Rights of data subjects & information

INFORMATION OBLIGATIONS ACC. ART. 13 GDPR

We hereby wish to inform you comprehensively about the processing of your data in our company and the data protection claims and rights to which you are entitled in accordance with Art. 13 of the European General Data Protection Regulation (EU GDPR).

1. Who is responsible for data processing and who can you contact?

Responsible is

LÖFFLER GmbH

Rosenstrasse 8

91244 Reichenschwand

Managing director authorized to represent: Werner Löffler

Phone: +49 (0) 91 51 - 83 00 8 - 0

Fax: +49 (0) 91 51 - 83 00 8 - 88

E-mail: datenschutz@loeffler.de (internal data protection team)

E-mail: info@loeffler.de (general inquiries)

The company data protection officer is

Fabian Fromm (external data protection officer)

Project 29 GmbH & Co. KG

Ostengasse 14

93047 Regensburg

E-mail: anfragen@projekt29.de

Phone: 0941-2986930

2. Which data is processed and from which sources does this data originate?

We process the data that we have received from you in the context of contract initiation or processing, on the basis of consent or in the context of your application to us or in the context of your employment with us.

Personal data includes the following:

Your master/contact data, for customers this includes e.g. first name and surname, address, contact details (e-mail address, telephone number, fax), bank details.

For business partners, this includes, for example, the name of their legal representative, company, commercial register number, VAT number, company number, address, contact details (e-mail address, telephone number, fax), bank details.

For visitors to our company, this includes name and signature.

For journalists, this includes first and last name, e-mail address, fax number.

For competition participants, this includes first and last name, e-mail address.

In addition, we also process the following other personal data:

• Information on the type and content of contract data, order data, sales and document data, customer and supplier history and consulting documents,

• Advertising and sales data,

• information from your electronic communication with us (e.g. IP address, log-in data),

• other data that we have received from you in the course of our business relationship (e.g. in discussions with customers),

• data that we generate ourselves from master/contact data and other data, e.g. by means of customer demand and customer potential analyses,

• the documentation of your declaration of consent for the receipt of e.g. newsletters.

• Photographs taken as part of events.

3. For what purposes and on what legal basis is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018 as amended:

• for the fulfillment of (pre-)contractual obligations (Art. 6 para. 1 lit. b GDPR):

Your data will be processed online or at our business location for the purpose of processing contracts with your employees in our company. The data is processed in particular when initiating business and when executing contracts with you.

• for the fulfillment of legal obligations (Art. 6 para. 1 lit.c GDPR):

The processing of your data is necessary for the purpose of fulfilling various legal obligations, e.g. from the German Commercial Code or the German Fiscal Code.

• to safeguard legitimate interests (Art. 6 para. 1 lit.f GDPR):

Based on a balancing of interests, data may be processed beyond the actual fulfillment of the contract to protect our legitimate interests or those of third parties. Data processing to protect legitimate interests takes place in the following cases, for example:

- Advertising or marketing (see no. 4),
              - Measures for business management and further development of services and products;
              - Maintaining a Group-wide customer database to improve customer service
              - in the context of legal prosecution
              - Sending of non-sales-promoting information and press releases.

• within the scope of your consent (Art. 6 para. 1 lit. a GDPR):

If you have given us your consent to process your data, e.g. to send you our newsletter, publish photos, competitions, etc., we will use your data for this purpose.

4. Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time, either as a whole or for individual measures, without incurring any costs other than the transmission costs according to the basic rates.

Subject to the legal requirements of Section 7 (3) UWG, we are entitled to use the e-mail address you provided when concluding the contract for direct advertising for our own similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter.

If you do not wish to receive such recommendations from us by e-mail, you can object to the use of your address for this purpose at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form is sufficient for this. Of course, every e-mail always contains an unsubscribe link.

5. Who receives my data?

If we use a service provider in the sense of commissioned processing, we nevertheless remain responsible for the protection of your data. All processors are contractually obliged to treat your data confidentially and to process it only within the scope of providing the service. The processors commissioned by us will receive your data if they require the data to perform their respective service. These are, for example, IT service providers that we require for the operation and security of our IT system as well as advertising and address publishers for our own advertising campaigns.

Your data is processed in our customer database. The customer database supports the enhancement of the data quality of the existing customer data (duplicate cleansing, moved/deceased indicator, address correction) and enables the enrichment with data from public sources.

If there is a legal obligation and in the context of legal prosecution, authorities and courts as well as external auditors may be recipients of your data.

 In addition, insurance companies, banks, credit agencies and service providers may be recipients of your data for the purpose of contract initiation and fulfillment.

6. How long will my data be stored?

We process your data until the end of the business relationship or until the expiry of the applicable statutory retention periods (e.g. from the German Commercial Code, the German Fiscal Code); in addition, until the end of any legal disputes in which the data is required as evidence.

7. Is personal data transferred to a third country?

When transferring data to a third country, the legal provisions of the GDPR are complied with. In individual cases, data will only be transferred on the basis of an adequacy decision by the European Commission, standard contractual clauses, suitable guarantees or your express consent.

8. What data protection rights do I have?

You have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing as well as a right to data portability and to complain in accordance with the requirements of data protection law.

Right to information:

You can request information from us as to whether and to what extent we process your data.

Right to rectification:

If we process your data that is incomplete or incorrect, you can request that we correct or complete it at any time.

Right to erasure:

You can demand that we erase your data if we process it unlawfully or if the processing interferes disproportionately with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention obligations.

Irrespective of the exercise of your right to erasure, we will erase your data immediately and completely, provided that there is no legal or statutory retention obligation to the contrary.

Right to restriction of processing:

You can demand that we restrict the processing of your data if

- you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data

- the processing of the data is unlawful, but you oppose the erasure of the data and request the restriction of its use instead

- we no longer need the data for the intended purpose, but you still need this data to assert or defend legal claims, or

- you have objected to the processing of the data.

Right to data portability:

You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transmit this data to another controller without hindrance from us, provided that

- we process this data on the basis of your revocable consent or for the performance of a contract between us, and

- this processing is carried out by automated means.

If technically feasible, you can request that we transfer your data directly to another controller.

Right to object:

If we process your data on the basis of legitimate interest, you can object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defense of legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.

Right to lodge a complaint:

If you are of the opinion that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions you may have. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.

If you wish to assert one of these rights against us, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.

9. Am I obliged to provide data?

The processing of your data is necessary for the conclusion or fulfillment of the contract you have entered into with us. If you do not provide us with this data, we will generally have to refuse to conclude the contract or will no longer be able to perform an existing contract and will therefore have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that is not relevant or legally required for the fulfillment of the contract.

Art. 13 GDPR Information Obligations – Photo Notice for Events

The protection of your personal data is of particular concern to us. We process your personal data (hereinafter referred to as "data") exclusively based on legal regulations.

During today’s event, we will be taking photographs in which you may appear directly or as part of the surroundings.

With this photo notice, we aim to inform you comprehensively, as required by Art. 13 of the European General Data Protection Regulation (EU GDPR), about the processing of your image data and your associated data protection claims and rights.

1. Who is responsible for data processing, and whom can you contact?

Responsible entity:
Löffler GmbH
Marketing
Rosenstraße 8
91244 Reichenschwand
Email: pr@loeffler.de
Phone: +49 9151 83008-62

Data Protection Officer:
Fabian Fromm
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
Email: anfragen@projekt29.de
Phone: +49 941-2986930

2. What data is processed, and where does it come from?

We process image data in the form of photographs taken of you during the event.

3. For what purposes and on what legal basis is the data processed?

We process this data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018, as amended:

• To protect legitimate interests (Art. 6 Para. 1 lit. f GDPR):
  Based on a balance of interests, data processing may be carried out to protect our legitimate interests.

4. Who receives my data?

If we engage a service provider (e.g., a photographer) for data processing, we remain responsible for protecting your data. All service providers are contractually obligated to treat your data confidentially and process it only within the scope of the service.

The photos taken of you will be published in the following media:

• Internet (homepage, newsletter, and social media platforms)
• Press

5. How long will my data be stored?

We store your data only until the purpose for which it was collected has been fulfilled or until you withdraw your consent to its use. Afterward, it will be deleted in accordance with GDPR regulations.

6. Are personal data transferred to a third country?

As a rule, we do not transfer data to a third country.

7. What data protection rights do I have?

You have the right to access, correct, delete, or restrict the processing of your stored data at any time. You also have the right to object to data processing, the right to data portability, and the right to lodge a complaint in accordance with the requirements of data protection law.

• Right of access:
  You can request information about whether and to what extent we process your data.

• Right to rectification:
  If we process data that is incomplete or incorrect, you can request its correction or completion at any time.

• Right to erasure:
  You can request the deletion of your data if we process it unlawfully or if its processing disproportionately interferes with your legitimate interests. Please note that there may be reasons that prevent immediate deletion, such as legally mandated retention obligations.
  Regardless of the exercise of your right to deletion, we will delete your data promptly and completely as long as there is no legal or contractual obligation to retain it.

• Right to restriction of processing:
  You can request the restriction of your data processing if:

  • You dispute the accuracy of the data for a period that allows us to verify its accuracy.
  • The processing is unlawful, but you oppose deletion and instead request a restriction of use.
  • We no longer need the data for its intended purpose, but you need it to assert or defend legal claims.
  • You object to the processing of your data.

• Right to data portability:
  You can request that we provide you with the data you have provided to us in a structured, commonly used, and machine-readable format. You can also request that we transfer this data directly to another responsible party where technically feasible, provided:

  • We process this data based on your revocable consent or a contract between us.
  • The processing is carried out using automated methods.

• Right to object:
  If we process your data to protect legitimate interests, you can object to this data processing at any time, including profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or the processing serves the assertion, exercise, or defense of legal claims. You can object to the processing of your data for direct marketing purposes at any time without providing reasons.

• Right to lodge a complaint:
  If you believe that we are violating German or European data protection law in processing your data, please contact us so we can clarify your concerns. You also have the right to file a complaint with your supervisory authority, such as the relevant state data protection office.

To exercise any of the aforementioned rights, please contact our Data Protection Officer. If in doubt, we may request additional information to verify your identity.

Privacy Information for Facebook and Instagram in Accordance with Articles 13 and 14 GDPR

Below, we inform you about the collection and use of personal data when using our Facebook and Instagram pages. Personal data includes any information that can be related to you personally, such as your Facebook or Instagram profile, images, email address, or IP address.

1. Data Controller

Löffler GmbH
Marketing
Rosenstraße 8
91244 Reichenschwand, Germany
Phone: +49 9151 83008-62
Email: pr@loeffler.de

Data Protection Officer
Fabian Fromm
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg, Germany
Email: anfragen@projekt29.de
Phone: +49 941-2986930

2. Responsibility of the Platform Operators

Löffler GmbH and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (Meta), operate as joint controllers in accordance with Article 26(1) Sentence 1 GDPR for the social media platforms Facebook and Instagram.

Löffler GmbH has limited influence over the processing of personal data by Meta as the platform operator. While we aim to ensure data is handled in compliance with privacy regulations within the scope of our possibilities, we cannot fully disclose how Meta processes data.

Meta operates the IT infrastructure for the services and maintains a separate user relationship with you if you are a registered platform user. Information on Meta’s data processing and objection options can be found in Meta’s privacy policies:

• Facebook Privacy Policy
• Instagram Privacy Policy

3. Joint Responsibility

Löffler GmbH and Meta have a joint controller agreement under Article 26 GDPR. Details can be found here:

• https://www.facebook.com/legal/controller_addendum
• https://de-de.facebook.com/legal/terms/page_controller_addendum

Meta and Löffler GmbH act as joint controllers for web tracking methods on social media pages. Web tracking can occur even if you are not logged into the platforms. The legal basis for these web tracking methods is Meta’s legitimate interest under Article 6(1)(f) GDPR.

More information:

• Facebook Cookies
• Instagram Cookies

4. Purpose and Legal Basis of Processing

The purpose of data processing is to provide information on current offers, news, and promotions, as well as to interact with our visitors.

Legal Basis for Processing:

• Article 6(1)(f) GDPR (legitimate interest)
• Article 6(1)(b) GDPR (contractual communication, e.g., via Messenger)

We use Meta’s statistical information to optimize our social media presence under Article 6(1)(f) GDPR.

More information:

• Meta Legal Bases

5. Data Retention Period

There is no fixed retention period for published posts. Your data will be deleted as soon as it is no longer necessary, or processing will be restricted if legal retention obligations exist. You can delete your own posts at any time.

6. Data Recipients

Your data will only be shared with third parties if:

• A legal obligation exists,
• It is necessary for contract fulfillment,
• Or you have given your consent.

Data transfers to entities outside the EU/EEA occur only with your consent.

7. Rights of Data Subjects

You have the right to:

• Access,
• Rectification,
• Deletion,
• Restriction of processing,
• Data portability,
• Object to the processing of your data.

For data processed solely by us, contact us using the details provided in Section 1. For data processed solely or jointly by Meta, please contact Meta directly.

8. Complaint to the Data Protection Authority

If you believe your rights have been violated, you can file a complaint with the competent data protection authority:

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
Email: dpo@dataprotection.ie
More information: https://www.dataprotection.ie

9. Right to Object

You have the right to object to data processing based on your specific situation at any time (Article 21 GDPR). If you object to processing for direct marketing purposes, your data will no longer be processed for these purposes.