Data protection statement
This data protection statement provides you with information about the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online services and the linked websites, functions and contents, and on external online presences such as our social media profiles (hereinafter collectively referred to as “online services”). With regard to the terms used here such as “processing (German: Verarbeitung)” and “controller (German: Verantwortlicher)”, we make reference to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
MOLL bauökologische Produkte GmbH
Tel +49 62 02 - 27 82.0
Fax +49 62 02 - 27 82.21
Authorised representative managing directors:
Lothar Moll & Uwe Bartholomäi
Data Protection Officer
Tel +49 7131 - 2628 - 800
Types of data processed
- Master data (e.g., names, addresses)
- Contact data (e.g., e-mail, telephone numbers)
- Content data (e.g., entered text, photographs, videos)
- Usage data (e.g., visited websites, interest in contents, access times)
- Meta/communication data (e.g., device information, IP addresses)
Categories of data subjects
Visitors to and users of online services (hereinafter we also refer to data subjects collectively as “users”).
Purpose of processing
- Provision of online services, including their functions and contents.
- Responding to contact inquiries and communication with users.
- Security measures.
- Audience measurement/marketing.
"Personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This term is broadly defined and includes practically every operation with data.
"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Article 13 of the GDPR, we inform you of the legal bases for our data processing. Insofar as the legal basis is not identified in the data protection statement, the following applies: The legal basis for obtaining consent is point (a) of Article 6(1) and Article 7 of the GDPR, the legal basis for processing for the fulfilment of our services, the carrying out of contractual measures and for responding to inquiries is point (b) of Article 6(1) of the GDPR, the legal basis for processing for the fulfilment of our legal obligations is point (c) of Article 6(1) of the GDPR, and the legal basis for processing for the fulfilment of our legitimate interests is point (f) of Article 6(1) of the GDPR. In the case that the vital interests of the data subject or of other natural persons make it necessary to process personal data, point (d) of Article 6(1) of the GDPR serves as the legal basis.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk.
In particular, these measures include the securing of the confidentiality, integrity and availability of data by means of monitoring of physical access to the data and also of monitoring the accessing, entry, forwarding, securing of availability and isolation of individual elements of these data. In addition, we have implemented procedures that ensure adherence to the rights of data subjects, the erasure of data and a reaction to threats to data. Moreover, we shall take into account the protection of personal data already during the development and/or selection of hardware, software and processes in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
Cooperation with processors and third parties
Insofar as we reveal data to other persons or companies (processors or third parties), transfer these data to them or grant them any other access to these data in the course of our processing, this shall occur only on the basis of legal permission (e.g. if transfer of data to third parties such as payment service providers is necessary for fulfilment of a contract in accordance with point (b) of Article 6(1) of the GDPR), if you have granted consent, a legal obligation foresees this or on the basis of our legitimate interests (e.g. when using contractors, web hosters, etc.).
Insofar as we engage third parties to process data on the basis of a so-called “processing contract”, this shall be done on the basis of Article 28 of the GDPR.
Transfer to third countries
Insofar as we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or insofar as this occurs in the course of the use of the services of third parties or the revealing or transfer of data to third parties, this shall only take place if it occurs for the fulfilment of our (pre-)contractual obligations, on the basis of your consent, because of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process data or have them processed in a third country only if the special requirements of Article 44 ff. of the GDPR are in place; i.e., processing is carried out on the basis of special guarantees such as, for example, the officially recognised identification of a level of data protection that corresponds to the EU (e.g. by means of the “Privacy Shield” for the USA) or the adherence to officially recognised special contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and to information about these data, further information and a copy of these data in accordance with Article 15 of the GDPR.
In accordance with Article 16 of the GDPR, you have the right to completion of data concerning you or to the rectification of inaccurate personal data concerning you.
In accordance with Article 17 of the GDPR, you have the right to request the erasure of personal data concerning you without undue delay or, alternatively, in accordance with Article 18 of the GDPR, a restriction of the processing of data.
In accordance with Article 20 of the GDPR, you have the right to receive the personal data concerning you that you have provided to us and to the transmission of these data to other controllers.
In addition, you have the right to lodge a complaint with a supervisory authority in accordance with Article 77 of the GDPR.
Withdrawal of consent
In accordance with Article 7(3) of the GDPR, you have the right to withdraw consent that you have granted, with effect for the future.
Right to object
You can object at any time to the future processing of data concerning you in accordance with Article 21 of the GDPR. In particular, the data subject can object to processing for direct marketing purposes.
Cookies and the right to object for direct marketing
“Cookies” refer to small files that are stored on the computers of users. Various items of information can be stored in these cookies. The primary purpose of a cookie is to store information about a user (or about the device that the cookie is stored on) during or also after the user’s visit to online services. Temporary cookies or “session cookies” or “transient cookies” refer to cookies that are erased after the user has left online services and closed his or her browser. For example, the content of a shopping cart in an online shop or a login status can be stored in a cookie of this sort. Cookies that remain stored after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be stored if users visit online services again after a few days. The interests of users, which are used for audience measurement or marketing purposes, can also be stored in a cookie of this sort. “Third-party cookies” are cookies placed by service providers other than the controller that operates the online services (in other cases, where only the cookies of the controller are concerned, these are referred to as “first-party cookies”).
We can use temporary and permanent cookies, and we provide information about this within the framework of our data protection statement.
If users do not wish cookies to be stored on their computer, they are requested to deactivate the relevant option in the system settings of their browser. Stored cookies can be erased in the system settings of your browser. The rejection of cookies can lead to limitation of the functioning of these online services.
Erasure of data
The data processed by us can be erased or the processing of these data can be restricted in accordance with Articles 17 and 18 of the GDPR. Insofar as this is not explicitly specified in this data protection statement, the data that we store are erased as soon as they are no longer required for their purpose and no legal obligations to keep these data are in conflict with the erasure of the data. If these data are not deleted because they are required for other legally permitted purposes, the processing of these data is restricted. This means that the data will be blocked and not processed for other purposes. For example, this applies to data that have to be kept for reasons relating to trade or tax law.
In line with the statutory requirements in Germany, data are to be kept for 10 years in accordance with § 147 para. 1 of the German Tax Code (AO) and § 257 para. 1 nos. 1 and 4 and para. 4 of the German Commercial Code (HGB) (accounts, records, status reports, accounting records, commercial books, documents relevant to taxation, etc.) and for 6 years in accordance with § 257 para. 1 nos. 2 and 3 and para. 4 of the German Commercial Code (HGB) (commercial letters).
In line with the statutory requirements in Austria, data are to be kept for 7 years in accordance with § 132 para. 1 of the Austrian Federal Tax Code (BAO) (accounting documents, invoices, accounts, business documents, statements of income and expenditure, etc.), for 22 years in connection with plots of land, and for 10 years for documents in connection with electronically provided services and for telecommunications, radio and television services that are provided to non-traders in EU member states and that are used by mini-one-stop-shops (MOSSs).
We process data from applicants solely for the purpose of and as part of the application procedure in accordance with the statutory regulations. Data from applicants are processed to fulfil our (pre-)contractual obligations as part of the application procedure pursuant to point (b) of Article 6(1) of the GDPR and point (f) of Article 6(1) of the GDPR insofar as data processing is necessary for us, for example as part of legal processes (§ 26 of the German Federal Data Protection Act (BDSG) also applies in Germany).
The application procedure requires that applicants provide us with their application data. The necessary application data are marked in cases where we provide an online form, otherwise these data arise in response to job advertisements and generally include information on the persons themselves, postal and contact addresses, and documents such as a cover letter, curriculum vitae, references and certificates that form part of an application. In addition, applicants can voluntarily provide us with further information.
When they send their application to us, applicants grant their consent to the processing of their data for the purposes of the application procedure in accordance with the type and scope specified in this data protection statement.
Insofar as particular categories of personal data pursuant to Article 9(1) of the GDPR are voluntarily provided as part of the application procedure, they shall be processed also in accordance with point (b) of Article 9(2) of the GDPR (e.g. data concerning health such as the existence of severe disability, ethnic origin). Insofar as particular categories of personal data pursuant to Article 9(1) of the GDPR are requested from applicants as part of the application procedure, they shall be processed also in accordance with point (a) of Article 9(2) of the GDPR (e.g. data concerning health if these are necessary for carrying out the position).
Applicants can send their applications to us by means of an online form on our website, if such a form is provided. These data shall be transmitted to us in an encrypted manner in accordance with state-of-the-art technology.
In addition, applicants can transmit their applications to us by e-mail. However, we ask you to consider that e-mails are generally not sent in an encrypted manner and that applicants must themselves ensure that encryption is carried out. For this reason, we can assume no responsibility for the transmission path of the application between the sender and receipt on our server, and we therefore recommend that an online form or post should be preferred. After all, applicants still have the possibility of sending us their application by post as an alternative to the online form and e-mail.
The data made available by the applicants can be further processed by us for the purposes of an employment relationship if the application is successful. In other cases, the data of applicants are erased if their applications for a position are not successful. The data of applicants are also erased if an application is withdrawn; applicants are entitled to withdraw their applications at any time.
Erasure is carried out, subject to the legitimate withdrawal of applicants, after the expiry of a period of six months so that we can answer any follow-up questions on applications and fulfil our documentation obligations that result from the German General Equal Treatment Act. Invoices relating to any reimbursement of travel expenses are archived in accordance with the tax-law requirements.
Users have the option of creating a user account. In the course of registration, users are informed of items of required information that are obligatory and these items are processed on the basis of point (b) of Article 6(1) of the GDPR for the purposes of providing the user account. The data entered in the course of registration are used for the purposes of taking advantage of the user account and its purposes. Users can be informed by e-mail of information that is relevant for their user account, such as technical changes. If users cancel their user accounts, the users’ data relating to the user account are erased, subject to a statutory obligation to archive data. It is the responsibility of users to store their data before the end of the contract if they have cancelled. We are entitled to irrevocably erase all user data stored during the contract duration.
We store the IP address and time of the relevant user action in the course of the use of our registration and login functions and of the use of user accounts. This information is stored on the basis of our legitimate interests, and also protects the user against misuse and other unauthorised use. These data are generally not passed on to third parties unless this is necessary in order to pursue our claims or there is a statutory obligation to do so in accordance with point (c) of Article 6(1) of the GDPR. The IP addresses are anonymised or erased after 7 days at the latest.
Comments and other contributions
If users add comments and other contributions, their IP addresses can be stored on the basis of our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR. This is done for our security in case somebody adds illegal content (insults, forbidden political propaganda, etc.) in their comments and other contributions. In this case, we can be held responsible for the comment or contribution and therefore have an interest in the identity of the contributor.
In addition, we reserve the right to process data entered by users for the purpose of spam detection on the basis of our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR.
The data entered as part of comments and other contributions are stored by us permanently until users object.
Users can subscribe to follow-up comments by granting their consent in accordance with point (a) of Article 6(1) of the GDPR. Users receive a confirmation e-mail to confirm that they are the owner of the e-mail address that was entered. Users can unsubscribe from current comment subscriptions at any time. The confirmation e-mail contains information on methods of withdrawing consent. For the purposes of documenting the consent of users, we store the registration time along with the IP address of users and erase this information when users unsubscribe from the subscription.
You can cancel your delivery of our newsletters at any time, i.e. you can withdraw your consent. We can store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we erase them so that we have documentation of previously granted consent. The processing of these data is restricted to the purpose of defence against any possible claims. An application for individual erasure is possible at all times if the previous existence of consent is confirmed at the same time.
Akismet anti-spam testing
Our online services use the “Akismet” service, which is provided by Automattic, Inc., 60 29th Street #343, San Francisco, CA 94110, USA. This service is used on the basis of our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR. This service helps to differentiate between comments from real people and spam comments. For this purpose, all comment data are sent to a server in the United States, where they are analysed and stored for comparison purposes for four days. If a comment is deemed to be spam, the data are stored beyond this period. These data include the name entered, e-mail address, the IP address, the contents of the comment, the referrer, information on the browser and computer system used, and the time of the entry.
Users are welcome to use pseudonyms or to omit their name or e-mail address. You can completely avoid transmission of data by not using our comment system. This would be a pity, but unfortunately we know of no other alternative that works as effectively.
Accessing of profile pictures using Gravatar
We use the Gravatar service provided by Automattic, Inc., 60 29th Street #343, San Francisco, CA 94110, USA, within our online services and, in particular, for the blog.
Gravatar is a service where users can login and enter their profile pictures and their e-mail addresses. If users add contributions or comments with this e-mail address on other online sites (mainly for blogs), their profile pictures can be displayed alongside their contributions or comments. For this purpose, the e-mail address provided by the user is transmitted to Gravatar in an encrypted manner to check whether a profile has been stored for this e-mail address. This is the sole purpose of transmission of the e-mail address and it is not used for other purposes, but is instead subsequently erased.
Gravatar is used on the basis of our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR, as we offer the writers of contributions and comments the opportunity to personalise their contributions with a profile picture with the aid of Gravatar.
If users do not wish a user picture linked with their e-mail address on Gravatar to appear in their comments, they should use an e-mail address that is not stored with Gravatar when making their comments. In addition, we wish to state that it is possible to use an anonymous e-mail address or no e-mail address if users do not want their own e-mail address to be transmitted to Gravatar. Users can prevent the transmission of data completely by not using our comment system.
Establishing contact with us
When users establish contact with us (e.g. using the contact form, e-mail, telephone or social media), data from the users are processed in handling and dealing with the contact request in accordance with point (b) of Article 6(1) of the GDPR. The data entered by users can be stored in a Customer Relationship Management System (“CRM system”) or in a comparable inquiry organisation system.
We erase inquiries if they are no longer required. We check the necessity for this every two years; the statutory archiving obligations also apply.
Here we provide you with information about the contents of our newsletter, the registration procedure, the delivery procedure, the statistical evaluation procedure, and your rights to withdraw consent. By subscribing to our newsletter, you grant your consent to receiving the newsletter and to the procedures described.
Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter referred to as “newsletters”) only with the consent of the recipients or with statutory permission. If the contents of a newsletter are described in detail in the course of registration for this newsletter, they are binding with regard to user consent. In addition to this, our newsletters contain information about our services and about us.
Double opt-in and logging: Registration for our newsletter involves a so-called double opt-in procedure. This means that after signing up, you receive an e-mail that asks you to confirm your registration. This confirmation is necessary so that nobody can sign up using somebody else’s e-mail address. Registrations for the newsletter are logged so as to document the registration process in accordance with the statutory requirements. This includes the storage of the time of registration, the time of confirmation and the IP address. The changes in your data that are stored by the delivery service provider are also logged.
Registration data: In order to register for the newsletter, it is sufficient if you provide your e-mail address. As an option, we also ask that you provide your name so that we can address you in person in the newsletter.
Sending of the newsletter and the associated measurement of success is carried out on the basis of the consent of the recipients in accordance with point (a) of Article 6(1) and Article 7 of the GDPR in conjunction with § 7 para. 2 no. 3 of the German Unfair Competition Act (UWG) and on the basis of statutory permission in accordance with § 7 para. 3 of the German Unfair Competition Act (UWG) or, if consent is not required, on the basis of our legitimate interests in direct marketing in accordance with point (f) of Article 6(1) of the GDPR in conjunction with § 7 para. 3 of the German Unfair Competition Act (UWG).
Logging of the registration procedure is carried out on the basis of our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR. Our interest focuses on the implementation of a user-friendly and secure newsletter system that serves our business interests and also fulfils the expectations of users, as well as allowing for documentation of consent.
Cancellation/withdrawal of consent – you can cancel your delivery of our newsletters at any time, i.e. you can withdraw your consent. A link to cancel the newsletter can be found at the end of each newsletter. We can store the unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we erase them so that we have documentation of previously granted consent. The processing of these data is restricted to the purpose of defence against any possible claims. An application for individual erasure is possible at all times if the previous existence of consent is confirmed at the same time.
Newsletter – CleverReach
The newsletter is sent by our delivery service provider CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. The data protection conditions of our delivery service provider are available in German at: https://www.cleverreach.com/de/datenschutz/. The delivery service provider is engaged on the basis of our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR and of a processing contract in accordance with Article 28(3) sentence 1 of the GDPR.
The delivery service provider can use the data of the recipients in pseudonymised form, i.e. without the data being assigned to a user, in order to optimise or improve its own service, e.g. for technical optimisation of delivery and presentation of the newsletters or for statistical purposes. However, the delivery service provider does not use the data of our newsletter recipients in order to write to them itself or to pass these data to third parties.
Newsletter – measurement of success
The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is accessed by our server or, if we use a delivery service provider, by its server when the newsletter is opened. As part of this access, technical information such as information on your browser and your system, and also your IP address and the time of access are collected.
This information is used for technical improvement of our service based on technical data or target groups and your reading behaviour based on the access locations (which can be determined with the aid of the IP address). The statistics collected also include whether the newsletter was opened, when it was opened and which links were clicked. This information can be associated with individual newsletter recipients for technical reasons; however, it is not our aim or, if a delivery service provider is used, the aim of the delivery service provider to observe individual users. Instead, we use these evaluations to identify the reading habits of our readers and to adapt our contents for them or to send differing contents that correspond to the interests of our users.
A separate objection to measurement of success is unfortunately not possible; in this case, the entire newsletter subscription must be cancelled.
Hosting and sending of e-mails
The hosting services that we engage are used to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, sending of e-mails, security services and technical maintenance services that we use to run these online services.
In the course of this, we and/or our hosting providers process master data, contact data, content data, contract data, usage data, metadata and communication data of customers, interested parties and visitors to these online services on the basis of our legitimate interests in the efficient and secure provision of these online services in accordance with point (f) of Article 6(1) of the GDPR in conjunction with Article 28 of the GDPR (conclusion of a processing contract).
Collection of access data and log files
We and/or our hosting providers collect data relating to every accessing of the server that this service is located on (so-called server log files) on the basis of our legitimate interests pursuant to point (f) of Article 6(1) of the GDPR. These access data include the name of the website that was accessed, file, date and time of access, amount of data transferred, notification of successful accessing, browser type and version, operating system of the user, referrer URL (the page visited previously), IP address and the requesting provider.
Log file information is stored for a maximum of 7 days for security reasons (e.g. when investigating acts of misuse or fraud) and is then erased. Data that have to be further processed for evidence purposes are excluded from erasure until investigation of the relevant incident has been completed.
Audience measurement with Matomo
As part of audience measurement with Matomo, the following data are processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and commercially viable operation of our online services pursuant to point (f) of Article 6(1) of the GDPR): the browser type and browser version that you use, the operating system that you use, your country of origin, the date and time of the server request, the number of visits, your time spent on the website and the external links that you activated. The IP address of users is anonymised before it is stored.
Users can object at any time to the anonymised collection of data by the Matomo program with effect for the future by clicking the link below. In this case, a so-called opt-out cookie is placed in your browser, which has the effect that Matomo will no longer collect any session data. However, if users delete their cookies, this also causes the opt-out cookie to be deleted and it must then be activated again by the users.
Logs with the data of users are erased after 6 months at the latest.