Privacy policy

Thank you for your interest in our online portal. It is extremely important to us to make sure that your privacy is protected. Detailed information about how personal data is processed in accordance with Article 13 of the General Data Protection Regulation (GDPR) can be found below. If you have any questions or comments about this data protection information, please contact our data protection officer at datenschutz@c-hafner.de or the party responsible for our data processing,

C.Hafner GmbH + Co. KG
Maybachstraße 4
71299 Wimsheim
Germany

Tel.: 07044 90333-0
Fax: 07044 90334-0
E-mail: info@c-hafner.de


Personal data is processed in two categories:

1. For contract implementation and advertising purposes, e.g. for sending out newsletters and advertising mail, we process all necessary data. Data is supplied to external service providers who play a part in implementing a contract (e.g. delivery firms, payment processors) to the extent necessary in each individual case.

2. When you visit our website, a range of information is automatically exchanged between your device and our server. This may include personal data. We use the information gathered in this way to optimise our website or to show advertising in your device's browser.

In this section, you can learn more about the purposes for which personal data is processed, the legal basis for this processing, the legitimate interests that we and some third parties have in processing it and the different categories of recipient to whom it may be supplied.


Data collection and use for the purpose of implementing a contract and opening a customer account

We process personal data for the purpose of implementing a contract and opening a customer account if it is supplied voluntarily when placing an order, when contacting us (e.g. by e-mail or using our contact form) or when opening a customer account. The data being collected can be seen from the different input forms used.

The data concerned is principally the following:
 

  • first name, last name
  • invoice address, delivery address
  • e-mail address
  • invoicing and payment data
  • date of birth, if necessary
  • telephone number, if necessary.
     

The legal basis for the processing of personal data for the purpose of contract implementation is Article 6 (1) (b) GDPR. Upon subscription to our newsletter using an e-mail address, a confirmation e-mail will be sent in accordance with Article 6 (1) (c) GDPR. Once a purchase has been made, we reserve the right, in accordance with Article 6 (1) (f), to send a newsletter containing offers for similar goods, unless explicitly informed otherwise. If contact details are not used for advertising purposes, we are permitted to store the data collected for contract implementation purposes until the end of the statutory or any contractual warranty/guarantee period. On the expiry of this period, we will continue to store contract information that is required by commercial and tax law for the relevant statutory periods. During this period (generally 10 years from conclusion of the contract), data will only be processed again if the tax authorities conduct an audit.

Opening of a customer account is voluntary. The legal basis for opening such an account is consent within the meaning of Article 6 (1) (a) GDPR. Upon request, we are happy to inform customers which data is stored in their account.

In order to fulfil the contract concluded upon making a purchase, the following data processing is also necessary:



Disclosure of data for contract fulfilment and identity and credit checks

We supply e-mail addresses and possibly telephone numbers to the delivery firm we employ if this is necessary for delivery of the goods ordered, and as long as consent has been given either during or after placing an order, so that the firm can contact the customer itself in order to arrange delivery or inform the customer of arrival times.

Consent can be withdrawn at any time by contacting us or the delivery firm. To do this through us, please write to the e-mail or postal address included in our Company Details. If direct contact to our delivery firm is preferred, please write to logistik@c-hafner.de so that we can provide contact details.

For payment processing purposes, we supply the necessary data to the relevant bank and the payment service provider we employ or the payment service provider selected by the customer upon ordering.

We use a payment service provider based outside of the European Union. Personal data is only supplied to this company to the extent necessary for the fulfilment of a contract.

If necessary, we will conduct identity checks, on the legal basis of Article 6 (1) (b) and (f) GDPR, by obtaining information from service providers. This is to protect a customer's identity and prevent attempts to commit fraud at our expense. Our enquiry and the results will be stored together with the corresponding customer account/guest account for the duration of our contractual relationship.
 

Credit checks and scores
If we supply goods before receiving payment, e.g. purchasing on invoice, we reserve the right to protect our legitimate interests by obtaining identity and credit rating information from providers specialising in this area (commercial credit agencies). For this purpose we supply personal data as required for a credit check to the following company/companies:

Creditreform Pforzheim Müller & Schott KG
Maximilianstraße 46
75172 Pforzheim, Germany.

The credit report obtained may include probability figures (credit scores) calculated using scientifically recognised mathematical/statistical methods and based, for example, on address data. We use the information obtained about the statistical likelihood of a payment default in order to make a balanced decision about whether or not to accept an order. The legitimate interests of customers will be protected as required by law.

The legal basis for these information transfers is Art. 6 (1) (b) and Art. 6 (1) (f) GDPR. Data may only be transferred in accordance with these regulations if this is necessary in order to protect legitimate interests of our company or a third party and provided these interests are not overridden by the basic rights and freedoms of those affected to have their personal data protected.

Cases can be stated to the aforementioned credit agency and decisions can be contested.



Data processing for advertising

In accordance with Art. 6 (1) (f) GDPR, the party responsible for processing data for advertising purposes has a legitimate interest in doing so. On this legal basis, we reserve the right to make use of first name, last name, date of birth, street name, postcode and town for the purpose of personalised customer contact. The length of time for which personal data is stored for advertising purposes is determined by whether the storage is necessary for the purpose of targeted advertising. Our general policy is to delete data when no use has been made of it for advertising purposes for two years at the latest.



Own and third-party advertising

If a contract has been concluded or advertising materials requested, the recipient's details will be filed as an existing or potential customer. In such cases names and addresses will be processed in order to send information about new products and services. In pursuit of our legitimate interests, we reserve the right to forward postal addresses to other companies belonging to our group and possibly to selected contract partners so that customers can also be informed about associated products.



Making advertising relevant

To ensure that we only send targeted advertising, we categorise and add additional information to customer profiles. This includes both statistical information and information about an individual (e.g. basic data from the customer profile). As stated, our aim is to only send advertising which is relevant to customer needs.

 

Processing to send out advertising

We have a service provider who sends out advertising for us, and we supply this provider with data for that purpose.



Right to object

Customers are entitled to object to future data processing for the above-mentioned purposes free of charge at any time, separately for each communication channel. To do this, it is sufficient to e-mail or write to the contact address supplied above.

Upon objection, relevant contact addresses will be blocked for any further data processing for advertising purposes. In exceptional cases, advertising may continue to be sent for a short period after the objection has been received as some advertising would already have been in the system and this should not be seen as an indication that the objection has not been acted upon.



Data use when you subscribe to the e-mail newsletter

When subscribing to our newsletter using the double opt-in procedure, we will use the data necessary or supplied separately in order to send the newsletter regularly. In this double opt-in procedure, you enter your e-mail address on the form and we then send a confirmation link. After clicking on the confirmation link, the e-mail address is entered into our e-mail distribution list. E-mail address data will then be processed on the basis of consent as per Art. 6 (1) (a) GDPR. Consent to any further such processing can be withdrawn at any time. Newsletter registration can also be cancelled at any time by contacting us using the contact information supplied in our Company Details or by clicking on the link provided for this purpose at the end of each newsletter.

 

Data use for e-mail advertising without any newsletter subscription and right to object

If an e-mail address is provided when purchasing goods or services, and if permission has not been refused, we reserve the right to pursue our legitimate interests by sending regular offers by e-mail which relate to products from our range similar to those already purchased. The e-mail address will then be processed in accordance with Art. 6 (1) (f) GDPR. Customers can object to the use of their e-mail address at any time by sending us a message using the contact information supplied in our Company Details or by clicking on the link provided for this purpose at the end of each newsletter.



Newsletter processing

We have a service provider who sends our newsletter out for us, and whom we supply with a customer's e-mail address for that purpose.



Tracking in newsletters

In our newsletters, anonymised tracking is carried out by a special tool, purely to determine whether the newsletter has been opened and, if so, how often a link in the newsletter has been clicked on. No other data, especially personal data, is collected.


 

Internet technologies

Use of cookies

In order to ensure a good experience when visiting our website and to enable the use of certain functions, we use so-called "cookies" on some pages. The legal basis for any processing of personal data with these cookies is Art. 6 (1) (f) GDPR. Our interest in optimising our website by this means is legitimate within the meaning of that statutory provision. Cookies are small text files which are installed on a device. Some of the cookies we use are deleted at the end of the browser session, i.e. when the browser has been closed (so-called session cookies). Others remain on the device and enable us to recognise the browser when it visits our website again (persistent cookies). Browser settings can be set to inform the user when cookies are going to be stored on the device, leaving the user free to decide whether to accept them on a case-by-case basis, or to exclude cookie installation in specific cases or in general. If cookies are not accepted, some website functions may be restricted.



Google Analytics

This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so-called "cookies". These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. The storage of Google Analytics cookies and the use of this analysis tool are based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising.

 

IP Anonymization

We have activated the IP anonymization function on this website. This will cause Google to shorten your IP address within member states of the European Union or other signatory states to the Agreement on the European Economic Area before it is transmitted to the United States. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics is not combined with other data from Google.

 

Browser Plugin

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. In addition, you can prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and Google from processing this data by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

 

Objection to data collection

You can prevent Google Analytics from collecting your data by clicking on the following link. An opt-out cookie is set to prevent your information from being collected on future visits to this website: Disable Google Analytics.

For more information on how Google Analytics uses user data, please refer to Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=en.

 

Order processing

We have concluded a contract with Google for order processing and fully implement the strict requirements of the German data protection authorities when using Google Analytics.

 

Demographic characteristics of Google Analytics

This website uses the function "demographic features" of Google Analytics. This allows reports to be generated that contain information about the age, gender and interests of site visitors. This data comes from interest-related advertising by Google and visitor data from third parties. This information cannot be associated with any specific individual. You can deactivate this function at any time via the ad settings in your Google Account or generally prohibit Google Analytics from collecting your data as described under "Objection to data collection".

 

Storage period

Data stored by Google at the user and event level that is linked to cookies, user IDs (e.g. User ID) or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymised or deleted after 14 months. Details can be found under the following link: https://support.google.com/analytics/answer/7667196?hl=en



Targeting

We use the targeting measures listed below in accordance with Art. 6 (1) (f) GDPR. Our purpose in doing this is to ensure that only relevant advertising appears on devices. The distribution of unnecessary or irrelevant advertising material is not intended to cause aggravation.



On-site targeting
Use of web analysis technologies

For the purpose of website analysis, data from this website is collected and stored automatically and then used to create pseudonymised usage profiles. This is done in pursuit of our, on balance, overriding legitimate interest in optimising the presentation of our offering, and cookies may be installed for the purpose. The pseudonymised usage profiles created will never be linked to personal data about the bearer of the pseudonym without the relevant party's separate, express consent. Future data collection and storage can be objected to at any time by clicking on this link. Following an objection, an opt-out cookie will be stored on the device. If cookies are deleted, the user will need to click on the link again. The cookie will be deleted automatically after 30 days.



Re-targeting

We also use Google AdWords re-targeting technologies, and this enables us to tailor our online offering to make it more interesting. For this purpose a cookie will be installed to collect pseudonymised interest data. Using this information, adverts for products/services from our range which are relevant to customers' interests will be displayed on our partners' websites. No direct personal data will be stored, and no usage profiles will be linked to personal data. The relevant cookie will be stored for 30 days and then deleted automatically.



Objections/opt-out

In addition to the aforementioned deactivation methods, the use of the described targeting technologies can be blocked by changing your browser's cookie setting. You can also deactivate preference-based advertising using the preference manager, which can be accessed here.



Social media plug-ins

In accordance with Art. 6 (1) (f) GDPR, we use social plug-ins from the social media providers Facebook, Google+, Xing and YouTube in order to raise our company's profile. This is a form of advertising which qualifies as a legitimate interest within the meaning of the GDPR. Each individual provider is responsible for ensuring that operation of the plug-ins complies with data protection regulations. We use the so-called two-click method for these plug-ins to ensure the best-possible protection for visitors to our website.



Facebook

Our website uses Facebook plug-ins supplied by Facebook Inc. They are marked with a Facebook logo or have "Like" and/or "Share" buttons. A list of Facebook plug-ins, showing what they look like, can be found by clicking on the following link. When such a plug-in is activated (first click), the browser will establish a direct connection with Facebook's servers. The content of the plug-in will be sent directly to the browser by Facebook and integrated into the relevant page. By means of this integration, Facebook will learn that the browser has accessed the relevant page on our website, even without a Facebook profile or one that is inactive at the time. This information (including the IP address) will be sent by the browser directly to a Facebook server in the USA and stored there. If the user is logged into Facebook, Facebook will be able to link the visit to our website directly with the user's Facebook profile. If plug-ins have been interacted with, for example by pressing the "Like" button, this information will likewise be sent directly to a Facebook server and stored there. The information will also be published as part of the user's Facebook profile and shown to all Facebook friends.

For information about the scope and purpose of this data collection, processing and use by Facebook and related rights and setting options to protect privacy, please see Facebook's data protection information. If the customer does not wish Facebook to link the collected information regarding the customer's website visit directly to their Facebook profile, the customer must log out of Facebook prior to accessing the website.



YouTube with enhanced data protection

Our website uses plugins from the YouTube website. The website is operated by Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in advanced privacy mode. According to YouTube, this mode means that YouTube does not store any information about visitors to this website before they view the video. However, YouTube's enhanced privacy mode does not necessarily preclude the sharing of information with YouTube partners. YouTube connects to the Google DoubleClick network whether or not you're watching a video.

When you start a YouTube video on our site, it connects to YouTube's servers. This will tell the YouTube server which of our pages you've visited. If you are logged in to your YouTube account, you can allow YouTube to associate your surfing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.

In addition, YouTube may store various cookies on your device after you start a video. YouTube can use these cookies to obtain information about visitors to our website. This information is used, among other things, to collect video statistics, improve usability and prevent fraud. The cookies remain on your device until you delete them.

If necessary, after the start of a YouTube video, further data processing operations may be triggered over which we have no control.

YouTube is used in the interest of an appealing presentation of our online services. This constitutes a legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR.

Further information on data protection at YouTube can be found in its data protection declaration at: https://policies.google.com/privacy?hl=en.

 

Web Fonts

For the consistent display of fonts, this site uses so-called web fonts provided by Google and Monotype Imaging Inc., 600 Unicorn Park Drive, Woburn, Massachusetts 01801 USA. When you visit a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to the Google and Monotype servers. When this happens, the providers are informed that our website was accessed via your IP address. The use of Google and Monotype web fonts is in the interest of presenting our online offerings in a consistent and aesthetically pleasing way. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) of the GDPR.

If your browser does not support web fonts, your computer will use a standard font. You can find further information at https://developers.google.com/fonts/faq and in Google's privacy policy: https://policies.google.com/privacy?hl=en-GB&gl=de.
https://www.fonts.com/
https://www.monotype.com/legal/privacy-policy/website-use-privacy-policy/

 

Recipients outside of the EU

With the exception of the processing described under the headings of Internet technologies and Social media plug-ins, we do not supply your data to recipients registered outside of the European Union or the European Economic Area. The aforementioned processing entails the transmission of data to servers operated by the tracking/targeting technology providers used by us. These servers are located in the USA. Transmission takes place in accordance with the principles of the "privacy shield" and standard contract clauses formulated by the EU Commission.



Your rights

In addition to the right to revoke consents given, the following additional rights can be exercised if the relevant statutory conditions are fulfilled:
 

  • right to receive information about personal data stored by us in accordance with Art. 15 GDPR; in particular, information about the purposes of the data processing, the category of personal data, the categories of recipients to whom data has been or will be disclosed, the planned storage period and the source of data if it was not collected directly can be obtained by the customer,
     
  • right to amend incorrect data or to complete accurate, but incomplete data in accordance with Art. 16 GDPR,
     
  • right to have the data we hold about you deleted in accordance with Art. 17 GDPR, as long as this is not contrary to any statutory or contractual retention periods or other legal obligations/rights requiring continued storage,
     
  • right to restrict the processing of data in accordance with Art. 18 GDPR, if the accuracy of the data is disputed, if the processing is illegitimate but the customer does not want the data to be deleted, if the party responsible no longer needs the data but the customer requires it in order to enforce, exercise or defend legal rights/claims, or if the customer has objected to the processing in accordance with Art. 21 GDPR,
     
  • right to data portability in accordance with Art. 20 GDPR, i.e. the right to have selected stored data sent in a commonly used, machine-readable format, or to demand its transmission to another responsible party,
     
  • right to complain to a regulatory authority; the regulatory authorities responsible for the customary place of residence or place of work, or our registered place of business can, in general, be approached.
     


Right to object

Subject to the conditions of Art. 21 (1) GDPR, the processing of data may be objected to on grounds arising out of the particular circumstances of the person affected.

The aforementioned general right to object applies to all of the purposes of processing in accordance with Art. 6 (1) (f) GDPR described in this data protection information. In contrast to the special right to object which applies in the case of data processing for advertising purposes, we are only obliged to implement such a general objection if overriding reasons have been supplied (e.g. possible danger to life or health). Another option is to contact the regulatory authority responsible for us or our data protection officer.


Data security

All data personally supplied, including payment details, are transmitted by means of the generally used, safe SSL (Secure Socket Layer) standard. SSL is a secure, tried-and-tested standard which is also used, for example, in online banking. One method by which the safe SSL connection can be checked is to look for the "s" added to the "http" (thus "https://...") or a padlock symbol in the browser's address bar.

We also implement appropriate technical and organisational security measures to protect your personal data stored by us against manipulation, partial or complete loss and unauthorised third-party access. These security measures are constantly improved in line with technological developments.