Privacy notice according to the GDPR

I. Name and address of the controller

The controller in accordance with the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection regulations is:

Neumann&Müller GmbH & Co.KG
Zeppelinstr. 126
73730 Esslingen
Germany
Tel.: +49 711 305 29 100
E-mail: info@neumannmueller.com
Website: www.neumannmueller.com

II. Name and address of the data protection officer

The controller's data protection officer is:

Thomas Brehm
BBS Bier Brehm Spahn Partnerschaft Rechtsanwälte 
Brandstwiete 46
20457 Hamburg 
Germany
Tel.: +49 40 34 9999 014
E-mail: bt@bbs-law.de
Website: www.bbs-law.de

III. General information on data processing

1. Scope of processing of personal data

We only collect and use the personal data of our users insofar as this is necessary to provide a functional website as well as our content and services. Personal data is only collected and used on a regular basis after the user has given consent. Exceptions only apply in cases in which it is not possible to obtain prior consent for factual reasons and processing of the data is permitted by statutory regulations. 

2. Legal basis for processing personal data

If we obtain consent from the data subject for processing operations relating to personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.

Article 6(1)(b) GDPR serves as the legal basis when processing personal data necessary for the performance of a contract to which the data subject is party. This also applies to processing operations that are necessary to take steps before entering into a contract.

If the processing of personal data is necessary for complying with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.

If interests essential for the life of the data subject or that of another natural person necessitate the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

If processing is necessary to uphold the legitimate interests of our company or those of a third party and if such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR applies as the legal basis for processing. 

3. Data erasure and storage period

The personal data of the data subject will be erased or made unavailable as soon as the purpose for storage no longer applies. Data may be stored for a longer period if provided for by European or national legislators in Union regulations, laws or other rules to which the data subject is subject. Data will also be made unavailable or erased when a maximum storage limit prescribed by the stated standards expires unless continued storage of the data is necessary for the purpose of entering into a contract or performance of a contract.

IV. Provision of the website and creation of log files

1. Description and scope of data processing

Every time our website is visited, our system automatically records data and information regarding the system of the computer through which our website is accessed. 

The following data is collected:

  1. Information on the type of browser and the version used
  2. The user's operating system
  3. The user's Internet service provider
  4. The user's IP address (anonymized)
  5. Date and time of access
  6. Websites from which the user's system accesses our website 
  7. Websites accessed by the user's system via our website

This data will also be stored in our system's log files. This does not apply to the user's IP addresses or other data that enables data to be traced back to a user. This data is not stored together with other personal data of the user.

2. Legal basis for data processing 

Article 6(1)(f) GDPR is the legal basis for temporary data storage. 

3. Purpose of data processing

The system needs to temporarily store the IP address to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. 

4. Duration of storage

The data will be erased as soon as it is no longer needed to achieve the purpose for which it was collected. With regard to data collected for the purpose of making the website available, this will be when the session is ended. 

5. Opportunity to object and remove

The collection of data for the purpose of making the website available and the storage of data in log files are essential for the purpose of operating the website. The user therefore has no opportunity to object. 

V. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser of the user's computer system. If a user accesses a website, a cookie can be stored in the user's operating system. This cookie contains a characteristic sequence of characters that enables unique identification of the browser when the website is accessed again. Unless otherwise stated in this privacy notice, the purpose of processing is to make our website available in line with actual needs and tailored to our users.

2. Legal basis for data processing 

Article 6(1)(f) GDPR is the legal basis for the processing of personal data using cookies.

3. Duration of storage, opportunity to object and remove

Cookies are stored on the user's computer and transmitted by the user's computer to our website. You as the user therefore have complete control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been stored can be deleted at any time. This can be done automatically. If cookies are deactivated for our website, it may no longer be possible to use the full range of functions available on the website.

VI. Google Analytics

This website uses Google Analytics, a Web analysis service from Google Inc. ("Google"). Google Analytics uses "cookies", text files that are stored on your computer and enable analysis of your use of the website. The information generated by the cookie about your use of the website will normally be transmitted to and stored by Google on servers in the United States. If IP anonymization is activated on this website, however, your IP address will first be truncated by Google from within Member States of the European Union or from within any other country which is party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of this website for purposes of evaluating your use of the website, compiling reports on website activity and providing the website operator with other services relating to website use and Internet usage.

The IP address transferred by your browser during the use of Google Analytics will not be combined with any other data held by Google.

You can prevent the storage of cookies by selecting an appropriate setting in your browser software. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent the collection of data that is generated by the cookie and related to your use of the website (including your IP address) for Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: tools.google.com/dlpage/gaoptout.

This website uses Google Analytics with the extension "_anonymizeIp()", IP addresses being truncated before further processing in order to rule out direct associations to persons. If the data collected about you can be associated with you, this possibility will be eliminated immediately and the personal data erased without undue delay.

We use Google Analytics so that we can analyse and regularly improve usage of our website. The statistics we obtain help us to improve our offering and make it more interesting for you as a user. With respect to the exceptional cases in which personal data is transferred to the USA, Google has signed up to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework. Article 6(1)(f) GDPR is the legal basis for the use of Google Analytics.

Information on the third-party vendor: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, fax: +353 (1) 436 1001. Terms of service: www.google.com/analytics/terms/de.html, overview of data protection: www.google.com/intl/de/analytics/learn/privacy.html, and the privacy policy www.google.de/intl/de/policies/privacy.

VII. Newsletter

1. Description and scope of data processing

On our website you can subscribe to a free newsletter. When registering for the newsletter, the data from the input mask is transmitted to us.

  1. E-mail address (mandatory field)
  2. First and last name

No data is forwarded to third parties in connection with data processing for the purpose of sending newsletters. The data is used exclusively for sending the newsletter.

2. Legal basis for data processing

If the user has given consent, Article 6(1)(a) GDPR is the legal basis for processing data once the user has registered for the newsletter.

3. Purpose of data processing

The user's e-mail address is collected for the purpose of delivering the newsletter. 

Other personal data is collected during the registration procedure to prevent misuse of the services or of the e-mail address used.

4. Duration of storage

The data will be erased as soon as it is no longer needed to achieve the purpose for which it was collected. In accordance with the above, the user's e-mail address will be stored for as long as the subscription to the newsletter is active. 

The other personal data collected in connection with the registration procedure will normally be erased after a period of seven days.

5. Opportunity to object and remove

The user concerned can cancel the subscription to the newsletter at any time. The newsletter contains a corresponding link for this purpose. 

This also enables withdrawal of the consent to store the personal data collected during the registration procedure.

VIII. Contact form and e-mail contact

1. Description and scope of data processing

On our website there is a contact form that can be used for contact by electronic means. If a user makes use of this option, the data entered in the input mask is transmitted to us and stored. This data is:

  1. First and last name
  2. Company
  3. Telephone number
  4. E-mail address (mandatory)
  5. Subject
  6. Attachments
  7. Free text field (mandatory)

At the time the message is sent, the following data will also be stored:

  1. The user's IP address
  2. Date and time of registration
  3. Time taken to write the e-mail
  4. User's operating system
  5. User's browser

Your consent to process the data will be requested during the sending procedure and your attention will be drawn to this Privacy Notice.

Alternatively, you can contact us via the e-mail address provided. In this case, the user's personal data transmitted with the e-mail will be stored. 

Data will not be forwarded to third parties in this context. The data will be used exclusively for the purpose of processing the dialogue.

2. Legal basis for data processing 

If the user has given consent, Article 6(1)(a) GDPR is the legal basis for processing data.

Article 6(1)(f) GDPR is the legal basis for the processing of data transmitted when sending an e-mail. Article 6(1)(b) GDPR is the additional legal basis for processing if the aim of the e-mail contact is to enter into a contract.

3. Purpose of data processing

The sole purpose of processing personal data from the input mask is to deal with your contact with us. If you contact us by e-mail, a legitimate interest in the processing of the data applies.

The purpose of the other personal data processed during the sending procedure is to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be erased as soon as it is no longer needed to achieve the purpose for which it was collected. This is the case regarding the personal data from the input mask of the contact form and that sent by e-mail when the respective dialogue with the user is ended. The dialogue is ended when the circumstances indicate that the matter concerned has been finally settled. 

The additional personal data collected in connection with the sending procedure will be erased after a period of seven days at the latest.

5. Opportunity to object and remove

The user can withdraw his/her consent to process personal data at any time. If the user contacts us by e-mail, he/she can object to the storage of his/her personal data at any time. In such a case, the dialogue cannot be continued.

The user can contact us by e-mail, by post or by telephone to object to the use of his/her data.

All personal data stored in the course of making contact will be erased in this case.

IX. Application procedure

We collect and process personal data from applicants for the purpose of handling the application procedure. If the applicant is selected for an interview, the data transferred will be stored and processed in compliance with statutory regulations for the purpose of handling the onboarding process or for carrying out the application procedure. If the application is not successful, we will automatically delete the application documents three months after giving notification of rejection provided that we have no other legitimate interests for not erasing the data, for example because the documents transferred to us are required for the purpose of a legal defence. Section 26 of the German Data Protection Act (Bundesdatenschutzgesetz, BDSG) is the legal basis for processing personal data for the purpose of applications.

X. Rights of the data subject

If your personal data is processed, you are a data subject pursuant to GDPR and you have the following rights vis-à-vis the controller:

1. Right to information

You can demand confirmation from the controller as to whether personal data concerning you is processed by us. 

If that is the case, you can demand information from the controller regarding the following:

  1. The purposes of the processing
  2. The categories of personal data concerned
  3. The recipients or categories of recipient to whom the personal data concerning you have been or will be disclosed
  4. The envisaged period for which the personal data concerning you will be stored, or, if no specific information can be given on this point, the criteria used to determine that period
  5. The existence of the right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or the right to object to such processing 
  6. The existence of the right to lodge a complaint with a supervisory authority
  7. Where the personal data is not collected from the data subject, any available information as to their source
  8. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

You have the right to demand information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this regard, you can demand to be informed about the appropriate safeguards according to Article 46 GDPR in connection with such transfer.

2. Right to rectification 

If the personal data concerning you is incorrect or incomplete, you have the right to demand that the controller correct or complete such data. The controller shall carry out the correction without undue delay.

3. Right to restriction of processing

You have the right to restriction of the processing of the personal data concerning you, where one of the following applies:

  1. If you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data
  2. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead
  3. The controller no longer needs the personal data for the purposes of the processing, but you require the personal data for the establishment, exercise or defence of legal claims
  4. If you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override your own

Where processing of the personal data concerning you has been restricted, such personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If processing has been restricted pursuant to the above preconditions, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase

You can demand from the controller that personal data concerning you is erased without undue delay and the controller has the obligation to erase this data without undue delay where one of the following grounds applies:

  1. The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  2. You withdraw your consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a) GDPR and where there is no other legal ground for the processing
  3. You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR
  4. The personal data concerning you has been unlawfully processed 
  5. The personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject 
  6. The personal data concerning you has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR

b) Notification to third parties

If the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) GDPR to erase such personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers who are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, this personal data. 

c) Exceptions

The right to erasure does not apply to the extent that processing is necessary:

  1. For exercising the right of freedom of expression and information
  2. For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  3. For reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) as well as Article 9(3) GDPR
  4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing
  5. For the establishment, exercise or defence of legal claims

5. Right to be notified

If you have established the right to rectification, erasure or restriction of processing with the controller, the controller is obliged to communicate this rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you has been disclosed, unless this proves impossible or involves disproportionate effort.

You may request that the controller inform you about those recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit such data to another controller without hindrance from the controller to whom the personal data was provided, where:

  1. The processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and
  2. The processing is carried out by automated means

In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority with which the controller has been vested.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f), including profiling based on those provisions.

The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing is for the establishment, exercise or defence of legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

8. Right to withdraw declaration of consent based on data protection law

You have the right to withdraw your declaration of consent based on the data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing carried out up to the time of withdrawal.

9. Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This applies if the decision: 

  1. Is necessary for entering into, or performance of, a contract between you and the data controller
  2. Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests
  3. Is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2) (a) or (g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

With regard to the cases referred to in 1. and 3., the controller will implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you will have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes GDPR. 

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

You can find our Data Protection Guideline here.