Data privacy policy

This Data Privacy Policy clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as "Data") within our online offering and the related websites, features and content, as well as external online presence, e.g. our social media profiles (hereinafter referred to as "online offer"). With regard to the terminology used, e.g. "personal data" or their "processing", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Responsibility:

Kallfass GmbH - Maschinen plus Automation

Röter Straße 44
D-72270 Klosterreichenbach

Phone: +49 74 42 / 84 46 - 0
Fax: +49 74 42 / 84 46 - 50
E-Mail: info@kallfass-online.com

Managing Director:
Dipl.-Ing. Ernst Kallfass
Volker Kallfass
Hans Haist

Register entry:
Amtsgericht Stendal 104356

Data protection officer:

Contact details of the data protection officer
The company's data protection officer is available at the above-mentioned corporate address and at datenschutz@kallfass-online.com.

Types of processed data:
  • ☒ Inventory data (e.g., names, addresses, only in the case of visitors contacting the website).
  • ☒ Contact details (e.g., e-mail, phone numbers, only in the case of visitors contacting the website).
  • ☐ Content data (e.g., text input, photographs, videos).
  • ☐ Contract data (e.g., contract objective, term, customer category).
  • ☐ Payment data (e.g., bank details, payment history).
  • ☒ Usage data (e.g., visited web pages, interest in content, access times).
  • ☒ Meta/communication data (e.g., device information, IP addresses).
Processing of special categories of data (Article 9, (1) of the GDPR):
  • ☒ Special categories of data are not processed.
  • ☐ Particular categories of data are not processed unless they are sent by the users for processing purposes, e.g. entered in online forms.
  • ☐ The following special categories of data are processed:
Categories of persons who are affected by the processing:
  • ☒ Customers / interested persons / suppliers.
  • ☐ Visitors and users of the online offer.

Issue: May 24, 2018

1. Relevant legal basis

In accordance with Art. 13 GDPR, we herewith inform you about the legal basis of our data processing policy. Unless the legal basis is stated in the data privacy policy, the following rules shall be applicable: The legal basis for obtaining consent is Article 6 (1) lit. a and Art. 7 of the GDPR. The legal basis for the processing for the performance of our services and the execution of contractual measures as well as the response to inquiries is Art. 6 (1) lit. b GDPR. The legal basis for processing in order to fulfill our legal obligations is Art. 6 (1) lit. c GDPR, and the legal basis for processing in order to safeguard our legitimate interests is Article 6 (1) lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR shall serve as legal basis.

2. Changes and updates to the data privacy policy

We kindly ask you to inform yourself regularly about the content of our data privacy policy. We will adjust the data privacy policy as soon as changes to the data processing we carry out require such adjustments. We will notify you as soon as the changes require your participation (e.g. consent) or other individual notification.

3. Safety measures

3.1. We take appropriate technical and organisational measures in accordance with Art. 32 GDPR, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk. Measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as their access, input, disclosure, availability and separation. Furthermore, we have set up procedures to ensure the exercise of data subject rights, data deletion and the response to data vulnerability. Moreover, we consider the protection of personal data already in the development or selection of hardware, software and procedures, according to the principle of data protection by technology design and by privacy-friendly default settings (Article 25 GDPR).

3.2. One of the security measures is the encrypted transfer of data between your browser and our server.

4. Collaboration with persons processing orders and third parties

4.1. If, in the context of our processing, we disclose data to other persons and companies (persons processing orders or third parties), transmit them to them or otherwise grant access to the data, this will only be done on the basis of a legal permission (e.g. if a transmission of the data to third parties, as required by payment service providers, is necessary pursuant to Art. 6 (1) (b) GDPR to fulfill the contract), if you have consented, on the basis of a legal obligation or on the basis of our legitimate interests (e.g. the use of agents, the host of the web, etc.).

4.2. If we commission third parties to process data on the basis of what is referred to as a "contract processing contract", this is done on the basis of Art. 28 GDPR.

5. Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or in the context of the use of third party services or disclosure, or transmission of data to third parties, this will only be done if it is to fulfill our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only in the presence of the special conditions of Art. 44 et seq. GDPR. That is to say, the processing takes place, for example, on the basis of specific guarantees, such as the officially recognised level of data protection (e.g. for the US through the “Privacy Shield”) or in compliance with officially recognised special contractual obligations (what is referred to as "standard contractual clauses").

6. Rights of affected persons

6.1. You have the right to ask for confirmation as to whether the data in question is being processed and for information about this data as well as for further information and a copy of the data in accordance with Art. 15 GDPR.

6.2. According to Art. 16 GDPR you have the right to demand the completion of the data concerning you or the correction of the incorrect data concerning you.

6.3. In accordance with Art. 17 GDPR, you have the right to demand that the relevant data be deleted without delay, or, alternatively, to require a restriction of the processing of data in accordance with Art. 18 GDPR.

6.4. You have the right to receive the data relating to you, which you have provided to us, in accordance with Art. 20 GDPR and to request their transmission to other persons responsible.

6.5. According to Art. 77 GDPR you also have the right to file a complaint with the responsible supervisory authority.

7. Right of rescission

You have the right to withdraw previously granted consent with effect for the future in accordance with Art. 7 para. 3 GDPR.

8. Right of objection

You can object to the future processing of your data in accordance with Art. 21 GDPR at any time. In particular, the objection may be made against processing for direct marketing purposes.

9. Cookies and the right of objection

We set temporary and permanent cookies, that is to say, small files that are stored on users' devices (for the explanation of the term and function, see last section of this Data Privacy Policy). In part, these cookies are used for security reasons or to operate our online offer (for example, for the presentation of the website) or to save the user's decision when confirming the cookie banner. In addition, we or our technology partners use cookies for audience measurements and marketing purposes, about which users are informed in the course of the data privacy policy.

A general objection to the use of cookies for online marketing purposes can be declared for a variety of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by switching them off in the settings of the browser. Please note that in this case not all features of this online offer may be used.


10. Deleting data

10.1. The data processed by us are deleted or limited in their processing in accordance with Articles 17 and 18 GDPR. Unless explicitly stated in this data privacy policy, the data stored with us are deleted as soon as they are no longer required for their purpose and the deletion does not conflict with any statutory storage requirements. If the data is not deleted because it is required for other and legitimate purposes, its processing will be restricted. That is to say, the data is blocked and not processed for other purposes. For example, this applies to data that must be kept for commercial or tax reasons.

10.2. Germany: According to legal requirements, the data are stored for 6 years in accordance with § 257 paragraph 1 HGB (trading books, inventories, opening balance sheets, annual accounts, trade letters, accounting documents, etc.) and for 10 years in accordance with § 147 paragraph 1 AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).

11. Contact

11.1. When contacting us (via contact form or e-mail), the information provided by the user is used in order to process the contact request and its handling acc. to Art. 6 para. 1 lit. b) GDPR.

11.2. The user information can be stored in our Customer Relationship Management System (“CRM System”) or a similar system for organising requests.

12. Collection of access data and log files

12.1. Based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR, we collect data on every access made to the server on which this service is located (referred to as “server log files”). The access data includes the name of the retrieved web site, file, date and time of retrieval, amount of data transferred, message about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

12.2. Log file information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of seven days and then deleted. Data for which further retention is required for evidential purposes shall be exempted from deletion until final clarification of the incident.

13. Online presence in social media

13.1. Based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f GDPR, we maintain online presence within social networks and platforms in order to communicate with the active customers, prospects and users, and to inform the users about our services. When invoking the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.

13.2. Unless otherwise stated in our Data Privacy Policy, we process users' data as long as they communicate with us within social networks and platforms, e.g. write posts on our online presence or send us messages.

14. Cookies & audience measurement

14.1. Cookies are information transmitted from our web server or third-party web servers to users' web browsers and stored there for future retrieval. Cookies can be small files or other types of information storage.

14.2. Users are informed about the use of cookies in the context of pseudonymous audience measurement in this data privacy policy.

14.3. If users do not want cookies stored on their computer, they are asked to disable the corresponding option in their browser's system settings. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

14.4. You may opt out from the use of cookies used for audience measurement and promotional purposes through the opt-out page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

Newsletter

If you register for our free newsletter, the data requested from you for this purpose, i.e. your email address and, optionally, your name and address, will be sent to us. We also store the IP address of your computer and the date and time of your registration. During the registration process, we will obtain your consent to receive this newsletter and the type of content it will offer, with reference made to this privacy policy. The data collected will be used exclusively to send the newsletter and will not be passed on to third parties.

The legal basis for this is Art. 6 Para. 1 lit. a) GDPR.

You may revoke your prior consent to receive this newsletter under Art. 7 Para. 3 GDPR with future effect. All you have to do is inform us that you are revoking your consent or click on the unsubscribe link contained in each newsletter.

Google Analytics / Google Tag Manager

We use Google Analytics on our website. This is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google).

The Google Analytics service is used to analyze how our website is used. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis, optimization, and economic operation of our site.

Usage and user-related information, such as IP address, place, time, or frequency of your visits to our website will be transmitted to a Google server in the United States and stored there. However, we use Google Analytics with the so-called anonymization function, whereby Google truncates the IP address within the EU or the EEA before it is transmitted to the US.

The data collected in this way is in turn used by Google to provide us with an evaluation of visits to our website and what visitors do once there. This data can also be used to provide other services related to the use of our website and of the internet in general.

Google states that it will not connect your IP address to other data. In addition, Google provides further information with regard to its data protection practices at https://www.google.com/intl/de/policies/privacy/partners, including options you can exercise to prevent such use of your data.

In addition, Google offers an opt-out add-on at https://tools.google.com/dlpage/gaoptout?hl=en together with further information. This add-on can be installed on the most popular browsers and offers you further control over the data that Google collects when you visit our website. The add-on informs Google Analytics' JavaScript (ga.js) that no information about the website visit should be transmitted to Google Analytics. However, this does not prevent information from being transmitted to us or to other web analytics services we may use as detailed herein.

Data privacy policy

I Introduction

We are pleased that you are visiting our website. We respect your privacy. Data protection and data security when using our website are very important to us. With this privacy policy, we would like to inform you about the extent to which data is collected when you use our website and the purposes for which we use this data. We would also like to inform you about your rights in this regard.

II General information

Below we provide information in accordance with Art. 13 GDPR on the collection of personal data when using our website. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour.

The controller pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is
Kallfass GmbH Maschinen plus Automation, Röter Straße 44, 72270 Baiersbronn, Germany, e-mail: info@kallfass-online.com

https://www.kallfass-online.com/impressum/.

You can reach our data protection officer at

Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Alexander Bugl, Eifelstraße 55, 93057 Regensburg, Germany, e-mail: kontakt@buglundkollegen.de

III Contact

a. Nature and purpose of the processing

The data you enter in the contact form will be stored for the purpose of personalised communication with you. This requires a valid e-mail address and your name. This serves to allocate the enquiry and subsequently answer it. The specification of further data is optional.

If you also contact us by e-mail or telephone, we will process the contact details you provide in order to respond to your enquiry.

b. Legal basis of the processing

Your personal data is processed on the basis of a legitimate interest (Art. 6 para. 1 lit. f GDPR). By providing the contact form, we would like to make it easy for you to contact us. The information you provide will be stored for the purpose of processing your enquiry and for possible follow-up questions. If you contact us to enquire about an offer, the data provided will be processed to carry out pre-contractual measures (Art. 6 para. 1 lit. b GDPR).

c. Data categories

Company, name, e-mail, telephone, your message

d. Recipient

The recipients of the data are internal employees of Kallfass GmbH and, if applicable, processors.

e. Storage periods

Data will be deleted no later than 6 months after the enquiry has been processed. If there is a contractual relationship, we are subject to the statutory retention periods according to the German Commercial Code (HGB) and delete your data after these periods have expired.

f. Legal/contractual requirement

The provision of your personal data is voluntary. However, we can only process your enquiry if you provide us with your name, e-mail address and the reason for the enquiry.

g. Third country transfer

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Possibility of objection

You have the right to object to the processing of your personal data at any time. You can inform us of your objection at any time via the contact option given at the beginning of this data protection notice.

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

IV Your rights

If your personal data as a user is processed, you are considered a data subject in accordance with the GDPR. Data subjects have the following rights vis-à-vis the controller:

  • Right to information (Art. 15 GDPR)
  • Right to rectification or erasure of personal data (Art. 16, 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to notification in connection with the rectification or erasure of your personal data or the restriction of processing (Art. 19 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to revoke declarations of consent. The legality of the data processing carried out until the revocation remains unaffected on the basis of the previously valid consent. (Art. 7 para. 3 GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Contact options for the supervisory authorities of the individual countries

V Hosting

The hosting services we use (services for the operation and provision of the website) serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services and technical maintenance services that we use for the purpose of operating this online offering.

In doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offer on the basis of our legitimate interests in the efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of order processing contract).

VI Accessing the website

If you use the website purely for information purposes, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:

  • IP address
  • Date and time of the enquiry
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • amount of data transferred in each case
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

We may also use another service provider in order to be able to display the privacy policy. An embedding code is used to transmit your IP address to the aforementioned service provider (preeco GmbH).

We process your data on the basis of our legitimate interest for a limited period of time in order to initiate a derivation of personal data in the event of unauthorised access or attempted access to local servers and in order to be able to display the data protection declaration properly and to be able to load our fonts from our own server (Art. 6 para. 1 lit. f GDPR).

VII Use of cookies

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive assigned to the browser you are using and through which certain information flows to the place that sets the cookie (here by us). They serve to make the website more user-friendly and effective overall.

We distinguish between two categories of cookies: (a) essential cookies, without which the functionality of our website would be limited and (b) optional cookies for website analysis and marketing purposes.

The use of optional cookies is based on your consent (Art. 6 para. 1 lit. a GDPR).

We describe the optional cookies used on this website in detail in our cookie banner.

VIII Google Analytics

a. Nature and purpose of the processing

This website uses Google Analytics, a web analytics service provided by Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland. Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymisation on these websites, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The purposes of data processing are to analyse the use of the website and to compile reports on activities on the website. Based on the use of the website and the Internet, further associated services will then be provided.

b. Legal basis of the processing

The data entered is processed on the basis of the user's consent (Art. 6 para. 1 lit. a GDPR).

c. Data categories

  • IP address (shortened/anonymised)
  • Device-related data

d. Recipient

  • Employees of the IT and marketing department of your own company
  • Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland

e. Storage periods

Data will only be processed in this context as long as the corresponding consent has been given. They will then be deleted, provided there are no statutory retention obligations to the contrary. To contact us in this context, please use the contact details provided at the beginning of this privacy policy.

f. Legal/contractual requirement

The provision of your personal data is voluntary, solely on the basis of your consent. If you prevent access, this may result in functional restrictions on the website.

g. Third country transfer

Processing outside the European Union (EU) or the European Economic Area (EEA) cannot be ruled out.

h. Revocation of consent

You can revoke your consent to the storage of your personal data at any time with effect for the future.

You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website. You can also prevent the collection by Google of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing the available browser plug-in: “Browser add-on to deactivate Google Analytics”.

i. Automated decision-making and profiling

With the help of the Google Analytics tracking tool, the behaviour of visitors to the website can be evaluated and their interests analysed. We create a pseudonymised user profile for this purpose.

IX Google Tag Manager

a. Nature and purpose of the processing

Use of the Google Tag Manager: Google Tag Manager is a solution that allows marketers to manage website tags via a single interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

b. Legal basis of the processing

The data entered is processed on the basis of the user's consent (Art. 6 para. 1 lit. a GDPR).

c. Data categories

IP address, device-related data

d. Recipient

The recipients of the data are internal employees of Kallfass GmbH and Google as the processor.

e. Storage periods

Data will only be processed in this context as long as the corresponding consent has been given. They will then be deleted, provided there are no statutory retention obligations to the contrary. To contact us in this context, please use the contact details provided at the beginning of this privacy policy.

f. Legal/contractual requirement

The provision of your personal data is voluntary, solely on the basis of your consent. If you prevent access, this may result in functional restrictions on the website.

g. Third country transfer

Processing outside the European Union (EU) or the European Economic Area (EEA) cannot be ruled out.

h. Revocation of consent

You can revoke your consent to the storage of your personal data at any time with effect for the future. You can inform us of your revocation at any time via the contact option given at the beginning of this data protection notice.

You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this you may not be able to use the full functionality of this website.

i. Profiling

The Google Tag Manager tool can be used to evaluate the behaviour of website visitors and analyse their interests.

X Newsletter

a. Nature and purpose of the processing

Your data will only be used to send you the subscribed newsletter by e-mail. Your name is given in order to be able to address you personally in the newsletter and, if necessary, to identify you if you wish to exercise your rights as a data subject. To receive the newsletter, it is sufficient to enter your e-mail address. When you register to receive our newsletter, the data you provide will be used exclusively for this purpose. Subscribers may also be informed by e-mail about circumstances relevant to the service or registration (e.g. changes to the newsletter offer or technical circumstances). For an effective registration we need a valid e-mail address. We use the "double opt-in" procedure to check that a registration is actually made by the owner of an e-mail address. For this purpose, we log the newsletter order, the sending of a confirmation email and the receipt of the response requested. No further data is collected. The data will be used exclusively for sending the newsletter and will not be passed on to third parties.

b. Legal basis of the processing

On the basis of your expressly granted consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR in conjunction with § 6 TTDSG), we will regularly send you our newsletter or comparable information by e-mail to your specified e-mail address.

c. Data categories

E-mail address, optional: Title, First name, Last name

d. Recipient

The recipients of the data are internal employees of the Kallfass GmbH department.

e. Storage periods

The data will only be processed in this context as long as the corresponding consent has been given. They are then deleted.

f. Legal/contractual requirement

The provision of your personal data is voluntary, solely on the basis of your consent. Unfortunately, we cannot send you our newsletter without your consent.

g. Third country transfer

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Revocation of consent

You can revoke your consent to the storage of your personal data and its use for sending the newsletter at any time with effect for the future. There is a corresponding link in every newsletter. You can also unsubscribe directly on this website at any time or inform us of your revocation using the contact option provided at the end of this data protection notice.

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XI Processing in the context of the business relationship

a. Nature and purpose of the processing

We may process the personal data of our customers, prospective customers, suppliers, vendors and partners for communication, planning, execution of the contractual relationship, marketing, administration and security purposes.

b. Legal basis of the processing

The processing of the data provided is based on a legitimate interest (Art. 6 para. 1 lit. f GDPR) and the fulfilment of the contract (Art. 6 para. 1 lit. b GDPR).

c. Data categories

  • Contact information (full name, job title, professional e-mail address, professional telephone number, professional address)
  • Billing information and payment data
  • Other necessary information in a project or contractual relationship or information voluntarily provided to us, such as personal data relating to orders, payments, enquiries and projects

d. Recipient

The recipients of the data are the internal employees of the respective departments and, if applicable, the processors of the departments.

e. Retention periods

We delete personal data when the storage of the personal data is no longer necessary for the purposes for which it was collected or processed or for the fulfilment of legal obligations (e.g. HGB, AO).

f. Transfers to third countries

Your personal data may be transferred to third parties based outside the European Union (EU) or the European Economic Area (EEA) who provide hosting services for us, for example. In order to guarantee the level of data protection in the third country, we have concluded so-called standard data protection clauses with our respective service providers.

g. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XII Duty to provide information in the application process

a. Nature and purpose of the processing

We process the applicant data only for the purpose and in the context of the application process in accordance with the legal requirements. Applicant data is processed to fulfil our (pre-)contractual obligations in the context of the application process, insofar as data processing becomes necessary for us, e.g. in the context of legal proceedings.

The application procedure requires applicants to provide us with their application data. If we offer an online form, the necessary applicant data is labelled, otherwise it can be found in the job descriptions and basically includes personal details, postal and contact addresses and the documents belonging to the application, such as cover letter, CV and certificates. Applicants can also voluntarily provide us with additional information. By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in the manner and to the extent set out in this privacy policy. If provided, applicants can send us their applications using an online form on our website. The data is transmitted to us in encrypted form in accordance with the state of the art. Applicants can also send us their applications by e-mail to karriere@kallfass-online.com. Please note, however, that e-mails are generally not sent in encrypted form and applicants must ensure encryption themselves. We can therefore accept no responsibility for the transmission path of the application between the sender and receipt on our server and therefore recommend using an online form or sending it by post. In the event of a successful application, the data provided by applicants may be processed by us for the purposes of the employment relationship.

b. Legal basis of the processing

The processing of your data is carried out for the implementation of (pre-)contractual measures (Art. 6 para. 1 lit. b GDPR).

c. Data categories

First name, surname, address, e-mail address, telephone number, CV, references, certificates, photos, documents that you send us unsolicited

Insofar as special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated as part of the application process, their processing is also carried out in accordance with Art. 9 para. 2 lit. b GDPR (e.g. health data, such as severely disabled status or ethnic origin).

d. Recipient

The recipients of the data are internal employees of Kallfass GmbH. We use Onlyfy's applicant management software as part of the application process. For this purpose, we have concluded a contract with Onlyfy for the processing of personal data on behalf of Onlyfy (order processing contract).

e. Storage periods

The deletion takes place, subject to a justified cancellation of the applicants, after the expiry of a period of 6 months, so that we can answer any follow-up questions to the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.

f. Legal/contractual requirement

The provision of your personal data beyond the retention period, e.g. in order to be included in our applicant pool, is voluntary and based solely on your consent. You can revoke this consent to the storage of your personal data at any time with effect for the future.

g. Third country transfer

Processing does not take place outside the European Union (EU) or the European Economic Area (EEA).

h. Revocation of consent

If the application for a job offer is not successful, the applicant's data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. You can revoke your consent to the storage of your personal data beyond the storage period at any time with effect for the future. You can inform us of your cancellation at any time via the contact option given at the beginning of this data protection notice.

i. Automated decision-making and profiling

As a responsible company, we do not use automated decision-making or profiling for this data processing.

XIII Online presence in social media

We maintain online presences within social networks in order to inform the users active there about our services and to communicate directly via the platforms if there is interest. We are currently represented in the following networks:

https://www.linkedin.com/company/kallfass-gmbh/

https://www.facebook.com/KallfassGmbH

https://www.instagram.com/kallfassgmbh/

https://www.xing.com/pages/kallfassgmbhmaschinenplusautomation

All our social media channels can only be accessed by visitors to the website via an external link. We do not use any plugins or other interfaces on our website that the respective networks offer for embedding offers on websites.

We have no influence on the collection of data and its further use by the social networks. For example, there is no information on the extent to which, where and for how long the data is stored, the extent to which the networks fulfil existing deletion obligations, which analyses and links are made with the data and to whom the data is passed on. We therefore expressly draw your attention to the fact that user data (e.g. personal information, IP address) is stored by the customers of the networks in accordance with their data usage guidelines and used for business purposes.

We process the data of users in the social media presences insofar as they contact and communicate with us via comments or direct messages, for example.

The legal basis for the processing of the user's data is Art. 6 para. 1 lit. b and f GDPR.

  • LinkedIn
  • Facebook/Instagram
  • Xing

No functions and content of the LinkedIn service, offered by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, are integrated into our online offering. The LinkedIn channels can only be accessed via an external link, and if visitors to our website are members of the LinkedIn platform, LinkedIn can assign the visit to the social media channel to the user's profile there if the user visits the LinkedIn profile while logged in. We would like to point out that we have no influence on the content, scope or use of the data collected by LinkedIn. For further information in this regard, please refer to LinkedIn's privacy policy: https://de.linkedin.com/legal/privacy-policy

You can access the social media networks Facebook and Instagram via external links on our website. All functions in the social media network are offered by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland. The channels are only accessible via an external link. If you are logged into Facebook or Instagram with your own profile and visit our social media channel, Facebook can assign your visit to your logged-in profile. If you do not wish your user account to be associated with your IP address, please log out of your Facebook/Instagram account before using our website.

For further information on the processing of your data, please refer to Facebook's privacy policy: https://facebook.com/privacy/explanation and to our https://www.kallfass-online.com/datenschutzerklaerung/

No functions and content of the Xing service, offered by New Work SE, Dammtorstraße 29-32, 20354 Hamburg, Germany, are integrated into our online offering. The Xing channels are only accessible via an external link. If the visitors to our website are members of the Xing platform, Xing can assign the visit to the social media channel to the user's profile there if the user visits the Xing profile when logged in. We would like to point out that we have no influence on the content and scope of use of the data collected by Xing. For further information in this regard, please refer to Xing's privacy policy: https://privacy.xing.com/de/datenschutzerklaerung

XIV Shared responsibility with Facebook

Kallfass GmbH operates an online presence on Facebook, a so-called Facebook fan page. The following additional information on data processing applies to visits to our fan page. Information on data protection at Facebook in general can be found here (https://www.facebook.com/about/privacy/).

1. Joint responsibility, contact details, company data protection officer:

We are jointly responsible with Facebook for the operation of our Facebook fan page in accordance with Art. 26 GDPR. To this end, we have concluded an agreement with Facebook to determine who fulfils which obligations with regard to data protection. This agreement can be downloaded here (https://www.facebook.com/legal/terms/page_controller_addendum). Facebook is therefore primarily responsible for providing the data subject with information about the joint processing and enabling them to exercise their data protection rights. Irrespective of this, we hereby inform you about your visit to our fan page.

Our contact details are as follows:

Kallfass GmbH

Röter Straße 44, 72270 Baiersbronn, Germany

info@kallfass-online.com

You can reach Facebook at:

Meta Platforms Ireland Ltd.

4 Grand Canal Square,

Grand Canal Harbour,

Dublin 2, Ireland

You can reach Facebook online here (https://www.facebook.com/legal/terms?ref=pf)

You can reach our company data protection officer at

Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH

Alexander Bugl

Eifelstrasse 55

93057 Regensburg, Germany

email: kontakt@buglundkollegen.de

You can contact Facebook's data protection officer at

https://www.facebook.com/help/contact/540977946302970.

2. Collection and storage of personal data as well as type and purpose and their use:

a) Data collected by Facebook:

If you are a Facebook user, Facebook collects the data described in the Facebook data policy under "What types of information do we collect?". If you are not a Facebook user, cookies with identifiers, small text files, may still be stored in your browser, which enable your user behaviour to be tracked.

As a rule, user data is also processed by Facebook for market research and advertising purposes when you visit Facebook. Complex user profiles are created based on user behaviour (including when visiting our fan page), which Facebook can use to display personalised advertisements to visitors inside and outside Facebook. You can also find more information on this in the Facebook data policy.

If you do not agree to this, you can object here (opt-out).

b) Data used by us ("Page Insights") and legal basis:

Facebook provides us with statistics and usage data that we can use to analyse the use of our fan page (so-called "Page Insights"). This enables us to continuously improve our offer on Facebook. As the customer, we do not make any decisions regarding the processing of Insights data and all other information resulting from Art. 13 GDPR, such as the storage duration of cookies on user end devices. The primary responsibility under the GDPR for the processing of Insights data lies with Facebook and Facebook fulfils all obligations under the GDPR with regard to the processing of Insights data.

As the site administrator, we have no other way of evaluating user behaviour on our fan page, not even via user tracking. It is also generally not possible for us to identify the visitor to the fan page based on the page insights. In particular, in accordance with the agreement, we have no right to demand that Facebook disclose individual visitor data. Identification is only possible for us if we can assign individual profile pictures to "Like" information for the page; however, this is only possible if our fan page has been marked with "Like" by the corresponding visitor and the "Like" information is set to "public".

You can find out what information Facebook uses to create Page Insights here.

The operation of the Facebook fan page and the use of page insights serve our legitimate interest in an effective external presentation and efficient communication with our customers and interested parties. This interest justifies the operation of the page both in relation to the legitimate interests of Facebook users and in relation to visitors to our fan page who do not have a Facebook account. The legal basis is therefore Art. 6 para. 1 lit. f) GDPR.

3. Disclosure of data to third parties:

Data collected by Facebook is exchanged and processed within the entire Facebook group. The Facebook Group also owns Instagram, WhatsApp and Oculus, for example. For example, information collected via Facebook is used to display personalised advertising to the user on Instagram, or information from WhatsApp is used to take action on Facebook against accounts that send spam via WhatsApp. You can find this information in the Facebook data policy under "How do the Facebook companies work together?".

When Facebook processes data, user data may be transferred outside the European Economic Area (EEA), in particular to the USA.

4. Right of objection:

If your personal data is processed on the basis of legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation. If you wish to exercise your right of cancellation or objection, simply send an email to {email address}.

5. Rights of data subjects:

You have the right to withdraw your consent from us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future. In addition, you have the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR. You also have the right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR).

In principle, you can assert your rights as a data subject against both Facebook and us. As only Facebook has direct access to your user data, you can assert your rights as a data subject most effectively against Facebook.