I. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data-protection laws of the Member States as well as other data-protection regulations is:
C.A. Warren GmbH
Tel.: +49 201 84 201 20
Fax: +49 201 84 201 10
II. Name and address of the data protection officer
The controller's data protection officer is:
Tel.: +49 201 530091
III. General information about data processing
1. Scope of processing of personal data
Fundamentally, we process our users' personal data only to the extent necessary to provide a functioning website and required by our content and services. The regular processing of users' personal data takes place only with the consent of the user. An exception applies to cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) provides the legal basis.
In the case of the processing of personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR provides the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
Insofar as the processing of personal data is required to fulfil a legal obligation of our company, Article 6(1)(c) GDPR provides the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR provide the legal basis.
If processing is necessary to safeguard the legitimate interests of our company or a third party, and if the interests, fundamental rights and freedoms of the data subject do not prevail over the first interest, Article 6(1)(f) GDPR provide the legal basis for processing.
3. Data erasure and storage duration
The personal data of the data subject will be deleted or locked as soon as the purpose of the storage no longer applies. In addition, such storage may occur if provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Locking or deletion of the data also occur when a storage period prescribed by the specified standards expires, unless there is a need for further storage of the data for conclusion or fulfilment of a contract.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the client computer.
- The following data are collected in this situation:
- Information about the user's browser software
- The user's operating system, however limited to
- the user's Internet service provider, but not
- the user's public IP address (unabbreviated)
- date and time of access
- websites that are accessed by the user's system through our website
The data are also stored in our system's log files. These data are not stored together with other personal data of the user.
2. Legal basis for the data processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to allow delivery of the website to the user's computer. To do this, the user's IP address must be stored for the duration of the session.
Storage in log files is performed to ensure the functionality of the website. In addition, the data are used to optimise the website and to ensure the security of our IT systems. An evaluation of the data for marketing purposes does not take place in this context.
For these purposes, we have a legitimate interest in the processing of data according to Article 6(1)(f) GDPR.
4. Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purposes of their collection. In the case of collecting data in order to provide the website, this is the case when the respective session ends.
The current configuration of the hosting web server writes sequentially to the current log file until it reaches 10 MB in size. As soon as the limit of 10 MB is reached, the log file is archived and a new one is started. The last 10 archived log files are always kept.
5. Right to object and to erasure
The collection of data for the provision of the website and the storage of the data in log files is essential for the operation of the website. The user consequently has no right to object.
a) Description and scope of data processing
In this way, the following data can be transmitted:
- Entered search terms
b) Legal basis for data processing
The legal basis for the processing of personal data using cookies is Article 6(1)(f) GDPR.
c) Purpose of data processing
We require cookies for the following applications:
- Google Maps (and route planning if applicable)
The user data collected via technically-required cookies are not used to create user profiles.
The use of the analytics cookies is for the purpose of improving the quality of our website and its contents. Via the analytics cookies, we learn how the website is used and can thus constantly optimise our services.
It records the monthly number of visitors to our website and the number of requests for directions to us.
For these purposes, our legitimate interest in the processing of personal data is provided for by Article 6(1)(f) GDPR.
e) Duration of storage, rights to object and to erasure
VI. Contact form and email contact
1. Description and scope of data processing
It is possible to contact us via the provided email address. In this case, the user's personal data transmitted with the email are stored.
In this context, no data are disclosed to third parties. The data are used exclusively for carrying out the conversation.
2. Legal basis for data processing
The legal basis for the processing of data in the presence of user consent of the user is Article 6(1)(a) GDPR.
The legal basis for the processing of the data transmitted in the course of sending an email is Article 6(1)(f) GDPR. If the email contact aims to conclude a contract, then an additional legal basis for the processing is Article 6(1)(b) GDPR.
3. Purpose of data processing
We only process personal data from the input form for contact purposes. In the case of contact via email, this also provides the required legitimate interest in the processing of the data.
The other personal data processed during the sending procedure serve to prevent abuse of the contact form and to ensure the security of our IT systems.
4. Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purposes of their collection. With regard to the personal data submitted via the contact form and those sent by email, this is the case when the conversation with the respective user has concluded. The conversation is ended when it can be inferred from the circumstances that the relevant situation has been conclusively clarified.
The additional personal data collected during the sending process are deleted at the latest after a period of seven days.
5. Right to object and to erasure
Users have the right to revoke their consent to the processing of their personal data at any time. If the user contacts us by email, he or she may thus object to the storage of his/her personal data at any time. In this case, the conversation cannot continue.
All personal data stored in the course of the contact will be deleted in this case.
VII. Rights of the affected person
If your personal data are processed, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. Right of access
You may require the controller to confirm if personal data concerning you are processed by us.
If such processing is occurring, you can request the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
- the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
- the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- all available information on the source of the data if the personal data are not collected from the data subject;
- the existence of automated decision-making including profiling under Articles 22 (1) and (4) GDPR and—at least in these cases—meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject.
You have the right to request information about whether your personal information is transmitted to a third country or an international organisation. In this regard, you may demand to be informed of the appropriate guarantees under Article 46 GDPR in connection with the transfer.
2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if your personal data being processed are incorrect or incomplete. The controller must make the correction without delay.
3. Right to restriction of processing
You may request the restriction of the processing of your personal data under the following conditions:
- If you contest the accuracy of your personal information for a period that enables the controller to verify the accuracy of your personal information;
- the processing is unlawful and you reject the erasure of your personal data and instead request the restriction of the use of your personal data;
- the controller no longer requires the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
- if you objected to the processing pursuant to Article 21(1) GDPR and it is not yet certain whether the legitimate reasons of the controller prevail over your reasons.
If the processing of your personal data has been restricted, these data—besides their storage—may only be used with your consent or for the purpose of asserting, exercising or defending legal claims; or protecting the rights of another natural or legal person; or for reasons of important public interest of the Union or a Member State.
If the restriction of processing has been limited in accordance with the above conditions, the controller will inform you before the restriction is lifted.
4. Right to deletion
a) Duty to delete
You may require the controller to delete your personal information without delay, and the controller is required to delete that information immediately if one of the following is true:
- Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke your consent to the processing in accordance with Article 6(1)(a) or Article 9(2)(a) GDPR and there is no other legal basis for processing.
- You object to the processing under Article 21(1) GDPR and there are no overriding justifiable reasons for the processing, or you object to the processing under Article 21(2) GDPR.
- Your personal data have been unlawfully processed.
- The erasure of your personal data is required to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
- Your personal data were collected in relation to information-society services offered pursuant to Article 8(1) GDPR.
b) Information to third parties
If the controller has made your personal data public and is obligated to erase them under Article 17(1) GDPR, the controller shall take measures—also of a technical nature—that are appropriate, under consideration of the available technology and implementation costs, to inform data controllers processing the personal data that you as the data subject have required the deletion of copies or replications of your personal data and all links to them.
The right to erasure does not exist if the processing is necessary
- to exercise the right to freedom of expression and information;
- to fulfil a legal obligation required by the law of the Union or of the Member States to which the controller is subject; or to carry out a task in the public interest; or in the exercise of official authority conferred to the controller;
- for reasons of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) GDPR;
- for archival, scientific or historical research or for statistical purposes of public interest under Article 89(1) GDPR, to the extent that the law referred to in point (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
- to assert, exercise or defend legal claims.
5. Right to notification
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, he/she is obligated to notify all recipients to whom your personal data have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.
You have a right vis-à-vis the controller to be informed about these recipients.
6. Right to data portability
You have the right to receive personal information you provide to the controller in a structured, commonly-used and machine-readable format. In addition, you have the right to transfer this data to another controller without hindrance by the controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to Article 6(1)(a) GDPR or point (a) of Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b); and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.
You have the option, in the context of the use of information-society services—Directive 2002/58/EC notwithstanding—to exercise your right to object by automated means using technical specifications.
8. Right to revoke the data-protection declaration of consent
You have the right to revoke your data-protection declaration of consent at any time. The revocation of consent does not affect the legality of processing carried out on the basis of the consent before the revocation.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and the controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to uphold the rights and freedoms and their legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his/her own position and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or the place of alleged infringement, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.