Privacy Policy
Status: November 2023
Thank you for your interest in the products and services offered by HANSA-FLEX AG (“HANSA-FLEX”). The protection of your personal data (“data”) is very important to us. With this Privacy Policy, we inform you about the processing of your data in connection with our online services and other business and communication processes with us.
We are controller for the data processing described in this Privacy Policy:
HANSA-FLEX AG
Zum Panrepel 44
28307 Bremen
Germany
Phone: +49 421 48 90 70
Fax: +49 421 48 90 748
E-mail: info@hansa-flex.com
Internet: http://www.hansa-flex.com
Data Protection Officer of HANSA-FLEX AG:
Max Danne
HANSA-FLEX AG
Zum Panrepel 44
28307 Bremen
Phone: +49 421 48 90 7 221
Fax: +49 421 48 90 7 930
E-mail: datenschutz@hansa-flex.com
Table of contents:
1. Your rights
If we process your personal data, you have the following rights:
1.1 Right of access
You have the right to request and obtain information free of charge as to whether data concerning you is being processed and, if this is the case, what data we are processing about you (Art. 15 GDPR). You can make this request again within a reasonable period of time. You also have the right to obtain a copy of your data undergoing processing.
1.2 Right to rectification
You can also obtain the rectification of inaccurate data concerning you in accordance with Art. 16 GDPR. You also have the right to have incomplete data concerning you completed, taking into account the purposes of the processing.
1.3 Right to erasre
Under the conditions of Art. 17 GDPR, you can request the erasure of your data.
1.4 Right to restriction of processing
You have the right to obtain restriction of processing of your data if the requirements of Art. 18 GDPR are met. This is the case, for example, if the processing of your data is no longer necessary for our purposes, but you need it for the establishment, exercise or defence of legal claims. If the processing of your data is restricted, this data - with the exception of storage - shall only be processed by us with your consent or in the special cases specified in Art. 18 para. 2 GDPR.
1.5 Right to data portability
Under the conditions of Art. 20 GDPR, you may request that you receive your data in a structured, commonly used and machine-readable format. In this case, you can also request that we transmit this data to another controller.
1.6 Right to withdraw
If we process your data on the basis of your consent, you have the right to withdraw your consent at any time with effect for the future (Art. 7 para. 3 GDPR).
1.7 Right to object
You have the option to object to data processing for direct marketing purposes at any time. In addition, you can object at any time to data processing that is carried out on the basis of a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR, Art. 21 GDPR on grounds relating to your particular situation.
1.8 Exercise of your rights as a data subject
To exercise your rights as a data subject, please contact our Data Protection Officer by e-mail or letter (contact details below).
1.9 Contact channels
You can exercise your rights via the following contact channels:
HANSA-FLEX AG
Zum Panrepel 44
28307 Bremen
Germany
Phone: +49 421 48 90 70
Fax: +49 421 48 90 748
E-mail: datenschutz@hansa-flex.com
1.10 Right to lodge a complaint with a data protection supervisory authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).
1.11 Other notes
The provision of personal data is in no case required by law or contract or necessary for the conclusion of a contract. Furthermore, we do not use automated decision-making (including profiling).
2. Data processing on our Online Worlds
In this section, we inform you about the processing of your data when you visit our Online Worlds. This information applies in particular to our websites (Corporate Website, Customer Portal and Online Shop)
2.1 Operation of all Online Worlds
2.1.1 Scope of data processing
When you access our Online Worlds, the following data is transmitted to our web server and stored in a log file:
- Information about the browser type and version used,
- The user’s operating system,
- The user’s internet service provider,
- The IP address of the user,
- Date and time of access,
- Websites from which the user’s system accesses our website (referrer URL),
- Websites that are accessed by the user’s system via our website
2.1.2 Purposes of data processing
The processing of this data is necessary in order to display the content of the Online Worlds on your device in the best possible way. We also process this data to defend against, investigate and clarify attacks on our IT and to prevent and detect criminal offences.
2.1.3 Legal basis for data processing
This data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in being able to display the Online Worlds to you in the best possible way, to be able to track attacks on our IT and to prevent and detect criminal offences.
2.1.4 Recipient of the data
Our web hosting service provider processes the aforementioned data on our behalf strictly in accordance with our instructions on the basis of an data processing contract (Art. 28 GDPR).
2.1.5 Storage period
The log data is stored for a period of 30 days and then deleted, unless it needs to be retained for longer in exceptional cases to track an identified attack or for other reasons.
2.2 Use of cookies and tracking technologies
When you visit our online worlds, so-called cookies are set by us. These are small text files that are stored on your end device. Cookies usually contain a characteristic string of signs, the so-called cookie ID, with which your browser can be identified when you visit our website again.
Cookies save you from having to enter data multiple times, facilitate the transmission of specific content and help us to identify particularly popular areas of our website. They enable us to constantly improve the structure and content of our website.
2.2.1 Purposes and legal basis
“Functional” cookies: Insofar as the cookies used on our Online Worlds are necessary to enable the operation of the Online Worlds or to ensure IT security, the legal basis for the use of cookies is § 25 para. 2 No. 2 of the Telecommunications-Telemedia Data Protection Act (TTDSG). The legal basis for the further processing of this data is Art. 6 para. 1 lit. f GDPR.
“Measurement” cookies: Insofar as the cookies used on our Online Worlds are for statistical purposes (e.g. evaluation of visitor behaviour, range measurement), the legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR; § 25 para. 1 TTDSG.
“Marketing” cookies: Insofar as the cookies used on our Online Worlds are used for marketing purposes (tracking cookies), the legal basis is your consent in accordance with Art. 6 para. 1 lit. a GDPR; § 25 para. 1 TTDSG.
You can obtain specific information about the cookies used on our respective Online Worlds via the cookie banners that are displayed when you first visit the site. You can also give your consent to the use of certain cookies via the cookie banner.
2.2.2 Deactivation of cookies
You have full control over the use of cookies and can delete cookies in your browser, completely deactivate the storage of cookies, selectively accept certain cookies and, if necessary, set your browser so that you are notified if a cookie is to be set. Please use the help functions of your browser to find out how you can change these settings. This may limit the functionality of our Online Worlds.
2.3 Consent Manager
2.3.1 Description and scope of data processing
On our Online Worlds, we use the cookie consent technology of “Consent Manager”, a service of consentmanager AB, Håltegelvägen 1b, 72348 Västerås, Sweden. We have concluded a data processing agreement with consentmanager AB in accordance with Art. 28 GDPR.
With the help of the Consent Manager, we document whether you have consented to the setting of certain cookies in the cookie banner or revoked your consent or objected to data processing. The following data is stored:
- Your IP address in anonymised form (the last three digits are set to ‘0’),
- Date and time of your consent,
- User agent of your browser,
- URL from which your consent was sent,
- an anonymous, random and encrypted key,
- Your consent status, which serves as proof of consent.
You can find details about the Consent Manager here: https://www.consentmanager.net/privacy/
2.3.2 Purposes and legal bases of data processing
The Consent Manager is used to fulfil data protection requirements for the setting and documentation of cookies. We use the Consent Manager to be able to demonstrate compliance with legal obligations, Article 6 para. 1 lit. c GDPR.
2.3.3 Storage period and control options
The cookie is active for 12 months. Beyond this period, the data collected will be deleted if you ask us to do so or delete the Consent Manager cookie yourself or if the purpose for storing the data no longer applies. Mandatory statutory retention periods remain unaffected.
2.4 Google Analytics
2.4.1 Description and scope of data processing
On our Online Worlds, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Cookies are used for this purpose. Once you have given your consent by clicking on the consent button on our cookie banner, the advertising analysis process by Google Analytics begins.
In addition to your IP address, the usage data collected includes in particular the specific selection of links, the time spent on individual pages, the order in which the respective Online World is used and the frequency of page views. Further information can be found in Google’s privacy policy: https://policies.google.com/privacy.
2.4.2 Purposes and legal bases of data processing
Google Analytics collects information in order to compile usage statistics for our Online Worlds. Google Analytics is only used after you have given your consent by clicking on the consent button in the cookie banner on the respective Online World. The legal basis for the processing of data when using our Online Worlds is Art. 6 para. 1 lit. a GDPR (consent), § 25 para. 1 TTDSG.
2.4.3 Recipient of the data
The data is usually transferred to a Google server in the USA and stored there. We have no influence on the type and scope of the data processed by Google, the type of processing and utilisation or the transfer of this data to third parties. Data transfers to third countries are based on the EU standard contractual clauses… In addition, Google LLC is certified under the EU-U.S. Data Privacy Framework.
2.4.4 Storage period, right to withdraw and right to object
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
You can withdraw your consent to Google Analytics at any time in the Consent Manager settings with effect for the future. Alternatively, you can object to data processing by Google Analytics at any time by downloading and installing the browser add-on offered by Google at tools.google.com/dlpage/gaoptout?hl=en. The analysis data processed and stored with Google Analytics will be automatically deleted by us after 14 months.
2.5 Google Ads Conversion Tracking
2.5.1 Description and scope of data processing
On our Online Worlds, we use Google Ads Conversion Tracking, an advertising analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Cookies are used for this purpose. After you have given your consent by clicking on the consent button on our cookie banner, the analysis process by Google Ads Conversion Tracking begins.
In addition to your IP address, the usage data collected includes, in particular, information on whether you have reached our Online World via our adverts via Google Ads and what actions you have subsequently taken on our website. Further information can be found in Google’s privacy policy: https://policies.google.com/privacy.
2.5.2 Purposes and legal bases of data processing
We use Google Ads Conversion Tracking to optimise our advertising presence and our advertisements. Google Ads conversion tracking is only used after you have given your consent by clicking the consent button in the Consent Manager on the respective Online World. The legal basis for the processing of data when using our online worlds is Art. 6 para. 1 lit. a GDPR (consent), § 25 para. 1 TTDSG.
2.5.3 Recipient of the data
The data is usually transferred to a Google server in the USA and stored there. We have no influence on the type and scope of the data processed by Google, the type of processing and use or the transfer of this data to third parties. In this respect, we also have no effective control options. Data transfers to third countries are based on the EU standard contractual clauses. In addition, Google LLC is certified under the EU-U.S. Data Privacy Framework.
2.5.4 Storage period, right to withdraw
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
You can withdraw your consent to Google Ads Conversion Tracking at any time in the Consent Manager settings with effect for the future. The processed and stored analysis data will be automatically deleted by us after 14 months.
2.6 Meta Pixel
2.6.1 Description and scope of data processing
We use Meta Pixel on our Online Worlds. This is a JavaScript code offered by Meta Platforms Ireland Limited, Block J, Serpentine Avenue, Dublin 4, Ireland (“Meta”).
Once you have given your consent by clicking on the consent button on our cookie banner, the data processing procedure by Meta Pixel begins.
The data collected includes
- HTTP header information such as information about the web browser used (e.g. user agent, language setting country/language)
- Online identifiers such as IP addresses and, where provided, meta-related identifiers or device IDs (such as advertising IDs for mobile operating systems)
- the actions you take on the respective Online World (so-called “events”), such as completing a registration, selecting items for the shopping basket or initiating contact via our Online Worlds.
This data may be merged with your user data on Facebook and Instagram.
Both we and Meta are jointly responsible for the processing of this data. The basis for data processing by Meta is an agreement between us and Meta on the joint processing of personal data, in which the respective responsibilities are defined. The agreement is available at https://www.facebook.com/legal/controller_addendum. Accordingly, we are responsible in particular for the fulfilment of the information obligations pursuant to Art. 13, 14 GDPR and for compliance with the obligations pursuant to Art. 33, 34 GDPR, insofar as a breach of the protection of personal data affects our obligations under the joint processing agreement. Meta is responsible for enabling the rights of data subjects in accordance with Art. 15 - 20 GDPR, complying with the security requirements of Art. 32 GDPR with regard to the security of processing and fulfilling the obligations under Art. 33, 34 GDPR insofar as a personal data breach affects Meta’s obligations under the joint processing agreement. However, you can still contact us to exercise your rights.
Further information on data processing by Meta can be found in Meta’s privacy policy: https://www.facebook.com/privacy/policy/.
2.6.2 Purposes and legal bases of data processing
Meta Pixel collects information to create usage statistics for our adverts and Online Worlds. This enables us to measure the effectiveness of our advertising and improve our adverts. Meta Pixel is only used after you have given your consent by clicking the consent button in the Consent Manager on the respective Online World. The legal basis for the processing of data when using our Online Worlds is Art. 6 para. 1 lit. a GDPR (consent), § 25 para. 1 TTDSG.
2.6.3 Recipient of the data
The processed data may be passed on to the parent company Meta Platforms, Inc. based in the USA. We have no influence on the type and scope of the data processed by Meta, the type of processing and use or the transfer of this data to third parties. In this respect, we also have no effective control options. Data transfers to third countries are based on the EU standard contractual clauses. Meta Platforms, Inc. is also certified under the EU-U.S. Data Privacy Framework.
2.6.4 Storage period, right to withdraw
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
You can withdraw the consent you have given with regard to Meta Pixel at any time in the Consent Manager with effect for the future. The analysis data processed and stored via Meta Pixel will be automatically deleted by us after 14 months.
2.7 LinkedIn Insight Tag
2.7.1 Description and scope of data processing
On our Online Worlds, we use LinkedIn Insight Tag, an advertising analysis service of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”). Cookies are used for this. After you have given your consent by clicking on the consent button on our cookie banner, the analysis process by LinkedIn begins.
In addition to your IP address and device and browser characteristics, the usage data collected includes, in particular, information on whether you have reached our Online World via our LinkedIn Ads advert and what actions you have subsequently taken on our website. Further information can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
2.7.2 Purposes and legal bases of data processing
We use LinkedIn Insight Tag to optimise our advertising presence and our advertisements. LinkedIn Insight Tag is only used after you have given your consent by clicking the consent button in the Consent Manager on the respective Online World. The legal basis for the processing of data when using our Online Worlds is Art. 6 para. 1 lit. a GDPR (consent), § 25 para. 1 TTDSG.
2.7.3 Recipient of the data
This information may be transferred to LinkedIn in the USA and stored there. We have no influence on the type and scope of the data processed by LinkedIn, the type of processing and use or the transfer of this data to third parties. In this respect, we also have no effective control options. Data transfers to third countries are based on the EU standard contractual clauses.
2.7.4 Storage period, right to withdraw
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
You can withdraw the consent you have given with regard to LinkedIn Insight Tag at any time in the Consent Manager settings with effect for the future. The processed and stored analysis data will be automatically deleted by us after 14 months
2.8 Google reCAPTCHA
2.8.1 Description and scope of data processing
To secure our Online Worlds against the misuse of bots, we use Google reCAPTCHA, a captcha service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Cookies are used for this. As part of this service, Google processes your IP address and other data such as information on the operating system, the language set, time and screen resolution and mouse and keyboard behaviour.
Further information can be found in Google’s privacy policy: https://policies.google.com/privacy.
2.8.2 Purposes and legal bases of data processing
Google reCAPTCHA collects data to determine whether the actions performed on our Online Worlds are performed by a human or a bot. The legal basis for the processing of the data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in protecting our Online Worlds from bot attacks.
2.8.3 Recipient of the data
The information generated by the cookies about the use of our Online Worlds is usually transmitted to a Google server in the USA and stored there. We have no influence on the type and scope of the data processed by Google, the type of processing and use or the transfer of this data to third parties. Data transfers to third countries are based on the EU standard contractual clauses. In addition, Google LLC is certified under the EU-U.S. Data Privacy Framework.
2.8.4 Storage period
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
2.9 Google Maps
2.9.1 Description and scope of data processing
We use the Google Maps map service on our Online Worlds. This allows us to show you interactive maps directly on our Online World and enables you to use the map function conveniently. The provider is Google Ireland Limited Gordon House, Barrow Street, Dublin 4, Ireland. As part of data processing, data is also regularly transmitted to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Ireland Limited and Google LLC are hereinafter jointly referred to as “Google”. To use the functions of Google Maps, it is necessary to process your IP address.
2.9.2 Purposes and legal bases of data processing
The use of Google Maps is in the interest of an appealing presentation of our offers and to make it easy to find the locations specified by us in the respective Online World. The data is processed on the basis of Art. 6 para. 1 lit. a GDPR (consent), § 25 para. 1 TTDSG.
2.9.3 Recipient of the data
This information is usually transferred to a Google server in the USA and stored there. We have no influence on the type and scope of the data processed by Google, the type of processing and use or the transfer of this data to third parties. In this respect, we also have no effective control options. Data transfers to third countries are based on the EU standard contractual clauses. In addition, Google LLC is certified under the EU-U.S. Data Privacy Framework.
2.9.4 Storage period, right to withdraw
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
You can withdraw the consent you have given with regard to Google Maps at any time in the Consent Manager settings with effect for the future.
2.10 YouTube plugins
2.10.1 Description and scope of data processing
Our Online Worlds use plugins from YouTube. The operator is Google Ireland Limited Gordon House, Barrow Street Dublin 4 Ireland (hereinafter referred to as “Google”). The YouTube videos are integrated in the so-called “extended data protection mode”, which, according to the provider, only initiates the storage of user information when the video(s) is/are played.
When you visit one of our Online Worlds equipped with a YouTube plug-in, a connection to the YouTube servers is established. The YouTube server is informed which of our online worlds you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.
Further information on the handling of user data can be found in YouTube’s privacy policy: https://policies.google.com/privacy.
2.10.2 Purposes and legal bases of data processing
The legal basis for data processing is Art. 6 para. 1 lit. f GDPR, whereby our interest lies in the smooth integration of the videos and the appealing design of our website.
2.10.3 Recipient of the data
By integrating YouTube, personal data may be transmitted to Google. Google also processes your personal data in the USA. We have no influence on the type and scope of the data processed by Google, the type of processing and use or the transfer of this data to third parties. In this respect, we also have no effective control options. Data transfers to third countries are based on the EU standard contractual clauses.
2.10.4 Storage period, right to withdraw
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
You can withdraw the consent you have given with regard to YouTube plugins at any time in the Consent Manager settings with effect for the future.
2.11 Contact options on our Online Worlds
2.11.1 Scope of data processing
You can contact us via our online worlds in various ways, for example:
Contact form
Enquiry form mobile hydraulic emergency service
If you would like to contact us via these channels, we need the following data from you:
- Salutation
- Name
- E-mail address (if contact by e-mail is required)
- Telephone number (if you wish to be contacted by telephone)
- Company data (name, address)
2.11.2 Purposes and legal basis of data processing:
We process your data for the purpose of being able to answer your enquiry to us in the best possible way. We process your data on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in responding to your enquiry addressed to us.
2.11.3 Recipient of the data
The data is only processed by the internal contact persons responsible for the contact enquiries.
2.11.4 Storage period
The storage period depends on the content of your contact enquiry. In principle, the data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected and any statutory retention obligations have expired.
2.12 Newsletter
2.12.1 Scope of data processing
You can subscribe to our online newsletter, including the customer magazine “Hydraulikpresse”. The following data will be processed:
- Salutation
- Surname, first name
- E-mail address
- Company name
2.12.2 Purposes and legal basis of data processing
We process your data for the purpose of sending the newsletter to business customers by email. We process your data on the basis of Art. 6 para. 1 lit. a GDPR. You have the right to withdraw your consent at any time with effect for the future (Art. 7 para. 3 GDPR).
2.12.3 Recipient of the data
The data is processed by the internal contact persons responsible for sending the newsletter.
The provider CleverReach GmbH & Co KG (Schafjückenweg 2, 26180 Rastede, Germany), with whom we have also concluded a data processing agreement in accordance with Art. 28 GDPR, supports us in sending the newsletter.
2.12.4 Storage period
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
2.13 Whitepaper
2.13.1 Scope of data processing
We offer the option of downloading white papers from our Online Worlds in order to provide our visitors with up-to-date information or information relating to you. The following data is processed for this purpose:
- Salutation
- Name
- E-mail address
- Company name
- Telephone number (optional)
2.13.2 Purposes and legal basis of data processing
We process your data for the purpose of providing downloads to business customers. We process your data on the basis of Art. 6 para. 1 lit. a GDPR. You have the right to withdraw your consent at any time with effect for the future (Art. 7 para. 3 GDPR).
2.13.3 Recipient of the data
The data is processed by the internal contact persons responsible for sending the customer magazine.
The provider CleverReach GmbH & Co KG (Schafjückenweg 2, 26180 Rastede, Germany), with whom we have also concluded a data processing agreement in accordance with Art. 28 GDPR, supports us in sending the download information.
2.13.4 Storage period
Your data will be deleted as soon as it is no longer required for the purpose for which it was collected and any statutory retention obligations have expired.
2.14 Data security
Ongoing technical and organisational security measures are taken to protect your personal data against manipulation, loss, destruction or access by unauthorised persons. In particular, we use TLS encryption when transmitting data via our Online Worlds. You can recognise this by the fact that the lock symbol in the status bar of your browser is closed and the address line begins with https://.
3. HANSA-FLEX Corporate Website
3.1 Scope of data processing
You can access the HANSA-FLEX corporate website via hansa-flex.de.
3.2 Purposes and legal basis of data processing
We process your data for the purpose of providing the HANSA-FLEX Corporate Website on the basis of Art. 6 para. 1 lit. f GDPR.
3.3 Recipient of the data
The service provider neusta infrastructure services GmbH (Konsul-Smidt-Straße 24, 28217 Bremen) supports us with hosting.
The advertising agency team neusta GmbH (Konsul-Smidt-Straße 24, 28217 Bremen) supports us in the operation of the application.
As part of an data processing agreement (Art. 28 GDPR), the service providers have undertaken to comply with appropriate technical and organisational measures for data security, among other things, and act on our behalf in accordance with our instructions.
3.4 Use of cookies and tracking technologies
For more information on the cookies used on the website, please refer to the sections 2.2 to 2.8.
4. HANSA-FLEX customer portal (my.hansa-flex Portal, X-CODE Manager)
4.1 Scope of data processing
We operate the mobile application and the browser-based web application X-CODE Manager (“Application”). This customer portal is aimed exclusively at commercial customers. You can only use the application if you have been authorised to do so by a HANSA-FLEX employee. To create a user account, we receive your professional contact details from the HANSA-FLEX customer. Once we have created your user account, you will receive an e-mail from us containing a link to the application. There you can log in for the first time and assign yourself a password. You can then use the application as intended. The following data categories are processed in this context:
- Surname, first name
- Professional contact details (function, department, company address, telephone, fax, e-mail, customer and partner number)
- Signature (for the creation of service reports)
4.2 Purposes and legal basis of data processing
We process this data so that we can provide you with the application in accordance with the terms of use concluded between you and us. Legal basis: We process your personal data in fulfilment of a contractual obligation (Art. 6 para. 1 lit. b GDPR) and on the basis of legitimate interests (Art. 6 para. 1 lit. f GDPR).
4.3 Shared responsibility
In addition to us, the HANSA-FLEX customer on whose behalf you use the application is also responsible for the processing of this data. The HANSA-FLEX customer can view your activities in the application via the user administration and assign to you certain rights to use the application. HANSA-FLEX and the HANSA-FLEX customer are to be regarded as joint controllers pursuant to Art. 26 GDPR with regard to the processing of your data. For this reason, HANSA-FLEX and the HANSA-FLEX customer have concluded a corresponding agreement on the joint processing of personal data in accordance with Art. 26 para. 1 GDPR. In essence, it was agreed that we would provide you with information on data processing and inform you about the essential contents of our agreement on joint processing, which we hereby do. We have agreed with the HANSA-FLEX customer that you can contact us or the HANSA-FLEX customer at your request with regard to the assertion of data subject rights (e.g. right of access, right to erasure). Details on this can be found in the section “Your rights”.
4.4 Processing of analysis data
We use the functions of the mobile development platform Firebase. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94943, USA. Firebase sends analysis data with the help of embedded code. This data is usually transferred to a Google server in the USA and stored there. Firebase data is processed on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in analysing user behaviour in order to optimise the development of the app. The EU standard contractual clauses provide sufficient guarantees for data transfers to third countries. Google LLC is also certified under the EU-U.S. Data Privacy Framework.
We also use the functions of the crash reporting tool Crashlytics. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94943, USA. Crashlytics uses embedded code to send an error report if the app crashes unexpectedly. This information is usually transmitted to a Google server in the USA and stored there. Crash reports are stored on the basis of Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in analysing crash reports in order to continuously improve the user experience. The EU standard contractual clauses provide sufficient guarantees for data transfers to third countries. In addition, Google LLC is certified under the EU-U.S. Data Privacy Framework.
We also use functions of the web analysis service Firebase Analytics. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Firebase sends analysis data with the help of embedded code. This data is usually transferred to a Google server in the USA and stored there. The storage of Firebase Analytics data is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in analysing user behaviour in order to optimise the development of the app. The EU standard contractual clauses provide sufficient guarantees for data transfers to third countries. Google LLC is also certified under the EU-U.S. Data Privacy Framework.
4.5 Recipient of the data
We use the SAP Cloud of the external hosting service provider SAP Deutschland SE & Co KG, Hasso-Plattner-Ring 77, 69190 Walldorf, Germany, to provide the application. We also use Arvato Systems S4M GmbH, Am Coloneum 3, 50829 Cologne, Germany, as a hosting service provider.
The advertising agency team neusta GmbH (Konsul-Smidt-Straße 24, 28217 Bremen) and neusta mobile solutions GmbH (Konsul-Smidt-Straße 24, 28217 Bremen) support us in the operation of the application.
As part of an data processing agreement (Art. 28 GDPR), the service providers have undertaken to comply with appropriate technical and organisational measures for data security, among other things, and act on our behalf in accordance with our instructions.
4.6 Storage period
We only store your personal data until the purpose for which we collected or received it has been fulfilled. The log files are stored for a period of seven days and then deleted, unless they need to be retained for longer in exceptional cases to track an identified attack. Transmitted data of deactivated users will be deleted after 12 months.
4.7 Use of cookies and tracking technologies
For more information on the cookies used on the website, please refer to the sections 2.2 to 2.8.
5. HANSA-FLEX Online Shop (shop.hansa-flex.de)
5.1 Scope of data processing
We offer the HANSA-FLEX Online shop on the shop.hansa-flex.de website. The Online Shop is aimed at commercial customers. You can create a personal profile there (e.g. as an employee of a commercial customer). The following data is required for registration:
- Surname, first name
- Professional contact details (address, telephone, fax, e-mail)
In addition, the following data may be processed as part of an order via the Online Shop:
- Order information (subject and date of the order, delivery times)
- Payment information
5.2 Purposes and legal basis of data processing
We process your data for the purpose of providing the HANSA-FLEX Online shop and to fulfil an order placed via the Online Shop for a business customer on the basis of legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the functioning and practicable cooperation with our business partners and the employees of our business partners and the processing of orders via our Online Shop.
5.3 Recipient of the data
We use the SAP Cloud of the external hosting service provider SAP Deutschland SE & Co KG, Hasso-Plattner-Ring 77, 69190 Walldorf, Germany, to provide the application. We also use Arvato Systems S4M GmbH, Am Coloneum 3, 50829 Cologne, Germany, as a hosting service provider. As part of a data processing agreement (Art. 28 GDPR), the service providers have undertaken to comply with appropriate technical and organisational measures for data security, among other things, and act on our behalf in accordance with our instructions. We process your data exclusively in the European Union or the European Economic Area.
The advertising agency team neusta GmbH (Konsul-Smidt-Straße 24, 28217 Bremen) supports us in the operation of the application.
We use the financial services provider Unzer GmbH, Schöneberger Str. 21a, 10963 Berlin for the purpose of processing payments by credit card.
As part of a data processing agreement (Art. 28 GDPR), the service providers have undertaken to comply with appropriate technical and organisational measures for data security, among other things, and act on our behalf in accordance with our instructions.
Insofar as it is necessary for the fulfilment of an order, we transmit your data to company branches, group companies and partner companies & agencies as well as other external service partners that we use to fulfil the contract. This includes in particular the shipping company commissioned with the delivery of ordered goods and the payment institutions and payment service providers commissioned with payment processing as well as the company branches https://www.hansa-flex.co.uk/subsidiaries.html, group companies and partner companies & agencies as well as other external service providers commissioned to carry out maintenance, repair work and other work and services as well as service work.
5.4 Storage period
Your data will be stored by us for as long as we need it for the specific processing purpose. We regularly store your data for at least the duration of your use of our online shop.
We also store certain data for the duration of statutory limitation periods (usually three years, in individual cases up to thirty years) and for as long as statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code) prescribe (but usually for a maximum of ten years).
Under certain circumstances, we may have to store your data for longer. This is the case, for example, if a prohibition to delete data is ordered for the duration of the proceedings in connection with official or court proceedings .
5.5 Use of cookies and tracking technologies
For more information on the cookies used on the website, please refer to the sections 2.2 to 2.8.
6. Business contacts
6.1 Scope of data processing
As part of our business relationship with you as a business customer, service provider or supplier or as an employee of our business partners, we process the data that we receive from you or your employer.
In particular, this is data that we receive as soon as you or one of your colleagues contact our employees. Contact can be made electronically (by e-mail) or in person (e.g. contact at trade fairs, handing over a business card).
We may process the following categories of data in this context:
- Surname, first name
- Professional contact details (function, department, address, telephone, fax, e-mail)
- Data on professional circumstances (job title, tasks, activity, qualifications)
- In addition, we may process other data that you provide during interaction with our employees.
We use your data to communicate with you (e.g. by email) for business purposes and to send you offers, for example. In this context, we store your contact data in our CRM system and possibly in other contact directories (e.g. in Outlook).
6.2 Purposes and legal bases of data processing
Your data will be processed by us for the purpose of establishing and implementing the contractual relationship with you as a business customer and to fulfil legal requirements.
If you are personally our business partner, the processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR for the fulfilment or initiation of a contract.
For the purpose of fulfilling legal obligations, processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR in conjunction with legal and official requirements (e.g. from tax and commercial law).
6.3 Recipients of your data
Personal data may be processed by external service providers (e.g. cloud, support, hosting or analysis service providers) on the basis of contracts in accordance with Art. 28 GDPR. The external service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.
Insofar as it is necessary for the above-mentioned purposes, we transmit your data to company branches, group companies and partner companies & agencies as well as other external service partners that we use to fulfil the contract. This includes in particular the shipping company commissioned with the delivery of ordered goods and the payment institutions and payment service providers commissioned with payment processing as well as the company branches https://www.hansa-flex.co.uk/subsidiaries.html, group companies and partner companies & agencies as well as other external service providers commissioned to carry out maintenance, repair work and other work and services as well as service work.
6.4 Transfer of your data to a third country
We endeavour to process your data within the European Union or the European Economic Area. If we transfer your data to a third country, i.e. outside the European Union or the European Economic Area, this will only be done in accordance with the legal requirements.
Should your personal data nevertheless be transferred, this will only take place if an adequate level of data protection is ensured in the third country in accordance with an adequacy decision of the European Commission or if suitable guarantees (e.g. data protection contracts using the standard contractual clauses of the European Commission) can ensure adequate protection of your personal data.
We have concluded standard contractual clauses with our subsidiaries in non-EU countries for which there is no adequacy decision.
6.5 Storage period
We store your data for as long as we need it for the specific processing purpose. We regularly store your data for at least the duration of our business relationship with you or the business customer for whom you work.
We also store certain data for the duration of statutory limitation periods (usually three years, in individual cases up to thirty years) and for as long as statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code) prescribe (but usually for a maximum of ten years).
Under certain circumstances, we may have to store your data for longer. This is the case, for example, if a prohibition to delete data is ordered for the duration of the proceedings in connection with official or court proceedings.
7. Video conferences, online meetings and webinars
We use platforms and applications from other providers (“third-party providers”) for the purpose of holding video and audio conferences, webinars and other types of video and audio meetings. When selecting third-party providers and their services, we observe the legal requirements. In this context, data of the communication participants are processed and stored on the servers of the third-party providers, insofar as these are part of communication processes with us. This data may include, in particular, registration and contact data, visual and vocal contributions as well as entries in chats and shared screen content. If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the data protection notices of the respective third-party providers.
7.1 Scope of data processing
If you participate in video conferences, online meetings or webinars organised by us, we generally process the following data:
- Inventory data (e.g. names, addresses),
- Meta/communication data (e.g. device information, IP addresses)
In individual cases, the following data may also be processed, for example if you have stored this information in your user profile or if you share content with us:
- Contact details (e.g. email, telephone numbers),
- Content data (e.g. text entries, photographs, videos),
- Usage data (e.g. websites visited, interest in content, access times),
7.2 Purposes and legal bases of processing
We use the applications to conduct video and audio conferences, webinars and other types of video and audio meetings. If we ask users for their consent to the use of third-party providers or certain functions (e.g. consent to the recording of conversations), the legal basis for processing is consent pursuant to Art. 6 para. 1 lit. a GDPR. Furthermore, their use may be part of our (pre-)contractual services in accordance with Art. 6 para. 1 lit. b. GDPR, insofar as the use of third-party providers has been agreed in this context. Otherwise, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners in accordance with Art. 6 para. 1 lit. f. GDPR.
7.3 Recipient of the data
We currently use Microsoft Teams. Personal data is transmitted to the operator of this service - Microsoft Ireland Operations Ltd, The Atrium Building, Block B, Carmanhall Road, Sandyford Business Estate, Dublin 18, Ireland (“Microsoft”) - and processed on our behalf in accordance with instructions on the basis of a data processing agreement pursuant to Art. 28 GDPR.
Microsoft Teams
Website: https://products.office.com
Privacy policy: https://privacy.microsoft.com/en-gb/privacystatement
Safety instructions: https://www.microsoft.com/en-gb/trustcenter
7.4 Transfer of your data to a third country
We have agreed with the third-party providers that the data will generally be processed within the EU. However, it cannot be technically ruled out that personal data may also be transferred to the USA when using the above services. In order to ensure sufficient guarantees for data transfers to the USA, EU standard contractual clauses have been concluded. Microsoft is also certified under the EU-U.S. Data Privacy Framework.
7.5 Storage period
We store your data for as long as we need it for the specific processing purpose. Metadata from calls and conversations is stored for a maximum of 180 days (depending on the date). Chats are stored for 90 days after the end of the chat and then automatically deleted. Logged administrative events are stored for 90 days and then automatically deleted. If the contract with Microsoft is cancelled, the data is deleted after 90 days.
8. Applicants
8.1 Scope of data processing
In the application process, we only collect the data that you provide to us. We require the following data to carry out the application process:
- Surname, first name
- Contact details (address, e-mail address and telephone number)
- Information on the course of training and, if applicable, professional career
- Data on your professional qualifications, such as school-leaving and educational qualifications, language skills, as well as your place of study or training, certificates
- If you send us your CV, we will process the data provided in it, such as photos of you or possibly the existence of a driving licence
- Any other data provided by you as part of your application
We are looking for the best employees, regardless of ethnic origin, gender, religion or ideology, disability, age or sexual identity. Please do not provide any information on:
- Pregnancy
- ethnic origin, political opinions, philosophical or religious beliefs, trade union membership or sexual life
- Information that has nothing to do with the job profile of the position for which you are applying
8.2 Purpose and legal basis of data processing
We treat your details confidentially and solely for the purpose of selecting applicants. We need your personal data in order to process your application and to be able to contact you to handle your application process. Unfortunately, we cannot offer you a position without this data. The legal basis for data processing is Art. 6 para. 1 lit. b GDPR and § 26 para. 1 Federal Data Protection Act (BDSG). Insofar as the data transmitted by you contains special categories of data (e.g. ethnic origin, trade union membership, health data) and this data is necessary for us to fulfil our obligations under labour or social law, the legal basis is Art. 9 para. 2 lit. b GDPR.
8.3 Recipient of the data
Internally, only those persons have access to your data who need it for the stated purposes. These are primarily the responsible partners, responsible HR employees and all persons who are necessarily involved in the applicant selection process.
The provider Haufe Service Center GmbH (Munziger Straße 9, 79111 Freiburg) supports us in the administration of applications.
The provider PitchYou GmbH (Campusallee 9, 51379 Leverkusen) supports us in the processing of applications via digital channels.
As part of a data processing agreement (Art. 28 GDPR), the service providers have undertaken to comply with appropriate technical and organisational measures for data security, among other things, and act on our behalf in accordance with our instructions.
8.4 Transfer of your data to third countries
We do not transfer your personal data to countries outside the European Union or the European Economic Area (currently EU member states plus Iceland, Liechtenstein and Norway) as part of the application process.
8.5 Storage period
If an employment relationship is established with you, we will process your data for the purposes of the employment relationship in accordance with a separate privacy policy, which you will then receive from us.
You can consent to your personal data being transferred to an applicant pool. We process your data on the basis of Art. 6 para. 1 lit. a GDPR. You have the right to withdraw your consent at any time with effect for the future (Art. 7 para. 3 GDPR). We request new consent at regular intervals.
In the event that no employment relationship is established with you, we will generally store your data for a period of six months from the date of receipt of your rejection. Your application documents will then be deleted.
9. Social media profiles
We operate various social media profiles in order to constantly improve our public image and to provide information on the respective social media platforms. Below you will find information about our data processing on the individual social media platforms.
9.1 Scope of data processing
You can interact with our profile on the respective social media platform, for example by following us, sharing posts, commenting or rating them (e.g. by marking them with “like”). In this case, we will receive a notification that you have visited or interacted with our account. We can then see your profile name, your interaction and - if available - your profile picture. If you contact us via direct notification or send us a message, we can see your user profile and your message.
In addition, the respective social media platforms generally offer analysis options that we use to improve our online presence and increase our reach. We can use the analysis tools provided by the respective social media platform to see how many users have seen or interacted with our posts. The analysis evaluations do not allow any conclusions to be drawn about you personally.
9.2 Purpose and legal basis of data processing
We process the data in order to improve our online presence or to be able to interact with you on your initiative and to read and respond to your enquiry or notification.
We process your data on the basis of our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in improving our online presence and for marketing purposes.
9.3 Recipient of the data
Your data will be viewed by our employees who manage our social media accounts. In addition, the respective providers of the social media platforms process your data in accordance with their own privacy policies. Specifically, these are the following social media providers:
Platform | Provider | Data protection information |
Facebook | Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland | |
Instagram | Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland | |
LinkedIn | LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland | |
Xing | New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany | |
Youtube | Google Ireland Limited Gordon House, Barrow Street Dublin 4, Ireland |
The respective platform operators are themselves responsible for the processing of your personal data on the respective platform. As a user of the respective platform, you have accepted the corresponding user agreements. As a commercial customer of the respective platform, we have concluded data protection agreements with the respective platform operators. We have concluded agreements with Meta and LinkedIn regarding the use of analysis functions for the joint processing of personal data in accordance with Art. 26 GDPR. The contents of the agreements can be found here:
Meta: https://www.facebook.com/legal/controller_addendum
LinkedIn: https://legal.linkedin.com/pages-joint-controller-addendum
Insofar as the respective platform operators transfer personal data to non-EU third countries, they use the EU standard contractual clauses.
9.4 Storage period
We will store your data for as long as we need it for the specific processing purpose. We also store certain data for the duration of statutory limitation periods (usually three years, in individual cases up to thirty years) and for as long as statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code) prescribe (but usually for a maximum of ten years).