Data Protection Statement

Privacy Statement of Novoferm tormatic GmbH

Last revised: 16/05/2018

General Information About Privacy

(1 ) Novoferm tormatic GmbH is happy to see your interest in our company and its products. You may possibly be asked to disclose personal information so that we can provide to you the comprehensive information you would like to have. Any such disclosures are completely voluntary. The privacy statement below and the brief summary of our public record of processing activities describe how we handle your personal data in conformity with the General Data Protection Regulation (hereinafter: GDPR) and data protection laws. Since the company headquarters are located in Germany, German data protection authorities have jurisdiction pursuant to the German Federal Data Protection Act (hereinafter: BDSG).

This is the controller:

Novoferm tormatic GmbH

Venue: Dortmund Local Court, HRB 14016

VAT ID no.: DE812890558

Represented by the managing director

Norbert Dyx

Data protection officer: Thorsten Werbeck

Eisenhüttenweg 6

D-44145 Dortmund

Phone:  (+49) 0231-56602-0

Fax:       (+49) 0231-56602-23

Internet:         www.tormatic.de

Data Protection on the Trading Platform TORMATICSALES for Registered Users Headquartered in Europe

The trading platform TORMATICSALES is accessible to registered commercial users throughout Europe. Novoferm GmbH, represented by the managing director Mr Rainer Schackmann, CEO, Schüttensteiner Strasse 26, D-46419 Isselburg, operates the services offered on the trading platform on our behalf and is the controller under telemedia and data protection law pursuant to Art. 28 GDPR and Section 62 BDSG. This will be explicitly pointed out to you when you register. Novoferm GmbH collects and processes the data on our behalf as described below:

The company Beyond Media GmbH, Mercedesstrasse 3, 74366 Kirchheim am Neckar (HRB 731659, Stuttgart Local Court), represented by its managing director Sven Heib, operates the website server at the Strasbourg location and the commissioned data processing (storage and transfer to Novoferm and its distribution partners) on behalf of Novoferm GmbH. The host service provider is also subject to German data protection laws and contractually obligated pursuant to Art. 28 GDPR.

The support (including advertising), technical security monitoring and analysis of the Novoferm group site are also provided by Beyond Media GmbH, Mercedesstrasse 3, 74366 Kirchheim am Neckar (HRB 731659, Stuttgart Local Court), represented by its managing director Sven Heib. The anonymous or pseudonymised data of the users of the platform are analysed on the basis of a contract for commissioned data processing pursuant to Art. 28 GDPR and Section 62 BDSG. As a service provider to Novoferm GmbH, Beyond Media GmbH is also subject to German data protection laws and, in addition, is contractually obligated to confidentiality; it may process the user data collected and stored in accordance with the contract solely and exclusively for the purposes set forth in this privacy statement.

Neither Novoferm GmbH nor the host service provider have access to your data apart from the commissioned data processing on our behalf.

Novoferm GmbH as well as Novoferm tormatic GmbH are subject to the same level of data security as the Novoferm corporate group, have a privacy statement equivalent to that found on the internet site novoferm.de and makes public the record of processing activities for the internet services that are also performed on our behalf. Our data protection officer is the group officer pursuant to Art. 37 (2) GDPR and is also in charge of data protection at Novoferm GmbH.

Our Processers Pursuant to Art. 28 GDPR and Section 62 BDSG

(1) The company arvato systems GmbH, An der Autobahn 200, D-33333 Gütersloh, operates our servers at the Gütersloh location and the commissioned data processing (storage and transfer to Novoferm and its distribution partners) on our behalf.

(2) The company Beyond Media GmbH, Mercedesstrasse 3, 74366 Kirchheim am Neckar (HRB 731659, Stuttgart Local Court), represented by its managing director Sven Heib, also operates our website server at the Strasbourg location and the commissioned data processing (storage and transfer to Novoferm and its distribution partners) on our behalf. Our host service provider is also subject to German data protection laws.

(3) The support (including advertising), technical security monitoring and analysis of our internet site are also provided by Beyond Media GmbH, Mercedesstrasse 3, 74366 Kirchheim am Neckar (HRB 731659, Stuttgart Local Court), represented by its managing director Sven Heib. The anonymous or pseudonymised data of our users are analysed on the basis of a contract for commissioned data processing pursuant to Art. 28 GDPR and Section 62 BDSG. Beyond Media GmbH, our service provider, is also subject to the Germany data protection provisions and is contractually obligated to confidentiality as well.

(4) The “Cookiebot” service described in Section 9 is a service offered by Cybot A/S, Havnegade 39, DK-1058 Copenhagen, Denmark. The data security level in the EU member state Denmark, just as German data protection law, is in conformity with the General Data Protection Regulation. Furthermore, all Novoferm tormatic GmbH contract partners are contractually obligated to confidentiality and are permitted to process the user data that are collected and stored for us in accordance with their contracts solely and exclusively for the purposes described in this privacy statement.

(5) We describe below in detail the advertising for our internet site and how we monitor and optimise the group site in response to user interests.

(6) Please note as well the Terms and Conditions of Use for our internet site and the Terms and Conditions of Use for the trading platform TORMATICSALES.

Our Privacy Policy and Information

Section 1       Anonymous Use, Security, Analysis and Statistics

(1) Novoferm tormatic GmbH is very conscientious about the protection of the data provided by its website visitors and complies with the regulations of data protection laws. We would like to describe to you in the remarks below what personal data we ask for and store and how we work with these data. Personal data are any information that make it possible to identify a specific person. This includes in particular your name, address and telephone number, but extends as well to the IP address assigned by your provider or your email address.

(2) We seek to make most of the functions of our websites and our services available for anonymous use. Since internet sites must constantly be monitored and protected from attacks by hackers, bots and all types of malware, it is necessary to be able to identify users temporarily, as a minimum on the basis of the so-called metadata of their use of the sites. During your visits to our websites, the following data are recorded, whereby they are stored solely and exclusively for internal system-related and statistical purposes: names of the accessed pages, the browser used, the operating system and the referring domain, data and time of the access, search engines used, names of downloaded files and your IP address. All of the data related to your use of the site, especially your IP address, are erased as early as possible — no later, however, then immediately after the conclusion of your use of the site.

(3) The analysis of anonymous user data, which cannot be traced back during analysis to you personally as the user of the internet sites, helps us to determine the habits of our users so that we can design our services to be more user friendly and adapt them to the wishes and needs of our users. Our processor uses the analysis program Google Analytics for the anonymised analysis of the data. We will describe the functions of this program and the precautions taken to anonymise the user data below.

Section 2       Web Analysis Service “Google Analytics”, Opt-Out Procedure v. Cookiebot Statement

(1) This website uses Google Analytics, a web analysis service provided by Google, Inc. (“Google”). Google Analytics uses cookies (small text files, cf. also Section 9 below) that are stored on your computer and make it possible to analyse your use of the website. The information about your use of this website generated by the cookie is generally transmitted to a Google server in the USA and stored there. The data protection laws in the USA do not at this time meet in all respects the standards of the legal requirements of European data protection laws.

(2) We have enabled the function IP anonymisation on our website. Google consequently truncates your IP address within member states of the European Union or other party states to the treaty regarding the European Economic Area before transmitting it to the USA. The full IP address is transferred to a Google server in the USA and truncated there only in exceptional cases. Google, acting on behalf of the operator of this website, uses the collected information to evaluate your activities on the website, to compile reports about the website activities and to perform further services related to the use of the website and the internet for the website operator. The IP address communicated by your browser for Google Analytics is not associated with any other data of Google.

(3) Our processor uses the latest operating standard of Google Analytics, modified to meet the data security level required by the GDPR, namely, Universal Analytics, on the basis of a contract for commissioned data processing pursuant to Art. 28 GDPR and Section 62 BDSG. Universal Analytics makes possible cross-device tracking by means of a user ID, for example, and permits user-defined measurement values/standards. In accordance with the Terms and Conditions of Use of Universal Analytics, which apply to all users, no personal data may be sent to Analytics. We have obligated our processor and our employees to comply strictly with these Terms and Conditions of Use.

(4) The direct identification of an individual user from the user ID is supposed to be excluded. Nevertheless, the program functions (see above) mean that the Universal Analytics ID is presumably to be classified as an online identifier within the sense of Art. 4 (1) GDPR and consequently as personal data.

(5) We have therefore instructed our processor and our employees not even to enable the user ID and not to send any personal data to Google. (“https://support.google.com/analytics/answer/6366371?hl=en”.)

(6) Google continues to place a cookie, of course. It is used to process the information type of browser, operating system used, referrer URL, IP address (truncated/anonymised) and the time of the server query. You can prevent the storage of cookies by making the appropriate settings in your browser software; however, we expressly point out to you that doing so may possibly prevent you from being able to use all of the functions on this site in their full scope. If you do not wish to accept any restrictions in the possible use of the site, you should instead utilise the provided function for disabling the analysis cookies the first time you visit our website (Cookiebot procedure in Section 9) or exercise your right to object , which is possible at any time.

(7) Furthermore, you can prevent the recording of the data generated by the cookie related to your use of the website (including your IP address) at Google and the processing of these data by Google by downloading and installing the browser plugin available at this link (http://tools.google.com/dlpage/gaoptout?hl=en). When using disabling functions (so-called opt-out solutions), however, you must in general make sure that your browser or the “cleaning program” with access to your browsing history is not set so that the opt-out cookies from the third-party provider are erased. Your decision in the Cookiebot procedure (cf. Section 9) is stored for one year; at the end of this period, you will be asked again for a decision. That is why we believe this is the better procedure.

(8) You will find additional information about the handling of user data with Google Analytics in the Google privacy statement https://support.google.com/analytics/answer/6004245?hl=en or at http://www.google.com/intl/en/analytics/privacyoverview.html (general information about Google Analytics and privacy).

(9) Here you can deactivate Google Analytics:

Section 3       Facebook Pixel

(1) Subject to your consent, we utilise the “tracking pixel” of Facebook, Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA (Facebook”) on some of the pages of our internet site. The collected data are anonymous for us and do not enable us to draw any conclusions about the identity of the users. Nevertheless, the data are stored and processed by Facebook so that a connection to the user profile in each case is possible, and Facebook can use the data for its own advertising purposes in accordance with the Facebook privacy policy ((https://www.facebook.com/about/privacy/). You can make it possible for Facebook and its partners to place advertisements on and outside of Facebook. Moreover, a cookie can be stored on your computer for these purposes.

(2) Please click here if you wish to disable the advertising. https://www.facebook.com/ads/website_custom_audiences/

Section 4       Use of Google Maps

(1) Some of the pages of the site use Google Maps API for the visual display of geographical information. When Google Maps is used, Google also collects, processes and uses data about the visitors’ use of the map functions. You will find more detailed information about the data processing done by Google in the Google privacy remarks. You can also go to the company’s privacy centre to modify your personal privacy settings.

(2) You will find comprehensive instructions for managing your own data with respect to Google products here.

Section 5       Embedded YouTube Videos

We embed YouTube videos on some of our websites. The operator of these plugins is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit a site with the YouTube plugin, a connection to the YouTube servers is created, and the pages you access are communicated to YouTube. If you are logged on to your YouTube account, YouTube can attribute your surfing activities to you personally. You can prevent this by logging off your YouTube account prior to accessing the sites.

If a YouTube video is launched, the provider places cookies that collect information about the user’s behaviour.

If you have disabled the storage of cookies for the Google ad program, you will not need to be concerned about any such cookies when you view YouTube videos. However, YouTube stores non-personal use information in other cookies as well. If you want to prevent this, you must block the storage of cookies in your browser settings.

Additional information about privacy at “YouTube” can be found in the provider’s privacy statement at: https://www.google.en/intl/de/policies/privacy/.

Section 6       Social Plugins

We offer to you the opportunity to use so-called “social media buttons” on our website. We use the solution “Shariff” during implementation to protect your data. The program integrates these buttons into the website solely in form of a graphic that contains a link to the corresponding website of the button provider. When you click on the graphic, you are transferred to the services of the corresponding provider. Only then are your data sent to the relevant provider. If you do not click on the graphic, there is no exchange whatsoever between you and the providers of the social media buttons. You will find information about the collection and use of your data on social networks in the terms and conditions of use of the specific providers. Click on this link for more information about the Shariff solution: www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html.

We have integrated the social media buttons of the following companies on some of the pages of the group site:

Facebook, Inc. (1601 S. California Ave - Palo Alto - CA 94304 - USA) Within the European legal jurisdiction, the responsible party is Facebook Ireland Ltd., headquarters at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Twitter Inc. (795 Folsom St. - Suite 600 - San Francisco - CA 94107 - USA) Within the European legal jurisdiction, the responsible party is Twitter Ireland Ltd., headquarters at 1 Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland.

Section 7       Collection and Storage of Personal Data

(1 ) More extensive personal information is collected solely if and when you have voluntarily provided it to us, e.g. when submitting a query or registering on the site.

(2) If you contact us using email or a contact form, the information you provide for the purpose of processing the query and for possible follow-up questions will be stored. Your personal data are always used solely within the scope of the consent you have given us. You are free at any time to withdraw any consent you have given.

(3 ) The procedures we use during all data processing activities (e.g. collection, processing and transmission) are in compliance with legal statutes. The following explanatory remarks will provide you with an overview of the nature of the data that are collected, how these data are used and transferred to other parties, what security measures we implement for the protection of your data and the options available to you for obtaining information about the information that has been given to us.

(4) When you register for the use of our personalised services, some additional personal data such as your name, address and contact and communication data such as phone number and email address are also collected. When you have registered with us, you can access content and services we offer solely to registered users. Registered users also have the opportunity to modify or erase themselves any data provided during registration as necessary. Naturally, we will in addition provide to you at any time information about the personal data concerning you that we have stored. We will also be happy to rectify or erase any such data at your request, provided that this is not prohibited by statutory retention obligations.

(5) In keeping with the principle of data economy, only the data we require to answer your queries or for the performance and processing of orders will be requested (e.g. your complete name and/or complete company name as well as that of the authorised representative(s), your email address, any customer number that may have previously been issued and your address). In addition, you must select a user name and a password for the registration; the two together will simplify your login without re-entry of the data. We save the data you have entered to set up your customer account.

(6) We process data from other sources if you already have a customer account with us or with our distribution partners or our representative offices. We then add the data from your query or your order data to your customer account. It is possible that we will collect creditworthiness data from our commercial credit insurers and add the information to your customer account for new customers and commercial customers.

Section 8       Newsletter

(1) As a registered user of our B2B platform Tormaticsales, you can sign up for our email newsletter service. In this case, we must collect and store your email address. We use it solely and exclusively to send newsletter emails notifying you of current offers. Subscribers may also be notified by email of circumstances relevant for the service or the registration (e.g. changes in the newsletter service or technical matters).

(2) We require a valid email address for valid registration. To ensure that the registration is actually coming from the owner of an email address, we utilise the “double opt-in” procedure. During this procedure, we record the request for the newsletter, the sending of a confirmation email and the receipt of the answer requested in the confirmation. No other data are collected. The data are used solely and exclusively for the transmission of the newsletter and are not transferred to third parties.

(3) You may withdraw your consent for the storage of your personal data and their use for the transmission of the newsletter at any time. You will find a link that can be used for this purpose in every newsletter. In addition, you can unsubscribe directly on this website at any time by clicking on the field “Unsubscribe to newsletter” on our internet site, or you can use the contact information found at the end of this privacy information to notify us of your request. Your data will then be erased.

Section 9       Cookies

(1) This internet site uses cookies. Cookies are small text files that are transmitted from a website server to your hard drive. We automatically obtain at this time certain data about your computer and your internet connection such as IP address, browser used and operating system.

(2) Cookies cannot be used to launch programs or to transfer viruses to a computer. We can use the information contained in the cookies to simplify your navigation and to ensure the correct display of our websites.

(3) Under no circumstances are the data we collect in this way transferred to third parties or is a link to personal data established without your consent.

(4) Naturally, you can always view our website even without cookies. You can prevent the use of cookies by setting your browser to block cookies. You will be able to see, as a minimum, the most important parts of these sites as before. Keep in mind, however, that certain functions of our website and the services that can be accessed through your registration and login on the Extranet and the connected trading platforms do not work if you have disabled the use of cookies.

(5) Cookies have different functions. Some cookies are required for specific functions or services on our internet sites, e.g. to defend against attacks on the internet sites or to recognise you as a registered user of our trading platform. Unless the required cookies are available, the functions and services cannot be utilised, and you will receive error messages or information instead of the desired function. You can, however, at any time grant the consent not previously given or restore withdrawn consent by removing the blocks for the specific cookie and re-accessing the internet site or refreshing the internet site in your browser.

(6) We have implemented the extended cookie alert banner Cookiebot to simplify your handling of cookies on our internet sites and refer to the following procedure instructions. Cookiebot is a service provided by Cybot A/S, Havnegade 39, DK-1058 Copenhagen, Denmark. The cookies required for the internet site functions and the offered services have been set as defaults. If you click on the “OK” button of the banner, you grant your consent (which may be withdrawn at any time) to the use of the default cookies.

(7) The additional function groups and other functions of the integrated cookies are explained and the duration (limited term) of the cookies, at the end of which the cookies automatically expire, is shown in the service’s cookie list. You can disable the cookies singly as well as in function groups. Please note that the cookies also have functions that, while they are not absolutely necessary, may store your user habits and preferences. One example of this is your decision in a dual-language country for one of the two language versions that are offered. The Cookiebot default setting means that you must remove the green tick in the overview to restrict your consent statement accordingly so that you can use the site as usual. If you also allow us to collect statistics (analysis cookies) and to personalise advertising (tracking and profiling cookies), we can send you the tailored information to which you are accustomed, remind you of content you have already viewed and optimise our internet sites on the basis of anonymous analysis of your user behaviour on our sites and platforms and in our services. We thank all of our users who help us in this way to improve constantly.

(8) These are the cookies we use:

Section 10     Security Information

(1) We have implemented many different security measures of reasonable and adequate scope for the protection of personal data.

(2) Our databases are protected by physical and technical measures as well as procedural measures that limit information access to specially authorised persons in conformity with this privacy statement. Our information system is located behind a software firewall to prevent access from other networks that are connected to the internet. Solely employees with a need to know information for the performance of specific tasks are granted access to personal data. Our employees have been trained in security matters and data protection practices. All of our employees and any and all third parties involved in data processing have been obligated to compliance with the German Federal Data Protection Act and to confidential handling of personal data.

(3) Whenever personal data are collected through our internet sites, the transmission is encrypted using the industry standard secure socket layer (“SSL”) technology via https.

(4) You should never reveal your password for your access to our internet sites to third parties, and you should change this password at regular intervals. When you leave our sites, you should always log out and close your browser to prevent any unauthorised users from obtaining access to your user account.

(5) We cannot warrant complete data security whenever email is used for communication.

Section 11     Use, Transfer and Erasure of Personal Data

(1) We use the personal data you have provided to us to answer your queries, process your orders and check your creditworthiness and for technical administration of the websites.

(2) Your personal data will be transferred to third parties solely if the transfer is required to process the contract or if you have given your express consent.

(3) In addition, we do not exclude the possibility that we will transfer anonymised use data for market research purposes. The identification of specific users is excluded in these cases (see above).

(4) We want to point out that in specific cases we are authorised and required by order of government agencies to provide information about data to the extent that this is necessary

• to prosecute criminal activities,

• to obtain state police protection from threats,

• to perform the legal tasks required of the national and state constitution protection authorities, the Federal Intelligence Service or the Military Counterintelligence Service

• or to defend intellectual property rights.

(5) The user data from visitors to the website are automatically erased immediately when the visitors leave the site. The term of the cookies is described in detail in Section 9. Data related to a query are erased once the follow-up correspondence has been completed and no later than six months after the last message that remained unanswered by the user. The data for specific quotations are either erased by the users themselves or at their request and no later than three years after issue of the quotation. Contract data are erased after complete performance of the contractual relationship, in particular after the expiration of warranty, guarantee or liability periods. These periods may be as long as 10 years after delivery of the products or acceptance of the contract performance for the manufacturers of construction products relevant for safety. Our data protection officer will be glad to answer any questions about the erasure policy.

Section 12     Your Privacy Rights

(1) You have the right to access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. Sections 34 and 35 BDSG (Federal Data Protection Act) apply as well with respect to the rights to access and erasure. In addition, there is the right to lodge a complaint with a supervisory authority (Art. 77 GDPR and Section 19 BDSG).

(2) You have the right to obtain from us at any time information about your personal data that we have stored. You also have the right to rectification, blocking or (with the exception of the data storage related to business performance mentioned above) erasure of your personal data. You may contact Thorsten Werbeck, our data protection officer (thorsten.werbeck@novoferm.de), or the data protection officer or persons in charge of data protection at the representative office for your account at any time if you have any questions about the subject of privacy.

(3) Any data that have been blocked must be retained in a blocked file for control purposes so that the blocking of data can be respected at all times. You may also obtain the erasure of the data, provided that there are no statutory retention obligations prohibiting the erasure. If there is such a prohibition of erasure, we will at your request block data.

(4) You may make changes in or withdraw your consent by sending us a message of this content that will become effective for the future. You may withdraw consent at any time without giving your reasons and without observing any special formalities. You may use for this purpose any of the address and contact data of Novoferm tormatic GmbH shown above.

Section 13     Amendment of Our Privacy Policy

We reserve the right to adapt this privacy statement from time to time so that it always conforms to the latest legal requirements or to include changes in our services in the privacy statement, e.g. when we introduce new services or functions. The new privacy statement then applies when you visit the site again.

Section 14     Right to Object

(1) You have the right, on grounds relating to your particular situation

• as user of the internet site,

• as potential customer after contacting us and our distribution partners,

• as registered user of the associated trading platform Tormaticsales,

• or as a Novoferm tormatic GmbH customer,

to object at any time to processing of personal data concerning you which is based on point (f) of Art. 6 (1) GDPR (data processing on the grounds of a weighing of interests).

(2) If you lodge an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

(3) The objection may be lodged without special formality and can be sent to our address shown in Section 1. 

Novoferm Privacy Policy Internet Services

Record of Processing Activities Pursuant to Art. 30 GDPR

Excerpt from our platform Tormaticsales (see below):

The internet site www.tormatic.de/en (including its B2B trading platform Tormaticsales and the connected lead system, which functions as described above), which is controlled pursuant to data protection and telemedia law independently in legal terms by Novoferm tormatic GmbH, but managed on the same legal grounds, according to the same rules and on the basis of the same privacy policy, operates Novoferm GmbH as processor for the group company.

Complete text

1. Controller on our behalf within the sense of data protection (including the data protection regulations of the TMG [German Telemedia Act] is Novoferm GmbH

Venue: Coesfeld Local Court, HRB 7771

Value-added tax identification number: DE811152143

Managing Directors

Rainer Schackmann, Dipl.-Ing., CEO

Thomas Hage, Dipl.-Kfm.

Dirk Gössling, Dipl.-Ing.

Isselburger Strasse 31

46459 Rees

Phone:  (+49)02850-910-0

Fax:       (+49)02850-910-646

Internet:

www.novoferm.com (Novoferm Group)

www.novoferm.de  (Novoferm Germany)

 for the joint internet site of Novoferm Group consisting of

2. Mr Thorsten Werbeck

Herr Thorsten Werbeck

Isselburger Str. 31, 46459 Rees

Email: thorsten.werbeck@novoferm.de

has been appointed

as group data protection officer pursuant to Art. 37 (2) GDPR for the companies

• Novoferm GmbH, Isselburger Str. 31, 46459 Rees

• Novoferm Vertriebs GmbH, Schüttensteiner Str. 26, 46419 Isselburg

• Novoferm Riexinger Türenwerke GmbH, Industriestr. 12, 74336 Brackenheim

• Novoferm tormatic GmbH, Eisenhüttenweg 6, 44145 Dortmund

• TST Tor System Technik GmbH, Willi-Bleicher-Str. 7, 52353 Düren

3. User data for website services are stored and processed solely and exclusively for the duration of the use of the site and are erased at the latest upon the closure of the session. User data that have been voluntarily provided with respect to a query are processed, stored and transferred to the indicated distribution partners for processing of the query solely and exclusively for the processing of the query and within the limits of the granted consent; they are erased when the query has been fully processed. Master data from registration are stored for the duration of the utilisation contract and are collected, stored and erased on the basis of the agreed terms and conditions of use. We refer to the privacy policy concerning the handling of contract performance data in operating business.

4. Data subjects are defined as:

• Most broadly, all users of our internet sites in the described group site;

• Then potential buyers of our products and the services we offer;

• Then potential customers submitting queries whose master data are collected for the contact and transferred to the appropriate representative office or distribution partner (see above) for processing of the query and stored for review of the processing in the lead system;

• Then the potential and current customers whose data are processed by registered users (representative offices and distribution partners) in the quotation function of our online shops for processing of the queries, requests for submission of quotations or for further performance of contracts (follow-up orders, warranty requests etc.). Business transactions are stored for the representative office or the distribution partner for a period of 6 (six) years. As these parties are the contract partners for the customers, they are themselves responsible for data protection that is beyond our control (lead system, trading platforms).

5. The types of processed data:

• Most broadly, the anonymised user data for statistical purposes and for the optimisation of the user friendliness of our internet site described in detail in the privacy statement;

• The master data entered by users in the entry mask when establishing contact. The data are correlated to the purpose of the specific user query and include, in addition to the contact data required for processing (address data, marked with *), supplementary voluntary data fields for more convenient or direct establishment of contact (phone data) and free-text fields for limited text messages. In addition to instructions for processing or restrictions of the consent declaration, users can also transmit transaction data related to the content of their queries;

• The use of the postal code search requires merely the temporary entry of any postal code; a personal association with users is not established;

• During the use of the configurator, the user’s data records are stored solely in accordance with his or her express request and transferred to the distribution partner in the appropriate area solely with his or her express consent (“opt-in”). Here as well, the user must enter the master data for a contact query so that his or her query about the configuration can be processed. The technical and visual data of the configuration are collected and stored along with the master data;

• During registration and the conclusion of a utilisation agreement, all master data required for agreement processing and secure identification of the contract partner are collected. For the use of the B2B platforms (Extranet, trading platforms, online shop, lead system), additional master data of the user are required for verification of the entrepreneurial character within the sense of Section 13 BGB [Civil Code] and the master data of authorised representatives. For the use of the quotation function of the trading platforms and the use of the lead system functions, additional data concerning the authorised persons within the sense of data protection (access control) are collected (e.g. personalised email addresses and secure passwords);

• During the processing of leads, additional specific transaction data required for processing of the specific query may, under certain circumstances, be collected and merged and processed in conjunction with the data of the query. Such actions may include follow-up questions regarding the suitability of the selected Novoferm product or the precise installation situation (e.g. of the garage door) on the user’s property or in his or her building.

6. Possible recipients of the data:

• The target parties of the data transmission shown in the consent information (representative offices or distribution partners of Novoferm GmbH, e.g. Novoferm Vertriebs GmbH for the B2B market in Germany or the locally authorised distribution partner or the representative office in the target country of the user’s query for questions from other European countries);

• The company’s own employees obligated to compliance with the Novoferm data protection organisation and the privacy statement and to confidentiality, especially within the framework of their activities as system administrators and order data processors;

• Our processors (host service and service operators) contractually obligated to confidentiality and also subject to the European data security level as described in the privacy statement.

7. Data processing outside of the immediate territorial scope of the GDPR takes place solely for users from Switzerland on the basis of Swiss data protection law. Moreover, we also guarantee compliance with the level of European data security as a minimum for our users from Switzerland.

8. User data not related to transactions are erased at the latest immediately after conclusion of the use. Query data are erased after conclusion of the processing of the query to the extent that they do not remain permanently stored because of a subsequent business transaction and are finally erased on the basis of the erasure provisions for contract data (see above).

9. Level of security and security measures (Art. 32 GDPR)

We consider the level of security for address data that are usually available in public directories to be relatively low. We consider individual contact data, in particular transaction data for concrete installation queries, to be critical because in the worst case conclusions about reduced building security, even if only temporary, while work is being done on doors and other entrances and exits in the user’s buildings can be drawn from unauthorised data access with criminal intent in conjunction with address data. The risks related to loss of data are in contrast not a problem because even concrete user queries can be easily reproduced with little or manageable effort using the functions of the services.

We transmit even queries about contract initiation containing concrete user data via the contact forms or the configurator in encrypted form (SSL technology).

Our system administrators ensure that the transmitted data can be attributed solely and exclusively to the concrete lead and consequently the concrete user query. The system functions of the lead system ensure that the user’s data records can be read and processed solely and exclusively by the representative office in his or her area and the office’s distribution partners. (For instance, user query from Germany > access by Novoferm Vertriebs GmbH, user query from Nuremberg > supplementary access by the distribution partner in Nuremberg that prepares the contact quotation for delivery of the garage door or installation of the fire protection doors.)

All entries to the system are appropriately personalised, password-protected and used solely by persons who are contractually obligated to compliance with the Novoferm GmbH privacy policy and to implementation of the European (or Swiss, see above) level of data security within their own work organisation.

The availability and usability of the systems are guaranteed by physical and technical protective measures (firewall, secured servers in data centres, backup systems etc., all using state-of-the-art technology) as described in the general privacy policy.

The restoration of the system data from backups is guaranteed as described in the General Restoration Concept.

The inspection, analysis and evaluation of the effectiveness of the security measures is guaranteed by the PBE Concept of our group data protection officer.

Isselburg in May 2018

Thorsten Werbeck