Thank you very much for your interest in our company. Data protection is a particularly high priority for the management of GWF AG. You can browse GWF AG’s website without having to provide any personal data. Nonetheless, if you, as a data subject wish to take advantage of our website’s special enterprise services, processing of your personal data could become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally seek to obtain a data subject’s consent.
The processing of any personal data by GWF AG, such as a data subject’s name, address, email account, or telephone number, will always be in compliance with data protection and privacy legislation applicable to the country. Our company would like to provide the public through this privacy policy with information about the nature, scope and purpose of the personal data we collect, use and process. In addition, it informs data subjects of their rights.
As the controller within the meaning of the General Data Protection Regulation, GWF AG has taken numerous technical and organisational measures to ensure the most complete protection of the personal data processed through this website. Nevertheless, data transmitted over the internet will always be vulnerable to security breaches, so protection can never be absolutely guaranteed. Therefore, any data subject is free to use alternative means, such as the telephone, to provide his or her personal data to us.
1. Definitions
The terms found in European directives and regulations implementing the General Data Protection Regulation (GDPR) are used in GWF AG’s privacy policy. It should be easy for the public, as well as for our customers and business partners, to read and understand. In order to ensure this, we would like in advance to explain the terms used here.
Besides others, the terms below are used in this privacy policy:
Personal data
Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject
Any identified or identifiable natural person whose personal data are processed by the controller.
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Restriction of processing
Marking of stored personal data with the aim of limiting their processing in the future.
Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation
Processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller
Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.
Processor
Natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient
Natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
Third party
Natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is
GWF AG
Obergrundstrasse 119
6005 Luzern
Switzerland
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf.ch
GWF Technologies GmbH
Gewerbestrasse 46f
87600 Kaufbeuren
Germany
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf-technologies.de
GWF Labs GmbH
Bernd-Rosemeyer-Str.10
30880 Laatzen
Germany
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf-labs.de
GWF Österreich GmbH
Felberstrasse 80
1150 Wien
Austria
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf-group.com
GWF Ltd
Studio 5, Capability House
Wrest Park, Silsoe,
Bedford, MK45 4HR
England
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf-group.com
GWF Labs MIKE
Ganas & Ganas Building Complex
9th Km Thessaloniki-Thermi
GR-57001 Thermi
Greece
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf-labs.gr
GWF Sp. z o. o.
ul. Wybieg 7,
61-315 Poznan
Poland
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf-group.com
GWF USA, INC.
P.O. Box 772817
Ocala, Florida 34477
USA
T +41 41 319 51 56
M +41 79 841 20 90
dataprotection@gwf-group.com
www.gwf-group.com
3. Cookies
GWF AG’s website uses cookies. Cookies are text files stored on a computer system through an internet browser.
Cookies are used by many websites and servers. Many of them contain a so-called “cookie-ID”. A cookie ID uniquely identifies each cookie. It contains a distinctive character string assigning websites and servers to the specific browser in which the cookie was stored. This enables visited websites and servers to distinguish the data subject’s browser from other internet containing other cookies. Unique cookie IDs can identify and recognise a specific internet browser.
Through the use of cookies, GWF AG can provide visitors to its website with more user-friendly services that without them would not be possible.
Cookies optimise the information and what we offer on our website in the interests of its users. As earlier mentioned, they enable us to recognise who is visiting it. Recognising visitors makes it easier for them to use our website. For example, anybody visiting it that uses cookies does not have to re-enter access data each time he or she visits it because the website does this with the cookie stored in the visitor’s computer system. Another example is the shopping basket cookie found in online shops. The shop’s cookie remembers what a customer has placed in the virtual shopping basket.
Data subjects can at any time disable our website’s placing of cookies with the appropriate setting on the browser they use, thus permanently objecting thereto. In addition, cookies may be deleted at any time with the browser or other software programmes. Any common internet browser can do this. But not all of the functions of our website may be fully usable if a data subject disables cookie settings on his or her browser.
4. Recording of general data and information
Anytime a data subject or an automated system calls up GWF AG’s website, it records a range of general data and information, which is then stored in the server’s log files. The following data may be collected: (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called “referrers”), (4) sub-websites accessed via the accessing referrer on our website, (5) date and time of access to the website, (6) an internet protocol address (IP address), (7) the accessing referrer’s internet service provider, and (8) other similar data and information to avert danger were our information technology system to be attacked.
GWF AG draws no conclusions about the data subject from these general data and information. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimise our website content as well as advertise it, (3) ensure the long-term viability of our information technology systems and website technology; and (4) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, GWF AG anonymously analyses collected data and information statistically and with the aim of increasing our company’s data protection and data security capabilities in order to ensure an optimal level of protection for the personal data we process. Anonymous data in the server log files are stored separately from any personal data a data subject provides.
5. Subscribing to our newsletter
Visitors to the GWF AG website have the opportunity to subscribe to our company newsletter. When you subscribe to our newsletter, whatever personal data are transmitted to the controller is determined by the input mask used for this purpose.
GWF AG communicates at regular intervals what it offers to its customers and business partners. In principle, data subjects only receive the company newsletter (1) if they have a valid email address and (2) they have registered to receive the newsletter. For legal reasons, a confirmation email will be sent to the email address entered by the data subject when the newsletter is sent for the first time, using double opt-in. The confirmation email checks whether the data subject, in this case the email address holder, has authorised receipt of the newsletter.
When a data subject registers for the newsletter, GWF AG stores the IP address for the data subject’s computer assigned by the internet service provider (ISP) and the date and time of registration. The collection of these data is necessary in order to trace any possible misuse of the data subject’s email address at a later date and serves as a legal safeguard for the controller.
The personal data collected when a data subject subscribes to the newsletter is used solely for sending it. In addition, an email could be sent to subscribers of the newsletter if this is necessary in order to operate the newsletter service or for any related registration, should there be changes to how the newsletter is offered or because of technical circumstances. No personal data collected as part of the newsletter service will ever be passed on to third parties. The subscription to our newsletter can be cancelled by the data subject at any time. Consent to the storage of personal data a data subject has provided us for sending the newsletter can be revoked at any time. A link to unsubscribe can be found in each newsletter for the purpose of revoking consent. It is furthermore possible to unsubscribe from the newsletter at any time either directly from the controller’s website or by communicating to the controller in another way.
6. Newsletter tracking
GWF AG’s newsletter contains tracking pixels. These are miniature graphics embedded in emails sent in HTML format to enable log file recording and analysis. They allow the success or failure of online marketing campaigns to be statistically evaluated. An embedded tracking pixel lets GWF AG recognise whether and when a data subject has opened an email and which links therein were called up by him or her.
Such personal data collected by tracking pixels in the newsletters are stored and analysed by the controller in order to optimise dispatch of the newsletter and to better adapt the content of future newsletters to the data subject’s interests. They will not be passed on to third parties. Data subjects are entitled to use the double opt-in at any time to revoke the separate declaration of consent they have given. Once consent has been revoked, the controller will delete these personal data. Unsubscribing from GWF AG’s newsletter is automatically considered a revocation of consent.
7. Contacting through the website
The law requires GWF AG’s website to contain information that allows quick electronic contact to our company and direct communication with us, which also includes a general email address. Any personal data that are transmitted by a data subject either emailing the controller or using a contact form will be automatically stored. Such personal data the data subject voluntarily provide to the controller will be stored for the purposes of processing or contacting him or her. These personal data will not be passed on to third parties.
8. Routine deletion and blocking of personal data
The controller will process and store a data subject’s personal data only for the time necessary for storage purposes or required by European Union directives and regulations, or other legislation or regulations to which the controller is subject.
If the purpose for storing the personal data no longer applies or if the storage period prescribed in European directive, regulations or legislation expires, the personal data will be routinely blocked or deleted in accordance with statutory provisions.
9. Rights of data subjects
Right of confirmation
Every data subject has the right, granted by European Union directives and regulations, to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Any data subject wishing to exercise the right of confirmation may, at any time, contact an employee of the controller.
Right of access
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, to obtain any time, free of charge, access to personal data relating to him or her which have been stored and a copy of them. In addition, European Union directives and regulations grant data subjects access to the following information:
- The purpose of the processing
- The categories of personal data concerned
- The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- The right to lodge a complaint with a supervisory authority
- Where the personal data are not collected from the data subject, any available information as to their source
- The existence of automated decision making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Data subjects additionally have the right to be informed whether personal data have been transferred to a third country or to an international organisation. If so, they have the right to be informed of the appropriate safeguards relating to the transfer.
Any data subject wishing to exercise the right of access may, at any time, contact an employee of the controller.
Right to rectification
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, to request the immediate rectification of any inaccurate personal data concerning them. Furthermore, he or she has the right, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of providing a supplementary statement.
Any data subject wishing to exercise the right to rectification may, at any time, contact an employee of the controller.
Right to erasure (‘right to be forgotten’)
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and insofar as the processing is not necessary:
- The personal data are no longer necessary in relation to such purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to Art. 6(1)(a), or Art. 9(2)(a) of the GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) of the GDPR.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) of the GDPR.
If one of the aforementioned reasons applies, and a data subject wishes to arrange for the erasure of personal data stored by GWF AG, he or she may, at any time, contact an employee of the controller. Any person employed by GWF AG will ensure that the personal data are erased without delay.
Where GWF AG has made personal data public and it, as the controller, is obliged to delete them pursuant to Art. 17(1) of the GDPR. GWF AG, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, those personal data, unless the processing is necessary. An employee of GWF AG will arrange for the necessary action to be taken in individual cases.
Right to restriction of processing
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Art. 21(1) of the GDPR and pending the verification whether the legitimate grounds of the controller override those of the data subject.
Provided that one of the above conditions is met and the data subject wishes to request the restriction of the processing of his or her personal data stored by GWF AG, he or she may, at any time, contact an employee of the controller. An employee of GWF AG will arrange for the restriction of processing.
Right to data portability
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format. In addition, he or she has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Art. 6(1)(a), or Art. 9(2)(a) of the GDPR or on a contract pursuant to Art. 6(1)(b) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
When the data subject exercises his or her right to data portability pursuant to Art. 20(1) of the GDPR, he or she has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided this does not affect the rights and freedoms of others.
Data subjects may contact an employee of GWF AG at any time to assert their right to data portability.
Right to object
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, to object on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on Art. 6(1)(e) or (f) of the GDPR, including profiling based on those provisions.
If the data subject objects, GWF AG will no longer process his or her personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where GWF AG processes personal data for direct marketing purposes, data subject will have the right to object at any time to the processing of their personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where a data subject objects to GWF AG processing his or her personal data for direct marketing purposes, the company will no longer process them for such purposes.
In addition, a data subject has the right, on grounds relating to his or her particular situation, to object to GWF AG processing personal data concerning him or her for scientific or historical research or statistical purposes pursuant to Art. 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out for reasons of public interest.
Data subjects may directly contact an employee of GWF AG or other staff at any time to exercise their right to object. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, a data subject may exercise his or her right to object by automated means using technical specifications.
Automated individual decision-making, including profiling
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or performance of, a contract between the data subject and a data controller; or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (3) is based on the data subject’s explicit consent.
If the decision (1) is necessary for entering into, or performance of, a contract between the data subject and a data controller; or (2) based on the data subject’s explicit consent, GWF AG will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Any data subject wishing to exercise rights concerning automated decision-making may, at any time, contact an employee of the controller.
Right to revoke consent under data protection laws
Every data subject whose personal data are being processed has the right, granted by European Union directives and regulations, to revoke consent to the processing of his or her personal data.
Any data subject wishing to exercise his or her right to revoke consent may, at any time, contact an employee of the controller.
10. Data protection for job candidates and in the application process
When handling applications, the controller collects and processes the personal data of applicants. Applications can be likewise processed electronically. This is especially the case where a candidate submits an application to the controller electronically, for example by emailing it or using the web form located on the website. The transmitted data will be stored and, if the controller concludes an employment agreement with the candidate, then processed in compliance with statutory provisions when he or she is accepted for the job. If no contract is concluded between the controller and the candidate, the application files will be automatically deleted two months after the candidate has been sent a rejection letter, unless otherwise justified by the controller. In this sense, other legitimate interest means, as an example, the duty to provide evidence when the controller has the burden of proof in proceedings conducted under the German General Equal Treatment Act (AGG).
11. Privacy policy on the use and application of Google Analytics (anonymisation function enabled)
The controller has integrated the Google Analytics component (with the anonymisation function) on this website. Google Analytics is a web analytics service. Web analytics is the collection, gathering, and analysis of data on the behaviour of visitors to websites. A web analysis service collects, among other things, data about the website from which a data subject has come (the so-called “referrer”), which sub-pages of the website have been visited, and how often and for what duration a sub-page has been viewed. Web analytics are mainly used for the optimisation of a website and in order to carry out a cost-benefit analysis of internet advertising.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States.
The controller uses “_gat._anonymizeIp”, a web analytics application from Google Analytics. By means of this application, the IP address of the data subject’s internet access will be shortened and anonymised by Google if the access to our website is from a Member State of the European Union or from another contracting State to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse visitor flows on our website. Among other things, Google uses the data and information obtained to evaluate the use of our website, to compile for us online reports showing the activities on our pages, and to provide other services related to the use of the website.
Google Analytics places a cookie on the data subject’s information technology system. There is an explanation above of what cookies are. Placing the cookie in the system enables Google to analyse the use of our website. Each time a data subject accesses one of the pages on this website, operated by the controller on which a Google Analytics component has been integrated, the component automatically triggers the browser on the data subject’s information technology system to transmit data to Google for online analysis. This technical procedure enables Google to obtain knowledge of personal data, such as the data subject’s IP address, which Google uses, among other things, to trace the origin of visitors and clicks and subsequently to calculate commissions.
The cookie stores personal information, such as access time, the location from which the access originated, and the frequency of visits to our website by the data subject. With each visit to our website, such personal data, including the address the data subject used to access the internet, will be transmitted to Google in the US. These personal data are then stored by Google there. Google may share such data collected through the technical process with third parties.
Data subjects can at any time disable our website’s placing of cookies, as already outlined above, with the appropriate setting on the browser they use, thus permanently objecting thereto. Setting the browser in this way would also prevent Google Analytics from placing a cookie on the data subject’s information technology system. In addition, cookies already placed by Google Analytics may be deleted at any time with the browser or other software programmes.
Data subjects also have the option to object to the collection of data generated by Google Analytics related to the use of this website, as well as to the processing of these data by Google and to prevent such processing. To do so, the data subject must download and install a browser add-on by clicking on https://tools.google.com/dlpage/gaoptout. This browser add-on tells Google Analytics through JavaScript that no data and information regarding visits to webpages may be transmitted to Google Analytics. The installation of browser add-ons is considered by Google to be an objection. If the data subject’s information technology system is later deleted, formatted, or newly installed, then he or she has to reinstall the browser add-ons in order to disable Google Analytics. If the browser add-on was uninstalled or disabled by the data subject or another person within his or her control, there is the option of reinstalling or reactivating it.
Further information and Google’s applicable privacy policy can be retrieved at https://www.google.de/intl/de/policies/privacy/ and http://www.google.com/analytics/terms/de.html. Google Analytics is explained in more detail at https://www.google.com/intl/de_de/analytics/
12. Legal basis for processing
Art. 6(I)(a) of the GDPR serves as the legal basis for our company’s processing operations wherein we obtain consent for a specific processing purpose. Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, such as processing operations necessary for the supply of goods or the provision of any other service or consideration, the processing is based on Art. 6(I)(b) of the GDPR. The same applies to such processing in order to take steps prior to the entering of a contract, such as when there are enquiries about our product and services. If our company is required to process personal data in order to comply with a legal obligation for which it is subject, such as compliance with tax obligations, the processing is based on Art. 6(I)(c) of the GDPR. In rare cases, the processing of personal data might be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for instance, were a visitor to our company to be injured and his or her name, age, health insurance data or other vital information would have to be passed to a physician, hospital or other third party. Then the processing would be based on Art. 6(I)(d) of the GDPR.
Finally, processing operations could be based on Art. 6(I)(f) of the GDPR. The legal basis for processing operations not covered by any of the others mentioned above would be this provision of the GDPR if the processing is necessary for the purposes of the legitimate interests pursued by our company or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing operations by us are legally permissible because they have been specifically mentioned by a legislative authority. In this respect, the authority took the view that a legitimate interest could be assumed if the data subject is a client of the controller (second sentence of Recital 47 GDPR).
13. Legitimate interests pursued by the controller or a third party
Where the processing of personal data is based on Article 6(I)(f) of the GDPR, our legitimate interest is the conduct of our business activities for the well-being of our employees and our shareholders.
14. Duration for which personal data will be stored
The criterion used to determine the period for storing personal data is the respective statutory retention period. Upon the period’s expiration, the corresponding data are routinely deleted unless they are necessary for the fulfilment or initiation of a contract.
15. Legal or contractual requirements to provide personal data, requirement necessary to enter into a contract, obligation of a data subject to provide personal data, and possible consequences from failure to provide the personal data
We clarify that the provision of personal data is partly required by law (e.g. fiscal regulations) or can also result from contractual provisions (e.g. information about the partner in the contract).
Sometimes it may be necessary, in order to conclude a contract, for the data subject to provide us with personal data that would have to be subsequently processed by us. For example, data subjects are obliged to provide us with their personal data when our company signs a contract with them. Failure to provide personal data would mean that no contract with them could be concluded.
A data subject would be required to contact an employee before he or she could provide personal data. Then our employee would clarify to the data subject whether the law or contract requires the provision of the personal data, or if they are necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and the consequences of the data subject’s failure to provide the personal data.
16. Existence of automated decision-making
As a responsible company, GWF MessSysteme AG does not use either automatic decision-making or profiling.