Newsletter Tracking

​

We would like to point out that we evaluate your user behavior when the newsletter is sent. For this evaluation, the emails sent contain so-called web beacons or tracking pixels, which we store. For the evaluations we link the mentioned data and the web beacons with your email address. Links received in the newsletter also contain these tracking IDs. The legal basis is Art. 6 paragraph 1 lit. f GDPR.

The information is stored for as long as you have subscribed to the newsletter. After unsubscribing, we only save the data purely statistically and anonymously.

Such tracking is not possible if you have deactivated the display of images by default in your email program. In this case, the newsletter will not be displayed in full and you may not be able to use all functions. If you display the images manually, the above-mentioned tracking takes place.

​

Server Log Files

​

For technical reasons, particularly to ensure a functioning and secure website, we process the technically necessary data about accesses to our website in so-called server log files which your browser automatically sends to us. 

​

The access data we process includes:

​

• The name of the website you are accessing  

• The browser type (including version) you use

• The operating system you use

• The site you visited before  accessing our site (referrer URL)

• The time of your server request

• The amount of data transferred

• The host name of computer (IP address) you are using to access the site

​

This data cannot be traced back to any natural person and is used solely to perform statistical analyses and to operate and improve our website while also optimising our site and keeping it secure. This data is sent exclusively to our website operator. The data is neither connected nor aggregated with other data sources. In case of suspicion of unlawful use of our website, we reserve the right to examine the data retroactively. This data processing takes place on the legal grounds of our legitimate interest in maintaining a technically fault-free and optimal website, as described under Art. 6 paragraph 1 lit. f of the GDPR.

​

The access data is deleted within a short period of time after serving its purpose (usually within a few days) unless further storage is required for evidence purposes. In such cases, the data is stored until the incident is definitively resolved.

​

SSL Encryption

​

Within your visit to our website, we use the widespread SSL procedure (Secure Socket Layer) in conjunction with the highest level of encryption supported by your browser. You can tell whether an individual page of our website is transmitted in encrypted form by the closed representation of the key or lock symbol in the lower status bar of your browser. We use this encryption procedure on the basis of our justified interest in the use of suitable encryption techniques in accordance with Art. 6 paragraph 1 lit. f GDPR.

​

We also make use of suitable technical and organisational security measures in accordance with Art. 32 GDPR to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments and kept state-of-the-art.

​

WebCare

​

In order to obtain consent for the use of cookies on our website in accordance with data protection regulations, we use the Consent Banner of DataReporter WebCare. This is a service provided by DataReporter GmbH, Zeileisstraße 6, 4600 Wels, Austria ("DataReporter"). More information about this company can be found at www.datareporter.eu. The Consent Banner records and stores the consent to cookie use for the respective user of our website. Our Consent Banner ensures that statistical and marketing cookies are only set when the user has given his express consent to their use. 

​

We store information on the extent to which the user has confirmed the use of cookies. The user's decision can be revoked at any time by calling up the setting for cookies and managing the declaration of consent. Existing cookies will be deleted after revocation of the consent. A cookie is also set to store information on the status of the user's consent, which is indicated in the cookie details. Furthermore, the IP address of the respective user is transmitted to DataReporter's server for calling this service. The IP address is neither stored nor associated with any other data of the user, it is only used for the correct execution of the service. The use of the above data is therefore based on our legitimate interest in the legally compliant design of our website in accordance with Art. 6 paragraph 1 lit. f GDPR.

​

Further information can be found in the DataReporter data protection declaration at https://www.datareporter.eu/datenschutz. Please feel free to send your enquiries about this service to office@datareporter.eu.

​

Youtube

​

On our website, the "YouTube" service is used to embed videos into the site. The operator of the necessary software and plugin is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("YouTube"). 

​

When you visit a site with embedded YouTube videos, a connection is established to YouTube servers. This will tell YouTube which pages you are visiting.

​

ATTENTION: Within the scope of this service, data is transferred to the US or such a transfer cannot be excluded.

​

YouTube's applicable privacy policy can be found at https://www.google.com/policies/privacy/, Opt-Out option: https://adssettings.google.com/authenticated

​

General information on data protection

​

The following provisions in its principles apply not only to the data collection on our website, but also in general to other processing of personal data.

​

Personal data

​

Personal data is information that can be assigned to you individually. Examples include your address, name, postal address, email address or telephone number. Information such as the number of users who visit a website is not personal data because it is not assigned to a person.

​

Legal basis for the processing of personal data

​

Unless more specific information is provided in this Privacy Policy (e.g. in the case of the technologies used), we may process personal data from you on the basis of the following legal principles:

​

• consent in accordance with Art. 6 paragraph 1 lit. a of the GDPR - The data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes.

• Fulfillment of a contract and pre-contractual measures pursuant to Art. 6 paragraph 1 lit. b of the GDPR - Processing is necessary for the fulfillment of a contract to which the data subject is a party or for the implementation of pre-contractual measures.

• Legal obligation pursuant to Art. 6 paragraph 1 lit. c of the GDPR - Processing is necessary for the performance of a legal obligation.

• Protection of vital interests pursuant to Art. 6 paragraph 1 lit. d of the GDPR - Processing is necessary to protect the vital interests of the data subject or of another natural person.

• Reasonable interests pursuant to Art. 6 paragraph 1 lit. f of the GDPR - The processing is necessary to protect the legitimate interests of the controller or of a third party unless the interests or fundamental rights and freedoms of the data subject prevail.

​

Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our home country.

​

Transfer of personal data

​

Your personal data will not be transferred to third parties for purposes other than those listed in this Privacy Policy.

​

We will only transfer your personal data to third parties if:

​

• you have given your express consent in accordance with Art. 6 paragraph 1 lit. a of the GDPR,

• the transfer pursuant to Art. 6 paragraph 1 lit. f of the GDPR is necessary to safeguard reasonable interests, as well as to assert, exercise or defend legal claims and there is no reason to assume that you have a prevailing interest worthy of protection by not disclosing your data,

• there is a legal obligation to transfer the data in accordance with Art. 6 paragraph 1 lit. c of the GDPR, as well as this is legally permissible and / or

• it is required according to Art. 6 paragraph 1 lit. b of the GDPR for the processing of contractual relationships with you.

​

Cooperation with processors

​

We carefully select our service providers who process personal data on our behalf. If we commission third parties to process personal data on the basis of a data processing agreement, this is done in accordance with Art. 28 of the GDPR.

​

Transfer to third countries

​

If we process data to a third country or if this is done in the context of using the services of third parties or disclosure or transfer of data to other persons or companies, this is only done for the reasons described above for the transfer of data.

​

Subject to express consent or contractual necessity, we process or allow data to be processed only in third countries with a recognized level of data protection or on the basis of special guarantees, such as contractual obligations through so-called standard contractual clauses of the EU Commission, the existence of certifications or binding corporate rules in accordance with Art. 44 - 49 of the GDPR.

​

Data transfer to the US / Discontinuation of the Privacy Shield

​

We would like to expressly point out that as of July 16, 2020, due to a legal dispute between a private individual and the Irish supervisory authority, the so-called "Privacy-Shield", an adequacy decision of the EU Commission according to Art 45 GDPR, which confirmed an adequate level of data protection for the US under certain circumstances, is no longer valid with immediate effect.

​

The Privacy Shield therefore no longer constitutes a valid legal basis for the transfer of personal data to the United States!

​

If a transfer of data by us to the US takes place at all or if a service provider based in the US is used by us, we refer to this explicitly in this Privacy Policy (see in particular the description of the technologies used on our website).

​

What can the transfer of personal data to the US mean for you as a user and what risks are involved?

Risks for you as a user are at any rate the powers of the US secret services and the legal situation in the US, which, in the opinion of the European Court of Justice, no longer ensure an adequate level of data protection. Among other things, this concerns the following points:

​

• Section 702 of the Foreign Intelligence Surveillance Act (FISA) does not provide for any restrictions on the surveillance measures of the secret services or guarantees for non-US citizens.

• Presidential Policy Directive 28 (PPD-28) does not provide effective remedies for those affected against actions by U.S. authorities and does not provide barriers to ensuring proportionate measures.

• The ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive; he cannot issue binding orders to the U.S. secret services.

​

Legally compliant transfer of data to the US on the basis of standard contractual clauses?

​

The standard contractual clauses adopted by the Commission in 2010 (2010/87/EU of 05.02.2010), Art. 46 paragraph 2 lit. c GDPR, are still valid, but a level of protection for personal data must be ensured which is equivalent to the level in the European Union. Therefore, not only the contractual relationships with our service providers are relevant, but also the possibility of access to the data by U.S. authorities and the legal system of the U.S. (legislation and jurisdiction, administrative practice of authorities).

​

The standard contractual clauses cannot bind authorities in the US and therefore do not yet provide adequate protection in cases in which the authorities are authorized under the law in the US to intervene in the rights of the data subjects without additional measures by us and our service provider.

​

Legally compliant transfer of data to the US on the basis of your consent?

​

It is currently controversial whether informed consent and thus a deliberate and knowingly restriction of parts of your basic right to data protection is legally possible at all.

​

What measures do we take to ensure that a data transfer to the US complies with the law?

​

Insofar as US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Union and cannot be accessed by US authorities.

​

Furthermore, we carefully examine European alternatives to US tools used. However, this is a process that does not happen overnight, as it also involves technical and economic consequences for us. Only if the use of European tools and / or the immediate switch off of the US tools is impossible for us for technical and / or economic reasons, US service providers are currently still used.

​

For the further use of US tools we take the following measures:

​

As far as possible, your consent will be asked for before using a US tool and you will be informed in advance in a transparent manner about the functioning of a service. The risks involved in transferring data to the USA can be found in this section.

​

We make every effort to conclude standard contract clauses with US service providers and to demand additional guarantees.  In particular, we require the use of technologies that do not allow access to data, e.g. the use of encryption that cannot be broken even by US services or anonymization or pseudonymization of data, where only the service provider can make the assignment to a person.  At the same time, we require additional information from the service provider if data is actually accessed by third parties or the service provider exhausts all legal remedies until access to data is granted at all.

​

Storage period

​

If no explicit storage period is specified during the collection of data (e.g. in the context of a declaration of consent), we are obliged to delete personal data in accordance with Art. 5 paragraph 1 lit. e of the GDPR as soon as the purpose for processing has been fulfilled. In this context, we would like to point out that legal storage obligations represent a legitimate purpose for the processing of personal data.

​

Personal data will be stored and retained by us in principle until the termination of a business relationship or until the expiry of any applicable guarantee, warranty or limitation periods, in addition, until the end of any legal disputes in which the data is required as evidence, or in any event until the expiry of the third year following the last contact with a business partner.

​

Rights of data subjects

​

Data subject have the right:

​

• in accordance with Art. 15 of the GDPR, to request information about your personal data processed by us. In particular, you may request information on the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned duration of storage, the existence of a right of rectification, deletion, restriction of processing or opposition, the existence of a right of appeal, the origin of your data, if not collected by us, as well as the existence of automated decision making including profiling and, where applicable, meaningful information on the details thereof;

• in accordance with Art. 16 of the GDPR, to demand without delay the correction of incorrect or incomplete personal data stored by us;

• in accordance with Art. 17 of the GDPR, to demand the deletion of your personal data stored with us, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;

• in accordance with Art. 18 of the GDPR, to demand the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to delete it and we no longer require the data, but you require it for the assertion, exercise or defense of legal claims or you have lodged an objection to the processing in accordance with Art. 21 of the GDPR;

• in accordance with Art. 20 of the GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;

• in accordance with Art. 21 of the GDPR, if your personal data are processed on the basis of our legitimate interest, to object to the processing of your personal data for reasons arising from your specific situation or if the objection is directed against direct advertising. In the latter case, you have a general right of objection, which we will implement without indicating a specific situation.

• in accordance with Art. 7 paragraph 3 of the GDPR, you may at any time revoke your consent to us. As a result, we may no longer continue the data processing based on this consent in the future. Among other things, you have the option of revoking your consent to the use of cookies on our website with effect for the future by calling up our Cookie Settings.

• in accordance with Art. 77 of the GDPR to complain to a data protection authority regarding the illegal processing of your data by us. As a rule, you can contact the data protetion authority at your usual place of residence or workplace or at the headquarters of our company.

​

The responsible data protection authority for SHW AG is:

​

Der Landesbeauftragte für Datenschutz in Baden- Württemberg
Königstraße 10 a, 70173 Stuttgart, Deutschland
Tel.: +49 711 615541-0, poststelle@lfdi.bwl.de

​

Assertion of rights of data subjects

​

You yourself decide on the use of your personal data. Should you therefore wish to exercise one of your above-mentioned rights towards us, you are welcome to contact us by email at datenschutz@shw.de or by post, as well as by telephone.

Together with your application, please send us a copy of an official photo ID for clear identification and support us in concretizing your request by answering questions from our responsible employees regarding the processing of your personal data. In your request, please state in which role (employee, applicant, visitor, supplier, customer, etc.) and in which period of time you have been in contact with us. This enables us to process your request promptly.

​

Security of personal data

​

The security of your personal data is of particular concern to us. Therefore, in accordance with Art. 32 of the GDPR and taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.

​

These measures shall include, but not be limited to, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access, input, disclosure, safeguarding of availability and segregation of data relating to them. Furthermore, we have established procedures to ensure that data subjects' rights are exercised, data is deleted, and we respond to data threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware and software, in accordance with the principle of privacy by design and through data protection-friendly pre-settings in accordance with Art. 25 of the GDPR.

​

Our understanding of security is also requested from the processors we use.

​

Actuality of this Privacy Policy

Due to further developments or changes in legal requirements, it may become necessary to adapt this Privacy Policy from time to time. The current Privacy Policy can be found and printed out by you at any time here on this website.

​

For questions regarding data privacy, you can reach us at datenschutz@shw.de or at the other contact details stated in this Privacy Policy.

​

Aalen, on  10. May 2021

​

Last update:  10. May 2021