Privacy / Data protection

1. About us

We, Humbaur GmbH, are responsible for collecting, processing and storing your data. Refer to our imprint at any time for details about us.

Our top priority is to handle your personal data with care. When processing your data, we adhere to statutory provisions such as the General Data Protection Regulation (GDPR), as well as the associated national provisions.

This privacy statement applies to all of our company’s websites that can be accessed under our domains (https://www.humbaur.com, https://shop.humbaur.com, https://partner.humbaur.com, https://***.humbaur.com). If our websites lead you to websites of other operators, the respective data protection regulations for those sites will apply. The relevant operators of these websites are responsible for the content of their data protection regulations.

As we would like to provide you with a comprehensive overview of how your personal data is processed, below you will find an overview of all of our services in the context of which we collect and process personal data.

Where specific or additional conditions apply to individual services or we ask you to provide your consent, we will specifically notify you of this before you use the relevant service (subscribe to the newsletter or make a purchase from our online shop, for example).

In addition, we take a variety of security measures to protect your personal data. For example, data is transmitted between your web browser and our servers in encrypted form as a matter of principle; in addition, we implement a range of technical and organisational measures to protect your data.

2. Why we process your data

As a matter of principle, you can visit our websites without having to disclose your identity. Should you wish to register for one of our personalised services, use our online shop, register for our newsletter or wish to contact us, we will ask you to provide your name and other personal information. It is your prerogative as to whether you provide this (additional) data. Data that is essential in order for us to be able to provide our services to you is identified as such.

Your personal data is collected and processed for the following purposes on the basis of the following legal bases:

  • Contract initiation in accordance with Art. 6 (1)(a) and (b) of the GDPR
  • Contract execution in accordance with Art. 6 (1)(b) of the GDPR
  • Customer management in accordance with Art. 6 (1)(b), (c) and (f) of the GDPR
  • Communication and data exchange in accordance with Art. 6 (1)(a), (b), (c) and (f) of the GDPR
  • Public image and advertising in accordance with Art. 6 (1)(f) of the GDPR
  • Implementing declarations of consent in accordance with Art. 6 (1)(a) of the GDPR
  • Ensuring proper operation of a data processing system in accordance with Art. 6 (1)(c) and (f) of the GDPR
  • Applicant selection process within the framework of personnel management and resource management in accordance with Art. 6 (1)(a) of the GDPR, in conjunction with Section 26 of the new German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG-Neu)

3. The information that we collect from you and process

We collect different categories of personal data from you. Personal data means any information relating to an identified or identifiable natural person; a natural person is considered to be identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name. Personal data includes information such as your name, your address, your telephone number and your date of birth (if specified), for example. Statistical information that cannot be linked to you directly or indirectly, such as the popularity of individual web pages of ours or the number of site users, is not considered to be personal data. We distinguish between data that is collected directly and data that is collected indirectly. In both cases, data will be collected only to the extent necessary; the data will be processed exclusively for the purposes stated under Clause 2. It is your prerogative whether you would like to send data to us which, although it will optimise the way in which you use our services, is not essential for this purpose. The relevant data fields are labelled "optional".

Data that is collected directly includes:

  • Title and name, e.g. to personalise your user account or to order from our online shop
  • Email address and, if necessary, a password of your choosing, for example, in order to subscribe to our newsletter, use your customer account or to contact us via our contact form
  • Customer login details for using the protected partner area
  • Address, e.g. in order to process orders (delivery) through our online shop
  • Payment details in order to process payment for your order
  • Application details in order to use our electronic application process
  • Information that you actively and intentionally provide us with in the context of using our services
  • Additional data that you provide us with voluntarily, for example any data fields that you complete despite them being labelled "optional"

When using our services, data will also be collected about you indirectly:

  • Technical connection data relating to visits to the website, for example, the page of our website accessed, your IP address truncated by the last three digits, date and time of access, end device used
  • Data that is collected through website tracking and newsletter tracking
  • Data that we receive from our service providers when processing orders via the online shop, for example, information about payment disruptions or delivery notifications

Minors:

Our website is not intended for minors and we do not knowingly collect personal data from minors (with the exception of applications).

Individuals under the age of 16 may only provide us with personal data if their parent or guardian has given their own consent or has agreed to the minor’s consent. For this purpose, we must be informed of the contact details of the parent or guardian in accordance with Art. 8 (2) of the GDPR in order for us to be assured that the parent or guardian has given their consent or approval. This data, as well as the data about the minor, will then be processed in accordance with this privacy statement.

If we find that a minor under the age of 16 has sent personal data to us without their parent or guardian having given their own consent or having agreed to the minor’s consent, we will immediately delete the data.

4. Who has access to your data and whom we send your data to

a) Access

Access to your personal data stored by us is limited to our employees and appointed service providers whose tasks require them to handle this personal data.

Insofar as third parties have access to your data, we have obtained consent from you for this purpose or there is a legal basis for this.

We also engage service providers to provide services and to process your data (including for hosting, sending newsletters, delivering goods that have been ordered, processing payments, sending letters or emails, as well as for maintaining and analysing databases, safeguarding our web servers and website tracking). Where specific provisions apply in these cases, we have listed these below for each relevant service. The service providers process the data solely on our instructions and are obliged to comply with the applicable data protection provisions. All processors have been carefully selected and only gain access to your data to the extent necessary and for the required period that is necessary to deliver the services and/or to the extent to which you have consented to data processing and data use.

b) Exchanging data within the group of undertakings

An exchange of data within the group of undertakings to which we belong takes place exclusively within the EU/EEA and only for internal management purposes. By "group of undertakings", we refer to affiliated companies within the meaning of Art. 4 No. 19 of the GDPR.

c) Data transfer to third countries and legal basis

The servers of some of the service providers that we use are located in the USA and in other countries outside the European Union. Companies in these countries are subject to a data protection law that does not generally protect personal data to the same extent as it is protected in the Member States of the European Union. Where your data is processed in a country that has a level of data protection that is recognised to be lower than the level within the European Union, we will employ contractual arrangements or other recognised instruments to ensure that your personal data is adequately protected. We will explicitly draw your attention to this point once more within the scope of the individual services.

Where personal data is transferred to third countries, this is done on the basis of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in accordance with Art. 45 of the GDPR or on the basis of the standard contractual clauses adopted by the EU in 2010 in accordance with Art. 46 (2)(c) of the GDPR in conjunction with the EU Commission's decision of 05/02/2010 (2010/87/EU) or in accordance with Art. 49 (1)(a) of the GDPR.

d) Data transfer to law enforcement authorities and criminal investigation authorities

In exceptional cases, we will forward personal data to law enforcement authorities and criminal investigation authorities. This is carried out on the basis of corresponding statutory obligations, arising from the German Code of Criminal Procedure (Strafprozessordnung), the German Fiscal Code (Abgabenordnung), the German Money Laundering Act (Geldwäschegesetz) or state police laws, for example.

5. Retention periods

We retain personal data within the framework of statutory provisions or your given consent.

We take the following criteria into account when determining the specific retention period:

We retain personal data until the purposes for which it was collected cease to apply (e.g. when a contractual relationship comes to an end or as a result of the final activity being performed if a continuing obligation is not in place, or in the case of revocation of consent to specific data processing).

Data will only be retained for longer than this if

  • Statutory retention obligations are in place (e.g. in accordance with the German Fiscal Code or the German Commercial Code [Handelsgesetzbuch])
  • The data is still required to establish and pursue legal claims or to defend against legal claims, for example, due to technological and forensic requirements for defending against and prosecuting attacks on our web servers
  • Erasure would not be in the legitimate interests of the data subject

or any other exception in accordance with Art. 17 (3) of the GDPR applies.

6. Your rights

You have a number of statutory rights, which we would like to draw to your attention below. Of course, you can also contact our data protection officer using the contact details below if you have any questions relating to your personal data that we have collected and processed.

a) Right of access and right to data portability

You have the right to access information regarding your personal data processed by us at any time.

Where data processing takes place based on your consent or in accordance with Art. 6 (1)(b) of the GDPR on the basis of a contract, you may also request, in accordance with Art. 20 (1) of the GDPR, the provision of the personal data that is stored about you in a structured, commonly used and machine-readable format. At your request, we will also forward the data directly to a recipient as defined by you.

b) Right to rectification, restriction and erasure

In addition, you may ask us to rectify, restrict (block) or erase your personal data pursuant to Articles 16 to 18 of the GDPR if we have incorrectly processed the data, if there is a reason for restricting further data processing, or if data processing has become unlawful for a variety of reasons, or if the retention of the data is inadmissible for other legal reasons. We would like to point out that statutory retention periods may restrict your right to erasure.

c) Rights to object

If our data processing is based exclusively on our legitimate interests in accordance with Art. 6 (1)(f) of the GDPR, you may opt out from this data processing in accordance with Art. 21 (1) of the GDPR. We will then stop processing your data, unless we are able to demonstrate legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is used to establish, exercise or defend a legal claim. In addition, you always have the right to object to your data being used for direct marketing purposes in future in accordance with Art. 21 (2) of the GDPR.

d) Right of withdrawal

If you have consented to our processing of your personal data, you have a right of withdrawal with future effect in accordance with Art. 7 (3) of the GDPR.

e) Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates the European General Data Protection Regulation or other national and international data protection laws.

The contact details of the relevant supervisory authority for us are:

Bayerisches Landesamt für Datenschutz (BayLDA) (Data Protection Authority of Bavaria)
Promenade 27
91522 Ansbach
Germany
Phone: +49 (0) 981 53 1300
poststelle@lda.bayern.de

f) Contact details

In order to exercise your rights, you can send an informal notification to us using the following contact details. Please direct the withdrawal of your consent to the following contact details, indicating which declaration of consent you would like to withdraw:

Controller
Humbaur GmbH
Mercedesring 1
86368 Gersthofen
Germany
Phone: +49 (0) 821 24929-0
Email: datenschutz@humbaur.com

Data protection officer
it.sec GmbH
Einsteinstr. 55
89077 Ulm
Germany
Datenschutz@it-sec.de

7. Using our websites — profiling, cookies and web tracking

a) Basic information about cookies and opt-out options

We use cookies in some areas of our website to identify the preferences of visitors and to enable us to optimise the design of the website accordingly, for example. This makes navigation easier and enhances the user-friendliness of a website. Cookies also help us to identify particularly popular areas of our website. Cookies are small files that are stored on the hard drive of a visitor. They allow information to be held for a certain period of time and enable the visitor’s computer to be identified. We use permanent cookies to improve user guidance and the way in which services are presented to the individual. We also use session cookies, which are automatically deleted when you close your browser. You can set your browser so that it informs you about the placement of cookies. This means that you will be clear about how the cookies are being used. The legal bases are formed by Art. 6 (1)(c) in conjunction with Art. 32 and Art. 6 (1)(f) of the GDPR. We have a legitimate interest in safeguarding our web server to defend it against attacks, for example, and to ensure the functionality of our services.

We only use cookies that are not essential from a technical point of view if you have provided your explicit consent for us to do so, which, of course, you can withdraw at any time.

In this regard, you have agreed to the following declaration in the context of our cookie information on our website:

This website uses tracking cookies or tracking software to, among other things, provide you with the full range of services on our website and thus a better online experience. You can find more information about the cookies and web tracking processes that we use, and the consent you have provided for this purpose, in our privacy statement at [add link]. However, cookies that are not essential from a technical point of view and/or our tracking software will only be activated once you have given us your consent. [Agreed]

If you fully exclude the use of cookies, you will not be able to use individual features of our website, including the option to opt-out from tracking based on cookies. You may need to allow the opt-out cookies for those services for which you wish to prevent tracking.

Please keep in mind that deleting all cookies also means that opt-out cookies are deleted. You must therefore reset these cookies where applicable. Cookies are also linked to the browser, meaning they need to be set separately for each of the browsers you use on each of the devices you use. The links that are necessary for this purpose can be found below in the description of the respective services.

We use the following cookies, provided you allow them and have not set one or multiple opt-out cookies, for the purposes specified in more detail below:

Name of cookie | Intended purpose | Storage duration | Essential from a technical point of view | Option to withdraw consent (if cookie not essential from a technical point of view)
--- | --- | --- | --- | ---
_gat_UA-6476217-2 | Used to reduce the number of requests to Google Analytics | 1 minute | No | See below
_gat_UA-6476217-4 | Used to reduce the number of requests to Google Analytics | 1 minute | No | See below
_gat_UA-6476217-28 | Used to reduce the number of requests to Google Analytics | 1 minute | No | See below
_gat_UA-6476217-30 | Used to reduce the number of requests to Google Analytics | 1 minute | No | See below
_gid | User identification by Google Analytics | 24 hours | No | See below
_ga | User identification by Google Analytics | 2 years | No | See below
_gat | Used to reduce the number of requests to Google Analytics | 1 minute | No | See below
__utma | Identification of users and sessions by Google Analytics | 2 years | No | See below
__utmt | Used to reduce the number of requests to Google Analytics | 10 minutes | No | See below
__utmb | Detection of new sessions/visits in Google Analytics | 30 minutes | No | See below
__utmz | Saves the traffic source or campaign that explains how the user has reached the site (Google Analytics) | 6 months | No | See below
fe_typo_user | CMS-specific session cookie | Expires when you close the browser | Yes |
PHPSESSID | CMS-specific session cookie | Expires when you close the browser | Yes |
frontend | CMS-specific session cookie | 1 hour | Yes |
frontend_cid | CMS-specific session cookie | 1 hour | Yes |
geoip | Identification of whether information with country reference has been seen | 1 month | Yes |
cookieconsent_dismissed | Identification of whether tracking and use of cookies is permitted | 1 year | Yes |

b) Google Analytics

The websites use Google Analytics, a web analytics service provided by Google LLC ("Google"). Google Analytics uses "cookies", text files that are stored on your computer and enable the way in which you use the website to be analysed. The information generated by the cookie about the way in which you use this website is typically sent to a Google server in the USA, where it will be stored. However, where IP anonymisation is activated on this website, Google will truncate your IP address beforehand within Member States of the European Union or in other Contracting Parties to the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the USA and truncated there in exceptional cases. Google will use this information on our behalf to evaluate how you use the website, to compile reports about activity on the website and to provide further services associated with website usage and Internet usage to the website operator. The IP address provided by your browser within the scope of Google Analytics will not be combined with other data from Google. One way of opting out of web analytics by Google Analytics is to set an opt-out cookie which tells Google not to save or use your data for the purposes of web analytics. Please note that with this solution, you will only be able to opt out of web analytics for as long as the opt-out cookie is stored by the browser. If you wish to set the opt-out cookie now, please click on https://developers.google.com/analytics/devguides/collection/gajs/?hl=en#disable.

You can also prevent cookies from being stored by configuring the relevant setting in your browser software; however, we would like to point out that if you do so, you may not be able to use all of this website's functions. You can also prevent the data generated by the cookie relating to your use of the website (including your IP address) being sent to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link. The current link is: tools.google.com/dlpage/gaoptout.

Data recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

c) Google Tag Manager

Google Tag Manager is a Google product that allows us to manage website tags for applications such as Google Analytics via an interface. Tag Manager is a cookie-free domain which does not collect any personal data.

d) Google AdWords

Our website uses the "Google AdWords" service, which enables marketers to place adverts in Google search hit lists and in the Google advertising network. This is based on pre-defined keywords, by means of which an ad is only placed in the hit lists if a search is carried out using the keywords.

As part of this process, Google AdWords aims to advertise our website by inserting relevant adverts on the websites of third parties, in the Google search hit lists, and by presenting relevant third-party advertising through our website.

Google places a cookie when you click on a corresponding Google ad that refers to our website. Both we and Google can use the cookie to ascertain whether or not you have accessed our website and generated sales via an AdWords ad.

The resulting data will be used by Google to generate statistics (e.g. total number of users directed via Google AdWords, success of our AdWords campaign) in relation to our website. Neither we nor any other Google AdWords advertising customers receive information from Google that could be used to identify you.

However, the set cookie will be used to store personal information, for example, about the websites that you have visited. Google may pass this data on to third parties.

You can opt out of interest-based advertising by Google at any time by clicking on the following opt-out link:

https://www.google.com/settings/ads

Data recipient: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

e) Social media buttons

Our website uses social media buttons (YouTube, Facebook, Instagram, Twitter, Xing) to allow you to interact with third parties.

These social media buttons are not integrated as plug-ins via an iFrame, but are stored as links. When you click on the social media buttons, you are directed to the relevant provider’s site. The relevant provider is then responsible for complying with data protection provisions and for ensuring that the information provided there on data processing is accurate, up-to-date and complete in accordance with Art. 4 No. 17 of the GDPR.

8. Supplementary notes and provisions for individual services

a) Newsletter

At your express request, we will send you our newsletter about the topics that you have chosen, as well as information about our company. Please note that the newsletter will only be sent if you have expressly confirmed your subscription request as part of our double opt-in process.

The personal data collected when subscribing to the newsletter will only be used to send and personalise the newsletter (in order to address the letter to you personally, for example). You can revoke your consent to us storing the personal data that you have provided to us in order for us to be able to send the newsletter to you at any time with future effect. Each newsletter contains a corresponding link to allow you to withdraw your consent; alternatively, please feel free to contact us directly so that we can implement the withdrawal of your consent. We have provided you with details about the consent you have given in the double opt-in mail.

Analysing newsletter usage

Our newsletter contains tracking pixels. A tracking pixel is a graphic in HTML emails used when opening the email to allow a log file to be recorded and a record of the links activated from the newsletter to be created and subsequently analysed. This allows us to use statistical analyses to evaluate how successful our newsletter campaigns have been and to optimise our newsletter in order to inform you about topics and offers that are better suited to your interests, for instance.

The personal data collected in this way will be processed by our service providers listed below.

If you do not agree to this, you can unsubscribe from the newsletter at any time by clicking on the unsubscribe link in the relevant newsletter or by sending an email to newsletter(at)humbaur.com.

Data recipient: Mailchimp, The Rocket Science Group, LLC, 675 Ponce de Leon AVE NE, Suite 5000, Atlanta, GA 30308 USA

b) Contact form

Data that you share with us via our contact form is processed for communication purposes and for the purpose of data exchange, in other words in order to respond to your specific query. This data is stored for the period of time necessary to process it for these purposes or until any ensuing retention periods expire. The only mandatory piece of information you need to provide here is your email address.

c) Competition

From time to time, you will have the opportunity to take part in competitions or similar campaigns via our website. Within the context of these campaigns, personal data, the scope of which is indicated in the respective entry form, may also be collected and retained for processing purposes. Data that is not essential for us to run the competition but allows us to notify you more quickly if you win is explicitly identified as optional information. The personal details that you provide us with in the context of a competition campaign of this kind will solely be used to deliver the campaign (in the case of a competition, for example, to determine the prize, send notification of a win, and to deliver the prize). After the campaign is over, the data of the participants who have not won the competition will be deleted immediately. In the case of the competition winner, their data will be deleted once the statutory retention period has expired.

d) Email application process

We give you the option to apply to us by email. Your electronic application data will be received by the relevant personnel department and will only be forwarded to the department in which the position you are applying for is located or to the individuals entrusted with processing the application. All parties involved will handle your application documentation with the utmost care and treat it as strictly confidential.

Once the application process is complete, we will store your application documentation for another three months, after which time we will delete or destroy any copies, unless we have entered into an employment contract with you. Should we wish to include your application documentation in our pool of applicants, we will contact you to this effect. As part of the notification, you can actively consent to your documents being retained for longer.

Please note that applications that you send to us via email will be delivered to us unencrypted. We therefore recommend using encryption software.

e) Online shop

Our website provides an online shop from which you can purchase our products. We use the data collected from you via the online shop to perform the contract, in particular in order to allow you to purchase products, take delivery of products, and make payment.

If necessary, we will also process your data in this context to carry out a credit check if this is required in order to perform the contract (Art. 6 (1)(b) of the GDPR) or if we have a legitimate interest in doing so (Art. 6 (1)(f) of the GDPR). We have a legitimate interest if we are about to enter into a contract with you that involves a risk of financial default for us (such as instalment plans, order/delivery on account) and the conclusion of the contract is solely dependent upon your credit rating.

Depending on the chosen shipping method, we will forward the necessary data, if available and provided you have given your consent for us to do so, including your email address and telephone number for the purposes of parcel notification, agreeing deadlines, and communicating parcel tracking information, to your chosen shipping service provider for the purposes of shipping and delivery.

We will also transfer the data that is necessary to make the payment and to carry out the risk assessment, where applicable, to the payment service provider of your choosing. The following additional information and provisions apply to this end:

aa) PayPal payment method

When making a purchase from our online shop, you have the option to pay using the payment provider PayPal. The payment is processed either via your PayPal account or via PayPal using your credit card or bank account. PayPal also provides buyer protection and fiduciary services.

When choosing the payment provider PayPal when making a purchase via the online shop, data will automatically be sent to PayPal. When you choose PayPal as the method of payment, you specifically consent to this transfer of personal data (first name and surname, address, email address, IP address, telephone number(s), order details, delivery dates) for the purposes of making the payment and preventing fraud.

Data is exchanged not only for the purposes of making the payment, but also for identification purposes, to prevent fraud, and to reduce our risk of financial default. In this respect, data about your financial situation as well as about previous purchasing and payment behaviour may also be exchanged. In this context, data will also be exchanged by PayPal with credit agencies, provided that there is a legitimate interest and the legitimate interests of the data subject are not contravened.

Data may be passed on to affiliated companies; this also applies to downstream service providers (processors, controllers with joint responsibility, and third parties, if required in order to perform the contract).

You may withdraw the foregoing consent at any time with future effect vis-à-vis PayPal. Withdrawal has no effect on data transfers carried out in the past.

The applicable data protection provisions for PayPal can be found at https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.

Data recipient: PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg, Luxembourg

bb) Instant transfer payment method

When making a purchase from our online shop, you have the option to pay using an instant transfer via the payment provider SOFORT GmbH.

Using the above method of payment allows you to confirm payment to us as the seller in real time, meaning we can immediately start dispatching your order.

When choosing instant transfer as your method of payment, data will automatically be sent to SOFORT GmbH. When you choose to pay via instant transfer, you specifically consent to this transfer of personal data (first name and surname, address, email address, IP address, telephone number(s), bank details, PIN, transaction authentication number, purchase price) for the purposes of making the payment and preventing fraud.

Data is exchanged not only for the purposes of making the payment, but also for identification purposes and to prevent fraud. In this respect, data about your financial situation as well as about previous purchasing and payment behaviour may also be exchanged. In this context, data will also be exchanged by SOFORT GmbH with credit agencies, provided that there is a legitimate interest and the legitimate interests of the data subject are not contravened.

Data may be passed on to affiliated companies; this also applies to downstream service providers (processors, controllers with joint responsibility, and third parties, if required in order to perform the contract).

You may withdraw the foregoing consent at any time with future effect vis-à-vis SOFORT GmbH. Withdrawal has no effect on data transfers carried out in the past.

The applicable data protection provisions for SOFORT GmbH can be found at https://www.sofort.com/ger-DE/datenschutzerklaerung-sofort-gmbh/.

Data recipient: SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany.

f) Customer account

Our website provides you with the option to create a personal customer account for our shop. You need to register once before being able to use the shop for the first time. To do so, you need to provide us with the following information:

  • Title (optional)
  • First name, surname
  • Email address
  • Password.

The customer account allows you:

  • To enjoy a faster ordering process
  • To save multiple shipping addresses
  • To view and keep track of orders

Your data will be stored within the shop system and in our order processing system. You can use the shop system settings to delete your customer account at any time.

g) Partner portal

We have set up a partner portal for our business partners. Access will be set up for you automatically in the form of a company account as soon as you or your company enter into a lasting business relationship with Humbaur GmbH and will end as soon as the business relationship is terminated. The partner portal can be used, among other things, to view up-to-date information about orders and invoices, research spare parts, request promotional material and access additional information about our products.

h) Humbaur Rent 24/7

Data usage for security and user experience

With the automatic driving licence check, we use artificial intelligence to encrypt your data reliably and to the highest security standards in compliance with the strictest data protection regulations, protecting it from unauthorised access. In doing so, we also enable our business customers to ensure that only pre-checked and trustworthy customers can rent vehicles. This makes it virtually impossible to forge ID cards, passports or driving licences.

Why is driving licence data or identification requested?

In order to avoid fraud, but also for basic legal reasons, we are obliged to request your driving licence. Neither Humbaur nor our rental partners are legally permitted to make vehicles available to customers without a driving licence.
At the same time, we use identification checks using smartphones and/or ID to ensure that no one misuses our service. This serves to protect our rental companies and customers alike.

What data is stored?

We collect all necessary information to enable our service. This concerns all legally required data that are indispensable to conduct a rental. This enables you to find, select and hire a vehicle of your choice. Information exchanged in the process includes user information such as name and address as well as the current location and temporarily requested information on the location of our vehicles.
At the same time, we also use anonymised profiles to monitor our rental companies’ fleets. We do so to prevent theft, damage to property and vandalism, as well as to avoid dangerous situations caused by overloading or excessive speeding. 

How is your data protected?

As a German company with a European focus, we give data protection a very high priority. This is why we automatically implement features on our platform that prevent fraud or security attacks. We work exclusively with partners from the European Union. Our applications are processed in German data centres with the highest security requirements by professional market leaders. Our partners are all ISO 270001 certified. The same applies to operation in the data centre itself. For communication between systems, we only use encrypted connections with the most secure encryption algorithms (SSL, AES).

i) Processing data for direct advertising

Advertising by post

To the extent permitted by law, we may also use your name and postal address that you have provided us with to advertise our own products. The legal basis is formed by Art. 6 (1)(f) in conjunction with Recital 47 of the GDPR. We have a legitimate interest in promoting sales to and demand from our existing customers. Of course, you can opt out of your data being processed for advertising purposes in future at any time. You simply need to send notification in text form using the above contact details. We will then delete your data from our mailing list. We will then retain the data proving that you have opted out for another six years in accordance with Art. 17 (3)(e) of the GDPR. However, during this time, your personal data will be blocked from being processed further.

Telephone advertising

To the extent permitted by law, for business customers, we may also use your name, company affiliation and your specified telephone number to inform you about our own products, on the basis of your assumed continued interest. The legal basis is formed by Art. 6 (1)(f) in conjunction with Recital 47 of the GDPR, Section 7, Para. 2, No. 2 of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb). We have a legitimate interest in promoting sales to and demand from our existing business customers. Of course, you can opt out of your data being processed for advertising purposes in future at any time. You simply need to send notification in text form using the above contact details. We will then delete your data from our mailing list. We will then retain the data proving that you have opted out for another six years in accordance with Art. 17 (3)(e) of the GDPR. However, during this time, your personal data will be blocked from being processed further.

i) Corporate presences ("fan pages") on social networks

Social network:

facebook.com   

The responsible party with whom the fan page is operated (the "Platform Operator"):

Facebook Ireland Ltd.
4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland

In an agreement pursuant to Art. 26, Para. 1 of the GDPR, the joint responsible parties determined which party fulfils which responsibility in accordance with the GDPR.

The agreement as defined by Art. 26, Para. 1 of the GDPR can be found at the following link:
https://www.facebook.com/legal/terms/page_controller_addendum
The Platform Operator makes the essential contents of this agreement available to the persons concerned.

Contact information for data protection:

Our contact information for data protection can be found in our linked Privacy Statement. The Data Protection Officer for the Platform Operator can be contacted using the following online form:
https://www.facebook.com/help/contact/540977946302970

Categories of persons concerned:

Visitors to our fan page who are registered with the social network as well as non-registered visitors

Categories of personal data:

Data that we process from registered visitors to our fan page:
The user name with which you registered, shared profile data (e.g. name, profession, addresses, contact information, as well as special categories of personal data such as religion, health data etc. if applicable), data created when sharing content, exchanging messages and from communications, data required as part of contract processing at the request of the registered visitors; otherwise, we only process pseudonymised data such as statistics and insights about interactions with our fan page, the articles, pages, videos and other content provided through the fan page (page activities, page views, "Like" information, reach, general demographic, location and interest-based information concerning age, gender, country, city, language), analyses about the success and background of our advertisements, other analyses and measurements about ….
We cannot link the pseudonymised data with the corresponding attribution characteristics (e.g. name). It is therefore not possible for us to identify individual visitors; visitors thus remain anonymous to us.

The data we collect from non-registered visitors to our fan page includes:
pseudonymised data such as statistics and insights about interactions with our fan page, the articles, pages, videos and other contents provided through the fan page (page activities, page views, "Like" information, reach, general demographic, location and interest-based information concerning age, gender, country, city, language), analyses about the success and background of our advertisements, other analyses and measurements about the use of our fan page.
We cannot link the pseudonymised data with the corresponding attribution characteristics (e.g. name). It is therefore not possible for us to identify individual visitors; visitors thus remain anonymous to us.

A description of the data that the platform operator processes about registered and non-registered visitors to our fan page can be found at the following link:
https://www.facebook.com/privacy/explanation

Origin of the data

We receive the data directly from the persons concerned or from the Platform Operator.

Legal basis for the data processing

We process the data with the following legal basis:

  • Art. 6 Para. 1 (a) of the GDPR: The data subject has given consent
  • If applicable, Art. 6 Para. 1 (b) of the GDPR: Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • Art. 6 Para. 1 (f) of the GDPR: Legitimate interest
  • Optimising our fan page
  • Promoting sales of or demand for our products and services
  • Simplifying communication and data exchange

We only process special categories of personal data with the following legal basis, if at all:

  • Art. 9 Para. 2 (a) of the GDPR: The data subject has given consent
  • Art. 9 Para. 2 (e) of the GDPR: Processing relates to personal data which is manifestly made public by the data subject

Information about the legal basis that supports data processing activities by the Platform Operator can be found at the following link:
https://www.facebook.com/about/privacy/legal_bases
The Platform Operator will obtain the consent of the persons concerned in advance if the persons concerned are tracked through the collection of their data, whether this takes place through the use of cookies or comparable techniques or through the storage of IP addresses.
In particular, the Platform Operator is obliged to inform the persons concerned for what purposes and on what legal basis the first visit to a fan page creates entries in the visitors' local storage, even for non-registered visitors, and whether personal data from non-registered visitors (e.g. IP address or any other data that is compressed into personal data) is used for the creation of profiles.

Purposes of data processing

The data is processed for the following purposes:

  • External representation and advertising
  • Communication and data exchange
  • Event management
  • If applicable, initiation and processing of the contract

Storage duration

The storage and deletion of data is the duty of the Platform Operator in accordance with the agreement as defined by Art. 26 Para. 1 of the GDPR. Information about this duty can be found at the following link:
https://www.facebook.com/privacy/explanation

Categories of recipients

Only our employees and service providers who maintain our fan page and require the data for the above-mentioned purposes have access to the data we process. If the persons concerned post their data publicly on our fan page, this data can be viewed by other registered and also non-registered visitors where applicable.

Information about the categories of recipients to which the platform operator discloses the data or enables registered visitors to disclose their data as well as information on internal data exchange can be found at the following link: https://www.facebook.com/privacy/explanation

Data transfers to third countries

If the persons concerned post their data publicly on our fan page, this data can be viewed by other registered and also non-registered visitors around the world.

In operating our fan page, the Platform Operator also transfers data to third countries.
The associated data transfers to third countries are protected by an adequacy decision by the EU Commission in accordance with Art. 45 of the GDPR or by appropriate guarantees in accordance with Art. 46 of the GDPR:
https://www.facebook.com/privacy/explanation

Facebook Inc. holds Privacy Shield certification: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
As a result of the agreements for the EU-US Privacy Shield, Facebook must therefore also grant various rights to the persons concerned, who can then assert these rights directly against Facebook.

Logic and scope involved for profiling or for an automated individual decision based on the collected data

The Platform Operator is obliged to inform the persons concerned if they are tracked through the collection of their data, whether this takes place through the use of cookies or comparable techniques or through the storage of IP addresses, in accordance with the agreement as defined by Art. 26 Para. 1 of the GDPR. In particular, the Platform Operator is obliged to specify the purposes and legal basis to the persons concerned if a session cookie and three cookies with time limits of between four months and two years are saved as a result of visiting a sub-page within our fan page.
Information about this duty can be found at the following link:
https://www.facebook.com/privacy/explanation
https://www.facebook.com/policies/cookies/

Rights of the persons concerned

The joint responsible parties must grant the persons concerned various rights regarding the processing of their data; the persons concerned can assert these rights directly against the Platform Operator based on the agreement as defined by Art. 26 Para. 1 of the GDPR:
https://www.facebook.com/privacy/explanation
Where certain prerequisites exist in accordance with Art. 15 to Art. 18 of the GDPR, the persons concerned have a right to access, rectification or erasure of their personal data, or a right to limit the processing of that data by the responsible party. The persons concerned also have the right to revoke their consent to processing of their personal data at any time with effect for the future (Art. 7 Para. 3 of the GDPR). You can also object to further processing of your data that is exclusively based on the legitimate interest of the responsible party in accordance with Art. 6 Para. 1 (f) of the GDPR (Art. 21 Para. 1 of the GDPR) if grounds for the exemption of data processing arise from your particular personal situation and no other compelling legitimate grounds for further data processing exist on the part of the responsible party. If personal data is processed for the purposes of direct marketing, the persons concerned have the right to object to such processing at any time with effect for the future (Art. 21 Para. 2 of the GDPR). If data processing is based on the consent of the person concerned in accordance with Art. 6 Para. 1 (a), Art. 9 Para. 1 (a) of the GDPR or on a contract with the person concerned in accordance with Art. 6 Para. 1 (b) of the GDPR and takes place using automated procedures, the persons concerned can demand, in accordance with Art. 20 Para. 1 of the GDPR, to receive the personal data saved about them in a structured, commonly used and machine-readable format or to have this data transmitted to a third party specified by the person concerned.
In principle, the persons concerned have the right not to be subject to a decision based solely on automated processing in accordance with Art. 22 Para. 1 of the GDPR. If an automated individual decision of this nature is permitted in accordance with Art. 22 Para. 2 (a) to (c) of the GDPR, the persons concerned are granted the following rights in accordance with Art. 22 Para. 3 of the GDPR: the right to express their own point of view, the right to obtain human intervention on the part of the responsible party and the right to contest the automated individual decision (right of appeal).

Furthermore, the persons concerned have the right to lodge a complaint with a supervisory authority if they think that processing of their personal data infringes the General Data Protection Regulation (GDPR), as stated in Art. 77 of the GDPR. The competent supervisory authority for the Platform Operator is:
Data Protection Commission
21 Fitzwilliam Square, Dublin 2
D02 RD28, Ireland
Website: http://gdprandyou.ie/contact-us/