Data Protection Statement
We would herewith like to inform you about our Data Protection Statement. We will provide information about the collection and use of personal data when using our website.
We will handle your personal data confidentially and in accordance with data protection legislation.
We wish to emphasise that the transfer of data via the internet (e.g. in communications by email) may entail security vulnerabilities and that absolute protection against unauthorised access by third parties cannot be guaranteed.
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject means any identified or identifiable natural person whose personal data are processed by the data controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, reading, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Recipient means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with European Union or member state law shall not be regarded as recipients.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
II. Name and address of the Controller
The Controller for the purposes of the General Data Protection Regulation is:
Leichtmetall Aluminium Giesserei Hannover GmbH
Göttinger Chaussee 12-14
Telephone: +49 (0)511/89878
Managing Director: Thomas Witte
III. Data Protection Officer
EDV.de Systemhaus GmbH & Co. KG
IV. General information on data processing
1. Scope of data processing
Personal data of users are generally processed only if processing is necessary to provide a functioning website or contents and services. Personal data will generally be processed only after obtaining the consent of the user concerned. An exception shall apply only if the data subject’s consent cannot be obtained in advance for factual reasons and if the processing of the data is permitted in terms of statutory provisions.
2. Legal basis for processing personal data
The following legal bases justify the processing of personal data:
- Article 6(1)(a) GDPR: The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Article 6(1)(b) GDPR: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Article 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Article 6(1)(d) GDPR: Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Article 6(1)(e) GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
- Article 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3. Erasure of data and storage periods
The personal data of a data subject will be erased as soon as the purpose for storing the data becomes obsolete. Data may also be stored if the storage is provided for by the European or national legislator in EU law regulations, legislation or other provisions governing the Controller. Data will also be erased when a storage period required by any of the aforementioned laws or regulations expires, unless there is a need for continued storage of the data for the purpose of concluding or performing a contract.
V. Visiting the website
Each time our website is visited, our system automatically records data and information about the computer system of the retrieving computer. This information is the IP address of the user.
The legal basis justifying this temporary storage of the data is Article 6(1)(f) GDPR.
The temporary storage of the IP address by our system is necessary for our system to provide our website to the user’s computer.
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Where data were collected to make a website available to the data subject, this shall be the case when the relevant session is concluded.
The legal basis for the processing of personal data using cookies is Article 6(1)(f) GDPR.
Cookies are used to enhance the quality of the website. Cookies allow the operator of the website to analyse the internet data traffic and, hence, to identify the more popular sections of websites.
By changing the settings of the internet browser, the data subject can disable or restrict the transmission of cookies. If cookies are disabled for our website, the user concerned may not be able to use all functions of the website.
VII. Data protection policy relating to the use of Google Analytics
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our website), we use Google Analytics, a website analysis service of Google LLC (‘Google’). The legal basis of the use is Article 6(1)(f) GDPR.
Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
The use of Google Analytics is based on cookies. A cookie is a text file which is transmitted when visiting a website and temporarily stored on the user’s hard drive to allow the user to access the website. The information stored by the cookie will be transmitted as a rule to a Google server in the USA and saved there.
As part of IP anonymisation, the user’s IP address will first be truncated within a member state of the European Union or other contracting party to the European Economic Area (EEA) Agreement. Google will use the transmitted information on our behalf to compile a report about the use of the website. The IP address transferred as part of Google Analytics will not be merged with any other data held by Google.
For further information and the applicable privacy provisions of Google, please visit https://www.google.de/intl/en/policies/privacy/ and https://www.google.com/analytics/terms/gb.html. Google Analytics is explained in more detail here: https://www.google.com/intl/en_en/analytics/.
VIII. Data protection policy regarding the use of Vimeo
We also integrate videos from the Vimeo platform. Vimeo is operated by Vimeo, LLC headquartered at 555 West 18th Street, New York City, New York 10011.
If users access a video on one of our webpages, a connection to the Vimeo servers will be established. At the same time, the Vimeo server receives information about the webpage that the user has visited. If the user is logged in with a Vimeo user account while viewing the video, Vimeo will attribute this information to the user’s personal user account. The user can prevent such attribution by logging out of his or her Vimeo user account and deleting the corresponding Vimeo cookies from his or her browser before using our website.
IX. Use of Google Maps
This website uses the Google Maps map service. It is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If the user visits one of our websites offering Google Maps, the browser will establish a direct link with the Google servers and retrieve the maps from there to display them for the benefit of the user. This connection is established based on Article 6(1)(f) GDPR (balancing of interests and pursuit of our legitimate interest to offer a website with the most useful content).
To use the functions of Google Maps, it is necessary to process the user’s IP address as well as information about their possible use of the map. This information is transferred from the user’s internet browser to a Google server within the USA and processed there by Google. The EU has at present not issued a resolution to the effect that the USA generally offers an adequate level of data protection. However, Google has undertaken to comply with the Privacy Shield Agreement concluded by the EU and the USA, and published by the US Department of Commerce, on the collection, use and storage of personal data from the member states of the
EU. For further information, please visit: https://support.google.com/analytics/answer/7105316?hl=en
X. Automated processing and profiling
The IP address is recorded purely automatically upon the webpage being accessed (see section IV). Otherwise, we abstain from automated processing of personal data and profiling.
XI. Rights of data subjects
Data subjects may avail themselves of the various rights conferred under the GDPR. Those rights are in particular the right of access to information, the right to rectification, the right to erasure, the right to the restriction of processing, the right to object, the right to withdraw consent, the right to lodge a complaint with a supervisory authority and the right to data portability.
1. Right of access to information
Data subjects may require us to provide information about the following:
- the processing purposes
- the categories of personal data which are being processed
- the recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, in particular recipients in third countries or international organisations
- if possible, the anticipated duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to the processing
- the existence of a right to lodge a complaint with a supervisory authority
- if the personal data are not being collected from the data subject: all available information about the origin of the data
- the existence of an automatic decision-making process, including profiling pursuant to Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject concerned.
Furthermore, the data subject shall have the right to be informed whether his or her personal data were transferred to a third country or to an international organisation. In this case, the data subject shall have also the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail himself or herself of this right of access to personal data, they can contact the Controller’s data protection officer or an employee.
2. Right to rectification
The data subject shall have the right to obtain from the Controller the rectification and/or completion of personal data concerning him or her subject if the personal data are inaccurate or incomplete.
If a data subject wishes to avail himself or herself of this right to rectification, they can contact the Controller’s data protection officer or an employee at any time.
3. Right to erasure (right to be forgotten)
Every data subject affected by the processing of personal data shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay if one of the following grounds applies, thus obviating the need for processing:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws his or her consent on which the processing was based according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
- The personal data were processed unlawfully.
- The personal data must be erased to comply with a legal obligation under European Union law or the law of the member state by which the Controller is governed.
- The personal data were collected in connection with an offer of information society services pursuant to Article 8(1) GDPR.
If one of the aforementioned grounds applies and if a data subject wishes to have his or her personal data erased, the data subject can contact the Controller’s data protection officer or an employee at any time.
Where the Controller has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the Controller, taking into account the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
4. Right to restriction of processing
Every data subject affected by the processing of personal data shall have the right to obtain from the Controller a restriction of the processing where one of the following condition applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data.
- The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The Controller no longer needs the personal data for the purposes of the processing, but the data subject needs the personal data for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Article 21(1) GDPR pending verification of whether the legitimate grounds of the Controller override those of the data subject.
If one of the aforementioned conditions applies and if a data subject wishes to have personal data restricted, the data subject may contact the Controller’s data protection officer or an employee at any time.
5. Right to data portability
Data subjects have the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format. Data subjects also have the right to transmit those data to another controller without hindrance from the Controller to whom the personal data have been provided, where
- the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
- the processing is carried out by automated methods.
In exercising this right, data subjects also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This may not impair the freedoms and rights of other people.
The right to data portability shall not apply to the processing of personal data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
To assert the right to data portability, data subjects may contact the Controller’s data protection officer or an employee at any time.
6. Withdrawal of consent
If the processing is based on consent pursuant to sentence 1a of Article 6(1), Article 7 GDPR, data subject shall have the right to withdraw their consent at any time.
If data subjects wish to assert their right to withdraw their consent, they can contact the Controller’s data protection officer or an employee at any time.
7. Right to object
Every data subject affected by the processing of personal data shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on Article 6(1)(e) or (f) GDPR, including any profiling based on those provisions.
If you exercise your right to object, we will no longer process your personal data, unless we are able to demonstrate compelling, legitimate reasons for the processing that override your interests, rights and liberties, or if the processing serves to establish, exercise or defend legal claims.
8. Automated individual decision-making, including profiling
Any data subject affected by the processing of personal data shall have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal impact concerning him or her or similarly significantly affects him or her unless the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, (2) is authorised by European Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is based on the data subject’s explicit consent.
If the decision (1) is necessary for entering into or performing a contract between the data subject and the data controller, or (2) is based on the data subject’s explicit consent, Leichtmetall Aluminium Giesserei Hannover GmbH shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
If data subjects wish to assert rights in regard to automated decision-making, they may contact the Controller’s data protection officer or any employee at any time.
9. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the member state of their habitual residence, place of work or place of the alleged infringement if the data subject concerned believes that the processing of personal data relating to him or her infringes the General Data Protection Regulation.
XII. Changes to our Data Protection Policy
We reserve the right to adapt this Data Protection Statement at any time to ensure that it always complies with current legal requirements or to implement any changes in our services as regards the Data Protection Statement, e.g. when launching new services. Any later visit to our website will then be governed by such new data protection statement.