1 Privacy statement

1 Privacy statement

This privacy statement explains how we process your personal data (hereinafter referred to as “data”).

1.1 Data controller

In accordance with the provisions in the General Data Protection Regulation (GDPR), the data controller is:

SÜDWEST Lacke + Farben GmbH & Co. KG
Iggelheimer Strasse 13
D-67459 Böhl-Iggelheim
Tel.: +49 6324 709 0
E-mail: info@suedwest.de

1.2 Contact details for our data protection officer

Lorenzo Foglia
Ehrenbachstr. 1
D-79780 Stühlingen
datenschutzbeauftragter@sto.com.

1.3 General information on data processing

We process data as part of our business and website activities. This includes disclosing data by transferring it to third parties and, where applicable, to non-member countries outside the European Union (“EU”) and the European Economic Area (“EEA”). In cases where we transfer data to parties or locations outside the EU or EEA, we identify this as outlined below.

2 Data processing

The specific items of data affected, purposes of processing, legal bases, recipients, and – where applicable – transfers to non-member countries are listed below.

2.1 Log file generated during website visit

We log your visit to our website. In doing so, we process the following data:

The name(s) of the web page(s) you visited, the date and time you visited the page, the amount of data transferred, the browser type and version, the operating system you used, the referrer URL (the previous website you visited), your IP address, and the requesting provider.

The legal basis for this data processing is our overriding legitimate interest in the continued provision and security of our website, in accordance with Article 6(1)(f) GDPR.

The log file is deleted after a period of seven days unless it is required to verify or clarify actual legal infringements that become known during this period.

2.2 Hosting

To maintain our online presence, we use the services of web hosting providers, who process the aforementioned data and all data to be processed in connection with the operation of this website (log file generated during website visit) on our behalf.

The legal basis for this data processing is our overriding legitimate interest in the provision of our website, in accordance with Article 6(1)(f) GDPR.

2.3 Establishing contact

If you establish contact with us, your data – name, contact details if you provide them – and your message will be processed for the purposes of dealing with your request.

The legal basis for this data processing is our obligation to fulfil a contract and/or to fulfil our pre-contractual obligations in accordance with Article 6(1)(b) GDPR and/or our overriding legitimate interest in processing your request in accordance with Article 6(1)(f) GDPR.

2.4 Establishing contact in case of job applications

If you establish contact with us in order to submit an application for employment with us – by e-mail or using a contact form, for example – the data that you have submitted (such as your name, e-mail address, and requested employment location), your message, and the application documents you have submitted will be processed exclusively for the purpose of dealing with your application.

The primary legal basis for data processing is Section 26 of the German Federal Data Protection Act (BDSG), according to which data may be processed if it is required in order to reach decisions about entering into employment relationships.

Should the data be required after the conclusion of the application process (in the context of legal action, for example), data processing for the purposes of our legitimate interests is permitted in accordance with Art. 6(1)(f) of the General Data Protection Regulation (GDPR), i.e. to assert and/or defend claims.

2.5 Contract performance and data management in the context of service provision

We process various items of data when providing our services and for the purposes of initiating and processing contractual relationships between you and us.

If you have assigned us to provide a service, we will process your data (if specified: name, contact details, address) and all the information required to perform this assignment exclusively for the purpose of handling the contractual relationship.

In particular, this includes appropriate consulting services and support, correspondence with you, delivery and invoicing, and fulfilling our accounting and tax-related obligations.

The data is processed accordingly on the basis of Article 6(1)(b) GDPR and in order to fulfil our statutory obligations in accordance with Article 6(1)(c) GDPR.

Your data may be passed on to third parties where necessary for the purposes of processing the assignment.

We will pass on your address information to the company entrusted with making delivery. Where necessary to execute the contract, we will also pass on your e-mail address or your telephone number to the company entrusted with making delivery in order to arrange a delivery date (dispatch notification).

We will pass on your transaction data (name, date of order, payment method, date of dispatch and/or receipt, amount and payee, and – where applicable – bank details or credit card details) to the payment provider commissioned with handling the payment.

This may also include passing data on to supervisory authorities for correspondence purposes and in order to assert and defend your rights.

In doing so, we will put all suitable measures in place to ensure that personal data is only transferred to the extent necessary for the underlying purpose.

2.6 Credit check

If applicable for the payment method you have selected, we will carry out a credit check. In this process, we transmit your name and address to a credit agency, which compares this data with its own database in order to check your creditworthiness. The credit agency then transmits the corresponding creditworthiness information to us.

The legal basis for data processing in the case of purchase on account is our legitimate interest in accordance with Article 6(1)(f) GDPR as we make advance payments for the dispatch of goods and bear the risk of default. In all other cases, data processing in the context of a credit check is carried out exclusively on the basis of your prior consent in accordance with Article 6(1)(a) GDPR.

2.7 Newsletter

We offer you the option of receiving an e-mail newsletter so that we can share with you regular information about our company and our offers. If you subscribe to our newsletter, we will process the data you provide when doing so (e-mail address and other information shared voluntarily). To prevent misuse, once you have subscribed, we will send you an e-mail asking you to confirm your subscription (double opt-in procedure). Your subscription is logged so that we can verify that the subscription process complies with legal requirements. The log entry records the time and date you initially subscribed and the time and date you confirmed your subscription, along with your IP address.

The legal basis for sending the newsletter is your consent in accordance with Article 6(1)(a) GDPR. The data processing in connection with sending the confirmation e-mail for your subscription and the associated data logging takes place in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest in verifying that your subscription is carried out properly.

To send the newsletter, we use service providers to whom we transmit the specified data.

2.8 Direct e-mail advertising for existing customers

In order to offer you similar goods and services in connection with the goods and services you have purchased, we will send you direct mail to the e-mail address you used in connection with the purchase.

The legal basis for sending this direct advertising is Section 7(3) of the German Act against Unfair Competition (UWG) in conjunction with Article 95 GDPR.

To send the newsletter, we use service providers to whom we transmit the specified data. These service providers process the data on our behalf and are bound by our instructions.

2.9 Contact by telephone

If your company should have a presumed interest in our services and products, we take the liberty of contacting you by telephone. In doing so, we may also process your personal data as a contact person. The following data may be processed in this context: IP address, location, telephone number, first and last name, job title.

The legal basis for the data processing is our legitimate interest in accordance with Article 6(I)(f) GDPR for direct advertising in the case of your company’s presumed interest in our products and/or services in conjunction with Section 7 II of the German Act against Unfair Competition (UWG).

The telephone calls are made by service providers who process the data on our behalf.

2.10 Shop system, data management, and newsletter via Salesforce

In order to provide our shop system, manage our customer data, and send our personalised newsletter, we use systems from Salesforce.com Germany GmbH, Erika-Mann-Str. 63, 80636 Munich (“Salesforce”). The data that we process in the context of providing your customer account, purchase transactions, and personalised newsletter, including the analysis of your user activity, is therefore processed by us in Salesforce systems.

We do not process your data using Salesforce systems for any additional purposes. The legal basis for this processing therefore corresponds to the legal bases described under sections 2.5, 2.6, and 2.8 above.

Salesforce is a group of companies with branches worldwide. The group’s parent company is salesforce.com Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA.

It is therefore possible that data may be transferred to the USA in the context of data processing undertaken by Salesforce. Salesforce is certified under the EU-US Data Privacy Framework and is thus covered by the EU’s adequacy decision for the USA.

2.11 Requests for marketing support

Via our website, we offer trade/specialised companies the opportunity to receive offers for the conception of individual advertising material from our partner agencies. We will forward your requests via our contact form to our respective partner agency for further coordination with you. In addition to the information about your company, the selected motifs, and products, personal data (contact person, e-mail address, name of the company owner, telephone number) may also be processed.

The data processing takes place in order to enable the implementation of pre-contractual measures, which happens on your request. The legal basis for data processing is Article 6(I)(b) GDPR.

2.12 Cookies

Our website uses what are known as cookies. These are small text files that are stored on your device (PC, smartphone, tablet, etc.) by your web browser.

Information about the specific cookies we use, their providers, and purposes can be found in our consent banner. There you can give your consent to the respective services, revoke it, or subsequently adjust your settings.

2.13 “Usercentrics” consent banner

We use the service provided by Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich (hereinafter referred to as “Usercentrics”) on our website to document your selection regarding specific data processing processes and to communicate this information to the respective third-party providers. Usercentrics processes the selection you make regarding data processing processes and sends this information to the respective third-party providers where applicable.

The data processing takes place in order to fulfil our legal obligation to process data in compliance with data protection requirements in accordance with Article 6(1)(c) GDPR.

Further information on data processing by Usercentrics can be found at: https://usercentrics.com/privacy-policy/

2.14 Analysis / Marketing

Google services

Our website uses various services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). As part of this, there is the potential for data to be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA.

Google is certified under the EU-US Data Privacy Framework and is thus covered by the EU’s adequacy decision for the USA.

(a) Google Analytics

Our website uses the tracking tool Google Analytics from Google. We use Google Analytics to analyse your use of the website, compile reports about activity on our web presence, provide further services associated with use of the website, and improve user-friendliness as a result.

The use of Google Analytics primarily involves using cookies to collect data about and systematically evaluate interactions by users of our website.

You can find details of the cookies we use in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.

We use Google Analytics with the “anonymizeIp()” extension. This truncates IP addresses within member states of the EU or EEA. If data is transferred to Google servers in the USA, the complete IP address is only transferred and truncated there in exceptional cases. In most cases, this prevents the possibility of the data being used to directly identify an individual person. In particular, it makes it impossible to link the data to the computer or other device that the visitor to the website used.

Google Analytics processes the following data:

Bytes from the IP address of the system used by the website visitor (anonymised IP address), the website visited, the website from which the user accessed our website (referrer), the individual pages visited on our website, the duration for which users remain on the website, the frequency with which the website is visited.

Google has itself stated that it will never unite your IP address with other Google data.

(b) Google remarketing/retargeting

We use what are known as tracking cookies from Google on our website. When you visit our site, information is stored in permanent cookies about which products you have viewed on our site and through which third-party advertisements and pages users reach our website. If you subsequently visit a partner website, we can display personalised advertising for you based on the items you have viewed on our site.

(c) Google Tag Manager

This is a tag management system. Via Google Tag Manager, tags can be integrated centrally via a user interface. Tags are small sections of code that can track activities. Script codes of other tools are integrated via the Google Tag Manager. The Tag Manager makes it possible to control when a particular tag is triggered.

(e) Legal basis and revocation

The legal basis for data processing within the scope of the aforementioned Google services is your prior consent pursuant to Article 6(1)(a) GDPR.

You can revoke your consent at any time with effect for the future by adjusting your preferences in our consent banner. This can be found in the bottom left-hand corner of our website in the form of a fingerprint.

2.15 Facebook custom audiences (pixel/cookies)

Our website uses what is known as a tracking pixel from Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Meta Platforms Inc. 1601, Willow Road Menlo Park, CA 94025, USA. We use the Facebook pixel to track the success of our Facebook advertising campaigns and to optimise how Facebook advertising campaigns are displayed to interested target groups.

When you click on a Facebook advertisement or visit our website, the pixel on our website is used to store a cookie on your device. The cookie processes data relating to whether you have accessed our website via a Facebook advertisement and enables your activity up to the point that you make a purchase to be analysed. This allows us to track the success rate of our Facebook advertising campaigns. In addition, the pixel processes data relating to the fact that you have visited our website, enabling the advertising shown to you on Facebook to be adapted to your interests.

Via the Facebook pixel integrated on our website, a direct connection to the Facebook servers is established when you visit our website. The information generated by the cookie about your use of this website (including your IP address) is transmitted to Meta in the USA.

Meta is certified under the EU-US Data Privacy Framework and is thus covered by the EU’s adequacy decision for the USA.

The data collected is anonymous for us and does not allow us to draw any conclusions about the user. If you are registered with Facebook, Facebook can assign the collected information to your account. Even if you do not have a Facebook account or are not logged in when you visit our website, it is possible for Facebook to process and store your IP address and other identification data.

You can revoke your consent for data processing by Facebook pixel for our web domain at any time with effect for the future by adjusting your preferences in our consent banner. This can be found in the bottom left-hand corner of our website in the form of a fingerprint.

The legal basis for data processing is your consent in accordance with Article 6(1)(a) GDPR.

2.16 External content

We use dynamic content (hereinafter referred to as “content”) from third parties to optimise the appearance and content of our website. When you visit our website, a request is sent automatically to the corresponding content provider’s server via an interface. Certain log data (e.g. the user’s IP address) is transferred in this request. The dynamic content is then transferred to our website, where it is displayed.

We use external content from Google/YouTube in connection with the following functionalities. Data transfer to the USA is not excluded.

Google is certified under the EU-US Data Privacy Framework and is thus covered by the EU’s adequacy decision for the USA.

(a) Integration of YouTube videos

We have integrated videos from the YouTube portal operated by YouTube LLC, 901 Cherry Ave. San Bruno, CA 94066, USA (“YouTube”) into our website. When videos are played back, log data is transferred to YouTube’s servers in the USA.

The legal basis for the data processing is our overriding legitimate interest in the optimal marketing of our online content in accordance with Article 6(1)(f) GDPR.

(b) Google Maps

We use the map service “Google Maps” from Google on our website to provide you with an interactive map. When the map is displayed, data including your IP address and location is transferred to Google’s servers in the USA and stored there. This processing is carried out on the basis of our overriding legitimate interest in optimal marketing of our content in accordance with Article 6(1)(f) GDPR.

3 Data retention

3.1 Data retention period

We save personal data only for as long as is necessary for the purposes for which it is being processed or until you withdraw your consent. Insofar as statutory retention requirements need to be complied with, the retention period for certain data can be up to 10 years, regardless of the purposes for which the data is being processed.

4 Your rights as a data subject

4.1 Information and access

You can request information free of charge at any time about all personal data we are holding for you.

4.2 Rectification, erasure, restriction of processing, objection

If you no longer agree to your personal data being stored or if your personal data is no longer correct, on receipt of a corresponding instruction from you, we will have your data deleted or blocked or make the necessary corrections (insofar as this is possible under applicable law). The same applies if we are to restrict the processing of your data in the future. In particular, you have the right to object in cases where your data is necessary for the performance of a task in the public interest or our legitimate interest, including any profiling that is based on this. You also have the right to object in cases where data is processed for direct marketing purposes.

4.3 Right to withdraw consent with effect for the future

You can withdraw consent with effect for the future at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

4.4 Data portability

If data is being processed on the basis of a contract or negotiations prior to entering into a contract, on the basis of consent, or using automated methods, you have the right to data portability. On request we will provide your data to you in a commonly used, structured, and machine-readable format so that you can transfer this data to another controller should you wish to do so.

4.5 Right to lodge a complaint

You also have the option to lodge a complaint with a supervisory authority in relation to your rights as a data subject.

4.6 Restrictions

The above rights do not apply to data where we are not able to identify the data subject (if the data has been anonymised for analysis purposes, for example). It may be possible for you to exercise your right to access/be informed, right to erasure, right to block, right to rectification, or right to transfer to another organisation in relation to this data if you provide us with additional information that will enable us to identify you.

5 Exercising your rights as a data subject

5.1 Exercising your rights as a data subject

If you have any questions about the processing of your personal data or if you wish to exercise your right to access/be informed, right to rectification, right to block, right to object, or right to erasure, or should you wish to submit a request for your data to be transferred to another organisation, please contact datenschutzbeauftragter@sto.com.