Data protection is a special concern for the Gamperl & Hatlapa GmbH. Our efforts to comply especially with the requirements of the General Data Protection Regulation (GDPR) and the newest version of the Federal Data Protection Act are primarily aimed to respect your private and personal sphere.
For modern companies such as the Gamperl & Hatlapa GmbH the use of electronic data processing systems (EDP) nowadays is indispensable. In doing so we obviously mind to observe the legal regulations as carefully as possible.
The use of the Gamperl & Hatlapa website is basically possible without any statement of personal data. If a concerned person makes use of special services of our company through the website, processing of personal data could be necessary. If processing of personal data is necessary and no legislative basis for such a processing exists, we collect the consent of the data subject in general.
1.General information/ Definitions
This privacy statement is based on terms of the GDPR and shall be easily readable and comprehensible for everyone. Therefore, we want to explain some terms in advance:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject is any identified or identifiable natural person whose data are processed by the controller of the processing.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the objective of limiting future processing.
Profiling means any form of automated processing of personal data that consists of using these personal data to assess certain personal aspects that refer to a natural person, especially to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, whereabouts or change of location of this natural person.
Pseudonymisation means the processing of personal data in a way that personal data cannot be assigned to a specific affected person without the bringing in of additional information as far as this additional information is stored separately and is subject to technical and organizational measures that ensure that personal data are not assigned to an identified or identifiable natural person.
Controller means the natural or legal person, authority, institution or any other organization besides the affected person that decides alone or jointly with others on the purpose or means of the processing of personal data. If purpose or means of this processing are given by Union Law or the legislation of the member states, the controller respectively the specific criteria of his appointment according to Union Law or the law of the member states can be designated.
h) Processor/Data processor
Processor/Data processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, institution or any other body to which personal data are disclosed, whether a third party or not. Authorities which may receive personal data in the framework of a particular inquiry in accordance with Union law or member state law shall not be regarded as recipients.
j) Third party
Third party means a natural or legal person, public authority, agency or any other body other than the data subject, controller, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
k) Consent of the data subject
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Information about the collection of personal data
(1) In the following we will inform about the collection of personal data when using our website. Personal data are all data personally referring to you, e.g., name, address, e-mail address, user behavior etc.
(2) Controller according to Article 4 (7) General Data Protection Regulation (GDPR) is
Gamperl & Hatlapa GmbH
Am Weilachfeld 1
(3) When contacting us per e-mail or per contact form the communicated data (your e-mail address, if necessary your name and phone number) will automatically be saved to answer your questions. Such personal data communicated on a voluntary basis from a concerned person to a controller responsible for processing are solely saved for processing reasons or for contact reasons. The regarding data is deleted after the saving is not necessary anymore or we restrict the processing if legal duties to preserve records exist.
(4) If we rely on commissioned contractors for single functions of our supply or want to use your data for commercial purposes we will inform you in detail about the particular processes below.
Thereby we state the determined criteria of the storage period.
(5) As controller for the processing we have implemented various technical and organisational measures to ensure a protection as complete as possible for the personal data processed in this website. Nevertheless, internet- based data transmission can basically exhibit security gaps so that no absolute protection can be guaranteed. Therefore, it is at everybody´s discretion to communicate personal data to us, also by alternative ways, e.g. by telephone.
(6) As a responsible company we renounce automatic decision making or profiling.
(1) Towards us you have the following rights regarding the concerning personal data:
- Right to demand information:
Every person affected by processing personal data has got the right (granted by GDPR) to obtain free information about his personal saved data from the data processing controller and to obtain a copy of this information. Furthermore, the European Guidelines and Act Regulator has conceded the right to give the following information to the concerned person:
a) the purposes of the processing
b) the categories of processed personal data
c) the recipients or categories of recipients towards whom the personal data have been revealed or will be revealed, in particular in the case of recipients in third countries or in international organisations
d) if possible the scheduled duration during which the personal data are saved or, if this is not possible, the criteria for the determination of this duration
e) the existence of a law to adjust or delete the concerning personal data or the existence of a law to limit the processing by the controller or the existence of a right to object against this processing
f) the existence of a right to complain at a board of control
g) if the personal data are not collected on persons: Every available information about the origin of the data
h) the existence of an automated decision- making including profiling according to Article 22 (1) and (4) GDPR and – at least in these cases- meaningful information about the logic involved and also the scope and the intended implications of such a processing for the person concerned.
Furthermore, the affected person is conceded the right to information if personal data were transmitted to a third country or an international organisation. If this is the case, the concerned person is conceded to obtain the right to information about suitable guarantees related to the transmission. If a concerned person wants to make use of that right to information, he/she can address to a staff member of the controller anytime.
- Right to revoke a consent regarding data protection law:
Every person concerned by the processing of personal data (data subject) has got the right to revoke a consent to the processing of personal data anytime.
If a data subject wants to make use of that right to revoke, he/she can address to a staff member of the controller for the processing anytime by any means of communication.
- Right to rectification:
The data subject shall have the right to demand the immediate adjustment of concerning false data from the person responsible. Considering the purposes of the processing the affected person has got the right to demand the completion of incomplete personal data- also by means of an additional statement.
If a data subject wants to make use of this right of adjustment, he/she can address to a staff member of the controller for the processing anytime by any means of communication.
- Right to erasure / Right to be forgotten:
The data subject shall have the right to demand from the controller that relevant personal data are deleted immediately and the controller is obliged to delete personal data immediately if one of the following reasons apply:
a) the personal data are not required anymore for the purposes they were collected for or processed for
b) the data subject revokes the consent the processing according to Article 6 (1) point (a) or Article 9 (2) point (a) is based on and a further legal basis for the processing is missing
c) the data subject lodges an objection according to Article 21 (1) and there are no prior justified reasons for the processing or the affected person raises an objection against the processing according to Article 21 (2)
d) personal data was processed unlawfully
e) the deletion of personal data is necessary due to a legal fulfilment according to Union law or the law of the member countries to which the controller is subject to
f) the personal data was collected regarding offered services of the information company according to Article 8 (1)
If a data subject wants to make use of this right to erasure/right to be forgotten, he/she can address to a staff member of the controller for the processing anytime by any means of communication.
If we have made public personal data and are obliged to delete it according to Article 17 (1) GDPR, we take appropriate measures, even of a technical kind, considering the available technology and the implementation costs, to inform the controller, who processes the personal data, that a data subject has demanded the deletion of all links to these personal data or of copies or replications of these personal data. Our staff members will induce the necessary measures.
- Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
If a data subject wants to make use of this right to restriction of processing, he/she can address to a staff member of the controller for the processing anytime by any means of communication.
- Right to object the processing
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) point (e) or (f), including profiling based on those provisions.
We as controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the assertion, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
- Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to Article 20 (1) GDPR the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
If a data subject wants to make use of this right to data portability, he/she can address a staff member of the controller for the processing anytime by any means of communication.
- Automated individual decision-making including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or to a decision that similarly significantly affects him or her.
Paragraph 1 shall not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(2) is authorized by Union or Member State law to which the controller is subject to and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(3) is based on the data subject’s explicit consent.
If the decision is necessary for the completion of a contract between the data subject or if it takes place by explicit consent by the data subject, we take suitable measures to safeguard the data subject´s rights and freedoms and legitimate interests which includes the right to obtain an intervention of a person on behalf of the controller, the right to define one´s position and the right to contest a decision.
If a data subject wants to claim a right regarding automated decision- making, he/she can address to a staff member of the controller for the processing anytime by any means of communication.
Furthermore, you have the right to complain about the processing of your personal data by us at an independent data protection supervisory authority. The supervisory authority which is responsible for us is:
Bayerisches Landesamt für Datenschutzaufsicht
Tel.: 0981-53 1300
4. Collection of personal data on visiting our website/Cookies
(1) When using our website for an informational purpose, that is when you do not register or transfer data to us, we only collect the personal data your browser transfers to our server. If you want to view our website, we collect the following data which are technically necessary for us to show the website and to guarantee stability and safety (Legal basis Art.6 (1) GDPR):
- IP- address
- Date and time of the request
- Time difference to Greenwich Mean Time (GMT)
-Internet-Service-Provider of the access demanding system
-Content of the request (specific page)
-Access status/ HTTP status code
-Transferred volume of data at a time
-Web site the request is coming from (Referrer)
-Operating system and its interface
-Language and version of the browser software
(2) In addition to the previously mentioned data web site cookies will be stored on your PC. Cookies means small text files which are assigned to your used browser and are stored on your hard drive. Cookies transfer certain information to the body (us in this case) that sets the cookies. Cookies cannot perform programs or transfer viruses onto your PC. They only serve to make the internet service more user-friendly and more effective.
a) This web site uses the following kinds of cookies whose scope and functionality are explained below:
- Transient cookies (thereto b)
- Persistent cookies (thereto c)
(b) Transient cookies are deleted automatically when you close the browser. This includes the session cookies in particular. These store a so-called session-ID with which different requests of your browser can be assigned to the common session. Thus your PC can be recognized when you return to our web site. The session cookies will be deleted when you log out or close the browser.
(c) Persistent cookies are deleted after a default time which can vary depending on the cookie. You can delete cookies in the security settings of your browser anytime.
(d) You can change your browser settings according to your needs and e.g. deny the acceptance of third-party-cookies or all cookies. We wish to point out that maybe you cannot use all functions of this web site.
(e) We utilize cookies to identify you for follow-up visits if you have an account with us. Otherwise you would have to log in at every visit.
5. Data transfer
Basically, there is no data transfer to a third party unless we are legally obliged to do so, or the data transfer is necessary for the execution of the contract, or you have previously agreed explicitly to the transfer of your data.
External providers only receive your data if that is required for the processing of your order. In this case the scope of the transferred data is restricted to the required minimum. As far as our providers get in touch with your personal data we ensure within the context of data processing according to Article 28 GDPR that these comply with the regulations of the data protection laws in the same way.
We put emphasize on processing your data within the EU/ EEA. However, it can happen that we deploy providers who process data outside the EU/EEA. In this case we ensure that prior to the transfer of your personal data an adequate data protection level was established at the recipient. By that we mean that with EU standard contracts or an adequacy decision like the EU Privacy Shield a data protection level is reached that is comparable to standards within the EU.
6. Data protection in applications
The processing controller collects and processes the personal data of applicants to execute an application process. The processing can also be done by electronic means. In particular, this is the case if an applicant transfers corresponding appli-
cation documents by electronic means, e.g. by e-mail or by a corresponding contact form on the web site, to the processing controller. If the processing controller concludes a deal with an applicant the transferred data are saved for the purpose of the
conclusion of the employment contract taking into consideration the legal regulations. If no contract is concluded with the applicant by the processing controller, the application documents will be deleted automatically as far as there are no further
reasonable interests opposed to it on the part of the processing controller, e.g. a burden of proof in a process in accordance with the General Equal Treatment Act.
7. Objection or revocation of the processing of your data
(1) If you have given a consent to the processing of your data, you can revoke it anytime and by any communication channel. Such an objection influences the legitimacy of the processing of your personal data once you have pronounced the revocation.
(2) As far as we base the processing of your data on a balance of interests you can object to the processing. This is the case when the processing in particular is not necessary for the fulfilment of a contract with you, which is described by us at a time in the subsequent description of the functions. On exercising such an objection, we ask for a statement of the reasons why we should not process your personal data as we executed it. In the case of a justified objection we consider the situation and will either stop the processing respectively adjust it or point out our compelling worth of protection reasons due to which we will continue the processing.
(3) Of course you can object to the processing of your personal data for the purpose of advertisement and data analysis any time. You can communicate us your advertisement objection under the address indicated under number 2(2).
8. Legal or contractual regulations for the provision of personal data/ Necessity for a conclusion of a contract/ Consequences for the non-provision
We would like to inform you that the provision of personal data is partly legally prescribed by law. However, it may be possible that a concerned person has to provide personal data so that a contract can be concluded. A non- provision would have the consequence that the contract could not be concluded. Our staff members will be gladly at your disposal with questions on a case-by-case basis.