Data Protection Declaration of the HERMA Group (HERMA)
B2B Online Shops
We attach the utmost importance to the protection of your personal data which you provide to us when you visit and use our B2B online shops. B2B stands for business to business and means business relationships between two companies.
Effective registration and, thus, the provision of personal data are necessary to use the HERMA online shops. Your personal data, for example name, postal address, e-mail address or telephone number, are always processed in accordance with the European General Data Protection Regulation (GDPR) and the country-specific data protection regulations applying to HERMA. If there is no legal basis for this processing, we will normally obtain your consent. Data are transferred in encrypted form during the order process.
The objective of this Data Protection Declaration is to inform you, as a visitor to the B2B online shops, about the nature, extent and purpose of the personal data which we collect, use and process. We will also inform you about the rights accruing to you.
Table of Contents
- Responsibility for data processing
- Contact with the Data Protection Officer
- Definitions of terms
- Recording of general data and information
- Order process – registration, contact, credit check, payment, check against the sanctions list
- Data security
- Use of Google Analytics (with an anonymisation function)
- Use of Google AdWords
- Legal or contractual provisions for providing personal data
- Storage period, erasure and blocking of personal data
- Rights of shop visitors
- Existence of automated decision-making
1. Responsibility for data processing
Each company which belongs to the HERMA Group and operates the website is responsible for data processing in the online shops.
Fabrikstraße 16, 70794 DE-Filderstadt
Telephone: +49 711 / 77020
Telefax: +49 711 / 7702 700
HERMA UK LIMITED
The Hollands Centre, Hollands Road, GB-Haverhill, Suffolk CB9 8PR
Telephone: +44 / 1440763366
Telefax: +44 / 1440706834
2. Contact with the Data Protection Officer
If you have any questions or suggestions relating to data protection, you may at any time directly contact our employees in each responsible company belonging to the HERMA Group and the Data Protection Officer for HERMA GmbH.
You may contact the Data Protection Officer of HERMA GmbH as follows:
HERMA GmbH, Fabrikstrasse 16, 70794 Filderstadt, Germany
To: The Data Protection Officer
3. Definitions of terms
Our Data Protection Declaration should be easy to read and comprehensible both for the general public and our customers and business partners. The following terms from our Data Protection Declaration originate from the GDPR.
a) Personal data
‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter called ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is every identified or identifiable natural person whose personal data are processed by the controller.
Processing of personal data includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Means any form of automated processing of personal data consisting of the use of these personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
j) Third party
A third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or the processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
4. Recording of general data and information
Every time a data subject visits an individual website, the web pages of HERMA collect a range of general data and information which are stored in the server's log files. The following data and information may be collected: (1) Utilised browser types and versions, (2) The operating system used by the accessing system, (3) The website from which an accessing system reaches our website (so-called "referrer"), (4) The sub-websites which are controlled via an accessing system on our website, (5) The date and time of access to the website, (6) An Internet protocol address (IP address), (7) The Internet service provider of the accessing system and (8) Other similar data and information which are used to avert danger in the case of attacks on our computer systems.
This involves information which does not make your person identifiable. This information is used instead to (1) correctly show the contents of our website, (2) optimise the contents of our website and advertising for the website, (3) ensure permanent operability of our computer systems and the technology used on our website, and (4) provide prosecution authorities with the information required for criminal proceedings in the event of a cyber attack. These anonymously recorded data and information are therefore evaluated by HERMA for statistical purposes and also to increase data protection and data security in our companies so that an optimum protection level is ultimately attained for the personal data which we process. The anonymous data in the server log files are stored separately from all personal data provided by you.
5. Order process – registration, contact, credit check, payment, check against the sanctions list
a) Registration (opening a new account)
The data to be sent here to HERMA are shown in the respective input mask used for registration. This normally involves the mandatory boxes - e-mail address and name - and voluntary information about gender, forename, telephone number and fax number of the contact person at the customer. The customer is always a legal person since the offers in our shops are aimed exclusively at tradespersons. In exceptional cases (e.g. one-man limited company or an individual trader), the customer's data (name of company, address, VAT registration number) may also include personal data.
Without your separate consent, the input personal data will only be processed in order to handle your order.
Registration with entry of personal data is necessary in order to provide you, as a regular or potential customer, with shop contents or services which may only be offered to registered users in the course of making an offer or when fulfilling a contract. The legal basis for data processing is Article 6 I lit. b of the GDPR since processing of your personal data is necessary to fulfil a contract, e.g. during the supply of goods or supplying other services or a consideration where you are a contracting party. The same provision as above applies to those processing operations which are necessary to implement pre-contractual measures, e.g. in cases involving inquiries regarding our products or services.
HERMA may pass on personal data to one or more transport service providers who use the data to deliver goods, to a subsidiary company who use the data to handle a part of your order or to the collection service.
Through registration on the website, the date and time of registration are also assigned to and stored in the customer's account. These data are stored automatically for purposes of proof and given the fact that this is the only way to prevent misuse of our services and that these data can be used, if necessary, to investigate criminal offences. These data must therefore be stored in order to protect HERMA. Generally speaking, these data will not be passed on to third parties, unless there is a legal obligation to do so or transmission of the data is required for criminal prosecution proceedings.
On request, HERMA will provide you at any time with information about your personal data which we have stored. HERMA will also rectify or erase personal data at your request or indication, provided there are no legal retention obligations in this respect. The Data Protection Officers or, if no Data Protection Officer was appointed for the controller, every employee of the respective controller are available to you as contact persons in this case.
b) Contact form
You can contact HERMA by e-mail or by using the contact form. The personal data to be transmitted in this case to HERMA are shown in the input mask which is used to make contact. This normally involves the mandatory boxes - e-mail address and surname - and voluntary information about gender, forename, telephone number and fax number of the requester.
Without your separate consent, the input personal data will only be processed for contact purposes in order to process your inquiry and handle your order.
Data collection and processing through the contact form are based on Article 6 (1) lit. f of the GDPR since HERMA, as a shop operator, has a business interest in being contacted by (potential) customers in order to offer them through these services the fastest possible and easiest order process and, thus, facilitate the conclusion or initiation of a contract.
These personal data may only be passed on to third parties if this is necessary to process the order.
c) Credit check
During the order process we will use the information from the following credit agencies or credit insurers to assess your creditworthiness. For this purpose, we will pass on your customer data (name of company, address, VAT registration number) to these credit agencies and credit insurers. In exceptional cases (e.g. one-man limited liability company or a sole trader) this may involve personal data. The credit agencies or credit insurers will send us in the second case your stored personal address and creditworthiness data, if available, including data which are determined based on mathematical and statistical methods.
The received information about your creditworthiness, including information concerning the statistical probability of non-payment, will be used for a balanced decision on the justification (selection of payment methods), implementation or end of the contract.
Data processing will be based on Article 6 I lit. a of the EU General Data Protection Regulation (GDPR) which permits us to obtain consent for certain processing purposes. You gave us your consent when you registered. You may withdraw your consent at any time with effect for the future by using our contact form under "Service".
Credit agencies or credit insurers
Bureau van Dijk Electronic Publishing GmbH, Hanauer Landstraße 175-179, 60314 Frankfurt a.M.
Bürgel Wirtschaftsinformationen GmbH & Co.KG, Gasstraße 18, 22761 Hamburg
Codinf Services SA, 120 Avenue Ledru-Rollin, 75011 Paris
Coface Rating GmbH, Isaac-Fulda-Allee 1, 55124 Mainz
Creditreform Stuttgart Strahler KG, Theodor-Heuss-Str. 2, 70174 Stuttgart
Creditsafe Deutschland GmbH, Schreiberhauerstraße 30, 10317 Berlin
Bisnode D&B Deutschland GmbH, Robert-Bosch-Straße 11, 64293 Darmstadt
Kisys Krediet Informatie Systemen B.V., Hullenbergweg 270, 1101 BV Amsterdam-Zuidoost
Kreditschutzverband von 1870, Wagenseilgasse 7, 1120 Wien
The creditworthiness information may contain probability values (score values) which are calculated based on scientifically recognised mathematical and statistical methods, and during the calculation of which address data, for example, are included. Your legitimate interests will be considered in accordance with legal regulations.
During the order process we will use the payment service provider Heidelberger Payment GmbH, Vangerowstrasse 17, 69115 Heidelberg, for the purpose of online payment processing. In this case your payment data will be directly collected, processed and stored by Heidelberger Payment GmbH in its capacity as a processor. The transmitted payment data are shown on the respective input mask for the means of payment. This normally involves the mandatory boxes - card holder or account holder, card number or bank number and name of the customer's (company's) bank. In exceptional cases (e.g. one-man limited company or an individual trader), personal data may be involved.
Without your separate consent, the input personal data will only be processed to handle your order.
Payment with stipulation of your bank details is necessary in order to pay the purchase price as the consideration for the supply of goods. The legal basis for data processing is Article 6 (1) lit. b of the GDPR, according to which processing of your personal data is necessary to fulfil a contract to which you are a party.
Depending on the selected payment method, we will pass on your personal data to the authorised bank for the purpose of processing payments.
e) Check against sanctions lists
During the order process HERMA will compare your company data (name of company and address) and personal data (name of the contact person) with official sanctions lists of the Federal Republic of Germany, the European Union and the USA. Sanctions lists are official directories containing the names of persons, groups, organisations and/or companies on whom certain economic or legal sanctions have been imposed. Due to national regulations such as the German Foreign Trade and Payments Act (AWG) and European regulations, HERMA is obliged to carry out this comparison in order to combat terrorism and maintain embargoes against particular individuals. Data processing is based on Article 6 (1) lit. c of the GDPR.
6. Data security
During the order process your personal data are transmitted over the Internet by means of SSL encryption (with 128/256 bits). We have implemented technical and organisational measures to protect our website and other systems against loss, destruction, access, alteration or distribution of your data by unauthorised persons. Access to your customer account is only possible after your personal password has been entered. You should always treat your access data as confidential and close the browser window once you have finished communicating with us, but especially if you use the computer together with other people.
Only enter your data directly via our website. If you receive unsolicited e-mails in which you are requested to provide or confirm personal information or payment data, ignore these letters and inform our HERMA team. In some of our shops registered customers receive an e-mail every few months with a request to confirm their account. This will ensure that the registered contact persons are still working for the customer and have the specified e-mail address.
A cookie can be used to optimise the information and offers on our website for the benefit of the user. As already mentioned, cookies enable us to recognise the users of our website. The purpose of this recognition is to make it easier for users to utilise our website. For example, the user of a website utilising cookies need not re-enter his/her access data during every visit to the website since this task is performed by the website and the cookie stored on the user's computer system. Another example is the cookie of a goods basket in the online shop. The online shop notes via a cookie the product which a customer has placed in the virtual goods basket.
You can prevent the placement of cookies by our website at any time through a corresponding setting in the utilised Internet browser and therefore permanently reject the placement of cookies. Cookies which have already been placed can also be erased at any time by means of an Internet browser or other software programs. This is possible in all current Internet browsers.
If you deactivate the placement of cookies in the utilised Internet browser, it may be impossible to use all the functions of our website.
8. Use of Google Analytics (with an anonymisation function)
HERMA has integrated the component of the Web analysis service Google Analytics (with an anonymisation function) on this website.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
HERMA uses the suffix "_gat._anonymizeIp" for Web analysis via Google Analytics. Using this suffix, the IP address of your Internet connection is truncated and anonymised by Google if our web pages are accessed from within any Member State of the European Union or another Contracting State of the Treaty on the European Economic Area.
The purpose of the Google Analytics component is to analyse the flow of visitors to our website (contract data processing). As a contract data processor, Google uses the data and information obtained, among other things, to evaluate the use of our website, to compile online reports for us that highlight the activities on our web pages, and to provide us with further services connected with the use of our website.
Google Analytics places a cookie on your IT system. We already explained above what cookies are. Placement of the cookie enables Google to analyse the use of our website. Every time you access one of the individual pages of this website into which a Google Analytics component has been integrated, the Internet web browser on your IT system is automatically induced by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. Within the context of this technical procedure, Google becomes aware of personal data such as your IP address which Google uses, for example, to comprehend the origin of the visitors and clicks.
Personal information, e.g. the time of access, the location from which this access originated and the frequency of the visits to our website, is saved using the cookie. During every visit to our web pages this personal data, including the IP address of the utilised Internet connection, is transmitted to Google in the USA. These personal data are saved by Google in the USA. In certain circumstances, Google passes these personal data, which were collected via the specific technical procedure, on to third parties.
As already described above in § 7, you may permanently oppose the placement of cookies.
You can prevent recording by Google Analytics by clicking on the following link. An opt-out cookie is placed that prevents future recording of your data when you visit this website. Deactivate Google Analytics.
Google Analytics is explained in more detail under this link.
9. Use of Google AdWords
HERMA has integrated Google AdWords on this website. Google AdWords is an Internet advertising service which allows advertisers to place advertisements both in the search engine results of Google and in the Google advertising network.
The operator of the Google AdWords services is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The purpose of Google AdWords is to promote our website through the insertion of interest-related advertising on the websites of third companies and in the search engine results of the Google search engine, and through the insertion of third-party advertising on our website.
If you access our website via a Google advertisement, Google will place a so-called conversion cookie on your computer. The meaning of cookies has already been explained above. A conversion cookie ceases to be valid after thirty days and is not used for identification purposes. As long as the conversion cookie is still valid, it traces whether certain subpages, e.g. the goods basket in an online shop, were called up on our website. A conversion cookie also enables both our company and Google to trace whether you, if you accessed our website via an AdWords advertisement, completed a sale, i.e. purchased goods, or aborted it.
The data and information recorded through use of the conversion cookie are used by Google to produce visit statistics for our website. These visit statistics are then used by us to determine the total number of users who were transferred to us through AdWords advertisements, i.e. to determine the success or failure of the particular AdWords advertisement and optimise our AdWords advertisements for the future. Neither our company nor other advertising customers of Google-AdWords receive information from Google through which you can be identified.
Personal information, e.g. the websites which you visit, is saved using the conversion cookie. During every visit to our web pages this personal data, including the IP address of your utilised Internet connection, is therefore transmitted to Google in the USA. These personal data are saved by Google in the USA. In certain circumstances, Google may pass these personal data, which were collected via the technical procedure, on to third parties.
As already described above in § 7, you may permanently oppose the placement of cookies by our website.
You can also object to interest-related advertising by Google. For this purpose, you must call it up from one of your utilised Internet browsers using the link https://adssettings.google.com and make the required settings there.
You can find further information and the valid data protection provisions of Google at: https://policies.google.com/privacy?hl=en
10. Legal or contractual provisions for providing personal data
We hereby wish to inform you that the provision of personal data is prescribed by law at times (e.g. check against the sanctions list according to the German Foreign Trade and Payments Act (AWG)) or that it may also be due to contractual provisions (e.g. information relating to the contracting party). In order to ensure that an order is placed successfully via our online shop, you must therefore provide personal data which must then be processed by our company. Failure to provide personal data would mean that the order could not be processed or that a contract could not be concluded with you.
11. Storage period, erasure and blocking of personal data
HERMA will only process and store your personal data for as long as is necessary to attain the storage purpose or if provision was made for this in a law or regulation to which each HERMA controller is subject – e.g. statutory retention periods.
If the storage purpose ceases to apply or a legally prescribed storage period expires, the personal data will be routinely blocked or erased according to legal regulations.
12. Rights of shop visitors
If you want to make use of the rights described below, you may also contact our Data Protection Officers or another employee of HERMA for this purpose at any time.
a) Right to receive information
You are entitled to receive information from HERMA free of charge at any time about your stored personal information and a copy of this information. The legislature allows you to receive the following information:
- Reasons for processing personal data
- Categories of personal data which are processed
- The recipients or categories of recipients to whom personal data were or will still be disclosed, especially recipients in third countries or in international organisations
- If possible, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period
- The existence of a right to rectification or erasure of your personal data or to restriction of processing by the controller or a right to object to this processing
- The existence of a right to complain to a supervisory authority
- If the personal data are not collected from the data subject: all the available information regarding the origin of the data
- The existence of automated decision-making, including profiling according to Article 22 (1) and (4) of the GDPR and — at least in these cases — meaningful information about the involved logic, the extent and the intended effects of this processing for the data subject
b) Right to rectification
You have the right to request immediate rectification of inaccurate data concerning you. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c) Right to erasure (right to be forgotten)
You have the right to request HERMA to immediately erase personal data concerning you if one of the following reasons applies and processing is not necessary:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based according to Article 6 (1) a of the GDPR or Article 9 (2) a of the GDPR, and where there are no other legal grounds for the processing.
- You object to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of the GDPR.
- The personal data have been illegally processed.
- The personal data have to be erased in order to comply with a legal obligation under European Union law or member state law to which the controller is subject.
- The personal data were collected in relation to services offered by HERMA according to Article 8 (1) of the GDPR.
d) Right to restriction of processing
You have the right to request HERMA to restrict processing if one of the following conditions applies:
- The accuracy of the personal data is contested by you, i.e. for a period which enables HERMA to verify the accuracy of the personal data.
- The processing is illegal, you oppose the erasure of the personal data and request the restriction of their use instead.
- HERMA no longer needs the personal data for the purposes of processing, but you require them for the enforcement, exercise or defence of legal claims.
- You objected to processing pursuant to Article 21 (1) of the GDPR and it has not been determined whether the legitimate grounds of HERMA override your interests.
You have the right to receive your personal data, which you provided to HERMA, in a structured, commonly used and machine-readable format. You are also entitled to transmit these data to another controller without interference by HERMA if processing is based on consent according to Article 6 (1) a of the GDPR or Article 9 (2) a of the GDPR, or on a contract pursuant to Article 6 (1) b of the GDPR and processing is carried out using automated methods, unless processing is required for a task which is in the public interest or in the exercise of public authority vested in HERMA.
In exercising your right to data portability pursuant to Article 20 (1) of the GDPR, you are entitled to have the personal data transmitted directly from one controller to another where this is technically feasible and if the rights and freedoms of other persons are not hereby adversely affected.
f) Right to object
You have the right to object, for reasons relating to your particular situation, at any time to processing of your personal data which is based on Article 6 (1) e or f of the GDPR. This also includes profiling based on these provisions.
HERMA will stop processing your personal data in the event of objection, unless we demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or processing is used to enforce, exercise or defend legal claims.
If HERMA processes personal data for direct marketing purposes, you have the right to object at any time to processing of personal data for the purpose of this marketing. This also applies to profiling if it relates to this direct marketing. If you inform HERMA that you object to processing for direct marketing purposes, HERMA will no longer process personal data for these purposes.
You also have the right to object, for reasons relating to your particular situation, to processing of your personal data which is carried out by HERMA for scientific, historical research or statistical purposes according to Article 89 (1) of the GDPR, unless this processing is necessary to perform a task for reasons of public interest.
g) Right to revoke consent to data processing
You have the right to revoke at any time consent to processing of your personal data.
h) Right to complain to supervisory authorities
If you have a problem relating to data protection, you may make use of your right to complain to the responsible national supervisory authorities.
13. Existence of automated decision-making
We have waived automated decision-making, unless we have expressly made reference thereto.
This Data Protection Regulation was prepared with the assistance of DGD Deutsche Gesellschaft für Datenschutz GmbH, which operates as an external Data Protection Officer, in cooperation with RC GmbH, which recycles second-hand computers, and the law firm WILDE BEUGER SOLMECKE | Rechtsanwälte.