ITG GmbH Internationale Spedition und Logistik
85445 Schwaig, Germany
E-mail address: email@example.com
Managing Directors: Holger Funk, Patrick Lindig
Data Protection Officer contact:
Types of personal information processed:
- Inventory data (e.g., names, addresses)
- Contact details (e.g., e-mail, phone numbers)
- Content data (e.g., text input, photographs, videos)
- Usage data (e.g., web pages visited, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses)
We also process:
- Contract data (e.g., subject matter of the contract, contract term, customer category)
- Payment data (e.g., bank details, payment history) via BSPAYONE (https://www.bspayone.com/DE/de/privacy) of our customers, prospective customers, and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research.
Categories of data subjects
Visitors and users of the online offer (hereafter we also refer to the data subjects collectively as “users”).
Purpose of processing
- Provision of the online services, their functions, and their content
- Responding to contact requests and communicating with users
- Security measures
- Measuring reach/marketing
“Personal information” refers to any information relating to an identified or identifiable natural person (hereinafter the “data subject”); an identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. “Processing” means any operation or set of operations performed upon personal information, whether or not these actions are automated. The term is broad and encompasses virtually any handling of personal information. “Pseudonymization” refers to processing of personal information in such a way that the personal information can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure that the personal information is not attributed to an identified or identifiable natural person. “Profiling” refers to any automated processing of personal information that consists of using such personal information to evaluate certain personal aspects relating to a natural person, in particular to analyzing or predicting aspects relating to that natural person’s performance at work or their economic situation, health, personal preferences, interests, reliability, behavior, location, or change of location. “Data controller” refers to the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal information. “Data processor” refers to a natural or legal person, public authority, agency, or other body which processes personal information on behalf of the data controller.
Relevant legal bases
We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk in accordance with art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. In particular, the measures include ensuring the confidentiality, integrity and availability of personal information by controlling physical access to the personal information as well as access to, entry, disclosure of, assurance of availability of, and separation of the personal information. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and a response to jeopardizing the security of the data. In addition, we already take the protection of personal information into account during the development and selection of hardware, software, and processes in accordance with the principle of data protection through technology design and through data protection-friendly default settings (art. 25 GDPR).
Cooperation with data processors and third parties
If, in the course of our processing, we disclose personal information to other persons and companies (data processors or third parties), transmit it to them, or otherwise grant them access to the personal information, this will only be done on the basis of a legal permission (e.g., if transmission of the personal information to third parties, such as payment service providers, is required for the performance of the contract pursuant to art. 6 (1) (b) GDPR), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using commissioned parties, web hosts, etc.). If we commission third parties with the processing of personal information on the basis of a “data processing agreement,” this is done on the basis of art. 28 GDPR.
Your entered personal data will be forwarded to RECARO Holding GmbH, Jahnstraße 1, 70597 Stuttgart, Germany, for the purpose of internal customer analysis and, in the case of a legitimate interest according to §§ 15 AktG (German Stock Corporation Act), also to companies affiliated with RECARO Holding GmbH.
Transfers to third countries
If we process personal information in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of the use of third-party services or disclosing or transferring personal information to third parties, this will only be done if it is necessary to fulfill our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of personal information in a third country only if the special requirements of art. 44 et seq. GDPR are met. This means, for example, that processing takes place on the basis of special guarantees such as the officially recognized determination of a level of data protection that corresponds to that of the EU (e.g., for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations.
Rights of data subjects
You have the right to request confirmation as to whether personal information concerning you is being processed and to information about this personal information as well as further information and a copy of the personal information in accordance with art. 15 GDPR. According to art. 16 GDPR, you have the right to request the completion of the personal information concerning you or the correction of incorrect personal information concerning you. In accordance with art. 17 GDPR, you have the right to demand that the personal information concerning you will be deleted without delay or, alternatively, to demand restriction of the processing of the personal information in accordance with art. 18 GDPR. You have the right to request to receive the personal information concerning you that you have provided to us in accordance with art. 20 GDPR and to request its transfer to other data controllers. You also have the right to lodge a complaint with the competent supervisory authority pursuant to art. 77 GDPR:
Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 27, 91522 Ansbach, Germany
Right to revoke consent
You have the right to revoke consent given according to art. 7 (3) GDPR with effect for the future.
Right to object
You may object at any time to future processing of personal information concerning you in accordance with art. 21 GDPR. You can object in particular to processing for purposes of direct advertising.
Cookies and the right to object to direct advertising
Deleting personal information
Data processing in the online shop and customer account
We process personal information of our customers in the context of order processing in our online shop to enable them to select and order the selected products and services as well to enable payment and delivery or execution of the order. The personal information processed includes master data, communication data, contract data, and payment data, and the data subjects of the processing include our customers, prospective customers, and other business partners. Processing is carried out for the purpose of providing contractual services within the framework of the operation of an online shop and of billing, delivery, and provision of customer services. We use session cookies to store the contents of the shopping cart and permanent cookies to store the login status. Processing is based on art. 6 (1) (b) (execution of order transactions) and (c) (legally required archiving) GDPR. In this context, the information marked as required is necessary as the basis of and for fulfillment of the contract. We disclose personal information to third parties only within the scope of delivery or payment or within the framework of legal permissions and obligations to legal advisors and authorities. Personal information is only processed in third countries if such processing is necessary for the fulfillment of the contract (e.g., at the customer’s request for delivery or payment). Users have the option to create a user account that allows them to view their orders in particular. During the registration process, the required mandatory information is provided to the users. The user accounts are not public and cannot be indexed by search engines. If a user has terminated their user account, their personal information with regard to the user account will be deleted, subject to its retention being necessary for reasons of commercial or tax law in accordance with art. 6 (1) (c) GDPR. Information in the customer account remains until it is deleted, with subsequent archiving in the event of a legal obligation. If the contract is terminated, it is the responsibility of the user to back up their personal information before the end of the contract. Within the scope of registration and renewed logins, as well as use of our online services, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests as well as those of users in protecting against misuse and other unauthorized use of the system. This personal information generally will not be passed on to third parties unless it is necessary to do so to pursue our claims or if there is a relevant legal obligation pursuant to art. 6 (1) (c) GDPR. Deletion occurs after expiry of the legal warranty and comparable obligations, with the necessity of keeping the personal information reviewed every three years; if legal archiving obligations apply, the deletion takes place after they expire (end of the retention obligation under commercial law (6 years) and tax law (10 years).
External payment service providers
We employ external payment service providers whose platforms allow users and us to carry out payment transactions. These providers include Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full), Visa (https://www.visa.de/datenschutz), Mastercard (https://www.mastercard.de/de-de/datenschutz.html), and instant bank transfer provided by Sofort GmbH (https://www.sofort.com/integrationCenter-ger-DE/integration/datenschutz.html) In the context of contract performance, we use payment service providers on the basis of art. 6 (1) (b) GDPR. We also use external payment service providers on the basis of our legitimate interests pursuant to art. 6 (1) (f) GDPR in order to offer our users effective and secure payment options. The personal information processed by the payment service providers includes master data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, and contract, total, and recipient-related information. The information is necessary to carry out the transactions. However, the information entered is only processed by the payment service providers and stored on their systems. That is, we do not receive any account or credit card-related information but instead only information that confirms the success of the payment or lets us know that the payment did not go through. Under certain circumstances, the payment service providers may transmit personal information to credit agencies. This information is transmitted for the purpose of checking identity and creditworthiness. In this regard we refer to the terms and conditions and privacy policies of the payment service providers. The terms and conditions and privacy policies of the respective payment service providers apply to the payment transactions that can be accessed within the respective websites and transaction applications. We also refer to these for further information and assertion of revocation, information, and other data subject rights.
Administration, financial accounting, office organization, contact management
We process personal information in the context of administrative tasks as well as the organization of our operations, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same personal information that we process in the provision of our contractual services. The bases for such processing are art. 6 (1) (c) GDPR and art. 6 (1) (f) GDPR. Customers, interested parties, business partners, and website visitors are affected by the processing. The purpose of and our interest in the processing lies in the administration, financial accounting, office organization, and archiving of personal information, that is, tasks that serve to maintain our business activities, perform our tasks, and provide our services. The deletion of the personal information with regard to contractual services and contractual communication corresponds to the information mentioned in these processing activities. In this context, we disclose or transmit data to the tax authorities, advisors, such as tax consultants or auditors, and other fee offices and payment service providers. We also store information on suppliers, event organizers, and other business partners on the basis of our business interests, such as for the purpose of contacting them at a later date. We generally store this information, which is mainly company-related, for 10 years.
Business analyses and market research
In order to run our business economically and to be able to recognize market trends as well as the wishes of contractual partners and users, we analyze the data we have on business transactions, contracts, inquiries, and so on. In doing so, we process master data, communication data, contract data, payment data, usage data, and metadata on the basis of art. 6 (1) (f) GDPR, with the data subjects including contractual partners, interested parties, customers, visitors, and users of our online offer. The analyses are carried out for the purpose of business evaluations, marketing, and market research. In doing so, we can take into account the profiles of registered users with information about the services they have used, for example. The analyses serve to increase user-friendliness as well as to optimize our offer and that of the operational economy. The analyses are for our purposes only and are not disclosed externally unless they are anonymous analyses with aggregated values. The analyses can also be based on surveys conducted by e-mail or phone. If these analyses or profiles relate to a person, they are deleted or anonymized upon termination by the user or otherwise after two years from the conclusion of the contract. In other respects, the overall business analyses and general trend determinations are prepared anonymously wherever possible.
Users can create a user account. As part of the registration process, the required mandatory information is communicated to the users and processed on the basis of art. 6 (1) (b) GDPR for the purpose of provision of the user account. The processed personal information includes the login information (name, password, and an e-mail address) in particular. The personal information entered during registration is processed for the purposes of usage of the user account and its purpose. Users can be notified by e-mail in regard to information relevant to their user account, such as technical changes. If users have terminated their user account, their personal information relating to the user account will be deleted, subject to any legal obligation to retain such personal information. If the contract is terminated, it is the responsibility of the user to back up their personal information before the end of the contract. We are entitled to irretrievably delete all of the user’s personal information stored during the term of the contract. Within the scope of your use of our registration and login functions as well as the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests as well as those of users in protecting against misuse and other unauthorized use of the system. This personal information generally will not be passed on to third parties unless it is necessary to do so to pursue our claims or if there is a relevant legal obligation pursuant to art. 6 (1) (c) GDPR. The IP addresses are made anonymous or deleted after 7 days at the latest.
Comments and posts
When contacting us (e.g., by contact form, e-mail, telephone, or social media), the user’s personal information will be used to process and respond to the contact request pursuant to art. 6 (1) (b) (in the context of contractual/pre-contractual relations) and art. 6 (1) (f) (other inquiries) GDPR. User information may be stored in a customer relationship management system (“CRM System”) or similar inquiry management system. We delete the inquiries if they are no longer necessary. We review the necessity of deletion every two years, while also being subject to legal archiving obligations.
In the following, we inform you about our newsletter as well as the processes for signing up for and the dispatch of the newsletter, how we evaluate its statistical information, and your rights to object to processing of your personal information in this context. By subscribing to our newsletter, you agree to receive the newsletter and to the procedures we describe below. Newsletter content: We send newsletters, e-mails, and other electronic notifications with promotional information (hereinafter referred to as the “newsletter”) only with the consent of the recipients or other legal permission to do so. Insofar as the content of the newsletter is specifically described in the sign-up process, the user’s consent applies to receiving the content described. Apart from that, our newsletters contain information about our services and us. Double opt-in and logging: Signing up for our newsletter takes place by means of what is referred to as a double opt-in process. That is, after you sign up, you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that it is impossible for third parties to sign you up under your e-mail address without your permission. Subscriptions to the newsletter are logged in order to prove that the subscription process occurred in accordance with legal requirements. This logging includes storage of the time at which you signed up and confirmed your sign-up, along with your IP address. In addition, changes to the personal information stored with the service provider for newsletter dispatch are logged. Information for signing up: To subscribe to the newsletter, it is sufficient to provide your e-mail address. We ask you to optionally provide a name so that we can address you personally in the newsletter. Dispatch of the newsletter and the associated performance measurement are based on the consent of the recipients pursuant to art. 6 (1) (a) and art. 7 GDPR in conjunction with section 7 (2) (3) of the Unfair Competition Act (UCA) or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to art. 6 (1) (f) GDPR in conjunction with section 7 (3) UCA. The logging of the sign-up process is based on our legitimate interests pursuant to art. 6 (1) (f) GDPR. We are interested in use of a user-friendly and secure newsletter system that serves our business interests, meets the expectations of users, and also allows us to prove that users consented to receipt of the newsletter. Unsubscribing/revocation – You can unsubscribe from our newsletter at any time, that is, revoke your consent to receiving it. The bottom of each newsletter contains a link for unsubscribing from the newsletter. We may store unsubscribed e-mail addresses for up to three years before deleting them based on our legitimate interest in proving that consent was previously given. Processing this personal information is limited to the purpose that it serves as a possible defense against claims against us. An individual deletion request is possible to fulfill at any time, provided that the previous existence of consent is confirmed at the same time.
Newsletter – Newsletter2Go
Newsletter performance measurement
The newsletters contain a so-called “web beacon,” that is, a pixel-sized file that is retrieved from our server when the newsletter is opened, or, if we use a newsletter dispatch service provider, from the server of this provider. When this web beacon is retrieved, technical information is collected, including information about your browser and system as well as your IP address and the time of the retrieval. This information is used for the improve the service from a technical standpoint based on the technical information or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or the time of access. The statistical information collected also includes determinations of whether newsletters are opened, when they are opened, and which links within them are clicked. For technical reasons, such information can be assigned to individual newsletter recipients, but monitoring individual users is not our intention nor the intention of any newsletter dispatch service provider we might use. Rather, we use these evaluations to determine the reading habits of our users and to adapt our content to them or to send different content that corresponds to the interests of our users. It is unfortunately impossible to separately revoke permission for performance measurement; in this case it is necessary to completely unsubscribe from the newsletter.
Hosting and e-mail dispatch
The hosting services we use are for the provision of the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services, and technical maintenance services that we use for the purpose of operating this online offer. We, or our hosting provider, process master data, contact data, content data, contract data, usage data, meta data, and communication data of customers, interested parties, and visitors of this online offer on the basis of our legitimate interests in efficient and secure provision of this online offer pursuant to art. 6 (1) (f) GDPR in conjunction with art. 28 GDPR (conclusion of a data processing contract).
Google Tag Manager
Google Tag Manager is a solution that allows us to manage website tags via an interface (so we can integrate Google Analytics and other Google marketing services into our online offer, for example). Google Tag Manager itself (which implements the tags) does not process any personal information of users. With regard to processing of users’ personal information, reference is made to the following information on Google services. Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.
Google Universal Analytics
We use Google Analytics in the form of “Universal Analytics.” “Universal Analytics” refers to a method of Google Analytics in which user analysis is performed on the basis of a pseudonymous user ID, thus creating a pseudonymous profile of the user with information from the use of different devices (known as “cross-device tracking”).
Target group formation with Google Analytics
We use Google Analytics to display the ads placed within advertising services of Google and its partners only to those users who have also shown an interest in our online offer or who have certain characteristics (e.g., interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (for “remarketing audiences” or “Google Analytics audiences”). Through the use of remarketing audiences, we also would like to ensure that our ads match the potential interests of the users.
Google AdWords and conversion measurement
Facebook pixel, Custom Audiences and Facebook conversion
Online presence in social media
Integration of third-party services and content
On the basis of our legitimate interests (i.e., interest in the analysis, optimization, and cost-efficient operation of our online offer within the meaning of art. 6 (1) (f) GDPR), we use content or service offers of third-party providers within our online offer in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”). This always requires that the third-party providers of this content are aware of the IP addresses of the users, since without the IP address they would not be able to send the content to their browsers. The IP address is thus required for display of this content. We endeavor to use only the content whose respective providers use the IP address only for delivery of the content. Third-party providers may also use “pixel tags” (invisible graphics also known as “web beacons”) for statistical or marketing purposes. The pixel tags can be used to evaluate information such as visitor traffic to the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain data such as technical information about the browser and operating system, referring websites, time of visit, and other information about the use of our online offer, and it may be combined with such information from other sources.
Created with data protection generator by attorney Dr. Thomas Schwenke
*The term “customer” is used to refer to women, men, and intersex persons on a neutral basis.