Data Privacy Statement

Name and contact of the controller under Article 4 (7) GDPR


Company:
Central Glass Germany GmbH

Address:
Kantstrasse 2
33790 Halle/Westphalia
Germany

Telephone:
+49 - 5201 - 6613 - 0

Telefax:
+49 - 5201 - 6613 - 118

Email:
marketing@cg-germany.com


Commercial register at the local courts:
Amtsgericht Gütersloh, HRB 7987

VAT ID:
DE 259 904 773


Security and protection of your personal data

We feel it is our foremost responsibility to guard the confidentiality of the personal data you have provided and protect them from unauthorised access. Therefore, we use the utmost care and up-to-date security standards to guarantee maximal protection of your personal data.

As a company governed by private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the regulations of the Federal Data Protection Act (BDSG). We have taken technical and organisational measures which ensure that both we and our external service providers observe data protection provisions.


Definitions


The legislature demands that personal data be processed legally, in good faith, and in a manner that is transparent for the data subject (“legality, processing in good faith, transparency”). To guarantee this will occur, we wish to inform you about the individual statutory definitions used in this data privacy statement:

1. Personal data
“Personal data” means all information related to an identified or identifiable natural person (“data subject”). A natural person is deemed “identifiable” if they can be directly or indirectly identified, especially by allocating them to an identifier such as a name, ID number, location data, an online identifier, or to one or more particular characteristics which express this natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.

2. Processing
“Processing” means any operation executed with or without the help of automatic procedures, or any such series of operations in connection with personal data, such as collecting, recording, organising, filing, storing, adjusting or altering, reading, requesting, using, disclosing through transmission, dissemination or another form of provision, comparing or connecting, restricting, deleting or destroying such data.

3. Restriction of processing
“Restriction of processing” means marking stored personal data with the goal of restricting its processing in the future.

4. Profiling
“Profiling” means any type of automatic processing of personal data in which those data are used to assess certain personal aspects related to a natural person, especially to analyse or predict aspects regarding their work performance, economic situation, health, personal preferences, interests, reliability, behaviour, abode or change of location.

5. Pseudonymisation
“Pseudonymisation” means processing personal data to prevent them from being linked to a specific data subject without drawing on additional information, provided this additional information is retained separately and is subject to technical and organisational measures which guarantee that the personal data cannot be allocated to an identified or identifiable natural person.

6. File system
A “file system” means any structured collection of personal data which is accessible according to certain criteria, regardless of whether this collection is kept centrally or locally or arranged according to functional or geographic aspects.

7. Controller
“Controller” means a natural person or legal entity, government agency, institution or other agency which, alone or in conjunction with others, decides on the purpose and means of processing personal data. If the purpose and means of that processing are prescribed by the law of the European Union or its member states, those laws may also prescribe who the controller must be or the specific criteria according to which the controller must be named.

8. Processor
“Processor” means a natural person or legal entity, government agency, institution or other agency which processes personal data on behalf of the controller.

9. Recipient
“Recipient” means a natural person or legal entity, government agency, institution or other agency to which personal data are disclosed, regardless of whether that recipient is a third party. However, authorities who obtain personal data due to a specific investigation mandate under the law of the European Union or its member states are not deemed recipients. The authorities named process that data according to applicable data protection provisions and the purpose of the processing.

10. Third parties
“Third party” means a natural person or legal entity, government agency, institution or other agency, besides the data subject, the controller, the processor and the people for whom the controller or the processor are directly responsible, who are authorised to process the personal data.

11. Consent
“Consent” from the data subject means any expression of intent which is voluntarily and unmistakeably given for the case at hand, in an informed manner, in the form of a declaration of other unambiguous affirming action, with which the data subject makes understood that party agrees to the processing of the personal data concerning them.


Legality of processing

The processing of personal data is legal only if it has a legal basis. Under Article 6 (1) a–f GDPR, such legal bases are particularly constituted if:

a. the data subject has consented to the processing of the personal data concerning them for one or more specific purposes;
b. processing is necessary to fulfil a contract to which the data subject is party, or to execute pre-contractual measures on the data subject’s request;
c. processing is necessary to fulfil a legal obligation to which the controller is subject;
d. processing is necessary to protect vital interests of the data subject or another natural person;
e. processing is necessary to carry out a task in the public interest or in the exercise of public authority vested in the controller;
f. processing is necessary to guard the legitimate interests of the controller or a third party, unless this need is outweighed by the interests or basic rights and freedoms of the data subject which require that the personal data be protected, especially if the data subject is a child.


Collection of personal data when you visit our website

If you are using our website only for informational purposes and thus do not register or otherwise transmit information to us, we will collect only the personal data that your browser transmits to our server. If you would like to look at our website, we will collect the following data, which are technically necessary for us to show you our website and guarantee its stability and security (legal basis is Art. 6 (1) sentence 1 f GDPR):

- IP-Adresse
- Date and time of request
- Time zone difference to Greenwich Mean Time (GMT)
- Contents of the request (specific page)
- Access status / HTTP status code
- Data quantity transferred each time
- Website from which the request comes
- Browser
- Operating system and its interface
- Language and version of the browser software.


Additional functions and services of our website


(1) We do not pass on your personal data to third parties unless you have given your consent to the data being passed on - this applies in particular to the passing on of data within the Central Glass Group and all of its branches. The exception being, that we are entitled or obliged to pass on data on the basis of legal regulations and/or official or legal court orders.
(2) If our service provider or partner is domiciled in a state outside the European Economic Area (EEA), we will include any consequences this entails in the offer description.


Children


Our services are meant for adults. People under 18 should get permission from their parent or legal guardian before transmitting personal data to us.


Rights of the data subject


(1) Withdrawal of consent If your personal data is being processed based on consent you have granted, you may always withdraw that consent. Withdrawing your consent will not affect the legality of processing that has already occurred based on your consent.

To exercise your right of withdrawal, you may contact us at any time.


(2) Right to confirmation You have the right to demand confirmation from the controller about whether we are processing personal data about you. You may demand this confirmation at any time, at the contact data indicated above.


(3) Right of access to information If personal data are being processed, you can always demand information about these data and about the following information:

a. the purpose of processing;
b. the categories of personal data that are being processed;
c. the recipients or categories of recipients to whom the personal data are or will be disclosed, especially if those recipients are located in third countries or international organisations;
d. if possible, how long the personal data is planned to be stored, or if this is impossible, the criteria for ascertaining that period;
e. the existence of a right to rectification or erasure of the personal data concerning you, or the restriction of the processing by the controller or a right of objection against this processing;
f. the existence of a right to lodge a complaint with a supervisory authority;
g. if the personal data are not collected from the data subject, all available data about the data’s origin;
h. the existence of any automatic decision-making, including profiling pursuant to Article 22 (1 and 4) GDPR and—at least in these cases—meaningful information about the involved logic and implications and sought-after effects of such processing for the data subject.

If personal data are transmitted to a third country or international organisation, you have the right to be informed about the appropriate guarantees under Article 46 GDPR in connection with the transmission. We will provide you with one copy of the personal data which are the object of processing. For all additional copies you request, we may charge a reasonable fee based on the administrative costs. If the request is made electronically, the information must be provided in a commonly used electronic format unless otherwise stipulated. The right to obtain a copy pursuant to section 3 may not impair the rights and freedoms of other people.


(4) Right to rectification You always have the right to demand that we rectify any incorrect personal data concerning you. Under consideration of the purpose of processing, you have the right to demand that incomplete personal data be completed, including by means of a supplementary declaration.


(5) Right to erasure (“right to be forgotten”) You have the right to demand from the controller that the personal data concerning you be erased, and we are obligated to erase that data without undue delay for one of the following reasons:

a. The personal data are no longer needed for the purposes for which they were collected or otherwise processed. b. The data subject withdraws their consent on which the processing under Article 6 (1) a or Article 9 (2) a GDPR is based, and there is no other legal basis for the processing. c. The data subject lodges a complaint against the processing under Article 21 (1) GDPR, and there are no overriding legitimate reasons for that processing, or the data subject lodges a complaint against the processing under Article 21 (2) GDPR. d. The personal data were processed illegally. e. The personal data must be erased to fulfil a legal obligation under EU or member state law to which the controller is subject. f. The personal data were collected in regard to services offered by the information society under Article 8 (1) GDPR.

f the controller has published the personal data and is obligated under paragraph 1 to erase them, the controller shall take reasonable measures, including technical ones, under consideration of available technology and implementation costs, to inform the controller for the data processing who processes the personal data that a data subject has demanded that they erase all links to those personal data or copies or replications thereof.

The right to erasure (“right to be forgotten”) does not exist if the processing is necessary:

- to exercise the right to information and free expression of opinion;
- to fulfil a legal obligation which requires the processing under EU or member state law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller;
- for reasons of public interest in the area of public health under Article 9 (2) (h and i) and Article 9 (3) GDPR;
- for purposes of archiving, science or historical research which lie in the public interest, or for statistical purposes under Art. 89 (1) GDPR, insofar as the right mentioned in paragraph 1 is expected to prevent or seriously impair the realisation of this agreement’s objectives, or
- to assert, exercise or defend against legal claims.


(6) Right to restriction of processing You have the right to demand that we restrict the processing of your personal data if one of the following conditions is met:

a. if the data subject disputes that the personal data is correct, for a duration which enables the controller to check its correctness,
b. the processing is incorrect and the data subject waives their right to have the personal data erased, instead demanding that the data’s use be restricted;
c. the controller of the personal data no longer needs them for the purposes of their processing, but the data subject needs them to assert, exercise or defend against legal claims, or
d. the data subject has filed an objection against the processing under Article 21 (1) GDPR, provided it has not yet been established whether the legitimate reasons of the controller outweigh those of the data subject.

If the processing has been restricted, these personal data—regardless of their storage—may be processed only (1) with the data subject’s consent, (2) to assert, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
To exercise their right to restriction of processing, the data subject may contact us at any time using the contact data given above.


(7) Right to data portability You have the right to receive these personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as:

a. the processing is based on consent under Article 6 (1) a or Article 9 (2) a or on a contract under Article 6 (1) b GDPR and
b. the processing occurs with the help of automated procedures.

In exercising this right of data portability under paragraph 1, you may also have the personal data transmitted directly from one controller to another, insofar as this is technically feasible. Exercising the right to data portability does not affect the right to erasure (“right to be forgotten”). This right does not apply to processing which is necessary to carry out a task in the public interest or in the exercise of public authority vested in the controller.


(8) Right to object You have the right to object at any time, for reasons arising from your particular situation, to personal data concerning you being processed based on Article 6 (1) e or f GDPR. This also applies to profiling based on these provisions. The controller shall no longer process the personal data unless that party can prove compulsory reasons for doing so that are worth protecting, which outweigh the data subjects’ interests, rights and freedoms, or the processing helps to assert, exercise or defend against legal claims.

If the personal data are processed for direct marketing purposes, you may object to that processing at any time. This also applies to any profiling connected to such direct marketing. If you object to having personal data processed for direct marketing purposes, this processing will be discontinued.

In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).

You have the right, for reasons arising from your particular situation, to object to the processing of the personal data concerning you, which occurs for scientific or historical research purposes or for statistical purposes under Article 89 (1), unless that processing is necessary for a task in the public interest.

You may always contact the controller in question to exercise your right to object.


(9) Automatic decision-making in individual cases, including profiling You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. This does not apply if that decision:

a. is necessary to conclude or fulfil a contract between the data subject and the controller,
b. is permitted under EU or member state law to which the controller is subject and which stipulates reasonable measures for guarding the data subject’s rights, freedoms and legitimate interests, or
c. with the express consent of the data subject.
The controller shall take reasonable measures to guard the data subject’s rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present the data subject’s own point of view, and to contest the decision.
The data subject may always exercise their right to object by contacting the controller in question.


(10) Right to complain to a supervisory authority If the data subject believes that the processing of the personal data concerning them breaches the GDPR, they have the right to complain to a supervisory authority—especially in the member state of the data subject’s abode, workplace, or the place of the suspected breach—without prejudice to other administrative rights or judicial remedies.


(11) Recht auf wirksamen gerichtlichen Rechtsbehelf Without prejudice to any available administrative right or judicial remedy, including the right to complain to a supervisory authority under Article 77 GDPR, the data subject has the right to an effective legal remedy if the data subject believes that the rights to which they are entitled under this directive have been breached because the processing of their personal data failed to comply with this directive.

Processor

We use external service providers (processors) for such tasks as sending goods and newsletters or handling payments. A separate contract for commissioned data processing is concluded with the service provider to guarantee your personal data will be protected.
We cooperate with the following service providers:

- ComNet – Computer im Netzwerk Vertriebs-GmbH