data privacy protection

Name and address of the controller

The controller in terms of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the:

HMC Hightech Media Components GmbH & Co. KG
Knochenhauerstr. 11
28195 Bremen
Germany
e-mail info@hmcomponents.com

Supervisory authority - German State’s Data Protection Commissioners

The task of the German State’s Data Protection Commissioners (LfD) is to monitor compliance with data protection regulations both by the authorities and other public authorities as well as by commercial enterprises and other non-public bodies in Bremen, thus ensuring the right to informational self-determination.

Responsible authority in :

Die Landesbeauftragte für Datenschutz und Informationsfreiheit
Arndtstraße 1
27570 Bremerhaven
Germany
phone (04 21) 3 61-20 10 or (04 71) 5 96-20 10
fax (04 21) 49 61 84 95
e-mail: office@datenschutz.bremen.de
https://www.datenschutz.bremen.de

General information about data processing

1. Extent of processing personal data

   In principle, we only process our users’ personal data insofar as this is necessary, to provide a functioning website as well as our content and services. The processing of our users’ personal data only takes place on a regular basis with the consent of the user. An exception applies to cases, in which prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

   Insofar as we obtain the consent of the data subject for the processing of personal data, art. 6 sec. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

   In the processing of personal data necessary for the performance of a contract to which the data subject is a party, art. 6 sec. 1 lit. b of the GDPR serves as the legal basis. This also applies to processing operations required to carry out precontractual measures.

   Insofar as the processing of personal data is required to fulfill a legal obligation our company is subject to, art. 6 sec. 1 lit. c of the GDPR serves as the legal basis.

   In the event that vital interests of the data subject or another natural person require the processing of personal data, art. 6 sec. 1 lit. d of the GDPR serves as the legal basis.

   If processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not prevail over the former interest, art. 6 sec. 1 lit. f of the GDPR serves as the legal basis said processing.

3. 3. Collaboration with processors and third parties

   If, in the context of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant access to the data, this will only be done on the basis of legal permission (e.g. if transmission of the data to third parties, such as to payment service providers, is required to fulfill the contract in accordance with art. 6 sec. 1 lit. b of the GDPR), you have consented, a legal obligation stipulates it or based on our legitimate interests (e.g. when using agents, web hosts, etc.).

   If we commission third parties with the processing of data based on a so-called “Agreement on data processing”, this is conducted based on art. 28 of the GDPR.

4. Transfers to third countries

   If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or do this in the context of using third party services or disclosure or transmission of data to third parties, this will only be done if it is to fulfill our (pre)contractual obligations, based on your consent, based on a legal obligation or based on our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the special requirements pursuant to art. 44 ff. of the GDPR are met. That means processing takes place e.g. on the basis of specific guarantees, such as the officially recognised identification of an EU compliant data protection standard (e.g. for the US through the Privacy Shield) or in compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").

5. Data erasure and storage duration

   The data subject’s personal data will be erased or blocked as soon as the purpose of the storage is no longer given. Furthermore, such storage may take place if this is stipulated by the European or national legislative authorities in EU regulations, laws or other regulations to which the controller is subject. Blocking or erasure of the data also takes place if a retention period stipulated by the aforementioned standards expires, unless there is a need for the further storage of the data to conclude a contract or fulfill a contract. The data is blocked and not processed for other purposes. For instance, this applies to data, which must be retained for reasons subject to commercial or tax laws.

   According to legal requirements, retention is, in particular, carried out for 6 years in accordance with § 257 sec. 1 of the German Commercial Code (HGB) (trading books, inventories, opening balance sheets, annual accounts, business letters, accounting records, etc.) and for 10 years in accordance with § 147 sec. 1 of the General Tax Code (AO) (books, records, management reports, accounting records, commercial and business letters, documents relevant to taxation, etc.).

6. Security measures

   We take appropriate technical measures in accordance with art. 32 of the GDPR, taking the best available technology, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons into account and appropriate technical and organisational measures, to ensure a level of protection appropriate for the risk; in particular, measures include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as access it is affected by, input, disclosure, securing availability and its separation. Furthermore, we have established procedures, which ensure data subject rights being able to be exercised, data erasure and a reaction to data vulnerability. Moreover, we already consider the protection of personal data in the development phase or selection of hardware, software as well as procedures, according to the principle of data protection by technology design and by privacy-friendly default settings (article 25 of the GDPR).

   In particular, the encrypted transfer of data between your browser and our server belongs to the security measures. This also applies to the transmission of emails between our server and our clients.

7. Changes and updates to the privacy policy

   We kindly ask you to stay informed regarding the content of our privacy policy. We will adjust the privacy policy as soon as changes in the data processing we conduct require it. We will notify you as soon as the changes require your becoming active (e.g. consent) or other individual notification becomes necessary.

Data subject’s rights

If you your personal data/information is processed, you are a data subject in terms of the GDPR and you are entitled to the following rights vis-á-vis the controller:

1. Right of access by the data subject

   You can request a confirmation from the controller on whether or not we have processed your personal data.

   If your personal data has been processed, you can request to be informed of the following:

   1. the purposes for which the personal data is processed;
   2. the categories of personal data, which are processed;
   3. the recipients or categories of recipients, to whom your personal data was disclosed or will be disclosed;
   4. the planned duration of the storage of your personal data or, if specific information is not available here, criteria for determining the duration of storage;
   5. the existence of a right to rectification or erasure of your personal data, a right to the restriction of processing by the controller or a right to object to such processing;
   6. the existence of the right to lodge a complaint with a supervisory authority;
   7. all available information on the source of the data if the personal data is not collected from the data subject;
   8. the existence of automated decision-making including profiling according to art. 22 sec. 1 and 4 of the GDPR and - at least in these cases - conclusive information the logic involved as well as the scope and intended effects of such processing for the data subject.

   You have the right to request information on whether or not your personal data is transmitted to a third country or an international organisation. In this context, you can request being informed about the appropriate guarantees in accordance with art. 46 of the GDPR in connection with the transmission.

   This right of access can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and the restriction is required to fulfil the research or statistical purposes.

2. Right to rectification

   You have a right to rectification and/or completion vis-á-vis the controller if your processed personal data is incorrect or incomplete. The controller must make the correction without delay.

   Your right to rectification can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and the restriction is required to fulfil the research or statistical purposes.

3. Right to restriction of processing

   You can request a restriction of the processing of your personal data under the following conditions:

   1. if you contest the accuracy of your personal information for a period of time, which allows the controller to review the accuracy of the personal data;
   2. the processing is illegal and you object to the erasure of the personal data and instead, request the restriction of the use of the personal data;
   3. the controller no longer requires the personal data for the purposes of processing however, you require it to assert, exercise or defend legal claims or
   4. if you objected to processing pursuant to art. 21 sec. 1 of the GDPR and it is not yet determined whether the controller’s legitimate reasons override your reasons.

   If the processing of your personal data has been restricted, this data can only be processed - with the exception of its storage - with your consent and for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural person or legal entity or for reasons of a significant public interest of the Union or of a Member State.

   If processing was restricted according to the preceding conditions, you will be informed by the controller before the restriction is lifted.

   Your right to restriction of processing can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and the restriction is required to fulfil the research or statistical purposes.

4. Right to erasure

   1. Obligation to erase

      You can request the controller to immediately erase your personal data and the controller is obligated to You can request the controller to immediately erase your personal data and the controller is obligated to immediately erase said data, provided that one of the following reasons applies:

      1. Your personal data is no longer required for the purposes, for which it was collected or otherwise processed.
      2. You revoke your consent, which was based on processing in accordance with art. 6 sec. 1 lit. a or art. 9 sec. 2 lit. a of the GDPR and there is no other legal basis for processing.
      3. You object to processing in accordance with art. 21 sec. 1 of the GDPR and there are no overriding legitimate reasons for said processing or you object to processing in accordance with art. 21 sec. 2 of the GDPR.
      4. Your personal data was processed illegally.
      5. The erasure of your personal data is required to fulfill a legal obligation under European Union law or the law of the Member States, which the controller is subject to.
      6. Your personal data was collected with regard to the offers of information society services in accordance with art. 8 sec. 1 of the GDPR.

   2. Information to third parties

      If the controller publicised your personal data and is obligated to erase it in accordance with art. 17 sec. 1 of the GDPR, the controller will take appropriate measures taking the available technology and implementation costs into account, including technical means, to inform data controllers, which process the personal data, that you have requested them to erase all links pertaining to this personal data or copies or replications of this person data.

   3. Exceptions

      There is no right to erasure if the processing is required

      1. to exercise the right to freedom of expression and information;
      2. to fulfill a legal obligation required by the law of the European Union or the Member States, which the controller is subject to or to carry out a task in the public interest or is carried out in exercising official authority, which was delegated to the controller;
      3. for reasons of public interest in the field of public health in accordance with art. 9 sec. 2 lit. h and i as well as art. 9 sec. 3 of the GDPR;
      4. for archival purposes of public interest, scientific or historical research purposes or for statistical purposes in accordance with article 89 sec. 1 of the GDPR, to the extent that the law referred to in section a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
      5. to assert, exercise or defend legal claims.

5. Right to information

   If you asserted the right to rectification, erasure or restriction of processing vis-á-vis the controller, the controller is obligated to notify all recipients, to which your personal data was disclosed, of this correction or erasure of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.

   You have the right to request the controller to inform you of these recipients.

6. Right to data portability

   You have the right to receive the personal data you provided to the controller in a structured, prevalent and machine-readable format. You also have the right to transfer this data to another controller without any hindrance by the controller the personal data was made available to, provided that

   1. the processing is based on consent in accordance with art. 6 sec. 1 lit. a of the GDPR or art. 9 sec. 2 lit. a of the GDPR or on a contract in accordance with art. 6 sec. 1 lit. b of the GDPR and
   2. processing is conducted using automated procedures.

   In exercising this right, you also have the right to initiate that your personal data is directly transmitted to another controller by a controller, insofar as this is technically feasible. The freedoms and rights of other persons can not be affected by this.

   The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or which takes place in exercising official authority, which was delegated to the controller.

7. Right to object

   You have the right to object to the processing of your personal data at any time for reasons that arise from your particular situation and which is carried out in accordance with art. 6 sec. 1 lit. e or f of the GDPR; this also applies to a profiling based on these provisions.

   The controller will no longer process your personal data unless it can verify compelling grounds for processing worthy of protection, which override your interests, rights and freedoms or processing serves asserting, exercising or defending legal claims.

   If your personal data is processed to engage in direct advertising, you have the right to object to this processing of your personal data for the purpose of such advertising at any time; this also applies to profiling, insofar as it is associated with such direct advertising.

   If you object to processing for the purpose of direct advertising, your personal data will no longer be processed for these purposes.

   Regardless of Directive 2002/58/EC, you have the option, in connection with the use of information society services, of exercising your right to object using automated procedures, which apply technical specifications.

   You also have the right, for reasons that arise from your particular situation, to object to the processing of your personal data, which takes place for scientific or historical research purposes or for statistical purposes in accordance with art. 89 sec. 1 of the GDPR.

   Your right to object can, insofar, be limited to the extent it is likely to render impossible or seriously affect the realisation of research or statistical purposes and that the restriction is required to fulfil the research or statistical purposes.

8. Right to revoke consent in line with data privacy

   You have the right to revoke your consent in line with data privacy at any time. The revocation of consent does not affect the legality of processing conducted based on consent until the revocation has been effected.

9. Automated individual decision-making including profiling

   You have the right not to be subjected to a decision-making process based solely on automated processing - including profiling - which will have a legal effect on you or which will significantly affect you in a similar manner. This does not apply if the decision

   1. (1) is required for the conclusion or implementation of a contract between you and the controller,
   2. s permissible based on Union or Member State legislation, which the controller is subject to and these statutory provisions contain adequate measures, to safeguard your rights and freedoms and your legitimate interests or
   3. (3) take place with your explicit consent.

   However, these decisions cannot be based on special categories of personal data according to art. 9 sec. 1 of the GDPR, unless art. 9 sec. 2 lit. a or g of the GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.

   Regarding the cases referred to in (1) and (3), the controller will take appropriate measures to uphold the rights and freedoms and your legitimate interests, which at least include the right to obtain the intervention of an individual on the part of controller, to express one’s own position and be heard on contesting the decision.

10. Right to lodge a complaint with a supervisory authority

    Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your abode, place of work or place of alleged violation if you believe, that the processing of your personal data violates the GDPR.

    The supervisory authority the complaint was lodged with must inform the complainant of the status and results of the complaint including the possibility of a judicial remedy in accordance with art. 78 of the GDPR.

Hosting of the website and creation of logfiles

1. Description and scope of data processing

   Our website is hosted by our provider, with whom we have concluded an agreement for data processing. He provides us with infrastructure, storage space on the web server and is responsible for the technical support of the website.

   Each time you access our website, our server automatically collects data and information from the system of the accessing computer.

   The following data will be collected:

   • the IP address of the user,
   • date and time of access,
   • the http request method (GET, POST etc.),
   • the transmission protocol used (http1.0, http1.1 etc.),
   • status information of the server (successful call, redirection etc.),
   • the amount of data transferred,
   • Websites from which the user's system reaches our website,
   • the address of the page accessed, including data transmitted via GET, and
   • information about the browser type and version used as well as the operating system of the user.

   In the event of a security-relevant incident, all headers of the http communication between browser and server as well as the returned content of the server response are logged.

   The data is also stored in the log files of our system. These data are not stored together with other personal data of the user.

2. Legal basis for data processing

   The legal basis for the temporary storage of data and log files is art. 6 sec. 1 lit. f GDPR.

3. Purpose of data processing

   The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session.

   The data is stored in log files in order to ensure the functionality of the website. The data is also used to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

   These purposes also include our legitimate interest in data processing pursuant to art. 6 sec. 1 lit. f GDPR.

4. Duration of storage

   The data will be erased as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data to provide the website, this is the case when the respective session is terminated.

   If the data is stored in log files, this is the case after fourteen days at the latest. Storage beyond this is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the calling client is no longer possible.

5. Possibility of objection and removal

   The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

Contact form and e-mail contact

1. Description and scope of data processing

   A contact form is available on our website, which can be used for electronic contact. If a user makes use of this option, all data entered in the respective input mask will be transmitted to us and stored.

   At the time the message is sent, the following data will also be stored:

   • IP address of the user,
   • date and time of sending.

   Your consent will be obtained for the processing of the data as part of the sending process and reference will be made to this data protection declaration.

   Alternatively, you can contact us via the e-mail address provided. In this case, the personal data of the user transmitted with the e-mail will be stored.

   The data will not be shared with third parties in this context. The data will be used exclusively for the processing of the conversation.

2. Legal basis for data processing

   The legal basis for the processing of the data is art. 6 sec. 1 lit. a GDPR if the user has given his consent.

   The legal basis for processing the data transmitted in the course of sending an e-mail is art. 6 sec. 1 lit. f GDPR. If the purpose of the e-mail contact is to conclude a contract, the additional legal basis for the processing is art. 6 sec. 1 lit. b GDPR.

3. Purpose of data processing

   The processing of the personal data from the input mask serves us exclusively for the processing of the establishment of contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in the processing of the data.

   The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

   The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation ends when it can be inferred from the circumstances that the facts in question have been conclusively clarified.

   The additional personal data collected during the sending process will be deleted after a period of fourteen days at the latest.

5. Possibility of objection and removal

   The user has the possibility to revoke his consent to the processing of personal data at any time.

   If the user contacts us by e-mail, he can object to the storage of his personal data at any time in the same way. In such a case, the conversation cannot be continued.

   In other cases, the objection must be sent to us by e-mail or in paper form (letter).

   In this case, all personal data stored in the course of establishing contact will be deleted.