The data protection declaration of C. Gerhardt GmbH & Co KG is based on definitions that were used by European issuers of directives and regulations when drawing up the General Data Protection Regulation (GDPR). Our data protection declaration is intended to be easy to read and understand for both the public and our customers and business partners. To guarantee this, we would like to explain the terms used beforehand.
In this data protection declaration, we use terms including the following:
• Personal data
Personal data refers to all information that refers to an identified or identifiable natural person (hereinafter referred to as the "affected person"). Identifiable refers to a natural person who, directly or indirectly, can be identified, in particular by means of assignment to an identifier such as a name, an ID number, location data, an online identifier or one or more characteristics that are the expression of the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
• Affected person
The affected person is every identified or identifiable natural person whose personal data is processed by the party responsible for processing.
Processing refers to any step or any set of steps - with or without the help of automated procedures - in conjunction with personal data such as collecting, recording, organising, ordering, saving, adjusting or changing, reading out, querying, use, exposure by transmission, dissemination or another form of provision, comparison or linking, limiting, deleting or destroying.
• Limitations on processing
A limitation on processing refers to marking stored personal data with the aim of limiting its future processing.
Profiling is every type of automated processing of personal data comprising the use of these personal data in order to evaluate certain personal aspects related to a natural person, in particular with regard to analysing and predicting work performance, economic status, health, personal preference, interests, reliability, behaviour, location or change of location of the natural person in question.
Pseudonymisation is the processing of personal data in a way in which the personal data can no longer be matched to a specific affected person without consulting additional information, as long as this additional information is stored separately and is subject to technical and organisational measures that guarantee that the personal data cannot be matched to an identified or identifiable natural person.
• Responsible party or responsible party for processing
The responsible body, or the body responsible for processing, is a natural or legal person, authority, facility or other body who, alone or together with others, makes decisions regarding the purposes and means of processing of personal data. If the purposes and means of this processing are specified by EU law or law of member states, the responsible party and/or the criteria of his/her appointment can be specified by EU law or the law of the member states.
The processor is a natural or legal person, authority, facility or other body that processes personal data on the order of the responsible party.
The recipient is a natural or legal person, authority, facility or other body to whom personal data is revealed, independently of whether this person is a third party or not. Authorities who may receive personal data as part of a specific investigation order under EU law or the law of member states are, however, not considered recipients.
• Third party
A third party is a natural or legal person, authority, facility or other body apart from the affected person, the responsible party, the processor and the people that are under the immediate responsibility of the responsible party or the processor and have been given the right to process the personal data.
Consent refers to any unambiguous expression of willingness in the form of a declaration or other clear, confirming action given voluntarily by the person for the case in question in an informed manner. With this declaration, the affected person shows that he/she is in agreement with the processing of the personal data affecting him/her.
2. General information and mandatory information
We - C. Gerhardt GmbH & Co KG - as the operator of these pages, take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with legal data protection provisions and this data protection declaration.
Note on the responsible authority
The party responsible for data processing on this website is:
C. Gerhardt GmbH & Co KG
Telephone: +49 2223 2999-0
The responsible body is the natural or legal person who, alone or together with others, decides regarding the purposes and means of processing of personal data (e.g. name, e-mail addresses or similar).
SSL and/or TLS encryption
This page uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content such as orders or queries that you send to us as the page operators. You can tell that the connection is encrypted when the address line in your browser changes from "http://" to "https://" and the lock icon appears in your browser line.
If SSL and/or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.
Affected person’s rights according to the GDPR
Right to disclosure
The affected person has the right to demand a confirmation from the responsible party as to whether personal data about him/her is being processed; if this is the case, he/she has a right to information regarding this personal information and a right to the following information:
- the processing purposes;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data has been revealed or is yet to be revealed, particularly in the case of recipients in third countries or at international organisations;
- if possible, the planned duration for which the personal data is stored or, if this is not possible, the criteria for determining this duration;
- the existence of a right to correct or delete the personal data referring to them or to have the processing by the responsible party limited or a right to object to processing altogether;
- the existence of a right to complain to a regulatory authority;
- if the personal data is not collected from the affected person, all available information regarding the submitter of the data;
- the existence of automatic decision-making, including profiling, as per Article 22 Sections 1 and 4 and - at least in these cases - useful information regarding the logic involved as well as the scope and intended effects of this kind of processing for the affected person.
- If personal data is transmitted to a third country or to an international organisation, the affected person has the right to be informed about the applicable guarantees as per Article 46 in conjunction with said transmission.
- The responsible party provides a copy of the personal data that is the subject of processing. For all additional copies requested by the affected person, the responsible party can demand a reasonable fee based on the administrative costs. If the affected person submits the application electronically, the information is to be provided in a common electronic format unless the affected person specifies otherwise.
- The right to receive a copy as per Section 3 may not impair the rights and freedoms of others.
Right to correction
The affected person has the right to request that the responsible party immediately correct any incorrect data held about the affected person. Taking the purposes of processing into account, the affected person has the right to demand that incomplete personal data be completed - even by means of a complementary declaration.
Right to deletion ("right to be forgotten")
Every affected person has the right to demand that the responsible party delete the affected personal data immediately. The responsible party is legally required to delete personal data immediately if one of the following reasons applies:
- The personal data was collected for purposes or in some other manner for which the data is no longer necessary.
- The affected person revokes their consent upon which processing was based as per Art. 6 Section 1 Letter a GDPR or Art. 9 Section 2 Letter a GDPR, and there is no other legal basis for the processing.
- The affected person submits an objection to processing as per Art. 1 Section 1 GDPR, and there are no pressing justified reasons for processing, or the affected person submits an objection to processing as per Art. 21 Section 2 GDPR.
- The personal data has been processed unlawfully.
- The deletion of the personal data is necessary to fulfil a legal requirement under EU law or the law of a member state to which the responsible party is subject.
- Personal data was collected in relation to information society services offered as per Art. 8 Section 1 of the GDPR.
If the responsible party has made the personal data public and if he/she is required to delete it as per Section 1, he/she will put suitable measures in place - taking the available technology and the implementation costs into account - including technical measures, in order to inform persons responsible for data processing that an affected person has demanded that they delete all links to this personal data or all copies or replicates of this personal data.
Right to limitations on processing
The affected person has the right to demand that the responsible party limit processing if one of the following prerequisites applies:
- the correctness of the personal data is disputed by the affected person for a duration that allows the responsible party to check the correctness of the personal data,
- the processing is unlawful and the affected person rejects the deletion of the personal data and instead demands limitation of the use of personal data;
- the responsible person no longer needs the personal data for the purposes of processing, but the affected person needs them to assert, exercise or defend legal claims, or
- the affected person has submitted a formal objection to processing as per Article 21, Section 1 GDPR as long as it has not been determined whether the justified grounds of the responsible party outweigh those of the affected person.
Right to data portability
The affected person has the right to receive their personal data that they have provided to a responsible party in a structured, common and machine-readable format. He/she also has the right to transfer this data to another responsible party without impairment by the first responsible party to whom the data was provided, as long as the processing is based on consent as per Article 6 Section 1 letter a GDPR or Article 9 Section 2 letter GDPR or on a contract as per Article 6 Section 1 letter b GDPR and as long as the processing takes place by means of automated processes.
When executing his/her right to data portability as per Section 1 GDPR, the affected person has the right to ensure that the personal data is transferred directly by a responsible party to another responsible party if this is technically feasible.
The exercise of this right is unaffected by Article 17 of the GDPR. This right does not apply to processing that is required to carry out a task that is in the public interest or to exercise public power that has been conferred on the responsible party.
The right to data portability may not impair the rights and freedoms of others.
Right to object
The affected person has the right - for reasons arising out of his/her particular situation - to submit an objection to the processing of personal data related to him/her at any time if this processing is covered by Article 6 Section 1 letters e or f GDPR; this also applies to profiling based on these provisions.
The responsible party no longer processes the personal data unless he/she can prove mandatory reasons requiring protection that outweigh the interests, rights and freedoms of the affected person or unless processing is required for the assertion, execution or defence of legal claims.
If personal data is processed for the purposes of direct advertising, the affected person has the right to submit an objection to the processing of their personal data for advertising purposes at any time; this also applies to profiling if it is in conjunction with direct advertising.
If the affected person objects to processing for the purposes of direct advertising, the personal data can no longer be used for these purposes.
By the time of the first communication, at the latest, the affected person must be made aware of the right contained in Art. 21 Sections 1 and 2 GDPR; this information must be in a comprehensible form and must be separated from other information.
In conjunction with the use of information society services, the affected person, regardless of Directive 2002/58/EC, can exercise his/her right to object by means of automated processes in which technical specifications are used.
The affected person has the right, for reasons arising out of his/her particular situation, to submit an objection to the processing of personal data related to him/her that is carried out for scientific or historical research purposes or for statistical purposes as per Article 89 Section 1 GDPR, unless the processing is required to carry out a task that is in the public interest.
Automated decisions in individual cases, including profiling
The affected person has the right not to be subject to a decision made based on an exclusively automatic processing - including profiling - that has legal consequences for him/her or significantly impairs him/her in a similar manner.
This does not apply if the decision
- is required for the completion or fulfilment of a contract between the affected person and the responsible party,
- is permissible due to legal provisions of the European Union or the member states to which the responsible party is subject and assuming that these legal provisions contain suitable measures to protect the rights and freedoms as well as the justified interests of the affected person, or
- takes place with the express consent of the person affected.
In the cases mentioned under letters a and c, the responsible party puts suitable measures in place in order to protect the rights and freedoms and the justified interests of the affected person. This includes at least the right to request intervention by a person ordered by the responsible party, to represent one’s own point of view and to challenge the decision.
Decisions may not be based on special categories of personal data as per Article 9 Section 1 GDPR, unless Article 9 Section 2 letter a or g GDPR apply and suitable measures have been put in place to protect the rights and freedoms and the justified interests of the affected person.
Right of revocation for the data-protection-related consent
The affected person has the right to revoke consent to the processing of personal data at any time. If the affected person would like to make use of his/her right to revoke consent, he/she can contact the party responsible for processing. The legality of the data processing carried out before revocation remains unaffected by said revocation.
Right to complain to the responsible regulatory authority
In the event of breaches of data protection rules, the affected party has the right to complain to the competent regulatory authority. The responsible regulatory authority in data-protection-related questions is the state data protection officer of the state in which our company has its headquarters. A list of data protection officers and their contact data can be found here: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Legal basis of processing
Art. 6 I lit. a of the GDPR is used by our company as a legal basis for processing steps for which we obtain consent for a certain processing purpose. If the processing of personal data is required to fulfil a contract to which the affected person is party, such as in the case of processing steps that are needed for a delivery of goods or the provision of another service or return service, processing is based on Art. 6 I lit. b GDPR. The same applies for processing steps that are required to carry out precontractual measures, such as in the event of queries regarding our products or services. If our company is subject to a legal requirement that makes processing of personal data necessary, such as to fulfil tax-related duties, the processing is based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data may be necessary in order to protect critical interests of the affected person or another natural person. This, for example, would be the case if a visitor to our company should be injured and his name, age, health insurance data or other critical information needed to be conveyed to a doctor, a hospital or other third parties. Processing in this case would be based on Art. 6 I lit. d GDPR. Finally, processing procedures may be based on Art. 6 I lit. f of the GDPR. This legal basis forms the foundation for processing steps that are not covered by any of the aforementioned legal bases if processing is required to protect a justified interest of the company or a third party, as long as the interests, basic rights and basic freedoms of the affected person do not have precedence. We are allowed to perform processing steps of this nature in particular because they were mentioned explicitly by European legislation. European legislation makes the assumption that a legitimate interest could be present if the affected person is a customer of the responsible party (recital 47, paragraph 2 of GDPR).
Legitimate interests in processing pursued by the responsible party or a third party
If the processing of personal data is based on Article 6 I lit. f GDPR, our legitimate interest lies in the execution of our business activities to the benefit of all employees and shareholders.
• Duration for which the personal data is stored
The criterion for the duration of storage of personal data is the applicable legal retention period. After the period has elapsed, the data in question is deleted as a matter of routine as long as they are no longer required to fulfil or initiate a contract.
Legal or contractual provisions regarding the supply of personal data; necessity for conclusion of a contract; duty of the affected person to supply personal data; possible consequences of failure to supply
We will inform you that the provision of personal data may be legally required (e.g. tax regulations) or may result from contractual provisions (e.g. details about the contractual partner). It may sometimes be necessary for the affected person to provide us with personal data that then needs to be processed by us at conclusion of a contract. The affected person is, for example, required to provide us with personal data when our company concludes a contract with said person. Non-provision of personal data would mean that the contract with the affected person cannot be concluded. Before provision of personal data by the affected person, the affected person must contact one of our employees. Our employee can provide the affected person with information on a case-by-case basis as to whether the provision of personal data is legally or contractually required or is necessary for conclusion of the contract, whether there is a duty to provide the personal data and which consequences the non-provision of personal data would have.
Objection to advertising e-mails
We hereby object to the use of the contact data published in the legal notice for the transmission of advertising and information material that has not been explicitly requested. The operators of the pages explicitly reserve the right to take legal steps in the event of unsolicited sending of advertising information, such as by means of spam e-mails.
3. Data protection officer
Legally mandated data protection officer
We have appointed a data protection officer for our company.
Mr Dirk Schietsch
Society Solutions GmbH
Widdersdorfer Straße 190
50825 Köln, Germany
Telephone: +49 221 33 77 59 0
4. Data recording on our website
Who is responsible for data collection on this website?
Data processing on this website is carried out by C. Gerhardt GmbH & Co KG. Our contact data can be found in the legal notice on this website.
What do we use your data for?
Some of the data is collected in order to guarantee fault-free provision of the website, to protect us from cyber attacks (or to be able to pursue same) or to obtain statistical information about visitors to our website.
The websites use what are known as cookies. Cookies do not do any damage to your computer and do not contain any viruses. Cookies are used to make our offering more user friendly, more efficient and more secure. Cookies are small text files that are placed on your computer and stored by your browser.
Most of the cookies we use are what are known as "session cookies". These are deleted after the end of your visit. Other cookies remain stored on your end device until you delete them. These cookies allow us to recognise your browser again the next time you visit.
You can set your browser to inform you when cookies are placed on your computer and only to allow cookies in individual cases, to exclude the acceptance of cookies in certain cases or in general, and to activate automatic deletion of cookies when the browser is closed. If cookies are deactivated, the functionality of this website may be restricted.
Cookies that are needed to execute the electronic communication process or to provide certain functions you desire (e.g. shopping cart function) are stored based on Art. 6 Section 1 lit. f GDPR. The operator of the website has a legitimate interest in saving cookies in order to ensure technically faultless and optimised provision of his/her services. If other cookies (e.g. cookies to analyse your surfing behaviour) are saved, these are discussed separately in this data protection declaration.
Server log files
The provider of the pages collects and stores information automatically in what are known as server log files. Your browser transmits these to us automatically. These are:
- Browser type and browser version
- Operating system used
- Location (country, region, city)
- Screen resolution
- Time of visit
- IP address (anonymised)
- Visited websites and subpages
- Duration of visit
- Number of visitors (recurring visitors)
- other similar data and information used for defence in the event of cyber attacks on our systems
This data is not merged with other sources of data.
The basis for data processing is Art. 6, Section 1, lit. f of the GDPR, which allows the processing of data to fulfil a contract or precontractual measures.
Contact options via the Internet page
For legal reasons, the website of C. Gerhardt GmbH & Co. KG contains information that allows quick electronic contact with our company as well as immediate communication with us, which also includes a general e-mail address. If you, as an affected person, contact the party responsible for processing via e-mail or via a contact form on the website, the personal data you enter will be stored automatically. This personal data, transmitted voluntarily by you, the affected person, is stored for the purposes of editing or making contact.
Processing of the data entered into the contact form is thus based entirely on your consent (Art. 6 Section 1 lit. a GDPR). You can revoke this consent at any time. A free-form message via e-mail to us is sufficient. The legality of the data processing steps carried out before revocation remains unaffected by said revocation.
The data you entered in the contact form remains in our possession until you request that we delete it, you revoke your permission to store it or the reason for data storage no longer applies (e.g. after your query has been dealt with). Mandatory legal provisions - particularly retention periods - remain unaffected.
Data protection in job applications and within the job application process
The company C. Gerhardt GmbH & Co. KG collects and processes personal data from applicants for the purpose of carrying out the application process. Processing can also be carried out electronically. This is particularly the case if an applicant sends application documents to the party responsible for processing via electronic means, such as via e-mail or via a web form found on the Internet page. If an employment contract is concluded between C. Gerhardt GmbH & Co. KG and the applicant, the data transferred is stored for the purposes of setting up the employment relationship, taking the legal provisions into account. If no employment contract is concluded between C. Gerhardt GmbH & Co. KG and the applicant, the application documents are deleted automatically two months after announcement of the refusal unless justified interests of C. Gerhardt GmbH & Co. KG stand in the way of deletion. Other legitimate interest refers, for example, to a burden of proof within proceedings as per the General Equal Treatment Act (GETA).
5. Plugins and tools
Our website uses plugins from YouTube, a site operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.
If you visit a website equipped with a YouTube plugin, a connection is established with the YouTube servers. The YouTube server is told which of our sites you have visited.
If you are logged into your YouTube account, you allow YouTube to match your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account.
YouTube is used in order to be able to provide an attractive representation of our online offerings. This represents a legitimate interest as defined in Art. 6 Section 1. lit. f GDPR.
You will find more information on how user data is handled in YouTube’s data protection declaration at:
Google Ads and Ads Remarketing
We use Google Ads Conversion services to place advertising (known as Google Ads) on external websites in order to attract attention to our own services. We can compare and analyse the advertising campaign data to determine how successful the individual advertising measures are. Our purpose in doing so is to show you advertising that is of interest to you, to make our website more interesting to you, and to calculate advertising costs fairly.
These adverts are supplied by Google via its “Ad Server”. To enable this, we use Ad Server cookies in order to measure specific parameters and thus gauge the success of advertising, such as the displaying of ads or user clicks. If you reach our website via an advert from Google, Google Ads saves a cookie on your device. This cookie generally includes – for analytical purposes – the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions) and opt-out information (indication that a user no longer wants to be contacted).
These cookies enable Google to recognise your Internet browser on repeat visits. If a user visits customers ads on specific pages of the website and the cookie on that user’s computer has not yet expired, Google and the customer can recognise the fact that a user has clicked on the ad and has been forwarded to the corresponding site. Each Ads customer receives a different cookie. This means it is not possible to track cookies via the Ads customers’ websites. We ourselves do not collect or process any personal data as part of these advertising measures, we merely receive statistical evaluations from Google. We can use these evaluations to work out which of the advertising measures we employ are most effective. We do not receive any other data about the use of advertising materials, and, specifically, we cannot identify users on the basis of the information we receive.
Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have no influence over the scope and further use of the data collected by Google with the help of this tool, and we therefore inform you of the following, in accordance with the information available to us: When Ads Conversion is used, Google receives the information that you have accessed the corresponding part of our web presence or have clicked on one of our ads. If you are registered with a Google service, Google can assign this visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that Google can find out and store your IP address.
Google Ads Remarketing
We use the Remarketing function of the Google Ads service. The Remarketing function enables us to present targeted advertising to users of our website, based on their interests, on other websites within the Google advertising network (in Google search or on YouTube, known as “Google Ads” or on other websites). This involves analysing the way that users interact with our website, e.g. which offers they have shown interest in, in order to display targeted advertising to the users on other websites even after they have visited our website. To do this, Google saves cookies on the devices of users who visit specific Google services or websites in the Google display network. These cookies are used to record visits by users. The cookies enable unique identification of a web browser on a specific device, they are not used to identify a person.
Cookies/tools used: type C. (marketing cookies)
Main service provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.
Transmission to third countries is possible. What are known as standard contractual clauses in accordance with Art. 46 GDPR have been concluded as suitable guarantees. The adequacy decision also applies to third countries/companies for which there is an adequacy decision. For more information, visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_de.
Life span of the cookies: up to 180 days (this only applies to cookies set via this website).
Art. 6 (1)(a) GDPR (Consent)
Google Analytics (with anonymisation function)
This website uses the Google Analytics component (with anonymisation function). Google Analytics is a web analysis service. Web analysis involves gathering, collecting and evaluating data on the behaviour of visitors to websites. Among other data, a web analysis service records data on the website (known as the referrer) from which a person in question reaches another website, data on which subpages the person accesses, or data on how often and for how long a person visits a subpage. A web analysis is primarily used to optimise a website and for cost-benefit analyses of online advertising.
The Google Analytics component is operated by Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
We only use Google Analytics with IP anonymization enabled.
This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
The purpose of the Google Analytics component is to analyse streams of visitors to our website. Among other purposes, Google uses the data and information collected here to evaluate the use of our website, to compile online reports that indicate to us activities on our websites and to provide other services connected to the use of our website.
Google Analytics sets a cookie on the person in question’s information technology system. The meaning of cookies is explained above. By setting cookies, Google is able to analyse the use of our website. Each time a person accesses an individual page on this website that is operated by the body responsible for processing and on which a Google Analytics component has been integrated, the internet browser on the person in question’s IT system is automatically triggered by the Google Analytics component to transmit data to Google for the purposes of online analysis. In the context of this technical procedure, Google receives information about personal data, such as the person in question’s IP address, which Google uses, among other purposes, to trace the origin of visitors and clicks and, as a consequence, in order to enable the calculation of commissions.
Personal information is stored by means of the cookie, including the time of access, the location from which the site was accessed, and the frequency of visits to our website by the person in question. Each time a person visits our website, these personal data, including the IP address of the internet connection used by the person in question, are transferred to Google in the United States of America. These personal data are saved by Google in the United States of America. Under certain circumstances, Google may forward these personal data collected using this technical procedure to third parties.
The person in question can prevent cookies from being set by our website, as explained above, at any time by making the corresponding setting on their internet browser, thereby permanently refusing the setting of cookies. This setting on the internet browser would also prevent Google from setting a cookie on the person in question’s IT system. In addition, a cookie that has already been set by Google Analytics can also be deleted via the internet browser or using other software programs.
As an alternative to the browser add-on or within browsers on mobile devices, please click this link to prevent Google Analytics from collecting data from this website in the future:
An opt-out cookie is stored on your device. If you delete your cookies, you must click this link again.
We also use Google Analytics to evaluate data from double-click cookies and AdWords for statistical purposes. If you object to this, you can deactivate this via the Ad Settings manager (http://www.google.com/settings/ads/onweb/?hl=en).
6. Changes to our data protection provisions
We reserve the right to adapt this data protection declaration to ensure that it always corresponds to current legal requirements or to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection declaration then applies to your next visit.