Data protection policy
We are delighted that you are interested in our company and products. When it comes to the processing of personal data, we take the protection of your privacy very seriously in all of our business processes. For this reason, we have a comprehensive range of technical measures in place to ensure that your data is secure. We keep these measures updated in line with state-of-the-art developments.
All personal data that we collect is treated as confidential and only processed in compliance with statutory regulations. Data protection is an integral part of our company policy.
We would like to take this opportunity to point out that our online presence contains links to and from websites operated by other providers. This data protection policy does not apply to any such websites. If you do click on a link to another website, please be aware that we cannot accept any responsibility or liability for any third-party content or data protection terms and conditions. Please check out the data protection terms and conditions applicable to the website before transferring any personal data to it.
Alongside information for visitors to our online presence, this data protection policy also covers the aspects of data protection relevant to our business partners.
A. General data protection information
1. Collection and processing of personal data
Personal data is all information (e.g. address, email address, name, user behaviour, location data, telephone number) relating to you as a natural person (e.g. employee of one of our business partners, sole trader, contractor, consumer).
This could also include order data (e.g. sales data, business partner history), data relating to the fulfilment of our contractual obligations (e.g. payments), information on your financial situation (e.g. credit status data) and other similar data.
This data may be collected in particular within the context of a contractual relationship (e.g. purchase and sale of products, services, works), contact made prior to entering into a contract (e.g. offer preparation, contract negotiation) or any other enquiry (e.g. made online, via email or phone, at a trade fair or video conference). If required for the purpose of fulfilling our contractual or legal obligations, we also process personal data that we permissibly gain access to through public sources (e.g. commercial and association registers, the press, the internet) or that we are sent by other authorised third parties (e.g. credit agencies).
As the “controller” according to the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), Gebr. Heller Maschinenfabrik GmbH, Gebrüder-Heller-Straße 15, 72622 Nürtingen or the respective group company affiliated to it as per Section 15 of the German Stock Corporation Act (AktG) decides how your personal data is used and for what purpose in accordance with the provisions set out in this data protection policy.
3. Purposes of processing
Your personal data is processed for the following purposes:
- Operation and technical administration of our online presence, provision of online services.
- Responding to enquiries, initiation, performance or management of business relations with the HELLER Group.
- Fulfilment of contractual and/or legal obligations.
- Conducting virtual conferences and trainings.
- Customer management.
- Access to (virtual) in-house exhibitions and their organization (e.g. sending schedule and programme information prior to the beginning of the event).
- Performance of internal processes.
We will also use your personal data for needs-based marketing information (e.g. product surveys) provided that this is permitted under competition law. Moreover, your personal data may also be processed on the basis of a purpose outlined in Section B.
In addition to this, your personal data helps us to get a clear understanding of your interest in our products and allows us to amend our business relationships so that they are more effective for both parties.
4. Legal bases
We process personal data in compliance with the provisions of GDPR and BDSG according to the following legal bases:
Art. 6 (1) (1) (a) GDPR
In some exceptional cases, we will ask for your express consent to the processing of your personal data (e.g. newsletter, advertising). You have the right to withdraw your consent at any time with future effect.
Art. 6 (1) (1) (b) GDPR
The processing of data serves the fulfilment of our duties set out by a contract to which you are party (e.g. purchase, work, service, licence or rental contract) or the execution of steps prior to entering into a contract. As a general rule, we will not be able to conclude, perform or terminate a contract with you, without this data being provided. Nor will we be able to take steps prior to entering into a contract with you even if you request us to do so.
Art. 6 (1) (1) (c) GDPR
Legal obligations may require us to process your data (e.g. monitoring and reporting requirements under tax and social security law, checks by authorities, statutory retention periods).
Art. 6 (1) (1) (f) GDPR
Where necessary, we will process your personal data within the context of our business relations on the basis of a balance of interests. In this case, processing is permitted when it is required in order to safeguard our legitimate interests or those of third parties provided that these interests are not overridden by interests or fundamental rights and freedoms of the data subject requiring the protection of personal data. This applies in the following cases:
- Enforcement or exercising of legal claims or judicial court action, or defence against them.
- Optimisation of business processes (e.g. customer database).
- Minimisation of default risks as part of procurement processes through consultation with credit agencies (e.g. Creditreform).
- Assessment of European and international embargo lists if this goes beyond statutory obligations.
- Implementation of security measures for buildings and systems and preservation of the domiciliary right (e.g. video surveillance, access control).
- Safeguarding of network and data security (e.g. prevention of unauthorised access to electronic communication networks, prevention of the distribution of malicious program codes, defence against attacks in the form of targeted server overloading, defence against damage to computers and electronic communication systems).
- Restricted storage of your data if erasure is not possible or requires an unreasonable amount of effort.
5. Your rights
You have the following rights against us relating to your personal data:
- The right to information and access.
- The right to rectification or erasure.
- The right to restriction of processing.
- The right to object to processing.
- The right to data portability.
You also have the right to lodge a complaint about our processing of your personal data with a supervisory authority responsible for data protection.
6. Data transmission
Your personal data will be made accessible to the departments (e.g. Procurement, Accounting, Logistics, Sales) and companies within the HELLER Group that require it for the purposes set out under Section A, Point 3.
Service providers and agents may also be able to access and process your personal data for these purposes. These are in particular external companies specialising in commercial and/or legal consultancy as well as financial, IT and logistics service providers. The following third parties are examples of who may receive your personal data:
- Processors (e.g. cloud providers, service providers for virtual conference systems).
- Insolvency administrators and creditors.
- Public authorities and institutions (e.g. finance and law enforcement authorities, artists' social security fund).
Otherwise, we will not pass your personal data onto third parties unless you have given your consent for us to do so or we are entitled or obliged to do so on the basis of legal provisions and/or official or judicial orders. This may be the case in particular if information needs to be provided as part of criminal proceedings, as a way of preventing danger or in order to enforce intellectual property rights.
We are also authorised to pass your personal data onto third parties if we have partnered with them to put on special offers, run competitions or enter into contracts. In these cases, we will inform you separately and in advance that your data is going to be passed on.
7. Storage period
We process and store your personal data for as long as is necessary for the purposes set out under Section A, Point 3.
This data is then deleted at regular intervals unless it temporarily needs to be processed further in order to comply with statutory retention periods, which may result from the German Commercial Code (HGB) and the German Tax Code (AO) in particular. For example, accounting records need to be kept for ten years and business correspondence for six years. Otherwise, the regular period of limitation is three years, with the option for periods of limitation to be as long as 30 years.
If you allow us to use your personal data for advertising purposes, we will store the personal data required for this purpose until you withdraw your consent to advertising purposes. If we are not processing your personal data for any other purposes, we will erase this data in line with data protection provisions as soon as you give us notice of the withdrawal of your consent.
If you have any questions that have not been answered by this data protection policy or if you would like further information about a specific aspect, please feel free to get in touch with the Data Protection Officer of the HELLER Group at any time:
Heller Holding SE & Co. KGaA
Data Protection Officer
B. Additional information on data protection relating to our online presence
1. Processing of personal data in the event of use for information purposes
If you are using our online presence purely for information purposes, i.e. you do not register or transmit any other information, we will only collect the personal data that your browser transmits to our server in accordance with Article 6 (1) (1) (f) GDPR. If you visit our online presence, we will collect the following data as we need it from a technical point of view to be able to display the online presence to you and guarantee its stability and security:
- IP address.
- Date and time of request.
- Time zone difference from Greenwich Mean Time (GMT).
- Content of request (specific page).
- Access status/HTTP status code.
- Amount of data transmitted.
- Website the request came from (referrer URL).
- Operating system and its interface.
- Type, language and version of browser software.
- Information on device used (user agent).
- Supported browser features (e.g. CSS version, frames/iframes, Java, XML, images).
Beyond using our online presence purely for information purposes, you can also search for contacts and fill in a contact form. You may need to enter further personal data in these cases. If there is the option of voluntarily entering additional information, this will be marked accordingly.
If you get in touch with us via email, we will process the data you enter in order to be able to respond to your enquiry.
2. Analysis of data traffic and behaviour
General information about "cookies"
In addition to processing personal data as outlined in Section B, Point 1, we might collect information about the way in which you use our online presence by using cookies. Cookies are small text files that are stored on your device and save certain settings and data about your browser to be exchanged with our system. As a general rule, cookies contain the name of the domain from which the data is being sent along with information on how old the cookie is and an alphanumeric ID code. Cookies enable our systems to recognise your device and automatically apply any pre-configured settings. A cookie is transmitted to your device's hard drive as soon as you access our online presence. Cookies cannot run programs or transmit viruses to your device.
Use of “Google Analytics” and "Google Tag Manager"
We use IP anonymization on this online presence, which means that “anonymizeIp()” is added in conjunction with Google Analytics. This means that IP addresses are shortened within EU Member States or in other countries that are party to the Agreement on the European Economic Area before being processed further so that they cannot be linked to specific individuals. Consequently, if the data collected does include a link to specific individuals, this will be immediately removed and the personal data promptly deleted.
Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. Google will use this information on our behalf for the purpose of evaluating your use of the online presence, compiling reports on activities on our online presence and providing us with other services relating to the use of the online presence and internet usage.
The IP address transmitted by your browser in connection with Google Analytics will not be associated with any other Google data.
This online presence also uses Google Analytics to analyse visitor numbers using a user ID for cross-device tracking. You can disable cross-device tracking by deactivating this feature under “My Data”, “Personal Data” in your Google customer account.
Information on the third-party provider
Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.
This online presence uses the following types of cookies:
Transient cookies (temporary use)
Transient cookies are automatically deleted when you close your browser. Session cookies are the most common type of transient cookies. They save a session ID that can be used to allocate different requests from your browser to the same session. This means that your device can be recognised when you return to the online presence. Session cookies are deleted when you log out or close your browser.
Persistent cookies (in use for a set amount of time)
Persistent cookies are automatically deleted after a set amount of time has passed. The duration may be different for each cookie. You can delete these cookies at any time via the security settings in your browser.
Third-party cookies (from third-party providers)
Details about the cookies used are provided below:
Purpose: TYPO3 standard session identification. The session itself is used to enable various features on the online presence.
Storage period: Length of the session
Purpose: Used to detect new sessions and/or visits and contains a unique identification code.
Storage period: 24 hours
Purpose: Used to detect new sessions and/or visits and contains a unique identification code.
Storage period: Two years
Purpose: Stores information on the use of cookie consent.
Storage period: One month
Purpose: Google Analytics cookie. Used to stop tracking through Google Analytics when the Google Analytics opt-out link has been clicked on.
Storage period: 90 years
Purpose: Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.
Storage period: One minute
Purpose: Used for remembering that a logged in user is verified by two-factor authentication.
Storage period: Two years
Purpose: This cookie is used to track impressions of LinkedIn alerts, such as the Cookie Banner and to implement cool off periods for display of alerts.
Storage period: One year
Purpose: This cookie is used to authenticate members and API clients.
Storage period: One year
Purpose: This cookie is used as part of LinkedIn’s Remember Me feature to save login data. It is set when a user clicks ‘Remember me’ on their device. This makes logging in on that device easier.
Storage period: One year
Purpose: Used to temporarily store the language setting.
Storage period: One year
Purpose: This cookie, also known as ‘Adaptive Images’, only stores the horizontal value of the screen resolution of the respective visitor.
Storage period: 30 days
Purpose: Language setting in the backend. Set by WordPress.
Storage period: Length of the session
Purpose: This cookie is used to see if the browser is set to accept cookies. Set by WordPress.
Storage period: Length of the session
Purpose: Supports multi-lingual websites. Set by the ‘Polylang’ plugin.
Storage period: One year
Purpose: Privacy toolkit for the theme used. Set by the ‘Uncode Privacy’ plugin.
Storage period: One year
Consent and ways of restricting cookies
Moreover, you can stop Google from collecting data generated by cookies in relation to your use of the online presence (including your IP address) by downloading and installing the browser plugin available here: http://tools.google.com/dlpage/gaoptout?hl=de.
As an alternative to the browser plugin and for the use of browsers on mobile devices, click here to stop your data from being collected through Google Analytics on this online presence in future (the opt-out function will only apply on this browser and for this domain). An opt-out cookie will be stored on your device. If you delete the cookies from this browser or use a different browser or device, you will have to click on this link again.
Reach analysis by WiredMinds
Our website uses the ‘LeadLab’ counting pixel technology provided by WiredMinds GmbH (www.wiredminds.de) to analyse visitor behaviour. In connection with this, the visitor’s IP address is processed. The processing only occurs for the purpose of collecting company-related information such as the company name, for example. IP addresses of natural persons are excluded from any further processing by means of a whitelist (‘whitelist procedure’). Under no circumstances is the IP address stored in LeadLab. We use the company-related information to create anonymised usage profiles with regard to the visiting behaviour. Data obtained during this process is not used to personally identify visitors of our website. Our interest in processing the data is based on Art. 6 (1) lit. (f) GDPR.
If you do not want your visits to be tracked, please click here. This will store an opt-out cookie on your device. If you delete the cookies from this browser or use a different browser or device, you will have to click on this link again.
Our newsletter is only sent if you have given us your consent in accordance with Art. 6 (1) (1) (a) GDPR. We cooperate with an external service provider to distribute our newsletter.
We use a “double opt-in process” for newsletter subscriptions. Thus, we will send an email to the address you enter when you subscribe asking you to confirm that you would like to start receiving our newsletter. If you do not confirm your subscription within seven calendar days (starting from the moment you subscribe), your information will be automatically deleted. Moreover, we will store your IP address from when you subscribed and submitted confirmation as well as the time at which you subscribed and submitted confirmation. We use this process to verify your subscription and to be able to resolve misuse of your personal data.
The only information you need to provide us with when subscribing to the newsletter is your email address. It is your choice if you provide us with any further information (which is marked as optional). If you do, it will be used to personalise the newsletter for you. Once you have submitted your confirmation, we will store your email address for the purpose of sending you the newsletter until you unsubscribe.
You can withdraw your consent to us sending you the newsletter at any time, meaning you will unsubscribe from the newsletter. You can withdraw by clicking on the link provided in every newsletter email or by sending us an email to email@example.com.
Analysis of your user behaviour
We want to take this opportunity to inform you that we analyse your user behaviour when we send you the newsletter. For analysis purposes, the emails we send you contain web beacons or tracking pixels, which come in the form of 1x1 pixel graphics. As part of our analyses, the data specified in Section B, Point 1 and the web beacons or tracking pixels are linked to your email address and a unique identifier (“ID”). Links in the newsletter use this ID too. The newsletter provider saves the information collected in this way on their server in Germany.
You can object to this form of tracking at any time by clicking on the special link provided in every newsletter email. Alternatively, you can also notify us of your request by sending us an email to firstname.lastname@example.org. The information relating to your user behaviour will be stored until you unsubscribe from the newsletter. Once you have unsubscribed from the newsletter, the data will only be stored in the form of statistics.
4. Social media
Use of social media plugins
We currently use the following social media plugins on the basis of Art. 6 (1) (1) (f) GDPR: Facebook, LinkedIn, Twitter, Xing, YouTube. We use here what is known as the two-click solution. This means that when you visit our online presence, no personal data will initially be sent to the providers of these plugins. You will be able to recognise the plugin provider from the respective logo. Therefore, we give you the option of communicating directly with the plugin provider. But the plugin provider will not receive any information about you visiting the corresponding page on our online presence unless you click on the button with the relevant logo to activate it. Furthermore, the data specified in Section B, Point 1 is transmitted. In the case of Facebook and Xing, according to the providers in Germany, your IP address will be anonymised immediately after it is collected. When you activate a plugin, your personal data will be transmitted to and stored by the corresponding plugin provider (in the US if the provider is based there). Given that the plugin providers' main method of collecting data will be by using cookies, we recommend that you delete all cookies via your browser's security settings before clicking on the button.
We do not have any influence over the data collected or methods of data processing. Nor do we know the full extent of the data collection, the purposes of processing or the storage periods. We do not have any information about the deletion of the data collected by the plugin provider.
The plugin provider stores the data collected in relation to you in the form of user profiles, which it uses for the purpose of advertising, market research and/or adjusting the design of its website in response to how it is being used. This form of analysis is used in particular (even in the case of users who are not logged in) to display tailored advertising and to notify other people using the social media network of your activity on our online presence. You have the right to object to these user profiles being created. You will need to get in touch with the relevant plugin provider directly to exercise this right. Through these plugins, we are providing you with the option of interacting with the social media networks and other users as a way of improving our online presence and making it more interesting to you as the user.
Data will be transmitted regardless of whether you have an account with the plugin provider and are logged in there. If you are logged in with the plugin provider, the data collected from our online presence will be assigned directly to your account with the plugin provider. If you click on the relevant button and, for example, link to the website, the plugin provider will store this information in your user account too and will share it publicly with your contacts. We recommend that you get in the habit of logging out of social media networks once you have used them and make sure you do this before clicking on the relevant buttons so as to stop the plugin provider from linking information to your account.
You can find further information on the purpose and scope of data collection and processing by the plugin providers by reading their data protection policies, which will also contain more details on your related rights and the settings that are available to allow you to protect your privacy.
Addresses for each of the plugin providers and URL for information on data protection:
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; www.facebook.com/policy.php. Further information on data collection: www.facebook.com/help/186325668085084, www.facebook.com/about/privacy/your-info-on-other and www.facebook.com/about/privacy/your-info.
YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA; https://policies.google.com/privacy.
LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; www.linkedin.com/legal/privacy-policy.
New Work SE (previously XING AG), Dammtorstraße 30, 20354 Hamburg, DE; privacy.xing.com/en/privacy-policy.
Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; twitter.com/privacy.
Share function via “Shariff” buttons
We use the two-click “Shariff” solution here. This has been developed as a way of giving users greater privacy online. With this solution, it is the server of the website, rather than the individual user's browser, that is linked to the server of the relevant social media platform (e.g. to retrieve the number of “likes”).
You can read more about this here: https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html (only available in German).
Use of YouTube videos
Our online presence includes YouTube videos that are stored on www.YouTube.com and can be played directly from our online presence. These are all integrated in “Privacy-enhanced Mode”, meaning that no data relating to you as the user will be transmitted to YouTube if you do not play the videos. The data specified in Section B, Point 1 will only be transmitted if you play the videos. We do not have any influence over the data being transmitted in this way.
When you visit our online presence, YouTube will be informed that you have visited the specific page of our online presence. The data specified in Section B, Point 1 is transmitted too. This will happen regardless of whether you are logged into a YouTube user account or whether you do not have such an account. If you are logged into Google, your data will be assigned directly to your account. If you do not want your data to be linked to your YouTube profile, make sure that you have logged out before clicking on the button. YouTube stores your data in the form of user profiles, which it uses for the purpose of advertising, market research and/or adjusting the design of its website in response to how it is being used. This form of analysis is used in particular (even in the case of users who are not logged in) to provide tailored advertising and to notify other people using the social media network of your activity on our online presence. You have the right to object to these user profiles being created. You will need to get in touch with YouTube directly to exercise this right.
Use of Google Maps
We use Google Maps on this online presence. This allows us to display interactive maps directly on our web pages for convenient map functionality.
When you visit our online presence, Google will be informed that you have visited the specific page of our online presence. The data specified in Section B, Point 1 is transmitted here too. This will happen regardless of whether you are logged into a Google user account or whether you do not have such an account. If you are logged into Google, your data will be assigned directly to your account. If you do not want your data to be linked to your Google profile, make sure that you have logged out before clicking on the button. Google stores your data in the form of user profiles, which it uses for the purpose of advertising, market research and/or adjusting the design of its website in response to how it is being used. This form of analysis is used in particular (even in the case of users who are not logged in) to provide tailored advertising and to notify other people using the social media network of your activity on our online presence. You have the right to object to these user profiles being created. You will need to get in touch with Google directly to exercise this right.
C. Additional information on data protection relating to virtual conferences and trainings using Microsoft Teams
We use Microsoft Teams, a service of Microsoft Corporation (“Microsoft”), to conduct virtual conferences and trainings. For this purpose, we process your personal data insofar as it is required in order to communicate and collaborate with you. The responsibility for processing the data is defined in Section A, Point 2. However, if you go to the Microsoft website to use Microsoft Teams, then Microsoft will be responsible for data processing. Visiting the website, however, is only required for downloading the Microsoft Teams app. If you do not use the app, you can start Microsoft Teams via your web browser. The service is then rendered by Microsoft.
While using Microsoft Teams we collect the following personal data about you:
- Personal information (e.g. name, e-mail address, local IP address, preferred language, profile picture, if any).
- Meta data of the virtual conference or training (e.g. date, meeting ID, telephone number, time).
- You have the option to use a chat function. In this case, the input provided by you (e.g. texts, training exercises and solutions) will be processed, in particular, for display on the screens of the conference or training participants and for the follow-up of training events.
- In order to enable the playback of audio and the display of video, the data from the microphone and video camera (if any) of your device will be processed accordingly for the duration of the virtual conference or training. You can mute the microphone and switch off the camera yourself at any time.
The extent of data processing also depends on which data you provide before or while participating in any such event.
If we want to record virtual conferences or trainings, we will inform you in advance and ask for your consent. Recording may be necessary, for instance, in order to make the contents presented available following a training for deepening the knowledge acquired or to be able to provide evidence to the Federal Employment Agency of having provided government-sponsored training.
The purpose and the legal basis for the processing of your personal data result from the respective context of the communication or collaboration. These contexts and the corresponding legal bases are described in Section A, Point 4.
For the technical provision of the Microsoft Teams functions, we will transfer your data to Microsoft as processor, who according to the Data Protection Addendum for Microsoft Online Services especially has a duty of confidentiality with regard to the handling of personal data. In principle, no data will be processed outside of the EU/EEA as we have agreed with Microsoft to restrict the storage location to electronic data processing centres within the EU/EEA. Should Microsoft in violation of this agreement transfer your data to states outside of the EU/EEA, in particular to the USA, and process them there, the standard contractual clauses adopted by the European Commission, forming an integral part of the Data Protection Addendum for Microsoft Online Services, shall apply in order to provide an adequate level of protection for your data.
More information about the purpose and extent of data collection and processing by Microsoft Teams can be found in the Microsoft Privacy Statement:
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; https://privacy.microsoft.com/en-us/privacystatement