Data protection declaration of Aug. Winkhaus SE & Co. KG

1. Controller

The controller is the natural or legal person who, alone or jointly with others, decides
on the purposes and means of the processing of personal data.
The controller for data processing on this website is:
Aug. Winkhaus SE & Co. KG
Registered company location: Telgte
Münster District Court, HRA 6525 Münster, Germany
Partner: Winkhaus Verwaltungs SE, Münster District Court, HRB 21970
VAT no. DE 126046759
Executive board: Sofie Winkhaus, Tilmann Winkhaus, Stefan Wemhoff | Supervisory Board Chairman: Dr Udo
Schnell
Telephone: +49 2504 921 0
E-mail: info@winkhaus.de

2. General information

2.1 General information on the legal basis for data processing on this website

If you1
have consented to data processing, we process your personal data on the basis
of Art. 6 para. 1 litre. a GDPR or Art. 9 para. 2 litres. a GDPR, insofar as special
categories of data pursuant to Art. 9 para. 1 of the GDPR.
In the event of express consent to the transfer of personal data to third countries, data
processing is also carried out on the basis of Art. 49 para. 1 lit. a GDPR
If you have consented to the storage of cookies or to access to information on your
end device (e.g. via device fingerprinting), data processing is also carried out on the
basis of Section 25 para. 1 TDDDG. Consent can be revoked at any time.
If your data is required for the performance of the contract or for the implementation of
pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b
GDPR.
Furthermore, we process your data insofar as this is necessary to fulfil a legal
obligation on the basis of Art. 6 para. 1 lit. c GDPR.
Data processing can also be carried out on the basis of our legitimate interest pursuant
to Art. 6 para. 1 litre. GDPR regulations.
The following paragraphs of this privacy policy provide information on the relevant legal
bases in each individual case.

2.2 General information on storage duration

Unless a specific storage period is specified in this privacy policy, your personal data
will remain with us until the purpose for data processing ceases to apply.
If you make a legitimate request for deletion or withdraw your consent to data
processing, your data will be deleted unless we have other legally permissible reasons
for storing your personal data (e.g. retention periods under tax or commercial law). In
this latter case, the data will be deleted after these reasons cease to apply.

2.3 General information on data transfer to the USA and other third countries

We sometimes use tools from companies based in the USA or other third countries
(countries outside the EEA) that may not offer and take into account a comparable high
level of protection in accordance with the GDPR requirements in the EU. If these tools
are active, your personal data may be transferred to these third countries and
processed there.
For example, U.S. companies are required to disclose personal data to security
authorities without you being able to take legal action against this. It cannot therefore
be ruled out that US authorities (e.g. intelligence services) may process, evaluate and
permanently store your data on US servers for monitoring purposes. We have no
influence on these processing activities.

2.4 SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the
transmission of confidential content, such as orders or enquiries that you send to us
as the site operator.
You can recognise an encrypted connection by the fact that the address line of the
browser changes from “http://” to “https://” and by the padlock symbol in your browser
line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third
parties.

3. Processing of personal data on this website

3.1 Hosting

This website is hosted by an external service provider (host). The personal data
collected on this website is stored on the host’s servers. This may include IP
addresses, contact requests, meta and communication data, contract data, Contact
details, names, website accesses and other data generated through a website,
operation.
The host is used for the purpose of fulfilling the contract with our potential and existing
customers (Art. 6 para. 1 litre. b GDPR) and in the interest of a secure, fast and efficient
provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).
Insofar as corresponding consent has been requested, processing takes place
exclusively on the basis of Art. 6 para. 1 litre. a GDPR and Section 25 para. 1 TTDSG,
insofar as the consent includes the storage of cookies or access to information on the
user’s end device (e.g. device fingerprinting) within the meaning of the TTDSG.
Consent can be revoked at any time.
Our host will only process your data to the extent necessary to fulfil its performance
obligations and follow our instructions in relation to that data.

3.2 Server log files

The provider of the pages automatically collects and stores information in server log
files, which your browser automatically transmits to us. These are:
• Browser type and browser version
• Operating system used
• Referrer URL
• Hostname of the accessing computer - time of the server request
• IP address
This data is not merged with other data sources. This data is collected on the basis of
Art. 6 para. 1 letter f GDPR. The website operator has a legitimate interest in the
technically error-free presentation and optimisation of its website - the server log files
must be recorded for this purpose.

3.3 Cookies

Our website uses so-called “cookies”. Cookies are small data packets and do not
damage your end device. They are either temporarily stored on your end device for the
duration of a session (session cookies) or permanently (permanent cookies). Session
cookies are automatically deleted at the end of your visit. Permanent cookies remain
stored on your end device until you delete them yourself or until they are automatically
deleted by your web browser. Cookies can originate from us (first-party cookies) or from third-party companies (socalled third-party cookies). Third-party cookies enable the integration of certain
services from third-party companies within websites (e.g. cookies for processing
payment services).
Cookies have various functions. Numerous cookies are technically necessary, as
certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies may be used to evaluate user behaviour or for
advertising purposes.
Cookies that are necessary to carry out the electronic communication process, to
provide certain functions requested by you (e.g. for the shopping cart function) or to
optimise the website (e.g. cookies for measuring the web audience) (necessary
cookies) are set on the basis of Art. 6 para. 1 litre. f GDPR, unless another legal basis
is specified.
The website operator has a legitimate interest in storing cookies that are necessary for
the technically error-free and optimised provision of its services. If consent to the
storage of cookies and comparable recognition technologies has been requested,
processing takes place exclusively on the basis of this consent (Art. 6 para. 1 litre. a
GDPR and Section 25 para. 1 TDDDG); Consent can be revoked at any time.
You can set your browser so that you are informed about the setting of cookies and
only allow cookies in individual cases, exclude the acceptance of cookies for certain
cases or in general, and activate the automatic deletion of cookies when closing the
browser. Disabling cookies may limit the functionality of this website.
You can determine which cookies and services are used on this website
Read the privacy policy.
Consent with Usercentrics
This website uses the consent technology of Usercentrics to obtain your consent to the
storage of certain cookies on your end device or to the use of certain technologies and
to document this in accordance with data protection regulations. The provider of this
technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany,
website: https://usercentrics.com/de/(hereinafter referred to as “Usercentrics”)
When you access our website, the following personal data is transferred to
Usercentrics:
• Your consent(s) or withdrawal of your consent(s)
• Your IP address
• Information about your browser
• Information about your end device
• Time of your visit to the website
• Geolocation
Usercentrics also stores a cookie in your browser to be able to assign the granted
consents or their revocation to you. The data collected in this way is stored until you
request us to delete it, delete the Usercentrics cookie itself or the purpose for data
storage ceases to apply. Mandatory statutory retention obligations remain unaffected.
Usercentrics is used to obtain the legally required consents for the use of certain
technologies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

3.4 Registration on this website

You can register on this website to use additional features on the site. We only use the
data entered for this purpose for the use of the respective offer or service for which
you have registered. The mandatory information requested during registration must be
provided in full. Otherwise, the registration will be declined.
For important changes, such as in the scope of the offer or in the event of technically
necessary changes, we use the e-mail address provided during registration to inform
you of this.
The data entered during registration is processed for the purpose of implementing the
usage relationship based on the registration and, if necessary, for the initiation of
further contracts (Art. 6 para. 1 lit. b GDPR).
The data collected during registration is stored by us for as long as you are registered
on this website and will then be deleted. Statutory storage obligations remain
unaffected by this.

3.5 Contact form

If you send us enquiries via the contact form, your details from the enquiry form,
including the contact details you provide there, will be stored by us for the purpose of
processing the enquiry and in the event of follow-up questions. We will not pass on this
data without your consent.
This data is processed on the basis of Art. 6 para. 1 litre. b GDPR, insofar as your
request is related to the performance of a contract or is necessary for the
implementation of pre-contractual measures. In all other cases, the processing is
based on our legitimate interest in the effective processing of enquiries addressed to
us (Art. 6 para. 1 litre. f GDPR) or on your consent (Art. 6 para. 1 litre. a GDPR) if this
has been requested; Consent can be revoked at any time.
The data entered by you in the contact form remains with us until you ask us for its
deletion, revoke your consent to storage or the purpose for the data storage no longer applies (e.g. after completion of your enquiry). Mandatory statutory provisions - in
particular retention periods - remain unaffected.

3.6 Request by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your request, including all resulting
personal data (name, request), will be stored and processed by us for the purpose of
processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 litre. b GDPR, insofar as your
request is related to the performance of a contract or is necessary for the
implementation of pre-contractual measures. In all other cases, the processing is
based on our legitimate interest in the effective processing of enquiries addressed to
us (Art. 6 para. 1 litre. f GDPR) or on your consent (Art. 6 para. 1 litre. a GDPR), if this
has been requested; Consent can be revoked at any time.
The data sent by you to us using the contact form remains with us until you ask us for
its deletion, revoke your consent to storage or the purpose for the data storage is
omitted (e.g. after completion of your enquiry). Mandatory statutory provisions - in
particular statutory retention periods - remain unaffected.

3.7 Online order system

Your personal data is transmitted, via SSL over the Internet in the order process (online
order system). We secure our website and other systems by means of technical and
organisational measures against loss, destruction, access, alteration or dissemination
of your data by unauthorised persons. Access to your customer account is only
possible after entering your personal password and security key. You should always
keep your access information confidential and close the browser window when you
have finished communicating with us, especially if you share your computer with
others.

3.8 Marketing mailings

We use Emarsys to conduct our marketing mailings. The service provider is SAP
Deutschland SE & Co. KG, Hasso-Plattner-Ring 7, 69190 Walldorf, Baden Germany.

3.8.1 Purposes and categories of personal data processing

Aug. Winkhaus SE & Co. KG processes personal data for the purpose of sending
marketing mailings. When registering for marketing mailings and creating marketing
mailings, the following personal data will be processed, depending on the data you
provide to us:
• Title:
• Surname, first name
• Address
• Postcode
• Town / City
• E-mail address *
When you give your consent to receive our mailings and have completed the double
opt-in process to verify your email address, your personal data will be collected by
Emarsys.
Our mailings allow us to analyse the behaviour of mailing recipients. This can include
analysing how many recipients have opened the mailing and how often which link in the mailing was clicked. Conversion tracking can also be used to analyse whether a
predefined action has taken place after clicking on the link in the newsletter.
You can find Emarsys’ privacy policy here:
https://www.emarsys.com/privacy-policy/

3.8.2 Legal basis

If you have subscribed to marketing mailings, data processing is based on your
consent (Art. 6 para. 1 lit. a GDPR). You can withdraw this consent at any time by
unsubscribing from marketing mailings. For this purpose, we provide a corresponding
link in each mailing. The legality of the data processing operations already carried out
remains unaffected by the revocation.
If you have not subscribed to marketing mailings, data processing is based on our
legitimate interest (Art. 6 para. 1 litre. f GDPR) to promote existing customers. You can
unsubscribe from the marketing mailing at any time. For this purpose, we provide a
corresponding link in each mailing.
Data processing (evaluation of marketing mailings and success measurement) is
based on our legitimate interest (Art. 6 para. 1 litre. f GDPR) - subject to your consent
- to a secure and user-friendly procedure for our mailings and thus serves both our
business interests and your expectations in improving our mailings, products and
services.

3.8.3 Recipients or categories of recipients

The personal data processed within the framework of registration for marketing
mailings or for carrying out marketing mailings is processed by SAP Deutschland SE
& Co. KG, Hasso-Plattner-Ring 7, 69190 Walldorf, Baden Germany, on behalf of and
in accordance with the instructions of Aug. Winkhaus SE & Co. KG.
Personal data is generally only transferred to third parties if there is a legal basis for
this. This is the case in particular if the transfer serves to comply with legal
requirements under which we are obliged to provide information, report or disclose
data, you have given us your consent to do so or a balancing of interests justifies this.

3.8.4 General information on retention period

The data you store with us for the purpose of conducting marketing mailings will be
stored by us or the service provider (see above) until you unsubscribe from the
marketing mailing and deleted from the distribution list after unsubscribing from the
mailing. Data stored by us for other purposes remains unaffected by this.
After you have been removed from the distribution list, your e-mail address may be
stored on a blacklist by us or the service provider if this is necessary to prevent future
mailings. The data from the blacklist will only be used for this purpose and will not be
merged with other data. This serves both your interest and our interest in complying
with the legal requirements when sending marketing mailings (legitimate interest within
the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not limited in time.
You can object to storage if your interests override our legitimate interests.

4. Candidate data

The data required for the application process is submitted by the applicant (m/f/d) in
relation to a specific job advertisement or as an unsolicited application itself digitally,
by post or personally. The following data must be processed by you within the
framework of the application process: Title, name, date of birth, e-mail address, User
language, postal address and telephone numbers, degree, specialty, last educational
institution, information on current employment, professional experience and CV. In
addition, we process such data as is necessary for the processing of the application
process (correspondence with the applicant, written records from the interviews, etc.).
If you voluntarily provide us with additional information (e.g. by providing information
in the annexes you have attached), processing will take place in accordance with the
legal provisions.

4.1 Purpose and legal basis

The purpose of data processing is the selection of applicants for employment. There
are no plans to change this purpose. Any deviations require the separate consent of
the applicant.
The data is collected, stored and, if necessary, passed on by us to the extent necessary
to process an application for a specific purpose. The data is also collected, stored and
passed on for the purposes of pre-contractual measures at the request of the person
in question. The legal basis is Section 26(1) BDSG, Art. 6 para. 1 litre. b) (Initiation of
the employment contract) and Art. 88 GDPR. We process voluntary information within
the framework of an application on the basis of Section 26 para. 2 BDSG, Art. 6 para.
1 litre. a) (consent) and Art. 88 GDPR.
When an employment contract is signed, the documents are added to the personnel
file. This file is stored securely by the human resources department.
Personal data is generally only passed on within the company group to persons or
departments involved in the application process. Disclosure to third parties only takes place if and insofar as there is a specific legal basis for this and/or in cases where a
state investigating authority requests data on the basis of these legal provisions.
Further processing will only take place if the applicant within the meaning of Art. 6 para.
1 litre. a GDPR has specifically consented to this processing in terms of type and
scope.
The information is never passed on to third countries. In all other respects, reference
is made to Section 2.3. of this data protection declaration.
We take systematised technical and organisational measures to ensure the protection
of personal data. These measures are always adapted to the current state of the art.

4.2 Storage period

In principle, applicant data will be deleted 6 months after the end of the application process.
The provisions of the General Equal Treatment Act (AGG) form the basis for the 6-month
retention period. If we are unable to offer you a suitable position at the time of your application,
we may, after completion of the application process, offer to include your data in the Winkhaus
applicant pool. The Winkhaus applicant pool serves to maintain contact with you for
professional purposes and to take your person into account in future job placements. Your
data will only be processed for this purpose if you expressly consent to this after receiving a
separate e-mail from us. This consent can be revoked at any time with effect for the future -
even without stating reasons. If you have received travel expense reimbursements from the
Winkhaus Group within the framework of an application process, the applicant data collected
within the framework of travel expense reimbursements (in particular name, address, bank
details, amount) will be stored for no longer than 10 years to the end of the calendar year in
which the claim arose.
Once these terms have elapsed, the data collected is deleted, or blocked if it is not
possible to delete the information in the individual case.

5. Analytics tools and advertising

5.1 Google Analytics

5.1.1 Overview

Google Analytics enables the website operator to analyse the behaviour of visitors to
the website. The website operator receives various usage data, such as page views,
length of visit, operating systems used and origin of the user. This data is assigned to
the respective end device of the user. No assignment to a user ID takes place.

Furthermore, we can use Google Analytics to, among other things, Record your mouse
and scroll movements and clicks. Google Analytics also uses different modelling
approaches to complement the collected data sets and uses machine learning
technologies in data analysis.
Google Analytics uses technologies that enable the recognition of the user for the
purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The
information collected by Google about your use of this website is usually transferred to
a Google server in the USA and stored there.
The use of this service is based on your consent pursuant to Art. 6 para. 1 litre. a
GDPR and Section 25 para. 1 TDDDG. Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU
Commission. You can find more information here:
https://privacy.google.com/businesses/controllerterms/mccs/
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/5780

5.1.2 IP anonymization

Google Analytics IP anonymization is activated. This means that your IP address will
be shortened by Google within member states of the European Union or in other
contracting states of the Agreement on the European Economic Area before being
transferred to the USA. Only in exceptional cases will the full IP address be transferred
to a Google server in the USA and abbreviated there. On behalf of the operator of this
website, Google will use this information for the purpose of evaluating your use of the
website, compiling reports on website activity, and providing other services relating to
website activity and internet usage towards the website operator. The IP address
transmitted by your browser within the framework of Google Analytics will not be
merged with other Google data.

5.1.3 Browser plugin

You can prevent the collection and processing of your data by Google by downloading
and installing the browser plug-in available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=de
However, we would like to point out that, in this case, you may not be able to make full
use of all the functions of this website.
You can find more information on how Google Analytics handles user data in
Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de

5.1.4 Demographics in Google Analytics

This website uses the 'demographic features' function of Google Analytics in order to
be able to display suitable advertisements to website visitors within the Google
advertising network. This allows reports to be created that contain statements about
the age, gender and interests of the site visitors. This data comes from interest-based
advertising by Google and from visitor data from third-party providers. This data cannot
be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account
or generally prohibit the collection of your data by Google Analytics as described in the
point “Objection to data collection”.

5.1.5 Google Signals

We use Google signals. When you visit our website, Google Analytics collects, among
other things, Your location, search history and YouTube history as well as demographic
data (visitor data). This data can be used for personalised advertising with the help of
Google Signal. If you have a Google account, Google Signal’s visitor data is linked to
your Google account and used for personalised advertising messages. The data is
also used to compile anonymous statistics on the user behaviour of our users.

5.2 Google Ads

The website operator uses Google Ads. Google Ads is an online advertising program
of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads allows us to display advertisements in the Google search engine or on
third-party websites when the user enters certain search terms on Google (keyword
targeting). In addition, targeted advertisements can be displayed based on the user
data available at Google (e.g. location data and interests) (target group targeting). As
website operators, we can evaluate this data quantitatively by analysing, for example,
which search terms led to the display of our advertisements and how many
advertisements led to corresponding clicks.
The use of this service is based on your consent pursuant to Art. 6 para. 1 litre. a
GDPR and Section 25 para. 1 TDDDG. Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU
Commission.
You can find more information here:
https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/ .
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/5780 .

5.3 Google Ads Remarketing

5.3.1 Overview

This website uses Google Ads Remarketing functions. The provider is Google Ireland
Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads Remarketing allows us to assign people who interact with our online
offering to certain target groups in order to then display interest-based advertising in
the Google advertising network (remarketing or retargeting).
Furthermore, the advertising target groups created with Google Ads Remarketing can
be linked to the cross-device functions of Google. In this way, interest-based,
personalised advertising messages that have been adapted to you based on your
previous usage and browsing behaviour on one end device (e.g. mobile phone) can
also be displayed on another of your end devices (e.g. tablet or PC).
If you have a Google account, you can object to personalised advertising under the
following link:
https://adssettings.google.com/anonymous?hl=de .
The use of this service is based on your consent pursuant to Art. 6 para. 1 litre. a
GDPR and Section 25 para. 1 TDDDG. Consent can be revoked at any time.
Further information and the data protection provisions can be found in Google’s privacy
policy at: https://policies.google.com/technologies/ads?hl=de .
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/5780 .

5.3.2 Target group formation with customer comparison

Among other things, we use the customer comparison of Google Ads Remarketing to
form target groups. In doing so, we pass on certain customer data (e.g. e-mail
addresses) from our customer lists to Google. If the customers concerned are Google
users and logged in to their Google account, they will be shown suitable advertising
messages within the Google network (e.g. on YouTube, Gmail or in the search engine).

5.4 Google conversion tracking

This website uses Google Conversion Tracking. The provider is Google Ireland Limited
("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
With the help of Google conversion tracking, Google and we can recognise whether
the user has carried out certain actions. For example, we can evaluate which buttons
on our website have been clicked on and how often, and which products have been
viewed or purchased particularly frequently. This information is used to generate
conversion statistics. We find out the total number of users who clicked on our ads and
what actions they took. We do not receive any information that would enable us to
identify the user. Google itself uses cookies or similar recognition technologies for
identification.
page 20 of 43
The use of this service is based on your consent pursuant to Art. 6 para. 1 litre. a
GDPR and Section 25 para. 1 TDDDG. Consent can be revoked at any time.
You can find more information about Google Conversion Tracking in Google’s privacy
policy:
https://policies.google.com/privacy?hl=de .
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/5780 .

5.5 Google DoubleClick

This website uses features of Google DoubleClick. The provider is Google Ireland
Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland, (hereinafter
“DoubleClick”).
DoubleClick is used to show you interest-based advertisements throughout the Google
advertising network. With the help of DoubleClick, the advertisements can be
specifically adapted to the interests of the respective viewer. For example, our
advertisements may be displayed in Google search results or in advertising banners
linked to DoubleClick. In order to be able to display interest-based advertising to users,
DoubleClick must be able to recognise the respective viewer and assign his/her visited
websites, clicks and other information about user behaviour. For this purpose,
DoubleClick uses cookies or comparable recognition technologies (e.g. device
fingerprinting). The collected information is combined into a pseudonymous user profile
in order to display interest-based advertising to the relevant user. Google DoubleClick is used in the interest of targeted advertising measures. This
constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar
as corresponding consent has been requested, processing takes place exclusively on
the basis of Art. 6 para. 1 litre. a GDPR and Section 25 para. 1 TTDSG, insofar as the
consent includes the storage of cookies or access to information on the user’s end
device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be
revoked at any time.
You can find further information on how to object to the advertisements displayed by
Google at the following links: https://policies.google.com/technologies/ads and
https://adssettings.google.com/authenticated

5.6 Facebook pixel

This website uses Facebook’s visitor action pixels for conversion measurement. The
provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square,
Dublin 2, Ireland. According to Facebook, however, the data collected is also
transferred to the USA and other third countries.
This means that the behaviour of the website visitors can be tracked after they have
been forwarded to the provider’s website by clicking on a Facebook advertisement.
This allows the effectiveness of Facebook advertisements to be evaluated for statistical
and market research purposes and future advertising measures to be optimised. The
data collected is anonymous to us as the operator of this website; we cannot draw any
conclusions about the identity of the users. However, the data is stored and processed
by Facebook so that a connection to the respective user profile is possible and
Facebook can use the data for its own advertising purposes in accordance with the
Facebook data use policy. This allows Facebook to display advertisements on
Facebook pages as well as outside Facebook. As the website operator, we have no
influence on this use of data.
Facebook pixels are used on the basis of Art. 6 para. 1 letter f GDPR. The website
operator has a legitimate interest in effective advertising measures, including social
media. Insofar as corresponding consent has been requested, processing takes place exclusively on the basis of Art. 6 para. 1 litre. a GDPR and Section 25 para. 1 TTDSG,
insofar as the consent includes the storage of cookies or access to information on the
user’s end device (e.g. device fingerprinting) within the meaning of the TTDSG.
Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU
Commission. In all other respects, Section 2.3 of this data protection declaration
applies.
You can find more information here:
https://www.facebook.com/legal/EU_data_transfer_addendum and https://dede.facebook.com/help/566994660333381
Insofar as personal data is collected on our website and forwarded to Facebook using
the tool described here, we and Meta Platforms Ireland Limited, 4 Grand Canal Square,
Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing
(Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of data
and its transfer to Facebook. Processing by Facebook after forwarding is not part of
the joint responsibility. The obligations incumbent upon us jointly have been set out in
an agreement on joint processing. The wording of the agreement can be found at:
https://www.facebook.com/legal/controller_addendum
In accordance with this agreement, we are responsible for providing data protection
information when using the Facebook tool and for the data protection-compliant
implementation of the tool on our website.
Facebook is responsible for the data security of Facebook products. You can assert
data subject rights (e.g. requests for information) regarding the data processed by
Facebook directly with Facebook. If you assert the data subject rights with us, we are
obliged to forward them to Facebook.
You can find further information on protecting your privacy in Facebook’s privacy
policy: https://de-de.facebook.com/about/privacy/
You can also use the remarketing function “Custom Audiences” in the ad settings
area at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
Deactivate. To do this, you must be logged in to Facebook.
If you do not have a Facebook account, you can opt-out of Facebook’s usage-based
advertising on the European Interactive Digital Advertising Alliance website: http://www.youronlinechoices.com/de/praferenzmanagement/

5.7 LinkedIn Insight Day

5.7.1 Overview

This website uses the LinkedIn Insight Tag. The provider of this service is LinkedIn
Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
The LinkedIn Insight Tag provides us with information about visitors to our website. If
a website visitor is registered with LinkedIn, we can, among other things, analyse the
professional key data (e.g. career level, company size, country, location, industry and
job title) of our website visitors and thus better target our page to the respective target
groups.
We can also use LinkedIn Insight Tags to measure whether visitors to our websites
make a purchase or take another action (conversion measurement). The conversion
measurement can also be carried out across devices (e.g. from PC to tablet). LinkedIn
Insight Tag also offers a retargeting function with the help of which we can display
targeted advertising to visitors to our website outside the website, whereby, according
to LinkedIn, no identification of the advertiser takes place.
LinkedIn Insight is used on the basis of Art. 6 para. 1 letter f GDPR. The website
operator has a legitimate interest in effective advertising measures, including social
media. Insofar as corresponding consent has been requested, processing takes place
exclusively on the basis of Art. 6 para. 1 litre. a GDPR and Section 25 para. 1 TTDSG,
insofar as the consent includes the storage of cookies or access to information on the
user’s end device (e.g. device fingerprinting) within the meaning of the TTDSG.
Consent can be revoked at any time. Data transfer to the USA is based on the standard contractual clauses of the EU
Commission. In all other respects, Section 2.3 of this data protection declaration
applies.
You can find more information here: https://www.linkedin.com/legal/l/dpa and
https://www.linkedin.com/legal/l/eu-sccs
LinkedIn itself also collects so-called log files (URL, referrer URL, IP address, device
and browser properties and time of access). The IP addresses are shortened or (if
used to reach LinkedIn members across devices) hashed (pseudonymized). The direct
identifiers of LinkedIn members will be deleted by LinkedIn after seven days. The
remaining pseudonymized data will then be deleted within 180 days.
As the website operator, we cannot assign the data collected by LinkedIn to specific
individuals. LinkedIn will store the collected personal data of website visitors on its
servers in the USA and use it as part of its own advertising measures. Details can be
found in LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacypolicy#choices-oblig

5.7.2 Objection to the use of LinkedIn Insight Tag

Object to the analysis of usage behaviour and targeted advertising by LinkedIn at the
following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
LinkedIn members can also control the use of their personal data for advertising
purposes in the account settings. To prevent LinkedIn from linking data collected on
our website to your LinkedIn account, you must log out of your LinkedIn account before
visiting our website.

6. Plugins and tools

6.1 Youtube

Videos from the YouTube website are integrated in this website. The website is
operated by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin
4, Ireland.
If you visit one of our websites on which YouTube is integrated, a connection to the
YouTube servers is established. The YouTube server is informed which of our pages
you have visited.
Furthermore, YouTube may store various cookies on your end device or use
comparable technologies for recognition (e.g. device fingerprinting). In this way,
YouTube can receive information about visitors to this website. This information is
used, among other things, to collect video statistics, improve user-friendliness and
prevent fraud attempts. Furthermore, the data collected is processed in the Google
advertising network.
If you are logged in to your YouTube account, you allow YouTube to assign your
browsing behaviour directly to your personal profile. You can prevent this by logging
out of your YouTube account.
YouTube is used in the interest of presenting our online services in an appealing
manner. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f
GDPR. Insofar as corresponding consent has been requested, processing takes place
exclusively on the basis of Art. 6 para. 1 litre. a GDPR and Section 25 para. 1 TDDDG,
insofar as the consent includes the storage of cookies or access to information on the
user’s end device (e.g. device fingerprinting) within the meaning of the TDDDG.
Consent can be revoked at any time.
You can find further information on the handling of user data in YouTube’s privacy
policy at:
https://policies.google.com/privacy?hl=de .
page 26 of 43
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/5780 .

6.2 Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House,
Barrow Street, Dublin 4, Ireland.
Google Tag Manager is a tool that allows us to integrate tracking or statistics tools and
other technologies into our website. Google Tag Manager itself does not create any
user profiles, stores no cookies and does not perform any independent analyses. It is
only used to manage and deploy the tools integrated via it. However, Google Tag
Manager collects your IP address, which may also be transmitted to Google’s parent
company in the United States.
Google Tag Manager is used on the basis of Art. 6 para. 1 letter f GDPR. The website
operator has a legitimate interest in the quick and uncomplicated integration and
management of various tools on its website. Insofar as corresponding consent has
been requested, processing takes place exclusively on the basis of Art. 6 para. 1 litre.
a GDPR and Section 25 para. 1 TDDDG, insofar as the consent includes the storage
of cookies or access to information on the user’s end device (e.g. device fingerprinting)
within the meaning of the TDDDG. Consent can be revoked at any time.
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link: https://www.dataprivacyframework.gov/participant/5780 .

6.3 Google Web Fonts (Local Hosting)

This website uses so-called Google fonts provided by Google for the uniform display
of fonts. The Google fonts are installed locally. No connection to Google servers takes
place.
Further information on Google Web Fonts can be found at
https://developers.google.com/fonts/faq and in Google’s privacy policy:
https://policies.google.com/privacy?hl=de

6.4 Google Maps

This page uses the Google Maps service. The provider is Google Ireland Limited
("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. With the help of this
service, we can integrate map material on our website.
To use the functions of Google Maps, it is necessary to store your IP address. This
information is usually transferred to a Google server in the USA and stored there. The
provider of this site has no influence on this data transfer. If Google Maps is activated,
Google may use Google Fonts for the purpose of uniformly displaying the fonts. When
you call up Google Maps, your browser loads the required web fonts into your browser
cache in order to display texts and fonts correctly.
Google Maps is used in the interest of an appealing presentation of our online offers
and to make it easy to find the locations we specify on the website. This constitutes a
legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. Insofar as
corresponding consent has been requested, processing takes place exclusively on the
basis of Art. 6 para. 1 litre. a GDPR and Section 25 para. 1 TDDDG, insofar as the
consent includes the storage of cookies or access to information on the user’s end
device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be
revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU
Commission. You can find more information here:
https://privacy.google.com/businesses/gdprcontrollerterms/ and
page 28 of 43
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/ .
More information on how user data is handled can be found in Google’s privacy
statement:
https://policies.google.com/privacy?hl=de .
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/5780 .

6.5 Google reCAPTCHA

We use "Google reCAPTCHA" (hereinafter "reCAPTCHA") on this website. The
provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4,
Ireland.
The purpose of reCAPTCHA is to check whether data entry on this website (e.g. in a
contact form) is carried out by a human or by an automated program. For this purpose,
reCAPTCHA analyses the behaviour of the website visitor based on various
characteristics. This analysis starts automatically as soon as the website visitor enters
the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP
address, length of time the visitor stays on the website or mouse movements made by
the user). The data collected during the analysis is forwarded to Google.
The reCAPTCHA analyses are done completely in the background. Website visitors
are not informed that an analysis is taking place.
The data is stored and analysed on the basis of Art. 6 para. 1 letter f GDPR. The
website operator has a legitimate interest in protecting its websites against fraudulent
automated spying and SPAM. Insofar as corresponding consent has been requested,
page 29 of 43
processing takes place exclusively on the basis of Art. 6 para. 1 litre. a GDPR and
Section 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or
access to information on the user’s end device (e.g. device fingerprinting) within the
meaning of the TDDDG. Consent can be revoked at any time.
Further information on Google reCAPTCHA can be found in Google’s data protection
provisions and Google’s terms of use under the following links:
https://policies.google.com/privacy?hl=de and
https://policies.google.com/terms?hl=de .
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/5780 .

6.6 Matterport

On our websites, we use services of Matterport Inc., 352 E. Java Dr. Sunnyvale, CA
94089, USA. If you visit one of our pages equipped with a Matterport 3D tour, a
connection will be established to Matterport’s servers. Your IP address, browser
version and displaying device, origin and destination URL and the ID of the respective
3D tour are transmitted to the Matterport servers in the USA. Matterport is certified
under the terms of the EU-U.S. Privacy Shield Framework. Data transfer to the USA is
based on the standard contractual clauses of the EU Commission. In all other respects,
Section 2.3 of this data protection declaration applies.
Matterport is used in the interest of presenting our online services in an appealing
manner. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f
GDPR. For more information on how user data is handled, please see Matterport’s
privacy policy at: https://matterport.com/legal/privacy-policy/

6.7 Font Awesome (local hosting)

This page uses Font Awesome for uniform display of fonts. Font Awesome is installed
locally. A connection to Fonticons, Inc. servers. does not take place.
For more information about Font Awesome, please see the Font Awesome Privacy
Policy at: https://fontawesome.com/privacy

6.8 Hoefler & Co. Webfonts

We use external webfonts from Hoefler & Co., 611 Broadway, Room 725, New York,
NY 100122608, USA for optimised display on our websites.
For technical reasons, your browser establishes a direct connection with the servers
of Hoefler & Co. during each session, whereby your IP address can be read, among
other things. To improve performance, a temporary session cookie is stored in your
browser.
The use of Hoefler & Co. webfonts is in the interest of an appealing presentation of our
online offer. This constitutes a legitimate interest within the meaning of Art. 6 para. 1
lit. f GDPR. If your browser does not support Web Fonts, your computer will use a
default font instead.
We have no influence on the scope of the data collected by Hoefler & Co. in this way.
You can find Hoefler & Co.'s privacy policy (in English) here:
http://www.typography.com/home/privacy.php

6.9 Data tables

A CDN service for tables and charts is used on our website. In this context, your
browser may transfer personal data to our service provider. The legal basis for data
processing is Art. 6 para. 1 letter f GDPR. The legitimate interest lies in ensuring the
functionality of our website. The data is deleted as soon as the purpose for which it
was collected has been fulfilled.

7. eCommerce and payment providers (partner portal and spare
parts shop)

7.1 Customer and contract data

We collect, process and use personal customer and contract data to establish,
structure and amend our contractual relationships. We collect, process and use
personal data about the use of this website (usage data) only to the extent necessary
to enable the user to use the service or to bill for it. The legal basis for this is Art. 6
para. 1 lit. b GDPR.
The customer data collected will be deleted after completion of the order or termination
of the business relationship and expiry of any existing statutory retention periods.
Statutory storage obligations remain unaffected by this.

7.2 Data transfer upon conclusion of contract for online shops, retailers and
shipping of goods

When you order goods from us, we pass on your personal data to the transport
company entrusted with the delivery as well as to the payment service provider
commissioned with the processing of the payment. Only data that the respective
service provider needs to fulfil its task is provided. The legal basis for this is Art. 6 para.
1 litre. b GDPR, which permits the processing of data for the performance of a contract
or pre-contractual measures. If you have given your consent pursuant to Art. 6 para. 1
litre. a GDPR, we will pass on your email address to the shipping company entrusted
with the delivery so that they can inform you by email about the shipping status of your
order; You can withdraw your consent at any time.

7.3 Data Transfer at the Conclusion of a Contract for Services and Digital
Content

We only transfer personal data to third parties if this is necessary to carry out the
contract, for example to the bank commissioned with payment processing.
The data will not be transferred further or will only be transferred if you have expressly
consented to the transfer. Your data will not be passed on to third parties without
express consent, for example for advertising purposes.
The basis for data processing is Art. 6 para. 1 litre. b GDPR, which permits the
processing of data for the performance of a contract or pre-contractual measures.

7.4 Credit checks

In the case of a purchase on account or other payment method for which we make
advance payment, we can carry out a credit check procedure (scoring). For this
purpose, we transmit the data you enter (e.g. name, address, age or bank details) to a
credit agency. The probability of a payment default is determined on the basis of this
data. In the event of an excessive risk of payment default, we may refuse the payment
method in question.
The credit check is carried out on the basis of the fulfilment of the contract (Art. 6 para.
1 litre. b GDPR) as well as to avoid payment defaults (legitimate interest pursuant to
Art. 6 para. 1 lit. f GDPR). If consent has been obtained, the credit check is carried out
on the basis of this consent (Art. 6 para. 1 lit. a GDPR); Consent can be revoked at
any time.

8. Audio and video conferences

8.1 General information

8.1.1 Data processing

Among other things, we use online conference tools to communicate with our
customers and applicants. The specific tools we use are listed below. When you
communicate with us via video or audio conference via the Internet, your personal data
will be collected and processed by us and the provider of the respective conference
tool.
The conference tools collect all data that you provide/use to use the tools (e-mail
address and/or your telephone number). The Conference Tools also process the
duration of the conference, the start and end (time) of participation in the conference,
the number of participants and other “context information” related to the
communication process (metadata).
Furthermore, the provider of the tool processes all technical specifications required for
the processing of online communication. This includes, in particular, IP addresses,
MAC addresses, device IDs, device type, Operating system type and version, client
version, camera type, microphone or speaker, and connection type. If content is
exchanged, uploaded or otherwise provided within the tool, it is also stored on the
servers of the tool providers. Such content includes, in particular, cloud recordings,
chat/instant messages, voicemails, uploaded photos and videos, files, whiteboards
and other information shared during the use of the Service. Please note that we do not
have full influence over the data processing operations of the tools used. Our options
depend largely on the company policy of the respective provider. Further information
on data processing by the conference tools can be found in the data protection
statements of the respective tools used, which we have listed below this text.

8.1.2 Purpose and legal basis

The conference tools are used to communicate with prospective or existing contractual
partners and applicants and/or to offer certain services to our customers (Art. 6 para.
1 lit. b GDPR). Furthermore, the use of the tools serves to generally simplify and
page 34 of 43
accelerate communication with us or our company (legitimate interest within the
meaning of Art. 6 para. 1 lit. f GDPR). Insofar as consent has been requested, the use
of the relevant tools is based on this consent; Consent can be revoked at any time with
effect for the future.

8.1.3 Storage period

The data collected directly by us via the video and conference tools will be deleted
from our systems as soon as you request deletion, withdraw your consent to storage
or the purpose for data storage ceases to exist. Stored cookies remain on your end
device until you delete them. Mandatory statutory retention periods remain unaffected.
We have no influence on how long your data is stored by the operators of the
conference tools for their own purposes. For details, please contact the operators of
the conference tools directly.

8.2 Tools used

8.2.1 Team viewer

We use TeamViewer. The provider is TeamViewer Germany GmbH, Jahnstr. 30,
73037 Göppingen, Germany Details on data processing can be found in TeamViewer’s
privacy policy: https://www.teamviewer.com/de/datenschutzerklaerung/

8.2.2 Microsoft Teams

We use Microsoft Teams. The provider is Microsoft Ireland Operations Limited, One
Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
Details on data processing can be found in the Microsoft Teams privacy policy:
https://privacy.microsoft.com/de-de/privacystatement .
The company has EU-US Data Privacy Framework (DPF) certification. The DPF is an
agreement between the European Union and the USA that aims to ensure compliance
with European data protection standards for data processing in the USA. Every
company certified under the DPF undertakes to comply with these data protection
standards. Further information on this can be obtained from the provider at the
following link:
https://www.dataprivacyframework.gov/participant/6474 .

9. Digital whistleblower system - hintbox

We use hintbox to provide a digital whistleblower system. The provider is lawcode
GmbH, Universitätsstraße 3, 56070 Koblenz, Germany.

9.1 Purposes of processing personal data

Aug. Winkhaus SE & Co. KG processes the following types of personal data within
the framework of entering and processing reports in the internal reporting system:
• Information that personally identifies the whistleblower, such as first and last
name, gender, address, telephone number and email address;
• Employee characteristic for Aug. Winkhaus SE & Co. KG;
• Information about data subjects, i.e. natural persons identified in a report as a
person who has committed the infringement or with whom the identified
person is associated. Such information includes, for example, first and last
name, gender, address, telephone number and e-mail address or other
information that allows identification;
• Information about infringements that may allow conclusions to be drawn about
a natural person.
page 36 of 43
Aug. Winkhaus SE & Co. KG processes the personal data for the purpose of
investigating reports in order to prevent, detect and/or take follow-up measures against
violations of applicable law or company policies (such as measures to check the validity
of the allegations made in the report and, where applicable, to address the reported
violation, including through internal investigations, investigations, criminal prosecution
measures, measures to (re) recover funds or close the proceedings).

9.2 Legal basis

We only process information that identifies the whistleblower personally if the
whistleblower has obtained consent to do so pursuant to Art. 6 para. 1 litre. a GDPR
has issued. Accordingly, processing is lawful only if the data subject has given his or
her consent to the processing of the personal data concerning him or her for one or
more specific purposes.
We process information on employee characteristics, information on data subjects and
other information that allows inferences to be drawn to natural persons on the basis of
Art. 6 para. 1 lit. f GDPR. Accordingly, processing is lawful if the processing is
necessary to protect the legitimate interests of the controller or a third party, unless the
interests or fundamental rights and freedoms of the data subject that require the
protection of personal data override.
Depending on the specific case to be examined, our legitimate interest is in processing
reports in order to be able to take follow-up measures, such as measures to check the
validity of the allegations made in the report and, if necessary, to take action against
the reported violation, including through internal investigations, investigations, criminal
prosecution measures, measures for (re)collection of funds or completion of the
procedure. Whether the interests or fundamental rights and freedoms of the data
subject conflict with such data processing will be examined on a case-by-case basis -
including with regard to the breach.
Where applicable, we process personal data of employees on the basis of Section 26
para. 1 sentence 2 BDSG. According to this, personal data of employees within the
meaning of Section 26 para. 8 BDSG for the detection of criminal offences, if there are
page 37 of 43
actual indications to be documented that the data subject has committed a criminal
offence in the employment relationship, the processing is necessary for the detection
and the employee’s legitimate interest in the exclusion of processing does not outweigh
this, in particular if the nature and extent are not disproportionate with regard to the
occasion.

9.3 Recipients or categories of recipients

The personal data processed within the framework of a report is processed by lawcode
GmbH, Universitätsstraße 3, 56070 Koblenz, on behalf of and in accordance with the
instructions of Aug. Winkhaus SE & Co. KG.
Personal data is generally only transferred to third parties if there is a legal basis for
this. This is the case in particular if the transfer serves to comply with legal
requirements under which we are obliged to provide information, report or disclose
data, you have given us your consent to do so or a balancing of interests justifies this.
In addition, external service providers, such as external data centres or
telecommunications providers, process personal data on our behalf as processors.
Depending on the area of responsibility for the report and for the effective initiation of
follow-up measures, the personal data may be passed on to our correspondingly
responsible specialist departments.
We may also disclose the personal data to state security and/or law enforcement
authorities, other competent authorities and/or persons subject to confidentiality
obligations, such as auditors/lawyers.

9.4 General information on the retention period

Data is generally stored until the follow-up measures have been completed. As a rule,
the data from a report is deleted after 2 months after the procedure has been finally
concluded, unless the initiation of further legal steps requires further storage (e.g.
initiation of criminal proceedings or disciplinary proceedings). Personal data in
connection with reports will be deleted by us immediately if we consider it to be
obviously unfounded.

9.5 Information pursuant to Art. 13 para. 2 lit. e GDPR

The provision of data via a report is neither contractually prescribed nor required for
the conclusion of a contract. Depending on the individual case, there may be legal
obligations to provide us with a report. However, the data must be processed in order
for the report to be processed and investigated appropriately.

10. SnapAddy digital lead management

We use VisitReport for digital recording of trade fair activities. The provider is
SnapAddy GmbH, Haugerkirchgasse 7, 97070 Würzburg, Germany.

10.1 Description and scope of data processing

At trade fairs and events, it is possible to submit your contact details using the
VisitReport lead collection tool. The following data is transmitted:
Form of address*, title, first name*, surname*, Company*, position*, website,
telephone, Mobile, telephone or mobile*, fax, email*, Street and house number*,
additional address, postcode*, city*, State/Province
The information marked with an asterisk is mandatory, all other information is optional.

10.2 Purposes of processing personal data

The purpose of processing personal data is to fulfil customer requirements (e.g.
sending information material about our products, sending an offer or arranging a
meeting) following information meetings at trade fairs or similar events.

10.3 Legal basis

The legal basis for processing the data in the context of the VisitReport lead recording
tool is Art. 6 para. 1 lit. a GDPR.

10.4 Recipients or categories of recipients

The data you provide will be processed by SnapADDY GmbH, Haugerkirchgasse 7,
97070 Würzburg for the purpose of contact recording on behalf of and in accordance
with the instructions of Aug. Winkhaus SE & Co. KG.
The processing of personal data therefore takes place exclusively in the EU or
Germany.
Personal data is generally only transferred to third parties if there is a legal basis for
this. This is the case in particular if the transfer serves to comply with legal
requirements under which we are obliged to provide information, report or disclose
data, you have given us your consent to do so or a balancing of interests justifies this.
In addition, external service providers, such as external data centres or
telecommunications providers, process personal data on our behalf as processors.
Depending on the jurisdiction, the personal data may be passed on to our respectively
responsible specialist departments or responsible sales companies.
Under certain circumstances, we may also disclose the personal data to competent
authorities and/or persons subject to confidentiality obligations, such as
auditors/lawyers, if we are obliged to do so.

10.5 General information on the retention period

The personal data collected will be deleted from the VisitReport software after the
purpose of processing ceases, unless legal retention periods conflict or a customer
relationship is established. After deletion of the data, it is permanently deleted from the
snapADDY systems after compliance with the backup deadlines (30 days).

11. Jaggaer One Platform

We use the Jaggaer One platform. The provider is Jaggaer, LLC, Biberger Straße 26,
82008 Unterhaching, Germany. Details on data processing can be found in Jaggaer’s
privacy policy:
https://www.jaggaer.com/service-privacy-policy

12. Your rights

12.1 Right of access

You have the right to receive information from us (Art. 15 GDPR) about the processing
of your personal data.

12.2 Right to rectification

You have the right to request that we correct (Art. 16 GDPR) incorrect or incomplete
personal data relating to you.

12.3 Right to erasure

If the conditions specified in Art. 17 GDPR apply, you have the right to request the
erasure of your data. After that, you can, for example, request the deletion of your data,
insofar as it is no longer necessary for the purposes for which it was collected. You
can also request erasure if your data was processed on the basis of your consent and
you withdraw this consent.

12.4 Right to restriction of processing

You have the right to request the restriction of the processing of your personal data.
Please do not hesitate to contact us. The right to restrict processing exists in the
following cases:
• if you deny the accuracy of your personal information stored with us, we usually
need time to verify this. For the duration of the verification, you have the right to
request the restriction of the processing of your personal data.
• If the processing of your personal data is unlawful, you may request the
restriction of data processing instead of its deletion.
• if we no longer need your personal data, but you need it to exercise, defend or
assert legal claims, you have the right to request restriction of the processing of
your personal data instead of deletion.
• if you file an objection pursuant to Art. 21 para. 1 GDPR, a balance must be
made between your and our interests. As long as it is not clear whose interests
prevail, you have the right to demand the restriction of the processing of your
personal data.
• if you have restricted the processing of your personal data, these data may -
apart from their storage - only be processed with your consent or for the
establishment, exercise or defence of legal claims or for the protection of the
rights of another natural or legal person or for reasons of important public
interest of the European Union or a Member State.

12.5 Right to data portability

You have the right to have data that we process automatically on the basis of your
consent or in the performance of a contract handed over to yourself or to a third party
in a commonly used machine-readable format. If you require the direct transfer of data
to another responsible person, this will only be done to the extent that it is technically
feasible.

12.6 Right to object

If data processing is carried out on the basis of Art. 6 para. 1 litre. e or f GDPR, you
have the right to object to the processing of your personal data at any time for reasons
arising from your particular situation; this also applies to profiling based on these
provisions. The relevant legal basis on which processing is based can be found in this
data protection declaration.
If you file an objection, we will no longer process your personal data unless we can
demonstrate compelling legitimate grounds for the processing which override your
interests, rights and freedoms or the processing serves the assertion, exercise or
defence of legal claims (right to object pursuant to Art. 21 para. 1 GDPR).
If your personal data is processed for the purpose of direct marketing, you have the
right to object at any time to the processing of personal data concerning you for the
purpose of such marketing; this also applies to profiling insofar as it is associated with
such advertising.
If you object, your personal data will no longer be used for the purposes of direct
advertising. (Objection pursuant to Art. 21 para. 2 GDPR)

12.7 Right of withdrawal

Many data processing operations are only possible with your explicit consent. You can
withdraw your consent at any time. The legality of the data processing carried out until
the point of revocation remains unaffected by the revocation.

12.8 Right to complain

In the event of a breach of the GDPR, you have the right to lodge a complaint with a
supervisory authority. For example, you can contact:
State Officer for Data Protection and Freedom of Information North Rhine-Westphalia
PO Box 20 04 44 | 40102 Düsseldorf

13. Contact persons

Our data protection officer is available as a contact person for any data protectionrelated concerns:
Data Protection Officer at Aug. Winkhaus SE & Co. KG
August-Winkhaus-Str. 31
48291 Telgte
Email: datenschutz@winkhaus.de