Data Protection Information (Information Obligations as per Art. 13 GDPR)
We believe that data protection should be transparent, simple to understand, and, most importantly, fair for everyone. That’s why the objective of this data protection information is to tell you about the personal data we collect and use; whether it is forwarded to third parties and, if yes, which third parties; how long we store your data; and what your rights are if you don’t agree with our responsible handling of your data. If you still have questions after reading this detailed data protection information, please don’t hesitate to contact us using the addresses given below.
We would first like to clarify what some of the terms used mean so that we are all on the same page. This will ensure that we all understand the same thing when reading the information below.
This is all information relating to an identified or identifiable natural person (referred to below as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
Processing is any operation or set of operations performed on personal data or sets of personal data, either with or without the help of automated procedures, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Restriction of Processing:
This refers to the marking of stored personal data with the aim of limiting its processing in future.
“Profiling” is any form of automated personal data processing that involves using this personal data to analyze certain personal aspects relating to the data subject, in particular to analyze or predict aspects regarding their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Pseudonymization describes the procedure used to carry out processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, insofar as this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.
This is the natural or legal person, public authority, agency, or other body that, alone or together with others, determines the purposes and means of processing of personal data. Where the purposes and means of such processing are determined by EU or member state law, the data controller or the specific criteria for their nomination may be provided for by EU or member state law.
A natural or legal person, public authority, agency, or other body to whom the personal data is disclosed, whether a third party or not. Public authorities that may receive personal data within the scope of a particular enquiry in accordance with EU or member state law are not, however, deemed to be recipients. Processing of such data by these public authorities is carried out in compliance with the applicable data protection regulations relating to the purposes of processing.
A natural or legal person, public authority, agency, or other body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
1. Name and Contact Details of the Data Controller
The data processing controller is
HIGHLUX Ltd, Located at 195A High Street, Potters Bar, EN6 5DA
You can contact us by postal mail, email to email@example.com, or by calling 0800 0488711.
2. Data Protection Officer
The contact details for our data protection officer are as follows:
HIGHLUX Ltd, Located at 195A High Street, Potters Bar, EN6 5DA
3. Collection of Personal Data for Informational Use
Where the website is used purely for information – in other words if you do not register or provide us with information in any other way – we will only collect the personal data transmitted by your browser to our server. If you want to visit our website, we will collect the following data, which is required to display the website to you and ensure its stability and security (the legal basis is Art. 6 Para. 1 (1) lit. f GDPR):
• The IP address (truncated, e.g. 192.168.100.xxx)
• The date and time of the request
• The content of the request (specific site)
• The website from which the request came
• The browser
• The operating system and its user interface
• The browser software language and version.
(1) In addition to this, cookies will be stored on your computer when you use the website. Cookies are small text files that can be stored on your hard drive and assigned to the browser you use. They are used to transmit certain information to whoever created the cookie (so in this case, us). Cookies cannot execute programs or infect your computer with viruses. They are used to make the Internet offering generally more user-friendly and effective.
a) This website uses the following kinds of cookies, whose scope and method of functioning are explained – Persistent cookies (see c) below).
b) Persistent cookies are automatically deleted after a predefined period of time that can vary depending on the cookie. You can delete cookies whenever you want using your browser’s corresponding security settings.
c) You can configure your browser settings in line with your wishes and, for example, block acceptance of third-party cookies or all cookies. Please note that you may not be able to use all the features of this website if you do so.
(2) This stored information is kept separate from any other data that we may store. In particular, the data generated by cookies is not linked to any other data regarding you.
(3) You can object to this data processing at any time, effective for the future.
5. Use of Our Website Features
(1) In addition to purely informational use of our website we also offer a range of services that you can use if interested. To do so you must generally provide additional personal data that will be used to provide the relevant service. Where users have the option of providing additional voluntary information, this is identified accordingly.
(2) If you contact us by email or via the contact form, we will store your email address and, if provided, your name and telephone number plus any other information so that we can answer your enquiries or send you a catalog.
6. Data Forwarding to Third Parties
(1) We will only forward your personal data to third parties if we work together with a third-party provider to give you the opportunity to participate in promotions or competitions, to make a booking, or to conclude a contract. In such cases you will be informed about transmission to third parties before your data is forwarded.
(2) In some cases we use external service providers to process your data. These providers have been carefully selected and commissioned in writing. They are subject to our instructions and are regularly inspected by us. The service providers will not forward data to third parties. In the event these service providers are located in the USA, then we will inform you accordingly in line with the relevant functions. Such data processing is also carried out in accordance with the current legal situation.
6.1. Use of Google Maps
(1) This website uses the Google Maps offering. This allows us to present interactive maps directly on the website, providing you with a convenient navigation function.
(2) When you visit our website Google is informed that you have retrieved the corresponding sub-page on our website. In addition to this, the data stated under Item 3 of this declaration is transmitted. This happens irrespective of whether Google provides a user account that you are logged in to or you have no user account. If you are logged in to Google, then your data will be directly assigned to your account. If you do not want information to be assigned to your Google profile, then you must log off before activating the button. Google will save your data as a usage profile and use it for advertising and market research purposes and/or needs-based designing of its website. Such analysis (even of users who are not logged in) is carried out in particular to provide needs-based advertising and to inform other social network users about your activities on our website. You have the right to object to creation of such user profiles, however you must make this objection to Google.
(3) For more information on the purpose and extent of data collection and its processing by the plug-in provider see the provider’s data protection declarations. They also provide more information about your corresponding rights and settings options to protect your personal privacy: http://www.google.de/intl/de/policies/privacy. Google will also process your personal data in the USA and participates in the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
(4) The legal basis for processing of your data is Art. 6 Para. 1 (1) lit. f GDPR. For more information on data protection at Google visit: http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html. Alternatively, you can visit the Network Advertising Initiative (NAI) website at http://www.networkadvertising.org. Google participates in the EU-US Privacy Shield: https://www.privacyshield.gov/EU-US-Framework.
6.2. Use of Google Ads Conversion Tracking
We use the Google Ads offering and, within the scope of this, conversion tracking to draw attention to our products and interior design solutions through advertising (so-called ‘Google Ads’) shown on external websites. Our aim is to identify which advertising measures attract the interest of potential customers and Google Ads conversion tracking provides us with information relating to advertising campaigns and how successful individual advertising measures (Google Ads) are. This corresponds with our interest in showing you and other Internet users advertising that is tailored to your interests. Tracking allows us to design our advertising campaigns and website in a more interesting way and to identify as precisely as possible the cost-benefit factor for the advertising budget spent on Google Ads.
Google transmits such advertising via so-called “ad servers”. To analyze the impact of Google Ads we use ad server cookies that, based on attainment of specific goals on our website (“conversions”) – such as ordering or downloading of a catalog or clicking our dealer search feature – allow Google to record these conversions. Google is thus able to measure the number of conversions. In addition to this, Google uses previously installed cookies to identify which ads were clicked beforehand and thus led to the conversion. These cookies are temporary; contain no personal data; and thus cannot be used to identify users. We do not receive any information that could be used to identify users. Your data may be transmitted to the USA. Google is certified under the “Privacy Shield” US-EU data protection agreement and thus undertakes to comply with European data protection guidelines. Data processing, in particular the installation of cookies, takes place with your consent on the basis of Art. 6 Para. 1 (a) GDPR. You can withdraw your consent at any time without this affecting the lawfulness of consent-based processing carried out before consent was withdrawn. For more information on privacy and to see Google’s data protection declaration visit: https://www.google.de/policies/privacy/
6.3. Use of Matomo
(1) This website uses the Matomo web analysis service to analyze use of our website and allow us to improve it on a regular basis. We are able to use the statistics collected to improve our offering and make it more interesting for you as a user. The legal basis for use of Matomo is Art. 6 Para. 1 (1) lit. f GDPR.
(3) This website uses Matomo with the “AnonymizeIP” add-on. It ensures that IP addresses are truncated before being processed; doing so means that IP addresses cannot be directly attributed to a specific person. The IP address transmitted by your browser via Matomo will not be combined with other data that we collect.
(4) The Matomo program is an open-source project. For data protection information from the third-party provider visit https://matomo.org/privacy/policy.
7. Recipients or Categories of Recipients
Insofar as we forward your personal data to third parties, the description of the corresponding data processing will explicitly inform you that we are doing so (e.g. when you use our contact form). It goes without saying that, in addition to this, we have signed contract processing contracts as defined by Art. 28 GDPR (until May 25, 2018 Sect. 11 German Federal Data Protection Act [BDSG]) with the external service providers whom we use for technical and organizational processing. These companies are, for example, service providers for web hosting, sending of emails and letters; maintenance and management of our IT systems, etc.
8. Duration of Storage
Your data will be stored for as long as required to fulfil the corresponding purpose, at most for as long as required to comply with any legal regulations (e.g. under commercial law we must keep business correspondence, which may include emails, for 10 years).
Personal data is routinely blocked or erased as soon as the purpose for which it has been stored has been fulfilled or the statutory retention period stipulated by the above-mentioned legal regulations has expired.
9. Your Rights
This section provides you with detailed information on your rights.
9.1. Right to Information
You have the right at any time to request information regarding whether we have processed personal data regarding you. Should this be the case, then you have a right to receive information concerning data covered by the second part of Art. 15 Para. 1 GDPR.
You have the right to request information regarding whether your personal data has been transmitted to a third country or an international organization. In this context you may request information regarding the appropriate safeguards relating to transfers as per Art. 46 GDPR.
9.2. Right to Rectification
In addition to this, under the terms of Art. 16 GDPR you have the right to request that we rectify incorrect personal data regarding you without delay. Over and above this, and taking processing purposes into consideration, you have the right to request the completion of incomplete personal data – including by means of a supplementary statement.
9.3. Right to Erasure (“Right to be Forgotten”)
You also have the right to request that we erase personal data regarding you without delay. We must fulfil this request and erase personal data unless we are legally obliged or entitled to continue processing your data. For more information on this, please see Art. 17 GDPR.
9.4. Right to Restriction of Processing
You have the right to request that we restrict processing insofar as the legal preconditions defined by Art. 18 GDPR apply.
9.5. Right to Notification
Under the terms of Art. 19 GDPR, if you have exercised the right to rectification, erasure, or restriction then we are obliged to notify all the recipients to whom personal data regarding you has been disclosed about this rectification or erasure of data or restriction of processing unless doing so proves impossible or involves disproportionate effort. You have the right to be informed by us regarding these recipients.
9.6. Right to Data Portability
Where we have processed your data on the basis of your consent or a contract, then you have the right to receive the personal data regarding you in a structured, commonly used, machine-readable format. In addition to this, you have the right to transmit this data to another data controller insofar as the legal preconditions defined by Art. 20 GDPR apply.
9.7. Right to Object
Right to Object on Grounds Relating to the Data Subject’s Particular Situation
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data regarding you that is based on Art. 6 Para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions.
We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
Right to Object to Data Processing for Direct Marketing Purposes
Where your personal data is being processed for direct marketing purposes you have the right, at any time, to object to processing of the personal data regarding you for direct marketing purposes. This also applies to profiling to the extent that it is related to such direct marketing. Should you object to processing for direct marketing purposes, then the personal data regarding you will no longer be processed for these purposes. In the context of the use of information society services – notwithstanding Directive 2002/58/EC – you have the option of exercising your right to object by automated means using technical specifications.
9.8. Right to Withdraw Declaration of Consent Under Data Protection Law
You have the right at any time to withdraw your declaration of consent under data protection law. Withdrawing consent will not affect the lawfulness of consent-based processing carried out before consent was withdrawn.
9.9. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing – including profiling – that produces legal effects regarding you or similarly significantly affects you. This does not apply if the decision
a) Is necessary for entering into or performance of a contract between you and the data controller,
b) Is authorized by EU or member state law to which the data controller is subject and that also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
c) Is based on your explicit consent.
Such decisions may, however, not be based on special categories of personal data as defined by Art. 9 Para. 1 GDPR, unless Art. 9 Para. 2 lit. a or g applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. These measures include, at minimum, the right to obtain human intervention on the part of the data controller, to express your point of view, and to contest the decision.
9.10. Right to Complain
Irrespective of any other legal remedy under administrative law or before the courts, you have the right to lodge a complaint with a supervisory authority, in particular in the member state where you are habitually resident, where your place of work is located, or where the alleged infringement took place if you consider that processing of personal data regarding you infringes the GDPR.
The supervisory authority that receives the complaint will inform the complainant on the progress and outcome of the complaint, including the possibility of a legal remedy as defined by Art. 78 GDPR.
The supervisory authority responsible for us is:
Information Commissioner’s Office
Tel.: +44 (0) 303 123 1113
Fax: +44 (0) 1625 524510
10. Legal Basis for Processing
Insofar as nothing else is stipulated for the individual processing procedures described under the above-mentioned items, then the following legal basis applies for our data processing.
Insofar as we obtain consent from data subjects for processing procedures involving personal data, then the legal basis for this is Art. 6 Para. 1 lit. a EU General Data Protection Regulation (GDPR).
Where processing of personal data is required for performance of a contract to which the data subject is party, then the legal basis for this is Art. 6 Para. 1 lit. b GDPR. The same applies to processing procedures that are required to take steps prior to entering into a contract.
Where processing of personal data is required to comply with a legal obligation to which our company is subject, the legal basis for this is Art. 6 Para. 1 lit. c GDPR. Where processing is required to protect the vital interests of the data subject or another natural person, the legal basis for this is Art. 6 Para. 1 lit. d GDPR. Where processing is required to safeguard the legitimate interests of our company or a third party and the interests, fundamental rights, and fundamental freedoms of the data subject do not override these legitimate interests, the legal basis for this is Art. 6 Para. 1 lit. f GDPR.
9. Notes of Photos
HIGHLUX Ltd, Located at 195A High Street, Potters Bar, EN6 5DA
Production of photos taken at events such as the imm cologne international furnishing fair and publication of such photos on the website, social media channels, and print media for PR purposes and presentation of the data controller’s activities in order to raise the data controller’s profile.
Legitimate interest as defined by Art. 6 Para. 1 lit. f GDPR and Sect. 12 and 13 DSG (German Data Protection Act) – PR purposes and presentation of the data controller’s activities in order to raise the data controller’s profile.
Data subjects have the right to object to processing. Objections may be submitted to: firstname.lastname@example.org (whereby all other methods of objection are also possible).
It must, however, be assumed that the data controller’s interest in production and use of the photos does not infringe natural persons’ rights and freedoms excessively, in particular since these persons are entering a public space; are informed in advance and at the event regarding the production and use of the photos; and care is taken that the legitimate interests of the persons shown are not infringed. Insofar as the rights and freedoms of a person depicted should, in exceptional circumstances, be infringed, then we will take appropriate measures to prevent any further processing. Anonymization in print media which has already been issued is not possible. Erasure from the website or social media channels will be carried out within the scope of what is technically possible.
Duration of Storage
Data will be erased 3 years after its production.
Categories of Recipients
Departments of the data controller that must receive the data in order to complete processing activities (e.g. IT, other administrative units, marketing). Sub-contractors and contract processors who are involved in processing activities (production and publication). Tax accountants, authorities (IRS, other government agencies), and legal representatives (when asserting rights or defending against claims or within the scope of official procedures).
The data will be made available to the general public on the Internet and published on social media channels. It will be published in print media and limited print runs of this media will be distributed to, for example, customers and the general public.
Data will not be forwarded to recipients who will use it to pursue their own purposes. In the case of social media channels it may, however, be the case that the relevant social media provider acquires exploitation rights to the data published.