General management
Beat Spillmann
Michael Bollmann
Link to legal notice: https://www.polysil-coatings.com/impressum/
Types of data processed
- Inventory data (e.g., names, addresses).
- Contact details (e.g., email addresses, telephone numbers).
- Content data (e.g., text input, photographs, videos).
- Usage data (e.g., visited websites, content interests, access times).
- Meta/communication data (e.g., device information, IP addresses).
Categories of data subjects
Visitors and users of the online service (hereinafter referred to as “users”).
Purpose of processing
- Provision of our services, its contents and the associated functions, as well as
- responding to contact requests and communication including
- security measures.
- Reach analysis/marketing
Terms used
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The definition of this term is extensive and covers practically all handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Applicable legal basis
In accordance with Art. 13 DSGVO 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not explicitly stated in the Privacy Policy, the following applies: The legal basis for obtaining consents is Art. 6 (1) a and Art. 7 GDPR, the legal basis for processing for the performance of our services and performance of contractual measures as well as for answering inquiries is Art. 6 (1) b GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 (1) c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) f GDPR. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) GDPR serves as the legal basis.
Security measures
We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the
access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of data subjects’ rights, the erasure of data and the response to data hazards. We also already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).
Working with processors and third parties
If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1) b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).
If we commission third parties with the processing of data on the basis of a so-called
“Data Processing Agreement”, this is carried out based on Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or let the data being processed in a third country only if the special requirements of Art. ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU (e.g. for the USA by the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “Standard Contractual Clauses”).
Rights of data subjects
You have the right to obtain from the controller confirmation as to whether personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.
According to Art. 16 of the GDPR, you have the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.
In accordance with Art. GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art 18 GDPR.
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller in accordance with Art. 20 GDPR.
In accordance with Art. GDPR, you also have the right to file a complaint with the supervisory authority.
Right of withdrawal
You have the right to withdraw consents granted pursuant to Art. 7 (3) GDPR with effect for the future.
Right of objection
You can object to the future processing of the data concerning you in accordance with Art. 21 GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.
Cookies and right of objection in direct marketing
“Cookies” are small files that are stored on the user’s computer. Various information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online service. Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online service and closes their browser. For example, the content of a shopping basket in an online shop or a login status can be stored in such a cookie. Cookies are referred to as “permanent” or “persistent” if they remain stored even after the browser is closed. For example, the login status can be saved if users visit it after several days. Likewise, the users interests may be stored in such a cookie and used for coverage or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the controller for operating the online service (otherwise, if they are only cookies offered by the controller for operating the online service, they are referred to as “first-party cookies”).
We may use temporary and permanent cookies and clarify this as part of our privacy policy.
If users do not want cookies to be stored on their computer, they are asked to deactivate the option in the system settings of their browser. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies can lead to functional restrictions with this online service.
A general objection to the use of cookies used for online marketing purposes can be found in a large number of services, particularly in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be blocked by deactivating them in the browser settings. Please note that in this case not all of the functions of this online service can be used.
Erasure of data
The data processed by us will be erased or its processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated in this privacy policy,
the data stored by us will be erased as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data are not erased because they are necessary for other and legally permissible purposes, their processing is restricted. This means that the data is excluded and not processed for other purposes. This applies, for example, to data that must be retained for commercial or taxation reasons.
In accordance with German statutory requirements, the records shall be kept for 6 years in particular in accordance with § 257 (1) German Commercial Code (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with § 147 (1) German Financial Act (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).
In accordance with Austrian statutory requirements, the records shall be kept for 6 years in particular in accordance with § 132 (1) BAO (accounting documents, receipts/invoices, accounts, receipts, business documents, statement of income and expenses, etc.), for 22 years in connection with real estate and for 10 years for documents in connection with electronically provided services, telecommunications, radio and television services, which are provided to private individuals in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.
Order processing in the online shop and customer account
We process the data of our customers as part of the ordering process in our online shop to allow them to select and order the selected products and services, as well as their payment, delivery and execution.
The processed data includes inventory data, communication data, contract data, payment data and the data subjects include our customers, interested parties and other business partners. Processing takes place for the purpose of providing contractual services within the context of operating an online shop, billing, delivery and customer services. We use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.
Processing is carried out in accordance with Art. 6 (1) b (execution of order processes) and c (legally required archiving) GDPR. The information marked as necessary is required to establish and fulfil the contract. We disclose the data to third parties only within the context of delivery, payment or within the context of legal permits and obligations to legal advisors and authorities. The data will only be processed in third countries if this is necessary for the fulfilment of the contract (e.g. at the customer’s request upon delivery or payment).
Users have the option of creating a user account in which they can see their orders. During the registration process the users are informed of the required mandatory information. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data with regards to the user account is deleted, unless retention is necessary for commercial or tax reasons according to Art. 6 (1) c GDPR. Data in the customer’s account is retained up to its deletion unless archived in the case of a legal obligation. It is the user’s responsibility to save their data before the end of the contract if they have given notice of termination.
When registering at each login and using our online services we store the IP address and the time of the particular user action. The data is stored on the basis of our legitimate interests as well as the user’s protection against misuse and other unauthorized use. This data is not passed to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so according to Art. 6 (1) c GDPR.
The data is deleted after the expiry of statutory warranty and comparable obligations, the requirement to retain the data is reviewed every three years; in the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).
External payment service providers
We use the external payment service provider Paypal. Users can use the Paypal platform to carry out payment transactions.
(https://www.paypal.com/uk/webapps/mpp/ua/privacy-full)
As part of the fulfilment of contracts we employ payment service providers on the basis of Art. 6 (1) b GDPR. We also employ external payment service providers on the basis of our legitimate interests in accordance with Art. 6 (1) b GDPR to provide our users with effective and secure payment options.
The data processed by the payment service providers includes inventory data such as name and address, bank data such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, total sums and recipient information. This information is required to execute the transactions. However, the data entered will only be processed and stored by the payment service providers. This means that we do not receive any account or credit card related information, but only information with confirmation or negative information about the payment. The data may be transferred by the payment service providers to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. For this we refer to the terms and conditions and data protection information of the payment service providers.
Applicable for payment transactions are the terms and conditions and the data protection information of the respective payment service providers, which can be accessed within the respective websites or
transaction applications. We refer to these also for the purpose of further information and assertion of rights of revocation, information and other interested parties.
Registration feature
Users can create a user account. During the registration process the users are informed of the required mandatory information which is processed on the basis of Art. 6 (1) b GDPR for the purpose of providing the user account. The processed data includes in particular the login information (name, password and an email address). The data entered during registration is used for using the user account and its purpose.
Users can be notified by e-mail of information relevant to their user account such as technical changes. If users cancel their user account, their data relating to the user account is deleted, subject to a legal obligation to retain data. It is the user’s responsibility to save their data before the end of the contract if they have given notice of termination. We are entitled to irretrievably delete all user data stored during the term of the contract.
As part of the use of our registration and login functions and using the user account, we store the IP address and the time of the particular user action. The data is stored on the basis of our legitimate interests as well as the user’s protection against misuse and other unauthorized use. This data is not passed to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so according to Art. 6 (1) c GDPR. The IP addresses are anonymized or deleted after 7 days at the latest.
Comments and contributions
If users leave comments or other contributions, their IP addresses may be stored for 7 days as part of pursuing our legitimate interests as stipulated by Art. 6 (1) f. GDPR. We do this to mitigate our risk in case someone leaves illegal content in comments and contributions (insults, forbidden political propaganda, etc.). In such cases, we could ourselves be prosecuted for the comment or contribution and therefore have a vested interest in determining the author’s identity.
We also reserve the right to process the information entered by the user to detect spam as stipulated by Art. 6 (1) f GDPR.
We permanently store data provided in the context of comments and contributions until the user objects.
Akismet anti-spam check
Our online offer uses the Akismet service provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Usage is based on our legitimate interests as stipulated by Art. 6 (1) f GDPR. The service helps distinguish between comments entered by real people and spam comments. For this purpose, all comment information is sent to a server in the USA, where it is analysed and stored for four days for comparison purposes. If a comment has been classified as spam, the data will be stored after this time. This information includes the name entered, the e-mail address, the IP address, the comment content, the referrer, information on the browser used, the computer system and the time of entry.
Further information on Akismet’s collection and use of data can be found in Automattic’s privacy policy: https://automattic.com/privacy/.
Users are welcome to use pseudonyms or refrain from entering their name or email address. They can also completely prevent the transfer of data by not using our comment system. That would be a pity, but unfortunately we see no other alternatives that work as effectively.
The use of emojis and smilies
Graphical emojis (or smilies), i.e. small graphical files that express feelings, which are obtained from external servers, are used within our WordPress blog. The providers of the servers collect the IP addresses of the users. This is required to transmit the emoji files to the user’s browser. The emoji service is offered by Automattic Inc, 60 29th Street #343, San Francisco, CA 94110, USA.
Automattic’s privacy policy: https://automattic.com/privacy/. The server domains used are s.w.org and twemoji.maxcdn.com, whereby to our knowledge these are so-called content-delivery networks, i.e. servers which merely serve to provide fast and secure transmission of the files and the personal data of the users are deleted after the transmission.
The use of the Emojis is based on our legitimate interests, i.e. interest in an attractive design of our online offer according to Art. 6 (1) f GDPR.
Contacting us
When contacting us (using the contact form, e-mail, telephone or social media), the user’s details are used for handling the contact enquiry and its processing in accordance with Art. 6 (1) b GDPR. User information can be stored in a customer relationship management system (“CRM system”) or comparable enquiry organisation.
We delete the enquiries as soon as they are no longer required. We review this requirement every two years; the statutory archiving obligations also apply.
Newsletter – CleverReach
We use the newsletter distribution platform provided by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. For further information about the newsletter distribution service provider’s privacy policy, visit https://www.cleverreach.com/en/privacy-policy/. The newsletter distribution service provider is used to pursue our legitimate interests in accordance with Art. 6 (1) f GDPR and a processing agreement is entered with this service provider in accordance with Art. 28 para. 3 item 1 GDPR.
The newsletter distribution service provider can use the recipient’s data in pseudonymous form, i.e. without assignment to a user, to optimize or improve its own services, e.g. to technically optimize the dispatch and presentation of the newsletter or for statistical purposes. However, the newsletter distribution service does not use the data of our newsletter recipients to contact them itself or to pass the data on to third parties.
Hosting and email distribution
The hosting services we use are designed to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, emailing, security and technical maintenance services we use to operate this online service.
In this context we, or our hosting provider process inventory data, contact data, content data, contract data, usage data, metadata and communication data of customers, interested parties and visitors to this online service on the basis of our legitimate interests in an efficient and secure provision of this online service acc. to Art. 6 (1) f GDPR in connection with Art. 28 GDPR (conclusion of data processing contract).
Google Analytics
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service within the meaning of Art. 6 (1) f GDPR), we use Google Analytics, a web analytics service provided by Google LLC (“Google”). Google uses cookies. The information generated by the cookie about the use of the online service by the users is usually transmitted to a Google server in the USA and stored there.
Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online service by users, to compile reports on the activities within this online service and to provide us with further services related to the use of this online service and internet usage. In this case, pseudonymous usage profiles of the users can be created from the processed data.
We use Google Analytics only with enabled IP anonymization. This means that Google will truncate the IP address of users within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Your full IP address will only be transmitted to a Google server in the USA and truncated there in exceptional cases.
The IP address submitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by setting their browser software accordingly; users may also prevent the collection by Google of the data generated by the cookie and related to their use of the online service and the processing of such data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
For more information about Google’s data usage, setting and objection options, please read Google’s Privacy Policy (https://policies.google.com/technologies/ads) as well as in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).
The personal data of users will be deleted or anonymized after 14 months.
Online presences in social media
We maintain online presences within social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the privacy policy of their respective providers apply.
Unless otherwise stated in our privacy policy, we will process the data of users who communicate with us within social networks and platforms, e.g. publish contributions on our online profiles or send us messages.
Integration of third-party services and content
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service within the meaning of Art. 6 (1) f GDPR), we use the content or service offerings of third parties to incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”) in our website.
This always presupposes that the third party providers of this content perceive the IP address of the users, as they could not send the content to users’ browsers without an IP address. The IP address is therefore required to display this content. We make every effort to use only content, the respective providers of which use the IP address only for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, and may be linked to such information from other sources.
Google Fonts
We use Google Fonts provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Google ReCaptcha
We use the function for the recognition of bots, e.g. for entries in online forms (“ReCaptcha”) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Google Maps
We use Google Maps provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include in particular IP addresses and location data of the users, which, however, are not collected without their consent (as a rule within the framework of the settings of their mobile devices). This data can be processed in the USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Adobe Typekit fonts
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service within the meaning of Art. 6 (1) f GDPR), we use external Typekit fonts provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).
Use of Facebook Social Plugins
Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online service within the meaning of Art. 6 (1) f GDPR), we use the Social Plugins provided by the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are identified by one of the Facebook logos (white “f” on blue square, the terms”like” or a “thumbs up” symbol) or are indicated by the note “Facebook Social Plugin”. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a user displays a feature of this online service that contains such a plugin, their device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted by Facebook directly to the user’s device and integrated from their into the online service. The processed data can be used to create user profiles. We therefore have no influence on the amount of data Facebook collects with the help of this plugin and therefore inform users to the best of our knowledge.
By integrating the plugins, Facebook receives information that a user has displayed the corresponding page of the online service. If the user is logged in to Facebook, then Facebook can assign the visit to that user’s Facebook account. If users interact with the plugins by clicking on the Like button or posting a comment, for example, then the information is sent directly from the user’s device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to obtain and store their IP address. According to Facebook, it only stores anonymized IP addresses in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the relevant rights and setting options for the protection of users’ privacy, can be found in Facebook’s data protection information: https://www.facebook.com/about/privacy/.
If a user is a member of Facebook and does not want Facebook to collect data about them via this online service and link it to their membership data stored on Facebook, then they must log out of Facebook before using our online service and delete their cookies. Further settings and objections to the use of data for advertising purposes can be made within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices including desktop computers and mobile devices, for example.
Twitter
Our online service can included features and content of the service Twitter provided by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content and subscribe to the authors of the content or our contributions. If the users are members of the platform Twitter, then Twitter can allocate use of the above mentioned. contents and features to the users’ profiles. Twitter is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.
(https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Privacy policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.
