DATA PROTECTION POLICIES
Unless explicitly mentioned in the following provisions, these apply equally to all previously listed Hemro Group websites. Where reference is made below to “our website”/”the website,” this refers to the website you are currently visiting.
The provider of the websites listed above and the controller in terms of data protection law is
Hemro International AG
Authorized representatives of the Executive Board: Dr. Marcel Lehmann, Adrian Schürmann, Ziya Boro
Tel.: +41 44 864 18 00
1. Data processing to enable website usage
Every time you access content on our website, connection data is transferred to our web server. This connection data includes:
- the IP address (Internet Protocol address) of the respective users
- the date and time of the query
- the referrer URL
- device numbers such as your unique device identifier (UDID) and comparable device numbers, device information (e.g., device type)
- the browser type/version
This connection data is neither used to determine a user’s identity nor is it combined with data from other sources. Rather, it serves to make the website available. The legal basis for processing your data is Art. 6 (1) (1) (f) GDPR. After no more than seven days, the connection data is anonymized by truncating the IP address at the domain level.
2. Data processing on request
The use of our website is generally possible without providing personal data. You are neither obliged to visit this website nor to provide any personal data. If you do not provide us with the personal data listed below, you may not be able to use certain functions or services of this website. Other than that there will be no consequences for you.
We process your personal data when you use our following services:
2.1 Dealer area
Some of our websites provide you with the opportunity to register with us as a dealer and use the dealer area on our website. We will process your data for this purpose.
When using a password, please take appropriate security measures. For example, a password should contain a minimum of 8 characters and should always consist of a combination of upper- and lowercase letters, numbers, and special characters. Trivial words such as “ABC” or keyboard sequences (e.g., “qwert” or “asdfgh”), all kinds of names (e.g., of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are thus problematic.
Your personal data is processed based on Art. 6 (1) (1) (b) GDPR.
2.2 Employee login
If you are an employee of Hemro, the Hemro Group’s website provides you with the ability to access the dealer area and website administration and editing functions via the website’s login function. When you make changes on the website (e.g., edit content), we record the time when the changes are saved and the login used.
Login data must be kept strictly confidential. If a password has nevertheless been shared, for example, to enable third parties to access certain databases in an emergency, the password must be changed immediately. For your own protection, passwords that have already been used before may not be used again.
We also store your IP address and the time of access during the login process. This is necessary to ensure the security of our information technology systems.
We also set a session cookie each time you log in. This session cookie prevents automatic logout during active use of the account or related services. After the respective logout, the session cookie is automatically deleted within a few minutes.
Your personal data is processed for the purpose of the employment relationship and thus on the basis of Art. 88 GDPR in conjunction with the relevant national regulations (in German law, Section 26 (1) (1) of the German Data Protection Act [BDSG]). If special categories of personal data are involved, processing is based on Article 88 GDPR in conjunction with the relevant national regulations (in German law, Section 26 (3) of the German Data Protection Act [BDSG]).
2.3 Contact form
If you use the contact form we provide to contact us, your details will be stored so that they can be used to process your query. Provision of your email address is sufficient for us to contact you. The additional voluntary information about your person serves only to personalize the address for you.
The legal basis for processing your data is Art. 6 (1) (1) (f) GDPR. Our legitimate interest then lies in responding to your query.
In the event that (pre)contractual measures are implemented, the legal basis is Art. 6 (1) (1) (b) GDPR.
If you expressly consented to receiving our newsletter, information about company news, current events, and the latest coffee grinding product highlights will be sent regularly to the email address you provided. Provision of your email address is sufficient for us to send you the newsletter. The additional voluntary information about you is only used to personalize the newsletter for you.
In order to subscribe to our newsletter, we use the so-called double-opt-in procedure. This means that once you have subscribed, we will send you an email to the email address you provided, asking you to confirm that you want us to send you the newsletter. If you do not confirm your subscription within three months, your information will be automatically deleted.
The legal basis for the processing of data is based on your consent, based on Section 25 (1) (1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in end devices, as well as pursuant to Art. 6 (1) (1) (a) GDPR for the further processing of your data. You may withdraw your consent at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. A link is provided at the end of each newsletter for you to exercise your right to withdraw from the newsletter and tracking. Alternatively, you can also withdraw your consent at any time, for example, by sending an email to email@example.com.
Please note that Intuit Inc. is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. For further information regarding the legal basis for the transfer of data, please refer to Art. 49 GDPR for now. After EU standard data protection clauses have been implemented, this shall provide the legal basis for the transfer of data to third countries.
When you subscribe to a newsletter, we also store your IP address and the time of registration in order to fulfill our legal duty to document. The legal basis for data processing in this case is Art. 6 (1) (1) (c) GDPR.
Job vacancies to which you can apply by email are provided on the Hemro Group website.
We shall process the data you provide to us as part of your application for the purpose of deciding whether to establish an employment relationship. The legal basis for data processing is Art. 88 (1) GDPR in conjunction with the relevant national regulations (in German law, Section 26 (1) (1) of the German Data Protection Act [BDSG]). If special categories of personal data are involved, processing is based on Article 88 GDPR in conjunction with the relevant national regulations (in German law, Section 26 (3) of the German Data Protection Act [BDSG]). If you are sent a rejection or the application process is concluded, your data will be deleted within 90 days.
3. Data processing for a needs-oriented website design
In order to make your user experience of our website as pleasant as possible, we use so-called “web tracking systems.” Cookies are generally used for this purpose. These are small text files, which are sent from a web server to your browser and stored on your computer’s hard drive. This enables us to recognize the end device you are using when you access our website. We are thus able to determine, for example, whether you are logged in, have an active shopping cart, and what the contents of your shopping cart are. The session cookies deployed for using the shop are deleted at the end of the browser session. Other cookies remain on your end device and allow us to recognize your device on your next visit.
Most browsers are set to accept cookies by default. You can deactivate the storage of cookies in your browser and delete them from your hard drive at any time. However, you can also use your browser to prevent certain cookies (e.g., from third parties) from being set – to prevent web tracking, for example. Further information about your browser’s help function is available here.
Finally, we would like to point out that if cookies are deactivated, it may not be possible to use all functions of this website to their full extent. Please also note that deactivation may have to be carried out for each browser and each end device.
Details of the cookies used on the website can be found in the cookie banner and in the following terms and conditions. Unless otherwise stated in the following provisions in Section 3.1 ff., the legal basis for processing your data is Art. 6 (1) (1) (f) GDPR. Our legitimate interest lies in the needs-oriented design of the website.
3.1 Cookie consent with the cookie consent tool
In order to be able to manage your consent to the use of tracking tools, we use the cookie consent tool “GDPR Legal Cookie” from the provider beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz. In addition to the connection data, the granting or refusal of your consent or the withdrawal of consent is processed in this context. In order to be able to make the corresponding assignment, the cookie consent tool also sets a cookie in your browser. If you wish to undo these settings, simply delete the cookies in your browser (also see Section 3) or select the individual cookie via the cookie banner. For more information on data protection, please visit: https://gdpr-legal-cookie.com/pages/terms-conditions or click the link in the cookie banner.
In addition to the information in the cookie banner, please also note the following information in the Sections 3.2 ff.
Some of our websites use plug-ins from YouTube, which is operated by Google. If you visit one of our websites featuring a YouTube plug-in and actively click on the corresponding field, a connection to YouTube servers is established. Here the YouTube server is informed about which of our pages you have visited. If you’re logged in to your YouTube account, you allow YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.
The legal basis for the use of YouTube is based on your consent pursuant to Section 25 (1) (1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in end devices, as well as pursuant to Art. 6 (1) (1) (a) GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. If you nevertheless wish to consent to the use of this tool, you can select this via the cookie banner. After EU standard data protection clauses have been implemented, this shall provide the legal basis for the transfer of data to third countries.
3.3 Google Analytics
Our website uses the “Google Analytics” tracking tool. This is a service provided by Google Ireland Limited, a company registered and operated in accordance with Irish law, headquartered at Gordon House, 4 Barrow Street, Dublin, Ireland (“Google”). This tracking tool helps us to make our online offers more interesting for you and to improve the user experience. Data on the use of our website is stored in pseudonymized user profiles. Cookies can also be used for this purpose. Data from different devices, sessions, and interactions can additionally be linked to a user ID. This information is generally transferred to a Google server in the USA and stored there.
By default, Google already automatically anonymizes user IP addresses when collecting user data. Google also does not log or store the IP addresses. The truncating of IP addresses does not mean that data is processed entirely in anonymized form. Thus, when Google Analytics is used, usage data is collected that is to be evaluated as personal data, such as identification features of the individual users, which also allow a link to an existing Google account, for example.
On our behalf, Google will use this information to evaluate your usage of our website, to compile reports on website activity, and to provide other services related to website and Internet usage to us. The pseudonymized user profiles are not combined with personal data about the bearer of the pseudonym unless separate consent has been obtained for this.
For more information on Google Analytics, see: https://support.google.com/analytics/answer/12017362
Please note that Google also has independent access to your data collected via Google Analytics and may also use this data for its own purposes. Google may, for example, link this data to other information about you, such as search history, personal account, usage data from other devices, and all other data that Google has about you.
The legal basis for the use of Google Analytics is based on your consent pursuant to Section 25 (1) (1) of the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in end devices, as well as pursuant to Art. 6 (1) (1) (a) GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. The new EU standard data protection clauses were agreed as appropriate safeguards to ensure an adequate level of protection for the transfer of data.
3.4 Google Tag Manager
We use Google Tag Manager. This Google service allows website tags to be managed via an interface. Google Tag Manager only implements tags, however. This means that no cookies are set and no personal data is recorded. Google Tag Manager may instead trigger tags, which may record data. Google Tag Manager, however, does not access this data. The data is evaluated exclusively in the respective tool (for more details, see the aforementioned explanations in Section 3).
4. Social media presences
4.1 Links to social networks
Our website may contain links to social networks (Facebook, Twitter, Instagram, and YouTube). These websites are operated exclusively by third parties. If you click the links, the respective provider may process your personal data. Please refer to the providers’ privacy policies for further information in this regard.
4.2 Data processing by Hemro and legal basis
Our social media presences (Facebook, Twitter, LinkedIn, Instagram, and YouTube) are intended to provide you with information about Hemro as well as about our new developments, services, and products. Depending on the respective provider’s offer, you have the option to interact in different ways (comments, recommendations, etc.), for example, in connection with our social media presence. The interaction of users is an important criterion for us in order to carry out targeted marketing. For example, we can determine which posts users prefer to read. We therefore also use the statistics determined by the providers in this regard for our own purposes. If we process the users’ personal data, the legal basis for this is Art. 6 (1) (1) (f) GDPR. Our legitimate interest thus lies in particular in targeted information/advertising. The providers will inform you separately about the legal basis on which they process your data for their own purposes.
4.3 Joint responsibility
In individual cases, we may share responsibility for the processing of your personal data with social media providers. In this case, you may assert your rights both against us and against the social media provider (see Section 9). However, the first point of contact is always the social media provider.
We have concluded an agreement with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook or Meta) on joint responsibility for the processing of personal data. This applies to the processing of so-called “insights data” – page statistics, in particular on the interactions of Facebook users. Further information on page insights is available here: https://www.facebook.com/business/pages/manage#page_insights. You can view our agreement with Google by clicking the following link: https://www.facebook.com/legal/controller_addendum
In relation to “page insights,” we have also concluded an agreement with LinkedIn Ireland on joint responsibility. With Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to your aggregated data. It is not possible for us to draw conclusions about individual users by means of page insights information. Detailed information about page insights and our agreement with LinkedIn Ireland can be viewed by clicking the following link: https://legal.linkedin.com/pages-joint-controller-addendum.
Please note that social media providers also process your data outside the EU/EEA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes.
5. Data transfer
We will only transfer personal data to third parties or other recipients if this is necessary for the provision of services, if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. Where necessary, we have concluded data processing agreements with the recipients of your data in accordance with Art. 28 GDPR.
6. Data transfer to countries outside the EU
Insofar as necessary for our purposes, we will only transfer personal data to recipients outside the EU if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. Your data will also be transferred to recipients based in the USA within the scope of processing data. Please note: According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. For further information regarding the legal basis for the transfer of data, please refer to Art. 49 GDPR for now. An appropriate level of data protection will be ensured in the future by concluding the new so-called EU standard contractual clauses.
7. Storage period for personal data/criteria for determining the storage period
We will store your personal data for as long as this is necessary for the aforementioned processing purposes or in case of an objection that no compelling reasons worthy of protection exist for Hemro or in case of a withdrawal of consent if no other legal basis for data processing exists. In certain cases (e.g., if there is a legal obligation to store data), your personal data will not be deleted immediately, but rather blocked initially. For example, the storage period for messages sent via the contact form with business-related content can be ten years.
8. Security measures to protect your personal data
We use technical and organisational measures to protect your data from unauthorized access, loss, or destruction. Our security measures are continuously adapted in line with technical developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to treat personal data confidentially. Our employees are trained accordingly.
To protect your personal data on this website, we use a secure online transmission procedure known as “Secure Socket Layer” (SSL) transmission. This can be recognized by the closed lock symbol displayed on the https:// address. Click on this symbol for details of the SSL certificate used. Display of this symbol depends on the browser version used. SSL encryption guarantees the encrypted and complete transmission of your data.
9. Your rights
Within the framework of the legal requirements, you are in principle entitled to request from Hemro:
- confirmation of whether Hemro is processing your personal data
- information about this data and the circumstances of processing
- correction if this data is incorrect
- deletion if there is no justification for processing and no obligation to store your personal data (any longer)
- restriction of processing in certain cases specified by law
- objection in case of data processing based on Art. 6 (1) (1) (f) GDPR
- transfer of your personal data – insofar as you have provided it – to you or a third party in a structured, common and machine-readable format
If you have given your consent to the processing of your personal data, you have the right to withdraw your consent again at any time. Processing of your personal data will then not be allowed in the future. However, this will not affect the lawfulness of the processing carried out with your consent before you withdrew your consent.
Please address your specific request to our data protection officer in writing or via email, clearly identifying your person:
Data Protection Officer
Rotating track 7
Insofar as we use your data in joint responsibility with third parties in the sense of Art. 26 GDPR, the third party is primarily responsible for the exercise of all data subject rights. However, you are also free to assert your rights against us.
Finally, we would like to draw your attention to your right to lodge a complaint with a supervisory authority.
10. No automated individual decisions
We do not use your personal data to make automated individual decisions.