Data Protection Declaration

1. Introduction

The aim of the following information is to give you, as a "data subject", an overview of how we process your personal data and your rights under data protection laws. It is generally possible to use our website without entering any personal data. However, if you wish to make use of particular services that we offer via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for this processing, we will generally obtain your consent.

The processing of personal data, such as your name, address or email address, is always carried out in line with the General Data Protection Regulation (GDPR) and in accordance with the country-specific data protection regulations applicable to PfG GmbH. This privacy notice tells you about the scope and purpose of the personal data that we collect, use and process.

As the controller (the party responsible for data processing), we have implemented numerous technical and organisational measures to provide the most comprehensive protection possible for personal data processed via this website. However, Internet-based data transmissions can be liable to security vulnerabilities, and as such absolute protection cannot be guaranteed. For this reason, you are welcome to send personal data to us by alternative means, for example by telephone or post.

You can also take simple measures that are easy to implement to protect your data against unauthorised access by third parties. With that in mind, we would like to share some tips on how to keep your data safe:

  • Protect your account (login, user or customer account) and your IT system (computer, laptop, tablet or mobile device) with secure passwords.
  • Only you should have access to the passwords.
  • Make sure that you use your passwords only for one account (login, user or customer account) at a time.
  • Do not use the same password for different websites, applications or online services.
  • Particularly when using publicly accessible or shared IT systems, the following applies: You should always log out of a website, application or online service after each login.

Passwords should be at least 12 characters long and should not be easy to guess. Therefore, they should not contain common words from everyday life, your own names or relatives' names. They should contain upper- and lower-case letters, numbers and special characters.

2. Controller

The controller within the meaning of the GDPR is:
PfG GmbH
Tecklenburger Str. 161, 48477 Hörstel, Germany
Telephone: +49 (0)5454-80-0
Email: info(at)pfg-gmbh.com
Representative of the controller: Cornelius Everke, Michael Koch

3. Data protection officer

You can reach the data protection officer using the following contact details:
Thomas Otten
Email: datenschutz-PfG@audatis.de
You can contact our data protection officer directly at any time should you have any questions or suggestions about data protection.

4. Definitions

The privacy notice is based on the terms used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy notice is designed to be easy to read and understand by the public, our customers and our business partners. To that end, we would like to explain the terms used in advance.
In this privacy notice, we use the following terms, among others:

1. Personal data

Personal data is any information that relates to an identified or identifiable natural person. An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2. Data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).

3. Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4. Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of restricting its processing in the future.

5. Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

6. Pseudonymisation

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

7. Data processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

8. Recipient

A recipient is a natural or legal person, public authority, agency or another body to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

9. Third party

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

10. Consent

Consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by another clear affirmative action, signifies agreement to the processing of personal data relating to them.

5. Legal basis of the processing

Article 6(1)(a) GDPR (in conjunction with Section 25(1) of the German Telecommunications and Telemedia Data Protection Act [Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG]) serves as the legal basis for processing operations carried out by our company in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Article 6(1)(b) GDPR. The same applies to processing operations that are necessary for pre-contractual measures, for example in cases of enquiries about our products or services.

If our company is subject to a legal obligation that requires the processing of personal data, for example to fulfil tax obligations, processing is based on Article 6(1)(c) GDPR.

In rare cases, processing personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance data or other vital information needed to be passed on to a doctor, hospital or other third party. Processing would then be carried out in accordance with Article 6(1)(d) GDPR.

Finally, processing operations could be carried out in accordance with Article 6(1)(f) GDPR. This legal basis is used for processing operations that are not covered by any of the legal bases mentioned above, if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. We are allowed to perform such processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, the legislator took the view that a legitimate interest could be assumed if you are a customer of our company (Recital 47 sentence 2 GDPR).

Our offer is generally aimed at adults. Persons under the age of 16 may not transmit any personal data to us without the consent of their parents or legal guardians. We do not request or collect personal data from children and young people or share such data with third parties.

6. Technology

6.1 SSL/TLS encryption

This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact requests, that you send to us as the operator. You can recognise an encrypted connection by the "https://" and padlock symbol in your browser address bar instead of "http://".
We use this technology to protect your transmitted data.

6.2 Data collection when visiting the website

If you use our website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the data that your browser transmits to our server (in server log files). Our website collects a range of general data and information each time you or an automated system visits a page. This general data and information is stored in the server log files. The following may be collected:
1. the browser types and versions used,
2. the operating system used by the accessing system,
3. the website from which an accessing system reaches our website (known as a referrer),
4. the sub-websites accessed via an accessing system on our website,
5. the date and time of the visit to the website,
6. an abbreviated Internet protocol address (anonymised IP address) and
7. the Internet service provider of the accessing system.

When using this general data and information, we do not make any inferences about you as a person. Rather, this information is needed to
1. deliver the contents of our website correctly,
2. optimise the content of our website as well as the advertising for it,
3. ensure the long-term functionality of our IT systems and the technology used to deliver our website and
4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

We therefore analyse the collected data and information statistically, and also in order to improve data protection and data security at our company, with the ultimate aim of ensuring an optimal level of protection for the personal data we process. The anonymous data in the server log files is stored separately from any personal data provided by a data subject.
The legal basis for this data processing is Article 6(1)(f) GDPR. Our legitimate interest is derived from the data collection purposes listed above.

6.3 Encrypted payment transactions

If, after concluding a fee-based contract, there is an obligation to provide us with your payment data (e.g. the provision of the account number when issuing the direct debit authorisation), this data is required for payment processing.
Payment transactions executed via standard methods of payment (Visa/MasterCard or direct debit) are carried out exclusively via an encrypted SSL or TLS connection. You can recognise an encrypted connection by the fact that the "http://" in your browser address bar changes to "https://" and a padlock symbol appears.
We use this technology to protect your transmitted data.

7. Cookies

7.1 General information about cookies

Cookies are small files that your browser automatically creates and are stored on your IT system (laptop, tablet, smartphone etc.) when you visit our site.

The cookie stores information that results from the connection with the specific end device used. However, this does not mean that we immediately learn your identity.

The purpose of cookies is to make the use of our website a more pleasant experience for you. We use what are referred to as session cookies to recognise when you have already visited individual pages of our website before. These cookies are deleted automatically after you leave our site.

We also use temporary cookies, which are stored on your device for a specific period of time, to optimise the user experience. If you visit our website again to use our services, it will automatically detect that you have visited the site before and remember which entries and settings you made so that you do not have to repeat them.

In addition, we use cookies to collect statistics on the use of our website and to evaluate our website in order to optimise it for you. These cookies allow us to automatically recognise that you have visited our website before when you return to our site. The cookies used for this purpose are automatically deleted after a set period of time. The relevant storage duration of the cookies can be found in the settings of the consent tool used.

8. Content of our website

8.1 Data processing in connection with the opening of a customer account and the performance of a contract

Pursuant to Article 6(1)(b) GDPR, data may be collected and processed if you have provided us with this data in connection with the performance of a contract or the opening of a customer account. The types of data that are collected can be determined from the relevant input forms. You can delete your customer account at any time, for example by emailing the controller (using the email address provided above). We will store and use the data that you provide for performance of the contract. Once the contract has been performed in full or your customer account has been deleted, your data will be blocked until expiry of the relevant retention periods under tax and commercial law and then erased, unless you have expressly consented to further use of your data or we are permitted by law to continue using the data; we will inform you below of any such permitted uses of your data.

8.2 Data processing for order handling

To the extent necessary, and within the framework of contract performance, the personal data that we collect will be transferred to the shipping company responsible for delivering the goods. Insofar as is necessary for the purpose of processing your payment, we will transfer your payment details to the relevant financial institution. If payment service providers are used, we will explicitly inform you thereof in the following paragraphs. The legal basis for this transfer of data is Article 6(1)(b) GDPR.

8.3 Conclusion of contracts for online shop, dealers and shipment of goods

We only transfer personal data to third parties if this is necessary in connection with performance of the contract, for example to the companies responsible for delivering the goods or the financial institution responsible for processing the payment. Further data transfers will not take place or will only take place if you have expressly consented to them. Your data will not be transferred to third parties, e.g. for advertising purposes, without your express consent.
The basis for data processing is Article 6(1)(b) GDPR, which permits the processing of data in connection with the performance of a contract or pre-contractual measures.

8.4 Contact/contact form

Your personal data will be collected if you make contact with us (e.g. via a contact form or by email). The types of data collected if you use a contact form to contact us can be determined from the relevant contact form. The data will be stored and used exclusively for the purpose of answering your query or for making contact, and for the associated technical administrative matters. The legal basis for the processing of the data is our legitimate interest in responding to your query pursuant to Article 6(1)(f) GDPR. If you have made contact for the purpose of concluding a contract, Article 6(1)(b) GDPR will serve as an additional legal basis for processing. Once your query has been answered, your data will be deleted; this can be assumed to be the case if it is clear from the circumstances that the matter has been concluded and if there are no statutory retention obligations that would prevent deletion of the data.

8.5 Application management/list of vacancies

We collect and process job applicants' personal data for the purpose of handling the application procedure. This data may also be processed electronically. In particular, this will be the case if an applicant sends us the relevant application documents electronically, for example by email or via a web form on the website. If we enter into an employment or service contract with an applicant, the data that has been transferred will be stored in accordance with the statutory provisions for the purpose of handling the employment relationship. If we decide not to enter into a contract with the applicant, the application documents will automatically be deleted two months after the applicant has been notified of the corresponding decision, provided that there are no other legitimate interests on our part that would prevent their deletion. Other legitimate interests in this connection include e.g. an obligation to provide evidence in proceedings under the German General Equal Treatment Act [Allgemeines Gleichbehandlungsgesetz, AGG].
The legal basis for the processing of your data is Article 88 GDPR in conjunction with Section 26(1) of the German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG].

8.6 Handling of customer and supplier data

We will process your data (including your personal data) for the purpose of arranging, performing and handling contractual relationships, for preparing offers and for invoicing, as well as for making contact and providing information as part of the customer service relationship.

1. Legal basis for data processing
The processing of data is necessary for performance of a contract or pre-contractual measures pursuant to Article 6(1)(b) GDPR or to protect our legitimate interest pursuant to Article 6(1)(f) GDPR, and there are no overriding interests or fundamental rights and freedoms on the part of the data subject.

2. Categories of recipients
Internal recipients include Consulting, Contract Management, Accounting, Controlling and Back Office. We also use service providers (contract processors) to fulfil our tasks, such as IT service providers and hosting providers, and transfer data to authorities or courts within the scope of our legal obligations.

8.7 Handling of visitor data

We will process your data (including your personal data) for the purpose of checking whether you are entitled to access the building. We will store the following data in this connection:
  • contact details of visitors (title, surname, first name, email address)
  • details of the actual visit (location, building, date, time)

1. Legal basis for data processing
Processing is necessary for the purpose of monitoring access to the building and protecting our legitimate interest pursuant to Article 6(1)(f) GDPR; there are no overriding interests or fundamental rights and freedoms on the part of the data subject.

2. Retention period
Your personal data will be stored for a period of one year from your last visit.

9. Newsletter

9.1 Newsletter for existing customers

If you have provided us with your email address when purchasing goods or services, we reserve the right to send you regular offers by email regarding goods or services from our range that are similar to those that you have already purchased. Pursuant to Section 7(3) of the German Act against Unfair Competition [Gesetz gegen den unlauteren Wettbewerb, UWG], we do not have to obtain any separate consent from you for this. Data will be processed in this connection solely on the basis of our legitimate interest in personalised direct advertising pursuant to Article 6(1)(f) GDPR. If you initially object to the use of your email address for this purpose, we will not send you any emails. You are entitled to object to the use of your email address for the aforementioned advertising purposes at any time with future effect, by emailing the controller (email address provided above). You will only be charged the transmission costs in accordance with the basic tariffs. Once we receive your objection, we will immediately stop using your email address for advertising purposes.

9.2 Advertising newsletter

You can subscribe to our company's newsletter on our website. The personal data transferred to us when you subscribe to the newsletter can be determined from the input screen used for this purpose.
We send a newsletter to our customers and business partners at regular intervals to inform them about our offers. As a basic principle, you may only receive our company's newsletter if
1. you have a valid email address, and
2. you have registered to receive a newsletter.
For legal reasons, a double opt-in confirmation email will be sent to the email address you first provided when subscribing to the newsletter. This confirmation email is used to check that you are the owner of the email address and that you have authorised a subscription to the newsletter.
When you register for the newsletter, we also store the IP address (assigned by your Internet Service Provider or ISP) of the IT system you used at the time you registered, as well as the date and time of your registration. It is necessary to collect this data as a basis for investigating any (potential) misuse of your email address at a later date, or in other words as a means of protecting our legal interests.
The personal data collected in connection with a subscription to the newsletter will be used exclusively for the purpose of sending out the newsletter. Subscribers to the newsletter may also receive emails insofar as this is necessary for operation of the newsletter service or if an additional registration is required, for example if changes are made to the newsletters that are offered or if technical changes are made. The personal data collected in connection with a subscription to the newsletter is not transferred to third parties. You can cancel your subscription to our newsletter at any time. Consent to the storage of personal data that has been granted for the purpose of receiving the newsletter can be withdrawn at any time. Each newsletter contains a link that can be followed to withdraw consent. It is also possible to unsubscribe from the newsletter at any time directly on our website or to contact us in another way with an unsubscribe request.
The legal basis for processing data for the purpose of sending out the newsletter is Article 6(1)(a) GDPR.

9.3 Episerver

We use Episerver to send newsletters. The provider is Episerver GmbH, Wallstraße 16, 10179 Berlin. Episerver is a service that can be used to organise and analyse newsletter delivery. The data entered to receive the newsletter (e.g. email address) is stored on Episerver's servers.
Our newsletters sent via Episerver enable us to analyse the behaviour of newsletter recipients. For example, we can analyse how many recipients have opened the newsletter and how often each link in the newsletter was clicked on. With the aid of conversion tracking, we can also analyse whether a predefined action (e.g. purchase of a product on our website) has taken place after clicking on the link in the newsletter.
In the case of newsletters sent to our existing customers, the analysis is carried out on the basis of our legitimate interest in determining the success of our newsletter as well as optimising the content of the newsletter (Article 6(1)(f) GDPR). If you register to receive our newsletter, the analysis is carried out on the basis of your consent to this processing, which was granted as part of the registration process (Article 6(1)(a) GDPR).
If you do not want the Episerver analysis to be conducted, you must unsubscribe from the newsletter. We provide an unsubscribe link in every newsletter for this purpose. You can also unsubscribe from the newsletter directly on the website.
We will retain the data that you have provided in order to subscribe to the newsletter until you unsubscribe from the newsletter. Once you have unsubscribed from the newsletter, this data will be blocked on both our servers and Episerver's servers so that it cannot be used to send any further newsletters. If you wish to request the deletion of your data stored for the purposes of the newsletter, please notify us accordingly. Data that we have stored for other purposes (e.g. email addresses for the member area) is not affected by this.
For more information on Episerver's privacy policy, visit: https://www.episerver.com/de/legal/datenschutz.

10. Our social networking activities

We have our own pages on social networks in order to communicate with you and provide you with information about our services. If you visit one of our social media pages, we and the provider of the social media platform concerned are jointly responsible for the processing operations triggered by this visit in accordance with Article 26 GDPR.
We are not the original provider of these pages; we use them only within the scope of the opportunities offered to us by the relevant providers.
As a precautionary measure, we would therefore like to point out that your data may also be processed outside the European Union or the European Economic Area. Use of the data may therefore involve data protection risks since it may be more difficult for you to exercise your rights, e.g. the right to information, the right to erasure, the right to object etc., and data is frequently processed directly by social networks for advertising purposes or to analyse user behaviour in a manner that is beyond our control. If the provider creates user profiles, this often involves the use of cookies or the assignment of user behaviour to the member profile you have created on the social networks.
The described processing of personal data is carried out in accordance with Article 6(1)(f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in communicating with you in a timely manner or informing you about our services. If you, as a user, are required to give your consent to data processing to the respective provider, the legal basis is Article 6(1)(a) GDPR in conjunction with Article 7 GDPR.
Since we do not have access to the providers' databases, we would like to point out that it is advisable for you to contact the relevant provider directly to exercise your rights (e.g. to information, correction, erasure etc.). Further information on the processing of your data by social networks is listed below for the individual providers of social networks on which we have a presence:

10.1 Facebook

(Joint) data controller in Europe:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy policy:
https://www.facebook.com/about/privacy

10.2 Instagram

(Joint) data controller in Germany:
Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy policy:
https://instagram.com/legal/privacy/

10.3 LinkedIn

(Joint) data controller in Europe:
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Privacy notice:
https://www.linkedin.com/legal/privacy-policy

10.4 YouTube

(Joint) data controller in Europe:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy notice:
https://policies.google.com/privacy

11. Website tracking

11.1 Google Analytics

On our website we use Google Analytics, a web analytics service provided by Google Ireland Limited (https://about.google/intl/en/), Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). In this context, we create pseudonymous user profiles and use cookies (see the section "Cookies"). The information generated by the cookie concerning your use of the website, such as
1. the browser type/version,
2. the operating system used,
3. the referrer URL (the last page you visited before our website),
4. the host name of the computer used to access the website (IP address) and
5. the time of the server request,
are transferred to a Google server in the USA and stored there. This information is used to assess the use of the website, to compile reports on website activities and to provide other services related to the use of the website and of the Internet for the purposes of market research, as well as to allow us to design our website to better suit user needs. This information may also be transferred to third parties if required by law or if these third parties are processing this data on our behalf. Under no circumstances will your IP address be combined with other data from Google. IP addresses are anonymised to ensure that it is not possible to make any associations (IP masking).
You can prevent the storage of cookies using the appropriate settings in your browser; however, please note that if you do so, you may not be able to access the full functionality of some of the features of our website.
These processing operations will only be carried out if you grant express consent pursuant to Article 6(1)(a) GDPR.
You can also prevent the collection of data generated by the cookie and related to your use of this website (including your IP address) as well as Google's processing of this data by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en-GB).
As a US company, the parent company Google LLC is certified under the EU-US Data Privacy Framework. Accordingly, an adequacy decision has been issued pursuant to Article 45 GDPR, which means that personal data may be transferred without the provision of further guarantees or additional measures.
The privacy policy for Google Analytics can be viewed at: https://support.google.com/analytics/answer/6004245?hl=en-gb.

12. Plugins and other services

12.1 Google Maps

We use Google Maps (API) on our website. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Maps is a web service used to display interactive (land) maps to visualise geographic information. For example, this service allows us to show you our location and makes it easier for you to reach us.
When you visit subpages that incorporate Google Maps, information about your use of our website (such as your IP address) is transferred to Google servers in the USA and stored there, provided that you have given your consent in accordance with Article 6(1)(a) GDPR. In addition, Google Maps downloads Google Fonts, Google Photos and Google Stats. The provider of these services is also Google Ireland Limited. When you visit a page that incorporates Google Maps, your browser loads the web fonts and photos required to display Google Maps into your browser cache. The browser that you use also establishes a connection to Google's servers for this same purpose. This lets Google know that our website has been accessed via your IP address. This happens regardless of whether Google provides a user account that you are logged into or whether there is no user account. If you are logged into Google, your data will be assigned directly to your account. If you do not want this data to be associated with your Google profile, you must log out of your Google user account. Google stores your data (even for users who are not logged in) as user profiles and analyses them. You have the right to object to the creation of these user profiles, and must contact Google to exercise this right.
If you do not consent to the future transfer of your data to Google in connection with the use of Google Maps, there is also the option to deactivate the Google Maps web service completely by disabling the JavaScript application in your browser. It will then not be possible to use Google Maps or the map display on this website.
These processing operations will only be carried out if you grant express consent pursuant to Article 6(1)(a) GDPR.
Google's terms of service can be viewed at https://policies.google.com/terms?hl=en-gb, and the additional terms of service for Google Maps can be found at https://www.google.com/intl/en-gb/help/terms_maps/.
As a US company, the parent company Google LLC is certified under the EU-US Data Privacy Framework. Accordingly, an adequacy decision has been issued pursuant to Article 45 GDPR, which means that personal data may be transferred without the provision of further guarantees or additional measures.
The privacy policy for Google Maps can be viewed at: https://www.google.com/policies/privacy/.

12.2 Google Photos

We use Google Photos, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to store the images that are embedded on our website.
Embedding involves the integration of certain third-party content (text, video or image data) that is provided by another website (Google Photos) and then appears on our own website. An embed code is used for the embedding. If we have integrated an embed code, the external content from Google Photos is displayed immediately by default as soon as our website is visited.
As part of the technical implementation of the embed code, which enables the Google Photos images to be displayed, your IP address is transferred to Google Photos. Google Photos also collects our website, the type of browser used, the browser language and the time and length of access. In addition, Google Photos may collect information about which of our subpages you have visited and which links you have clicked on, as well as other interactions you have performed on our site. This data may be stored and analysed by Google Photos.
These processing operations will only be carried out if you grant express consent pursuant to Article 6(1)(a) GDPR.
This US company is certified under the EU-US Data Privacy Framework. Accordingly, an adequacy decision has been issued pursuant to Article 45 GDPR, which means that personal data may be transferred without the provision of further guarantees or additional measures.
Google's privacy policy can be viewed at: https://www.google.com/policies/privacy/.

12.3 Google Tag Manager

We use the Google Tag Manager service on this website. Google Tag Manager is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
This tool allows "website tags" (i.e. keywords that are embedded in HTML elements) to be implemented and managed via an interface. Google Tag Manager enables us to automatically track which button, link or personalised image you have actively clicked on and then record which content on our website is particularly interesting to you.
The tool also triggers other tags that may collect data about you on your device. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager.
These processing operations will only be carried out if you grant express consent pursuant to Article 6(1)(a) GDPR.
As a US company, the parent company Google LLC is certified under the EU-US Data Privacy Framework. Accordingly, an adequacy decision has been issued pursuant to Article 45 GDPR, which means that personal data may be transferred without the provision of further guarantees or additional measures.
For more information on Google Tag Manager and Google's privacy policy, please visit: https://www.google.com/policies/privacy/.

12.4 Google Fonts

Our website uses web fonts to ensure that fonts are displayed consistently. Google Fonts is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
These processing operations will only be carried out if you grant express consent pursuant to Article 6(1)(a) GDPR.
As a US company, the parent company Google LLC is certified under the EU-US Data Privacy Framework. Accordingly, an adequacy decision has been issued pursuant to Article 45 GDPR, which means that personal data may be transferred without the provision of further guarantees or additional measures.
Further information on Google Fonts can be found at https://developers.google.com/fonts/faq and Google's privacy policy is available at https://www.google.com/policies/privacy/.

12.5 YouTube videos in extended data protection mode (YouTube-NoCookies)
Some subpages on our website contain links to YouTube. As a general rule, we are not responsible for the content on linked websites. However, if you follow a link to YouTube, we would like to point out that YouTube stores the data of its users (e.g. personal information, IP address) in accordance with its own data use policies and uses it for business purposes.
YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.
We also directly incorporate videos stored on YouTube on some of the subpages of our website. This means that content from the YouTube website is displayed in sections of a browser window. If you visit a (sub)page of our website that contains integrated YouTube videos, a connection to the YouTube servers is established and the content is displayed on the website by sending a corresponding message to your browser.
YouTube content is only incorporated in "extended data protection mode". This mode, which is provided by YouTube itself, ensures that YouTube does not initially store cookies on your device. However, when you visit the pages concerned, the IP address and, where necessary, other data are transmitted. In particular, this includes information on which of our webpages you have visited. However, this information cannot be linked to you unless you have logged into YouTube or another Google service or are permanently logged in before you visit the site. Because YouTube content is incorporated in extended data protection mode, when you click on an incorporated video to start playing it, YouTube will only store cookies on your device that do not contain personally identifiable data, unless you are currently logged into a Google service. You can prevent these cookies from being stored by configuring your browser settings and extensions accordingly.
The request for the video also constitutes your consent to the placement of the corresponding cookie (Article 6(1)(a) GDPR).
This US company is certified under the EU-US Data Privacy Framework. Accordingly, an adequacy decision has been issued pursuant to Article 45 GDPR, which means that personal data may be transferred without the provision of further guarantees or additional measures.
YouTube's privacy policy can be viewed at: https://www.google.com/policies/privacy/.

12.6 ThingLink

ThingLink processes data visually (videos, panoramas etc.) for our website. ThingLink collects the following data in an embedded display: IP address, browser, statistics (views, hovers, clicks per image). This data is stored for 30 days. The provider is Thinglink Oy, Bulevardi 7, 00120 Helsinki, Finland. Privacy notice: https://www.thinglink.com/privacy.
The legal basis for the processing is your consent given in accordance with Article 6(1)(a) GDPR.

12.7 Sklik/imedia.cz

We use the Seznam Sklik conversion tracking technology and retargeting feature on our website. This service is provided by seznam.cz, a.s., Prague 5 - Smíchov, Radlická 3294/10, 15000, Czech Republic (hereinafter: Sklik).
This technology enables personalised ads to be displayed in the Sklik partner network for visitors to our website.
Sklik provides further information on its privacy practices at https://o.seznam.cz/ochrana-udaju/.

12.8 Fastly

We use the CDN service "Fastly" provided by Fastly, Inc., Attention: General Counsel, 475 Brannan St., Suite 300, San Francisco, CA 94107. This is a content delivery network (CDN). A CDN is a network of powerful servers that cache content in multiple locations around the world. The legal basis for the use of Fastly and the transfer of your data to it is Article 6(1)(f) GDPR (legitimate interest in data processing), unless otherwise specified for the service concerned. The legitimate interest arises from our need for our website to load quickly without any technical issues and our need to relieve the burden on our IT infrastructure.
For more information on how user data is handled, see Fastly's privacy policy: https://www.fastly.com/privacy/.

13. PfG Control app

When you download the app, the required information is transferred to the operator of the relevant store. Furthermore, the store independently collects various data records and analyses your usage patterns. We have no influence over this data processing and are not responsible for it. We only process data if doing so is necessary in order for you to download the app to your device. The legal basis for this is our legitimate interest in making the app available for you to download from app stores (as per Art. 6(1)(f) GDPR). The legal basis for concluding a user agreement with you for our app when you download the app is Art. 6(1)(b) GDPR. When you download our app, your personal data is transferred to a third country, specifically to the USA; we assume that you consent to this due to the fact that you downloaded the app in the first place. We have also concluded EU standard contractual clauses with the operators of the stores.
You need to create a user account in order to use our app. The legal basis for processing personal data in connection with this is Art. 6(1)(b) GDPR.
Alternatively, our app has an integrated social login feature that enables you to log in using existing credentials from a social networking service. The legal basis for using the social login feature is Art. 6(1)(a) GDPR, i.e. this feature is only used and integrated once you have given your consent. Your consent also covers any transferral of data to a third country.
We do not know exactly how the operator of the respective social network processes your personal data. However, it can be assumed firstly that the operator of the social network will assign your data to your social media profile and use that data for advertising, market research and profiling purposes, and secondly that your data will be transferred to a third country, e.g. the USA. We have no influence over data processing by the operator of the respective social network.
To justify data transfer to a third country, we have concluded EU standard contractual clauses with social network operators in addition to obtaining your consent.
Using the features of our app
The app gives you convenient control over all your smart PfG garden and aquarium products, either locally via Bluetooth or remotely from anywhere in the world via our cloud.
The legal basis for processing personal data in this context is the user agreement for the app that we concluded with you (as per Art. 6(1)(b) GDPR).
If an account is created for you by a primary user as part of a multi-user account, we will receive your personal data from the primary user.

Use of Google Analytics

This app uses Google Analytics, a service provided by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. The legal basis for the use of Google Analytics is your consent pursuant to Art. 6(1)(a) GDPR, which also applies to your data potentially being transferred to the USA.
The information created when you use our services may be transferred to a Google server in the USA and stored there. We have therefore agreed EU standard contractual clauses with Google, which we use in conjunction with your consent as the basis for transferring your personal data to the USA.
We use Google Analytics to analyse your usage patterns so that we can continually improve our app and our services.

Voluntary customer surveys
Every so often we will invite you to take part in voluntary customer surveys, the results of which we use for internal analyses, product improvements and advertising purposes. The legal basis for this is your consent pursuant to Art. 6(1)(a) GDPR.

Direct marketing by email
When we receive your email address upon conclusion of the user agreement for this app, we will occasionally use it to send you direct marketing for our garden and aquarium products and services. You can object to us using your email address for this purpose at any time, for example by sending an email to datenschutzbeauftragter@PfG.com. We will also make you aware of your right to object each time we send you a marketing email.

Integration of Alexa and Google voice assistants
We offer the ability to integrate the Alexa and Google voice assistants. The legal basis for this is your consent in accordance with Art. 6(1)(a) GDPR. This also applies to transferring data to third countries, in particular the USA, which is required when using these systems. We have also concluded EU standard contractual clauses with the providers of these systems.

Storage period and criteria used to determine the storage period

We will process your data for as long as your user account remains active. If you delete your user account, your data will be erased immediately unless we are legally obliged by, for example, the storage and documentation requirements of tax and commercial law (German Commercial Code, German Criminal Code and German Fiscal Code) to store your data for longer or you have consented to a longer storage period pursuant to Art. 6(1)(a) GDPR.

Recipients or categories of recipients

Recipient: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA
Purpose: Operating our app in the Microsoft Azure Cloud
Legal basis: EU standard contractual clauses + consent

Recipient: Amazon Europe Core S.à r.l., 38 Avenue John F. Kennedy, 1855 Luxembourg
Purpose: Alexa integration
Legal basis: EU standard contractual clauses + consent

Recipient: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Google Assistant integration
Legal basis: EU standard contractual clauses + consent

Your data will not be subject to automated decision-making, including profiling.

14. Your rights as a data subject

14.1 Right to confirmation

You have the right to request confirmation from us as to whether personal data concerning you is being processed.

14.2 Right of access – Article 15 GDPR

You have the right to obtain information from us free of charge at any time about the personal data stored relating to you, as well as a copy of this data in accordance with the statutory provisions.

14.3 Right to rectification – Article 16 GDPR

You have the right to request the correction of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data.

14.4 Right to erasure – Article 17 GDPR

You have the right to request that we erase the personal data concerning you immediately, provided that one of the reasons provided for by law applies and provided that the processing or retention of the data is not necessary.

14.5 Right to restriction of processing – Article 18 GDPR

You have the right to obtain the restriction of processing from us if one of the legal requirements is met.

14.6 Right to data portability – Article 20 GDPR

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller to whom the personal data has been provided without hindrance by us, provided that the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
In addition, when exercising your right to data portability pursuant to Article 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, insofar as this is technically feasible and insofar as this does not impinge on the rights and freedoms of other persons.

14.7 Right to object – Article 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) (data processing in the public interest) or Article 6(1)(f) (data processing based on a balancing of interests) of the GDPR.
This also applies to profiling based on these provisions in accordance with Article 4(4) GDPR.
If you file an objection, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is carried out for the establishment, exercise or defence of legal claims.
In individual cases, we process personal data for direct marketing purposes. You may object to the processing of personal data for these marketing purposes at any time. This also applies to profiling, insofar as it is performed in connection with such direct marketing. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
In addition, where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

14.8 Right to withdraw data protection consent

You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.

14.9 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority responsible for data protection about our processing of personal data.

15. Routine storage, erasure and blocking of personal data

We process and store your personal data only for the period necessary to achieve the purpose of storage or for the period required by the laws applicable to our company.
Once the purpose of storage ceases to apply or a prescribed retention period expires, the personal data will be routinely blocked or erased in accordance with the statutory provisions.

16. Retention period for personal data

The criterion for how long personal data is stored is the respective statutory retention period. Once this period expires, the data concerned will be routinely erased, unless it is still required for the performance or initiation of a contract.