§ 1 Information on the Collection of Personal Data
(1) In the following, we inform you on the collection and processing of personal data when using our website, and the rights granted to you according to the EU General Data Protection Regulation, hereinafter referred to as GDPR.
(2) The term "personal data" defines all data that may be personally related to/identified with you, e.g. your name, address, e-mail-addresses, user behaviour.
(3) Responsible for all contents pursuant to EU General Data Protection Regulation, Article 4, Section 7, hereinafter referred to as controller:
Mr. Andreas Widhammer, Managing Director/CEO, esmo AG, Brueckenstrasse 1, 83022 Rosenheim, Germany, firstname.lastname@example.org
(4) You may contact our data protection officer at email@example.com or our postal address, esmo AG, Brueckenstrasse 1, 83022 Rosenheim, Germany, by adding the suffix "Data Protection Officer".
(5) When you contact us via e-mail or a contact form, we will store the information you have provided to us (your e-mail address, your name, and your telephone number, if applicable) in order to respond to your questions. We will delete any data arising in this context, once data storage is no longer required, or limit data processing in the event statutory retention requirements exist.
(6) In case we rely on commissioned service providers for individual functions of our internet offer, or would like to use your data for advertising purposes, we will inform you in detail in the following on these respective transactions/processes. We will furthermore indicate all specified criteria for the data storage duration.
§ 2 Your Rights
(1) You shall be granted the following statutory rights against us with regards to personal data related to you:
– Right of Access (GDPR Article 15)
– Right to Rectification and Erasure (GDPR Articles 16 and 17)
– Right to Restriction of Processing (GDPR Article 18)
– Right to Object (GDPR Article 21)
– Right to Data Portability (GDPR Article 20)
– Right to Lodge a Complaint with a Supervisory Authority
– Right to Withdraw the Data Privacy Declaration of Consent
(2) Explanation of Your Rights in Detail:
(2.1) Right of Access
You shall be granted the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:
a. the purposes of the processing;
b. the categories of personal data concerned;
c. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
d. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e. the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning you, or to object to such processing;
f. the right to lodge a complaint with a supervisory authority;
g. where the personal data are not collected from the data subject, any available information as to their source;
h. the existence of automated decision-making, including profiling, referred to in Articles 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
Where personal data are transferred to a third country or to an international organization, you shall further be granted the right to be informed of the appropriate safeguards pursuant to GDPR Article 46 relating to the transfer.
(2.2) Right to Rectification
You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement
(2.3) Right to Erasure ("Right to be Forgotten")
(2.3.1) You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b. you withdraw consent on which the processing is based according to GDPR Article 6(1), Subsection (a), or GDPR Article 9(2), Subsection (a), and where there is no other legal ground for the processing;
c. you object to the processing pursuant to GDPR Article 21(1), and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to GDPR Article 21(2);
d. the personal data relating to you have been unlawfully processed;
e. the personal data relating to you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f. the personal data have been collected in relation to the offer of information society services referred to in GDPR Article 8(1).
(2.3.2) Where the controller has made the personal data public and is obliged pursuant to GDPR Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
(2.3.3) The right to erasure shall not apply to the extent that processing is necessary:
a. for exercising the right of freedom of expression and information;
b. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c. for reasons of public interest in the area of public health in accordance with GDPR Article 9, Section 2, Subsection (h) as well as GDPR Article 9, Section 3;
d. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with GDPR Article 89(1), insofar as the right referred to in Section 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e. for the establishment, exercise, or defence of legal claims.
(2.4) Right to Restriction of Processing
You shall have the right to obtain from the controller restriction of processing personal data related to you where one of the following applies:
a. you contest the accuracy of the personal data is contested, for a period enabling the controller to verify the accuracy of the personal data related to you;
b. the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
c. the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
d. You have objected to processing pursuant to GDPR Article 21(1), pending the verification whether the legitimate grounds of the controller override your legitimate grounds
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union, or of a Member State. In case you have obtained restriction of processing pursuant to the afore-mentioned conditions, you shall be informed by the controller before the restriction of processing is lifted.
(2.5) Notification Obligation
In case you have asserted your right to rectification, erasure, and/or restriction of processing of personal data against the controller, the latter shall communicate any rectification, or erasure of personal data, or restriction of processing carried out in accordance with GDPR Articles 16, 17(1), and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible, or involves disproportionate effort. The controller shall furthermore inform you about those recipients in case you may request such disclosure.
(2.6) Right to Data Portability
You shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a. the processing is based on consent pursuant to GDPR Article 6(1), Subsection (a), or GDPR Article 9(2), Subsection (a), or on a contract pursuant to GDPR Article 6(1); and
b. the processing is carried out by automated means.
In exercising your right to data portability, you shall have the right to have the personal data related to you transmitted directly from one controller to another, where technically feasible.
This right, however, shall not adversely affect the rights and freedoms of others. The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
(2.7) Right to Object
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on GDPR Article 6(1), Subsections (e) or (f), including profiling based on those provisions.
The controller shall no longer process the personal data related to you, unless the controller demonstrates compelling legitimate grounds for the processing of such data which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
(2.8) Right to Withdraw Consent
You shall have the right to withdraw your consent, i.e. your data protection declaration of consent, at any time. However, the withdrawal of your consent shall not affect the lawfulness of processing based on consent before its withdrawal.
(2.9) Automated Individual Decision-Making, Including Profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you. This, however, shall not apply if the decision –
a. is necessary for entering into, or performance of, a contract between you and the data controller;
b. is authorized by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms, and legitimate interests; or
c. is based on your explicit consent.
Nevertheless, these decisions shall not be based on special categories of personal data referred to in GDPR Article 9(1), unless GDPR Article 9(2), Subsection (a) or (g) applies, and suitable measures to safeguard your rights and freedoms, and legitimate interests are in place or have been taken.
In the cases referred to in paragraphs (a) and (c), the data controller shall implement suitable measures to safeguard your rights and freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision.
(3) Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR regulations.
§ 3 Legal Basis of Processing
(1) For any consent we request of the data subject for the processing of personal data, GDPR Article 6(1), Subsection (a), shall constitute the legal basis.
(2) For any processing of personal data, necessary for the performance of a contract to which the data subject is a party, GDPR Article 6(1), Subsection (b), shall constitute the legal basis. This shall also apply to processing operations required to perform pre-contractual measures.
(3) Insofar as processing of personal data is required to fulfill a legal obligation to which our company is subject, GDPR Article 6(1), Subsection (c) shall constitute the legal basis for such processing requirement.
(4) In the event that vital interests of the data subject or another natural person require the processing of personal data, GDPR Article 6(1), Subsection (d) shall constitute the legal basis for such processing requirement.
(5) If processing is necessary to safeguard the legitimate interests of our company or of a third party, and if the interests, fundamental rights, and fundamental freedoms of the data subject do not prevail over the interest of our company or of a third party, GDPR Article 6(1), Subsection (f) shall constitute the legal basis for such processing. The legitimate interest of our company is founded in the performance of our business activities.
(6) Insofar as detailed information on the collection of individual personal data is provided below, separate reference shall be made to the corresponding legal basis.
§ 4 Collection of Personal Data when Visiting our Website
(1) In case of an exclusively informative use of the website, i.e. if you do not register or otherwise provide information to us, we will only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically required in order to display our website, and to ensure its stability and security (pursuant to GDPR Article 6(1), Subsection (f)):
– IP address
– date and time of the request
– time zone difference to Greenwich Mean Time (GMT)
– contents of the requirement (specific/particular page)
– access status/HTTP status code
– respective amounts of transmitted data
– referrer URL
– operating system and operating system interface
– browser software language and version
(2) In addition to the aforementioned data, cookies will be stored on your computer when using our website. Cookies are small text files, which are stored on your hard drive, allocated to the browser you use, providing certain information to the entity setting the cookie (in present case, us). Cookies can neither run programs nor transmit viruses to your computer. They serve the mere purpose to make the internet offer more user-friendly and effective in general.
a) Present website uses the following types of cookies, the scope and operation of which will be explained in the following:
– transient cookies, please refer to b)
– persistent cookies, please refer to c)
b) Transient cookies are automatically deleted when you close the browser. This, in particular, includes session cookies. Session cookies store a so-called session ID, by means of which various requests from your browser may be assigned to the shared session. This will allow your computer to be recognized once you return to our website. Session cookies will be deleted as soon as you log out or close the browser.
c) Persistent cookies will be automatically deleted after a specified period of time, which may differ, depending on the particular cookie. However, you may delete the cookies in the security settings of your browser at any time.
d) You may configure your browser settings as you wish, and – for instance – refuse to accept third-party cookies or any cookies at all. Please consider though that this measure may prevent you from using all features of present website.
e) Any Flash cookies used will not be detected by your browser but by your Flash plug-in. We furthermore use HTML5 Storage Objects, which will be stored on your device. These objects store the required data, regardless of the browser you use, and do not have any pre-specified, automatic expiration date. Unless you wish to process Flash cookies, you will have to install a corresponding add-on. You may prevent the use of HTML5 Storage Objects by using private mode in your browser setting. Moreover, we recommend that you manually delete your cookies as well as you browser history on a regular basis.
§ 5 Objection to or Revocation of Personal Data Processing
(1) If you have given your consent to the processing of your data, you may revoke such consent at any time. Such an objection, after having entered it, will affect the admissibility of the processing of your personal data henceforth.
(2) Insofar as we base the processing of your personal data on the balancing/consideration of interests, you may object to the processing. This will be the case if, in particular, the processing is not required to fulfill a contract with you, which we will describe individually, in the following description of the functions. In the event of such a disagreement, we shall ask you to explain the reasons why we should not process your personal data as we have done. In case your objection is justified, we shall examine the situation, and either discontinue or adapt data processing, or point out to you our compelling, legitimate reasons on grounds of which we will continue the processing.
(3) You may, of course, object to the processing of your personal data for advertising and data analysis purposes at any time. Please use the following contact data for communicating your objection to advertising/data analysis to us:
• esmo AG, Brueckenstrasse 1, 83022 Rosenheim, Germany
§ 6 Use of Google Analytics
(1) Present website uses Google Analytics, a web analysis service provided by Google, Inc. ("Google"). Google Analytics uses so-called "cookies": cookies are text files stored on your computer which allow an analysis of your use of the respective website. In general, the information generated by the cookie, will be transmitted to a Google server, located in the United States of America, and stored there. In case you opt to activate the IP anonymization in present website, Google will truncate/anonymize the last octet of the IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area. Only in exceptional cases, your full IP address will be sent to and shortened by Google servers in the USA. Google will use this information, by order of the owner of present website, to evaluate your use of the website, to compile reports about website activities for website operators, and to render other services associated with website activities and internet usage to website providers.
(2) The IP address provided by your browser as part of Google Analytics shall not be merged with other Google data.
(3) You may refuse/prevent the installation of cookies by changing the setting of your browser software. We would like to point out to you though that you may not be able to use all the functions of this website in their entirety any more in that case. You may also prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en
(4) Present website uses Google Analytics with the extension "_anonymizeIp()". As a result, IP addresses will be shortened/truncated prior to further processing, for which reason any association with your person/personal data can be excluded. Insofar as any personal data collected will be assigned to or associated with a personal reference, the latter will be immediately excluded, and the personal data will be deleted immediately.
(5) We utilize Google Analytics to analyze and regularly improve the use of our website. With the statistics generated by Google Analytics, we will be able improve our internet offer and make it more interesting and appealing for you as a user. For exceptional cases, in which personal information is transferred to the USA, Google has submitted to the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework
(6) GDPR Article 6(1) Subsection f shall constitute the legal basis for the use of Google Analytics.
(8) Present website also uses Google Analytics for cross-device analyses of visitor traffic conducted via a user ID. You may deactivate this cross-device analysis of your use in your customer account, under "My Data", "Personal Data".
§ 7 Integration of YouTube Videos
(1) We have included YouTube videos in our online offering, which are stored on http://www.YouTube.com, and are directly playable from our website. These are all included in the "extended privacy mode", i.e. no data about you as a user will be transmitted to YouTube if you do not play the videos. Only when you play the videos, the data mentioned in subsequent paragraph 2 will be transmitted. We have no influence on this data transfer whatsoever.
§ 8 Use of Google AdWords Conversion
(1) We use the offer of Google AdWords to draw attention to our attractive offers with the help of advertising media (so-called Google AdWords) on external websites. In relation to the data of the advertising campaigns, we can determine this way how successful individual advertising measures are. We aim at presenting you advertisements that are of interest to you, to make our website more interesting and appealing for you, and to achieve an adequate and fair calculation of advertising costs.
(2) These advertising media are supplied by Google via so-called "Ad Servers". For this purpose we use ad server cookies, which measure certain performance metrics such as ad pop-ups or user clicks. If you access our website via a Google ad, Google AdWords will store a cookie on your PC. These cookies usually lose their validity, i.e. expire, after 30 days, and are not intended to identify you personally. As a rule, the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant to post-view conversions), and opt-out information (indicating that the user does not wish to be addressed again) are stored as this particular cookie's analytical values.
(3) These cookies allow Google to recognize your internet browser at a later time. If a user visits certain pages of an AdWords customer's website, and the cookie stored on the user's computer has not expired, Google and the customer will be able to detect that the user clicked on the ad, and was then redirected to that page. Each AdWords customer will be assigned a different cookie. For this reason, cookies cannot be tracked via the websites of AdWords customers. We ourselves do not collect and process any personal data within the framework of the aforementioned advertising measures. We only receive statistical evaluations provided by Google. On the basis of these evaluations, we will be able to identify which of the advertising measures used are particularly effective. We do not receive any further and more extensive data from the use of advertising media – we are not able to identify users on the basis of this information in particular.
(4) Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have no control over the extent and the further use of the data, which are raised by the employment of this tool by Google. For this reason, we provide you with information according to and basing on our state of knowledge: By the incorporation of AdWords Conversion Google will receive the information that you have visited a particular section/site of our internet appearance, or clicked on one of our ads. In case you are registered with a service provided by Google, Google may associate your visit with your account. Even if you are not registered with Google, or have not logged in, there is a possibility that the provider may detect and store your IP address.
(5) You may prevent a participation in this tracking process in several ways:
a) by adjusting your browser software accordingly – in particular, the suppression of third-party cookies will prevent you from receiving any third-party ads;
b) by disabling the cookies for conversion tracking and setting your browser to block cookies from the domain "www.googleadservices.com", https://www.google.com/settings/ads – however, this setting be deleted when you delete your cookies;
c) by deactivating interest-based advertisements of the providers which are part of the "About Ads" self-regulation campaign via the link http://www.aboutads.info/choices – however, this setting be deleted when you delete your cookies;
d) by permanent deactivation in your browsers Firefox, Internet Explorer, or Google Chrome via the link http://www.google.com/settings/ads/plugin. We would like to point out to you that in this case you may not be able to use all the features of this internet offer in its entirety though.
(6) GDPR Article 6(1), Section 1, Subsection (f) shall constitute the legal basis for processing your personal data. More detailed information on Google data privacy, please refer to https://policies.google.com/privacy?hl=en and https://services.google.com/sitestats/en.html. Alternatively, you may also visit the website of Network Advertising Initiative (NAI) at http://www.networkadvertising.org. Google has submitted to the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework
§ 9 Service of Matelso GmbH
(1) Our website uses a service of Matelso GmbH, Stuttgart, Germany. In case you call a Matelso telephone number we commissioned, details/information on the call will be transmitted to a web analysis service (e.g. Google Analytics) we use. Matelso furthermore reads the cookies set by our analysis service, or other parameters of the website you are currently visiting, for instance referrer, document path, and remote user agent data. This information will be processed in accordance with our instructions by Matelso, and stored on servers in the EU. For further information/details, please refer to http://www.matelso.de/privacy. You may refuse/prevent the installation of cookies by changing the setting of your browser software. We would like to point out to you though that you may not be able to use all the functions of this website in their entirety any more in that case.