Data protection and security information

Our company attaches particular importance to data protection. In principle, you can use our website without providing personal data. However, if a data subject wishes to avail of particular services provided by our company online, processing of personal data may be required. If processing of personal data is required and there is no legal basis for such processing, we generally obtain the consent of the data subject.
Processing of personal data, in particular a data subject’s name, address, email address or telephone number, is always carried out in accordance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other applicable laws. Through this data privacy statement, our company would like to provide information about the nature, scope and purpose of the personal data we process and highlight to data subjects the rights granted to them.

(1) Definitions
Our company’s privacy policy is based on the GDPR. Our data privacy statement should be easy to read and understand. Below we explain some of the most relevant terms to ensure that this is the case:

(1.1) Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 (1) GDPR).

(1.2) Data subject
A data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

(1.3) Processing
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(1.4) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.

(1.5) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

(1.6) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

(1.7) Controller or party responsible for processing
Controller or party responsible for the processing means the natural or legal person, public authority, agency or other body who/which, alone or jointly with others, determines the purposes and means of the processing of personal data.

(1.8) Processor
Processor means a natural or legal person, public authority, agency or other body, who/which processes personal data on behalf of the controller.

(1.9) Recipient
Recipient means a natural or legal person, public authority, agency or another body, to whom/which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

(1.10) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

(1.11) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

(2) Name and address of party responsible for processing (“controller”)
The controller as defined by the GDPR is:
perma-tec GmbH & Co. KG
Hammelburger Str. 21
97717 Euerdorf | GERMANY
Email: info(at)perma-tec.com
www.perma-tec.com

(3) Contact details of our data protection officer
datenschutz(at)perma-tec.com
Every data subject can contact our data protection officer directly with any queries or suggestions that they might have concerning data protection.

(4) General data categories, purpose and legal basis of data processing
Whenever you use the perma-tec websites, applications or online tools (hereinafter also referred to as “perma-tec online service offer”), we process the following personal data:

• Personal data that you voluntarily provide via perma-tec online service offer (e.g. when registering, contacting us with your queries or participating in surveys, etc.), including e.g. first/last name, email address, telephone number, information submitted as part of a support request, comments or forum posts
• Information that is automatically sent to us by your web browser or device, such as your IP address, server log files, device type, browser type, referring site, sites accessed during your visit, the date and time of each visitor request

We process your personal data for the following purposes:

• To allow you to use the services and functions of perma-tec online service offer
• To process your request
• To verify your identity and enable user authentication
• To send you marketing information or to contact you in the context of customer satisfaction surveys as further explained in Clause 4
• To enforce our terms and conditions, to assert or defend legal claims, and to tackle and prevent fraud or other illegal activities, including attacks on our IT infrastructure

Processing personal data is required to achieve the specified purposes. In certain processing contexts, we also process other categories of personal data. Refer to Clauses 4.1 to 4.4 for more information.
Unless expressly specified otherwise when collecting personal data, the legal basis for data processing is as follows:

• Performance and fulfilment of a contract with you pursuant to Article 6 (1) (b) GDPR
• Fulfilment of legal obligations to which perma-tec is subject pursuant to Article 6 (1) (c) GDPR or
• To safeguard the legitimate interests of perma-tec pursuant to Article 6 (1) (f) GDPR. The legitimate interest of perma-tec lies in the processing of your personal data for the purpose of this offering and the operation of perma-tec online service offers

In some cases, we expressly request your consent for the processing of personal data. In this case, the legal basis for processing personal data is your declared consent pursuant to Article 6 (1) (a) GDPR.

(4.1) File-sharing portal
When using our file-sharing portal, the following additional personal data is collected and stored in addition to the data listed above under Clause 4: logging of accesses (downloads and uploads). This data is not shared with third parties and is deleted after six months at the latest.

4.2 perma Online shop
When using our perma Online shop, the following additional personal data is collected and stored in addition to the data listed above under Clause 4: ordering history. This data is not shared with third parties and is deleted following expiration of the legal retention period.

(4.3) perma SELECT APP, perma MLP APP and perma MLP web application
When using our perma SELECT APP, perma MLP APP and perma MLP web application the following additional personal data is collected and stored in addition to the data listed above under Clause 4: results from calculations are saved in PDF format and sent to the specified email address. This includes the email address and name of author. When using the perma MLP APP and perma MLP web application, in addition to the profile data entered by the user, username and password (in encrypted form), the uploaded images and names of lubrication points are also saved. This data is not shared with third parties and is deleted following expiration of the legal retention period.

(4.4) perma SETBOX
When using our perma SETBOX, during an update the following additional personal data is collected, forwarded and stored via email (in the background) to the CRM system used internally at perma-tec in addition to the data listed above under Clause 4: IP address, SETBOX ID, name of PC and error messages. This data is not shared with third parties and is deleted following expiration of the legal retention period.

(4.5) perma ACADEMY, perma eACADEMY
When registering for the perma ACADEMY, in addition to the data listed above under Clause 4, information about dietary restrictions for catering is also saved. In order to use the perma eACADEMY, information about the user’s course participation, learning status and certificates is forwarded and saved in addition to the profile data entered by the user. This data is not shared with third parties and is deleted following expiration of the legal retention period.

(5) Cookies
Our online offering uses cookies. Cookies are small text files that are stored on your computer when you visit our website. We use cookies in order to ensure usage of our online offering, for marketing purposes, individual website optimisation and to guarantee IT security.
A so-called “cookie banner” appears when you visit our website. By clicking on a corresponding button, you declare your consent to the use of cookies on this website and you can also make a selection concerning the cookies used on the site. Your selection will also be stored for future visits.
If you no longer wish to use cookies at a later point in time, you can change your selection in this regard at any time by adjusting the cookie settings in your internet browser. Here, in particular, you can ensure that cookies already set are deleted or prevent the setting of cookies in the future. Please note that the settings may vary depending on which browser you use and cannot be declared as generally valid.
User consent is required in order to use certain cookies depending on their function and purpose.
Cookies that are essential in order to use our online offering or to safeguard IT security do not require consent. The setting of these cookies and related processing activities are permitted under Article 6 (1) (f) GDPR.
By contrast, consent is required for cookies used for all other purposes such as individual website optimisation, marketing or execution of individual statistical evaluations of your activities on the website.
Overview of cookies used on this website:

(6) Contact options on the website
perma-tec collects and processes personal data of the data subject in order to:

• Fulfil perma-tec obligations when concluding or over the course of a contractual relationship between perma-tec and the data subject
• Simplify effective communication and the relationship between perma-tec and the data subject
• Handle queries and other matters in relation to perma-tec products and services
• Forward customer queries to our sales partners if necessary
• Ensure compliance with legal obligations and enforce contractual agreements
• Manage the security of perma-tec products, services, intellectual property and other offerings • Analyse sales data and partner interaction with perma-tec products and services, in order to improve the customer experience and the content of these products and services
• Conduct surveys, carry out marketing and communication activities
• Provide passwords so that customers can access certain websites without having to re-enter data previously specified thanks to cookies
• The legal basis for the above processing purposes is Article 6 (1) (b, f) GDPR

(7) Newsletter
The following personal data is collected when you register for our newsletter: your name and email address. By subscribing to our newsletter, you permit perma-tec GmbH & Co. KG to collect, process and save the above-mentioned data. We only use this data to send the newsletter. In order to optimise our offering, we also evaluate which links have been clicked in the newsletter in a personalised form. You also grant us your consent to this processing purpose by registering. You can revoke your consent to the storage and use of your email address for the purpose of sending the newsletter at any time with future effect. To do so, simply click the unsubscribe link at the end of the newsletter or contact us in this regard.

(8) Processing the personal data of business partners
As part of its cooperation with business partners, perma-tec processes the personal data of points of contact at customers, suppliers, interested parties, distribution partners and cooperation partners (hereinafter “business partners”):

• Contact information such as first/last name, business address, business phone number, business mobile number, business fax number and business email address
• Payment data such as details required to process payment transactions or prevent fraud, including credit card information and card verification codes
• Additional information whose processing is required to execute a project or a contractual relationship with perma-tec and which is provided by business partners on a voluntary basis, e.g. when placing an order, submitting queries or providing details on projects
• Personal data that is collected from publicly available sources, information databases or credit agencies
• If legally required for compliance screenings: Date of birth, identification and ID numbers as well as information about relevant litigation or other legal proceedings involving business partners

perma-tec processes personal data for the following purposes:

• Communicating with business partners about products, services and projects, e.g. by responding to queries or requests from business partners or providing technical information about products
• Planning, performing and managing the contractual relationship between perma-tec and the business partner, e.g. in order to process product orders and service requests, process payments, carry out accounting and billing activities, arrange deliveries, and carry out maintenance activities and repairs
• Managing/conducting customer surveys, marketing campaigns, market analyses, sweepstakes, contests, or other promotional activities or events
• Conducting customer satisfaction surveys and direct marketing activities as described in more detail in Clause 4
• Maintaining and protecting the security of perma-tec products, services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities
• Ensuring compliance with (i) legal requirements (e.g. fiscal and commercial retention obligations), (ii) existing obligations concerning performance of compliance screenings (to prevent white-collar or money laundering crimes) and (iii) perma-tec policies or industry standards
• Solving disputes, enforcing existing contracts and establishing, exercising and defending legal claims

The processing of personal data is required to achieve the aforementioned purposes. Unless expressly specified otherwise when collecting personal data, the legal basis for data processing is as follows:

• Performance and fulfilment of a contract with you pursuant to Article 6 (1) (b) GDPR
• Fulfilment of legal obligations to which perma-tec is subject pursuant to Article 6 (1) (c) GDPR or
• Safeguarding of perma-tec’s legitimate interests pursuant to Article 6 (1) (f) GDPR The legitimate interest pursued by perma-tec is the initiation, performance and management of the business relationship.

If you have expressly given your consent to the processing of your personal data in individual cases, this consent shall be the legal basis for processing pursuant to Article 6 (1) (a) GDPR.

(9) Recipients of personal data
Those parties within our company who require your data to fulfil our contractual and legal obligations will have access to it. Service providers and vicarious agents working for us may also receive data for such purposes if they undertake to maintain, in particular, confidentiality and integrity. These include companies in the following categories: IT services, logistics, print services, telecommunications, collection, consulting, sales and marketing.
In terms of sharing data with recipients outside our company, first and foremost it should be noted that we will only share necessary personal data, observing all applicable regulations on data protection. In principle, we may only disclose information about you if this is required by law, you have given your consent or if we are authorised to provide such information. Under these conditions, recipients of personal data may include:

• Public agencies and institutions (e.g. tax authorities, law enforcement agencies, family courts, deed registries) if there is a statutory or regulatory obligation to share the data
• Lending and financial service institutions or comparable organisations with which we share personal data for the purpose of conducting a business relationship (banks, credit agencies, etc.)
• Other affiliated companies in our group for risk management purposes based on a statutory or regulatory obligation
• Creditors or bankruptcy trustees that request the data in connection with foreclosure
• Auditors
• Service providers that we have retained as processors,
• commercial agents of the company

(10) Sending data to third countries
Data is sent to parties located in countries outside the European Union (third countries) in cases where

• It is necessary to execute your orders (e.g. delivery orders)
• It is required by law (e.g. reporting duties under tax law) or
• You have given us your consent

In addition, data is sent to parties in third countries in the following cases:

• Your personal data may be sent to an IT service provider in a third country in full compliance with European data protection standards if and as needed in individual cases to maintain the company's IT operations
• Personal data (e.g. authentication data) is sent to third countries in individual cases in full conformity with the data protection standards of the European Union when balancing interests and complying with laws on combating money laundering, terrorism financing and other illegal activities

(11) Routine deletion and blocking of personal data
The controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of its processing or as far as this is granted by legislators in laws or regulations to which the processor is subject. If the storage purpose is not applicable or if a storage period prescribed by the legislator expires, personal data will be routinely blocked or deleted in accordance with legal requirements.

(12) Rights of the data subject

(12.1) Right to confirmation
Every data subject shall have the right to request from the controller confirmation as to whether or not personal data concerning them is being processed. If a data subject wishes to exercise this right of confirmation, they can contact our data protection officer at any time or contact another employee of the controller.

(12.2) Right of access
Every person affected by the processing of personal data has the right – free of charge – to obtain information about the personal data concerning them from the controller and to receive a copy of this information in addition to the information listed here:

• The purposes of processing
• The categories of personal data processed
• The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
• Where possible, the planned period for which the personal data will be stored or if this is not possible, the criteria used to determine that period
• The existence of a right to request from the controller the rectification or erasure of the relevant personal data, or the restriction of its processing, or to object to such processing
• The existence of a right to file a complaint with a supervisory authority
• Where the personal data is not collected from the data subject: any available information as to the source of the data
• The existence of automated decision-making including profiling in accordance with Article 22 (1 and 4) GDPR and – at least in these cases – conclusive information about the logic involved as well as the implications and the intended effects of such processing for the data subject

Furthermore, the data subject has a right to obtain information as to whether personal data has been transmitted to a third country or to an international organisation. Where this is the case, the data subject has the right to be informed of the appropriate safeguards relating to the transmission of this data.
If a data subject would like to assert this right of access, they can send an email to datenschutz(at)perma-tec.com at any time.

(12.3) Right to rectification
Every person affected by the processing of personal data has the right to request immediate rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject would like to assert this right to rectification, they can contact our data protection officer at any time.

(12.4) Right to erasure (right to be forgotten)
Every person affected by the processing of personal data has the right to request from the controller the erasure of personal data concerning them without undue delay, where one of the following reasons applies and as long as the processing is not necessary:

• Personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
• The data subject revokes their consent on which the processing was based in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing
• The data subject files an objection in accordance with Article 21 (1) GDPR against the processing and there are no overriding legitimate grounds for the processing, or the data subject files an objection against the processing in accordance with Article 21 (2) GDPR
• The personal data has been processed illegally
• The personal data must be erased in order to ensure compliance with a legal obligation in Union or Member State law to which the controller is subject
• The personal data was obtained in relation to the services offered by the information society in accordance with Article 8 (1) GDPR

If one of the aforementioned reasons applies and a data subject wishes to request the erasure of personal data stored by our company, they can contact our data protection officer at any time. Our data protection officer will promptly ensure that the erasure request is complied with without undue delay.
Where our company has made personal data public and if our company is required in accordance with Article 17 (1) GDPR to erase said personal data, our company – taking into account the available technology and the cost of implementation – will take reasonable steps, including technical measures, to inform other controllers processing such data that the data subject has requested erasure by such controllers of any links to, or copies or replications of, the respective personal data, as long as the processing is not necessary. The data protection officer will arrange the necessary measures in individual cases.

(12.5) Right to restriction of processing
Every person affected by the processing of personal data has the right – granted by the European legislator – to request from the controller the restriction of processing where one of the following applies:

• The accuracy of the personal data is contested by the data subject, that is for such a period of time that the controller can verify its correctness
• The processing of personal data is deemed unlawful, the data subject opposes its erasure and requests instead that its use be restricted
• The controller no longer requires the personal data for the purposes of processing, but the data subject needs this data for the establishment, exercise or defence of legal claims
• The data subject has objected to its processing pursuant to Article 21 (1) GDPR pending verification as to whether the legitimate grounds of the controller override those of the data subject

If one of the aforementioned reasons applies and a data subject wishes to request the restriction of personal data stored by our company, they can contact our data protection officer at any time. The data protection officer will arrange the restriction of processing.

(12.6) Right to data portability
Every person affected by the processing of personal data has the right to receive the personal data concerning them, which the data subject has provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to provide this data to another controller without hindrance from the controller, as long as the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising their right to data portability in accordance with Article 20 (1) GDPR, the data subject is entitled to have the personal data transmitted directly from one controller to another, where technically feasible, and provided that this does not infringe upon the rights and freedoms of other persons.
In order to assert their right to data portability, the data subject can contact our data protection officer at any time.

(12.8) Right to withdraw data protection consent
Every person affected by the processing of personal data has the right to withdraw their consent to the processing of personal data at any time. If the data subject wishes to exercise their right to withdraw consent, they can contact our data protection officer at any time.

(12.9) Right not to be subject to automated decision-making
Furthermore, you have the right under Article 22 GDPR not to be subject to fully automated decision-making. In principle, we do not use fully automated decision-making to establish, implement and terminate the business relationship. If we decide to use this procedure in individual cases (e.g. to improve our products and services), we will inform you of this and of your rights in this regard separately if this is required by law.

(12.10) Obligation to provide data
In the context of our business relationship, you must provide such personal contractual data that is required for the establishment, implementation and termination of a business relationship, and for the fulfilment of the associated contractual obligations or for whose collection we are legally obliged. Generally speaking, we will not be able to conclude, execute or terminate a contract with you without this data.
The same is true with regard to visiting our online offering and collecting usage data. We will not be able to provide you with our online offering without collecting usage data.

(13) Data protection for job applications and application procedures
perma-tec collects and processes the personal data of job applicants for the purpose of carrying out the application process. This data is also processed electronically. This is the case in particular when an applicant submits their application documents to our company electronically, for example, by email or using a web form contained on the website. If our company enters into an employment agreement with an applicant, the data submitted will be stored in compliance with the applicable legal regulations for the purpose of performing the obligations under the employment contract. If our company does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after the decision not to hire has been communicated, unless there are other legitimate interests on the part of the controller preventing this. Other legitimate interests in this context means, for example, any obligation to provide substantiating evidence in proceedings based on the General Non-Discrimination Act (Allgemeines Gleichbehandlungsgesetz; AGG).

(14) Data protection provisions: tracking tools
Data protection regulations for the use and application of Google Analytics
The controller has integrated the Google Analytics component (with anonymisation function) into this website for processing. Google Analytics is a web analytics service. Web analytics is the collection, gathering and analysis of data on the behaviour of visitors on websites. Among other things, a web analytics service records data on the website from which a data subject accesses a website (referrer), which subpages on the website are accessed, or how often and for how long a subpage is viewed. Web analytics is mainly used to optimise a website and to conduct a cost-benefit analysis of internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The controller uses the extension “_gat._anonymizeIp” for the web analysis via Google Analytics. This extension is used to shorten and anonymise the IP address of the data subject's internet connection if access to our web pages takes place from a Member State of the European Union or another signatory state to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse visitor flows on our website. Among other things, Google uses the data and information it gathers for evaluating the use of our website, compiling online reports on activities on our web pages for us, and providing services related to the use of our website.
Google Analytics places a cookie on the data subject’s IT system. Cookies have already been explained above. Placement of the cookie enables Google to analyse the use of our website. Whenever a data subject visits an individual page of our website that we operate and into which a Google Analytics component has been integrated, the web browser on the data subject’s IT system is automatically prompted by the Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google gains knowledge of personal data, such as the IP address of the system used by the data subject. This helps Google trace the origin of visitors and clicks and thus, for example, enables commission to be charged.
The cookie is used to store personal information, such as the time at and place from which our website was accessed and how often the data subject visited it. Whenever our web pages are visited, this personal data, including the IP address of the internet connection used by the data subject, is transferred to Google in the USA. This personal data is stored by Google in the USA. Google may transmit the personal data collected by this technical method to third parties.
Google Analytics cookies are stored on the basis of Article 6 (1) (a) GDPR. We obtain the necessary consent from the user as soon as our website is accessed.
As described above under Clause 5, data subjects can, at any time, prevent cookies from being placed by our website by making the relevant settings in their web browsers and thus permanently objecting to the placement of cookies. Such a setting in the web browser would also prevent Google from placing a cookie on the data subject’s IT system. In addition, a cookie that has already been placed by Google Analytics can be deleted at any time in the web browser or by using other software programs.
Moreover, data subjects can object to and prevent recording of the data generated by Google Analytics and relating to the use of this website and the processing of that data by Google. To do so, a data subject must download and install a browser add-on using the link https://tools.google.com/dlpage/gaoptout. This browser add-on notifies Google Analytics by means of JavaScript that no data and information on visits to websites may be transmitted to Google Analytics. Installation of the browser add-on is interpreted by Google as an objection to the recording of data. If the data subject’s IT system is deleted, formatted or reinstalled later, the browser add-on must be installed again in order to disable Google Analytics. If the browser add-on is uninstalled or disabled by data subjects or other persons in their sphere of influence, the browser add-on can be reinstalled or reactivated.
More information and Google’s privacy policy can be found at https://policies.google.com/privacy?hl=en and https://policies.google.com/terms?hl=en. More detailed explanations on Google Analytics can be found at https://www.google.com/analytics.

(15) Competent data protection supervisory authority
Bavarian Data Protection Authority
Promenade 27 (Schloss)
D-91522 Ansbach
Germany
Telephone: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
Email: poststelle(at)lda.bayern.de

(16) Amendments to the data protection provisions
We reserve the right to amend our security and data protection provisions if this is required due to relevant technical developments. In these cases, we will also amend our data protection information accordingly. Please refer to the latest version of our data privacy policy.