We very much welcome your interest in our company. Data protection is of particular importance to the management of EFR GmbH. It is possible to use the EFR GmbH websites without providing details of personal data. However where a data subject wishes to use particular services provided by our company via our website it may be necessary to process personal data. If the processing of personal data is necessary and if there is no statutory basis for such processing, we generally obtain consent from the data subject.
The processing of personal data, for instance the name, address, email address or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation and in accordance with the country-specific data protection provisions applicable to EFR GmbH. By means of this data protection statement our company seeks to give information to the public concerning the type, extent and purpose of the personal data collected, used and processed by us. In addition data subjects have their rights clarified by this data protection statement.
As controller responsible for processing, EFR GmbH has implemented numerous technical and organizational measures in order to ensure as complete as possible protection of the personal data processed on this website. Nonetheless internet-based data transmissions can have security vulnerabilities with the consequence that absolute protection cannot be guaranteed. For this reason it is open to any data subject to transfer personal data to us by alternative methods, for example by telephone.
The data protection statement of EFR GmbH is based on the terms used by the European directives and regulations legislator on the adoption of the General Data Protection Regulation (GDPR). Our data protection statement is intended to be easily readable and comprehensible both for the public and for our customers and business partners. To ensure this we would like firstly to explain the terms used.
In this data protection statement we use, among others, the following terms:
Personal data are all information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A data subject is an identified or identifiable natural person, whose personal data are processed by the controller responsible for the processing.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
Controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature:
Nymphenburger Straße 20 b
Tel.: +49 (0)89 9041020-0
By using cookies EFR GmbH can provide the visitors to this website with more user-friendly services that would not be possible without setting cookies.
By means of cookies the information and offers on our website can be optimized with the user in mind. Cookies make it possible, as already mentioned, for us to recognize the users of our website. The aim of this recognition is to make it easier to use our website. The users of a website that utilizes the cookies need not for example enter their login data again on each visit to the website, since this is done by the website and the cookie downloaded onto the user’s computer system. A further example is the cookie of a shopping basket on the online shop. Using a cookie the online shop memorizes the item that a customer has put in the virtual shopping basket.
The data subject can prevent the placing of cookies by our website at any time via a corresponding setting of the Internet browser used and thus permanently object to the placing of cookies. In addition, cookies that have already been used can be deleted at any time on an Internet browser or other software program. This is possible in all common Internet browsers. If the data subject deactivates the placing of cookies in the Internet browser used, then in certain circumstances not all functions of our website will be fully useable.
The EFR GmbH website collects a range of general data and information every time a data subject or an automated system visits the website. These general data and information are stored in the log files of the server. The website can collect (1) browser type and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system arrives at our website (so-called referrer), (4) the sub-websites that are controlled via an accessing system on our website, (5) the date and time of use of the website, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information that provide security in the event of attacks on our information technology systems.
Using these general data and information EFR GmbH does not draw any conclusions about the data subject. Rather, this information is needed in order (1) to deliver the contents of our website correctly, (2) to optimize the contents of our website and its promotion, (3) to ensure the durable functionality of our information technology systems and of the engineering of our website and (4) in the event of a cyber-attack to provide prosecution authorities with the information necessary for prosecution. These anonymously collected data and information are thus evaluated by EFR GmbH on the one hand statistically and also with the purpose of increasing data protection and data security in our company, in order ultimately to ensure an optimal level of protection for the personal data processed by us. The anonymous data in the server log files are stored separately from all personal data provided by a data subject.
The data subject has the option of registering themselves on the website of the controller by stating personal data. The input mask used for the registration determines the type of personal data thus transmitted to the controller. The personal data input by the data subject are collected and stored exclusively for internal use by the controller and for its own purposes. The controller can arrange the transfer to one or more processors, for instance to a parcel service provider, who use the personal data similarly exclusively for an internal use attributable to the controller.
On registering on the website of the controller, the assigned IP address of the Internet service provider (ISP) of the data subject, the date and the time of the registration are also stored. The storage of these data occurs against the background that only in this way can the misuse of our services be prevented, and these data make it possible if necessary to solve committed offenses. In this respect the storage of these data is necessary for the protection of the controller. Disclosure of these data to third parties is not made provided no stat utory obligation exists for disclosure or disclosure does not serve the purposes of law enforcement.
The registration of the data subject by voluntarily providing personal data serves to enable the controller to offer the data subject content or services that because of the nature of the matter can only be offered to registered users. Registered persons have the option to amend at any time the personal data provided at registration or to have it completely erased from the database of the controller.
The controller shall provide any data subject at any time on request with details of the personal data stored concerning the data subject. Further, the controller shall rectify or erase personal data at the request or instruction of the data subject, to the extent that there is no statutory retention requirement preventing this. All staff members of the controller are available to the data subject as contacts in this connection.
On the EFR GmbH website users are given the option of subscribing to our company’s newsletter. The input mask used for ordering the newsletter determines the type of personal data transmitted to the controller.
EFR GmbH provides information to its customers and business partners concerning offers by the company periodically by means of newsletters. Our company newsletter can be received by the data subject only when (1) the data subject has a valid email address and (2) the data subject registers for the newsletter delivery. For legal reasons a confirmation email is sent in the double opt-in process to the email address entered by a data subject the first time for the newsletter delivery. This confirmation email serves to check whether the owner of the email address as data subject has authorized the receipt of the newsletter.
When the application for the newsletter is made we also store the IP address given by the Internet service provider (ISP) for the computer system used by the data subject at the time of the application and the date and time of the application. The collection of this data is necessary in order to be able to trace the (possible) misuse of the email address of a data subject at a later time and thus serves to provide legal protection to the controller.
The personal data collected in the course of applying for the newsletter are used exclusively for the delivery of our newsletter. In addition subscribers of the newsletter may be informed by email, in so far as this is necessary for the operation of the newsletter service or a registration relating to this, how this might be the case in the event of changes to the newsletter offering or in the event of changes in the technical conditions. No personal data collected in the course of the newsletter service is passed to third parties. The subscription to our newsletter can be terminated by the data subject at any time. The consent to the storage of personal data that the data subject has given to us for the delivery of the newsletter can be withdrawn at any time. For the purposes of withdrawal of the consent there is a corresponding link in each newsletter. In addition there is also the option of unsubscribing from the newsletter at any time directly on the website of the controller or informing the controller of this by another means.
The EFR GmbH newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in emails that are sent in HTML format, in order to enable a log file recording and a log file analysis. This enables a statistical evaluation of the success or failure of online marketing campaigns to be made. With the embedded tracking pixel EFR GmbH can recognize whether and when an email has been opened by a data subject and which links in the email have been accessed by the data subject.
Such personal data collected via the tracking pixels contained in the newsletters are stored and evaluated by the controller in order to optimize the delivery of the newsletter and to customize the content of future newsletters still better to the interests of the data subject. These personal data are not passed on to third parties. Data subjects may at any time withdraw the separate declaration of consent given via the double opt in procedure in relation to this. Following a withdrawal these personal data are erased by the controller. Unsubscribing from receipt of the newsletter is construed automatically by EFR GmbH as withdrawal.
Because of statutory requirements the EFR GmbH website contains information that enables rapid electronic contact with our company and direct communication with us, which also includes a general address for so-called electronic post (email address). Where a data subject initiates contact with the controller by email or using a contact form, the personal data provided by the data subject is automatically stored. Such personal data provided voluntarily by a data subject to the controller are stored for the purposes of processing or making contact with the data subject. There is no disclosure of these personal data to third parties.
The controller processes and stores personal data of the data subject only for the period of time necessary to achieve the purpose of storage or for so long as this has been provided for by the European directives and regulations legislator or another legislator in laws or regulations which the controller is subject to. Where the purpose of storage no longer applies or where a storage period prescribed by the European directives and regulations legislator or another responsible legislator expires, the personal data are blocked or erased routinely and in accordance with the statutory provisions.
Every data subject has the right granted by the European directives and regulations legislator to demand from the controller confirmation of whether personal data concerning them is processed. If a data subject wishes to exercise this right to confirmation, they can at any time contact a staff member of the controller for this purpose.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator to obtain at any time from the controller free of charge information on the personal data stored concerning themselves and a copy of this information. In addition the European directives and regulations legislator has permitted the data subject to obtain information about the following: the purposes of the processing; the categories of personal data that are processed; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of a right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the existence of a right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and — at least in these cases — meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. In addition the data subject has a right to information whether personal data have been transferred to a third country or to an international organization. Where this is the case the data subject also has the right to be informed of the appropriate safeguards relating to the transfer. If a data subject would like to exercise this right to information, they can at any time contact a staff member of the controller for this purpose.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator to require the prompt rectification of inaccurate personal data concerning them. In addition the data subject has the right, taking into account the purposes of the processing, to require that incomplete personal data is completed — including by means of providing a supplementary statement. If a data subject would like to exercise this right to rectification, they can at any time contact a staff member of the controller for this purpose.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator to require the controller to erase personal data concerning them promptly, where one of the following grounds applies and to the extent that processing is not necessary: The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. The data subject withdraws their consent, on which the processing is based according to point (a) of Article 6(1) GDPR or point (a) of Article 9 (2) GDPR, and there is no other legal ground for the processing. The data subject objects to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR. The personal data have been unlawfully processed. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR. Where one of the foregoing grounds applies and a data subject wishes to arrange for the erasure of personal data stored by EFR GmbH, they can at any time contact a staff member of the controller for this purpose. The EFR GmbH staff member will arrange for the erasure requirement to be complied with promptly. Where EFR GmbH has made the personal data public and our company is obliged as controller to erase the personal data pursuant to Article 17 (1) GDPR, then EFR GmbH taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data, to the extent that processing is not necessary. EFR GmbH staff members shall do what is necessary in individual cases.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator to obtain from the controller restriction of processing where one of the following conditions applies: The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. The processing is unlawful, the data subject opposes the erasure of the personal data and requests the restriction of their use instead. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims. The data subject has objected to processing pursuant to Article 21 (1) GDPR and it is not yet verified whether the legitimate grounds of the controller override those of the data subject. Where one of the foregoing conditions is present and a data subject wishes to restrict the personal data stored by EFR GmbH, they can at any time contact a staff member of the controller for this purpose. The EFR GmbH staff member shall arrange the restriction of processing.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6 (1) GDPR or point (a) of Article 9 (2) GDPR or on a contract pursuant to point (b) of Article 6 (1) GDPR and the processing is carried out by automated means, in so far as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition the data subject in exercising their right to data portability pursuant to Article 20 (1) GDPR has the right to have the personal data transmitted directly from one controller to another, where technically feasible, and in so far as the rights and freedoms of others are not adversely affected thereby. To exercise the right to data portability the data subject can at any time contact a staff member of EFR GmbH.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6 (1) GDPR. This applies also to profiling based on those provisions. EFR GmbH shall no longer process the personal data in the event of an objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing serves in the establishment, exercise or defense of legal claims. Where EFR GmbH processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing. This applies also to profiling to the extent that it is related to such direct marketing. Where the data subject objects to EFR GmbH to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes by EFR GmbH. Additionally the data subject has the right, on grounds relating to their particular situation, to object to processing of personal data concerning them by EFR GmbH for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out for reasons of public interest. To exercise the right to object the data subject can contact directly any staff member of EFR GmbH or another staff member. The data subject may also in the context of the use of information society services, notwithstanding Directive 2002/58/EC, exercise their right to object by automated means using technical specifications.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them, in so far as the decision (1) is not necessary for entering into, or performance of, a contract between the data subject and the controller, or (2) is not authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests or (3) is not based on the data subject’s explicit consent. If the decision (1) is necessary for entering into, or performance of, a contract between the data subject and the controller or (2) is based on the data subject’s explicit consent, EFR GmbH shall take suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision. If the data subject wishes to assert their rights in relation to automated decisions, they can at any time contact a staff member of the controller.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations legislator to withdraw their consent to the processing of personal data at any time. If the data subject wishes to assert their right of withdrawal of a consent, they can at any time contact a staff member of the controller for this purpose.
Article 6 (1)(a) GDPR is the legal basis for our company to conduct processing operations for which we obtain a consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as for example is the case for processing operations that are necessary for the supply of goods or the provision of another service or consideration, then the processing is based on Article 6 (1)(b) GDPR. The same applies for such processing operations as are required for the implementation of pre-contractual measures, for example in case of inquiries concerning our products or services. If our company is subject to a legal obligation as a consequence of which a processing of personal data is required, such as for example compliance with tax responsibilities, then the processing is based on Article 6 (1)(c) GDPR. In rare cases the processing of personal data could be required in order to protect the vital interests of the data subject or of another natural person. This would for example be the case where a visitor to our plant was injured and consequently their name, age, health insurance data or other vital information had to be passed to a doctor, hospital or other third party. In that case the processing would be based on Article 6 (1)(d) GDPR. Finally processing operations might be based on Article 6 (1)(f) GDPR. Processing operations not covered by the foregoing legal bases have this legal basis when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. We are permitted to conduct such processing operations in particular because they are referred to specifically by the European legislator. In that regard the legislator took the view that a legitimate interest may be assumed where the data subject is a customer of the controller (recital 47 sentence 2 GDPR).
If the processing of personal data is based on Article 6 (1)(f) GDPR our legitimate interest is the conduct of our business for the benefit of our staff members and our stockholders.
The criterion for the duration of the storage of personal data is the respective statutory period of retention. After expiry of the period the corresponding data is routinely erased to the extent that it is no longer required in order to perform or initiate the contract.
We inform you that the provision of personal data is partially legally prescribed (e.g. tax regulations) or can also arise from contractual arrangements (e.g. information to the contractual partner). Sometimes it can be necessary for the conclusion of a contract that a data subject makes personal data available to us that subsequently has to be processed by us. The data subject is for instance under an obligation to provide personal data to us if our company concludes a contract with them. Not providing the personal data would have the consequence that the contract could not be concluded with the party concerned. Before the provision of personal data by the party concerned that party must contact one of our staff members. Our staff member will inform the party concerned on a case-by-case basis whether the provision of the personal data is legally or contractually required or necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and the consequences that non-provision of the personal data could have.
As a responsible company we choose not to operate automated decision-making or profiling.