1. General provisions
1.1. Scope of application
The data processing controller (“controller”) within the meaning of the European General Data Protection Regulation (GDPR) is:
75196 Remchingen, Germany
Phone: 49 (0) 7232 36550
The controller will decide, either on its own or in cooperation with others, on the purposes and means of such processing of personal data (e.g., names, contact data, etc.).
1.3. Subject matter
Data protection generally refers to the processing of personal data. This includes any information related to an identified or identifiable natural person (“data subject”), e.g., a contact person of your company. This kind of information includes, but is not limited to, the name, address, email account, and phone number, as well as any other data that is automatically generated in the course of our business relationship, such as information on individual orders and contracts.
In processing personal data, we adhere to the applicable data protection rules and regulations. This means that we will not process your data, unless you have granted your consent or where legally permitted, e.g., if data processing is required for meeting our contractual obligations (e.g., order processing), or legally required.
1.4. Technical security measures
We take organizational and technical security measures based on the state of the art in order to ensure that data protection rules and regulations are complied with and to safeguard data processed by us against accidental or willful manipulation, loss, destruction, or access by unauthorized parties.
For safety reasons and in order to protect the transmission of confidential information that you send to us as the operator of this website, our website uses SSL and/or TLS encryption. This means that any data you transmit via this website cannot be read by third parties. The “https://” and the lock icon in the address field of your browser indicate that the data transmission will be encrypted.
2. Data processing on the website
2.1. Access to our website
When you access our website, the browser on your device will automatically – and without any action on your part – transmit
- date and time of access and time zone deviation from Greenwich Mean Time (GMT);
- the access method (verb, e.g. “GET”);
- requested contents (specific page) and, if applicable, parameters (“query”);
- user's IP address;
- HTTP protocol version of the user;
- information on the browser type and language/version used, preferences regarding the display of multi-language websites (e.g., EN, DE), information on the user’s operating system and installed plug-ins or NDK/SDK used;
- cookies that may have been placed on the user’s system;
- websites from which the user’s system is referred to our website;
- access status / HTTP (sub) status code;
- amount of data transferred
to the server of our website, where this information is temporarily stored in a so-called log file for the following purposes:
- ensure that the connection is established smoothly;
- ensure a comfortable user experience;
- analyze system security and stability.
The legal basis for processing the IP address is Art. 6, par. 1, sentence 1, lit. f) of the GDPR. We have a legitimate interest in the data processing purposes listed above.
Data will be stored during a period of seven (7) days and automatically deleted after the end of this period.
2.2. Cookies - general provisions
Most browsers automatically accept cookies. However, you may configure your browser in such a manner that no cookies will be stored on your computer (“disable cookies”) or that you will see a warning before a new cookie is stored. When cookies are fully disabled, this may prevent you from enjoying the full functionality of our website.
You can use our Consent Manager to decide which cookies and similar technologies may be used. We have divided all cookies into three categories:
- Necessary - our website will not work without these cookies
- Statistics - Anonymous visitor statistics
- Comfort - videos, chat feature and recently viewed products
The following table lists all cookies and similar technologies. The link in the Provider column leads to the data protection declaration of the respective partner.
| Type | Name | Provider | Category | Purpose |
|---|---|---|---|---|
| Local Storage | language | heco | Necessary | Selection of language |
| External Request | t.js | eTracker | Necessary | Tracking code (cookie-less) |
| External Request | e.js | eTracker | Necessary | Tracking code (cookie-less) |
| External Request | cntcc | eTracker | Necessary | Tracking code (cookie-less) |
| Cookie | BT_sdc | eTracker | Statistics | Current user session |
| Cookie | last_visited_article_groups | heco | Comfort | Last seen products |
| Script | firmenidentifikation | heco | Comfort | Identification as myheco-user |
2.3. Contact form
It goes without saying that we will treat personal data that you provide by filling in contact forms on the website, by phone, or email as strictly confidential. We will use your data only for a particular purpose in order to process your inquiry. The legal basis for this type of data processing is either Art. 6, par. 1, lit. b) or Art. 6, par. 1, lit. f) of the GDPR. Our legitimate interest in this type of data processing is derived from our common aim of answering your inquiries, resolving any issues that may exist, and, thus, to ensure and enhance your satisfaction as a customer or user of our website.
If you participate in a customer survey, you will do so on a strictly voluntary basis. Any personal information that you provide while answering survey questions will be deemed to have been provided on a voluntary basis. Please do not enter any names or similar information in plain text fields that will allow conclusions to be drawn on your or other individuals’ identity. In the event you grant your consent in connection with a customer survey, Art. 6, par. 1, lit a) of the GDPR is the applicable legal basis for data processing based on a consent. In the event that you have granted a consent or consents in connection with a customer survey, you may withdraw these consents at any time with effect for the future. For further details, please refer to the applicable data protection notes in the customer survey concerned.
2.4. Specific website functionality
3. Data processing in the course of business relationships
We will give you, as an existing or prospective customer, an overview of the purposes and legal bases of data processing within the scope of our business relationship in the sections below.
3.1. Contract performance
We process personal data if this is required for preparing, closing, or performing the contract entered with you. The purposes depend on the particular contract and include, but are not limited to
- preparation and processing of offers;
- performance of the entered contracts;
- payment processing;
- management and assistance prior to, during, and after the end of the business relationship with you;
- processing of statutory warranty claims.
In this regard, your personal data will be processed in accordance with Art. 6, par. 1, lit b) of the GDPR, to the extent this is required for the above purposes. In the absence of this information, we will not be capable of entering into the contract with you and/or of performing it.
Data that we collect will only be stored as long as needed for attaining the purpose for which this data had been collected. As a general rule, this requirement will only cease to exist when the contractual services have been fully completed and the applicable statutory warranty periods have expired, unless we have the right and obligation to store the information for a longer period of time in accordance with legal retention obligations, in particular, under the trade and tax law.
3.2. Compliance with legal obligations
We will also process your personal data for the purpose of compliance with our legal requirements. These requirements may exist under the trade, tax, money laundering, financial, or criminal code. The processing purposes are determined by the applicable statutory duty; generally, data processing will serve the purpose of compliance with disclosure duties under national law. Your data will be processed pursuant to Art. 6, par. 1, lit c) of the GDPR. We will delete your personal data when the legal obligation to store your data ceases to exist, unless other legal duties require the retention.
3.3. Safeguarding legitimate interests
Furthermore, we will also process your personal data for safeguarding our legitimate interests and those of our affiliated companies, e.g., for the following purposes:
- storage in our customer database, e.g., to facilitate a follow-up communication after the initial contact at a trade fair;
- answering questions and business correspondence not related to a contract;
- mailing of information material, price lists, and information on events;
- credit screening;
- optimization of our business processes.
In this regard, your personal data will be processed in accordance with Art. 6, par. 1, lit f) of the GDPR. Thus, our legitimate interest is based on the purposes described above and also on our general interest of an ongoing customer relationship management.
In addition, we reserve the right to process personal data, i.e., your name and your contact data, that you provided to us during negotiation of contracts or the business relationship in order to provide you with information on our own similar products or services, provided, however, that we will comply with the applicable unfair competition rules and regulations that may apply to such actions in addition to the GDPR. If you have entered into a contract with us, we will treat you as an existing customer. In that case, we will process your postal mail contact data, regardless of whether a specific consent had been granted, in order to provide you with information on new products and services. We will process your email account in order to send you information on our own, similar products and services via that communication channel. You may object to marketing measures at any time.
If we process personal data based on your consent, the particular purpose will be described in each of the consent forms. In these cases, your data will be processed pursuant to Art. 6, par. 1, lit. a) of the GDPR. You may withdraw any consent that you granted at any time, which, however, will not affect the legitimacy of data processing that occurred based on this consent and prior to the date of withdrawal. We will delete your personal data if it is no longer required for the purposes we pursue or if you withdraw your consent and if there are no conflicting statutory provisions.
4. Use of recruitment data
In the event that you send us an application, including by email, for a job vacancy, we will process the data that you provide in connection with your application in order to check your suitability for the open position (or, if applicable, for other vacancies within our group of companies) and to conduct the recruitment process. Upon receipt of your application, your data will be reviewed by the human resources department and the heads of department within our group of companies. As a general rule, only those staff members will have access to your data that need this information for purposes directly related to the recruitment process.
The processing of your personal data in the course of a recruitment process is, in particular, based on section 26 of the German Federal Data Protection Act (BDSG). In accordance with this provision, the processing of personal data is permissible to the extent it is needed in connection with the hiring decision and for offering employment. Any other additional information that you may have provided will be stored in accordance with Art. 6, par. 1 lit f) of the GDPR, since we also have a legitimate interest in considering your voluntarily provided information in the course of the recruiting process. If upon the – unsuccessful – completion of the recruiting process you grant your consent to the continued storing of your personal data in our recruiting pool, this continued further processing will occur based on Art. 6, par. 1, lit a) of the GDPR. You may revoke your consent at any time with effect for the future without giving reasons.
In the event of a negative reply, applicants’ personal data will be deleted by us after four (4), but no later than after six (6) months. If you grant your consent to the continued processing of your personal data in our recruitment pool, your data will be deleted when it is no longer required for the purposes for which it had been collected and processed, typically, upon the expiration of a period of five months following its inclusion in the recruitment pool. In the event that during the recruitment process you should be selected and offered a job, your data will be taken over into our HR management system and processed therein to the extent required for creating an employment contract and performing the obligations under this contract.
5. Third parties
5.1. Disclosure of data and categories of recipients
Being a company within the heco group of companies, we cooperate with other group companies and exchange data with them. However, personal data will only be transmitted to other group companies if this is legally permissible and if the transmission is required in connection with the purposes pursued by this data processing. For instance, customer and supplier data will be exchanged within our group, in particular, in connection with contract performance based on Art. 6, par. 1, lit b) GDPR and based on our legitimate interests pursuant to Art. 6, par. 1, lit f) GDPR. Our legitimate interest is based on reasons that include, but are not limited to the optimization of our inhouse administrative processes for enhanced efficiency and improvement of customer care services.
We will only disclose your personal data to external third parties if this is required for performing the contract, if this is permitted based on another legal basis, or if you have granted your consent. The disclosure will then occur based on Art. 6, par. 1 lit. a), lit. b), lit. c) and/or lit. f) of the GDPR.
The external recipients may be service providers that were commissioned by us with the provision of services (“processors”) pursuant to Art. 28 of the GDPR (e.g., in the area of IT services, marketing services, or document shredding). These processors will be carefully selected and audited at regular intervals. They shall use the data exclusively for the purposes indicated by us and in accordance with our instructions. Besides, we also disclose data to external service providers based on a legal obligation or for safeguarding our own legitimate interests, if these parties provide us with third-party expert services in their own responsibility, e.g., mail service providers, tax advisors, or chartered accountants.
Furthermore, we may be required to transmit personal data to public authorities and government institutions in accordance with compelling legal requirements, such as public prosecution, courts, customs, fiscal, and tax authorities.
In the event data is transmitted to third parties whose registered office, place of residence, or place of data processing is not within a member state of the European Union or another country that is a party to the Agreement on the European Economic Area, we will ensure prior to passing on your data that, except for the statutorily permitted exceptions, the recipient complies with a reasonable level of data protection or that you have provided your sufficient consent.
5.2. Storage period
We will store your personal data only as long as required for meeting the processing purposes or – if a consent was granted – as long as you have not withdrawn your consent. In the event you withdraw your consent, we will erase your personal data, unless their continued processing is permissible under the applicable statutory provisions. We will also erase your personal data if we are obligated to do so subject to statutory requirements. If and as long as statutory retention periods apply, we will not erase data until the corresponding periods have expired.
5.3. Your rights as data subject(s)
In addition to your right to withdraw your consent(s) granted to us, you may also exercise the following rights if the corresponding legal prerequisites are met:
- Right to access to your personal data stored by us in accordance with Art. 15 of the GDPR and section 34 of the German Federal Data Protection Act;
- Right to rectification of incorrect data or completion of incomplete data in accordance with Art. 16 of the GDPR;
- Right to erasure of your personal data stored by us in accordance with Art. 17 of the GDPR and section 35 of the German Federal Data Protection Act;
- Right to restriction of the processing of your data in accordance with Art. 18 of the GDPR;
- Right to data portability in accordance with Art. 20 of the GDPR;
- Right to object in accordance with Art. 21 of the GDPR.
5.3.2. Right to access in accordance with Art. 15 of the GDPR.
Pursuant to Art. 15, par. 1 of the GDPR you have the right to free access to the personal data stored by us about you. This shall include, but is not limited to the following:
- purposes for which personal data is processed;
- the categories of personal data that are processed;
- recipients and/or categories of recipients to whom your personal data has been or will be disclosed;
- the intended storage period of your personal data or, if exact information cannot be provided, criteria for determining the storage period;
- the lawful right to request from the controller rectification or erasure of your personal data or a right to restrict the processing of your personal data by the controller, or a right to object to such processing;
- the lawful right to lodge a complaint with a supervisory authority;
- all available information as to the data origin, if personal data was not obtained from the data subject;
- the existence of automated decision-making, including profiling, referred to in Art. 22 par. 1 and 4 of the GDPR. And ‒ at least in these cases ‒ meaningful information about the logic involved, as well as the significance and the envisaged consequences of this kind of processing for the data subject.
Where personal data is transmitted to a third country or to an international organization, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 of the GDPR relating to the transmission.
5.3.3. Right to rectification in accordance with Art. 16 of the GDPR
You have the right to request the controller to rectify inaccuracies in your personal data without undue delay. Taking into account the purposes of processing, you have the right to have incomplete personal data completed ‒ including by means of providing a supplementary statement.
5.3.4. Right to erasure in accordance with Art. 17 of the GDPR
You have the right to have your personal data promptly erased if any of the following grounds applies:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- you withdraw your consent on which the processing is based according to Art. 6, par. 1, lit a) or Art. 9, par. 2, lit a) of the GDPR and there is no other legal ground for the processing;
- you object to the processing pursuant to Art. 21, par. 1 or par. 2 of the GDPR, and in the case of Art. 21, par. 1 of the GDPR, there are no overriding legitimate grounds for the processing;
- the personal data has been unlawfully processed;
- the personal data has to be erased for compliance with a legal obligation;
- the personal data has been collected in relation to the offer of information society services referred to in Art. 8, par. 1 of the GDPR.
If we have made personal data public and are obligated to erase it, we will take reasonable steps, taking account of available technology and the cost of implementation, to inform third parties processing your personal data that you have requested erasure by such processors of any links to, or copy or replication of, this personal data.
5.3.5. Right to restriction of processing pursuant to Art. 18 of the GDPR
You have the right to require us to restrict processing where one of the following prerequisites is met:
- you contest the accuracy of the personal data;
- the processing is unlawful and you request the restricted use of personal data instead of its erasure;
- the controller no longer needs the personal data for the processing purposes, but you require it for the establishment, exercise, or defense of legal claims, or
- you have objected to processing pursuant to Art. 21, par. 1 of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
5.3.6. Right to data portability in accordance with Art. 20 of the GDPR
You have the right to receive the personal data concerning yourself that you provided to us in a structured, commonly used and machine-readable format and have the right to transmit such data to another controller without hindrance from us, where:
- the processing is based on consent pursuant to Art. 6, par. 1, lit a) or Art. 9, par. 2, lit a) or on any other agreement in accordance with Art. 6, par. 1, lit b) of the GDPR; and
- the processing is carried out by automated means.
In exercising your right to data portability you have the right to have your personal data transmitted directly from us to another controller, where technically feasible.
5.3.7. Right to withdraw your consent(s) granted
You have the right to withdraw any consent that you granted at any time without any effect on the legitimacy of data processing prior to this withdrawal. If the consent is withdrawn, we will discontinue the corresponding data processing.
5.3.8. Right to object in accordance with Art. 21 of the GDPR.
Pursuant to Art. 21, par. 1 of the GDPR you have the right to object to the processing of your personal data that has been collected based on Art. 6, par. 1, lit. f) of the GDPR on grounds relating to your particular situation. We shall no longer process the personal data unless we can show that compelling, protection-worthy grounds exist for the processing which override the interests, rights and freedoms of the data subject or if the processing serves the purpose of establishing, exercising, or defending legal claims.
Furthermore, pursuant to Art. 21, par. 2 of the GDPR you have the right to object to the processing of your personal data for the purpose of direct marketing, and your exercising this right will either result in the discontinuation of this processing for the purpose of direct marketing or in the safeguarding of legitimate interests.
5.5. Questions to the Data Protection Officer
If you should have any questions on data protection, please write an email or contact our data protection officer.
Sven Boden, co-IT.eu GmbH
Kriegsstraße 39, 76133 Karlsruhe
Version 1.0, last revised in September 2018
Attachment: Specific website functionality
The provider of this website uses services provided by etracker GmbH, Hamburg, Germany (www.etracker.com) for analyzing website traffic data. To this end, cookies will be used that allow a statistical analysis of the use of this website by its visitors and the display of use-related contents or advertising. Cookies are small text files that are stored on the user’s device by their web browser. etracker cookies do not contain any information that allows the identification of a user.
Data generated with etracker will be processed on behalf of the provider of this website and stored by etracker, exclusively within Germany. Thus, it is subject to the strict German and European data protection laws and standards. etracker has been audited and certified against these standards and has been awarded the data protection seal ePrivacyseal.
Art. 6, par. 1, lit f (legitimate interest) of the EU General Data Protection Regulation (GDPR) forms the legal basis for processing your personal data. We have a legitimate interest in the optimization of our online offer and our web presence. Since the privacy of our users is very important to us, etracker will anonymize your IP address at the earliest possible stage and etracker will convert login credentials and device IDs into a unique key that cannot be matched with an individual. etracker will not use data in any other manner, combine it with other data, or disclose it to third parties.
You may object to data collection as described above at any time, to the extent that personal data is concerned. Your objection will not have any adverse consequences for you.
For further information on data protection at etracker please click here.
2. Google AdWords and Google Conversion Tracking
Our website uses Google AdWords. This service is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
AdWords is an online advertising program. As part of our online advertising program, we use conversion tracking. Following a click on an advertisement placed by Google, a conversion tracking cookie will be placed. Cookies are small text files that your web browser stores on your device. Google AdWords cookies expire after thirty (30) days and do not serve the purpose of identifying the user’s identity. The cookies allow Google and us to recognize that you have clicked on an advertisement and were directed to our website.
Every Google AdWords customer is given a separate cookie. The cookies cannot be tracked across the websites of AdWords customers. Conversion cookies are used to generate conversion statistics for AdWords customers that use conversion tracking. AdWords customers are informed about how many users have clicked on their advertisement and were redirected to pages with the conversion tracking tag. However, AdWords customers will not receive any information that allows them to personally identify the users. If you wish not to be tracked, you may object to this use of your data. In this case, you need to disable the conversion cookie in the user preferences of your web browser. In that event, you will not be included in the conversion tracking statistics.
“Conversion cookies” will be stored in accordance with Art. 6, par. 1, lit f of the GDPR. We, as the website operator, have a legitimate interest in analyzing the user behavior in order to optimize our web offer and our advertising campaigns.
Any up-to-date web browser will enable you to monitor, restrict, or disable the placing of cookies. When you disable cookies, you may not be able to experience the full functionality of our website.
The controller has integrated YouTube components on this website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and other users to view, rate, and comment on them free of charge. YouTube allows the publication of videos of any kind so that complete movies and TV broadcasts, but also music videos, trailers, or user-produced videos may be watched via this internet portal.
This service is offered by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, U.S. YouTube, LLC is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Whenever a page of this website is visited that is operated by the controller and into which a YouTube component (YouTube video) has been integrated, the browser on the data subject’s IT system will be automatically triggered by the corresponding YouTube components to download an image of the corresponding YouTube component from YouTube. For further information on YouTube please refer to https://www.youtube.com/intl/de/yt/about/. As part of this technical procedure, YouTube and Google will know which specific page of our website was visited by the data subject.
If the data subject is logged into its YouTube account at the same time, YouTube will know which specific page of our website was visited by the data subject when a page containing a YouTube video is called up. This information will be gathered by YouTube and Google and matched with the data subject’s YouTube or Google account.
The YouTube component will provide YouTube and Google with information that the data subject visited our website, if the data subject has logged into its YouTube or Google account before visiting our website; this information will be transmitted irrespective of whether the data subject clicks on a YouTube video or not. In the event that the data subject does not wish its information to be transmitted to YouTube and Google, it may prevent this transmission by logging out of its YouTube or Google account prior to visiting our website.
The YouTube services are used for the purpose of making our online offer attractive. This constitutes a legitimate interest within the meaning of Art. 6, par. 1, lit. f of the GDPR.
4. Twitter plug-in
Our website uses functions provided by Twitter. Twitter is operated by Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, U.S. (“Twitter”).
When you use Twitter and the “re-tweet” function, websites you visit will be linked with your Twitter account and published in your Twitter feed. This means that data is transmitted to Twitter. We have no information on the contents of the data transmitted or the use of this data by Twitter.
We wish to give users of our website the opportunity of staying informed of changes in our product offer via social media.
We use Twitter for the purpose of an attractive presentation of our online offers and for an easier exchange of information via social media. This constitutes a legitimate interest within the meaning of Art. 6, par. 1, lit. f of the GDPR.
You may change your privacy settings in your Twitter account: https://twitter.com/account/settings
Our website uses functionality provided by the Userlike service. This service is offered by Userlike UG (limited liability), Probsteigasse 44-46, 50670 Köln, Germany.
The following data will be collected and stored: Date and time of access to the service; chat contents. The collected data will not be used to identify you personally.
In the event that you disclose personal data to us via the chat, this will occur on a voluntary basis. We do not actively ask you for personal data. The texts that you enter in the input field during the chat will be stored on the Userlike server on our behalf. The legal basis for this type of data processing is either Art. 6, par. 1, lit. a) (consent) or lit. b) (contract performance) of the GDPR.
We need your email address for sending you a newsletter. The email account used for subscribing to our newsletter needs to be verified by way of a so-called double opt-in in order to ensure that an abusive registration by a third party is prevented. This email account will be exclusively used for mailing the newsletter.
The email account provided while subscribing to the newsletter will be exclusively processed based on your consent (Art. 6, par. 1, lit. a) of the GDPR). You may withdraw this consent at any time. If you wish to withdraw your consent you may send an email notice or deregister by clicking on the “unsubscribe” link in the newsletter. The withdrawn consent does not have any effect on the lawfulness of previous data processing operations.
If you unsubscribe, any data entered for setting up your subscription will be erased. If this data should have been transmitted to us for other purposes and via a different process, it will remain with us. The following table gives an overview of the processing operations that are related to the registration and mailing of the newsletter:
7. Customer portal on our website
Our customers may create a customer account on our website for which they need to register; this account will allow them to see and display their orders, product prices, or delivery status of their orders. No contracts will be concluded via the customer portal. During the registration process, some personal data such as name, address, contact and communication data, e.g., phone number and email account, will be gathered. If necessary, users of our customer portal may change or delete data which they provide during their registration at any time. Of course, we will be glad to provide you with information about your personal data stored by us at any time. We will also be glad to rectify and/or erase data upon your request, unless statutory retention duties provide otherwise.
As long as you use the enhanced functionality / features of our customer portal, we will store your data that you provided in the course of your registration for managing your customer account and for the purposes of contract performance (Art. 6, par. 1, sentence 1, lit. b) of the GDPR). Furthermore, we will store any data that you voluntarily disclose while using this portal based on your relevant consent (Art. 6, par. 1, lit a) of the GDPR). Following the deletion of your customer account we will erase your data, unless there are statutory provisions that allow their continued storage.