Data Protection Declaration
We are delighted by your interest in our company. Data protection is regarded especially highly by the company management of HEISO GmbH. Use of the website of HEISO GmbH is always possible without providing personal data. However, if an affected person wishes to make use of certain services of our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the affected person.
The processing of personal data, for example the name, address, email address or telephone number of an affected person, always take place in accordance with the General Data Protection Regulations and in compliance with the state-specific data protection regulations applicable to HEISO GmbH. Through this data protection declaration our company wishes to inform the public of the type, scope, and purpose of the personal data collected, used and processed by us. In addition, through this data protection declaration, we explain to affected persons the rights they have.
HEISO GmbH is responsible as controller for the deployment of numerous techniques and organisational measures for ensuring the most seamless protection of the personal data processed via this website. Nevertheless, internet-based data transfers can always have security gaps, so that absolute protection cannot be guaranteed. Because of this, every affected person is free to transmit personal data to us by other means, for example by telephone.
The data protection declaration of HEISO GmbH is based on the terminology used by the European regulations and decree legislators when enacting the General Data Protection Regulations (GDPR). Our data protection declaration should be easy to read and to comprehend for both the public and for our customers and business partners. To ensure this, we wish to explain the terminology used beforehand.
In this data protection declaration, we use the following terms, amongst others:
- a) personal data
personal data are all information referring to and identified or identifiable natural person (in the following the “affected person”); a natural person is regarded as identifiable who can be identified, directly or indirectly, especially through allocation to an identifier, such as a name, an identification number, location data, an online identifier or one or more special attributes, which convey the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
- b) affected person
An affected person is every identified or identifiable natural person, whose personal data are processed by the data controller.
- c) processing
Processing is every procedure or each series of such procedures performed with or without the aid of an automated process in connection with personal data, such as capturing, recording, organisation, arrangement, saving, adjustment or changing, reading, retrieval, use, disclosure through transmission, distribution or any other form of provision, matching or linking, restriction, deletion or destruction.
- d) restriction of the processing
Restriction of the processing is the marking of saved personal data with the goal of restricting the future processing.
- e) profiling
is every type of automated processing of personal data so that this personal data is used to evaluate, referring to a natural person, especially to analyse or forecast aspects relating to work performance, financial situation, health, personal preferences, interest, trustworthiness, conduct, place of residence or a change of residence of this natural person.
- f) pseudonymisation
is the processing of personal data in a way in which the personal data is processed without enlisting additional information and can no longer be allocated to a specific affected person, if this information is saved separately and is subject to technical and organisational measures, which ensure that the personal data cannot be assigned to an identified or identifiable natural person.
- g) responsible person or the controller responsible for the processing
The responsible person or the controller responsible for the processing is the natural or legal entity, authorities, facilities, or other agencies which decide alone or together with others on the purpose and means of the processing of personal data. If the purpose and means of this processing is prescribed by EU law or the law of member states, the specific criteria for the nomination of the responsible person can be prescribed by either EU law or the law of the member states.
- h) data processor
A data processor
is a natural person or a legal entity, authorities, facilities, or other agencies which process the personal data on behalf of the responsible person.
- i) recipient
A recipient is a natural person or a legal entity, authorities, facilities, or other agencies which discloses the personal data, regardless of whether it concerns a third-party or not. Authorities that may receive personal data as part of a specific inquiry under EU law or the laws of the member states are not regarded as recipients.
- j) third parties
a third party is a natural person or a legal entity, authorities, facilities, or other agencies, apart from the affected person, the responsible person, the data processor and the persons who are under the direct responsibility of the responsible person or the data processor are entitled to process the personal data.
- k) consent
Consent is all forms of freely given specific and informed indication of their wishes by the affected person signifying their consent in the form of a declaration or other clear affirmative act to personal data relating to them being processed for a specific case.
- Name and Address for the Controller Responsible for Processing
The responsible person in the meaning of the General Data Protection Regulations or the data protection regulations and other provisions with a data protection character applicable in the member states of the European Union:
Site Internet: www.heiso.de
The person concerned can prevent the placing of cookies at any time through our website via the relevant settings of the internet browser used and thus permanently veto the placing of cookies. Furthermore, already placed cookies can be deleted at any time via an internet browser or another software programme. This is possible in all common browsers. If the person concerned deactivates the placing of cookies in the internet browser used, potentially not all functions of our website will be completely usable.
- The Collection of General Data and Information
HEISO GmbH’s website collects a series of general data and information every time the website is accessed by the person concerned or an automated system. These general data and information are saved in the log files of the server. Collected could be (1) the browser type and version used, (2) the operating system used by the accessing system, (3) the website from which an accessing system arrived at our website (so-called referrer), (4) the sub-website from which a system accessing our website is controlled, (5) the date and time of accessing the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system, and (8) other similar data and information, which serve to protect against danger in the event of attacks on our information technological systems.
In using these general data and information, HEISO GmbH cannot draw conclusions about the person concerned. Rather, this information is required to (1) correctly deliver the content of our website, (2) to optimise the content of our website and the advertising for this, (3) to ensure the permanent functionality of our information technological systems and the technology of our website, and (4) to prepare the information required for prosecution for the criminal prosecution authorities in the event of a cyber-attack. These anonymously collected data and information are thus statistically evaluated by HEISO GmbH, with the goal of increasing data protection and data security in our company and, ultimately, of ensuring optimal processing by us of personal data. The anonymous data of the server log files are saved separate from all personal data given by the affected person.
- Registering on Our Website
The affected person can register on the website of the person responsible for processing, providing details of personal data. Which personal data are transmitted to the person responsible for processing arises from the relevant entry mask used for registration. The personal data entered by the affected person are collected and saved for the exclusive internal use by the person responsible for processing and for their own purpose. The person responsible for processing can arrange for the forwarding of one or more data processors, for example a package service provider, which also exclusively uses the personal data for an internal use which is attributed to the person responsible for processing.
In addition, through registration on the website of the person responsible for processing the internet-service-provider (ISP) of the IP address, the date and time of the registration assigned by the affected person are saved. Saving these data takes place against the background that only in this way that a misuse of our service can be avoided, and these data enable the clearing up of a crime committed if required. In this respect, the saving of these data is required for the person responsible for processing. Sharing these data to a third party never takes place unless there is a statutory duty for sharing or sharing serves a criminal prosecution.
The registration of the affected person, voluntarily providing personal data, enables the person responsible for processing to offer the affected person content or services that can be offered only to registered users due to the nature of the item. Registered persons can amend personal data provided at registration at any time or to have the data fully deleted from the database of the person responsible for processing.
The person responsible for processing issues to every affected person at any time upon request information about which personal data on the affected person are saved. In addition, at the wish or indication of the affected person, the person responsible for processing corrects or deletes personal data, unless no statutory storage period contradicts this. In this connection, all the employees of the person responsible for processing are available to the affected person as a contact person.
- Contact Opportunity via the Website
Because of the statutory provisions, HEISO GmbH’s website includes information which enables rapid electronic contact to our company as well as direct communication with us, which also encompasses a general address of the so-called electronic post (email address). If the affected person contacts the person responsible for processing by email or via a contact form, the personal data transmitted by the affected person will be automatically saved. Such personal data transmitted by an affected person on a voluntary basis to the person responsible for processing will be saved and used for the purpose of processing or contacting the affected person. There will be no sharing of these personal data with third parties.
- Routine Deletion and Blocking of Personal Data
The affected person’s personal data is processed and saved for the person responsible for processing for only the period required for achieving the purpose of saving or if prescribed by the European directives or another legislator in laws or regulations to which the person responsible for processing is subject.
If the purpose of saving lapses or the period set by the European directives and regulators expires, the personal data are routinely and in accordance with the statutory provisions blocked or deleted.
- Rights of the Affected Person
- a) right to acknowledgement
All affected persons have a right granted by the European directives and regulators to demand an acknowledgement from the person responsible for processing of whether the personal data concerned has been processed. If an affected person wishes to assert this right of acknowledgement, they can contact at any time an employee of the person responsible for processing for this.
- b) right to information
Every person affected by the processing of personal data has the right granted by the European directive and regulators to receive information about the saved personal data on them at no charge and at any time from the person responsible for processing and to receive a copy of this information. In addition, the European directives and regulators have conceded the affected person information about the following information:
- the purpose of processing
- the categories of personal data which are processed
- the recipient or categories of recipients to whom the personal data has been or will be disclosed, especially regarding recipients in other countries or international organisations
- if possible, the planned duration for which the personal data will be saved for or, if this is not possible, the criteria for the determination of this period
- the existence of a right to correction or deletion of the personal data concerned or for restricting of the processing by the responsible person or their right of objection against this processing
- the existence of a right of complaint to a supervisory authority
- if the personal data has not been collected in respect of the affected person: all available information on the origin of the data
- the existence of automated decision making, including profiling, pursuant to Article 22, Paras. 1 and 4 GDPR and, at least in these cases, meaningful information on the logic involved as well as the scope and the intended effects of such processing for the affected person
Furthermore, the affected person has a right to information regarding whether the personal data will be transmitted to another country or an international organisation. If this is the case, the affected person otherwise has the right to receive information about the suitable guarantees in connection with the transmission.
If an affected person wishes to exercise this right to information, they can contact at any time an employee of the person responsible for processing for this.
- c) right of correction
All affected persons have a right granted by the European directives and regulators to demand from the person responsible for processing an expeditious correction of the incorrect personal data involved. In addition, the affected person has the right, taking account of the purpose of saving, the completion of incomplete personal data, including through a supplementary declaration.
If an affected person wishes to exercise this right of correction, they can contact at any time an employee of the person responsible for processing for this.
- d) right of deletion (right to be forgotten)
All affected persons have a right granted by the European directives and regulators to demand from the person responsible for processing that the personal data concerned be deleted expeditiously if one of the following grounds applies and insofar as the processing is not necessary:
- the personal data are collected or otherwise processed for purposes no longer required.
- The affected person revokes their consent supported in accordance with Art. 6, Para. 1, Letter a GDPR or Art. 9, Para. 2, Letter a, GDPR and there are no other legal grounds for the processing.
- In accordance with Art. 21, Part. GDPR, objects to the processing and there are no overriding, justifiable grounds for the processing or the affected person makes an objection against the processing pursuant to Art. 21 , Para. 2, GDPR.
- The personal data was incorrectly processed.
- The deletion of the personal data is required for meeting a legal obligation pursuant to European law or the laws of member states to which the person responsible for processing is subject.
- The personal data were collected regarding services offered by the information company as per Art. 8, Para. 1, GDPR.
If one of the grounds mentioned applies and an affected person wants to have personal data saved by HEISO GmbH deleted, they can contact at any time an employee of the person responsible for processing for this. The HEISO GmbH employee shall arrange that the demand for deletion is expeditiously met.
If the personal data are disclosed by HEISO GmbH and our company is duty bound, as the person responsible pursuant to Art. 17, Para. 1, GDPR, to delete the personal data, HEISO GmbH, taking into account the available technology and the implementation costs of reasonable measures, including of a technical kind, for making other persons responsible for the data processing ,who are processing the disclosed personal data, aware that the affected person has demanded the deletion of all links to these personal data or the making of copies or replications of these personal data, if the processing is not necessary. The employees of HEISO GmbH will arrange what is necessary on a case-by-case basis
- e) right to restriction of the processing
All affected persons have a right granted by the European directives and regulators to demand from the person responsible for processing the restricting of the processing if one of the following prerequisites is present:
- the correctness of the personal data is disputed by the affected person and that for a period that will enable the person responsible for processing to check the correctness of the personal data.
- The process is unlawful, and the affected person rejects deletion of the personal data and, instead, demands the restriction of the use of the personal data.
- The person responsible no longer requires the personal data for the purpose of processing; however, the affected person requires them for making, exercising, or defending legal claims.
- In accordance with Art. 21, Para. 1, GDPR, the affected person has objected to the processing and it is still not established whether the justifiable grounds of the responsible person outweigh those of the affected person.
If one of the abovementioned prerequisites apply and an affected person wishes to demand the restriction of personal data which are saved by HEISO GmbH, they can contact at any time an employee of the person responsible for processing for this. The employee of HEISO GmbH shall arrange the restricting of the processing.
- f) right to data portability
All persons affected by the processing of personal data have been granted the right by European directives or regulators to receive the personal data involved, which was made available to the person responsible by the affected person, in a structured, common and machine readable format. In addition, they have the right to transmit these data to another responsible person without being impeded by the person responsible for whom the personal data was made available, if the processing takes place based on consent pursuant to Art. 6, Para. 1, Letter a, GDPR or Art. 9, Para. 2, Letter a, GDPR or to a contract pursuant to Art. 6, Para. , Letter, GDPR and the processing takes place with the aid of an automated process, unless the processing is required for performing a task that is in the public interest or in the exercise of public authority, which shall be transferred by the responsible person.
In addition, in exercising their right to data portability pursuant to Art. 20, Para. 1, GDPR, the affected person has the right to effect that the personal data shall be transmitted direct from the responsible person to another responsible person, to the extent that this can be done and the rights and freedoms of other persons are not impaired by this.
Too claim the right to data portability, the affected person can contact at any time an employee of HEISO GmbH.
- g) right of objection
On the grounds of their special situation, all persons affected by the processing of personal data have been granted the right by European directives or regulators to object to the processing of the personal data affecting them at any time based on Art. 6, Para. 1, Letters e or f, GDPR. This also applies to profiling supported by these provisions.
HEISO GmbH will no longer process the personal data in the event of an objection, unless we can demonstrate compelling, legitimate grounds for the processing, which outweigh the interests, rights and freedoms of the affected person, or the processing serves to making, exercising or defending of legal claims.
If HEISO GmbH processes the personal data in order to operate direct advertising, the affected person has the right to object at any time to the processing of the personal data for the purpose of such advertising. This also applies to profiling insofar as it is in connection with such direct advertising. If the affected person objects to processing for the purpose of direct advertising to HEISO GmbH, HEISO GmbH will no longer process the personal data for this purpose.
In addition, the affected person has the right, based on grounds resulting from their particular situation, to object to the processing of personal data involved, which takes place at HEISO GmbH for purposes of commercial or historical research or for statistical purposes pursuant to Art. 89. Para. 1, GDPR, unless such processing is required for fulfilling a task in the public interest.
To exercise the right of objection the affected person can directly contact all employees of HEISO GmbH or another employee. Moreover, in connection with the use of the services of the information company, the affected person is also free, regardless of Directive 2002/58/EC, to exercise their right of objection via an automated process in which technical specifications are used.
- h) automated decision making in an individual case, including profiling
All persons affected by the processing of personal data have been granted the right by European directives or regulators not to be subject exclusively to decision making based on automated processing, including profiling, which has no legal effect vis-à-vis them or seriously impair them in a similar way, insofar as the decision (1) is not required for the conclusion or fulfilment of a contract between the affected person and the responsible person, or (2) because of the legal provisions of the EU or the member states to which the responsible person is subject, is permissible and these legal provisions include measures for safeguarding rights and freedoms as well as the justified interests of the affected person, or (3) ensued with the explicit consent of the affected person.
If Decision (1) is necessary for the conclusion or fulfilment of a contract between the affected person and the responsible person or (2) ensues with the explicit consent of the affected person, HEISO GmbH shall take reasonable measures to safeguard the rights and freedoms as well as the justified interests of the affected person wherefore at least the right to obtain the intervention of a person on behalf of the responsible person for presenting their standpoint and for hearing a challenge to the decision.
If the affected person wishes to assert rights regarding automated decisions, they can always contact an employee of the person responsible for processing.
- i) right to revoke consent given in line with the data protection regulations
All persons affected by the processing of personal data have been granted the right by European directives or regulators to revoke at any time consent for processing personal data.
If the affected person wishes to assert their right to revoke their consent, they can always contact an employee of the person responsible for processing.
- Data Protection Provisions on the Use and Application of Google Analytics (with an anonymising function)
The person responsible for processing has integrated the components Google Analytics (with an anonymising function) into this website. Google Analytics is a web analysis service. Web analysis is the gathering, collection, and evaluation of data on the behaviour of visitors of websites. A web analysis service gathers data, amongst others, on from which website an affected person has arrived at a website (so-called referrer), on which sub-pages of the website are accessed or how often and for how long a sub-page was viewed. A web analysis is mainly deployed to optimise a website and to perform a cost-use analysis of internet advertising.
The operating company of Google Analytics components is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The person responsible for processing uses the web analysis via Google Analytics the ad-on “_gat._anonymizeIp”. Through this add-on, the IP address of the internet connection of the affected person is abbreviated and anonymised by Google, if the access to our website takes place from a member state of the European Union or another treaty state of the Agreement on the European Economic Area.
The purpose of the Google Analytics components is the analysis of the flow of visitors to our website. Google uses the data and information gathered, amongst others, to evaluate the activities on our website, to compile online reports which display the activities of our website for us and to render further services in connection with the use of our website.
Google Analytics places a cookie on the IT system of the affected person. What cookies are has already been explained in the above. With the placing of the cookie, Google is enabled to carry out an analysis of the usage of our website. By every access of the individual web pages of this website, which is operated by the person responsible for processing and into which Google Analytics components have been integrated, the internet browser on the IT system of the affected person is automatically occasioned by the relevant Google Analytics components to transmit data for the purpose of online analysis to Google. As a part of this technical process, Google receives information about personal data, such as the IP address of the affected person, which, amongst others, serve to enable Google to trace the origins of the visitor and clicks and, as a result, commission statements.
Through the cookies, personal information, for example, the access time, the location from which the access emanates and the frequency of visits to our website by the affected person, is saved. At each visit to our website, these personal data, including the IP address of the internet connection of the affected person, are transferred to Google in the United States of America. These personal data are saved by Google in the United States of America. In certain circumstances, Google shares the personal data gathered via the technological process with third parties.
The affected person can prevent the placing of cookies by our website, as already described above, at any time through the corresponding setting of the internet browser used and thus permanently veto placing cookies. Such a setting of the internet browser used will also prevent Google from placing a cookie on the IT system of the affected person. Furthermore, a cookie already placed by Google Analytics can always be deleted via the internet browser or another software programme.
Further information and the applicable data protection provisions of Google can be retrieved from https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html Google Analytics is explained in greater detail at this link https://www.google.com/intl/de_de / analytics /.
- Legal Basis of the Processing
Article 6, paragraph 1, sentence 1 lit. a of the General Data Protection Regulation (GDPR) serves our company as the legal basis for the processing of personal data for which we obtain consent for certain purposes of processing. If the processing of personal data for fulfilling a contract, of which the affected person is a contractual party,, is required, which, for example, is the case in the processing procedures, which are necessary for the supply of goods or rendering another service or consideration, the processing is based on Art. 6 I let. b GDPR. The same applies to such processing procedures which are required for the implementation of pre-contractual measures, perhaps in cases of inquiries about our products or services. If our company is subject to a legal obligation through which the processing of personal data is necessary, such as, for example, for meeting tax obligations, the processing is based on Art. 6 I let. c GDPR. In rare cases, the processing of personal data can be necessary to protect the vital interests of the affected person or another natural person. This would be the case, for example, if a visitor to our operation were injured and thereupon his name, age, illness data or other vital information must be shared with a doctor, a hospital or another third party. Then the processing will be based on Art. 6 I let. d GDPR. Finally, processing procedures can be based on Art. 6 I let. f GDPR. The processing procedure based on these legal grounds not covered by any of the abovementioned legal grounds if the processing is required to safeguard a justified interest of our company or of a third party, unless the interests, basic rights and basic freedoms of the affected person outweigh this. Such processing procedures are especially authorised for us as they were specially granted by the European legislators. In this respect it represents the view that a justified interest can be accepted if the affected person is a customer of the responsible person (Grounds for consideration 47 Sentence 2 GDPR).
- Justified Interests in the Processing Pursued by the Person Responsible for Processing or a Third Party
If the processing of personal data is based on Article 6 I let. f GDPR, our justifiable interest is the performance of our business activities to benefit the welfare of all our employees and our shareholders.
- Period for which the Personal Data will be Saved
The criterion for the period of saving of personal data is the relevant statutory retention period. After the expiration of the period, the relevant data are regularly deleted, unless they are needed for fulfilling a contract or initiating a contract.
- Statutory or Contractual Provisions for the Provision of Personal Data; Necessity for Concluding a Contract; the Obligation of the Affected Person to Provide the Personal Data; Possible Consequences of Not Making them Available
We inform you that the providing of personal data can in part be legally prescribed (e.g., taxation provisions) or can also result from contractual regulations (e.g. information on the contractual partner). Sometimes, it can be necessary for concluding a contract that an affected person makes personal data available to us which must consequently be processed by us. For example, the affected person is obliged to provide us with personal data when our company has concluded a contract with them. The non-provision of the personal data can lead to not being able to conclude the contract with the affected person. Before providing personal data by the affected person, the affected person must contact our employees. Our employee will explain to the affected person on a case-by-case basis whether the provision of personal data is legally or contractually prescribed or required for concluding the contract, whether there is an obligation to provide the personal data and what would be the consequences of not providing the personal data.
- Existence of Automated Decision Making
As a conscientious company, we do not use automatic decision making or profiling.
This data protection declaration was drawn up via the data protection declaration generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, which acts as the external data protection officer for Landshut in cooperation with the Lawyer for IT and Data Protection Christian Solmecke.