Information for customers and interested parties pursuant to Art. 13 and Art. 14 of the General Data Protection Regulation (GDPR)
With the following information, we would like to give you an overview of the processing of your personal data by us and your rights in this regard. Which data is processed in detail and how it is used depends largely on the services requested or agreed in each case. Therefore, not all parts of this information will apply to you.
In addition, this privacy information may be updated from time to time.
Who is responsible for data processing and whom can I contact?
The controller within the meaning of the GDPR is:
HIMA Paul Hildebrandt GmbH
Phone: +49 (0) 6202 / 709-0
You can contact our external data protection officer at:
Data Protection Officer of HIMA Paul Hildebrandt GmbH
c/o activeMind AG
Management- und Technologieberatung
Phone: +49 (0) 30 / 770 19 10 70
E-mail: datenschutz(at)hima.com, privacy(at)hima.com, or, to reach only the Data Protection Officer, datenschutzbeauftragter(at)hima.com
We process your data for the following purposes and on the following legal basis:
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act ([Bundesdatenschutzgesetz] BDSG):
In the context of consent (Art. 6 (1)(a) GDPR)
Insofar as you have given us consent to process your personal data, processing will only take place in accordance with the purposes specified in the consent and to the extent agreed therein. You can revoke your consent at any time with effect for the future. This also applies to the revocation of declarations of consent given to us prior to the application of the GDPR, i.e. prior to 25 May 2018. The revocation of consent only takes effect for the future and does not affect the lawfulness of processing carried out before the revocation.
Examples of such cases are:
- Registration form for requesting valuable information/white papers
- Registration form Smart Safety Update
- Extranet registration form
- Direct advertising of our own products and/or services (e.g. in the form of regular e-mail newsletters)
For the fulfilment of contractual obligations (Art. 6 (1)(b) GDPR)
Data is processed:
- to carry out pre-contractual measures (e.g. preparation of offers, product presentation)
- for the performance of our contract [insert exact name of contract if applicable]
- for the provision of ancillary contractual services (e.g. warranty notifications or retrieval by manufacturer or sub-manufacturer)
Due to legal requirements (Art. 6 (1)(c) GDPR)
We are subject to various legal obligations that entail data processing. These include, for example:
- Control, reporting and retention obligations under tax law
- Obligations under the German Money Laundering Act [Geldwäschegesetz]
- The fulfilment of requests and requirements from supervisory authorities, law enforcement agencies or courts of law
- Embargo and sanctions list checks
Within our legitimate interest (Art. 6 (1)(f) GDPR)
Where necessary, we process your data beyond the actual performance of the contract to protect our legitimate interests or those of third parties.
Examples of such cases are:
- Direct advertising of our own products and/or services (e.g. in the form of regular email newsletters)
- Measures for building and facility security (e.g. operation of video cameras, access controls, locking systems)
- The assertion of legal claims and defense in legal disputes
- The processing of your data in our CRM system
Who gets your data?
Employees of HIMA Paul Hildebrandt GmbH and the European Group companies, insofar as this is necessary for contacting you and for the fulfilment of our contractual and legal obligations (including the fulfilment of pre-contractual measures).
Within the framework of processing orders (internal recipients)
Your data may be passed on to service providers who act as processors for us. These may be other group companies and/or external service providers from the following areas:
- Support or maintenance of EDP or IT applications
- Data destruction
- Marketing agencies
All processors are contractually bound and in particular obliged to treat your data confidentially.
Other recipients (third parties)
Data is only passed on to recipients outside our company in compliance with the applicable data protection regulations. Recipients of personal data can be, e.g.:
- Public bodies and institutions (e.g. financial or law enforcement authorities) in the case of a legal or official obligation
- Credit and financial service providers (processing of payment transactions)
- Tax advisors, or business, payroll tax and tax auditors (statutory audit mandate)
- External data protection officer
- Service providers
All service providers are contractually bound and in particular obliged to treat your data confidentially.
Is data transferred to a third country or to an international organisation?
Data is transferred to bodies in countries outside the European Economic Area (so-called third countries) insofar as
- it is required by law (e.g. reporting obligations under tax law),
- you have given us your consent or
- we have concluded a data processing agreement with our service provider. In this case, your data will only be transmitted if either
  - the European Commission has decided that an adequate level of protection exists in the third country (Art. 45 GDPR) or
  - appropriate guarantees are in place (standard contractual clauses issued by the EU Commission).
We have also contractually agreed with our service providers that data protection guarantees in compliance with the European level of data protection must always be in place with their contractual partners as well. We will provide you with a copy of these guarantees upon request.
How long will your data be stored?
We process and store your personal data as long as this is necessary for the fulfilment of our contractual and legal obligations. If the data is no longer required for the fulfilment of contractual or legal obligations, it is regularly deleted.
The following exceptions apply:
- insofar as statutory retention obligations must be fulfilled, e.g. under the German Commercial Code ([Handelsgesetzbuch] HGB) and the German Fiscal Code ([Abgabenordnung] AO). The periods specified there for retention or documentation are generally six to ten years;
- to preserve evidence within the framework of the statutory limitation provisions. According to §§ 195 ff. of the German Civil Code ([Bürgerliches Gesetzbuch] BGB), these limitation periods can be up to 30 years, with the regular limitation period being 3 years.
If the data processing is carried out in our legitimate interest or that of a third party, the personal data will be deleted as soon as this interest no longer exists. The exceptions mentioned above apply.
What data protection rights do you have?
You have the right to information under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR and the right to data portability under Article 20 of the GDPR.
Restrictions may apply to the right to information and the right to erasure in accordance with §§ 34 and 35 BDSG.
In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG). A list of the supervisory authorities (for the non-public sector) with contact details can be found at (the link provides a list in German):
Is there an obligation for me to provide data?
Within the framework of the contractual relationship, you must provide the personal data that is necessary for the commencement, implementation and termination of the contractual relationship and for the fulfilment of the associated contractual obligations, or that we are legally obliged to collect. Without this data, we will generally not be able to conclude the contract with you or execute it.
Information on your right to object in accordance with Article 21 of the General Data Protection Regulation (GDPR)
Right to object on a case-by-case basis
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(f) GDPR (data processing based on our legitimate interest).
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Recipient of an objection
If you wish to exercise your right of objection, simply send an e-mail to: privacy(at)hima.com