Thank you for your interest in our company. Privacy is a particularly high priority for the management of Centroplast Engineering Plastics GmbH, Unterm Ohmberg 1, 34431 Marsberg, Germany (hereinafter referred to as the “company”).
It is fundamentally possible to use the web pages of the company without disclosing any personal data. Where a data subject would like to use particular services of our company via our website, it may nevertheless be necessary to process personal data. If it is necessary to process personal data and if no legal basis exists for such processing, we generally obtain consent from the data subject.
The processing of personal data, such as the name, address, e-mail address or phone number of a data subject, is always handled in agreement with the General Data Protection Regulation and in conformity with the nationally specific data protection regulations applicable to the company. By means of this privacy statement, our company would like to inform the public of the nature, scope and purpose of the personal data that we collect, use and process. In addition, this privacy statement informs data subjects of their rights.
The company, as the data controller, has implemented a large number of technical and organisational measures in an effort to provide the most comprehensive level of protection possible for the personal data processed through this website. Nevertheless, security gaps may fundamentally be present in web-based data transmissions, with the result that absolute security cannot be guaranteed. For that reason, every data subject is also entitled to communicate personal data to us by alternative channels, for example by phone.
1. Definition of terms
The privacy statement of the company is based on the terms used by the European legislature and regulators in issuing the General Data Protection Regulation (GDPR). Our privacy statement is intended to be easy to read and understand both for the public and for our customers and business partners. To guarantee this, we would first like to explain the terms used in it.
The terms we use in this privacy statement include the following:
a) Personal data
Personal data means all information that relates to an identified or identifiable natural person (hereinafter “data subject”). A natural person is regarded as identifiable if they can be identified directly or indirectly, in particular by means of matching with an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
c) Processing
Processing is any operation conducted with or without the help of automated procedures, or any such sequence of operations in connection with personal data, such as the collection, capturing, organisation, sorting, saving, adjustment or modification, reading out, retrieval, use, disclosure through transmission, dissemination or another form of delivery, comparison or association, limitation, deletion or destruction.
d) Limitation of processing
Limitation of processing is the marking of saved personal data with the goal of limiting its future processing.
e) Profiling
Profiling is any kind of automated processing of personal data which involves using this personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning working performance, economic situation, health, personal preferences, interests, reliability, behaviour, abode or change of location of that natural person.
f) Pseudonymisation
Pseudonymisation is the processing of personal data such that the personal data can no longer be matched to a specific data subject without reference to supplementary information, provided that supplementary information is kept separately and is subject to technical and organisational measures that guarantee that the personal data is not assigned to an identified or identifiable natural person.
g) Controller or data controller
The controller or data controller is the natural or legal person, public authority, agency or other body which, alone or together with others, decides on the purposes and means of processing personal data. If the purposes and means of this processing are laid down by Union or Member State law, the controller or the specific criteria for their nomination may be envisaged as laid down by Union law or the law of the Member States.
h) Processor
A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
i) Recipient
A recipient is a natural or legal person, public authority, agency or other body to which personal data is disclosed, irrespective of whether it is a third party or not. Agencies that potentially receive personal data as part of a specific inquiry under Union or Member State law are however not considered to be recipients.
j) Third party
A third party is a natural or legal person, public authority, agency or other body apart from the data subject, the controller, the processor and the persons with direct responsibility to the controller or processor who are authorised to process the personal data.
k) Consent
Consent is any informed, unambiguously submitted, voluntary expression by the data subject for a specific case, in the form of a declaration or other clearly confirmatory action, by which the data subject indicates that they consent to the processing of their personal data.
2. Name and address of the data controller
The controller under the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions with a data protection character is:
Centroplast Engineering Plastics GmbH
+49 2992 9704 700
3. Name and address of the Data Protection Officer
The Data Protection Officer of the data controller is:
Ms Nelly Born
SK Consulting Group GmbH
32549 Bad Oeynhausen
Any data subject may contact our Data Protection Officer directly at any time with any queries and suggestions regarding privacy.
The data subject can at any time prevent the placing of cookies by our website by changing the appropriate setting in the web browser used, and thus permanently reject the placing of cookies. In addition, cookies already placed may be deleted at any time via a web browser or other software programs. This is possible in all conventional web browsers. If the data subject deactivates the placing of cookies in the web browser used, it is possible that not all functions of our website will be fully usable.
5. Capture of general data and information
The company’s website captures a range of general data and information each time the website is called up by a data subject or an automated system. This general data and information is saved in the server’s log files. The following can be captured: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (the “referrer”), (4) the sub-websites on our websites that are activated by an accessing system, (5) the date and time the website was accessed, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information to aid an emergency response in the event of attacks on our information technology systems.
The company draws no conclusions about the data subject from the use of this general data and information. Rather, this information is needed (1) to deliver the content of our website correctly, (2) to optimise the content of our website as well as advertising for it, (3) to assure the permanent functioning of our information technology systems and the technology of our website, and (4) to provide law enforcement authorities with the information needed for law enforcement in the event of a cyber attack. This data and information captured anonymously is therefore evaluated statistically by the company, and also with the goal of increasing data protection and privacy in our company so that it ultimately provides an optimum level of protection for the personal data we process. The anonymous data in the server log files is saved separately from all personal data disclosed by a data subject.
6. Registering on our website
The data subject has the option of registering on the data controller’s website by disclosing personal data. The specific input mask used for the registration process indicates which personal data is transmitted to the data controller. The personal data entered by the data subject is captured and saved exclusively for internal use by the data controller and for internal purposes. The data controller may arrange sharing with one or more processors, for example a parcel service, which equally uses the personal data exclusively for an internal purpose that is attributable to the data controller.
By registering on the website of the data controller, the IP address assigned by the internet service provider (ISP) of the data subject as well as the date and time of registration are saved. The reason for saving this data is that only then can abuse of our services be prevented, and this data enables offences committed to be investigated if necessary. To that extent the saving of this data is necessary for the protection of the data controller. This data is fundamentally not shared with third parties provided there is no legal obligation to do so or sharing is for the purpose of law enforcement.
The data controller uses the data subject’s registration with voluntary disclosure of personal data to offer the data subject content or services that can only be offered to registered users due to the nature of the matter. Registered persons have the option of modifying personal data provided during registration at any time or having it deleted entirely from the data pool of the data controller.
The data controller will, at any time upon request, provide any data subject with information on what personal data it holds on the data subject. In addition, the data controller will correct or delete personal data as requested or given notice by the data subject, to the extent that it is not subject to statutory retention obligations. A data protection officer named in this privacy statement and all employees of the data controller are available to the data subject as points of contact in this regard.
7. Subscribing to our newsletter
Users are given the option of subscribing to our company newsletter via the company’s website. The input mask used for subscribing to the newsletter indicates which personal data is transmitted to the data controller.
The company informs its customers and business partners about the products and services offered by the company through a newsletter published at regular intervals. Our company’s newsletter can fundamentally only be received by the data subject if (1) the data subject has a valid e-mail address and (2) the data subject registers for mailing of the newsletter. For legal reasons a confirmation e-mail using the double opt-in process is sent to the e-mail address entered initially by a data subject for mailing of the newsletter. The purpose of this confirmation e-mail is to check whether the owner of the e-mail address as the data subject has authorised receipt of the newsletter.
When registering for the newsletter, we also save the IP address assigned by the internet service provider (ISP) of the computer system used by the data subject at the time of registration as well as the date and time of registration. This data needs to be collected to identify the (possible) abuse of the e-mail address of a data subject at a later stage and therefore provides legal protection for the data controller.
The personal data captured during registration for the newsletter is used exclusively for the mailing of our newsletter. In addition, subscribers to the newsletter could be notified by e-mail where this is necessary for operation of the newsletter service or for registration for the same, as might occur in the event of changes to the newsletter service or a change in the technical circumstances. Personal data captured for the newsletter service is not shared with third parties. The subscription to our newsletter may be cancelled by the data subject at any time. The consent to the saving of personal data which the data subject has given us for mailing of the newsletter may be revoked at any time. Every newsletter contains a corresponding link for the purpose of revoking consent. It is also possible to unsubscribe from the newsletter at any time directly on the website of the data controller or to communicate this to the data controller by other means.
8. Newsletter tracking
The company’s newsletters contain tracking pixels. A tracking pixel is a miniature graphic that is embedded in e-mails that we send in HTML format to enable log file recording and log file analysis. We are then able to make a statistical evaluation of the success or failure of online marketing campaigns. The company can identify from the embedded tracking pixel whether and when an e-mail was opened by a data subject, and which of the links contained in the e-mail were used by the data subject.
Such personal data captured with the tracking pixels contained in the newsletters are saved and evaluated by the data controller to optimise the mailing of newsletters and bring the content of future newsletters even more closely in line with the interests of the data subject. This personal data is not shared with third parties. Data subjects may at any time revoke the separate declaration of consent made for this purpose by the double opt-in process. Once revoked, this personal data is deleted by the data controller. The company automatically interprets unsubscribing from the newsletter as revocation.
9. Contact option via the website
To comply with statutory requirements the company’s website contains particulars that enable our company to be contacted swiftly by electronic means as well as direct communication with us, and equally include a general address for electronic mail (e-mail address). Where a data subject makes contact with the data controller by e-mail or via a contact form, the personal data transmitted by the data subject is automatically saved. Such personal data transmitted by the data subject on a voluntary basis to the data controller is saved for purposes of processing or contacting. This personal data is not shared with third parties.
10. Routine deletion and blocking of personal data
The data controller processes and saves personal data for the data subject only for the period that is required to satisfy the purpose for saving or to the extent that was envisaged by the European legislature and regulators or another legislature, in laws or regulations to which the data controller is subject.
If the purpose of saving ceases to apply or if a retention period specified by the European legislature and regulators or another responsible legislature expires, the personal data is blocked and deleted as a routine matter and in accordance with the statutory requirements.
11. Rights of the data subject
a) Right to confirmation
Every data subject has the right granted by the European legislature and regulators to demand confirmation from the data controller on whether personal data relating to them is processed. If a data subject would like to exercise this right to confirmation, they may contact our Data Protection Officer or another employee of the data controller at any time in that regard.
b) Right to information
Every data subject whose personal data is processed has the right granted by the European legislature and regulators to receive information free of charge from the data controller on what personal data relating to them is saved, and to receive a copy of that information. The European legislature and regulators have furthermore granted the data subject disclosure of the following information:
- The processing purposes
- The categories of personal data that is processed
- The recipients or categories of recipients to which the personal data has been disclosed or remains to be disclosed, in particular recipients in third countries or at international organisations
- If possible the planned period for which the personal data will be saved, or, if that is not possible, the criteria for determining this period
- The existence of a right to correction or deletion of personal data relating to them or to limitation of processing by the controller, or of a right to object to this processing
- The existence of a right to complain to a supervisory authority
- If the personal data has not been collected from the data subject: all available information on the origin of the data
- The existence of automated decision-making including profiling pursuant to Article 22 (1) and (4) of GDPR and — at least in these instances — pertinent information on the logic applied as well as the scope and intended effects of such processing for the data subject
The data subject furthermore has a right to information on whether personal data has been transmitted to a third country or an international organisation. Where this is the case, the data subject moreover has the right to receive information on the appropriate guarantees in connection with the transmission.
If a data subject would like to exercise this right to information, they may contact our Data Protection Officer or another employee of the data controller at any time in that regard.
c) Right to correction
Every data subject whose personal data is processed has the right granted by the European legislature and regulators to demand immediate correction of incorrect personal data relating to them. The data subject in addition has the right, taking into account the purposes of processing, to demand the completion of incomplete personal data, including by means of a supplementary declaration.
If a data subject would like to exercise this right to correction, they may contact our Data Protection Officer or another employee of the data controller at any time in that regard.
d) Right to deletion (right to be forgotten)
Every data subject whose personal data is processed has the right granted by the European legislature and regulators to demand that the controller delete the personal data relating to them without delay, provided one of the following reasons applies and to the extent that processing is not required:
- The personal data was captured or otherwise processed for purposes for which they are no longer required.
- The data subject revokes their consent on which processing was based pursuant to Art. 6 (1) point a of GDPR or Art. 9 (2) point a of GDPR, and there is no other legal basis for processing.
- The data subject objects to processing pursuant to Art. 21 (1) of GDPR and there are no overriding proper reasons for processing, or the data subject objects to processing pursuant to Art. 21 (2) of GDPR.
- The personal data was processed unlawfully.
- Deletion of the personal data is necessary to fulfil a legal obligation under Union or Member State law to which the controller is subject.
- The personal data was captured for the provision of information society services pursuant to Art. 8 (1) of GDPR.
Provided one of the above reasons applies and a data subject would like to arrange the deletion of personal data that is stored by the company, they may contact our Data Protection Officer or another employee of the data controller at any time in that regard. The Data Protection Officer of the company or another employee will arrange for the request for deletion to be met without delay.
If the personal data was made public by the company and if our company as the controller pursuant to Art. 17 (1) of GDPR is obliged to delete the personal data, the company will take appropriate measures including of a technical nature, bearing in mind the available technology and the implementation costs, to notify other data controllers which process the disclosed personal data that the data subject has demanded the deletion of all links to this personal data or of copies or replications of this personal data from these other data controllers, to the extent that processing is not necessary. The Data Protection Officer of the company or another employee will arrange the necessary action on a case by case basis.
e) Right to limitation of processing
Every data subject whose personal data is processed has the right granted by the European legislature and regulators to demand that the controller limit processing if one of the following conditions is met:
- The correctness of the personal data is disputed by the data subject, in connection with a period that enables the controller to check the correctness of the personal data.
- Processing is unlawful, the data subject declines deletion of the personal data and instead demands the limitation of use of the personal data.
- The controller no longer requires the personal data for purposes of processing, but the data subject requires it to assert, exercise or defend legal claims.
- The data subject has objected to processing pursuant to Art. 21 (1) of GDPR and it has not yet been established whether the proper reasons of the controller override those of the data subject.
Provided one of the above conditions is met and a data subject would like to demand the limitation of personal data that is stored by the company, they may contact our Data Protection Officer or another employee of the data controller at any time in that regard. The Data Protection Officer of the company or another employee will arrange the limitation of processing.
f) Right to data portability
Every data subject whose personal data is processed has the right granted by the European legislature and regulators to receive the personal data relating to them that was provided to a controller by the data subject in a structured, conventional and machine-readable format. They in addition have the right to transfer this data to another controller without hindrance by the controller to whom the data subject supplied the personal data, provided processing is based on consent pursuant to Art. 6 (1) point a of GDPR or Art. 9 (2) point a of GDPR or on a contract pursuant to Art. 6 (1) point b of GDPR and processing is performed by means of automated procedures, to the extent that processing is not necessary for the performance of a task that is in the public interest or in the exercise of public authority vested in the controller.
Furthermore, in exercising their right to data portability pursuant to Art. 20 (1) of GDPR, the data subject has the right to obtain transmission of the personal data directly from one controller to another, provided this is technically feasible and to the extent that to do so does not prejudice the rights and freedoms of other persons.
To assert the right to data portability, the data subject may contact the Data Protection Officer appointed by the company or another employee at any time.
g) Right to objection
Every data subject whose personal data is processed has the right granted by the European legislature and regulators, on grounds relating to their particular situation, to object at any time to the processing of personal data relating to them, carried out on the basis of Art. 6 (1) points e or f of GDPR. The same applies to profiling based on these provisions.
In the event of an objection the company will no longer process the personal data, unless we can demonstrate compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject, or processing takes place to assert, exercise or defend legal claims.
If the company processes personal data to conduct direct advertising, the data subject has the right to object at any time to the processing of the personal data for purposes of such advertising. The same applies to profiling where it is conducted in connection with such direct advertising. If the data subject objects to the company to processing for purposes of direct advertising, the company will no longer process the personal data for those purposes.
In addition the data subject has the right, on grounds relating to their particular situation, to object to the processing of personal data that relates to them by the company for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) of GDPR, unless such processing is necessary to satisfy a task that is in the public interest.
To exercise the right to objection, the data subject may contact the Data Protection Officer of the company or another employee directly. In connection with the use of information society services, notwithstanding Directive 2002/58/EC, the data subject is furthermore at liberty to exercise their right to object by means of automated processes in which technical specifications are used.
h) Automated decisions in individual cases, including profiling
Every data subject whose personal data is processed has the right granted by the European legislature and regulators not to be subjected to a decision based exclusively on automated processing – including profiling – which produces a legal effect towards them or substantially affects them in a similar manner, provided the decision (1) is not required for the conclusion or fulfilment of a contract between the data subject and the controller, or (2) is permissible on the basis of Union or Member State law to which the controller is subject and this legislation contains appropriate measures to uphold the rights and freedoms as well as the legitimate interests of the data subject or (3) is taken with the express consent of the data subject.
If the decision (1) is required for the conclusion or fulfilment of a contract between the data subject and the controller or (2) is made with the express consent of the data subject, the company will take appropriate measures to uphold the rights and freedoms as well as the legitimate interests of the data subject, which include at least the right to obtain the intervention of a person at the controller, to present their own position and to contest the decision.
If the data subject would like to assert rights relating to automated decisions, they may contact our Data Protection Officer or another employee of the data controller at any time in that regard.
i) Right to revoke consent under privacy law
Every data subject whose personal data is processed has the right granted by the European legislature and regulators to revoke consent to the processing of personal data at any time.
If the data subject would like to assert their right to revoke consent, they may contact our Data Protection Officer or another employee of the data controller at any time in that regard.
12. Privacy in applications and the application procedure
The data controller collects and processes the personal data of applicants for the purpose of handling the application procedure. Processing may also be by electronic means. That is particularly the case if an applicant transmits the appropriate application documents to the data controller by electronic means, for example by e-mail or using a web form available on the website. If the data controller concludes an employment contract with an applicant, the data transmitted for the purpose of settling the employment relationship are saved in accordance with the statutory requirements. If the data controller does not conclude an employment contract with the applicant, the application documents are automatically deleted two months after notice of rejection was given, unless deletion is in conflict with any other legitimate interests of the data controller. Other legitimate interests in this sense include for example a burden of proof in proceedings under the German Equal Treatment Act (AGG).
The data controller has incorporated the component Google Analytics (with anonymisation function) into this website. Google Analytics is a web analytics service. Web analytics means the capturing, collection and evaluation of data on the behaviour of visitors to web pages. A web analytics service captures data on such aspects as which website a person accessed another website from (so-called referrers), which subpages of the website are accessed or how often and for how long a subpage was viewed. Web analytics is used predominantly to optimise a website and conduct a cost-benefit analysis of web advertising.
The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data controller uses the “_gat._anonymizeIp” function for web analytics via Google Analytics. With this function, the IP address of the data subject’s internet connection is abbreviated and anonymised by Google if access to our web pages is from a Member State of the European Union or from another signatory state of the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse visitor flows to our website. Google uses the data and information obtained for example to evaluate use of our website in order to compile online reports for us that reveal the activities on our web pages, and to deliver further services connected with the use of our website.
Google Analytics places a cookie on the IT system of the data subject. It has already been explained above what cookies are. By placing the cookie, Google is able to analyse the use of our website. Each time an individual page of this website operated by the data controller and incorporating a Google Analytics component is called up, the corresponding Google Analytics component automatically prompts the web browser on the IT system of the data subject to transmit data to Google for the purpose of online analytics. Through this technical process, Google acquires knowledge of personal data such as the IP address of the data subject, which Google uses for such purposes as tracking the origin of visitors and clicks, and on that basis billing commission payments.
By means of the cookie, personal information such as the access time, the place from which the website was accessed and the frequency of visits to our website by the data subject is saved. Every time our web pages are visited, this personal data including the IP address of the internet connection used by the data subject is transmitted to Google in the United States of America. This personal data is saved by Google in the United States of America. Google may in certain circumstances share this personal data collected by the technical process with third parties.
As already explained above, the data subject can at any time prevent the placing of cookies by our website by changing the appropriate setting in the web browser used, and thus permanently reject the placing of cookies. Making such a setting to the web browser used would also prevent Google from placing a cookie on the IT system of the data subject. In addition, a cookie already placed by Google Analytics may be deleted at any time via the web browser or other software programs.
14. Legal basis for processing
Art. 6 I point a of GDPR serves as the legal basis for our company for processing operations where we obtain consent for a particular purpose of processing. If the processing of personal data is required to fulfil a contract to which the data subject is party, for example as is the case in processing operations that are needed for a delivery of goods or the provision of another service or consideration, processing is based on Art. 6 I point b of GDPR. The same applies for those processing operations that are required to carry out pre-contractual measures, for example in cases of enquiries about our products or services. If our company is subject to a legal obligation under which processing of personal data becomes necessary, for example to fulfil tax obligations, processing is based on Art. 6 I point c of GDPR. In rare cases the processing of personal data could become necessary to protect vital interests of the data subject or another natural person. That would be the case for example if a visitor to our premises were to be injured and their name, age, health insurance fund data or other vital information needed to be shared with a physician, hospital or other third parties. Processing would then be based on Art. 6 I point d of GDPR. Processing operations could ultimately be based on Art. 6 I point f of GDPR. Processing operations that are not covered by any of the above legal bases take this legal basis if processing is necessary to uphold a legitimate interest of our company or of a third party, provided the interests, fundamental rights and fundamental freedoms of the data subject are not overriding. We are in particular permitted to conduct such processing operations because they have been specifically mentioned by the European legislature. To that extent it took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47 sentence 2 of GDPR).
15. Legitimate interests in processing pursued by the controller or a third party
If the processing of personal data is based on Article 6 I point f of GDPR, our legitimate interest is the conducting of our business activities in the interests of the well-being of all our employees and shareholders.
16. Period for which the personal data is saved
The criterion for the period for which personal data is saved is the respective statutory retention period. After expiry of the period, the data in question is routinely deleted provided it is no longer required to fulfil or initiate a contract.
17. Statutory or contractual regulations on the provision of personal data; necessity for contract conclusion; obligation of the data subject to provide the personal data; possible consequences of non-provision
We inform you that the provision of personal data is to some extent prescribed by law (e.g. tax regulations) or may arise under contractual arrangements (e.g. particulars of contracting party). For the conclusion of a contract, it may sometimes be necessary for a data subject to provide us with personal data that we then need to process. The data subject is for example obliged to provide us with personal data if our company concludes a contract with them. Non-provision of the personal data would have the consequence that the contract could not be concluded with the data subject. The data subject must contact our Data Protection Officer before providing personal data. Our Data Protection Officer will inform the data subject on a case by case basis whether the provision of personal data is legally or contractually prescribed or is necessary for the conclusion of the contract, whether there is any obligation to provide the personal data, and what the consequences of non-provision of the personal data would be.
18. Existence of automated decision-making
As a responsible company, we do not use automated decision-making or profiling.