We are pleased that you are visiting our website and your interest in our company. In the following we would like to inform you briefly about data protection at Elma.
§1 – Name and Address of the Controller
The controller in the sense of the EU-GDPR and further national data protection legislation of the EU member states is::
Elma Schmidbauer GmbH
+49 7731 882-0
Please check our imprint to obtain further information.
§2 – Contact of the Data Protection Officer
The Controller´s data protection officer is available through:
§3 – General Information on Data Processing
1. Scope of Processing of Personal Data
Your data is basically processed to the extent required to provide a technically functional website and to provide our content and services as well. The processing of personal data usually is based on your declaration of consent. However, there may be exceptions in cases, in which obtaining your consent is impossible for factual reasons and where at the same time processing is mandatory under the law applying.
2. Legal Basis for processing Personal Data
Where we obtain your declaration of consent in regard of processing activities, Art. 6 I 1 f EU-GDPR is the legal basis for processing.
When processing personal data for purposes required to fulfil a contract you are a party to, the legal basis for processing is Art. 6 I 1 a EU-GDPR. The same applies in cases of processing personal data required for the initiation of a contractual relationship-.
Where processing personal data to comply with a legal obligation, our company is subject to, processing is based on Art. 6 I 1 c EU-GDPR.
Should personal data be processed to protect your or another person´s vital interests, the legal basis is Art. 6 I 1 d EU-GDPR.
Where processing personal data is required to protect legitimate interests of our company or a third party and where at the same time the interests, rights and freedoms oft e data subjects do not outweigh the formerly mentioned interests, Art. 6 I 1 f EU-GDPR is the legal basis for processing.
3. Transfer of Personal Data to third Parties and to Third Countries
Your personal data will not be transferred to third parties for any other purposes than the ones mentioned as follows. Your personal data will not be transferred to third parties if not
we have obtained you declaration of consent as per Art. 6 I 1 a EU-GDPR,,
such is required for purposes of fulfilling a contract you are a party to, as per Art. 6 I 1 b EU-GDPR,
transferring the data is required to comply with a legal obligation as per Art. 6 I 1 c EU-GDPR or
transferring the data is required to protect a legitimate interest as per Art. 6 I 1f EU-GDPR which we may have and where at the same time your basic rights and freedoms do not outweigh the formerly mentioned interest.
We may employ external data processors for purposes of processing your data. These have been carefully picked and commissioned, are bound to the orders we issue and subject to regular checks.
A transfer of personal data to third countries (outside the European Union or the European Economic Area) will only take place if such is required to fulfil a contractual relationship, legally mandatory or in cases you have declared you consent. Currently, your personal data is not transferred to any group company or service provider outside the European Economic Area. Should you have declared your respective consent, we may transfer your data outside of the European Economic Area – the required level of data protection, also in these cases, is safeguarded, e.g. by Standard Contractual Clauses.
4. Deletion of Data and Retention Periods
Your personal data will be deleted or blocked das soon as the purpose of processing has terminated to exist. However, your personal data may be further stored if such is required under national or European law, regulations or further acts the Controller is subject to. Your personal data is also deleted or blocked, if a legally mandatory retention period terminates, if not there is a requirement to retain the data for further processing in regard to a contractual relationship. Should you, e.g. place an order with our web-shop, we are obliged to retain your data for 10 years to follow for reasons of accountability towards fiscal authorities.
§4 – Your Rights as a Data Subject
Whenever your personal data is processed, you are considered a data subject as per the EU-GDPR. In this case, you are entitled to the following rights of a data subject which you may execute against us:
1. Right to Data Access
You may request a confirmation on whether we process personal data which affect you. Should such processing exist, you are entitled to request information on the following aspects:
the purposes for which the personal data is processed
the categories of personal data processed:
the recipients respectively the categories of recipients, your personal data is disclosed to or will be disclosed to;
the intended period for which your personal data is retained or criteria for the determination of such period in case, such period may not be further specified;
whether there exists a right to rectification or deletion, a right to restricted processing or a right to contradict a processing;
whether you are entitled to lodge a complaint with a data protection supervisory authority;
all information which is available concerning the origin of the data in case the personal data has not been obtained from the data subject itself;
whether there is an automated decision making inclusively of a profiling as per Art. 22 I and IV EU-GDPR and -at least in such cases- meaningful information on the logic involved and the consequences and intended effects such processing may have on you.
You are entitled to request information on whether your personal data is transferred to a third country or an international Organization. In this context, you may request to be provided information on adequate warranties as per Art. 46 EU-GDPR in regard to the transfer.
2. Right to Rectification
You are entitled to request rectification and/ or completion of your data in case the data we process should be incorrect or incomplete. If so requested, wes hall immediately implement the correction.
3. Right to Restricted Processing
You may request to have the processing of your data restricted in the following conditions are present:
if you dispute the correctness of your personal data for a span of time enabling us to check, whether your data is actually incorrect;
if the processing is illegitimate and you decline the deletion of the personal data while requesting your personal data to be processed restrictedly;
we do no longer require the personal data for the purposes of the processing while you need the data for reasons of legal claims, or
if you have contradicted the processing of your personal data a per Art. 21 EU-GDPR and if there is no clarification yet on whether our legitimate interest is outweighing your legitimate interest.
If the processing of your personal data has been restricted, this data -besides the sole storing o fit- may be processed with your consent or for reasons of legal claims or purposes of the protecting other person´s rights or for reasons of an important public interest of the EU or one of its member states, only.
Should processing of personal data have been restricted as per the conditions named before, we shall notify you prior to any lifting of such processing restrictions.
4. Right to Data Deletion
a) Obligation to delete Data
You may request to having your data immediately deleted and we are obliged to immediately delete your data if one of the following conditions is met:
Your personal data is no longer required for the purposes for which it has been obtained or processed in any other way;
you withdraw your declaration of consent on which a processing of personal data was based (Art. 6 I 1 a or 9 II a EU-GDPR) and if there is no other legal basis for processing available;
You contradict processing of your persona data as per Art. 21 EU-GDPR and there is no legitimate reason of higher priority, or you contradict processing as per Art. 21 II EU-GDPR;
processing of your personal data is illegitimate;
deleting your personal data is required to comply with a legal obligation as per the law of the European Union or as per the law of a member state to the EU to which the Controller is subject;.
Your personal data has been obtained in regard of services of the information society as per Art. 8 I EU-GDPR.
b) Information provided to Third Parties
Should we have disclosed your personal data to the public and should we be obliged to delete tat data as per Art. 17 I EU-GDPR, we will -in consideration of available technology and the implementation costs- implement adequate measures, also technical ones, to inform the data controllers that you as a data subject have requested all links to such data, copies or replications of such data to be deleted.
The right to deletion cannot be taken advantage of, if processing is required
to exercise the right to the freedom of opinion and information;
to comply with a legal obligation as per the law of the EU or its member states to which the Controller is subject or in case the Controller acts to fulfil a task of public interest or to exercise public sovereignty he has been transferred;
for reasons of public interest in the area of public health as per Art. 9 II h and i, as well as per Art. 9 III EU-GDPR;
for public archiving purposes or purposes of historical research or statistical purposes as per Art. 89 I EU-GDPR, as far as the right mentioned in section a.) would expectedly make the realization of the processing impossible or would significantly impair such right or
to claim, exercise or defend legal claims. z.
5. Right to Information
In case you have claimed rectification, deletion or restriction of processing with us, we are obliged to notify all recipients which your personal data has been disclosed to about this rectification or deletion or restriction of processing, except in cases where such should turn out to be impossible or to require unreasonable efforts.
You are entitled to receive information about these recipients from us.
6. Right to Data Portability
You are entitled to be transferred the data you have provided in a structured, usual and machine-readable form. Besides that, you are entitled to having this data transferred to another controller and without any obstruction by the Controller the personal data has been provided to, given that:
processing is based on a declaration of consent as per Art. 6 I 1 a EU-GDPR or Art. 9 II a EU-GDPR or on a contract as per Art. 6 I 1 b EU-GDPR and
processing is executed by automated means.
When executing this right, you are further entitled to having your data transferred to another controller as far as such is technically possible. The rights and freedoms of further data subjects, however, must remain unaffected.
The right to data transfer, however, does not apply to a processing of personal data which is required for fulfilling a task in public interest or to exercise public sovereignty which has been transferred to the Controller.
7. Right to contradict a Data Processing
You are entitled to contradict a processing of personal data based on Art. 6 I 1 e or f EU-GDPR anytime for reasons resulting from your specific situation.; this is also valid for a profiling based on the legal grounds mentioned.
Your personal data, in such case, is no longer processed, provided that we can present compulsory reasons for the processing which are worthy of protection and which outweigh your interests, rights and freedoms or in cases the processing serves the protection of legal claims..
Should your personal data be processed for purposes of direct marketing, you are entitled to contradict such processing anytime; this does also apply for any profiling as far as it is related to direct marketing.
Should you contradict the processing of personal data for purposes of direct marketing, we will cease to process your personal data for such purposes.
In relation to services of the information society, you may exercise your right to contradiction by means of automated processes which use technical specifications – regardless of Regulation 2002/58/EC.
8. Right to withdraw Your Consent
You are entitled to withdraw your consent anytime. Such, however, will not affect the legitimacy of the processing which has been executed based on your consent until the moment of withdrawal.
9. Automated Decisions including Profiling
You are entitled to not being subject to a fully automated decision – including profiling, which is of legal effect on you or may impair you alike. Such, however does not apply, if the decision taken
is required for the initiation or fulfilment of a contract between you and the Controller.,
is admissible based on legal provisions to which the Controller is subject and which have been issued by the EU or its member states, and if these rules are containing adequate measures for the protection of your rights and freedoms or if the processing is based on your consent.
Such decisions may not be based on special categories of personal data as per Art. 9 I EU-GDPR, if not adequate measures to protect the data subjects rights and freedoms have been taken.
Concerning the cases mentioned in No. 1 and 3, we are taking adequate measures to protect the rights and freedoms of data subjects as well as their legitimate interests, which does at least include the right to having the processing intervened by a human representative of the Controller, to having the data subjects point of view heard and to contest the decision..
10. Right to lodge a Complaint with a Data Protection Supervisory Authority
Without having effect on any further administrative or judicial remedy, you are entitled to lodge a complaint with a data protection supervisory authority, especially the one(es) located in the member state of your residence, your workplace or the presumed violation, in case you suppose the processing to violate the EU-GDPR.
The data protection supervisory authority you have turned to for lodging your complaint, will inform you as the claimant on the state of processing and results of your claim including the option of a judicial remedy as per Art. 78 EU-GDPR.
§5 - Hosting
The website is hosted on servers of a service provider we commissioned.
The servers are automatically collecting and processing information by means of s-called logfiles, which your browser is automatically transmitting upon browsing the website. The following information is processed;
Browser type und browser version
Date and time of the server request
This data will not be combined with further sources of data. The data is processed basing on Art. 6 I 1 d EU-GDPR. The website controller has a legitimate interest in optimizing the website and in displaying the content properly – which requires server logfiles to be created.
The servers are physically located in Germany
§6 – Providing the Website and creating the Logfiles
1. Description, Purpose and legal Basis of the Processing
Whenever our website is browsed, our system automatically processes data and information of the computer system requesting our content. The following data is processed:
IP-address (anonymized – the last two bytes are erased)
Date and time of accessing our website
Websites from which our site is surfed
Websites operated by us which are surfed
Text entered to search our website
Amount of data transferred
This data will be stored in our system´s logfiles. The data, however, is not stored together with further personal data.
Storing the IP-address is stored for a short period of time to enable the system to deliver the website. Therefore, the IP-address requires to remain stored for the duration of the session.
The logfiles are stored to safeguard the functionality of our website. Additionally, the data is used to optimize our website and to safeguard the security of our IT-systems. The data is not evaluated for marketing purposes.
The legal basis for this short-term processing of personal data is Art. 6 I 1 f EU-GDPR.
2. Data retention, Contradiction and Deletion-Options
The data will be deleted as soon as it is no longer required for the purpose it has been collected for. Concerning the processing of personal data for purposes of operating the website, the data is deleted after the session has terminated.
In case of logfiles, this the case after 60 days at the latest. However, data may be stored beyond this moment. In this case, the users IP-address is deleted or anonymized, which leads to impossibility of identifying the respective client.
Processing the data for purposes of offering the website as well as storing this data in logfiles is a mandatory need in order to operate the website. The user, therefor, cannot contradict such processing.
1. Description, Purposes and legal Bases of Processing
The following data is transferred to the browser in this case:
Besides that, we are using cookies which allow to analyze our users browsing behavior.
This way, we may process the following data:
Terms entered to be searched for
Frequency of browsing
Use of our websites functions.
The data collected from you in this way is pseudonymized by technical precautions. It is therefore no longer possible to assign the data to you personally. The data is not stored together with other personal data
Cookies are required for the following applications:
Storing preferences in the Cookie-Consent-Manager
Web analysis by Matomo / Google Analytics
Identification of users after their registration in our Elma Partner Area
The data collected by use of technically required cookies will not be used to create user profiles.
Analysis cookies are used for the purpose of improving the quality of our website and its content. Through the analysis cookies we learn how the website is used and can thus continuously optimize our offer.
2. Retention, Contradiction and Removal-Option
Use of Google Analytics for Analyzing Purposes
1. Description, Purpose and legal Basis of Processing
With this web analysis, we aim to improve the quality of our websites and their content.
In this context, data processing takes place on the basis of Art. 6 I 1 f EU-GDPR. We have a legitimate interest in analyzing your behavior as a user of our website in order to optimize our website. Insofar as information is transferred to Google servers in the USA and stored there, an adequate level of data protection is guaranteed via EU Standard Contractual Clauses on data protection.
2. Retention, Contradiction and Removal-Option
§ 8 User-Account and Web-Orders
You can create a customer account in our web shop if you are a commercial customer. Unfortunately, our web shop is not available to private customers. A customer account offers you the advantage that you do not have to enter a large amount of information again when you place subsequent orders. You can also view your order history and adjust the stored data, e.g. if a delivery address changes. We observe the principle of data minimization as you only have to provide the data that is required to process your order.
If you want to set up an account, you must provide your first and last name, your company or the company you work for, the VAT number of the company and an e-mail address. For security reasons, you must also choose a password. If you would like to place an order via our online shop, we also need a delivery- and, if different, billing-address, as well as an indication of the preferred shipping method.
This information is required to provide you access to our web shop and ensure that only commercial customers register. The legal basis is your consent, Art. 6 I 1 a EU-GDPR, or with regard to the initiation and/or execution of (purchase) contracts Art. 6 I 1 b EU-GDPR.
In addition, it is technically and legally required to store your IP-address. If you do not provide the data specified as required or not in full, we may not be able to enter into a contract with you via our online shop. Of course, alternative order-channels (e.g. telephone, letter) are available in this case.
If you wish to do so, you can also register with our shipping partner via a link to receive SMS about the shipping status of your order after we have handed over the goods to the carrier. Please note that the data protection information of the respective carrier is decisive here. Of course, we will be happy to help you find them on request.
If you no longer want to use your customer account and would like to have it deleted, you can contact us at any time via one of the contact channels in this privacy statement or our imprint. Please note that despite the deletion of your customer account, we may still be obliged to store certain data, e.g. in order to comply with our commercial storage and verification obligations (e.g. invoices).
§ 9 Payment Systems
In our online shop you can pay by credit card or direct transfer. For this purpose, the respective payment-relevant data is collected in order to be able to carry out your order and payment processing. In addition, your IP address will be processed for technical reasons and for legal protection.
The principle of data minimization is observed in that you only have to provide us with the data objectively required to process the payment and to process the contract or that we are legally obliged to collect. Without this data, we will have to refuse to conclude the contract, as we will then not be able to carry it out. Every payment system we use uses SSL encryption to protect the transmission of your data.
Information on Credit Card Payments: As usual with credit card payments, the payment data is checked.
Information on „Sofort“-Payments:
In our web shop you can select the payment method of "Sofortüberweisung" from Sofort GmbH, Theresienhöhe 12, 80339 Munich, a company of Klarna (Sweden). Sofortüberweisung is an online payment system that allows payment via online banking. The payment itself is carried out without our participation, we only receive a notification that the payment has been made. To use this method, you need an active online bank account that will process the transfer. The legal basis for the processing of your data in this context is your consent, Art. 6 I 1 a EU-GDPR.
If you pay using this method, your name, account number, bank code, subject, amount and date will be transferred to Sofort and processed there. Before the payment is authorized, a random check is carried out to determine whether instant transfers have been successfully made in the past thirty days. In addition, your user ID is saved in abbreviated form and your IP address. If a SEPA transfer is carried out, the IBAN and BIC are also saved. According to Sofort, no further information will be transferred.
Further information can be obtained from GmbH via <a href='https://www.sofort.de/datenschutz.html'>https://www.sofort.de/datenschutz.html</a>.
§10 – Contact Form
1. Description, Purpose an Legal Basis of Processing
There are several contact forms on our website that can be used for electronic contact. If you, as a user, take advantage of this option, the data entered in the input mask will be transferred to us and saved. At the time the message is sent, the following data (if requested and entered in the contact form) is stored:
Landline- / Cellular number
Date and time of contact
Branch, Product (e.g. serial number and topic)
Your consent will be obtained for the processing of the data during the sending process and reference will be made to this data protection declaration.
It may be necessary for us to forward your request or data to the trading partner responsible for you, who may be based in a country outside the European Economic Area (EEA). You must agree to this forwarding in the course of contacting us via the contact form provided.
Alternatively, you can contact us via the email address provided. In this case, the user's personal data transferred with the email will be stored and, if necessary, also transferred to the trading partner responsible for the user.
The data is solely processed for the purpose of you Request.
The processing of your personal data from the input mask serves us solely to process the contact. If contact is established by email, this is also the legitimate interest in the processing of the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
The legal basis for processing the data is Art. 6 I 1 a EU-GDPR if the user has given his consent. The legal basis for the processing of data transferred in the course of sending an email is Art. 6 I 1 f EU-GDPR. If the email contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 I 1 b EU-GDPR.
2. Retention, Contradiction and Option to Cancellation
The data will be deleted as soon as it is no longer required to achieve the purpose for which is was collected. For the personal data from the input mask of the contact form and those sent by email, this is the case when the respective conversation/enquiry with you as a user has ended. The conversation/enquiry is ended when it can be inferred from the circumstances that the facts in question have been finally clarified.
The data additionally collected during the registration process is deleted after fourteen days at the latest.
You have the option to revoke your consent to the processing of your personal data at any time. If you contact us via the contact form or email, you can object to the storage of your personal data at any time via email@example.com. In such a case, the processing of your request cannot be continued. All personal data that was saved in the course of making contact will be deleted in this case.
§ 11. Google Maps
This website uses Google Maps to display interactive maps and to create routes. Google Maps is a map service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA. By using Google Maps, information about the use of this website, including your IP address and the (start) address entered as part of the route planner function, can be transmitted to Google in the USA. When you visit a page on our website that contains Google Maps, your browser establishes a direct connection to the Google servers. The content of the map is sent directly to your browser by Google, which integrates it into the website. We therefore have no influence on the extent of the data collected by Google in this way. As far as we know, this is at least the following data:
• Date and time of your visit to the respective website,
• URL of the website browsed,
• The (starting) address entered for purposes of rout planning.
§12 - Social Media -Share-Links
offer you the option to recommend or share parts of our website via various external social media sites (e.g. Facebook, Twitter, etc.). By clicking on the corresponding button, the Internet address of the page on which the button was clicked is transferred to the provider of the social media website. We will not transfer any other data. If necessary, the operator of the external social media site will collect further data from you (e.g. set cookies or request a login); please consult the privacy statement of the respective provider of the social media site.
§ 13 Instagram-Plugin
Our website uses social plugins ("Plugins") from Instagram, which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). The plugins are marked with an Instagram logo, for example in the form of an “Instagram camera”. You can find an overview of the Instagram plugins and their appearance here: <a href='http://blog.instagram.com/post/36222022872/introducing-instagram-badges'>http://blog.instagram.com/post/36222022872/introducing-instagram-badges</a>
If you access a page on our website that contains such a plugin, your browser establishes a direct connection to the Instagram servers. The content of the plugin is transferred directly from Instagram to your browser and integrated into the page. Through this integration, Instagram receives the information that your browser has accessed the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram. This information (including your IP address) is transferred directly from your browser to an Instagram server in the USA and stored there.
If you are logged in to Instagram, Instagram can directly assign your visit to our website to your Instagram account. If you interact with the plugins, for example by pressing the "Instagram" button, this information is also transferred directly to an Instagram server and stored there. The information is also published on your Instagram account and displayed to your contacts there.
The purpose and scope of the data processing by Instagram as well as your rights in this regard and setting options for protecting your privacy can be found in Instagram's data protection information: <a href='https://help.instagram.com/155833707900388/'>https://help.instagram.com/155833707900388/</a>
If you do not want Instagram to use the data collected via our website directly assigned to your Instagram account, you must log out of Instagram before visiting our website. You can also completely prevent the Instagram plugins from loading with add-ons for your browser, e.g. B. with the script blocker "NoScript" (<a href='http://noscript.net/'>http://noscript.net/</a>).
§14 – Data Security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
§15 - Updates and Changes of this Privacy Statement
This data protection declaration is currently valid and has the status of April 2020.
Due to the further development of our website and offers or due to changed legal or official requirements, it may become necessary to change this privacy statement. You can access and print the current privacy statement here at any time.