies of this type may contain data such as the content of a shopping cart in an online shop, or a log-in status. Cookies that remain saved after closing the browser are known as “permanent” or “persistent” cookies. Particulars such as the log-in status can thus be saved when users revisit them after several days. User interests that are used for reach assessment or marketing purposes can equally be saved in these types of cookies. “Third-party cookies” are cookies that are offered by a provider other than the data controller who operates the online offer (the data controller’s own cookies are known as “first-party cookies”)
If users do not wish for cookies to be saved on their computers, we ask them to activate the appropriate option in their browser’s system preferences. You can delete stored cookies using your browser’s system preferences at any time. The exclusion of cookies can lead to function limitations in this online offering.
Deletion of data
According to legal requirements in Germany, the retention period is 10 years pursuant to Art. 147 para. 1 of the German Fiscal Code (Abgabeordnung, AO), and Art. 257 para. 1 nos. 1 and 4, para. 4 of the German Commercial Code (Handelsgesetzbuch, HGB) (trading books, inventories, opening balances, annual accounts, commercial letters, accounting records, etc.), as well as 6 years pursuant to Art. 257 para. 1 nos. 2 and 3, para. 4 of the German Commercial Code (business letters).
According to legal requirements in Austria the retention period is 7 years pursuant to § 132 para. 1 of the Austrian Fiscal Code (Bundesabgabeordnung, BAO) (accounting documents, receipts/invoices, accounts, records, business papers, statement of income and expenses, etc.), 22 years in connection with real estate, and 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-EU companies in EU Member States for which the Mini-One-Stop-Shop (MOSS) is used.
In addition, we process
– Contract data (e.g. subject matter of the contract, duration, customer category).
– Payment data (e.g. bank details, payment history)
from our customers, interested parties and business partners, for the purpose of contract performance, services and customer care, marketing, advertising and market research.
We process the data of our contractual partners and interested parties as well as that of other contracting authorities, customers, mandates, clients or contractual partners (uniformly referred to as “contractual partners”) pursuant to Art. 6 para. 1 lit. b) GDPR in order to provide you with our contractual or pre-contractual services. The data processed, and the nature, scope, purpose and necessity of their processing are determined by the underlying contractual relationship.
The processed data includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).
In principle, we do not process special categories of personal data, unless they are part of a contracted or contractual processing.
We process data which are necessary for the establishment and fulfilment of the contractual services and point out the necessity of the data, if this is not evident for the contractual partners. Data will only be disclosed to external persons or companies if required by a contract. When processing the data provided to us within the framework of an order, we act in accordance with the instructions of the client as well as the legal requirements.
As part of the use of our online services, we may store the IP address and the time of the respective user action. The legal basis for this storage is our legitimate interests, as well as the user interests with regard to protection against misuse and other unauthorised use. These data are not transferred to third parties, unless it is necessary for the prosecution of our claims pursuant to Art. 6 para. 1 lit. f) GDPR or there is a legal obligation pursuant to Art. 6 para. 1 lit. c) GDPR.
The data will be deleted if it is no longer required for the fulfilment of contractual or statutory duties of care, or for the handling of any warranty and comparable obligations, whereby the necessity of keeping the data is reviewed every three years; otherwise the statutory storage obligations apply.
Administration, financial accounting, office organisation, contact administration
We process data within the framework of administrative tasks, and the organisation of our operations, financial accounting and compliance with statutory requirements, such as archiving. In so doing, we process the same data as in the course of provision of our contractual services. The basis for processing is Art. 6 para. 1 lit. c) GDPR and Art. 6 para. 1 lit. f) GDPR. Customers, interested parties, business partners and website visitors are affected by processing. The purpose of, and our interest in processing is in the administration, financial accounting, office organisation and archiving of data, thus tasks that serve the maintenance of our business activities, performance of our functions and performance of our services. Deletion of data with a view to contractual services and contractual communication correspond to the statements made in these contractual activities.
We thereby disclose or transfer data to fiscal authorities, consultants, such as tax advisors or auditors, as well as fees offices and payment service providers.
Furthermore, on the basis of our business interests, we store information regarding suppliers, organisers and other business partners, e.g. for later contact. Such predominantly company-related data is usually stored permanently.
Business analysis and market research
In order to operate our business efficiently and recognise market trends and the requirements of contractual partners and users, we analyse data regarding business transactions, contracts, enquiries, etc. In so doing, we process basic data, communication data, contract data, payment data and metadata on the basis of Art. 6 para. 1 lit. f) GDPR, whereby data subjects include contractual partners, potential customers, customers, visitors to and users of our online offering.
Analyses are carried out for the purposes of business analysis, marketing and market research. We can thereby take into account user profiles containing information on, for example, the services they have used. Analyses serve to improve user friendliness, and to optimise our offering and business efficiency. We are the sole users of such analyses and they will not be disclosed externally, unless they are anonymous analyses with summarised values.
If such analyses or profiles are person-specific, they are deleted or anonymised at the time of user termination, otherwise they are deleted two years after the contract conclusion. Apart from that, general business analyses and trend assessments are compiled on an anonymous basis whenever possible.
When contact is made with us (e.g. via contact form, email, telephone or social media), user data is processed in order to process and implement the enquiry pursuant to Art. 6 para. 1 lit. b) GDPR (for contractual/pre-contractual relationships) and Art. 6 para. 1 lit. f) GDPR (for other enquiries). User information can be stored in a customer relationship management system (“CRM system”) or similar enquiry organisation.
We delete the information once it is no longer required. We review necessity every two years; in addition, legal archiving obligations apply.
The following information is intended to provide information on the content of our newsletter, the registration process, the distribution process, the statistical evaluation process and your right to object. When you subscribe to our newsletter, you acknowledge that you have agreed to receive the newsletter and that you agree with the processes that have been described.
Content of the newsletter: We send the newsletter, emails and other electronic messages with advertising information (hereinafter referred to as ‘newsletter’) only with the recipient’s consent or if we have been granted legal permission to do so. Insofar as the contents of the newsletter are concretely described when subscribing, this is decisive for user consent. Our newsletter also contains information about our services and our company.
Double opt-in and data logging: A double opt-in process is used when users register to receive our newsletter i.e. you will receive an email after registering which asks you to confirm your registration. This confirmation is necessary so that it is not possible for people to log in with external email addresses. New registrations to the newsletter are logged in order to verify that the registration process complies with the legal requirements. This involves storing the IP address and the time at which the new user registers and confirms the registration. Changes to any of your data stored by the email marketing service are also logged.
Registration details: You only need to provide your email address when you register to receive the newsletter. Optionally, we ask you to provide a name for the purposes of addressing the newsletter to you personally.
The dispatch of the newsletter and the related tracking is based on the consent of the recipient pursuant to Art. 6 para. 1 lit. a) and Art. 7 GDPR in conjunction with Art. 7 para. 2 no. 3 of the German Unfair Competition Act (Gesetz gegen unlauteren Wettbewerb, UWG), or, in the event that consent is not required, on the basis of our legitimate interest in direct marketing pursuant to Art. 6 para. 1 lit. f) GDPR in conjunction with Art. 7 para. 3 UWG.
The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our prime goal is to deploy a user-friendly and secure newsletter system that both serves our commercial interests and meets our users’ expectations, and furthermore enables us to prove consent.
Cancellation/revocation: You can cancel your subscription to our newsletter i.e. revoke your consent, at any time. You will find an unsubscribe link at the end of each newsletter. We may save the submitted email addresses for up to three years based on our legitimate interests before we delete them in order to prove prior consent. The processing of this data is limited to the purpose of the potential defence against claims. You may make an individual cancellation request at any time, provided that you simultaneously confirm your prior consent.
Newsletters – MailChimp
Furthermore, the email marketing provider can use this data in pseudonymous form, that is to say without attribution to a specific user, to improve their own services, e.g. to enhance how the distribution process operates on a technical level and how the newsletter is presented, or for statistical reasons. However, the email marketing provider does not use our newsletter recipients’ data to contact them or to disclose this information to third parties.
The newsletters contain what is known as a web beacon, which is a pixel-sized file called up by our server, or the by server of the email marketing provider insofar as we employ such a service, when the newsletter is opened. Technical information such as information on your browser, your operating system and IP address are collected at the time the file is called up.
This information is used to facilitate technical improvements in our services by means of gathering technical data, information on target groups and their reading behaviour by analysing access times and the locations from which readers call up the files (determined by means of IP addresses). Further statistical analysis includes determining whether the newsletter has been opened, when it was opened and which links have been clicked. For technical reasons, this information can be matched to individual newsletter recipients. However, neither we nor the email marketing service, insofar as we employ such a service, intends to monitor individual users. The main purpose of this analysis is to identify the reading habits of our users and to tailor our content to their requirements or to publish content that matches the interests of our readers.
Separate revocation of the tracking is unfortunately not possible, in this case, the entire newsletter subscription must be terminated.
Hosting and email distribution
We use hosting to provide the following services: Infrastructure and platform services, computing capacity, data storage, databank services, email distribution, security services, as well as technical maintenance that we deploy for the operation of this online offering.
In doing so, we, or our hosting service provider, process basic data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors to this online offering. The legal basis for this is our legitimate interest in the efficient and secure provision of this online offering pursuant to Art. 6 para. 1 lit. f) GDPR in conjunction with Art. 28 GDPR (conclusion of order data processing agreement).
On the basis of Art. 6 para. 1 lit. f) GDPR, we, or our hosting service provider, collect data regarding every access to the server that contains this service (so-called server log files). Access data include the name of the website visited, the file accessed, the date and time of the visit, the volume of data transferred, notification of a successful visit, the browser type and version, the user’s operating system, the referring URL (previously visited site), the IP address and the querying provider.
For security reasons (e.g. for the investigation of improper or fraudulent use), log file information is stored for a duration of no more than 7 days, then deleted. Data which must be stored for purposes of documentation is excluded from deletion until the event in question is fully clarified.
Google is certified under the Privacy Shield agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
On our behalf, Google will use this information to evaluate use of our online offering by users, to collate reports on activities within this online offering and to provide us with further services related to the use of this online offering and internet use. Pseudonymous user profiles of users can thereby be generated from processed data.
We only use Google Analytics with activated IP anonymisation. This means that your IP address will be abbreviated by Google within the member states of the European Union or in other countries that have signed the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and abbreviated there.
The IP address transmitted by your browser will not be merged with any other Google data. Users can prevent the storage of cookies by using the corresponding setting of their browser software; users can furthermore prevent the collation of cookie-generated data relating to the use of the online offering by Google if they download and install the browser plugin available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
The personal data of users will be erased or anonymised after 14 months.
Online presence in social media
We maintain an online presence within social media and platforms, in order to be able to communicate with customers, interested parties and users that are active there, and to inform them of our services.
We would hereby like to point out that user data may be processed outside the area of the European Union. This may result in risks for the users because e.g. enforcement of user rights could be made more difficult. With respect to US providers certified under the Privacy Shield, we would like to point out that they are committed to respecting EU privacy standards.
Furthermore, user data is usually processed for market research and advertising purposes. Therefore, user profiles can be created from e.g. user behaviour and the user interests revealed in this way. In turn, user profiles can be used, for example, to place ads inside and outside the platforms that are allegedly in line with users’ interests. For these purposes, cookies are usually stored on users’ computers. These cookies store information on user behaviour and interests. Furthermore, data not related to user devices can also be stored in user profiles (in particular if users are members of the respective platforms and are logged in).
The processing of users’ personal data is based on our legitimate interests in informing users effectively and communicating with users pursuant to Art. 6 para. 1 lit. f) GDPR. If users are asked by the respective providers for consent to process their data (e.g. they declare their agreement, for example, by ticking a check box or clicking on a “confirm” button), the legal basis for data processing is Art. 6 para. 1 lit. a) and Art. 7 GDPR.
For a detailed description of the processing carried out in each case and the options to revoke consent (opt-out), we refer you to the following information links for each provider.
In addition, in the case of requests for information and the assertion of user rights, we would like to point out that these can be requested/asserted most effectively by contacting the providers directly. Only the providers have access to user data, and can take appropriate measures and provide information directly. If you still need help after contacting the providers, then you can contact us.
opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
opt-out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Inclusion of services and content from third parties
On the basis of our legitimate interests (i.e. interest in analysis, optimisation and efficient operation of our online offering in terms of Art. 6 para. 1 lit. f) GDPR), we use third-party content or service offerings in order to include their content and services, such as videos or fonts (hereinafter “content”).
This always takes for granted that third-party providers of such content detect users’ IP address, because they cannot send content to their browser without the IP address. This means that the IP address is required to display the content in question. We make every attempt to use only the type of content where the supplier only uses the IP address to deliver the content. Third-party providers can furthermore use so-called pixel tags (invisible graphics, also known as “web beacons” for statistical or marketing purposes. Through these “pixel tags”, information such as visitor traffic on the pages of this website can be processed. Pseudonymous information can furthermore be stored in cookies on the users’ device and may contain technical information on the browser and operating system, referring websites, visiting time, as well as additional information regarding the use of our online offering, and merged with such information from other sources.
We embed videos from the “YouTube” platform, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
We embed fonts (“Google Fonts”), provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
We embed maps from the service “Google Maps”, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, users’ IP addresses and location data, which, however, are not collected without their consent (usually as part of the settings of their mobile devices). These data may be processed in the USA.