Gustav Ehlert GmbH & Co. KG 

Privacy policy 

1. use of your data when visiting our websites
2. use of cookies and other technologies for web analysis and advertising purposes
3. social plugins from Facebook, Instagram, YouTube, LinkedIn and Xing
4. use of your data when creating a customer account and for contract processing
5. information on the processing of your applicant data
6. contact options and your rights

1. use of your data when visiting our websites

1.1 Access data

You can visit our website without providing any personal data. Each time a website is accessed, the web server only automatically saves a so-called server log file, which contains the following data:

• Your IP address

• The website you came from

• Websites that you access via our site

• The pages you click on or the name of the requested file

• Time of the page view

• Name of your Internet Service Provider

• Your browser type and version

• The operating system of your end device

• The date and duration of the visit

This access data is analysed exclusively for the purpose of ensuring trouble-free operation of the site and improving our offering. Pursuant to Art. 6 pcs. 1 sentence 1 lit. f GDPR, this serves to safeguard our legitimate interests in the correct presentation of our website, which are overriding in the context of a balancing of interests.

All access data will be deleted no later than 30 days after the end of your visit to the site.

1.2 Hosting services by a third-party provider

As part of processing on our behalf, a third-party provider provides us with the services for hosting and displaying the website. This serves to safeguard our legitimate interests in the correct presentation of our website, which outweigh our interests. All data collected in the course of using this website is processed on its servers. Processing on other servers only takes place within the framework explained here. Our service provider is located within a country of the European Union or the European Economic Area.

2. use of cookies and other technologies for web analysis and advertising purposes

We use cookies on various pages to make our website more attractive and to enable the use of certain functions, to display suitable products or for market research. This serves to safeguard our legitimate interests, which predominate in the context of a weighing up of interests, in an optimised presentation of our offer in accordance with Art. 6 pcs. 1 sentence 1 lit. f GDPR. Cookies are small text files that are automatically stored on your end device. Some of the cookies we use are deleted again at the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your end device and enable us to recognise your browser on your next visit (persistent cookies). The duration of storage can be found in the overview in the cookie settings of your web browser. You can set your browser so that you are informed about the setting of cookies and decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. Each browser differs in the way it manages cookie settings. This is described in the help menu of each browser, which explains how you can change your cookie settings. You can find these for the respective browsers under the following links:

• Internet Explorer™:windows.microsoft.com/en-DE/windows-vista/Block-or-allow-cookies

• Safari™:support.apple.com/guide/safari/manage-cookies-sfri11471/mac

• Chrome™:support.google.com/chrome/bin/answer.py

• Firefox™:support.mozilla.org/en/kb/cookies-allow-and-reject

• Opera™:help.opera.com/Windows/10.20/en/cookies.html

Changes to the cookie settings may limit the functionality of our websites.

2.1 Technically necessary cookies

These cookies are necessary for the secure operation of our website. This includes the Google Tag Manager, which helps us to set and manage tags. Your data is not collected by the service.

2.2 Statistics cookies

2.2.1 Google Analytics

For website analysis, this website uses Google (Universal) Analytics, a web analysis service provided by Google LLC (www.google.de). This serves to safeguard our legitimate interests in an optimised presentation of our offer in accordance with Art. 6 pcs. 1 sentence 1 lit. f GDPR, which predominate in the context of a balancing of interests. Google (Universal) Analytics uses methods that enable your use of the website to be analysed, such as cookies. The automatically collected information about your use of this website is usually transmitted to a Google server in the USA and stored there. By activating IP anonymisation on this website, the IP address is shortened before transmission within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The anonymised IP address transmitted by your browser as part of Google Analytics is not merged with other Google data. The data collected in this context will be deleted after the end of the purpose and use of Google Analytics by us.

You can prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link:tools.google.com/dlpage/gaoptout

As an alternative to the browser plugin, you can click this link to prevent Google Analytics from collecting data on this website in the future. An opt-out cookie will be stored on your end device. If you delete your cookies, you must click the link again.

2.2.2 Matomo

On our website, we use the open source software tool Matomo (formerly "PIWIK", https://www.matomo.org), a service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, to analyse the data traffic on our pages and their reach.

This enables us to find out how our websites are used and to constantly improve and develop our website and our offering. The use of Matomo is also essential for necessary maintenance work so that the page content is updated outside of the most frequently visited pages or - if certain content is largely accessed using mobile devices - so that it can be adapted accordingly (e.g. to ensure accessibility).

In addition, server resources can be distributed economically with the help of Matomo web analytics and load management can be better coordinated. To fulfil the aforementioned tasks and to ensure data security, we operate Matomo on our own server. The server is located in Germany (Technik Datacenter Deutschland, Am Datacenter-Park 1, 08223 Falkenstein/Vogtland, Germany) and is operated by our partner peaknetworks Hosting GmbH, Eduard-Bodem-Gasse 5 - 7, 6020 Innsbruck, Austria (for more information on the data protection provisions of peaknetworks Hosting GmbH, please visit: https://www.peaknetworks.at/datenschutz). peaknetworks Hosting GmbH only provides the server and is not involved in the processing of data, so there is no need to conclude a contract for order processing (AVV) in accordance with Art. 28 GDPR. We do not use cookies for statistical analyses with Matomo. We also do not store any information on the requesting computers of our website visitors and do not access information that is already stored on the end devices of our visitors. No personal data is processed for the use of Matomo. The processing falls neither within the scope of the GDPR nor under the legal provisions for a consent requirement pursuant to Art. 25 pcs. 1 TDDDG. Instead, Matomo uses log files that have already been created automatically when a web browser accesses a website. Matomo processes the following data for purely statistical analyses:

• IP address of the requesting computer -> this is anonymised before the analysis takes place

• Browser type

• Set language

• Operating system

• Time of visit, time spent on the website

• pages accessed (URLs and page titles)

• Content that was loaded during the visit (e.g. images, JavaScript or CSS files)

• Frequency of visits to the website (aggregated file)

The Matomo software is set so that 2 bytes of the IP address (e.g. 192.168.xxx.xxx) are masked before this information is analysed. As a result, it is no longer possible to clearly identify the calling computer in the statistical analysis with Matomo.

The statistical analysis only records visits to individual pages. Furthermore, it is not technically possible for us to track visitors to our websites with Matomo across several websites or over several days. Matomo does not create a profile of our visitors.

The data obtained with Matomo is not passed on to third parties or used for other purposes, in particular not for performance or behaviour monitoring of website users.

Further information on Matomo can be found athttps://matomo.org/docs/privacy-how-to/. You can find Matomo's privacy policy athttps://matomo.org/privacy-policy/.

2.3 Use of Google services

We use the following technologies of Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The information automatically collected by Google technologies about your use of our website is usually transmitted to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there. There is no adequacy decision by the European Commission for the USA. Our co-operation is based on standard data protection clauses of the European Commission. If your IP address is collected via Google technologies, it will be shortened by activating IP anonymisation before it is stored on Google's servers. Only in exceptional cases will the full IP address be transmitted to a Google server and truncated there. Unless otherwise specified for the individual technology, data processing is carried out on the basis of an agreement concluded for the respective technology between jointly responsible parties in accordance with Art. 26 GDPR. Further information about data processing by Google can be found in Google's privacy policy atpolicies.google.com/privacy?hl=en.

2.3.1 Google Analytics

For the purpose of website analysis, Google Analytics automatically collects and stores data (IP address, time of visit, device and browser information as well as information on your use of our website), from which user profiles are created using pseudonyms. Cookies may be used for this purpose. Your IP address will not be merged with other Google data. Data processing is carried out on the basis of an agreement on order processing by Google.

2.3.2 Google Ads

For advertising purposes in Google search results and on third-party websites, the so-called Google Remarketing Cookie is set when you visit our website, which automatically enables interest-based advertising by collecting and processing data (IP address, time of visit, device and browser information and information about your use of our website) and by means of a pseudonymous cookie ID and based on the pages you visit. Any further data processing will only take place if you have activated the "personalised advertising" setting in your Google account. In this case, if you are logged in to Google while visiting our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing.

2.3.3 Google Ads Remarketing

We use Google Ads to advertise this website in Google search results and on third-party websites. For this purpose, the so-called remarketing cookie is set by Google when you visit our website, which automatically enables interest-based advertising by means of a pseudonymous cookie ID and on the basis of the pages you visit. This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in the optimal marketing of our website in accordance with Art. 6 pcs. 1 sentence 1 lit. f GDPR. After the end of the purpose and the end of the use of Google Ads Remarketing by us, the data collected in this context will be deleted.

Any further data processing will only take place if you have consented to Google linking your web and app browsing history to your Google account and using information from your Google account to personalise ads that you see on the web. In this case, if you are logged in to Google while visiting our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing. For this purpose, Google will temporarily link your personal data with Google Analytics data in order to create target groups.

Google Ads is a service provided by Google Ireland Limited, a company incorporated and operated under Irish law with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (www.google.de).

Insofar as information is transferred to Google servers in the USA and stored there, there is no adequacy decision by the European Commission. Our co-operation is based on standard data protection clauses of the European Commission.

You can deactivate the remarketing cookie via this link. You can also obtain information from the Digital Advertising Alliance about the setting of cookies and make settings for this.

For website analysis and event tracking, we use Google Ads Conversion Tracking to measure your subsequent usage behaviour if you have reached our website via a Google Ads advertisement. For this purpose, cookies may be used and data (IP address, time of visit, device and browser information as well as information on your use of our website based on events specified by us, such as visiting a website or subscribing to a newsletter) may be collected, from which user profiles are created using pseudonyms.

2.3.4 Google Tag Manager

Google Tag Manager is used on this website. Google Tag Manager is a solution from Google Inc. that allows companies to manage website tags via an interface. Google Tag Manager is a cookie-free domain that does not collect any personal data. The Google Tag Manager triggers other tags, which in turn may collect data. We hereby point this out separately. The Google Tag Manager does not access this data. If deactivation has been carried out by the user at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

2.4 Use of Facebook services

2.4.1 Facebook Ads

We use Facebook Ads to advertise this website on Facebook and other platforms. We determine the parameters of the respective advertising campaign; Facebook is responsible for the exact implementation, in particular the decision on the placement of the adverts with individual users. Unless otherwise specified for the individual technology, data processing is carried out on the basis of an agreement between joint controllers in accordance with Art. 26 GDPR. The joint responsibility is limited to the collection of data and its transmission to Facebook Ireland. The subsequent data processing by Facebook Ireland is not covered by this.

We use Facebook Custom Audience to operate group-based advertising on Facebook by determining the characteristics of the respective target group on the basis of the statistics on visitor activity on our website generated via Facebook Pixel.

2.5 Other providers of web analytics and online marketing services

2.5.1 Integration of the Trusted Shops Trustbadge

The Trusted Shops Trustbadge is integrated on this website to display our Trusted Shops seal of approval and any collected reviews as well as to offer Trusted Shops products to buyers after an order.

This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in optimising marketing by enabling secure shopping in accordance with Art. 6 pcs. 1 sentence 1 lit. f GDPR. The Trustbadge and the services advertised with it are an offer from Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne. The Trustbadge is provided by a CDN provider (Content Delivery Network) as part of order processing. Trusted Shops GmbH also uses service providers from the USA. An appropriate level of data protection is ensured. Further information on data protection at Trusted Shops GmbH can be found here.

When the Trustbadge is called up, the web server automatically saves a so-called server log file, which also contains your IP address, the date and time of the call, the amount of data transferred and the requesting provider (access data) and documents the call. Individual access data is stored in a security database for the purpose of analysing security anomalies. The log files are automatically deleted no later than 90 days after creation.

Further personal data will be transferred to Trusted Shops GmbH if you decide to use Trusted Shops products after completing an order or if you have already registered to use them. The contractual agreement concluded between you and Trusted Shops applies. For this purpose, personal data is automatically collected from the order data. Whether you as a buyer are already registered for product use is automatically checked using a neutral parameter, the e-mail address hashed using a cryptological one-way function. The e-mail address is converted into this hash value, which cannot be decrypted by Trusted Shops, before transmission. After checking for a match, the parameter is automatically deleted.

This is necessary for the fulfilment of our and Trusted Shops' overriding legitimate interests in the provision of the buyer protection linked to the specific order and the transactional evaluation services in accordance with Art. 6 pcs. 1 sentence 1 lit. f GDPR. Further details, including on objection, can be found in the Trusted Shops Privacy Policy linked above and in the Trustbadge.

2.5.2 Use of etracker for web analysis

For the purpose of website analysis, technologies from etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany ("etracker") are used to automatically collect and store data (IP address, time of visit, device and browser information as well as information on your use of our website), from which user profiles are created using pseudonyms. Cookies may be used for this purpose. The pseudonymised user profiles are not merged with personal data about the bearer of the pseudonym without separate, express consent. etracker acts on our behalf.

2.5.3 Microsoft Claritiy

In the event of consent to statistical analysis, our website uses the "Clarity" service of Microsoft Corporation. Among other things, Clarity uses cookies, which enable us to analyse the use of our website, as well as a so-called tracking code. The information collected is transmitted to Clarity and stored there. According to Microsoft, this information can also be used for advertising purposes. See Microsoft Privacy Statements. For more information about Clarity, see Clarity's privacy policy.

2.5.4 Marketing automation with Mautic

We use Mautic on this website, an open source tool for marketing automation. It is an analysis and tracking software for the allocation and storage of usage data (e.g. browser used, last page visited, duration of visit). The software uses this information to personalise our marketing measures and better align them with the interests of each individual user. The software also helps us to better analyse the success of individual marketing measures. For this purpose, we have concluded an AV contract with our hoster for the Mautic marketing tool.

We use the open source marketing tool Mautic on our website, which is operated exclusively on servers in Germany. Data is not passed on to third parties. We collect and process data with Mautic only to the extent necessary to achieve our business objectives with you.

The way Mautic works is characterised by:

a) Email marketing and campaigns: In so-called e-mail marketing, personalised e-mails are sent to you. These are partly based on usage behaviour on the website, when reading our emails and when interacting with the links contained therein. We also send emails as part of campaigns. The allocation to the campaigns takes place through segmentation and tagging.

b) Personalised web links: In order to recognise whether, for example, a user calls up a link from an e-mail, Mautic adds a unique identifier to these links, which has previously been assigned to an individual user profile.

c) IP address: The IP address currently used by website visitors is transmitted to us each time our website is accessed. Mautic uses this to recognise users of the website.

d) Reports analyse the performance data on the recorded data and display it in aggregated form.

The data collected in the process is as follows:
- the activity on our website
- Number of page views and dwell time of the website visitor
- the click path of the respective visitor
- Downloads of files provided via the website
- Visits to landing pages
- Openings of emails from newsletters and campaigns

As part of a registration on the website, the provider collects data through the use of Mautic:

• Contact details (such as name, postal or e-mail address, telephone number)

• Business contact details (such as your job title, the name of a business, business email address, telephone or fax number).

• The IP address of the end device from which the website is used (a sequence of numbers that identifies your current computer connection on the Internet).

The released data is clearly recognisable for the user by filling out a form. The data required to send the form is labelled.

Mautic is only used if you have expressly given your consent to the use of so-called "first-party cookies" when using our website for the first time. You can revoke this consent at any time by contacting the contact person named above. In this case, all tracking data collected using Mautic will be deleted immediately.

3. social plugins from Facebook, Instagram, YouTube, LinkedIn and Xing

Social buttons from social networks are used on our website. These are only integrated into the page as HTML links so that no connection is established with the servers of the respective provider when our website is accessed. If you click on one of the buttons, the website of the respective social network will open in a new window of your browser where you can click on the Like or Share button, for example.

3.1 Our online presence on Facebook, Instagram, YouTube, LinkedIn and Xing

If you have given your consent to the respective social media operator in accordance with Art. 6 pcs. 1 sentence 1 lit. a GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presences on the above-mentioned social media, from which user profiles are created using pseudonyms. These can be used, for example, to place adverts within and outside the platforms that presumably correspond to your interests. Cookies are generally used for this purpose. For detailed information on the processing and use of data by the respective social media operator as well as a contact option and your rights and setting options for protecting your privacy, please refer to the providers' data protection notices linked below. If you still need help in this regard, you can contact us.

Facebook is an offer of Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook Ireland") The information automatically collected by Facebook Ireland about your use of our online presence on Facebook is usually transferred to a server of Facebook, Inc, 1601 Willow Road, Menlo Park, California 94025, USA and stored there. There is no adequacy decision by the European Commission for the USA. Our cooperation is based on standard data protection clauses of the European Commission. Data processing in the context of a visit to a Facebook fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.

Instagram is an offer of Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook Ireland") The information automatically collected by Facebook Ireland about your use of our online presence on Instagram is usually transferred to a server of Facebook, Inc, 1601 Willow Road, Menlo Park, California 94025, USA and stored there. There is no adequacy decision by the European Commission for the USA. Our cooperation is based on standard data protection clauses of the European Commission. Data processing in the context of visiting an Instagram fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.

YouTube is a service provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The information automatically collected by Google about your use of our online presence on YouTube is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there. There is no adequacy decision by the European Commission for the USA. Our co-operation is based on standard data protection clauses of the European Commission.

LinkedIn is a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"). The information automatically collected by LinkedIn about your use of our online presence on Pinterest is generally transmitted to a server of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA and stored there. There is no adequacy decision by the European Commission for the USA. Our cooperation is based on standard data protection clauses of the European Commission.

4. use of your data when creating a customer account and for contract processing

4.1 Data collection and use for contract processing

We collect personal data if you provide it to us personally as part of your order (e.g. via our contact form or by email) or voluntarily when opening a customer account. Mandatory fields and mandatory information such as the company name, address, contact details, telephone number or email address are labelled as such or communicated as such, as in these cases we require the data to process the contract or to open the customer account. Without this data, you will not be able to complete the order and/or open an account. Which data is collected can be seen from the respective input forms or will be communicated to you in person or on the telephone.

We use the data provided by you in accordance with Art. 6 pcs. 1 sentence 1 lit. b GDPR for contract processing. After completion of the contract or deletion of your customer account, your data will be restricted for further processing and deleted completely after expiry of the retention periods under tax and commercial law, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration. You can request the deletion of your customer account at any time by sending a message todatenschutz@ehlert-gmbh.detake place.

4.2 Data transfer

In order to fulfil the contract in accordance with Art. 6 pcs. 1 sentence 1 lit. b GDPR, we pass on your data to the shipping company commissioned with the delivery, insofar as this is necessary for the delivery of ordered goods.

Depending on which payment method you select to fulfil the contract, we will pass on the payment data collected for the processing of payments to the credit institution commissioned with the payment and, if applicable, to payment service providers commissioned by us.

After completion of the contract, your data processed for this purpose will be deleted, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted or required by law and about which we inform you in this declaration.

4.2.1 Data transfer to shipping service providers

If you have given us your express consent to this during or after your order, we will pass on your e-mail address and telephone number to the selected shipping service provider in accordance with Art. 6 pcs. 1 sentence 1 lit. a GDPR so that they can contact you before delivery for the purpose of delivery notification or coordination.

• DPD Deutschland GmbH, Wailandtstraße 1, 63741 Aschaffenburg

• DACHSER SE, Thomas-Dachser-Str. 2, 87439 Kempten

Consent can be revoked at any time by sending a message todatenschutz@ehlert-gmbh.de or to the shipping service provider at the contact address listed below. After cancellation, we will delete your data provided for this purpose, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

4.2.2 Credit assessment

If we make advance payments, e.g. when purchasing on account or SEPA direct debit, it is necessary to obtain identity and credit information from specialised service companies (credit agencies) for the conclusion of the contract in accordance with Art. 22 pcs. 2 lit. a GDPR. For this purpose, we transmit your personal data required for a credit check to the following company(ies)

• Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss

Appropriate measures to safeguard your rights, freedoms and legitimate interests will be taken into account. You have the opportunity to present your point of view and contest the decision by contacting the contact option described below. Detailed information on how Creditreform handles your data can be found here.

4.2.3 Card payment

You have the option of paying by debit or EC card in our shop. Your payment data will be processed by our payment service provider, Volksbank Bielefeld Gütersloh eG, under its own responsibility. Further information on data protection at Volksbank Bielefeld Gütersloh eG can be found here.

When paying by debit or EC card, we process your data in particular to execute the purchase contract (legal basis Art. 6 pcs. 1 lit. b GDPR), to fulfil legal obligations (legal basis Art. 6 lit. c GDPR) and to investigate fraud and other criminal offences (Art. 6 pcs. 1 lit. f GDPR) and our legitimate interest in protecting our assets and preventing payment defaults.

During the usual processing of a payment, no personal data is processed by us - except when using the electronic direct debit procedure. The checkout system only receives the information "payment made" and masked card data from the payment service provider, which has no reference to your person.

Your payment data is processed in a PCI DSS-compliant system certified for credit cards under the responsibility of the payment service provider. In particular, the payment service provider will read your card data (IBAN, BIC, card expiry date and card sequence number) through the payment terminal and process it with the payment data (date, time, amount of the payment, terminal ID, location, company and branch) to process the payment.

For auditing purposes, we also receive a file from our payment service provider with all transactions for a day, which also contains masked card data (and other anonymous data). This data is also anonymous and not personalised. We can use it to identify payment differences and allocate them to specific purchase transactions. In the event of a payment difference being identified, we can initiate a new execution of the payment by the payment service provider if necessary - again without personal reference for us.

For the above-mentioned purposes, your data will also be transmitted by the payment service provider to banks and, where applicable, to the bodies responsible for clearing and settling payments.

If we store your data at all for the above-mentioned purposes, it will generally be deleted when the claim has been settled or after the conclusion of any legal or official proceedings and any subsequent retention periods.

This deletion of the blocked file will be cancelled upon full payment of the amount to be paid or if there is a justified revocation; otherwise the file will be deleted after 3 years.

4.2.4. electronic direct debit procedure

When using the electronic direct debit procedure (SEPA direct debit procedure), you sign a SEPA direct debit mandate with which you grant us a direct debit authorisation for the outstanding payment and instruct your bank to provide us, or our payment service provider, with your contact details to assert the claim if the direct debit is not honoured. We will retain the direct debit mandate signed by you as proof that the direct debit authorisation has been issued and that your bank has given its consent for us to pass on your contact details in the event that we need to assert our corresponding rights. In addition, we retain the receipts to fulfil legal obligations, in particular retention periods in accordance with Sections 257 HGB and 147 AO. We may also use the receipts to investigate and prosecute fraud and other criminal offences.

For these purposes, we may pass on the receipt or the data contained therein to the extent necessary, in particular to debt collection companies, lawyers, courts and law enforcement authorities. The direct debit vouchers are destroyed on a regular basis after the statutory retention periods have expired.

4.2.4.1 Only in the case of a return debit note

If a direct debit is not honoured or is reversed by your bank, we will receive notification of this from our bank (so-called return debit data). With this notification, we also receive information on the reason for the non-debit (objection, no information) as well as your IBAN and BIC, the amount outstanding and the corresponding 27-digit code number. This "returned direct debit data" enables us to determine the data necessary to assert the claim against you ("claim data"), in particular to find the relevant receipt and to determine your contact details via your bank using your declaration of consent on the receipt.

We use this chargeback and claim data to assert our claim against you. We may also use it to investigate and prosecute fraud and other criminal offences. For these purposes, we may pass on this data to the extent necessary, in particular to debt collection agencies, lawyers, courts and law enforcement authorities. We may also use your data to fulfil any retention periods.

4.2.5 Collection procedure

In order to protect our interest in the settlement of outstanding claims, we transmit data to our debt collection company, Creditreform Boniversum GmbH, Hellersbergstraße 11, 41460 Neuss, Germany, on the basis of Art. 6 (1) sentence 1 lit. f of the General Data Protection Regulation (GDPR).

Appropriate measures to safeguard your rights, freedoms and legitimate interests will be taken into account. You have the opportunity to present your point of view and contest the decision by contacting the contact option described below. Detailed information on how Creditreform handles your data can be found here.

From a data protection point of view, personal data cannot be deleted from the debt collection company before it has been clarified under civil law whether a claim actually exists and, if so, in what amount.

4.3 Advertising

4.3.1 Postal advertising

We reserve the right to use your first name, surname and postal address for our own advertising purposes, e.g. to send you interesting offers and information about our products by post. This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in a promotional approach to our customers in accordance with Art. 6 pcs. 1 sentence 1 lit. f GDPR

4.3.2 E-mail advertising with registration for the newsletter

If you register for our newsletter, we will use the data required for this or separately provided by you to regularly send you our e-mail newsletter based on your consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR.

Unsubscribing from the newsletter is possible at any time and can be done either by sending a message to the contact option described below or via a link provided for this purpose in the newsletter. After unsubscribing, we will delete your e-mail address unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

The newsletter is sent as part of processing on our behalf by a service provider to whom we pass on your e-mail address for this purpose.

This service provider is located within a country of the European Union or the European Economic Area.

We use Newsletter2Go as software and service provider for sending our newsletter. As part of this registration, you agree that the data you enter will be transmitted to Sendinblue GmbH. Please note the data protection provisions and general terms and conditions of Sendinblue GmbH.

4.4 Video surveillance

To protect our property, to investigate theft and security-related incidents and to use recordings as evidence in judicial and extrajudicial proceedings, our company premises are under video surveillance.

The legal basis for the processing of video recordings is Art. 6 pcs. 1 lit. f EU General Data Protection Regulation (GDPR). This states that video surveillance of the company premises and facilities is permitted in order to safeguard the legitimate interests of the company or a third party, unless the interests or fundamental rights and freedoms of data subjects requiring the protection of personal data take precedence.

A legitimate interest arises from internal organisational and administrative purposes, to protect the company's facilities, equipment and assets and from the company's interest in compensation and legal prosecution in the event of damage and criminal offences. In contrast, there is no overriding interest of the data subjects in the protection of their fundamental rights and freedoms.

The recordings may be transferred to law enforcement agencies as evidence for the purpose of prosecution or transferred to lawyers, agents or experts for the enforcement of civil claims and used in court and disclosed to contractors or security services providing a service to us, including insurers and consultants, for legitimate purposes.

If you have any concerns or questions about the processing of your personal data and information, you can contact the company address stated under point 4.2. or the company data protection officer or the competent supervisory authority for data protection.

The video recordings are stored for 72 hours (3 days). The retention period results from the necessity of the video recording to check the stock of goods, inventory control, the investigation of theft or the investigation of traffic accidents on the company premises. The recordings are analysed on an ad hoc basis in the case of events that require investigation. In these cases, the recordings can be transmitted to lawyers, law enforcement authorities and courts or used to enforce civil claims and stored for a longer period of time depending on the duration of the proceedings.

5. information on the processing of your applicant data

We hereby inform you about the processing of your personal data in the application process by Gustav Ehlert GmbH und Co KG and the rights to which you are entitled under data protection law.

5.1 What happens to your applicant data?

We attach particular importance to the protection of your personal data and are obliged to comply with the legal requirements on data protection in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act (BDSG new).

We process your applicant data on the basis of § 26 pcs. 1 BDSG new. We have taken technical and organisational measures to protect your data against accidental or intentional manipulation and unauthorised access.

In the following, we would like to inform you about the use of your personal data within the application process in our company. Personal data at Gustav Ehlert GmbH & Co. KG is subject to restrictive access control, which ensures that only authorised persons can access your data.

Your applicant data will only be used by the body processing the application (usually the HR department and head of department of the target department) within the application process. Your data will be used exclusively for the application process. Your applicant data will not be used for any other purpose or passed on to third parties.

If we intend to process your applicant data for other purposes (e.g. inclusion in a talent pool), we will obtain separate consent from you in advance. Such consent is voluntary and can be revoked at any time without giving reasons.

5.2 What data protection rights can you assert as a data subject?

You can request information about the personal data stored about you at the address given under point 4.

In addition, under certain conditions you can request the correction or deletion of your data.

You may also have the right to restrict the processing of your data and the right to receive the data you have provided in a structured, commonly used and machine-readable format.

5.2 Right of objection

You have the right to object to the processing of your personal data for direct marketing purposes without giving reasons.

If we process your data to protect legitimate interests, you can object to this processing on grounds relating to your particular situation.

We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.

5.4 Where can you complain?

You have the option of contacting our data protection officer with a complaint by email todatenschutz@ehlert-gmbh.de or to a data protection supervisory authority.

5.5 How long will your data be stored?

We delete your personal data as soon as it is no longer required for the defined purpose of processing your application.

After completion of the application process, they will be deleted immediately, at the latest after 6 months, in compliance with data protection regulations.

In exceptional cases, personal data may be retained for the period during which claims can be asserted against us (statutory limitation period of three or up to thirty years).

6. contact options and your rights

6.1 As the data subject, you have the following rights:

• in accordance with Art. 15 GDPR, the right to request information about your personal data processed by us to the extent specified therein

• in accordance with Art. 16 GDPR, the right to demand the immediate correction of incorrect or incomplete personal data stored by us

• in accordance with Art. 17 GDPR, the right to request the erasure of your personal data stored by us, unless further processing is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation; for reasons of public interest or for the establishment, exercise or defence of legal claims;

• in accordance with Art. 18 GDPR, the right to demand the restriction of the processing of your personal data if the accuracy of the data is disputed by you; the processing is unlawful, but you refuse to delete it; we no longer need the data, but you need it for the assertion, exercise or defence of legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;

• in accordance with Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller;

• in accordance with Art. 77 GDPR, the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

Please contact us directly if you have any questions about the collection, processing or use of your personal data, if you require information, correction, blocking or deletion of data or if you wish to revoke your consent or object to a specific use of data:

6.2 Centre responsible for data collection

GUSTAV EHLERT GMBH & CO. KG
Schinkenstr. 9, 33415 Verl
Phone: 05246 503000
Fax: 0800 50300 40
e-mail:datenschutz@ehlert-gmbh.de

Managing Directors: Martin Ehlert, Tobias Ortkras, Philipp Ehlert
Commercial register: Gütersloh HRA 2400
General partner Ehlert Beteiligungsgesellschaft mbH
Gütersloh HRB 1252
Sales tax identification number: DE 126774840

6.3 Company data protection officer

SW-C Schönwälder Consulting
Jörg Schönwälder
e-mail:datenschutz@ehlert-gmbh.de

Competent supervisory authority

6.4 State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia

Helga Block
Kavalleriestr. 2-4, 40213 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-10
e-mail:poststelle@ldi.nrw.de

6.5 Right of objection

If we process personal data as explained above in order to safeguard our legitimate interests, which are overriding in the context of a balancing of interests, you can object to this processing with effect for the future. If the processing is carried out for direct marketing purposes, you can exercise this right at any time as described above. If the processing is carried out for other purposes, you only have the right to object on grounds relating to your particular situation.

After exercising your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims.

This does not apply if the processing is for direct marketing purposes. In this case, we will no longer process your personal data for this purpose.