1. General information
 

1.1 Controller

This Privacy Policy is provided by: 

BOMAG GmbH

Hellerwald

56154 Boppard, Germany

Email: info@bomag.com

to fulfil its existing legal duty to provide information pursuant to Article 13 of the General Data Protection Regulation (“GDPR”) regarding any processing of personal data on our website. We therefore explain to you below in our Privacy Policy the personal data from you that we process and how we process such data. 

For more information about data processing at our Group headquarters at FAYAT SAS, 137 Rue du Palais Gallien, Bordeaux, France, please go to www.fayat.com/en/personal-data.

Please contact us if you have any further questions.

1.2 Personal data 

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes information such as your name, address, phone number, language, email address, IP address, bank details and date of birth. 

1.3 Processing of personal data 

Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Data processing includes, in particular, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. 

The relevant legal bases for other processing of data are set out below.

The following principles of data processing apply to all the purposes of data processing described in this Policy.

Article 6(1)(c) GDPR is the relevant legal basis for compliance with legal obligations. We process your personal data depending on the applicable legal obligation.

There is no automated decision-making in individual cases, including profiling, in accordance with Article 22 GDPR.

1.4 Data collection when you visit our website
 When using the website for information purposes, i.e. by simply viewing it without registering and without you providing us with any other information, we process the personal data that your browser sends to our server. The data described below is technically necessary in particular for us to display our website to you and to ensure website stability and security and therefore has to be processed by us.

• IP address
• Date and time of the request
• Time zone difference from Greenwich Mean Time (GMT)
• Content of the request (page visited)
• Access status/HTTP status code
• The volume of data transferred
• Previously visited page
• Browser
• Operating system
• Language and version of the browser software

The legal basis is Article 6(1)(f) GDPR, (legitimate interest).
 

1.5 Other features and services 

In addition to using our website purely to provide information, we offer various services that you can use, if interested, and use other typical features to analyse or market our products, which are set out in more detail below. This usually requires you to provide further personal data or we process such further data that we use to perform the applicable services. This Policy sets out these processes.

In some cases, we use external service providers to process your data. We have carefully selected them, they are required follow our instructions and they are regularly monitored. 

We may also disclose your personal data to third parties when we run promotions and competitions, sign contracts or provide similar services with partners. Depending on the service, your data may also be collected by such partners themselves as data controllers. We provide more information about such offers at the time when you provide your personal data or below in the description of the applicable offer. 

If our service providers or partners have their registered office in a state outside the European Economic Area (EEA), we will inform you of the consequences of the location of our service providers in the description of the offer.
 

2. Use of cookies

In addition to the data listed above, we use technical tools for various functions when you use our website, in particular cookies, which may be stored on your device. When you access our website and at any time later, you have the choice of whether to allow cookies to be set in general or which individual additional functions you would like to select. You can make changes in your browser settings or via our Consent Manager, which you can access via “Cookie Settings” in the footer at the very bottom of our website. Below, we start by describing cookies from a technical point of view, before going into more detail about your individual choices by describing technically necessary cookies and cookies that you can optionally select or deselect.

Cookies are text files or information in a database that are stored on your hard drive and assigned to the browser you are using to provide the website that creates the cookie with certain information. Cookies cannot run programs or infect your computer with viruses, but are primarily used to make the website faster and more user-friendly and to recognise returning visitors. This website uses the following types of cookies – how they work and the legal basis is set out below: 

• Transient Cookies: These cookies, in particular session cookies, are automatically deleted when the browser is closed or when you log out. They contain a session ID. This means that various requests from your browser can be assigned to the same session and we can recognise your computer when you return to our website.
• Persistent Cookies: These cookies are automatically deleted after a predefined period of time, which varies depending on the cookie. You can see the cookies that are set and the times they expire at any time in the settings of your browser and delete the cookies manually.
• Other technologies: These functions are not based on cookies, but on similar technical mechanisms, such as Flash cookies, HTML5 objects or analysis of your browser settings. The result is similarly that we can use the techniques described below. You can of course consent or object to such technical mechanisms as well. 

We use technically necessary cookies, firstly, to display the website. The legal basis is Article 6(1)(f) GDPR (legitimate interest). The technical structure of the website requires us to use techniques, in particular cookies. Without these techniques, our website cannot be (entirely correctly) displayed or it would not be possible to provide the support functions, or they are necessary our website to function effectively. These are transient cookies that are deleted after the end of your website visit, at the latest when you close your browser. You cannot opt out of these cookies if you want to use our website. See the Consent Manager in the footer at the very bottom of our website for details of the specific cookies. You can, however, of course configure your browser settings to your preference and reject these kinds of technically necessary cookies as well. Please note that you will then not be able to use our website or only with limitations. 

Otherwise, Article 6(1)(a) GDPR (consent) is the legal basis for using cookies, which you can select when you first visits our website and also on each subsequent visit, using the Cookie Consent Manager, which you can access via “Cookie settings” in the footer at the very bottom of our website. The functions are only activated if you consent and may be used in particular so that we can analyse and improve visits to our website, to make it easier for you to use it via different browsers or devices, to recognise you when you visit the website or to deliver advertising, potentially also to personalise advertising to match interests, to measure the effectiveness of ads or to display interest-based advertising. 

Storing information about a device that belongs to you by setting cookies and accessing such information stored on such a device by reading the cookies is only allowed if you give us consent for such purposes, in accordance with Section 25(1) sentence 1 of the German Telecommunications and Telemedia Data Protection Act (TTDSG). In this case, according to Section 25(1) sentence 2 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), the relevant requirements under GDPR, as already described, apply.

You may withdraw your consent, but this does not affect the lawfulness of processing prior to withdrawal.

You can indicate specifically whether you consent to all cookies, only consent to certain types of cookie or do not consent to any cookies. Your consent is optional. You can refuse to consent without giving any reasons and without risk of any disadvantage as a result. You can also withdraw such consent at any time with effect for the future in our Cookie Consent Manager, without risk of any disadvantage as a result. However, please note that you may not be able to make full use of all the features of this website if you do not give your consent or if you withdraw your consent.
 

We also provide you with more information about the use of cookies in the sections below, including where cookies are used, and via the “Cookie Settings” in the footer at the very bottom of our website.
 

3. Contact forms on our website 

When you contact us by email or via a contact form, we store and process the personal data you provide to the extent necessary to fulfil the applicable purpose of your request or the contact form, in particular to respond to your request. 

For example, we use our general our dealer contact form (Dealer Locator), which gives you the option of sending your enquiry directly to the dealer of your choice; or our Intercompany contact form, which – using contact forms on other websites in markets outside Germany – makes it possible to send your message to branches in the relevant target country.

Mandatory information is indicated on each form and is only information that is required to fulfil the relevant purpose. You can also optionally provide us with further data.

We erase (delete) the data that is collected in this regard: after the time limits for the term of the contract, if the enquiry is linked to a contract; otherwise, after the storage is no longer necessary; or, if statutory retention obligations apply, we restrict processing.

The legal basis is Article 6(1)(f) GDPR, (legitimate interest).
 

4. Used machines

Please see the above points regarding contact forms, which apply generally to the used machines contact form.

Data is only processes to the extent necessary to fulfil the relevant purpose.

You can have your used machine valued using the used machines contact form. In addition to technical data about your used machine, it is also necessary to enter personal data so that we can provide you with a specific assessment by one of our employees of the used machine you want to sell.

The assessed value is only indicative (plus statutory VAT). The actual purchase value must be identified specifically by a used machinery expert and depends on the condition, add-on parts and the market.

Mandatory details are the details about the machine that are required to value the machine as well as name, company name, phone number and email address.

The legal basis is Article 6(1)(b) GDPR for steps prior to entering into a contract; alternatively, the legal basis is Article 6(1)(f) GDPR (our legitimate interest).
 

5. Webshops

5.1 Merchandise webshop for consumers

The BOMAG Merchandise Shop is operated by Verticas Service GmbH, Schöne Aussicht 59, 65193 Wiesbaden, Germany, as the data controller. For more information about data protection, please see the privacy policy for the webshop. 

5.2 Original Spare Parts webshop for companies 

If you want to place an order on our BOMAG Parts Webshop at parts.bomag.com or via my.bomag.com, then, in order to enter into the contract, you have to provide your personal data, which we require for the purpose of processing your order. Mandatory information required for processing contracts is indicated specifically; other details are optional. For payment, you may provide your payment details to our payment service provider or we pass on your payment details to our main bank. These third parties are each independently responsible for processing the payment. 

The legal basis in this case is Article 6(1)(b) GDPR (performance of a contract). 

We use our own web server and IT system to process your order. The delivery address you provide is sent to our shipping service provider/carrier for the purpose of delivering the order. Otherwise, personal data is not disclosed to any third party.

The BOMAG Original Spare Parts Webshop is aimed solely at companies and legal entities. 

Electronic registration is therefore required before using it. On registration, we create a customer account. You register electronically on the registration page we provide. The fields marked as mandatory must be completed so that we can check your registration request, in particular to verify whether you as the applicant are actually a company or a legal entity.

When you create an account, the data you provide is stored, subject to withdrawal of consent. You can delete all other data, including your user account, at any time in the customer area.

Mandatory details for parts.bomag.com are: Company name/name of the legal entity, contact person and their phone number, email address, invoice address and, if applicable, different delivery address, VAT ID, and the password you want for your future customer account.
 

Mandatory details for the mybomag.com webshop are: First name, last name, email, company, department (optional), phone number, street, postcode, city, VAT number, place of jurisdiction (optional), invoice email address

We use the double opt-in procedure for registration. This means that, after registering, we will send an email to the email address you have provided, where we ask you to confirm your registration request and to check the accuracy of the data you have provided. If you do not confirm your registration request within 7 days, your login data is deleted.

If you confirm your registration request, we record and save the date and time of confirmation of the registration request.

After we have received your confirmation, we check whether you are actually a company or a legal entity and carry out a credit check, as we finance the delivery of the parts you subsequently order via our webshop. Within the scope of the credit check, we shall obtain credit information from Creditreform Koblenz Dr. Rödl & Brodmerkel KG, Rizzastr. 49, 56068 Koblenz. For this purpose, we shall provide your company name and registered business address. We subsequently view and assess the report. There is no automated decision-making for this purpose. 

For applicable information about data processing in accordance with Article 14 GDPR, which is carried out by the credit agency, Creditreform Koblenz Dr. Rödl & Brodmerkel KG, please go to www.creditreform-koblenz.de. Otherwise, the data is not disclosed. 

You can object to the registration check being continued and to data being sent to the credit agency at any time. However, it is then not possible to complete registration successfully or place future orders via our webshop.

The legal basis in this case is Article 6(1)(b) GDPR (performance of a contract), as well as our legitimate interest within the meaning of Article 6(1)(f) GDPR.

We may also process the data you provide to inform you about other interesting products from our portfolio or to send you emails with technical information.

We are required under commercial and tax law to store your address, payment and order data for a period of ten years. However, we restrict processing after three years. I.e. from this time onwards your data is only used to comply with legal obligations.

To prevent unauthorised access by third parties to your personal data, the ordering process is encrypted using TLS technology.

6. Portals

6.1 BOMAG Extranet

If you want to use our BOMAG Extranet portal, you must register by entering your email address and a password of your choice. 

It is also mandatory to provide the following data: Company, street, postcode, city, country, first name, last name, email, position, department

You can optionally provide more information.

For this service, we use the double opt-in procedure, i.e. we send you an email where you must confirm that you are the owner of the email address that has been provided. We store the data you provide, as well as the times you registered for the service and your IP address, until you unsubscribe from the information service.

If you use our portal, we store the data from you that required to perform the contract, including information about the method of payment, until you permanently delete your access. We also store the optional data you provide for the duration of your use of the portal, unless you delete it first. You can manage and change all your details in the protected customer area. 

The legal basis is Article 6(1)(b) GDPR (performance of a contract).

To prevent unauthorised access by third parties to your personal data, in particular to your financial data, the connection is encrypted using TLS technology.

Your data is not made available to other members of the portal. 

Registration and the account are managed by BOMAG and its foreign subsidiaries. This means that the data can be viewed and managed by companies affiliated with BOMAG within the meaning of Section 15 ff. of the German Stock Corporation Act (AktG). The account is used for authentication on portals, websites, shops and apps. This means that data can also be used in other services.

6.2 myBOMAG

Access to myBOMAG is either via www.bomag.com or directly via my.bomag.com and allows you to use various services. You can log in via Single Sign-On (SSO) using the email address you have registered with BOMAG.

When registering for SSO, the following data is collected and stored:

• Customer number (optional)
• First name
• Last name
• Email
• Department (optional)
• Position (optional)
• Phone number (optional)
• Mobile phone number (optional)
• Preferred language (optional)
• Company (optional)
• Street (optional)
• Postcode (optional)
• City (optional)
• State/province/county (Optional)
• Country
• Organisation name
• Dealers

For this service, we use the double opt-in procedure, i.e. we send you an email where you must confirm that you are the owner of the email address that has been provided. We store the data you provide, as well as the times you registered for the service and your IP address, until you unsubscribe from the information service.

If you use our portal, we store the data from you that required to perform the contract, including information about the method of payment, until you permanently delete your access. We also store the optional data you provide for the duration of your use of the portal, unless you delete it first. You can manage and change all your details in the protected customer area. 

To prevent unauthorised access by third parties to your personal data, in particular to your financial data, the connection is encrypted using TLS technology.

Your data will not be made available to other participants on the portal. BOMAG may access your data for administrative purposes. Once you have had your machines verified by a dealer, they will be able to view the following data: name of the end customer employee, location of the machine (if telematics is active) and the machine's operating hours.

Registration and the account are managed by BOMAG and its foreign subsidiaries. This means that the data can be viewed and managed by companies affiliated with BOMAG within the meaning of Section 15 ff. of the German Stock Corporation Act (AktG). The account is used for authentication on portals, websites, shops and apps. This means that data can also be used in other services.

Bing Maps

On myBOMAG,. we use Bing Maps, which is provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA. This allows us to display interactive maps for your directly on the website and allows you to display your saved machines conveniently on a map. The maps are only used and displayed for machines that you have saved and that have been authorised by the dealer.

The legal basis for processing for myBOMAG is Article 6(1)(f) GDPR and our legitimate interest in making our website more attractive and user-friendly for users in general.

When you use Bing Maps, the Bing Maps provider (Microsoft Corporation) is informed that you have accessed the corresponding page on our website. To use the Bing Maps features, it is necessary to process your IP address for Internet communication. The address is typically processed on a Microsoft server in the USA.

We have no influence over the specific processing of data by Bing Maps. Information regarding the purpose and extent of data processing is available in the provider's privacy policy at: https://privacy.microsoft.com/en-us/privacystatement and https://www.microsoft.com/en-us/maps/bing-maps/product. The Privacy Policy also provides more information about your rights in this regard and optional settings to protect your privacy.

Microsoft Application Insights

As part of myBOMAG, we use Azure Application Insights from the Azure cloud platform of Microsoft Corporation, Redmond, USA (“Microsoft”). This service collects anonymised statistical telemetry data from the application used. The analyses of the website and the application are carried out on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR.

We want to use Azure Application Insights to monitor and improve myBOMAG so that we can ensure a needs-based design and an ongoing optimisation of our website and application.

By using Application Insights, we can generate diagrams and tables that, for example, provide information on the times of day when user interest is particularly high, how well the app responds and how well it is supplied by external services on which it may be dependent.

For support purposes, i.e. in the event of faults, errors or performance problems, we can analyse the data collected in order to determine the cause of the error. This helps us provide myBOMAG with a high availability and quality.

Azure Application Insights collects telemetry data, such as performance data, the number of page views, the number of users and sessions, HTTP requests and server availability times. The collected IP address is anonymised after telemetry data has been analysed. It is therefore not possible to deduct a personal reference to the user from this collected data. On the following page, Microsoft describes in detail what Azure Application Insights does, what data is processed and how long it is stored: https://docs.microsoft.com/de-de/azure/application-insights/app-insights-data-retention-privacy

Azure Application Insights stores a cookie in the browser that enables usage to be analysed. The information generated by the cookie is normally transmitted to a server within the EU, where it is processed and stored. In exceptional situations, Microsoft can also transfer data to servers outside the EU for maintaining the service.

Further information from Microsoft on the subject of data protection and Azure can be found at https://www.microsoft.com/en-us/trust-center/privacy.

Userlane

myBOMAG uses the Userlane web application provided by Userlane GmbH, Rosenheimer Str. 143c, Munich, Germany (hereinafter referred to as "Userlane"). This allows us to provide you with instructions and help for myBOMAG and to collect feedback. We use a virtual assistant for these tasks, which can be loaded on myBOMAG. The assistant can be used to demonstrate features and how to use the platform, thereby enhancing usability and the user experience.

We process pseudonymized personal data for this purpose:

Pseudonymized login information:

• Browser type and version

• Time zone

• Language settings

• Operating system that is used

Usage data:

• Interaction data including usage logs

• Server log files

The legal basis for using the data is our legitimate interest under Article 6(1)(f) GDPR in optimizing our online service.

Userlane uses cookies, which are stored on your computer. The legal basis for using the data is our legitimate interest under Article 6(1)(f) GDPR in optimizing our online service. When users access my.bomag.com, they are informed about the use of cookies via an info banner. As a user, you are asked to consent to cookies being used. See the Consent Manager for details of the specific cookies. You may object to your data being processed, at any time, with effect for the future, by changing the configuration in the cookie settings. If you disable the use of cookies on your browser, it is possible that Userlane and myBOMAG will not work. Userlane runs its services on the Microsoft Azure infrastructure, which is a service provided by Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18/Ireland, solely within the EU in data centres in Amsterdam, Netherlands (for more information, go to: docs.microsoft.com/en-us/azure/security/).
 

For more information about data protection and the processing of personal data by Userlane, go to: www.userlane.com/trustcenter/privacy-policy/.


Contracts

If you wish to conclude a contract for licences or software via myBOMAG, you must provide your personal data, which we require for the purpose of processing your order. The mandatory information required for the processing of contracts is marked separately; further information is voluntary.

Additional registration is required before ordering contracts. Your registration is carried out electronically via the registration page provided by us. The fields marked as mandatory must be filled in so that we can check your registration request. The legal basis for this is Art. 6 (1) (1) GDPR, ‘Consent to processing’. Mandatory information when using ‘Contracts’: First name, surname, email, company, department (optional), telephone number, street, postcode, city, VAT ID number, place of jurisdiction (optional), billing email address, country.

Within the scope of contract execution, the data can be viewed and managed by the responsible dealer. The dealer is authorised to create contracts for a customer, which must be confirmed by the customer.

Other services at mybomag.com

mybomag.com provides you with access to the Telematics, Bomap and Service 4.0 products, when you use the portal. Using these services does not require access to my.bomag.com and there are separate data privacy policies for these services.
 

6.3 BOMAG Information Platform

The BOMAG Information Platform (BIP) is a portal that can be used by our customers, dealers and employees to display BOMAG documents and download them. Depending on user authorisation, these documents include operating and maintenance instructions or spare parts catalogues, for example. The Service 4.0 app is available as a mobile version for both Android and Apple devices, and is particularly designed for end customers.

The applications are hosted in certified data centres in Germany and are subject to appropriate data protection agreements.

Basis of use

As a customer of Bomag, you use this application within the scope of your consent (Art. 6(1)(a) General Data Protection Regulation (GDPR)). As an employee of Bomag, you use this application within the scope of your job at Bomag (Art. 6(1)(f) GDPR).

When using the BIP and the Service 4.0 app, we collect and store the following data:

Account data

Account data refers to information about a user that is processed in connection with the creation or management of a customer account. We require this data to identify the user account and to determine and maintain a user’s authorisations and access rights. The following data is collected: Customer number (optional), first name, last name, e-mail, department (optional), position (optional), telephone number (optional), mobile number (optional), preferred language (optional), company (optional), street (optional), postcode (optional), city (optional), state/province (optional), country, organisation name, dealer.

Access data

Access data is data that is usually collected automatically when using a product. For example, this includes technical log files and usage data, but also feedback or ratings from users.

General access data is only evaluated anonymously in order to verify and ensure contractual agreements with the customer. The following data is collected: User name, time of login, number and time of accesses and operations performed.

We use the log files for error analysis and troubleshooting only. This data is not evaluated on a user-specific basis. The following data is collected: URL accessed, browser type and browser version, operating system used, referrer URL, host name, time of server request and IP address.

We require the session data for various core product functions. For example, you can use the ‘Show log’ function to view the history of your current session. Furthermore, this data is used for other application-specific evaluations in order to improve the application. For instance, this allows the most frequently viewed documents to be analysed. Information about the start time of a session, in conjunction with the IP address, is used temporarily to enable you to use the service on different devices at the same time. The following data is collected: User name, user role, start and end time of a session, date of the operation performed, the operation performed (e.g. search queries including the search terms and search filters entered), download or display of documents, pausing of sessions, resumption of paused sessions.

In order to improve the stability and reliability of our Service 4.0 app, we collect anonymous crash reports via Firebase Crashlytics from Google Ireland Ltd. (Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland). In the event of a crash, anonymous information is transmitted to Google’s servers in the United States. This information contains no personal data and shall only be sent with your express consent. When using iOS apps, you can give your consent in the app settings or after a crash. When setting up Android apps on mobile devices, you have the option of giving your general consent to the transmission of crash reports to Google and app developers. The legal basis for this data transfer is Article 6(1)(a) GDPR. The following data is transferred: Status of the app at the time of the crash, installation UUID, crash trace, manufacturer and device operating system an the last log messages.

User feedback that you provide during a session using the ‘Helpful’ or ‘Not helpful’ function helps us to improve the content.

We use anonymised usage data to identify trends, usages, activity patterns and areas where we can integrate and improve our services. For example, we may record the frequency and extent of your use of the service, the duration of your sessions, and how you interact with the service’s user interface, etc. This enables us to make our services smarter, faster, safer and more useful for you. The following data is collected: Event name, event properties (e.g. time of server request, API version, component used), user properties (e.g. anonymised user name, browser type, browser version, operating system used, app used, position in the company, country)

Reporting functions on this data also enable us to make statements about key areas of use (e.g. geographical or grouped by app).
 

7. Analytics 

7.1 Google Analytics

This website uses Google Analytics, which is a web tracking service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, (Google). The purpose for which we use the tool is to make it possible to analyse your user interactions on websites and to improve our website via the statistics and reports obtained, and to make it more interesting for you as a user.

We primarily collect interactions between you as a website user and our website using cookies, device/browser data, IP addresses and website activity. Google Analytics also collects your IP addresses to ensure the security of the service and to provide us, as the website operator, with information about the country, region or location from which the relevant user originates (IP geolocation). For your protection, however, we use the IP masking anonymisation function, which means that Google truncates the IP addresses by the last octet within the EU/EEA.

Google operates as a data processor on our behalf and we have concluded a corresponding processor agreement with Google in accordance with Article 28 GDPR. Processors only process your data in accordance with the legal requirements and with instructions from us and only to perform the processor agreement. 

Information generated by the cookie and IP addresses that are normally truncated, relating to your use of this website, are normally sent to a Google server in the USA and processed there. For these cases, Google states that it has set itself a benchmark equivalent to the former EU-US Privacy Shield and has explained that it complies with applicable data protection laws when transferring data internationally. We have also agreed standard contractual clauses with Google pursuant to Article 46(2)(c) GDPR, the purpose of which is to ensure compliance with an adequate level of data protection, in the third country.

Since Google uses cookies and also processes your personal data in the USA, your personal data is only processed in this way if you have given us your optional consent for such processing in accordance with Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG) in conjunction with Article 49(1)(a) GDPR. Before giving your consent pursuant to Article 49(1)(a) GDPR, please note in particular that, in the absence of an adequacy decision and suitable guarantees, there may not be an adequate level of data protection in the USA, as data protection laws do not comply with the requirements of GDPR. In particular, data subjects' rights may not be enforced and, based on the CLOUD Act, US authorities may have access both to group companies based in the USA and outside the USA, as long as they belong to a US group.

The legal basis for collection and further processing of the information, which is for a maximum of 14 months, is your consent in accordance with Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG). You may withdraw your consent at any time, but this does not affect the lawfulness of processing prior to withdrawal. The easiest way to withdraw your consent is to use our Consent Manager or to install Google's browser add-on, which is available via the following link: tools.google.com/dlpage/gaoptout?hl=en/. 

For more information about the services provided by Google Analytics, please go to marketingplatform.google.com/about/analytics/terms/en/. Google provides information about data processing when using Google Analytics under the following link: support.google.com/analytics/answer/6004245?hl=en/. For general information about data processing, which Google believes should also apply to Google Analytics, is available in Google's Privacy Policy at www.google.co.uk/intl/en/policies/privacy/.

7.2 eTracker

On our website, we use the technologies provided by eTracker GmbH to obtain information about the use of our website. We use eTracker to analyse the use of our website, to improve our website regularly and to make it more interesting for you as a user. We carry out reach analyses, measure the success of our online marketing measures and test processes, e.g. in order to test and optimise different versions of our website or parts of our website.

Collected data is stored and analysed pseudonymously. We do not use cookies for web analytics by default. 

The legal basis for the use of eTracker is legitimate interest in accordance with Article 6(1)(f) GDPR. 

According to the provider, collected data that could potentially be related to an individual person, such as IP address, login ID and device ID, are anonymised or pseudonymised as soon as possible. There is no other use of the data, combination with other data or transfer to third parties. The data generated using eTracker is processed on our behalf by the provider. According to the provider, it is processed exclusively in Germany and is therefore subject to the strict German and European data protection laws and standards. eTracker has been independently audited, certified and awarded the ePrivacyseal for data protection.

You may object to the collection and storage of data at any time with effect for the future. To be excluded from the statistics, please click on the button at the bottom of this page.

Name and contact details of the third-party provider: eTracker GmbH, Erste Brunnenstr. 1, 20459 Hamburg, Germany; information from the third-party provider about data protection is available at www.etracker.com/datenschutz.

7.3 Leadinfo

We use the lead generation service provided by Leadinfo B.V., Rotterdam, Netherlands. This service recognises visits by companies to our website based on IP addresses and shows us publicly available information, such as company names and addresses. Leadinfo also creates two first-party cookies to analyse user behaviour on our website and processes domains from data entered on forms (e.g. “leadinfo.com”) to correlate IP addresses with companies and improve services. More information is available at www.leadinfo.com. You can opt out on this page: www.leadinfo.com/en/opt-out. If you opt out, your data will no longer be collected by Leadinfo.
 

8. Social networks 

8.1 Integration of YouTube videos

We have integrated YouTube videos into our website, which are stored on YouTube.com and can be played directly from our website. 

The legal basis for processing your data is Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), i.e. this service is only integrated into the website with your consent.

YouTube also processes your personal data in the USA. For these cases, YouTube states that it has set itself a benchmark equivalent to the former EU-US Privacy Shield and has explained that it complies with applicable data protection laws when transferring data internationally. We have also agreed standard contractual clauses with YouTube pursuant to Article 46(2)(c) GDPR, the purpose of which is to ensure compliance with an adequate level of data protection, in the third country.

Since YouTube processes your personal data in the USA, your personal data is only processed in this way if you have given us your optional consent for such processing in accordance with Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG) in conjunction with Article 49(1)(a) GDPR. Before giving your consent pursuant to Article 49(1)(a) GDPR, please note in particular that, in the absence of an adequacy decision and suitable guarantees, there may not be an adequate level of data protection in the USA, as data protection laws do not comply with the requirements of GDPR. In particular, data subjects' rights may not be enforced and, based on the CLOUD Act, US authorities may have access both to group companies based in the USA and outside the USA, as long as they belong to a US group.

You may withdraw your consent at any time, but this does not affect the lawfulness of processing prior to withdrawal. The easiest way to withdraw is via our Consent Manager.

When you visit the website, YouTube is informed that you have accessed the corresponding subpage on our website. The basic data above, such as IP address and time stamp, are also transferred. YouTube receives this information, whether you have a user account that you are logged in to or have no user account. If you are logged, your data is directly linked to your account. If you do not want data to be linked to your YouTube profile, you must log out before enabling the button. YouTube stores your data in usage profiles and uses the data for advertising purposes, as well as for market research and/or to optimise the design of its website for users. Analysis of this kind is carried out in particular, even for users who are not logged in, to provide targeted advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles, and you must contact YouTube to exercise this right.

For more information about the purpose and extent of data collection and processing by YouTube, please see YouTube's Privacy Policy. The Privacy Policy also provides more information about your rights and optional settings to protect your privacy at www.google.co.uk/intl/en/policies/privacy/.

8.2 Social media

We have various accounts on social media platforms. We operate accounts with the following providers: 

• Facebook Inc, 1601 S California Ave, Palo Alto, California 94304, USA; www.facebook.com/about/privacy.
• LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; www.linkedin.com/legal/privacy-policy.
• YouTube, operated by Google Inc, 1600 Amphitheater Parkway, Mountainview, California 94043, USA; www.google.com/policies/privacy/partners/?hl=en.
• Instagram, operated by Facebook Inc, 1601 S California Ave, Palo Alto, California 94304, USA; www.facebook.com/policy.php; more information about data collection: www.facebook.com/help/186325668085084, www.facebook.com/about/privacy/your-info-on-other#applications as well as www.facebook.com/about/privacy/your-info#everyoneinfo.
• Xing, operated by New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; privacy.xing.com

Data collected relating to you in these cases is processed by the platforms and may be transferred to countries outside the European Union (except Xing, which is based in Germany), in particular the USA. All of the above providers (except Xing, which is based in Germany) state that they comply with an adequate level of data protection equivalent to that of the former EU-US Privacy Shield and we have concluded the standard contractual clauses pursuant to Article 46(2)(c) GDPR with the companies. 

Please note that, in the absence of an adequacy decision and suitable guarantees, there may not be an adequate level of data protection in the USA, as data protection laws do not comply with the requirements of GDPR. In particular, data subjects' rights may not be enforced and, based on the CLOUD Act, US authorities may have access both to group companies based in the USA and outside the USA, as long as they belong to a US group.

We do not known how the social media platforms use the data from your visit to our account or interaction with our posts for their own purposes, how long such data is stored or whether data is passed on to third parties. The processing of data may be different depending on whether you are registered and logged in to the social network or visit the site as a non-registered user and/or user who is not logged in. When you access a post or the account, the IP address assigned to your device is sent to the provider of the social media platform. If you are logged in as a user at the same time, a cookie on your device can be used to track how you have moved around the network. Buttons embedded in websites make it possible for the platforms to record your visits to such website pages and assign them to your relevant profile. This data can be used to provide personalised content or ads. If you want to prevent this, you must log out or disable the “stay logged in” function, delete the cookies on your device and restart your browser.

We rely on the technical platform and services provided by the providers for these information services. Please note that you use our presence on social media platforms and associated functions on your own responsibility. This applies in particular to using interactive functions (e.g. commenting, sharing and rating). When you visit our accounts, the providers of the social media platforms collect your IP address and other information that is on your device in the form of cookies. This information is used to provide us, as operator of the accounts, with statistical information about your interaction with us.

As the provider of the information service, we also only process the data from your use of our service that you provide to us and require interaction. For example, if you ask a question that we can only answer by email, we store your information in accordance with the general principles according which we process data, which we describe in this Privacy Policy. 

The legal basis for processing your data on the social media platform is legitimate interest in accordance with Article 6(1)(f) GDPR.

The legal basis for taking part in competitions is Article 6(1)(b) GDPR (performance of a contract).

To exercise your rights as data subject, you can contact us or the provider of the social media platform. To the extent that one party is not responsible for replying or needs to obtain the information from the other party, we or the provider then forward your request to the relevant partner. Please contact the operator of the social media platform directly for questions about profiling and the processing of your data when you use the website. If you have any questions about the processing of your interaction with us on our website, please write to the contact details we have provided above.

For more information about data protection at the relevant provider, see the privacy policies of the providers, as listed above.
 

9. Advertising

9.1 General advertising 

Our intention is to process the data you provide or that we collect in the course of an existing customer relationship or other contractual relationships involving payment for advertising purposes as well. In this case, the legal basis under data protection law is Article 6(1)(f) GDPR, (legitimate interest). According to the recitals to GDPR, there is a legitimate interest in particular with regard to direct marketing (Recital 47 sentence 7). The term “direct advertising” means a provider directly approaching a customer with the aim of promoting the sale of products or services for payment. Customer satisfaction surveys and taking part in surveys can also fall under the legal concept of advertising. The other legal requirements (in particular Section 7(3) of the German Act against Unfair Competition (UWG) must, of course, be observed.
 

In the absence of an existing customer relationship or any other contractual relationship involving payment, we only process your personal data for advertising purposes if you have given us your optional consent to do so (Article 6(1)(a) GDPR). 

With your consent, you can also e.g. subscribe to our newsletter, which we use to inform you about our current offers and events. We use the double opt-in procedure to subscribe to our newsletter via our websites and portals. This means that, once you have subscribed, we will send an email to the email address you have provided, where we ask you to confirm that you want to receive the newsletter. We also store the IP addresses you have used and the times that you have signed up to the newsletter and confirmed that you want to receive the newsletter. The purpose of the procedure is to confirm that you have signed up to the newsletter and, if necessary, to identify any possible misuse of your personal data. The only information that is required for us to send the newsletter is your email address and your choice of the parts of the newsletter you want to subscribe to. 

Any further, separately indicated data is provided optionally and is used to address you personally. Once you have confirmed your email address, we store your personal data for the above purpose. The legal basis is Article 6(1)(a) GDPR. Your consent is optional. You can refuse to consent without giving any reasons and without risk of any disadvantage as a result. You can also withdraw such consent at any time with effect for the future by clicking on the link provided in every newsletter email, by email or by sending a message to the contact details provided in this Privacy Policy, without risk of any disadvantage as a result.
 

Advertising may be by post, electronically, including email, in particular via our newsletter, on social media, by SMS/MMS or by phone call, where allowed by law.
 

Advertising relates in particular to all of our products and all of our services, customer satisfaction surveys and polls and to trade fairs and events and are stated on the consent page. 

If you give your additional optional consent in accordance with Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), your user behaviour is also assessed. For this analysis, the emails that are sent contain web beacons or tracking pixels, which are single-pixel image files stored on our website. For the analyses, we link the following technical data: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, the volume of data transferred, website from which the request comes, browser, operating system and its interface, language and version of the browser software with your email address and an individual ID in our customer database. We record when you read our newsletters, which links you click on in the newsletters, e.g. using confirmation of receipt or read confirmations, and infer your personal interests from such information. We link this data to the actions you have taken on our website, the interests you indicated when registering for the newsletter and the information already available about you or your company in our customer database with reference to the personal data you have provided. Using the data obtained in this way, we create a user profile to send you the newsletter and to personalise the advertising addressed to you to match your personal interests. Based on your personal profile, we send you information about new catalogues or special offers, for example. There is no such tracking if you have disable the display of images by default in your email program. In this case, the newsletter is not displayed completely and you may not be able to use all the features. If you display the images manually, there is tracking as described above. Any such consent is optional. You can refuse to consent without giving any reasons and without risk of any disadvantage as a result. You can also withdraw such consent at any time with effect for the future by email or by sending a message to the contact details provided in this Privacy Policy, without risk of any disadvantage as a result.
 

You can object to the processing of your personal data for advertising purposes and for data analysis at any time. The relevant contact details are listed at the end of this Privacy Policy. In this case, your personal data is no longer processed for advertising purposes and is deleted from the relevant advertising mailing lists.
 

If we use data processors on our behalf for this purpose, we have concluded a data processor agreement with them in accordance with the requirements of Article 28 GDPR. Processors only process your data in accordance with the legal requirements and with instructions from us and only to perform the processor agreement.

9.2 Use of Google Ads

We use the Google Ads service for ads to advertise our products and services. When you access our website via a Google ad, Google Ads stores a cookie on your device. 

The legal basis for processing your data is Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), i.e. this service is only integrated into the website with your consent.

Google also processes your personal data in the USA. For these cases, Google states that it has set itself a benchmark equivalent to the former EU-US Privacy Shield and has explained that it complies with applicable data protection laws when transferring data internationally. We have also agreed standard contractual clauses with Google pursuant to Article 46(2)(c) GDPR, the purpose of which is to ensure compliance with an adequate level of data protection, in the third country.

Since Google processes your personal data in the USA, your personal data is only processed in this way if you have given us your optional consent for such processing in accordance with Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG) in conjunction with Article 49(1)(a) GDPR. Before giving your consent pursuant to Article 49(1)(a) GDPR, please note in particular that, in the absence of an adequacy decision and suitable guarantees, there may not be an adequate level of data protection in the USA, as data protection laws do not comply with the requirements of GDPR. In particular, data subjects' rights may not be enforced and, based on the CLOUD Act, US authorities may have access both to group companies based in the USA and outside the USA, as long as they belong to a US group.

Ads are delivered by Google via ad servers. For this purpose, we and other websites use ad server cookies, which can be used to measure certain parameters of success, such as displayed ads or clicks by users. Using the Google Ads cookies stored on our website, we can obtain information about the success of our advertising campaigns. Such cookies are not intended to identify you personally. The unique cookie ID, number of ad impressions per placement, frequency, last impression, relevant for post-view conversions and opt-out information, indicating that a user wants to opt out, are usually stored as analysis values for this cookie.

Cookies set by Google allow Google to recognise your web browser. If a user visits certain pages on a Google Ads customer's website and the cookie stored on their computer has not yet expired, Google and the customer can see that the user has clicked on the ad and been redirected to that page. A different cookie is assigned to each Google Ads customer so that the cookies cannot be tracked across other Google Ads customers' websites. By integrating Google Ads, Google is informed that you have opened the corresponding part of our website or clicked on an ad from us. If you are registered with a Google service, Google can link the visit to your account. Even if you are not registered with Google or have not logged in, the provider can obtain and store your IP address.

Using Google Ads, your browser automatically establishes a direct connection with Google's server. We do not collect personal data ourselves for the above advertising measures, but only provide Google with the ability to collect the data. We only receive statistical analyses from Google that provide information about that ads that have been clicked, how often and at what prices. We do not receive any further data from using the advertising; in particular, we cannot use this information to identify users.

You may withdraw your consent at any time, but this does not affect the lawfulness of processing prior to withdrawal. The easiest way to withdraw is via our Consent Manager or via the following functions: a. by setting your browser software accordingly. In particular, blocking third-party cookies means you will not receive ads from third-party providers; b. by setting your browser to block cookies from the domain “www.googleadservices.com”, www.google.de/settings/ads. This setting is deleted when you delete your cookies; c. by deactivating interest-based ads of the providers that are part of the self-regulation campaign “About Ads” via the link www.aboutads.info/choices. This setting is deleted when you delete your cookies; d. by permanently deactivating them in your browsers using the following link: www.google.com/settings/ads/plugin. Please note that, in this case, you may not be able to use all the features of this website in full.

For more information about data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, go to: www.google.com/intl/en/policies/privacy and services.google.com/sitestats/en.html.
 

10. Other services

10.1 Google Maps integration

We use the Google Maps service on this website. This allows us to display interactive maps for your directly on the website and allows you to use the map function conveniently. 

The legal basis for processing your data is Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), i.e. this service is only integrated into the website with your consent.

Google also processes your personal data in the USA. For these cases, Google states that it has set itself a benchmark equivalent to the former EU-US Privacy Shield and has explained that it complies with applicable data protection laws when transferring data internationally. We have also agreed standard contractual clauses with Google pursuant to Article 46(2)(c) GDPR, the purpose of which is to ensure compliance with an adequate level of data protection, in the third country.

Since Google processes your personal data in the USA, your personal data is only processed in this way if you have given us your optional consent for such processing in accordance with Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG) in conjunction with Article 49(1)(a) GDPR. Before giving your consent pursuant to Article 49(1)(a) GDPR, please note in particular that, in the absence of an adequacy decision and suitable guarantees, there may not be an adequate level of data protection in the USA, as data protection laws do not comply with the requirements of GDPR. In particular, data subjects' rights may not be enforced and, based on the CLOUD Act, US authorities may have access both to group companies based in the USA and outside the USA, as long as they belong to a US group.

You may withdraw your consent at any time, but this does not affect the lawfulness of processing prior to withdrawal. The easiest way to withdraw is via our Consent Manager.

When you visit the website, Google is informed that you have accessed the corresponding subpage on our website. The basic data above, such as IP address and time stamp, are also transferred. Google receives this information, whether you have a Google user account that you are logged in to or have no user account. If you are logged in to Google, your data will be linked to your account. If you do not want data to be linked to your Google profile, you must log out before enabling the button. Google stores your data in usage profiles and uses the data for advertising purposes, as well as for market research and/or to optimise the design of its website for users. Analysis of this kind is carried out in particular, even for users who are not logged in, to provide targeted advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles, and you must contact Google to exercise this right.

For more information about data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, go to: www.google.com/intl/en/policies/privacy and services.google.com/sitestats/en.html.

10.2 Google Tag Manager

For easier management, we use the Google Tag Manager. Google Tag Manager is a solution that allows marketed website tags to be managed using an interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not collect personal data. The tool triggers other tags, which in turn may collect data under certain circumstances. Google Tag Manager does not access this data. If disabled at domain or cookie level, it stays disabled for all tracking tags are implemented by Google Tag Manager.

The legal basis for processing your data is Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG), i.e. this service is only integrated into the website with your consent.

Google also processes your personal data in the USA. For these cases, Google states that it has set itself a benchmark equivalent to the former EU-US Privacy Shield and has explained that it complies with applicable data protection laws when transferring data internationally. We have also agreed standard contractual clauses with Google pursuant to Article 46(2)(c) GDPR, the purpose of which is to ensure compliance with an adequate level of data protection, in the third country.

Since Google processes your personal data in the USA, your personal data is only processed in this way if you have given us your optional consent for such processing in accordance with Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications and Telemedia Data Protection Act (TTDSG) in conjunction with Article 49(1)(a) GDPR. Before giving your consent pursuant to Article 49(1)(a) GDPR, please note in particular that, in the absence of an adequacy decision and suitable guarantees, there may not be an adequate level of data protection in the USA, as data protection laws do not comply with the requirements of GDPR. In particular, data subjects' rights may not be enforced and, based on the CLOUD Act, US authorities may have access both to group companies based in the USA and outside the USA, as long as they belong to a US group. 

You may withdraw your consent at any time, but this does not affect the lawfulness of processing prior to withdrawal. The easiest way to withdraw is via our Consent Manager.

For more information about data protection at Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, go to: www.google.com/intl/en/policies/privacy and services.google.com/sitestats/en.html.

10.3 Captcha.eu
We use Captcha.eu (Captcha GmbH) for bot and spam protection. When you submit the form, the following data is stored: your IP address (the last 4 digits of the IP address are deleted on processing, before being stored), the type and model of your device and browser and the referrer website. In addition, when a cookie or local storage value is written, there is no further processing; the value never leaves the user's device. Mouse movements and the time intervals between keystrokes are analysed. Keyboard entries and multiple choice data entries on the form/user selections are not processed. Processed data is stored for a maximum period of 6 months; no personal data is stored.

10.4 Friendly Captcha (bot/spam protection)

Our website uses the “Friendly Captcha” service (www.friendlycaptcha.com).

This service is provided by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany.

Friendly Captcha is an innovative, data protection-friendly protection solution that makes it more difficult for automated programmes and scripts (known as “bots”) to use our website.

For this purpose, we have integrated program code from Friendly Captcha into our website (e.g. for contact forms) so that the visitor's device can establish a connection to the Friendly Captcha servers and receive a puzzle from Friendly Captcha. The visitor's device solves the puzzle, which uses certain system resources, and sends the result to our web server. Our web server contacts the Friendly Captcha server via an interface and receives a response that tells us whether the puzzle has been solved correctly by the device. Depending on the result, we can assign security rules to requests via our website and e.g. process or reject them.

The data is used exclusively to protect against spam and bots, as described above. Friendly Captcha does not create or read any cookies on the visitor's device.

IP addresses are only stored in hashed (one-way encrypted) format and do not allow us or Friendly Captcha to identify you individually. If personal data is stored, it is deleted within 30 days.

The legal basis for the processing is our legitimate interest in protecting our website against access for misuse by bots, i.e. spam protection and protection against attacks (e.g. distributed denial of service (DDoS) attacks), Article 6(1)(f) GDPR.

More information about data protection when using Friendly Captcha is available at friendlycaptcha.com/legal/privacy-end-users/.
 

11. Job application 

If you apply to us for a position, we process the data you provide to check whether we want to employ you. 

If you apply online via our career portal, your data is stored and processed on the systems of our software partner, d.vinci HR-Systems GmbH, Nagelsweg 37-39, 20097 Hamburg, Germany. We have concluded an applicable data processor agreement with this company in accordance with Article 28 GDPR. Our software partner only processes your data in accordance with the legal requirements and with instructions from us and only to perform the processor agreement as data processor on our behalf. IT has also taken necessary security, technical and organisational measures.

During the job application process, the usual correspondence data such as postal address, email address and phone numbers is stored in addition to title, last name and first name. Job application documents, such as covering letters, curriculum vitae, vocational, educational and further training qualifications and applicant references are recorded. If the application does not lead to employment, the applicant data you send or enter is only processed up to the time of the decision regarding the appointment. The data is deleted four months after the rejection letter has been sent or after the application documents have been returned to the applicant. 

The data is only stored in an applicant pool if you give us your express consent for this in accordance with Article 6(1)(1) GDPR. You can optionally consent to storage for this purpose. Not giving consent has no disadvantages for you. You may withdraw your consent at any time by sending us an email or by post. Such withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. See the end of this Privacy Policy for our contact details. The data in this case is stored for a maximum of two years. 

If we enter into an employment relationship with you, the data you have provided to us is processed for the purpose of establishing, carrying out and, if applicable, ending the employment relationship. Data may also be processed for statistical purposes (e.g. reporting). When used for this purpose, it is not possible to identify individuals. 

The legal basis in this case is Section 26 of the German Federal Data Protection Act (BDSG) (Section 26(8) sentence 2 BDSG).
 

12. Duration of data processing

The maximum storage period depends on the purpose of the data processing. The duration of storage depends on the period for which processing is necessary to fulfil the purpose. 

Data protection-related erasure (deletion) periods do not apply if and to the extent that statutory retention obligations, such as under social insurance law, commercial law or tax law (for example, under Section 257 of the German Commercial Code (HGB) or Section 147 of the German Tax Code (AO)) require longer deletion periods.
 

13. Recipients of the personal data 

AT our company, data is transferred within the specialist departments only as necessary to achieve the purpose. 

In our case, data may be transferred within the Group. The primary legal basis for data transfer within the group of FAYAT SAS, 137 Rue du Palais Gallien, Bordeaux, France, along with Group companies, is Article 6(1)(f) GDPR. For a relevant overview of the Group companies, go to: fayat.com/en/implantations

An overview of the BOMAG Group companies is available here: www.bomag.com/de-de/service/support-and-training/weltweite-niederlassungen/.
On this legal basis, processing of data is lawful if processing is necessary to safeguard legitimate interests, except where such interests are overridden by the interests or fundamental rights of the data subject. In the recitals to the GDPR, which are to be regarded as interpretative aids to the GDPR, Recital 48 provides details of the legitimate interest for transfer within a group of undertakings. According to the recital, transfer of personal data within the group of undertakings for internal administrative purposes with regard to the processing of data of customers or employees qualifies as a legitimate interest within the meaning of Article 6(1)(f) GDPR. 

Personal data may also be transferred to external third parties to the extent that the above is necessary to achieve the purpose, for example as follows, though not exhaustively:

• www.baupool.com/bomag/
  • BOMAG Used Equipment portal
  • Operating company: baupool.com c/o LV digital GmbH
  • More information about the use of your data: https://www.baupool.com/service/info/privacy/
     
• BOMAG Extranet:
  •  bip.bomag.com 
    • BOMAG information platform (machine documentation)
    • Operating company: Empolis Information Management GmbH
    • More information about the use of your data: https://bip.bomag.com/doc/en/legal/privacy-policy
  •  sis-ac4dbbaba.dispatcher.hana.ondemand.com
    • Sales Information System
    • Operating company: SAP Deutschland SE & Co. KG
    • More information about the use of your data: https://www.sap.com/germany/about/legal/privacy.html
  • fayatit.plateau.com/learning/user/personal/ 
    • e-learning
    • Operating company: SAP Deutschland SE & Co. KG
    • More information about the use of your data: https://www.sap.com/germany/about/legal/privacy.html
  • botis.bomag.com/sts/init.do 
    • BOMAG ticket system 
    • Operating company: advasco GmbH
    • More information about the use of your data: https://www.advasco.com/datenschutz/

For an overview of our dealers outside the BOMAG Group, go to www.bomag.com/de-de/service/support-and-training/standorte-haendler/.

The processors that we used are contractually obliged to comply with the requirements of Article 28 GDPR. Processors only process your data in accordance with the legal requirements and with instructions from us and only to perform the processor agreement.
 

14. Place of the data processing operations

All the processing of your personal data takes place in Germany or in member states of the European Union. 

We transfer your personal data to countries outside the member states of the European Union (third countries) or to other international organisations to the extent set out in this document. If we transfer personal data to service providers outside the EU, we only do so if the third country has been confirmed by the EU Commission to have an adequate level of data protection or other adequate data protection guarantees in place (e.g. binding internal company data protection regulations or the EU Commission's standard contractual clauses are agreed) or if the data subject has given their consent (Article 44 ff. GDPR).
 

15. Security/technical and organisational measures

We take all necessary technical and organisational measures, taking into account the requirements of Articles 24, 25 and 32 GDPR, to protect your personal data against loss, destruction, access, alteration or distribution by unauthorised persons and against misuse. For example, we comply with legal requirements regarding the pseudonymisation and encryption of personal data, the confidentiality, integrity, availability and resilience of systems and services related to processing, the availability of personal data and the ability to recover such data quickly in the event of a physical or technical incident, and requirements regarding the establishment of procedures to regularly review, assess and evaluate the effectiveness of technical and organisational measures to ensure the security of processing. We also comply with the requirements of Article 25 GDPR with regard to the principles of privacy by design (data protection via technical design) and privacy by default (data protection via privacy-friendly default settings).
 

16. Your rights 

You have a right of access to your personal data free of charge and, if the legal requirements are met, a right to rectification (correct), a right to blocking and erasure (deletion) of your data, a right to restriction of processing, a right to data portability and a right to object. 

Where we base the processing of your personal data on the balancing of interests, you may object to the processing. This is the case if the processing in particular is not necessary for the performance of a contract with you. When you exercise your right to object, we ask you to explain the reasons why we should not process your personal data as we have done. If your objection is justified, we shall examine the facts and either stop processing your data, change how we process your data or set out to you our compelling legitimate grounds on the basis of which we will continue processing your data. 

You are also entitled to lodge a complaint with a competent supervisory authority (e.g. State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate, Hintere Bleiche 34, 55116 Mainz, Germany). 

If you have any questions regarding the processing of your personal data, or if you have any questions regarding the above rights or asserting them, or if you have any suggestions, please contact use using the above contact details or contact our internal data protection officer: 

BOMAG GmbH 
Mr Andreas Mallmann 
Hellerwald
56154 Boppard 
Germany
Email: datenschutz.de@bomag.com
Tel.: 0049 (0)6742 100190 

Version dated 06 January 2026

The current version of this Privacy Policy from time to time applies.