Data protection and security information
Our company attaches particular importance to data protection. In principle, you can use our website without providing personal data. However, if a data subject wishes to avail of particular services provided by our company online, processing of personal data may be required. If processing of personal data is required and there is no legal basis for such processing, we generally obtain the consent of the data subject.
Processing of personal data, in particular a data subject’s name, address, email address or telephone number, is always carried out in accordance with the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG) and other applicable laws. Through this data privacy statement, our company would like to provide information about the nature, scope and purpose of the personal data we process and highlight to data subjects the rights granted to them.
(1.1) Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 (1) GDPR).
(1.2) Data subject
A data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
(1.3) Processing
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(1.4) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
(1.5) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
(1.6) Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
(1.7) Controller or party responsible for processing
Controller or party responsible for the processing means the natural or legal person, public authority, agency or other body who/which, alone or jointly with others, determines the purposes and means of the processing of personal data.
(1.8) Processor
Processor means a natural or legal person, public authority, agency or other body, who/which processes personal data on behalf of the controller.
(1.9) Recipient
Recipient means a natural or legal person, public authority, agency or another body, to whom/which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
(1.10) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
(1.11) Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
(2) Name and address of party responsible for processing (“controller”)
The controller as defined by the GDPR is:
perma-tec GmbH & Co. KG
Hammelburger Str. 21
97717 Euerdorf | GERMANY
(3) Contact details of our data protection officer
Every data subject can contact our data protection officer directly with any queries or suggestions that they might have concerning data protection.
(4) General data categories, purpose and legal basis of data processing
Whenever you use the perma-tec websites, applications or online tools (hereinafter also referred to as “perma-tec online service offer”), we process the following personal data:
- Personal data that you voluntarily provide via perma-tec online service offer (e.g. when registering, contacting us with your queries or participating in surveys, etc.), including e.g. first/last name, email address, telephone number, information submitted as part of a support request, comments or forum posts
- Information that is automatically sent to us by your web browser or device, such as your IP address, server log files, device type, browser type, referring site, sites accessed during your visit, the date and time of each visitor request
We process your personal data for the following purposes:
- To allow you to use the services and functions of perma-tec online service offer
- To process your request
- To verify your identity and enable user authentication
- To send you marketing information or to contact you in the context of customer satisfaction surveys as further explained in Clause 4
- To enforce our terms and conditions, to assert or defend legal claims, and to tackle and prevent fraud or other illegal activities, including attacks on our IT infrastructure
Processing personal data is required to achieve the specified purposes. In certain processing contexts, we also process other categories of personal data. Refer to Clauses 4.1 to 4.4 for more information.
Unless expressly specified otherwise when collecting personal data, the legal basis for data processing is as follows:
- Performance and fulfilment of a contract with you pursuant to Article 6 (1) (b) GDPR
- Fulfilment of legal obligations to which perma-tec is subject pursuant to Article 6 (1) (c) GDPR or
- To safeguard the legitimate interests of perma-tec pursuant to Article 6 (1) (f) GDPR. The legitimate interest of perma-tec lies in the processing of your personal data for the purpose of this offering and the operation of perma-tec online service offers
In some cases, we expressly request your consent for the processing of personal data. In this case, the legal basis for processing personal data is your declared consent pursuant to Article 6 (1) (a) GDPR.
(4.1) File-sharing portal
When using our file-sharing portal, the following additional personal data is collected and stored in addition to the data listed above under Clause 4: logging of accesses (downloads and uploads). This data is not shared with third parties and is deleted after six months at the latest.
(4.2) perma Online shop
When using our perma Online shop, the following additional personal data is collected and stored in addition to the data listed above under Clause 4: ordering history. This data is not shared with third parties and is deleted following expiration of the legal retention period.
(4.3) perma SELECT APP, perma CONNECT APP, perma MLP APP and perma web application
When using our perma SELECT APP, perma MLP APP and perma MLP web application, the following additional personal data is collected and stored in addition to the data listed above under Clause 4: results from calculations are saved in PDF format and sent to the specified email address. This includes the email address and name of the author. When using the perma MLP APP, perma CONNECT APP and perma MLP web application, in addition to the profile data entered by the user, username and password (in encrypted form), the uploaded images and names of lubrication points are also saved. This data is not shared with third parties and is deleted following expiration of the legal retention period.
(4.4) perma SETBOX
When using our perma SETBOX, during an update the following additional personal data is collected, forwarded and stored via email (in the background) to the CRM system used internally at perma-tec in addition to the data listed above under Clause 4: IP address, SETBOX ID, name of PC and error messages. This data is not shared with third parties and is deleted following expiration of the legal retention period.
(4.5) perma ACADEMY, perma eACADEMY
When registering for the perma ACADEMY, in addition to the data listed above under Clause 4, information about dietary restrictions for catering is also saved. In order to use the perma eACADEMY, information about the user’s course participation, learning status and certificates is forwarded and saved in addition to the profile data entered by the user. This data is not shared with third parties and is deleted following expiration of the legal retention period.
You can revoke your consent at any time via the “Cookie settings” at the bottom of this website, unchecking the respective boxes and then clicking on “Confirm selection”. Please note that based on your settings you may experience interruptions or limited functionality in certain areas of the website. Furthermore, depending on the browser, it may also be possible to set the browser so that no cookies or similar technologies can be used.
User consent is required for the use of certain cookies and similar technologies, depending on their function and purpose.
No consent is required for cookies and similar technologies that are essential for the use of our online services or to safeguard IT security. The setting of these cookies and the use of similar technologies as well as related processing activities are permitted pursuant to Article 6 (1) (f) GDPR.
By contrast, consent is required for cookies and similar technologies used for all other purposes such as statistical analyses and the integration of map services.
Overview of cookies used on this website:
| Designation | Provider | Purpose | Type | Period of data storage |
| --- | --- | --- | --- | --- |
| cookie_consent_manager | Tritum | Banner check | HTML Local Storage | 90 days |
| ccm_statistics | Tritum | Banner check | HTML Local Storage | 90 days |
| ccm_external_maps | Tritum | Banner check: Tracking consent | HTML Local Storage | 90 days |
More detailed information on the processing of personal data for statistical evaluations (analysis tools) which takes place when "Statistics" is activated in the cookie banner can be found under section 14.
More detailed information on the processing of personal data in connection with the use of map services when "Maps" is activated in the cookie banner can be found in section 14.
(6) Contact options on the website
perma-tec collects and processes personal data of the data subject in order to:
- Fulfil perma-tec obligations when concluding or over the course of a contractual relationship between perma-tec and the data subject
- Simplify effective communication and the relationship between perma-tec and the data subject
- Handle queries and other matters in relation to perma-tec products and services
- Forward customer queries to our sales partners if necessary
- Ensure compliance with legal obligations and enforce contractual agreements
- Manage the security of perma-tec products, services, intellectual property and other offerings
- Analyse sales data and partner interaction with perma-tec products and services, in order to improve the customer experience and the content of these products and services
- Conduct surveys, carry out marketing and communication activities
The legal basis for the above processing purposes is Article 6 (1) (b, f) GDPR.
The following personal data is collected when you register for our newsletter: your name and email address. By subscribing to our newsletter, you permit perma-tec GmbH & Co. KG to collect, process and save the above-mentioned data. We only use this data to send the newsletter. In order to optimise our offering, we also evaluate which links have been clicked in the newsletter in a personalised form. You also grant us your consent to this processing purpose by registering. You can revoke your consent to the storage and use of your email address for the purpose of sending the newsletter at any time with future effect. To do so, simply click the unsubscribe link at the end of the newsletter or contact us in this regard.
(8) Processing the personal data of business partners
As part of its cooperation with business partners, perma-tec processes the personal data of points of contact at customers, suppliers, interested parties, distribution partners and cooperation partners (hereinafter “business partners”):
- Contact information such as first/last name, business address, business phone number, business mobile number, business fax number and business email address
- Payment data such as details required to process payment transactions or prevent fraud, including credit card information and card verification codes
- Additional information whose processing is required to execute a project or a contractual relationship with perma-tec and which is provided by business partners on a voluntary basis, e.g. when placing an order, submitting queries or providing details on projects
- Personal data that is collected from publicly available sources, information databases or credit agencies
- If legally required for compliance screenings: Date of birth, identification and ID numbers as well as information about relevant litigation or other legal proceedings involving business partners
perma-tec processes personal data for the following purposes:
- Communicating with business partners about products, services and projects, e.g. by responding to queries or requests from business partners or providing technical information about products
- Planning, performing and managing the contractual relationship between perma-tec and the business partner, e.g. in order to process product orders and service requests, process payments, carry out accounting and billing activities, arrange deliveries, and carry out maintenance activities and repairs
- Managing/conducting customer surveys, marketing campaigns, market analyses, sweepstakes, contests, or other promotional activities or events
- Conducting customer satisfaction surveys and direct marketing activities as described in more detail in Clause 4
- Maintaining and protecting the security of perma-tec products, services and websites, preventing and detecting security threats, fraud or other criminal or malicious activities
- Ensuring compliance with (i) legal requirements (e.g. fiscal and commercial retention obligations), (ii) existing obligations concerning performance of compliance screenings (to prevent white-collar or money laundering crimes) and (iii) perma-tec policies or industry standards
- Solving disputes, enforcing existing contracts and establishing, exercising and defending legal claims
The processing of personal data is required to achieve the aforementioned purposes. Unless expressly specified otherwise when collecting personal data, the legal basis for data processing is as follows:
- Performance and fulfilment of a contract with you pursuant to Article 6 (1) (b) GDPR
- Fulfilment of legal obligations to which perma-tec is subject pursuant to Article 6 (1) (c) GDPR or
- Safeguarding of perma-tec’s legitimate interests pursuant to Article 6 (1) (f) GDPR. The legitimate interest pursued by perma-tec is the initiation, performance and management of the business relationship.
If you have expressly given your consent to the processing of your personal data in individual cases, this consent shall be the legal basis for processing pursuant to Article 6 (1) (a) GDPR.
(9) Recipients of personal data
Those parties within our company who require your data to fulfil our contractual and legal obligations will have access to it. Service providers and vicarious agents working for us may also receive data for such purposes if they undertake to maintain, in particular, confidentiality and integrity. These include companies in the following categories: IT services, logistics, print services, telecommunications, collection, consulting, sales and marketing.
In terms of sharing data with recipients outside our company, first and foremost it should be noted that we will only share necessary personal data, observing all applicable regulations on data protection. In principle, we may only disclose information about you if this is required by law, you have given your consent or if we are authorised to provide such information. Under these conditions, recipients of personal data may include:
- Public agencies and institutions (e.g. tax authorities, law enforcement agencies, family courts, deed registries) if there is a statutory or regulatory obligation to share the data
- Lending and financial service institutions or comparable organisations with which we share personal data for the purpose of conducting a business relationship (banks, credit agencies, etc.)
- Other affiliated companies in our group for risk management purposes based on a statutory or regulatory obligation
- Creditors or bankruptcy trustees that request the data in connection with foreclosure
- Service providers that we have retained as processors
- Commercial agents of the company
(10) Sending data to third countries
Data is sent to parties located in countries outside the European Union (third countries) in cases where
- It is necessary to execute your orders (e.g. delivery orders)
- It is required by law (e.g. reporting duties under tax law) or
- You have given us your consent
In addition, data is sent to parties in third countries in the following cases:
- Your personal data may be sent to an IT service provider in a third country in full compliance with European data protection standards if and as needed in individual cases to maintain the company's IT operations
- Personal data (e.g. authentication data) is sent to third countries in individual cases in full conformity with the data protection standards of the European Union when balancing interests and complying with laws on combating money laundering, terrorism financing and other illegal activities
When using social media and IT providers, user data may be transferred and processed by the provider in the US. Data processing is based on your explicit consent in the cookie banner. Your declaration of consent justifies such data processing on an exceptional and case-by-case basis pursuant to article 49 (1) GDPR. Please note that the level of data protection in the US may vary from that in the EU and the EEA. In particular, government agencies may access your personal data on the basis of legal authorisation without our/your knowledge or consent. Your chances of successfully enforcing your privacy rights in the USA are not very promising.
Any possible data transfers take place automatically only in connection with the use of our social media services (Vimeo, YouTube, LinkedIn and Xing), IT providers and cookies. For further details, please refer to ‘Recipients of personal data’ (art. 9) and ‘Sending data to third countries’ (art. 10).
You may revoke your consent at any time, in which case we would ask you to send an email to our data protection officer under datenschutz(at)perma-tec.com and delete all relevant cookies and temporary files in your browser.
(11) Routine deletion and blocking of personal data
The controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of its processing or as far as this is granted by legislators in laws or regulations to which the processor is subject. If the storage purpose is not applicable or if a storage period prescribed by the legislator expires, personal data will be routinely blocked or deleted in accordance with legal requirements.
(12) Rights of the data subject
(12.1) Right to confirmation
Every data subject shall have the right to request from the controller confirmation as to whether or not personal data concerning them is being processed. If a data subject wishes to exercise this right of confirmation, they can contact our data protection officer at any time or contact another employee of the controller.
(12.2) Right of access
Every person affected by the processing of personal data has the right – free of charge – to obtain information about the personal data concerning them from the controller and to receive a copy of this information in addition to the information listed here:
- The purposes of processing
- The categories of personal data processed
- The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- Where possible, the planned period for which the personal data will be stored or if this is not possible, the criteria used to determine that period
- The existence of a right to request from the controller the rectification or erasure of the relevant personal data, or the restriction of its processing, or to object to such processing
- The existence of a right to file a complaint with a supervisory authority
- Where the personal data is not collected from the data subject: any available information as to the source of the data
- The existence of automated decision-making including profiling in accordance with Article 22 (1 and 4) GDPR and – at least in these cases – conclusive information about the logic involved as well as the implications and the intended effects of such processing for the data subject
Furthermore, the data subject has a right to obtain information as to whether personal data has been transmitted to a third country or to an international organisation. Where this is the case, the data subject has the right to be informed of the appropriate safeguards relating to the transmission of this data.
If a data subject would like to assert this right of access, they can send an email to datenschutz(at)perma-tec.com at any time.
(12.3) Right to rectification
Every person affected by the processing of personal data has the right to request immediate rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject would like to assert this right to rectification, they can contact our data protection officer at any time.
(12.4) Right to erasure (right to be forgotten)
Every person affected by the processing of personal data has the right to request from the controller the erasure of personal data concerning them without undue delay, where one of the following reasons applies and as long as the processing is not necessary:
- Personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- The data subject revokes their consent on which the processing was based in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for the processing
- The data subject files an objection in accordance with Article 21 (1) GDPR against the processing and there are no overriding legitimate grounds for the processing, or the data subject files an objection against the processing in accordance with Article 21 (2) GDPR
- The personal data has been processed illegally
- The personal data must be erased in order to ensure compliance with a legal obligation in Union or Member State law to which the controller is subject
- The personal data was obtained in relation to the services offered by the information society in accordance with Article 8 (1) GDPR
If one of the aforementioned reasons applies and a data subject wishes to request the erasure of personal data stored by our company, they can contact our data protection officer at any time. Our data protection officer will promptly ensure that the erasure request is complied with without undue delay.
Where our company has made personal data public and if our company is required in accordance with Article 17 (1) GDPR to erase said personal data, our company – taking into account the available technology and the cost of implementation – will take reasonable steps, including technical measures, to inform other controllers processing such data that the data subject has requested erasure by such controllers of any links to, or copies or replications of, the respective personal data, as long as the processing is not necessary. The data protection officer will arrange the necessary measures in individual cases.
(12.5) Right to restriction of processing
Every person affected by the processing of personal data has the right – granted by the European legislator – to request from the controller the restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify its accuracy
- The processing of personal data is deemed unlawful, the data subject opposes its erasure and requests instead that its use be restricted
- The controller no longer requires the personal data for the purposes of processing, but the data subject needs this data for the establishment, exercise or defence of legal claims
- The data subject has objected to its processing pursuant to Article 21 (1) GDPR pending verification as to whether the legitimate grounds of the controller override those of the data subject
If one of the aforementioned reasons applies and a data subject wishes to request the restriction of personal data stored by our company, they can contact our data protection officer at any time. The data protection officer will arrange the restriction of processing.
(12.6) Right to data portability
Every person affected by the processing of personal data has the right to receive the personal data concerning them, which the data subject has provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to provide this data to another controller without hindrance from the controller, as long as the processing is based on consent in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract in accordance with Article 6 (1) (b) GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising their right to data portability in accordance with Article 20 (1) GDPR, the data subject is entitled to have the personal data transmitted directly from one controller to another, where technically feasible, and provided that this does not infringe upon the rights and freedoms of other persons.
In order to assert their right to data portability, the data subject can contact our data protection officer at any time.
(12.7) Right to object
Every person affected by the processing of personal data has the right, for reasons arising from their particular situation, to file an objection at any time to the processing of said data, which takes place on the basis of Article 6 (1) (e or f) GDPR. This also applies to profiling based on these provisions.
Our company will no longer process personal data if an objection is filed, unless we can demonstrate compelling legitimate grounds for its processing, which override the data subject’s interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If our company processes personal data for direct marketing purposes, the data subject will have the right to object at any time to the processing of said data for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to our processing of personal data for the purposes of direct advertising, we will no longer process this data for these purposes.
In addition, the data subject has the right, on grounds relating to their particular situation, to object to the processing of personal data for scientific or historical research purposes, or for statistical purposes in accordance with Article 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out for reasons of public interest.
In order to assert their right to object, the data subject can contact our data protection officer directly.
(12.8) Right to withdraw data protection consent
Every person affected by the processing of personal data has the right to withdraw their consent to the processing of personal data at any time. If the data subject wishes to exercise their right to withdraw consent, they can contact our data protection officer at any time.
(12.9) Right not to be subject to automated decision-making
Furthermore, you have the right under Article 22 GDPR not to be subject to fully automated decision-making. In principle, we do not use fully automated decision-making to establish, implement and terminate the business relationship. If we decide to use this procedure in individual cases (e.g. to improve our products and services), we will inform you of this and of your rights in this regard separately if this is required by law.
(12.10) Obligation to provide data
In the context of our business relationship, you must provide such personal contractual data that is required for the establishment, implementation and termination of a business relationship, and for the fulfilment of the associated contractual obligations or for whose collection we are legally obliged. Generally speaking, we will not be able to conclude, execute or terminate a contract with you without this data.
The same is true with regard to visiting our online offering and collecting usage data. We will not be able to provide you with our online offering without collecting usage data.
(13) Data protection for job applications and application procedures
perma-tec collects and processes the personal data of job applicants for the purpose of carrying out the application process. This data is also processed electronically. This is the case in particular when an applicant submits their application documents to our company electronically, for example, by email or using a web form contained on the website. If our company enters into an employment agreement with an applicant, the data submitted will be stored in compliance with the applicable legal regulations for the purpose of performing the obligations under the employment contract. If our company does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after the decision not to hire has been communicated, unless there are other legitimate interests on the part of the controller preventing this. Other legitimate interests in this context means, for example, any obligation to provide substantiating evidence in proceedings based on the General Non-Discrimination Act (Allgemeines Gleichbehandlungsgesetz; AGG).
Within the perma group, your data is transferred to perma USA and processed there. The legal basis for the data transfer and data processing is article 49 para. 1 (b) GDPR (the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request) and / or the explicit consent in accordance with article 49 para. 1 (a) (the data subject has explicitly consented to the proposed transfer). There is no comparable level of data protection in the USA. Government agencies are legally authorized to access your personal data without our/your knowledge or consent. Your chances of successfully enforcing your privacy rights in the USA are not very promising.
(14) Data protection provisions: tracking tools
Web analytics tool Matomo
a. Scope of processing of personal data
This website uses the Matomo web analytics tool. This tool collects and evaluates data about your behaviour on our website. Among other things, data is collected via which website you accessed our website (so-called referrer), which subpage of our website you visited or how often and how long you viewed a subpage.
A cookie (for cookies, see above) is set in your system to enable analysis of the use of our website. Each time you access a subpage of our website, your system's internet browser is prompted by the Matomo component to transmit data to our server for the purpose of online analysis. As part of this process, we collect your IP address. After collection, the IP address is shortened by 6 digits and then used in this form to track your location and clicks. Furthermore, the cookie is used to store information such as access time, access location and the number of website visits. This personally identifiable information (including your IP address) is transmitted to our server in anonymised form every time you visit our website. It is stored by us and will not be passed on to third parties. An overview of the cookies used can be found in the data protection regulations under art. 5.
The software is operated on our own servers, so your data (e.g. log files) is stored on our servers only and is not passed on to third parties.
b. Legal basis for the processing of personal data
The legal basis for the processing of your personal data is Art. 6 (1) GDPR (consent).
c. Purpose of data processing
The web analysis serves to optimise our website and to improve our web services. The purpose of the Matomo component is to enable a website traffic analysis. The obtained data and information help to evaluate the use of our website. Based on this, online reports are issued to show the activities on our website.
d. Period of data storage
For information on the period of data storage, please see art. 5.
As for the rest, your data will be deleted after a storage period of 90 days.
e. Right to object and deletion option
If you do not wish your data to be processed as described, you can withhold your consent when you first access our website. If you have already declared consent, you can revoke it at any time by unchecking “Statistics” under https://www.perma-tec.com/?type=5000.
Alternatively, you can prevent the setting of cookies via your browser settings and also delete cookies.
(15) Competent data protection supervisory authority
Bavarian Data Protection Authority
Promenade 27 (Schloss)
Telephone: +49 (0) 981 53 1300
Fax: +49 (0) 981 53 98 1300
(16) Amendments to the data protection provisions