Data Protection Policy
1. Definition of terms
DSI Getränkearmaturen GmbH’s Data Protection Policy utilises the terms used by European legislators and regulators in their General Data Protection Regulation (GDPR). Our Data Protection Policy aims to be easy to read and understand for the public as well as our clients and business partners. To make sure that is the case, we would like to explain some of the terms we have used.
Here are some of the terms used in this Data Protection Policy:
· Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors particular to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
· Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller.
· Processing
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying.
· Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
· Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
· Pseudonymisation
Pseudonymisation means processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
· Controller or person responsible for processing
Controller or person responsible for processing means the natural person or corporate entity, public authority, agency or other entity, which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
· Processor
Processor means a natural person or corporate entity, public authority, agency or other entity which processes personal data on behalf of the controller.
· Recipient
Recipient means a natural person or corporate entity, public authority, agency or other entity, to which personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
· Third party
Third party means a natural person or corporate entity, public authority, agency or other entity other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
· Consent
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. General notes and mandatory information
Data protection
As the operator of this website, we, DSI Getränkearmaturen GmbH, take the protection of your personal data very seriously. We treat your personal data as confidential and handle it in compliance with statutory data protection regulations and this Data Protection Policy.
Controlling entity
The entity responsible for processing data on this website is:
DSI Getränkearmaturen GmbH
Oberster Kamp 20
59069 Hamm
Germany
Telephone: +49 (0) 2385 772 0
E-Mail: info@disptek.com
The controlling entity is the natural person or corporate entity which, alone or together with others, decides on the purposes and means of processing personal data (such as names, email addresses and so on).
The data subject’s rights under GDPR
Right to information
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data and the following information:
· the purposes of the processing;
· the categories of personal data concerned;
· the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
· where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
· the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
· the right to lodge a complaint with a supervisory authority;
· where the personal data is not collected from the data subject, any available information as to its source;
· the existence of automated decision-making, including profiling, referred to in Article 22 Paragraphs 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
· Where personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
· The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
· The right to obtain a copy referred to in Paragraph 3 shall not adversely affect the rights and freedoms of others.
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’)
Every data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
· The personal data is no longer needed in relation to the purposes for which it was collected or otherwise processed;
· The data subject withdraws consent on which the processing is based according to Art. 6 Par. 1 point a GDPR or Art. 9 Par. 2 point a GDPR, and where there is no other legal foundation for the processing;
· The data subject objects to the processing pursuant to Art. 21 Par. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 Par. 2 GDPR;
· The personal data has been unlawfully processed;
· The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
· The personal data has been collected in relation to the offer of information society services referred to in Art. 8 Par. 1 GDPR.
Where the controller has made the personal data public and is obliged pursuant to Paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.
Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
· The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
· The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
· The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims;
· The data subject has objected to processing pursuant to Article 21 Paragraph 1 GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to Article 6 Paragraph 1 point a GDPR or Article 9 Paragraph 2 point a GDPR, or on a contract pursuant to Article 6 Paragraph 1 point b GDPR and the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to Paragraph 1 GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right shall be without prejudice to Article 17 GDPR.
That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The right to data portability shall not adversely affect the rights and freedoms of others.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 Paragraph 1 points e or f GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in Art. 21 Paragraphs 1 and 2 GDPR shall be explicitly brought to his or her attention and shall be presented clearly and separately from any other information.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 Paragraph 1 GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly impacts on him or her.
This shall not apply if the decision:
· is necessary for entering into, or performance of, a contract between the data subject and a data controller;
· is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
· is based on the data subject’s explicit consent.
In the cases referred to in points a and c, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Decisions shall not be based on special categories of personal data referred to in Article 9 Paragraph 1 GDPR, unless Article 9 Paragraph 2 point a or g GDPR applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Right to revoke consent under data protection law
The data subject has the right to revoke his or her consent to the processing of personal data at any time. If the data subject wishes to exercise his or her right to revoke this consent, then he or she must contact the controller. Revoking consent does not render illegal any data processing done up to that point.
Right to complain to the responsible regulatory authorities
The data subject has the right to complain to the responsible regulatory authorities if data protection laws have been breached. The regulatory authority responsible for matters of data protection law is the state data protection officer of the federal state in which our company’s headquarters are located. The following link provides a list of data privacy officers and their contact details: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Legal basis for the processing
Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, then the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures, for example in the case of enquiries concerning our products or services. If our company is subject to a legal obligation requiring the processing of personal data, such as the fulfilment of tax obligations, then the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured at our company premises and his or her name, age, health insurance details or other vital information would have to be passed on to a doctor, hospital or other third party. The processing would then be based on Art. 6 I lit. d GDPR. Finally, processing operations could be based on Art. 6 I lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the aforementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing operations are particularly permissible because they have been specifically mentioned by European legislators, who considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Clause 2 GDPR).
Legitimate interests in processing pursued by the controller or a third party
If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest is to carry out our business for the wellbeing of all our employees and shareholders.
Period for which personal data is stored
The criterion used to determine the period of storage of personal data is the respective statutory retention period. At the end of that period, the corresponding data is routinely deleted, provided it is no longer needed for the fulfilment or initiation of a contract.
Statutory and contractual requirements on the provision of personal data; necessity for entering into a contract; obligation of the data subject to provide personal data; possible consequences of failure to provide it
We would like to inform you that the provision of personal data is sometimes required by law (e.g. tax regulations) and can also result from contractual provisions (e.g. information about a contractual partner). In order to conclude a contract, it may sometimes be necessary for the data subject to provide us with personal data, which must subsequently be processed by us. For instance, the data subject is obliged to provide us with personal data when our company signs a contract with him or her. Failure to provide the personal data would prevent the contract from being concluded with the data subject. The data subject must contact one of our staff before providing personal data. Our staff member will explain to the data subject whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences of not providing the personal data.
Objection to advertising emails
The use of contact details published as part of the statutorily required publication information to send advertising and information not explicitly requested is hereby expressly denied. The operators of this website expressly reserve the right to take legal action in the event of the unsolicited delivery of advertising material, for example by spam emails.
3. Data Protection Officer
Statutory Data Protection Officer
We have appointed a Data Protection Officer for our company.
Frau Lynn Peiffer
bpc GmbH
Einigkeitstraße 9
54133 Essen
Telephone: +49 (0) 201 890 881 14
E-Mail: lynn.peiffer@b-p-c.eu
Who is responsible for collecting data on this website?
Data on this website is processed by DSI Getränkearmaturen GmbH. You will find our contact details on this website’s imprint page.
What do we use your data for?
Some of the data is collected to ensure that the website works properly, to protect ourselves against cyber-attacks and, if necessary, to trace such attacks; and to collect statistical information about people who visit our website.
Ways of contacting us through the website
The law stipulates that our website must contain details that enable you to get in touch with our company quickly by electronic means, and which enable direct communication with us; this includes a general email address.
If as a data subject you wish to contact the controller by email or using a contact form on this website, then the personal data you give us will be automatically stored. This personal data which you provide us voluntarily as a data subject will be stored for the purposes of processing and being in contact.
This means that the data you provide in a contact form is processed exclusively on the basis of your consent (Art. 6 Par. 1 lit. a GDPR). You can revoke your consent at any time; an informal email to us will suffice. Revoking your consent does not render illegal any data processing done up to that point.
The data you enter in the contact form remains with us until you ask that it is deleted or revoke your consent for its storage, or until the purpose for which it is stored no longer applies (such as once your enquiry has been processed). This does not affect mandatory legal requirements, in particular statutory retention periods.
Data protection in applications and application processes
We collect and process personal data belonging to applicants for the purpose of handling their applications.
The data may be processed electronically. This is especially the case if an applicant submits application documents to the controller electronically, such as by email or using a Web form on the website. If an employment contract is concluded between DSI Getränkearmaturen GmbH and the applicant, then the data sent will be stored in compliance with legal regulations for the purpose of maintaining the employment relationship. If no employment contract is concluded between DSI Getränkearmaturen GmbH and the applicant, then the application documents will be automatically deleted two months after the application has been declined, unless other legitimate interests dictate that it should be kept. Other legitimate interests in this sense might for example include the duty to furnish proof in a lawsuit under the General Equal Treatment Act (AGG).
Cookies
Some of the pages of this website use cookies. Cookies neither damage your computer nor contain viruses. Cookies help us to make our website more user-friendly, effective and secure. Cookies are small text files stored on your computer by your browser.
Most of the cookies we use are ‘session cookies’, which are automatically deleted when you leave the website. Other cookies remain on your terminal device until you delete them. These cookies allow us to recognise your browser the next time you visit us.
You can set your browser so that you are told whenever cookies are received, and so that you can decide which ones to accept or whether instead to reject cookies in particular cases or in general; you can also set your browser to automatically delete cookies when you close it. If you deactivate cookies, then the features of this website may be limited.
Cookies needed to perform electronic communication processes and to provide particular features you require (such as a shopping basket) are stored on the basis of Art. 6 Par. 1 lit. f GDPR. The website operator has a legitimate interest in storing cookies so that it can provide its services free of technical faults and in optimised form. If other cookies are stored (such as cookies for analysing your surfing behaviour), these will be discussed separately in this Data Protection Policy.
Server log files
The provider of this website automatically collects and stores information in server log files which your browser automatically sends to us. This information is:
· Browser type and version
· Operating system used
· Referrer URL
· Host name of accessing computer
· Time of server request
· IP address
· Web pages and sub-pages opened
· Internet service provider
· Other similar data and information used to defend against threats in the event of cyber-attacks on our systems.
This data is not combined with any other data sources.
The data is processed on the basis of Art. 6 Par. 1 lit. f GDPR, which permits data to be processed in the fulfilment of a contract and precontractual activities.
SSL and TLS encryption
For security reasons and to protect the transmission of confidential content (such as orders and enquiries) which you send to us as the operator of the website, our site uses SSL and TLS encryption. You can see that a connection is encrypted because the address line of your browser will change from ‘http://’ to ‘https://’ and a padlock symbol will appear in the browser line.
When SSL or TLS encryption is activated, data you send to us cannot be read by anyone else.
Google Analytics (with anonymisation)
The websites use Google Analytics (with anonymisation). Google Analytics is a Web analysis service. Web analysis is the collection, retrieval and evaluation of data about the behaviour of people who visit websites. A Web analysis service includes data about the website from which a data subject arrives at another website (known as the referrer), the sub-pages of the website which are visited, and the frequency and duration for which sub-pages are viewed. Web analysis is used mainly to optimise websites and to perform cost-benefit analyses of Internet advertising.
The company that operates the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
We use the ‘_gat._anonymizeIp’ extension for Google Analytics Web analysis. This extension is used by Google to truncate and anonymise the IP address of the data subject’s Internet connection if our website is accessed from a Member State of the European Union or from other states that are signatories to the European Economic Area treaty.
The purpose of the Google Analytics component is to analyse visitor flows onto our website. Google uses the data and information it collects to evaluate the way our website is used and to generate online reports for us showing the activities on our website and to provide other services connected with the use of our website.
Google Analytics places cookies on the data subject’s IT system. We have already explained above what cookies are. By setting cookies, Google enables an analysis of the way our website is used. Every time a data subject visits one of the pages of this website, which is operated by the controller, and in which a Google Analytics component is integrated, the Internet browser on the data subject’s IT system is automatically instructed by the Google Analytics component to send data to Google for the purposes of online analysis. As part of this technical process, Google gets to know about personal data, such as the data subject’s IP address, which Google uses among other things to determine the origin of visitors and clicks and to calculate commissions accordingly.
Cookies are used to store personal information such as access times, the place from which the website was accessed and the frequency of visits to our website by the data subject. Every time a data subject visits our website, this personal data, including the IP address of the Internet connection used by the data subject, is sent to Google in the United States of America. Google stores this personal data in the United States of America. Google may give the personal data collected using this technical process to third parties.
The data subject can prevent the setting of cookies by our website at any time, as described above, by making the appropriate settings in their Internet browser, thus permanently disabling the placing of cookies. Making this setting in the Internet browser used also prevents Google from placing cookies on the data subject’s IT system. The Internet browser and other software can be used to delete cookies placed by Google Analytics at any time.
The data subject can contest and prevent the possibility of the collection of data generated by Google Analytics and relating to the use of this website, and the processing of that data by Google. To do this, the data subject has to download and install a browser add-on from the link https://tools.google.com/dlpage/gaoptout. This browser add-on uses JavaScript to tell Google Analytics that it may not send any data or information to Google Analytics about visits to the website. The installation of this browser add-on is interpreted by Google as a refusal. If the data subject’s IT system is subsequently deleted, formatted or re-installed, the data subject must re-install the browser add-on in order to deactivate Google Analytics. If the browser add-on is de-installed, or deactivated by the data subject or anyone else under their authority, then the browser add-on can be re-installed or re-activated.
Further information and Google’s latest data privacy policy are available at https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail at https://www.google.com/intl/de_de/analytics/.
Google Maps
This website uses the Google Maps service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
In order to use the features of Google Maps, your IP address will have to be stored. This information is usually sent to a server belonging to Google in the USA and stored there. The operator of this website has no influence over the sending of that data.
Google Maps is used in order to make our website look more attractive and to make it easy to locate the places detailed on our site. This constitutes a legitimate interest as defined in Art. 6 Par. 1 lit. f GDPR.
You will find more information about how user data is used in Google’s data protection policy: https://www.google.de/intl/de/policies/privacy/.
YouTube
This website uses plugins issued by YouTube, which is operated by Google. The operator of the YouTube site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.
If you visit one of our pages that carries the YouTube plugin, a connection will be established with the YouTube servers. The YouTube server will be told which of our pages you have visited.
If you are logged into your YouTube account, you will enable YouTube to ascribe your surfing behaviour directly to your personal profile. You can prevent this from happening by logging out of your YouTube account.
The use of YouTube is done in the interests of making our website more appealing. This constitutes a legitimate interest as defined in Art. 6 Par. 1 lit. f GDPR.
Further information about how user data is used is available in YouTube’s data protection policy at: https://www.google.de/intl/de/policies/privacy.
Google Web Fonts
In order to make screen fonts look uniform, this website uses Web Fonts which are provided by Google. When you open a page, your browser loads the Web Fonts it needs into your browser cache so that text and fonts display correctly.
For this purpose, the browser you use must connect to Google’s servers. This allows Google to know that our website was accessed from your IP address. The use of Google Web Fonts is done in the interests of making our website look uniform and appealing. This constitutes a legitimate interest as defined in Art. 6 Par. 1 lit. f GDPR.
If your browser does not support Web Fonts, then a standard font will be used by your computer.
Further information about Google Web Fonts is available at https://developers.google.com/fonts/faq and in Google’s data protection policy: https://www.google.com/policies/privacy/.
Amendments to our data protection rules
We reserve the right to amend this Data Protection Policy so that it remains compliant with the latest legal regulations, and so that we can incorporate changes to our services in the Data Protection Policy – such as when we introduce new services. The new Data Protection Policy will then apply when you next visit.