Kontakt
More information?
We are pleased to help:
+49(0)222329990

Data Protection

1. Definitions

The data protection declaration of C. Gerhardt GmbH & Co KG is based on definitions that were used by European issuers of directives and regulations when drawing up the General Data Protection Regulation (GDPR). Our data protection declaration is intended to be easy to read and understand for both the public and our customers and business partners. To guarantee this, we would like to explain the terms used beforehand.
In this data protection declaration, we use terms including the following:

• Personal data

Personal data refers to all information that refers to an identified or identifiable natural person (hereinafter referred to as the “affected person”). Identifiable refers to a natural person who, directly or indirectly, can be identified, in particular by means of assignment to an identifier such as a name, an ID number, location data, an online identifier or one or more characteristics that are the expression of the physical, physiological, genetic, mental, economic, cultural or social identify of this natural person.

• Affected person

The affected person is every identified or identifiable natural person whose personal data is processed by the party responsible for processing.

• Processing

Processing refers to any step or any set of steps – with or without the help of automated procedures – in conjunction with personal data such as collecting, recording, organising, ordering, saving, adjusting or changing, reading out, querying, use, exposure by transmission, dissemination or another form of provision, comparison or linking, limiting, deleting or destroying.

• Limitations on processing

A limitation on processing refers to marking stored personal data with the aim of limiting its future processing.

• Profiling

Profiling is every type of automated processing of personal data comprising the use of these personal data in order to evaluate certain personal aspects related to a natural person, in particular with regard to analysing and predicting work performance, economic status, health, personal preference, interests, reliability, behaviour, location or change of location of the natural person in question.

• Pseudonymisation

Pseudonymisation is the processing of personal data in a way in which the personal data can no longer be matched to a specific affected person without consulting additional information, as long as this additional information is stored separately and is subject to technical and organisational measures that guarantee that the personal data cannot be matched to an identified or identifiable natural person.

• Responsible party or responsible party for processing

The responsible body, or the body responsible for processing, is a natural or legal person, authority, facility or other body who, alone or together with others, makes decisions regarding the purposes and means of processing of personal data. If the purposes and means of this processing are specified by EU law or law of member states, the responsible party and/or the criteria of his/her appointment can be specified by EU law or the law of the member states.

• Processor

The processor is a natural or legal person, authority, facility or other body that processes personal data on the order of the responsible party.

• Recipient

The recipient is a natural or legal person, authority, facility or other body to whom personal data is revealed, independently of whether this person is a third party or not. Authorities who may receive personal data as part of a specific investigation order under EU law of law of member states are, however, not considered recipients.

• Third party

A third party is a natural or legal person, authority, facility or other body apart from the affected person, the responsible party, the job processor and the people that are under the immediate responsibility of the responsible party or the job processor and have been given the right to process the personal data.

• Consent

Consent refers to any unambiguous expression of willingness in the form of a declaration or other clear, confirming action given voluntarily by the person for the case in question in an informed manner. With this declaration, the affected person shows that he/she is in agreement with the processing of the personal data affecting him/her.

2. General information and mandatory information

Data protection

We – C. Gerhardt GmbH & Co KG – as the operator of these pages, take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with legal data protection provisions and this data protection declaration.

Note on the responsible authority

The party responsible for data processing on this website is:

C. Gerhardt GmbH & Co KG

Cäsariusstraße 97

53639 Königswinter

Telefon: +49 2223 2999-0

E-Mail: info@gerhardt.de

The responsible body is the natural or legal person who, alone or together with others, decides regarding the purposes and means of processing of personal data (e.g. name, e-mail addresses or similar).

SSL and/or TLS encryption

This page uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content such as orders or queries that you send to us as the page operators. You can tell that the connection is encrypted when the address line in your browser changes from “http://” to “https://” and the lock icon appears in your browser line.

If SSL and/or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.

Affected person’s rights according to the GDPR

Right to disclosure
The affected person has the right to demand a confirmation from the responsible party as to whether personal data about him/her is being processed; if this is the case, he/she has a right to information regarding this personal information and a right to the following information:

  • the processing purposes;
  • the categories of personal data that are processed;
  • the recipients or categories of recipients to whom the personal data has been revealed or is yet to be revealed, particularly in the case of recipients in third countries or at international organisations;
  • if possible, the planned duration for which the personal data is stored or, if this is not possible, the criteria for determining this duration;
  • the existence of a right to correct or delete the personal data referring to them or to have the processing by the responsible party limited or a right to object to processing altogether;
  • the existence of a right to complain to a regulatory authority;
  • if the personal data is not collected from the affected person, all available information regarding the submitter of the data;
  • the existence of automatic decision-making, including profile, as per Article 22 Sections 1 and 4 and – at least in these cases – useful information regarding the logic involved as well as the scope and intended effects of this kind of processing for the affected person.
  • If personal data is transmitted to a third country or to an international organisation, the affected person has the right to be informed about the applicable guarantees as per Article 46 in conjunction with said transmission.
  • 1The responsible party provides a copy of the personal data that is the subject of processing. 2For all additional copies requested by the affected person, the responsible party can demand a reasonable fee based on the administrative costs. 3If the affected person submits the application electronically, the information is to be provided in a common electronic format unless the affected person specifies otherwise.
  • The right to receive a copy as per Section 3 may not impair the rights and freedoms of others.
  • Right to correction
The affected person has the right to request that the responsible party immediately correct any incorrect data held about the affected person. Taking the purposes of processing into account, the affected person has the right to demand that incomplete personal data be completed – even by means of a complementary declaration. 
Right to correction

The affected person has the right to request that the responsible party immediately correct any incorrect data held about the affected person. Taking the purposes of processing into account, the affected person has the right to demand that incomplete personal data be completed – even by means of a complementary declaration. 

Right to deletion (“right to be forgotten")

Every affected person has the right to demand that the responsible party delete the affected personal data immediately. The responsible party is legally required to delete personal data immediately if one of the following reasons applies: 

  • The personal data was collected for purposes or in some other manner for which the data is no longer necessary.
  • The affected person revokes their consent upon which processing was based as per Art. 6 Section 1 Letter a GDPR or Art. 9 Section 2 Letter a GDPR, and there is no other legal basis for the processing.
  • The affected person submits an objection to processing as per Art. 1 Section 1 GDPR, and there are no pressing justified reasons for processing, or the affected person submits an objection to processing as per Art. 21 Section 2 GDPR.
  • The personal data has been processed unlawfully.
  • The deletion of the personal data is necessary to fulfil a legal requirement under EU law or the law of a member state to which the responsible party is subject.
  • Personal data was collected in relation to services offered by the information business as per Art. 8 Section 1 of the GDPR.

If the responsible party has made the personal data public and if he/she is required to delete it as per Section 1, he/she will put suitable measures in place – taking the available technology and the implementation costs into account – including technical measures, in order to inform persons responsible for data processing that an affected person has demanded that they delete all links to this personal data or all copies or replicates of this personal data.

Right to limitations on processing

The affected person has the right to demand that the responsible party limit processing if one of the following prerequisites applies: 

  • the correctness of the personal data is disputed by the affected person for a duration that allows the responsible party to check the correctness of the personal data,
  • the processing is unlawful and the affected person rejects the deletion of the personal data and instead demands limitation of the use of personal data;
  • the responsible person no longer needs the personal data for the purposes of processing, but the affected person needs them to assert, exercise or defend legal claims, or
  • the affected person has submitted a formal objection to processing as per Article 21, Section 1 GDPR as long as it has not been determined whether the justified grounds of the responsible party outweigh those of the affected person.
Right to data portability

The affected person has the right to receive their personal data that they have provided to a responsible party in a structured, common and machine-readable format. He/she also has the right to transfer this data to another responsible party without impairment by the first responsible party to whom the data was provided, as long as the processing is based on consent as per Article 6 Section 1 letter a GDPR or Article 9 Section 2 letter GDPR or on a contract as per Article 6 Section 1 letter b GDPR and as long as the processing takes place by means of automated processes.



When executing his/her right to data portability as per Section 1 GDPR, the affected person has the right to ensure that the personal data is transferred directly by a responsible party to another responsible party if this is technically feasible.



The exercise of this right is unaffected by Article 17 of the GDPR.
This right does not apply to processing that is required to carry out a task that is in the public interest or to exercise public power that has been conferred on the responsible party.



The right to data portability may not impair the rights and freedoms of others.

Right to disagreement

The affected person has the right – for reasons arising out of his/her particular situation – to submit an objection to the processing of personal data related to him/her at any time if this processing is covered by Article 6 Section 1 letters e or f GPDR; this also applies to profiling based on these provisions.

The responsible party no longer processes the personal data unless he/she can prove mandatory reasons requiring protection that outweigh the interests, rights and freedoms of the affected person or unless processing is required for the assertion, execution or defence of legal claims.

If personal data is processed for the purposes of direct advertising, the affected person has the right to submit an objection to the processing of their personal data for advertising purposes at any time; this also applies to profiling if it is in conjunction with direct advertising.  

If the affected person disagrees with processing for the purposes of direct advertising, the personal data can now longer be used for these purposes.

By the time of the first communication, at the latest, the affected person must be made aware of the right contained in Art. 21 Sections 1 and 2 GDPR; this information must be in a comprehensible form and must be separated from other information.

In conjunction with the use of services from the information company, the affected person, regardless of Directive 2002/58/EC, can exercise his/her right to object by means of automated processes in which technical specifications are used.

Die betroffene Person hat das Recht, aus Gründen, die sich aus ihrer besonderen Situation ergeben, gegen die sie betreffende Verarbeitung sie betreffender personenbezogener Daten, die zu wissenschaftlichen oder historischen Forschungszwecken oder zu statistischen Zwecken gemäß Artikel 89 Absatz 1 DSGVO erfolgt, Widerspruch einzulegen, es sei denn, die Verarbeitung ist zur Erfüllung einer im öffentlichen Interesse liegenden Aufgabe erforderlich.


Automated decisions in individual cases, including profiling

The affected person has the right not to be subject to a decision made based on an exclusively automatic processing – including profiling – that has legal consequences for him/her or significantly impairs him/her in a similar manner. 

    This does not apply if the decision 

    • as is required for the completion of fulfilment of a contract between the affected person and the responsible party,
    • is permissible due to legal provisions of the European Union or the member states to which the responsible party is subject and assuming that these legal provisions contain suitable measures to protect the rights and freedoms as well as the justified interests of the affected person.
    • takes place with the express consent of the person affected.

    In the cases mentioned under letters a and c, the responsible party puts suitable measures in place in order to protect the rights and freedoms and the justified interests of the affected person. This includes at least the right to request intervention by a person ordered by the responsible party, to represent one’s own point of view and to challenge the decision.

    ns des Verantwortlichen, auf Darlegung des eigenen Standpunkts und auf Anfechtung der Entscheidung gehört.



    Decisions may not be based on special categories of personal data as per Article 9 Section 1 GDPR, unless Article 9 Section 2 letter a or g GDPR apply and suitable measures have been put in place to protect the rights and freedoms and the justified interests of the affected person.

    Right of revocation for the data-protection-related consent

    The affected person has the right to revoke consent to the processing of personal data at any time. If the affected person would like to make use of his/her right to revoke consent, he/she can contact the party responsible for processing. The legality of the data processing carried out before revocation remains unaffected by said revocation.

    Right to complain to the responsible regulator authority

    In the event of breaches of data protection rules, the affected party has the right to complain to the competent regulatory authority. The responsible regulatory authority in data-protection-related questions is the state data protection officer of the state in which our company has its headquarters. A list of data protection officers and their contact data can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

     

    Legal basis of processing

    Art. 6 I lit. a of the GDPR is used by our company as a legal basis for processing steps for which we obtain consent for a certain processing purpose. If the processing of personal data is required to fulfil a contract to which the affected person is party, such as in the case of processing steps that are needed for a delivery of goods or the provision of another service or return service, processing is based on Art. 6 I lit. b GDPR. The same applies for processing steps that are required to carry out precontractual measures, such as in the event of queries regarding our products or services. If our company is subject to a legal requirement that makes processing of personal data necessary, such as to fulfil tax-related duties, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be necessary in order to protect critical interests of the affected person or another natural person. This, for example, would be the case if a visitor to our company should be injured and his name, age, health insurance data or other critical information needed to be conveyed to a doctor, a hospital or other third parties. Processing in this case would be based on Art. 6 I lit. d GDPR. Finally, processing procedures may be based on Art. 6 I lit. f of the GDPR. This legal basis forms the foundation for processing steps that are not covered by any of the aforementioned legal bases if processing is required to protect a justified interest of the company or a third party, as long as the interests, basis rights and basic freedoms of the affected person do not have precedence. We are allowed to perform processing steps of this nature in particular because they were mentioned explicitly by European legislation. He/she makes the assumption that a legitimate interest could be present if the affected person is a customer of the responsible party (recital 47, paragraph 2 of GDPR). 

    Legitimate interests in processing pursued by the responsible party or a third party

    If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest lies in the execution of our business activities to the benefit of all employees and shareholders.

    
Duration for which the personal data is stored

    The criterion for the duration of storage of personal data is the applicable legal retention period. After the period has elapsed, the data in question is deleted as a matter of routine as long as they are no longer required to fulfil or initiate a contract.

    Legal or contractual provisions regarding the supply of personal data; necessity for conclusion of a contract; duty of the affected person to supply personal data; possible consequences of failure to supply

    We will inform you that the provision of personal data may be legally required (e.g. tax regulations) or may result from contractual provisions (e.g. details about the contractual partner). It may sometimes be necessary for the affected person to provide us with personal data that then needs to be processed by us at conclusion of a contract. The affected person is, for example, required to provide us with personal data when our company concludes a contract with said person. Non-provision of personal data would mean that the contract with the affected person cannot be concluded. Before provision of personal data by the affected person, the affected person must contact one of our employees. Our employee can provide the affected person with information on a case-by-case basis as to whether the provision of personal data is legally or contractually required or is necessary for conclusion of the contract, whether there is a duty to provide the personal data and which consequences the non-provision of personal data would have. 

    Disagreement with advertising e-mails

    We hereby object to the use of the contact data published in the legal notice for the transmission of advertising and information material that has not been explicitly requested. The operators of the pages explicitly reserve the right to take legal steps in the event of unsolicited sending of advertising information, such as by means of spam e-mails.

    3. Data protection officer

    Legally mandated data protection officer

    We have appointed a data protection officer for our company.

    Mr Dirk Schietsch
    
Society Solutions GmbH

    Widdersdorfer Straße 190
    
50825 Köln, Germany
    Telefon: +49 221 33 77 59 0

    E-Mail: ds-fpb@society.de

    4. Data recording on our website

    Who is responsible for data collection on this website?

    Data processing on this website is carried out by C. Gerhardt GmbH & Co KG. Our contact data can be found in the legal notice on this website.

    What do we use your data for?

    Some of the data is collected in order to guarantee fault-free provision of the website, to protect us from cyber attacks (or to be able to pursue same) or to obtain statistical information about visitors to our website.

     

    Cookies

    The websites use what are known as cookies. Cookies do not do any damage to your computer and do not contain any viruses. Cookies are used to make our offering more user friendly, more efficient and more secure. Cookies are small text files that are placed on your computer and stored by your browser.

    Most of the cookies we use are what are known as “session cookies”. These are deleted after the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies allow us to recognise your browser again the next time you visit.

    You can set your browser to inform you when cookies are placed on your computer and only to allow cookies in individual cases, to exclude the acceptance of cookies in certain cases or in general, and to activate automatic deletion of cookies when the browser is closed. If cookies are deactivated, the functionality of this website may be restricted.

    Cookies that are needed to execute the electronic communication process or to provide certain functions you desire (e.g. shopping cart function) are stored based on Art. 6 Section 1 lit. f GDPR. The operator of the website has a legitimate interest in saving cookies in order to ensure technically faultless and optimised provision of his/her services. If other cookies (e.g. cookies to analyse your surfing behaviour) are saved, these are discussed separately in this data protection declaration.

    Server log files

    The provider of the pages collects and stores information automatically in what are known as server log files. Your browser transmits these to us automatically. These are:

    • Browser type and browser version
    • Operating system used
    • Location (country, region, city)
    • Screen resolution
    • Device
    • Time of visit
    • IP address (anonymised)
    • Visited websites and subpages
    • Duration of visit
    • Number of visitors (recurring visitors)
    • other similar data and information used for defence in the event of cyber attacks on our systems

    This data is not merged with other sources of data.

    The basis for data processing is Art. 6, Section 1, lit. f of the GDPR, which allows the processing of data to fulfil a contract or precontractual measures.

     

    Contact options via the Internet page

    For legal reason, the website of C. Gerhardt GmbH & Co. KG contains information that allows quick electronic contact with our company as well as immediate communication with us, which also includes a general e-mail address. 
If you, as an affected person, contact the party responsible for processing via e-mail or via a contact form on the website, the personal data you enter will be stored automatically. This personal data, transmitted voluntarily by you, the affected person, is stored for the purposes of editing or making contact. 

    Processing of the data entered into the contact form is thus based entirely on your consent (Art. 6 Section 1 lit. a GDPR). You can revoke this consent at any time. A free-form message via e-mail to us is sufficient. The legality of the data processing steps carried out before revocation remains unaffected by said revocation.

    The data you entered in the contact form remains in our possession until you request that we delete it, you revoke your permission to store it or the reason for data storage no longer applies (e.g. after your query has been dealt with). Mandatory legal provisions – particularly retention periods – remain unaffected.

    Data protection in job applications and within the job application process

    The company C. Gerhardt GmbH & Co. KG collects and processes personal data from applicants for the purpose of carrying out the application process. 
Processing can also be carried out electronically. This is particularly the case if an applicant sends application documents to the party responsible for processing via electronic means, such as via e-mail or via a web form found on the Internet page. 
If an employment contract is concluded between C. Gerhardt GmbH & Co. KG and the applicant, the data transferred is stored for the purposes of setting up the employment relationship, taking the legal provisions into account. 
If no employment contract is concluded between C. Gerhardt GmbH & Co. KG and the applicant, the application documents are deleted automatically two months after announcement of the refusal unless justified interests of C. Gerhardt GmbH & Co. KG stand in the way of deletion. Other legitimate interest refers, for example, to a burden of proof within proceedings as per the General Equal Treatment Act (GETA).

    5. Plugins and tools

    YouTube

    Our website uses plugins from YouTube, a site operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

    If you visit a website equipped with a YouTube plugin, a connection is established with the YouTube servers. The YouTube server is told which of our sites you have visited.

    If you are logged into your YouTube account, you allow YouTube to match your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.

    YouTube is used in order to be able to provide an attractive representation of our online offerings. This represents a legitimate interest as defined in Art. 6 Section 1. lit. f GDPR.

    You will find more information on how user data is handled in YouTube’s data protection declaration at: https://policies.google.com/privacy?hl=en-GB&gl=de.

     

    MATOMO (formerly PIWIK)

    This website uses Matomo. Matomo is an open source software tool for web analysis. Web analysis is the recording, collection and evaluation of data on the behaviour of visitors to Internet sites. A web analysis tool collects, among other things, data on which website a person affected came to a website (so-called referrer), which subpages of the website were accessed or how often and for how long a subpage was viewed. A web analysis is mainly used to optimize a website and for cost-benefit analysis of Internet advertising.

    The software is operated on the server of the person responsible for the processing; the data protection-sensitive log files are stored exclusively on this server.

    The purpose of the Matomo component is to analyse the flow of visitors to our website. The data controller uses the data and information obtained to evaluate the use of this website in order to compile online reports showing the activities on our website.

    Matomo places cookies on the information technology system of the person concerned. What cookies are has already been explained above. The setting of cookies enables us to analyse the use of our website. Each time one of the individual pages of this website is called up, the Internet browser on the information technology system of the person concerned is automatically caused by the Matomo component to transmit data to our server for the purpose of online analysis. As part of this technical procedure, we obtain knowledge of personal data, such as the IP address of the person concerned, which among other things serves us to trace the origin of visitors and clicks.

    Cookies are used to store personal information, such as access time, the location from which access came and the frequency of visits to our website. Whenever you visit our website, this personal data, including the IP address of the Internet connection used by the person affected, is transmitted to our server. This personal data is stored by us. We do not pass this personal data on to third parties.

    The person affected can prevent the setting of cookies by our website at any time, as already described above, by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Matomo from placing cookies on the information technology system of the person affected. In addition, a cookie already set by Matomo can be deleted at any time via an Internet browser or other software programs.

    Furthermore, the affected person has the possibility to object to the collection of data generated by the Matomo relating to the use of this website and to prevent such collection. To do this, the person affected must set "Do Not Track" in their browser.

    With the setting of the opt-out cookie, however, it is possible that the Internet pages of the data controller may no longer be fully usable by the data subject.

    Further information and Matomo's current privacy policy can be found at https://matomo.org/privacy/

    6. Changes to our data protection provisions

    We reserve the right to adapt this data protection declaration to ensure that it always corresponds to current legal requirements or to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection declaration then applies to your next visit.