Concerning data protection
The following information will explain how our company, Nordmann, Rassmann GmbH, processes your data in the interest of responsible administration. To support both transparency and understanding, this declaration will also provide an overview of our company’s data processing policy. Additionally – and in order to ensure fair processing – we would also like to inform you of your rights under the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG).
Data processing is handled by Nordmann, Rassmann GmbH, located at Kajen 2, 20459 Hamburg (hereinafter referred to as “we” or “us”).
1. General information
a) Contact information
Should you have any questions or concerns about the following information, or if you would like to get in touch with us in order to exercise your rights, please contact us at:
Nordmann, Rassmann GmbH
Kajen 2, 20459 Hamburg, Deutschland
Phone: +49 40 36 87-0
Fax: +49 40 36 87 249
b) Data Protection Officer (DPO)
The contact details for our DPO are:
Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg
2. General information on data processing
Under data protection law, the term “personal data” refers to all the information relating to a specific or identifiable person. IP addresses can also be considered personal data, as a specific IP address is assigned to each electronic device when it is connected to the Internet by an internet provider so that the device may send and receive data. When you visit our company website, we collect information that you yourself provide. In addition, certain information about your use of the website is automatically collected during your visit.
We process personal data in compliance with relevant data protection regulations, in particular the GDPR and the BDSG. Data will only be processed by us on the basis of legal provisions. When using this website, we only process personal data given with your consent (GDPR Article 6 [a]), to fulfil a contract to which you are a party or upon your request to carry out pre-contractual measures (GDPR Article 6 [c]), to fulfil a legal obligation (GDPR Article 6 [c]) or if the processing is necessary to protect the legitimate interests of either our company or a third party – unless your interests, fundamental rights or freedoms (which require the protection of personal data), take precedence (GDPR Article 6 [f]). If you apply for work at our company, we also process your personal data so that we may consider establishing an employment relationship with you (BDSG §26).
a) Duration of storage
Unless otherwise stated hereinafter, we store personal data only as long as necessary to achieve the purposes of processing or to fulfil our contractual or statutory obligations. In particular, such statutory retention obligations may arise from commercial or tax regulations.
b) Technical service providers
Unless otherwise stated hereinafter, personal data is processed on the servers of technical service providers that we have commissioned for this purpose. These service providers process the data only after express instructions are given and are contractually obliged to guarantee appropriate technical and organizational measures for data protection. Some of the operations that may be carried out by our service providers include, for example, hosting, sending e-mails, IT system maintenance and support, customer and order management, order processing, accounting and billing, marketing tasks and/or destroying files and data carriers.
A commissioned processor is an individual or legal entity, authority, institution or other body that processes personal data on behalf of a data controller. Processors do not use the data for their own purposes but carry out data processing exclusively for the data controller and are contractually obligated to ensure the observation of appropriate technical and organizational measures for data protection.
We may transfer your personal data to other bodies such as postal and delivery services, our house bank, tax consultancy/auditing company and/or the financial authorities. Additional recipients may result as stated below in Section 2c, “Transfer of data to third countries”.
c) Transfer of data to third countries
Our data processing procedures may involve the transfer of certain personal data to third countries, i.e. countries in which the GDPR is not a binding law. Any such transfer is permissible if the European Commission has determined that an adequate level of data protection is required in the country in question. If an adequacy decision such as this has not yet been granted by the European Commission, transfer of personal data to a third country will only occur if appropriate safeguards exist (pursuant to GDPR Article 46) or if one of the conditions of GDPR Article 49 is met.
Unless otherwise stated below, we employ the EU-standard data protection clauses as appropriate safeguards for the transfer of personal data to third countries. You have the option of receiving a copy of these EU standard data protection clauses and/or inspecting them. To do so, please contact us using any of the contact details provided in Section 1a, “Contact information”.
If you consent to the transfer of your personal data to third countries, this will take place on the legal basis provided for by Article 49 (1) of the GDPR.
d) Your rights
As a data subject, you have rights concerning your data and may exert them at any time. These rights include:
- the right to request information concerning whether and to what extent we process your personal data (GDPR Article 15, BDSG §34)
- the right to ask us to correct your data, in accordance with GDPR Article 16
- the right to request deletion of your personal data, in accordance with GDPR Article 17 and BDSG §35
- the right to have the processing of your personal data restricted, in accordance with GDPR Article 18
- the right, in accordance with GDPR Article 20, to receive the personal data concerning you and which you have provided us with in a structured, current and machine-readable format and to transmit this data to another person responsible
Should you choose to exert your rights in accordance with Articles 15 to 22 of the GDPR, this will require us to process the personal data provided for the purpose of implementing these rights and to be able to provide evidence thereof. Stored data will only be processed for the purpose of providing information, for preparing it for this purpose and for data protection control purposes. Otherwise, we will restrict processing in accordance with GDPR Article 18.
These processing procedures are legally supported by GDPR Article 6 (1)(c), GDPR Articles 15 to 22 and BDSG §34 (2).
e) Right of refusal
In accordance with Article 21 of the GDPR, you have the right to appeal against any data processing that occurs based on Article 6 (1)(e) or (f) of the GDPR. If we process personal data about you for the purpose of direct advertising, you may object to this pursuant to GDPR Article 21 (2) and (3).
f) Withdrawal of consent
If you have provided us with a separate declaration of consent for data processing, you can revoke it at any time in accordance with Article 7 (3) of the GDPR. However, such revocation does not affect the legality of data processing which took place prior to this action and which was based on consent.
g) Official complaints
If you believe that the processing of your personal data violates the provisions stated in the GDPR, you have the right to appeal to a supervisory authority in accordance with Article 77.
3. Processing server logs
When using our website solely for informational purposes, general information that your browser transmits to our server will initially be stored automatically (i.e. not via specific registration). By default, this information includes browser type/version, operating system used, accessed page, the previously visited page (referrer URL), IP address, date and time of the server request and HTTP status code.
There is no permanent log on our web server. However, IP addresses are stored on the firewall for 14 days. Processing is carried out to protect our company’s legitimate interests and on the legal basis provided for in Article 6 (1)(f) of the GDPR. This processing serves to support the technical administration and security of the website.
4. Online contact form and inquiries
Our website features a contact form which you can use to send us messages. When you do, the transfer of your data is encrypted (indicated by the “https” that appears in the address bar of your browser). All of the data fields which are marked as mandatory are required in order to process your contact request. If you do not provide us with this data, we will not be able to process your message. The provision of any further data here is entirely voluntary. Alternatively, you can opt to send us messages via e-mail using the e-mail address given. In this case, we process only the data needed in order to respond to your inquiry.
If your request relates to establishing or fulfilling a contract with us, the legal basis for processing data in this way is provided for by Article 6 (1)(b) of the GDPR. Otherwise, we process data to support our legitimate interest in answering inquiries. The legal basis for this is provided for by Article 6 (1)(f) of the GDPR.
In order to use all features of the website to the full extent, it is necessary to register on the website itself. The information required for registration can be seen in the corresponding input screen. Certain information is marked as mandatory, as this information is necessary for the registration to be completed. The data provided will then be processed for the purpose of providing the service. The legal basis for this is Article 6(1)(b) of the GDPR.
6. Applying for jobs through our website
You have the option of applying for employment via our website on the Jobs page. For this purpose, it is necessary for us to collect personal data from you such as your name, address, telephone number and e-mail address in addition to your uploaded application documents.
The personal data submitted with your application will only be processed for purposes in connection with your interest in a current or future position of employment with us and in order to process your application. Your online application will only be processed and viewed by the pertinent recruiting officers at our company. All employees entrusted with these data processing duties are obliged to maintain the confidentiality of your data.
If we are unable to offer you employment, we will keep the information you provide for up to six months after the application process has been completed in order to answer any questions relating to your application and/or its refusal. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence and/or if you have expressly agreed to longer storage.
The legal basis for data collection in this regard is BDSG §26 (1)(1). If we keep your application data for a period of six months and you have expressly consented to this, we would like to point out that this consent can be freely revoked at any time in accordance with GDPR Article 7 (3). However, this does not affect the legality of any data processing which occurred prior to such revocation and which was based on previous consent.
8. Consent Management Tool
The Nordmann website uses the Consent Management Tool CCM19 from Papoo Software & Media GmbH (Germany/EU) to control cookies and the processing of personal data.
The consent banner displayed on our website enables users to consent to certain data processing procedures or to revoke consent they have given. By clicking the “I accept” button or by saving individual cookie settings, you consent to the use of the associated cookies. The legal basis for this under data protection law is the consent you give within the scope of Art. 6 (1)(a) of the GDPR.
In addition, the banner helps us to provide evidence of the declaration of consent. For this purpose, we process information concerning the declaration of consent and other log data relating to it. Cookies are also used to collect this data. The processing of such data is necessary in order for us to prove that consent has been given. This is based on our legal obligation to document your consent, as provided for by Article 6 (1)(c) and Article 7 (1) of the GDPR.
To adjust cookie settings, please click on the cookie icon in the bottom left corner of the screen.
9. Integrated services and third-party content
We use services and content on our website that are provided by third parties (hereinafter collectively referred to as “content”). For this integration to work, processing your IP address is necessary for the content to be sent to your browser. Your IP address will therefore be transmitted to the respective third-party provider.
Such data processing is carried out in each case – unless otherwise stated below – to protect our company’s legitimate interests in both the optimization and economic operation of our website as per Article 6 (1)(f) of the GDPR.
We have incorporated content from the following third-party services on our website:
a) Google Maps
We use Google Maps services (provided by Google Ireland Limited [Ireland/EU]) for displaying maps and supporting virtual tours. Processing your IP address is a technical necessity for the content to be sent to your browser and viewed. Your IP address is therefore transmitted to Google and Google may set its own cookies. The processing of your data in this way is based on your consent according to Article 6 (1)(a) of the GDPR.
We use services from YouTube (provided by Google Ireland Limited [Ireland/EU]) to integrate videos. Processing your IP address is a technical necessity for the content to be sent to your browser and viewed. Your IP address is therefore transmitted to Google and Google may set its own cookies. We use YouTube in extended data protection mode so that no cookies are set by YouTube to analyze user behavior. The processing of your data in this way is based on your consent according to Article 6 (1)(a) of the GDPR.
We use services from Vimeo Inc. (USA) on our website to integrate videos. Processing your IP address is a technical necessity for the content to be sent to your browser and viewed. Your IP address is therefore transmitted to Vimeo and Vimeo may set its own cookies. The processing of your data in this way is based on your consent according to Article 6 (1)(a) of the GDPR.
d) Friendly Captcha
The Nordmann website uses the Friendly Captcha tool provided by Friendly Captcha GmbH (Germany/EU). To protect the website from spam and abuse, this tool is used for all our contact forms. For the tool to work, processing your IP address is a technical necessity so that a connection to Friendly Captcha’s servers can be established and content sent to your browser. Your IP address is therefore processed by Friendly Captcha on our behalf and replaced by a hash value immediately following collection. We use the Friendly Captcha service for security reasons to check whether form entries are made by an actual person. In this way, automated access attempts and attacks can be detected and blocked.
We are required by law to take certain technical and commercially reasonable measures to ensure the security of our website. You can prevent this type of data processing at any time by adjusting the settings of your browser or of certain browser extensions. An example of such an extension is the Matrix-based firewall uMatrix, used for Firefox and Google Chrome browsers. Please note that doing so may result in functional restrictions on our website. The processing of your data is based on Article 6 (1)(c) and Article 32 of the GDPR and BDSG §19 (4).
e) Google Analytics
Some of this data is information that is stored in the device you are using. Additional information is also stored on your device via the cookies used. This type of information storage, or access to information that is already stored on your device by Google Analytics, only takes place with your consent.
Google Ireland uses this information on our behalf to evaluate the use of our company’s online offering, to compile reports concerning website activity on our homepage and to provide us with further services that are associated with the use of our website and the Internet. Pseudonymous user profiles can be created using the processed data.
The setting of cookies and further processing of the personal data described here is done with your consent, and the legal basis for data processing in connection with Google Analytics service is GDPR Article 6 (1)(1a). You may revoke consent of future processing at any time using our Consent Management Tool.
The personal data processed on our behalf to enable Google Analytics may be transferred to any country in which Google Ireland or Google Ireland’s sub-processors maintain facilities. Please refer to Section 2c “Transfer of data to third countries”.
We use Google Analytics 4 to process data, which allows us to track interaction data from different devices and from different sessions. In turn, this enables us to put individual user actions into context and to analyze long-term use of the website.
Data concerning user activity is stored for a period of 14 months and then automatically deleted. All other event data is stored for two months and then automatically deleted. The deletion process takes place once a month for all data whose storage period has expired.
10. Nordmann News publication
On our website, we offer you the possibility of subscribing to our newsletter, Nordmann News. By receiving a digital copy of our Nordmann News publication, you can ensure that you stay up to date and receive important product and market information regularly in a brief and compact way. After you register, we will not only keep you updated on the latest product highlights from our portfolio, but also provide you with expert knowledge on industries and trends, share our company insights and make sure you stay informed about important events. You only need a valid e-mail address to register for the newsletter; to verify the address, you will receive an e-mail that asks you to click a confirmation link (double opt-in).
If you subscribe to the newsletter through our website, please note that we process personal data such as your e-mail address and name based on the consent you provide us. The legal basis for this is found in Article 6 (1) of the GDPR. You can revoke this consent at any time, e.g. by clicking “unsubscribe” in the newsletter or by contacting us through one of the channels mentioned above. However, the legality of the data processing operations carried out prior to the withdrawal of consent shall remain unaffected.
When an individual registers for the newsletter, we store the associated IP address as well as the date and time of registration. Processing this data is necessary in order to prove that consent has been given. The legal basis for this is found in Article 6 (1)(c) and Article 7 (1) of the GDPR.
We analyze reading-related data and the opening rates of our newsletter as well as data generated during the delivery and retrieval of our e-mails (delivery rates, opening rates, click rates, unsubscribe rates, bounce rates, visits, completions) in an aggregated and anonymized form in order to measure the use and success of our newsletter e-mails. The legal basis for this is found in Article 6 (1)(f) of the GDPR, and the processing of this data serves the legitimate interest that our company has in optimizing the Nordmann News publication. You can object to this at any time through any of the above-mentioned contact channels.
We also evaluate the data generated when you retrieve and use our newsletter e-mails (time of opening, hyperlinks clicked, documents downloaded) as well as data on downstream websites in combination with your e-mail address in order to send you individualized content in the future, taking your interests and needs into account in the best possible way. We use both the anonymous and personal data collected to provide you with personalized content in our promotional e-mails. The legal basis for such data processing in the context of e-mails is found in Article 6 (1) of the GDPR.
You can withdraw your consent at any time, e.g. by clicking “unsubscribe” in the newsletter or by contacting us through one of the channels mentioned above.
To manage subscriptions, dispatch our newsletter and handle analysis, we employ the services of Sendinblue GmbH (Germany/EU). For these purposes, your e-mail address will be transmitted by us to the service provider. Should you not wish your data to be processed by Sendinblue, do not subscribe to the newsletter. Alternatively, if you already have a subscription to Nordmann News, unsubscribe. For more information about how Sendinblue processes your data, please visit: https://de.sendinblue.com/legal/privacypolicy/
11. Customer satisfaction surveys
You can participate in surveys on various topics on our website and through our newsletters. In each case, participation is voluntary.
Processing personal data in these instances is carried out on the basis of your consent pursuant to GDPR Article 6 (1)(a). You can revoke your consent at any time with effect for the future. Please note that this type of data processing may relate to our company's legitimate interest in improving the operations of our website and in learning your interests. The legal basis for this is Article 6 (1)(f) of the GDPR.
We use the Easy Feedback service provided by easyfeedback GmbH (Germany/EU) to conduct our surveys. For more information on easyfeedback GmbH’s data processing practices, please visit: https://easy-feedback.de/privacy/datenschutz/
12. Customer data and data from potential customers
If you contact our company as a customer or prospective customer, we process your data to the extent that is necessary to establish or implement a contractual relationship. This regularly includes the processing of master, contract and payment data provided to us as well as contact and communication data from the contacts we have through commercial customers and business partners. The legal basis for these operations is GDPR Article 6 (1)(b).
We also process customer and prospective customer data for evaluation and marketing purposes. These processing operations are carried out on the legal basis of GDPR Article 6 (1)(f) and serve our interest in further developing our commercial offerings and specifically informing you about them.
13. Offline orders
If you submit a purchase order or place an order for our products by telephone, we are obliged to process your personal data exclusively for the purpose of performing our contractual duties and to be able to provide you with the product you ordered. In doing so, we only process the data that you yourself have provided. In order for us to provide you with the products you order, we must also transmit the data required for delivery to one of our delivery service providers (as stated in the order). The legal basis for this can be found in GDPR Article 6 (1)(b). All data fields marked as mandatory on our form are required for your order to be processed. Failure to provide this information means that we will be unable to process your order. Providing any other additional data is voluntary.
If you send a message to the e-mail address provided here or on our website, we will process the data transmitted so that we may respond. We process this data based on our company’s legitimate interest in responding to inquiries. The legal basis for this type of data processing is GDPR Article 6 (1)(f).
15. Data processing on our social media sites
We maintain active profiles on several social media platforms in order to provide representation and information about our company, as well as to create opportunities for exchange. These platforms include:
Should you visit or interact with one of our company’s profiles on a social media platform, personal data about you may be processed. This often involves data/information associated with the social media profile that you used when accessing our profile, and it covers messages and statements made while using the profile. In addition, when you visit one of our social media profiles, certain information is often automatically collected about the visit which may also constitute personal data.
a) Visiting our social media sites
Facebook and Instagram
When you visit our Facebook and/or Instagram pages where we present news concerning our company and/or specific products from our portfolio, certain information about you will be processed. The sole controller in charge of processing this data is Meta Platforms Ireland Limited (Ireland/EU). For more information about how Meta processes personal data, please visit: https://www.facebook.com/privacy/explanation
With Meta, you may object to certain types of data processing. Information and opt-out options in this respect can be found at: https://www.facebook.com/settings?tab=ads
Meta provides us with anonymized statistics and information regarding our Facebook and Instagram sites (known as “page insights”) that help us understand how visitors engage with these pages. These page insights are generated on the basis of certain information about site visitors. Processing personal data in this way is carried out by Meta and Nordmann together as joint controllers and serves our legitimate interest in evaluating the types of actions taken on our site so that we may improve it. The legal basis for this practice is provided by GDPR Article 6 (1)(f).
We cannot link the information that we obtain through page insights to any individual user profiles of those who interact with our Facebook or Instagram pages. This is part of the joint controller agreement that we have entered into with Meta, which specifies how data protection obligations are distributed between our two companies. For details about this agreement and how personal data is processed to create page insights, please visit: https://www.facebook.com/legal/terms/information_about_page_insights_data
For those who visit our LinkedIn page, the sole party responsible for processing personal data is LinkedIn Ireland Unlimited Company. For more information about how Meta processes personal data, please visit: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
When you visit, follow or otherwise engage with our company’s LinkedIn page, LinkedIn processes personal data to provide us with statistics and other information in an anonymized form (known as “page insights”). These page insights provide us with a better understanding of how visitors interact with our site. To generate these insights, LinkedIn primarily processes data that you have already provided to the platform through your profile, e.g. your job title, location, industry, seniority, company size and employment status. In addition, LinkedIn processes information about how you interact with our LinkedIn company page, e.g. whether or not you are a follower. When delivering page insights, LinkedIn does not provide us with any personal data about you specifically; we only have access to the aggregated information. It is also not possible for us to draw conclusions about individual members ourselves using the information contained in the page insights.
Processing personal data in this way is carried out by LinkedIn and Nordmann together as joint controllers and serves our legitimate interest in evaluating the types of actions taken on our LinkedIn site so that we may improve it. The legal basis for this practice is GDPR Article 6 (1)(f).
We have entered into a joint controller agreement with LinkedIn which specifies how data protection obligations are distributed between our two companies. This agreement can be accessed at: https://legal.linkedin.com/pages-joint-controller-addendum
The following apply:
- LinkedIn and Nordmann have agreed that LinkedIn is responsible for enabling you to exert your rights in accordance with the GDPR. You can contact LinkedIn to do so online at: https://www.linkedin.com/help/linkedin/ask/PPQ?lang=de
The Data Protection Officer at LinkedIn Ireland can be reached at: https://www.linkedin.com/help/linkedin/ask/TSO-DPO.
You may also contact us using any of the contact details provided to discuss how your rights may be exerted with regard to the processing of personal data and in relation to page insights. Should you do so, we will forward your request to LinkedIn.
- LinkedIn and Nordmann have agreed that the Irish Data Protection Commission will be the lead supervisory authority for overseeing the processing of page insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or any other supervisory authority.
b) Comments and direct messages
We also process information that you provide to us through our company page(s) on social media platforms. This sort of information may include your username, contact details and/or messages that you send to us. The processing operations related to this are carried out by our company as the sole party responsible. Processing personal data in this way serves our legitimate interest in answering inquiries. The legal basis for this is provided by GDPR Article 6 (1)(f). Additional data processing may take place if you have consented to this (GDPR Article 6 [a]) or if this is necessary to fulfil a legal obligation (GDPR Article 6 [c]).
Date: September 2022