Name/Company: Westfalenhallen Unternehmensgruppe GmbH
Street address: Strobelallee 45
Postal code, city, country: 44139 Dortmund, Germany
Commercial Register No.: HRB 2522, Dortmund Municipal Court
Director: Sabine Loos
Phone No.: 023112040
E-mail address: medien[VIA]westfalenhallen.de
Data protection officer
Name: Christian Volkmer, Projekt 29 GmbH & Co. KG
Street address: Ostengasse 14
Postal code, city, country: 93047 Regensburg, Germany
Phone No.: +49 (0)231 1204-368
E-mail address: datenschutz[VIA]westfalenhallen.de
Types of data processed
- User data (e.g. names, addresses)
- Contact data (e.g. e-mail, phone numbers)
- Content data (e.g. text entries, photographs, videos)
- Contract data (e.g. object of the contract, term of the contract, customer category)
- Payment data (e.g. bank details, payment history)
- Usage data (e.g. websites visited, interest in content, access times)
- Meta-/Communication data (e.g. device information, IP addresses)
Processing of special categories of data (Article 9, paragraph 1 of the GDPR)
- As a rule, with the exception of birthdates, no special categories of data are processed, unless these are provided by the user for processing, e.g. entered in online forms.
- The following special categories of data are processed: health data (birthdate)
Categories of persons affected by the processing (data subjects)
- Customers / interested parties / suppliers / partners
- Visitors to and users of the online offering
Hereinafter the data subjects will also be collectively referred to as ‘users’.
Purposes of the processing
- Making the online offering, its contents and functions accessible.
- Performance of contractual services
- Customer service and customer care
- Responding to contact requests and communication with users
- Marketing, advertising and market research
- Security measures
Last revised: 15 April 2019
2. Applicable legal basis
3. Security measures
3.1. We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, in accordance with article 32 of the GDPR, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing and the varying likelihood and severity of the risk to the rights and freedoms of natural persons; the measures shall include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the corresponding access, input, transmission, security, availability and separation thereof. Moreover, we have established procedures that ensure the exercise of data subject rights, the deletion of data and response to threats to the data. Furthermore, we take the protection of personal data into account in the development and selection of hardware, software and processes, in accordance with the principle of data protection via technology design and via preconfigured settings conducive to data protection (article 25 of the GDPR).
3.2. The security measures include in particular encrypted transmission of data between your browser and our server.
4. Cooperation with processors and third parties
4.1. Insofar as we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer data to them or otherwise grant them access to the data, this shall take place only on the basis of legal permission (e.g. if a transfer of the data to third parties, such as payment service providers, pursuant to article 6, paragraph 1, letter b of the GDPR is necessary for the performance of the contract), if you have consented to this, if a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
4.2. Insofar as we commission third parties to process data on the basis of a ‘contract for the processing of data on behalf of the data controller’, this is done on the basis of article 28 of the GDPR.
5. Transfers to third countries
Insofar as we process data in a third-party country (i.e., outside the European Union [EU] or the European Economic Area [EEA]) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this takes place only if it occurs for the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to statutory or contractual permissions, we process data or have data processed in a third country only if the special prerequisites of article 44 ff. of the GDPR are met; i.e., the processing is done on the basis of special guarantees, such as the officially recognised establishment of a data protection level corresponding to that of the European Union (e.g. for the United States via the ‘privacy shield’), or compliance with officially recognised, specific contractual obligations (‘standard contractual clauses’).
6. Rights of data subjects
6.1. You have the right to request confirmation as to whether the data concerned are being processed and to request information about these data as well as further information and a copy of the data in accordance with article 15 of the GDPR.
6.2. In accordance with article 16 of the GDPR, you have the right to request that incomplete personal data be completed and the right to have inaccurate personal data rectified.
6.3. In accordance with article 17 of the GDPR, you have the right to request that relevant data be deleted immediately (‘right to be forgotten’) or, alternatively, to request a restriction on the processing of the data in accordance with article 18 of the GDPR.
6.4. In accordance with article 20 of the GDPR, you have the right to request that you receive the data you provided to us and to request the transfer thereof to other controllers.
6.5. Moreover, in accordance with article 77 of the GDPR, you have the right to lodge a complaint with the competent supervisory authority.
7. Right to revocation
You have the right to revoke any consent given with effect for the future in accordance with article 7, paragraph 3 of the GDPR.
8. Right to object
In accordance with article 21 of the GDPR, you can object to the future processing of your personal data at any time. In particular, you can object to the processing of your personal data for purposes of direct marketing.
9. Cookies and the right to object to their use for direct marketing
You can lodge a general objection to the use of the cookies placed for purposes of online marketing for numerous services, particularly with regard to tracking, via the American website at http://www.aboutads.info/choices/ or the European website at http://www.youronlinechoices.com/. In addition, cookies and their data storage function can be deactivated in your browser settings. Please note that if the cookies are deactivated you may not be able to use all the functions of this online offering.
10. Deletion of data
10.2. In line with statutory requirements, the data will be retained in particular for 6 years in accordance with section 257, paragraph 1 of the German Commercial Code (Handelsgesetzbuch [HGB]) (account/trading books, inventories, opening balance sheets, annual reports, commercial letters, booking vouchers, etc.) and for 10 years in accordance with section 147, paragraph 1 of the German Tax Code (account/trading books, records, management reports, booking vouchers, commercial and business letters, documents relevant to taxation, etc.).
11. Performance of contractual services
11.1. We process personal data (e.g. names and addresses as well as contact data of users), contractual data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with article 6, paragraph 1, letter b of the GDPR. The data entered in the fields marked as required in online forms are required for the conclusion of the contract.
11.2. Users have the option of creating a user account, where they can view their orders, among other things. Users will be informed of the mandatory information required during registration. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data with regard to the user account will be deleted, subject to retention of the data if these are required for commercial or tax reasons in accordance with article 6, section 1, letter c of the GDPR. It is the responsibility of the user to save their data prior to the end of the contract if they have given notice of termination. We have the right to delete all user data stored during the term of the contract.
11.3. During user registration and subsequent logins and when users use our online services, we store the IP address and the time of the respective user action. The storage ensues on the basis of our legitimate interests as well as to protect the user from abuse and other unauthorised use. We never transfer these data to third parties, unless this is required for the pursuit of our claims or there is a legal obligation in accordance with article 6, paragraph 1, letter c of the GDPR.
11.4. We process usage data (e.g., the visited websites of our online offering, interest in our products) and content data (e.g., entries in the contact form or user profile) for advertising purposes in a user profile in order to show the user product information based on services they have previously used, for example.
11.5. Deletion of the data shall ensue upon the expiration of statutory warranty obligations and comparable obligations. The necessity of retaining the data is reviewed every three years. In the case of statutory archiving obligations, deletion shall ensue upon the expiration of these (end of commercial [6 years] and tax-related [10 years] retention obligation). Data in the customer account shall remain there until the account is deleted.
12. Initiation of contact
12.1. When the user contacts us (via contact form or e-mail), the user’s details for the processing of the contact request and its handling are stored in accordance with article 6, paragraph 1, letter b of the GDPR.
12.2. We delete the requests/inquiries when retention thereof is no longer required. We review this requirement every two years; requests/inquiries from customers who have a customer account are stored permanently; for purposes of deletion, we refer customers to the information provided about customer accounts and their handling. In the case of statutory archiving obligations, deletion shall ensue upon the expiration of these (end of commercial [6 years] and tax-related [10 years] retention obligation).
13. Comments and posts
13.1. The following service provider operates blogs with contact and comment options for us: Daniel Grosse, Gartenstrasse 17, 04425 Taucha, Germany. If a user contacts us via e-mail or via a contact form, the user data provided (e-mail address, and if applicable name and phone number) will be stored to enable us to respond to any questions. We will delete the data collected in this context after its storage is no longer required or restrict any further processing thereof if we are required by law to continue retaining these data. For the comment function, in addition to the comment, data concerning the time the comment was posted, the e-mail address and/or web address of the commenter, and in the event of an anonymous post, the chosen user name will be stored. The IP address is not stored for comments; the corresponding function in WordPress has been deactivated. Comments will remain on the blog as long as it is operated or until the commenter requests the deletion of his/her comments.
13.2. If users leave comments or other posts, their IP addresses will be stored for seven days on the basis of our legitimate interests within the meaning of article 6, paragraph 1, letter f of the GDPR.
13.3. This takes place for our security, in case someone leaves illegal content in comments and posts (abuse, forbidden political propaganda, etc.). In this case, we ourselves could be prosecuted for the comment or post and are therefore interested in the identity of the author.
14. Collection of access data and log files
14.1. We collect data concerning each access to the server on which this service is located (known as server log files), based on our legitimate interests within the meaning of article 6, paragraph 1, letter f of the GDPR. The access data collected include the name of the website retrieved, the file, the date and time of access, the volume of data transferred, a report on whether the site was successfully retrieved, the browser type and version, the user’s operating system, the referrer URL (the site visited before coming to our site), the user’s IP address, and the requesting internet service provider.
14.2. Log file information is stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data which must be retained as potential evidence is not deleted until the relevant incident has been ultimately clarified.
15. Online presence in social media
15.1. We maintain online presences on social networks and platforms in order to communicate with active customers, interested parties, and users and to inform them about our services. When users access the relevant networks and platforms, the terms and conditions and the data processing guidelines of the respective operators of these networks and platforms apply.
16. Cookies and reach measurement
16.1. Cookies contain data that are transmitted from our web server or third-party web servers to users’ web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.
16.2. We use ‘session cookies’ which are placed only for the duration of the current visit to our website (e.g. to store your login status or the shopping cart function and thus to enable the use of our online offering in the first place). A randomly generated, unique identification number, known as a session ID, is stored in a session cookie. A cookie also contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offering and log out or close your browser, for example.
17. Google (re)marketing services
17.1. On the basis of our legitimate interests (i.e., interest in the analysis, optimisation and economical operation of our online offering within the meaning of article 6, paragraph 1, letter f of the GDPR), we use the marketing and re-marketing services (hereinafter referred to as ‘Google marketing services’) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (‘Google’).
17.2. Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection and privacy law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
17.3. The Google marketing services allow us to display ads for and on our website in a more targeted manner in order to present users only with ads that potentially match their interests. For example, if a user sees ads for products he/she has been interested in on other websites, this is referred to as ‘re-marketing’. For these purposes, when our websites and others on which Google marketing services are active are accessed, code from Google is executed directly by Google and (re-)marketing tags (invisible graphics or code, also known as ‘web beacons’) are integrated into the website. These store a unique cookie (a small file) on the user’s device. Comparable technology may also be used instead of cookies. Cookies can be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file keeps a record of which websites the user visited, which contents he/she is interested in and which offers he/she has clicked on, as well as technical information about the browser and operating system, referring websites, visiting time and further information about the use of the online offering. Likewise, the IP address of the user is recorded, whereby we inform you in the context of Google Analytics that the IP address is truncated within member countries of the European Union or in other countries that are parties to the Agreement on the European Economic Area, and that only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there. The IP address is not collated with user data within other Google websites. The above information may also be linked by Google to such information from other sources. If the user subsequently visits other websites, the ads tailored to his/her interests can be displayed.
17.4. User data is processed pseudonymously for Google marketing services. This means that Google does not store and process, for example, the names or e-mail addresses of users, but processes the relevant data based on cookies within pseudonymous user profiles. This means that, from Google’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly permitted Google to process the data without this pseudonymisation. The information collected about the user by Google marketing services is transmitted to Google and stored on Google’s servers in the United States.
17.5. One of the Google marketing services we use is Google AdWords, an online advertising platform. In the case of Google AdWords, each AdWords customer receives a different ‘conversion cookie’. Thus, cookies cannot be tracked via the websites of AdWords customers. The information obtained using the conversion cookie is used to create conversion statistics for the AdWords advertisers who have opted for conversion tracking. AdWords advertisers can find out the total number of users who have clicked on their ad and been redirected to the page with a conversion tracking tag. However, they do not obtain any information which can be used to identify you personally.
17.8. We may also use the ‘Google Optimizer’ service. Google Optimizer allows us to track the effects of various changes to a website (e.g. changes to input fields, design, etc.) within the framework of so-called ‘A/B testing’. Cookies are placed on user devices for the purpose of this testing. Only pseudonymous user data is processed.
17.9. Moreover, we may also use ‘Google Tag Manager’ to integrate Google analytical and marketing services in our website and manage these.
17.11. If you wish to object to interest-based advertising from Google marketing services, you can use the settings and opt-out options provided by Google to do so: https://adssettings.google.com/authenticated.
18. Integration of share buttons to share content on social networks
18.1. On our website we do not use social plugins from social networks that collect data. To make it easy to share content from our website on social media, we use the so-called Shariff solution for our share buttons (for more information see: https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html).
This prevents our users’ data being shared with social networks without their knowledge when they visit our website. Shariff share buttons only link to the relevant social network on request – i.e. only after a user clicks on a share button. Provided they are logged in, the user can then share the contents of our website with other users on the corresponding social network. This process is slightly different for each social network. After clicking on the share button, the content to be shared as well as the IP address and the general header information of the user’s browser are sent to the respective social network. We point out that we have no knowledge of the content of the subsequently transferred (personal) data and their use by the social networks.
18.2. The Shariff share buttons described above are offered for the following social networks:
19.1. On our website we do not use social plugins from social networks that collect data. Where we do not use the Shariff solution, we place only links to social networks on our site. This prevents our users’ data being shared with social networks without their knowledge when they visit our website. The links create a connection to the respective social network only upon request – i.e., only after a user clicks on a link. After a user clicks on the link, the IP address and the general header information of the user’s browser are sent to the respective social network. We point out that we have no knowledge of the content of the subsequently transferred (personal) data and their use by the social networks. The links described above are used for the following social networks:
20.1. On the basis of our legitimate interests (i.e., interest in the analysis, optimisation and economical operation of our online offering within the meaning of article 6, paragraph 1, letter f of the GDPR), we use the ‘etracker’ analysis service of etracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany.
20.2. The data processed by etracker can be used to create user profiles under a pseudonym. Cookies may be used for this purpose. The cookies make it possible to recognise your browser again. The data collected with etracker technologies will not be used to personally identify visitors to our website without the separately given consent of the person concerned and will not be combined with personal data about the bearer of the pseudonym. Furthermore, personal data will be processed only for us, i.e. not combined with personal data collected within other online offers.
20.3. You can object to the collection and storage of data at any time with effect for the future. To object to the collection and storage of your visitor data for the future, you can obtain an opt-out cookie from etracker by clicking on the link below. This will ensure that no visitor data from your browser will be collected and stored by etracker in future: http://www.etracker.de/privacy?et=jYVcVK
21.1. With the following information we inform you about the contents of our newsletter as well as the sign-up, sending and statistical evaluation procedure and your rights to object. By subscribing to our newsletter, you agree to receive it and to the procedures described.
21.2. Content of the newsletter: We send newsletters, e-mails and other electronic notifications containing promotional information (hereinafter ‘newsletters’) only with the consent of the recipients or legal permission. If a newsletter’s content is specifically described in the sign-up process, it is decisive for the consent of the users. In addition, our newsletters contain information about our products, offers, promotions and our company.
21.3. Double opt-in and logging: Subscription to our newsletter takes place in a so-called double opt-in procedure. This means that after signing up you will receive an email asking you to confirm your subscription. This confirmation is necessary so that no one can sign up with someone else’s email address. Subscriptions to the newsletter are logged in order to be able to prove the registration process has taken place, in accordance with legal requirements. This includes the storage of the sign-up and confirmation date/time, as well as the IP address. Any changes to the data registered with the distribution service provider sending the newsletter will also be recorded.
21.5. Furthermore, according to their own information, the distribution service provider may use this data in pseudonymous form, i.e. without assignment to a user, in order to optimise or improve their own services, e.g. for technical optimisation of the sending and presentation of the newsletter or for statistical purposes in order to determine from which countries the recipients come. However, the distribution service provider does not use the data of our newsletter recipients to write to them on its own behalf or pass them on to third parties.
21.6. Subscription data: To subscribe to the newsletter you only need to provide your email address. As an option, we ask you to provide a name we can use to address you personally in the newsletter.
21.7. Performance measurement: The newsletters contain a so-called ‘web beacon’, i.e. a pixel-sized file that is retrieved from the distribution service provider’s server when the newsletter is opened. Within the scope of this retrieval, technical information is initially collected, such as information about the browser and your system as well as your IP address and the time of retrieval. This information is used to technically improve the services based on the technical data or the target audiences and their reading behaviour based on their retrieval locations (which can be determined using the IP address) or access times. The statistical data collected also includes whether or not the newsletter is opened, when it is opened, and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is not our intention, nor that of the distribution service provider, to observe individual users. The evaluations primarily allow us to identify the reading habits of our users and adapt our content to them or to send different content according to the interests of our users.
21.8. Distribution of the newsletter and performance measurement are based on the recipient’s consent pursuant to article 6, paragraph 1, letter a) and article 7 of the GDPR in conjunction with section 7, paragraph 2, number 3 of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb [UWG]) or on the basis of the legal permission pursuant to section 7, paragraph 3 of the German Act Against Unfair Competition (UWG).
21.9. Logging of the sign-up process is based on our legitimate interests pursuant to article 6, paragraph 1, letter f of the GDPR and serves as proof of consent to receipt of the newsletter.
21.10. Cancellation/Revocation: You can unsubscribe from our newsletter at any time, i.e. revoke your consent to receiving it. You will find an ‘Unsubscribe’ link at the end of each newsletter. If users have only subscribed to the newsletter and cancelled their subscription, their personal data will be deleted.
22. Integration of third-party services and content
22.1. Within our online offering, on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offering within the meaning of article 6, paragraph 1, letter f of the GDPR), we use the content or service offerings of third parties to incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as ‘content’). A prerequisite for this is that the third-party providers of such content receive the IP address of the users because they cannot send the content to the user browsers without knowing the IP address. The IP address is therefore required for the display of this content. We make every effort to use only content from providers who use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as ‘web beacons’) for statistical or marketing purposes. ‘Pixel tags’ can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, and may also be linked to such information from other sources.
22.2. The following information provides an overview of third-party providers and their contents, together with links to their privacy policies, which contain further information on the processing of data and, in some cases already mentioned here, options to object (so-called opt-out):