
Imprint

European Association for Panels and Profiles
Europark Fichtenhain A 13a
47807 Krefeld
Germany

Phone +49 2151 93630-0
Fax +49 2151 93630-29

Internet: www.ppa-europe.eu; www.epaq.eu
Authorised representative of the board: Jean-Christophe Kennel

Registered court: Krefeld County Court

Registered number: VR 4539

Responsibility for contents according to § 10 paragraph 3 MDStV:
Dr.-Ing. Ralf Podleschny (address as above)

Disclaimer:
Despite careful examination of the contents, we accept no responsibility for the content of external links. The operators of the linked pages are solely responsible for their contents.

Privacy Statement

This Privacy Policy gives information about the nature, scope and purpose of the processing of personal data (hereinafter referred to as “Data”) within the context of our online offering and the related websites, features and content, as well as external online presence, e.g. our social media profile (collectively referred to as the “Online offering”). With regard to the terminology used, e.g. “Processing” and “Controller”, please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

PPA-Europe e.V.
European Association for Panels and Profiles
Europark Fichtenhain A 13 a
D-47807 Krefeld

Phone: +49 (0)2151 93630-0
Fax: +49 (0)2151 93630-29

Types of data processed:

- Inventory data (e.g. names, addresses)
- Contact data (e.g. e-mail addresses, phone numbers)
- Content data (e.g., text input, photos, videos)
- Usage data (e.g. websites visited, interest in content, access times)
- Meta/communication data (e.g. device information, IP addresses)

Types of persons concerned (data subjects)

Visitors and users of the online offering (hereinafter jointly referred to as “users”).

Purpose of the data processing

- Provision of the online offering, its features and contents
- Replying to contact requests and communicating with users
- Security measures
- Reach measurement / Marketing

Definitions

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter called the “data subject”); an identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” refers to any operation or sequence of operations performed on personal data or on sets of personal data, whether this is automated or not. It is a broad term and covers practically all procedures where handling data is involved.

“Pseudonymisation” refers to the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.

“Profiling” refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.

“Processor” refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal basis

In accordance with Art. 13 of the GDPR, we inform you about the legal basis of our data processing. Unless the legal basis is specifically mentioned in the privacy statement, the following apply: The legal basis for obtaining consent is Article 6 (1) sub. a and Art. 7 of the GDPR, the legal basis for the data processing for the provision of our services and fulfilment of our contractual obligations as well as answering inquiries is Art. 6 para. 1 sub. b of the GDPR, the legal basis for data processing in order to fulfil our legal obligations is Art. 6 (1) sub. c of the GDPR, and the legal basis for data processing in order to protect our legitimate interests is Article 6 (1) sub. f of the GDPR. In the case where the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 sub. d of the GDPR is the legal basis.

Security measures

In accordance with Art. 32 of the GDPR, and taking account of the current state of the art, costs of implementation and the nature, scope, context and purposes of data processing as well as the likelihood and severity of the risk to the rights and freedoms of natural persons, we will take appropriate technical and organisational measures to ensure a level of protection commensurate with the risk.

In particular, such measures include ensuring the confidentiality, integrity and availability of the data by controlling physical access to the data as well as the authorised access, input, disclosure, availability and disconnection of the data. In addition, we have established procedures to ensure the exercise of data subject rights, deletion of data and the response to breaches in data protection. Furthermore, personal data protection is already a key factor in the development and selection of hardware, software and procedures, based on the principle of ‘data protection by design’ and ‘data protection by default’ (Article 25 of the GDPR).

Collaboration with people processing orders and third parties

Where we disclose data to other persons and companies (order processors and third parties) within the scope of our data processing, transfer data or otherwise grant access to data, this is only done on the basis of a legal authorisation (e.g. where transfer of the data to third parties such as a payment service provider is required in accordance with Art. 6 (1) (b) of the GDPR), if you have given your consent, if there is a legal obligation to do so or on the basis of our legitimate interests (e.g. for the use of subcontractors, web-hosting providers, etc.).

Where we subcontract data processing to a third party on the basis of a “data processing contract”, this is done in accordance with Art. 28 of the GDPR.

Data transfer to third countries

In the case where data is processed in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or data is processed in the context of the use of third party services or disclosure or transfer of data to third parties, this is only done to fulfil our (pre)contractual obligations, subject to your consent, due to legal requirements or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only according to the specific requirements of Art. 44 ff. of the GDPR, i.e. the data processing is subject to specific guarantees such as the officially recognised EU level of data protection (cf. in the USA through the “Privacy Shield”) or in compliance with officially recognised special contractual obligations (so-called “Standard Contractual Clauses”).

Rights of persons concerned (data subjects)

You have the right to request confirmation whether relevant data has been processed, and to receive details about this data as well as further information and a copy of the data in accordance with Art. 15 of the GDPR.

In accordance with Art. 16 of the GDPR, you have the right to demand the completion of the personal data or the rectification of incorrect personal data.

In accordance with Art. 17 of the GDPR, you have the right to demand that the relevant data be deleted without delay or, alternatively, to require data processing to be restricted in accordance with Art. 18 of the GDPR.

In accordance with Art. 20 of the GDPR, you have the right to request the personal data which concerns you and which you provided to us, and to transmit this information to other responsible people.

In accordance with Art. 77 of the GDPR, you also have the right to lodge a complaint with the competent supervisory authority.

Right of withdrawal

You have the right to withdraw your consent with future effect in accordance with Art. 7 (3) of the GDPR.

Right to object

You have the right to object to the future processing of your data at any time in accordance with Art. 21 of the GDPR. The objection may in particular be made against processing for direct marketing purposes.

Cookies and the right to refuse direct mailings

“Cookies” are small files that are stored on the users' computers. Cookies may contain a variety of information. Cookies serve primarily to store information about a user (or the device on which the cookie is used) during or after a visit to an online website. Temporary cookies – also known as “session cookies” or “transient cookies” – are cookies that are deleted when a user leaves an online website and closes his browser. Such cookies are used, for example, to store the content of a shopping cart in an online shop or the user’s login status. Permanent cookies – or “persistent cookies” – are those that remain stored on the device, even after the browser has been closed. Thus, e.g. the login details for a website may be stored, where the user gives permission, for reuse at a later date. Likewise, the interests of the users can be stored in such a cookie, to record the users' range of interests or for marketing purposes. A “third-party cookie” refers to a cookie of a provider other than the controller in connection with the online offering. (In contrast to this, the controller’s own cookies may be referred to as “first-party cookies”.)

Our use of temporary and permanent cookies is explained in the context of our privacy policy.

If users do not wish cookies to be stored on their devices, they are asked to disable the appropriate option in the system settings of their browser. Cookies which have been saved can subsequently be deleted in the system settings of the browser. Disabling cookies may impair the functional performance of the online offering.

A general restriction of the use of cookies for online marketing purposes can be made for a variety of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be disabled by the appropriate setting of the browser. Please note that this setting may also disable the use of some features of the online offering.

Deletion of data

The data processed by us will be deleted or restricted in accordance with Articles 17 and 18 of the GDPR. Unless explicitly stated in this privacy statement, the data stored by us will be deleted as soon as it is no longer required for their intended purpose, provided this does not contravene any applicable legal requirements with regard to information retention. Where data is not deleted for legal or other reasons, its use will be restricted, i.e. the data will be blocked and may not be processed for any other reason. This applies, for example, to data that must be kept for commercial or tax purposes.

The statutory data storage period in Germany is 10 years, in accordance with §§ 147 Sec. 1 AO, 257 Sec. 1 Nos. 1 and 4, Sec. 4 of the German Commercial Code (for books, records, financial reports, accounting records, account books, tax relevant documents, etc.) and 6 years in accordance with § 257 (1) Nos. 2 and 3, Sec. 4 of the German Commercial Code (for business correspondence).

The statutory data storage period in Austria is 7 years in accordance with § 132 Sec. 1 BAO (for accounting documents, receipts/invoices, vouchers, documents, business documents, accounts of income and expenditure, etc.), 22 years in connection with real estate and 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-entrepreneurs in EU member states for which the Mini-One-Stop-Shop (MOSS) is used.

Online shop and customer account order processing

We process our customers’ data as part of the ordering process in our online shop, to enable them to choose and order products and services, as well as make payments and deliver / execute them.

The data processed includes inventory data, communication data, contract data and payment details. The persons concerned by the data processing include our customers, prospective customers and other business partners. The data processing is carried out for the purpose of providing contracted services within the scope of operating an online shop including billing, delivery and customer services. For this we use session cookies for the storage of the shopping cart content and permanent cookies for the storage of the login status.

Data processing is carried out according to Art. 6 Sec. 1 sub. b (execution of order transactions) and c (legally required archiving) of the GDPR. The details marked as mandatory for specifying and fulfilling the order are required. Data is only disclosed to third parties within the framework of deliveries, payments or as part of the legal requirements and obligations towards legal advisors and authorities. Data will only be processed in third countries where this is necessary for the fulfillment of the order (for example, at the customer's request, upon delivery or payment).

Users can optionally create a user account, in particular to help them keep track of their orders. During the registration process, the user is informed what information is mandatory. User accounts are private and cannot be indexed by search engines. When a user closes his user account, the data relating to the user account will be deleted, except where data retention is required for commercial or tax reasons according to Art. 6 Sec. 1 sub. c of the GDPR. Information will remain in a customer’s account until it is deleted, with subsequent archiving where there is a legal obligation. It is the responsibility of the users to save their data upon termination prior to the end of the contract.

As part of the registration and login procedure when using our online services, we store the IP address and login time of the respective user. The storage is based on our legitimate interests as well as the user’s own interest in protection against misuse and other unauthorised access. As a general principle, data is not communicated to third parties, except where it is necessary to assert our claims or where there is a legal obligation in accordance with Art. 6 Sec. 1 sub. c of the GDPR.

The data is deleted after expiry of the legal warranty period and comparable obligations. The need for continuing retention of the data is reviewed every three years; in the case of legal archiving obligations, the data will be deleted after the expiry date (end of commercial retention period (6 years) or retention period according to tax law (10 years)).

Services of the Association

We process our clients’ data as part of our contractual services that include conceptual and strategic consulting, campaign planning, software and design development/consulting or updating, implementation of campaigns and processes/handling, server administration, data analysis & consulting services and training services.

For this purpose, we process inventory data (e.g. customer master data, such as names & addresses), contact data (e.g. e-mail addresses and phone numbers), content data (e.g. text input, photos and videos), order data (e.g. order details and conditions), payment details (e.g. bank details and payment history), usage and metadata (e.g. as part of the evaluation and marketing performance measurement). As a general principle, we do not process special categories of personal data, except where this is part of the ordering process. Those concerned include our customers, prospective customers and/or their customers, users, website visitors and employees as well as third parties. The purpose of the data processing is the provision of order services, billing and other customer services. The legal basis for this data processing is Art. 6 Sec. 1 sub. b of the GDPR (contractual services), Art. 6 Sec. 1 sub. f of the GDPR (analysis, statistics, optimisation and security measures). We process data necessary for entering into and exercising the contractual services, indicating where the details are mandatory. Information will only be disclosed to external parties where this is required for completion of the order. In processing the data provided to us within the framework of an order, we act according to the client’s instructions and the legal requirements regarding order processing in accordance with Art. 28 of the GDPR. The data is used for no other purpose than for processing the order.

The data is deleted after expiry of the legal warranty period and comparable obligations. The need for continuing retention of the data is reviewed every three years; in the case of legal archiving obligations, the data will be deleted after the expiry date (6 years, in accordance with § 257 (1) of the German Commercial Code, 10 years according to § 147 (1) of the General Tax Code). In the case of data provided to us in the context of an order by the client, the data will be deleted as specified in the order, in principle when the order has been completed.

Administration, financial accounting, office organisation, contact management

We process data in the context of administrative tasks and organisation of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data as required for providing our contractual services. The data processing principles followed are in accordance with Art. 6 Sec. 1 sub. c. and Art. 6 Sec. 1 sub. f of the GDPR. The processing applies to customers, prospective customers, business partners and website visitors. The purpose and interest in processing are administration, financial accounting, office organisation and data archiving, i.e. tasks that serve to maintain our business, perform our duties and provide our services. The deletion of the data with regard to contractual services and contractual communication corresponds to the information provided for these processing activities.

We disclose or transmit data to the financial administration, consultants such as tax accountants & auditors, other payment offices and payment service providers.

Furthermore, based on our business interests, we store information about suppliers, hosts and other business partners, e.g. to facilitate subsequent contacting. We generally store such predominantly company-related data permanently.

Provision of statutory and commercial services

We process the data of our members, supporters, prospective customers, customers and others in accordance with Art. 6 Sec. 1 sub. b. of the GDPR, where we offer them contractual services or in the context of an existing business relationship, e.g. with members; or if we ourselves are recipients of any services and benefits. Otherwise, we process the data of persons concerned in accordance with Art. 6 Sec. 1 sub. f. of the GDPR based on our legitimate interests, e.g. for administrative reasons or public relations.

The data thus processed, the nature, scope, purpose and need for processing are determined by the underlying contractual relationship. This basically includes inventory and master data relating to persons (e.g. names, addresses, etc.) as well as contact data (e.g. e-mail addresses, phone number, etc.), order data (e.g. services used, communicated content and information, names of contact persons) and where paid services or products are offered, payment details (e.g. bank details, payment history, etc.).

Data no longer required for fulfilling our statutory or commercial purposes is deleted. This depends on the respective tasks and contractual relationships. Where data processing for business purposes is concerned, we retain the data for as long as it may be relevant to the transaction or may be required to meet any warranty or liability obligations. The need for continuing retention of the data is reviewed every three years; otherwise statutory retention obligations apply.

Registration feature

Users can set up a user account. During the registration process, the user is informed what information is mandatory based on Art. 6 Sec. 1 sub. b of the GDPR. In particular, the data required includes the user’s login information (name, password and an e-mail address). The data entered during registration will be used for the purpose of logging in and using the user account.

Users can be informed by e-mail about details relevant to their user account, e.g. technical changes. When a user closes their user account, any data relating to the user account will be deleted, subject to any statutory retention requirements. It is the responsibility of the users to save any data they require prior to the end of the contract. We are entitled to irretrievably delete all user data which may have been stored during the course of the contract.

As part of the registration and login procedure when using our online services, we store the IP address and login time of the respective user. The storage is based on our legitimate interests as well as the user’s own interest in protection against misuse and other unauthorised access. This data will not be transferred to third parties, unless it is necessary to assert our claims or where there is a legal obligation in accordance with Art. 6 Sec. 1 sub. c. of the GDPR. The IP addresses will be anonymised or deleted at the latest after 7 days.

Contact

When contacting us (for example using the contact form, e-mail, by phone or via social media), the user’s information needed to handle the contact inquiry will be processed in accordance with Art. 6 Sec. 1 sub. b. (contractual/pre-contractual matters), Art. 6 Sec. 1 sub. f (other inquiries) of the GDPR. User information can be stored in a Customer Relationship Management (CRM) system or comparable database.

Inquiries will be deleted when they are no longer relevant. Their relevance is reviewed every two years; any legal obligations relating to archiving will be taken into account.

Hosting and sending of e-mails

The hosting services we use are designed to provide the following services: infrastructure and platform services, computing capacity, storage and database services, e-mail delivery, security and technical maintenance services, which we use for the purposes of operating this online service.

For this purpose we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors to this online offering, based on our legitimate interest in providing efficient and secure access to this online offering in accordance with Art. 6 Sec. 1 sub. f in conjunction with Art. 28 (order processing contract) of the GDPR.

Collection of access data and log files

Based on our legitimate interests in accordance with Art. 6 Sec. 1 sub. f of the GDPR, we – or our hosting provider – collect data about every access to the server on which this service is provided (so-called server log files). The access data includes the name of the web page viewed, file, date and time, amount of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (i.e. the previously visited webpage), IP address and requesting provider.

Log file information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for max. 7 days and then deleted. Data required for evidence purposes is excluded from deletion and retained until final clarification of the incident.

Content Delivery Network from Cloudflare

We use a so-called “Content Delivery Network” (CDN) from Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare is certified under the Privacy Shield Agreement, thus guaranteeing compliance with European privacy legislation.

A CDN is a service that helps deliver content from our online offering, especially large media files such as graphics or scripts using regionally distributed servers connected together via the internet. User data is processed solely for the specified purposes and to maintain the security and functionality of the CDN.

The use of the CDN is based on our legitimate interests, i.e. our interest in secure and efficient provision, analysis and optimisation of our online offering in accordance with Art. 6 Sec. 1 sub. f of the GDPR.

For more information, see the Cloudflare Privacy Policy:

 

Updated: February 2019
