Data protection is a very high priority for our company. It is possible to use this website without supplying any personal information. If a data subject wishes to make use of specific services of our company via our website, the processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, data subjects must generally consent to the processing of their data.
Our company has implemented numerous technical and organizational measures to ensure the most complete protection possible of the personal data we process. Nevertheless, internet-based data transmission can have security gaps and absolute protection cannot be guaranteed.
1.1 Personal data
Personal data refers to all information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable, if he/she can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online ID or with one or several special features reflecting the physical, physiological, genetic, psychic, economic, cultural or social identity of that natural person (GDPR Art. 4 para. 1).
1.2 Data subject
The data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
1.4 Restriction of processing
Restriction of processing involves tagging stored personal data with the aim of limiting its future processing.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization is the processing of personal data in which personal data can no longer be assigned to a specific data subject without the need for additional information. This additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person.
1.7 Data controller and data processor
The data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data;
1.8 Third-party processor
A third-party processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
The recipient means a natural or legal person, public authority, agency or another body to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
1.10 Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent is any statement of intent given voluntarily by the data subject in an informed and unambiguous manner, in the form of a statement or other unambiguous confirming act, by which the data subject indicates that they consent to the processing of their personal data.
2 Name and address of the data controller
The data controller within the meaning of the GDPR:
stoba Holding GmbH & Co. KG
Lange Äcker 8
3 Contact data for our external data protection officer
Herr Michael Gruber
Any data subject can contact our data protection officer directly with any questions or suggestions regarding data protection.
The data subject can prevent cookies being set by our web pages at any time by appropriately setting their browser, thus permanently objecting to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time using an internet browser or other software programs. This is possible in all common internet browsers. If the data subject deactivates the setting of cookies in their internet browser, not all functions of our web pages may be entirely usable.
5 Collection of general data and information
Our web server collects a series of general data and information each time the website is accessed by a data subject or an automated system. This general data and information are stored in the server’s log files. We may record (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrer), (4) the sub-pages which are accessed via an accessing system on our website, (5) the date and time the website was accessed, (6) an internet protocol address (IP address), (7) the internet service providers of the accessing system, and (8) other similar data and information used for security purposes in the event of attacks on our IT systems.
When using this general data and information, we do not draw any conclusions about the data subject. Rather, this information is needed to correctly deliver the contents of our website, to optimize the contents of our website and the advertising for it, to ensure the permanent functionality of our information technology systems and the technology of our website, and to provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack. This anonymously collected data and information are therefore evaluated statistically with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
6 Contacts via the website
Our website contains information that makes it possible to contact our company directly and quickly, including a general email address. If a data subject contacts the data controller by email or through a contact form, the personal data provided by the data subject will be saved automatically. Such personal data transmitted on a voluntary basis by a data subject to the data controller is stored for the purpose of processing or contacting the data subject. We will not pass on this personal information to third parties.
7 Routine deletion and blocking of personal data
The data controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of its storage or as long as stipulated by the law and regulations to which the data controller is subject. If the purpose of the storage no longer applies or if the legally prescribed retention period has expired, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.
8 Rights of the data subject
8.1 Right to confirmation
Data subjects have the right to demand confirmation from the controller as to whether their personal data is being processed. If they wish to exercise this right, they may contact our data protection officer or any other employee tasked with the processing of such data at any time.
8.2 Right to be informed
Data subjects whose personal data is processed have the right to obtain, at any time and free of charge, the following information from the data controller concerning the personal data on file about them and to receive a copy of that information:
- the purpose of the processing;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of a right to correction or deletion of the personal data concerning you or of a restriction of the processing by the data controller or of a right to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- if the personal data has not been obtained directly from the data subject: all available information on the origin of the data;
- the existence of any automated decision-making processes, including profiling, as defined in Art. 22 para. 1 and 4 GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.
Furthermore, data subjects have a right to information as to whether their personal data has been transferred to a third party or to an international organization. If this is the case, then data subjects have the right to obtain information about the security guarantees made in connection with the transfer.
If a data subject wishes to exercise this right to obtain information, they may contact our data protection officer at any time.
8.3 Right to correct data
Data subjects whose personal data is being processed have the right to request the immediate correction of any personal data on file that is inaccurate. Furthermore, taking into account the purposes of the processing, data subjects have the right to request that incomplete personal data be completed, including by means of a supplementary declaration.
If data subjects wish to exercise this right to correct their data on file, they may contact our data protection officer at any time.
8.4 Right to deletion (right to be forgotten)
Data subjects have the right to request that their personal data be deleted immediately, provided that one of the following reasons applies and insofar as the processing is not necessary:
- the personal data has been collected for purposes or processed in ways that are no longer necessary;
- the data subject withdraws their consent to the processing in accordance with Art. 6 para. 1 lit. a) or Art. 9 para. 2 lit. a) GDPR and there is no other legal basis for the processing;
- the data subject objects to the processing per Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for its continued processing or the data subject is entitled to submit an objection pursuant to Art. 21 para. 2 GDPR;
- the personal data has been unlawfully processed;
- the personal data must be deleted in compliance with the obligations under European Union or Member State law to which the data controller is subject;
- the personal data has been collected in relation to services offered by an information collection company according to Art. 8 para. 1 GDPR.
If one of the above-mentioned reasons applies and a data subject wishes to have their personal data stored deleted, they may contact our data protection officer at any time. Our data protection officer will arrange for the deletion request to be fulfilled immediately.
If the personal data has been made public and our company is responsible pursuant to Art. 17 para. 1 GDPR for the deletion of personal data, we shall take appropriate measures, also of a technical nature, taking into account the available technology and the implementation costs, to inform other data processors who process the published personal data that the data subject has requested the deletion of all links to this personal data or of copies or replications of this personal data from these other data processors, insofar as the processing is not necessary. The data protection officer will arrange the details as necessary.
8.5 The right to restrict the processing of data
Each data subject shall have the right to demand that the data controller restrict processing where one of the following conditions applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
- the data subject has objected to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the data controller outweigh those of the data subject.
If any one of the above-mentioned conditions is fulfilled and a data subject wishes to request the restriction of personal data stored by the company, they can contact our data protection officer at any time. The data protection officer will then initiate the restriction of the processing.
8.6 Right to data portability
Each data subject whose personal data is processed shall have the right to obtain the personal data relating to them such as may be stored by the company and/or provided to the data controller, in a structured, current and machine-readable format. They also have the right to transmit this data to another party without hindrance from the data controller to whom the personal data was originally provided, provided that the processing is based on the consent provided for in Art. 6 para. 1 lit. a) or Art. 9 para. 2 a) GDPR or on a contract per Art. 6 para. 1 lit. b GDPR and processing is carried out by means of automated procedures, except where such processing is necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
Furthermore, in exercising their right to data portability pursuant to Art. 20 para. 1 GDPR, the data subject has the right to require that the personal data be transmitted directly from one controller to another as far as this is technically feasible and provided that this does not affect the rights and freedoms of others.
To assert the right to data portability, the data subject may contact the data protection officer at any time.
8.7 Right to object
Each data subject whose personal data is processed has the right granted by the European legislator to object at any time, for reasons arising from their particular situation, to the processing of personal data relating to them which is undertaken on the basis of Art. 6 para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions.
The company will no longer process personal data in the event of an objection, unless we can prove compelling reasons worthy of protection for the processing, which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
If the company processes personal data in order to carry out direct advertising, the person concerned has the right to object at any time to the processing of the personal data for the purpose of such advertising. This also applies to any profiling connected with such direct advertising. If the data subject objects to the company processing for direct advertising purposes, we will no longer process the personal data for these purposes.
In addition, the data subject has the right, for reasons arising from his/her particular situation, to object to the processing of personal data concerning him/her for scientific or historical research purposes or for statistical purposes at the company in accordance with Art. 89 para. 1 GDPR, unless such processing is necessary for the performance of a task in the public interest.
In order to exercise the right to object, the data subject may contact the controller directly.
8.8 Automated individual decision-making including profiling
Each data subject whose personal data is processed shall have the right not to be subject to a decision based exclusively on automated processing, including profiling, which has a legal effect against him/her or significantly affects him/her in a similar manner, provided that the decision (1) is not necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is admissible under Union or Member State law to which the controller is subject and that such law contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, or (3) is made with the express consent of the data subject.
If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the data controller or (2) is made with the express consent of the data subject, the company shall take appropriate measures to protect the rights and freedoms as well as the legitimate interests of the data subject, including at least the right to obtain the intervention of a data controller, to state their own position and to challenge the decision.
If the data subject wishes to exercise their rights concerning automated individual decision-making, they may contact our data protection officer at any time.
8.9 Right to revoke consent
Each data subject whose personal data is processed shall have the right to withdraw their consent to the processing of their personal data at any time. If the data subject wishes to assert their right to withdraw consent, they may contact our data protection officer at any time.
9 Data protection for job applications and in hiring procedures
The data controller collects and processes the personal data of applicants for the purpose of handling the application procedure. Processing may also be carried out electronically. This is especially the case if an applicant sends us corresponding application documents electronically, such as, for example, by email or via a web form on the website. If our company concludes an employment contract with the applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the legal regulations. If our company does not conclude an employment contract with the applicant, the application documents shall be automatically deleted two months after notification of the decision of rejection, provided that no other legitimate interests preclude their deletion. Other legitimate interests in this sense include retaining evidence for use in proceedings under the German Equal Opportunities Act (AGG).
10 Data protection provisions related to the use of Google Analytics
The data controller has integrated the Google Analytics component (with anonymization function) on this website. Google Analytics is a web analytics service. Web analytics are used to collect and analyze data about visitor behavior on websites. A web analytics service collects, among other things, data on the website from which a data subject has accessed a website (“referrer”), which sub-pages of the website have been accessed, or how often and for how long a sub-page has been viewed. Web analytics is mainly used to optimize a website and to perform a cost-benefit analysis of online advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data controller uses the “_gat._anonymizeIp” suffix with Google Analytics. This suffix instructs Google to truncate and anonymize the IP address of the data subject accessing our website from a Member State of the European Union or from another signatory state to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyze visitor traffic on our web page. Among other things, Google uses the data and information obtained to evaluate the use of our websites, to compile online reports for us showing the activities on our websites, and to provide other services related to the use of our websites.
Google Analytics places a cookie on the data subject’s device. Cookies have already been explained above. The placement of this cookie enables Google to analyze the use of our web pages. Each time one of the individual pages of this website is accessed, which is operated by the data controller and on which a Google Analytics component has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google receives information about personal data, such as the data subject’s IP address, which Google uses, among other things, to track the origin of visitors and clicks, and subsequently to facilitate settlement of commissions.
Cookies are used to store personal information, such as the time of access, the location from which access came and the frequency of visits to our web pages by the data subject. Whenever you visit our website, this data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the USA. This personal data is also stored by Google in the USA. Google may disclose such personal data collected through the technical process to third parties.
As already described above, the person concerned can prevent cookies being set by our website at any time by adjusting the appropriate setting of the internet browser used and will thereby object to cookies being set on a permanent basis. Setting the Internet browser used in this way would also prevent Google from placing a cookie on the information technology system of the data subject. In addition, a cookie already set by Google Analytics can be deleted at any time via the internet browser or other software programs.
11 Google tag manager
We use the Google Tag Manager from Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for our website. Using Google Tag Manager, we can centrally install and manage code sections from tracking tools that we use on our website.
The Tag Manager itself is a domain that does not set cookies and does not store any data. It merely acts as an “administrator” of the implemented tags. The individual tags of the different web analysis tools collect the data. The data is passed through to the individual tracking tools in Google Tag Manager and is not saved.
In the Tag Manager account settings, we have allowed Google to receive anonymized data from us. However, this only involves the use of our Tag Manager and not the data of data subjects that is saved via the code sections. We thus enable Google and others to anonymously receive selected data. We therefore consent to the anonymous disclosure of our website data. Despite extensive research, we were unable to find out exactly which summarized and anonymous data were forwarded. In any case, Google deletes all information that could identify our website. Google summarizes the data along with data from hundreds of other websites and creates user trends as part of benchmarking measures. Benchmarking compares your own results with those of your competitors. Processes can be optimized based on the information collected.
If Google stores data, then this data is stored on its own Google servers. The servers are spread out all over the world. Most are in America. Additional information on the location of the Google servers can be found at https://www.google.com/about/datacenters/inside/locations/?hl=de.
The Google Tag Manager itself does not set cookies, but manages tags from various tracking websites. Data subjects can find detailed information regarding the deletion or management of this data in our data protection texts for the individual tracking tools.
Google is an active participant in the EU-U.S. Privacy Shield Framework, which regulates the correct and secure data transfer of personal data. More information can be found at https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&tid=211116544. More information about Google Tag Manager can be found here https://www.google.com/intl/de/tagmanager/faq.html.
12 Google maps
Our website uses Google Maps to display maps and directions to our locations.
Google Maps is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
When you visit the website, Google receives the information that you have accessed the corresponding page of our website. This happens regardless of whether you are logged into Google or not. If you are logged into Google, the information you enter will be directly associated with your account. If you do not want this, you must log out before using the service.
Created with Datenschutz-Generator.de by Dr. Thomas Schwenke, Attorney-at-Law.
We have included YouTube videos on our website. This allows us to present interesting videos directly on our site. YouTube is a video portal that has been a subsidiary of Google since 2006. The video portal is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit a page on our website that has a YouTube video embedded, your browser automatically connects to the servers of YouTube or Google. Different data are transmitted (depending on the settings). Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) is responsible for all data processing in the European area.
In the following, we would like to explain to you in more detail what data is processed, why we have included YouTube videos and how you can manage or delete your data.
What is YouTube?
On YouTube, users can view, rate, comment on and upload videos for free. Over the last few years, YouTube has become one of the most important social media channels worldwide. To enable us to display videos on our website, YouTube provides a code snippet that we have built into our site.
Why do we use YouTube videos on our website?
YouTube is the video platform with the most visitors and the best content. We strive to provide you with the best possible user experience on our website. And of course interesting videos should not be missing. With the help of our embedded videos we provide you with further helpful content in addition to our texts and images. In addition, our website is easier to find on the Google search engine due to the embedded videos. Even though we use Google Ads to display ads, Google can – thanks to the data collected – really only show these ads to people who are interested in our offers.
What data is stored by YouTube?
When you visit one of our sites that has a YouTube video embedded, YouTube at least sets a cookie that stores your IP address and our URL. If you are logged in to your YouTube account, YouTube can associate your interactions on our site with your profile, often using cookies. This includes data such as session duration, bounce rate, approximate location, technical information such as browser type, screen resolution or your Internet service provider. Other data may include contact information, any ratings, sharing content through social media, or adding to your favorites on YouTube.
If you’re not signed in to a Google Account or a YouTube account, Google stores data with a unique identifier associated with your device, browser, or app. For example, your preferred language setting is retained. But a lot of interaction data cannot be stored because fewer cookies are set.
In the following list we show cookies that were set in a test in the browser. On the one hand, we show cookies that are set without a registered YouTube account. On the other hand, we show cookies that are set with a registered account. The list cannot claim to be complete, because the user data always depends on the interactions on YouTube.
Purpose: This cookie registers a unique ID to store statistics of the video viewed.
Expiry date: after the end of the session
Purpose: This cookie also registers your unique ID. Google gets statistics about how you use YouTube videos on our website via PREF.
Expiry date: after 8 months
Purpose: This cookie registers your unique ID on mobile devices to track your GPS location.
Expiry date: after 30 minutes
Purpose: This cookie tries to estimate the bandwidth of the user on our websites (with built-in YouTube video).
Expiry date: after 8 months
Other cookies that are set when you are logged in with your YouTube account:
Purpose: This cookie is used to create a profile about your interests. The data is used for personalized advertisements.
Expiry date: after 2 years
Purpose: The cookie stores the status of a user’s consent to use various Google services. CONSENT also serves security purposes to check users and protect user data from unauthorized attacks.
Expiry date: after 19 years
Purpose: This cookie is used to create a profile about your interests. This data helps us to display personalized advertising.
Expiry date: after 2 years
Purpose: Information about your login data is stored in this cookie.
Expiry date: after 2 years
Purpose: This cookie works by uniquely identifying your browser and device. It is used to create a profile about your interests.
Expiry date: after 2 years
Purpose: This cookie stores your Google Account ID and your last sign-in time in digitally signed and encrypted form.
Expiry date: after 2 years
Purpose: This cookie stores information about how you use the website and what advertisements you may have seen before visiting our site.
Expiry date: after 3 months
How long and where is the data stored?
The data that YouTube receives from you and processes are stored on Google’s servers. Most of these servers are located in America. At www.google.com/about/datacenters/inside/locations/ you can see exactly where the Google data centres are located. Your data is distributed on the servers. This means that data can be retrieved more quickly and is better protected against manipulation.
Google stores the collected data for different lengths of time. Some data can be deleted at any time, some are automatically deleted after a limited time, and some are stored by Google for a longer period of time. Some data (such as My Activity items, photos or documents, products) stored in your Google Account will remain stored until you delete them. Even if you’re not signed in to a Google Account, you can delete some data associated with your device, browser, or app.
How can I delete my data or prevent data storage?
Basically, you can manually delete data in your Google Account. With the automatic deletion of location and activity data introduced in 2019, information is stored for either 3 or 18 months depending on your decision, and then deleted.
Whether or not you have a Google Account, you can configure your browser to delete or disable Google cookies.
14 Competent data protection supervisory authority
State Commissioner for Data Protection and Freedom of Information
phone +49 711 6155410