Sto data protection notice
This privacy statement explains how we process your personal data (hereinafter referred to as “data”).
1. Data controller
In accordance with the provisions in the General Data Protection Regulation (GDPR), the data controller is:
Sto SE & Co. KGaA
D-79780 Stühlingen
Tel.: +49 77 44 57-0
2. Contact details for our data protection officer
Matthias Rosa, external data protection officer
Am Winterhafen 78
3. General information on data processing
We process data as part of our business and website activities.
This includes disclosing data by transferring it to third parties and, where applicable, to non-member countries outside the European Union (hereinafter referred to as the “EU”) and the European Economic Area (hereinafter referred to as the “EEA”). In cases where we transfer data to parties or locations outside the EU or EEA, we identify this as outlined below.
4. Data processing
The specific items of data affected, purposes of processing, legal bases, recipients, and, where applicable, transfers to non-member countries are listed below:
a) Log file from website visit
We log your visit to our website. As part of this, we process:
• The name(s) of the page(s) on our website that you visited
• The date and time of your visit
• The quantity of data transferred
• The browser type you used and its version
• The operating system you used
• The referrer URL (the website you visited before ours)
• Your IP address
• The requesting provider
The legal basis for this data processing is our overriding legitimate interest in the ongoing provision and security of our website, in accordance with Article 6(1) f) of the GDPR.
The log file is deleted after a period of seven days unless it is required to provide evidence of or verify actual legal infringements that become known during this period.
To maintain our online presence, we use the services of web hosting providers, which process all the aforementioned data associated with the operation of this website (log file of website visit) on our behalf.
The legal basis for this data processing is our overriding legitimate interest in the provision of our website, in accordance with Article 6(1) f) of the GDPR.
c) Establishing contact
If you establish contact with us, we will process the following data for the purposes of dealing with your request: your name, your contact details (if you provide them), and your message.
The legal basis for this data processing is our obligation to perform a contract and/or fulfil the obligations that apply to us prior to entering into a contract, in accordance with Article 6(1) b) of the GDPR, and/or our overriding legitimate interest in processing your request, in accordance with Article 6(1) f) of the GDPR.
d) Establishing contact in the case of job applications
If you establish contact with us in order to submit an application for employment with us – by e-mail or using a contact form, for example – the data that you have submitted (such as your name, e-mail address, and requested employment location), your message, and the application documents you have submitted will be processed exclusively for the purpose of dealing with your application.
The primary legal basis for this data processing is Section 26 of the BDSG (German Federal Data Protection Act), which states that data that is required in order to make a decision about entering into an employment relationship may be processed.
Should this be necessary on completion of the application process (as part of legal proceedings, for example), data processing to safeguard our legitimate interests is permitted according to Article 6(1) f) of the GDPR, specifically to pursue and/or defend a claim.
e) Contract performance and data management as part of our service provision
We process various items of data when providing our services and for the purposes of initiating and processing contractual relationships between you and us.
If you have assigned us to provide a service, we will process your data (name, contact details, and address, where provided) and all the information required to perform this assignment exclusively for the purpose of handling the contractual relationship.
In particular, this includes consulting services and support, correspondence with you, invoicing, and fulfilling our accounting and tax-related obligations.
Accordingly, the data will be processed on the basis of Article 6(1) b) of the GDPR and for the purpose of complying with our legal obligations in accordance with Article 6(1) c) of the GDPR.
Your data may be passed on to third parties where necessary for the purposes of processing the assignment.
In particular, this may include passing data on to supervisory authorities for correspondence purposes and in order to assert and defend your rights.
In doing so, we will put all suitable measures in place to ensure that personal data is only transferred to the extent necessary for the underlying purpose.
We offer you the option of receiving an e-mail newsletter so that we can share regular information about our company and our offers with you. If you subscribe to our newsletter, we will process the data you provide when doing so (e-mail address and other information shared voluntarily). To prevent abuse, once you have subscribed, we will send you an e-mail asking you to confirm your subscription (double opt-in procedure). Your subscription is logged so that we can verify that the subscription process complies with legal requirements. The data that is logged as part of this is the point in time at which you subscribed and confirmed, and your IP address.
The legal basis for sending the newsletter is your consent in accordance with Article 6(1) a) of the GDPR. The legal basis for processing the data connected with sending the confirmation e-mail for your subscription and for the related data logging process is our legitimate interest in verifying that your subscription is correct, in accordance with Article 6(1) f) of the GDPR.
In order to send the newsletter, we use service providers to which we transfer the data referred to above.
g) Personalized newsletter
If you agree to this in advance, you will receive a newsletter from us with individualized content.
Through the use of the newsletter, we receive information about when an e-mail was opened. Furthermore, we analyse your user behaviour by determining which links you clicked on in the newsletter. We use this information to further tailor the content of our newsletter to your individual interests.
The legal basis for sending the newsletter is your consent in accordance with Art. 6 (1) a) of the GDPR.
Our website uses what are known as cookies. These are small text files that are stored on your device (PC, smartphone, tablet, etc.) by your web browser.
We also use optional cookies that provide us with additional information for the purposes of analysing data traffic or conducting advertising and marketing, for example.
The cookies that we use remain on your device for different durations:
Session cookies: These cookies are deleted from your device immediately after you close your web browser.
Permanent cookies: These cookies remain on your device even after you have closed your web browser, and enable us to do things like recognise you the next time you visit our website.
(3) Party cookies
First-party cookies refer to cookies that are set directly by us. Third-party cookies, on the other hand, are set by third-party websites when displaying content, for example (advertisements, images, tracking pixels, etc.).
(4) Legal basis for data processing
Fundamentally, the legal basis for processing data by means of cookies is your consent in accordance with Article 6(1) a) of the GDPR or our overriding legitimate interest in optimising and establishing functions on our web presence in accordance with Article 6(1) f) of the GDPR.
(5) Withdrawal and objection
In cases where data is processed on the basis of your consent, you may withdraw your consent (opt out) with effect for the future at any time. In cases where data is processed on the basis of our legitimate interest, you may object to any further data processing with effect for the future. To do this, you can use the options in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
You can find more information about objecting to data processing in section 6 b) of this privacy statement.
(6) Cookie settings in your browser
• Mozilla Firefox: https://support.mozilla.org/en/kb/
• Internet Explorer: https://support.microsoft.com/en-gb/help/17442/
• Google Chrome: https://support.google.com/accounts/
• Opera: http://www.opera.com/en/help
• Safari: https://support.apple.com/kb/PH17191?
(7) Our cookies
Our cookie settings provide additional information on the specific cookies we set, the purposes of doing so, and the duration for which the cookies remain on your device. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
i) Consent banner from Cookie Information
So that we can document your selections relating to certain data processing procedures and communicate this information to third-party providers, our website uses the Cookie Information service (hereinafter referred to as “Cookie Information”) provided by Cookie Information A/S, Kristen Bernikows Gade 4, 1105 Copenhagen K, Denmark. Cookie Information uses the data processing procedures you select and communicates this information to third-party providers as appropriate.
This data processing is carried out in order to fulfil our legal obligation to process data in a way that is compliant with data protection requirements, in accordance with Article 6(1) c) of the GDPR.
You can find more information about how Cookie Information processes data at: https://cookieinformation.com/cookie-and-privacy-policy
(1) Google services
Our website uses various services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). As part of this, there is the potential for data to be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA. When transferring data, the safeguarding of an appropriate level of data protection is ensured through the use of standard contractual clauses.
These can be found here: https://policies.google.com/privacy/frameworks?hl=de&gl=de
(2) Google Analytics
Our website uses the tracking tool Google Analytics in order to analyse your use of the website. This makes it possible to compile reports about activity on our web presence, provide further services associated with use of the website, and improve user-friendliness as a result.
The use of Google Analytics primarily involves using cookies to collect data about and systematically evaluate interactions by users of our website.
You can find details of the cookies we use in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
We use Google Analytics with the “anonymizeIp()” extension. This truncates IP addresses within member states of the EU or EEA. If data is transferred to Google servers in the USA, the complete IP address is only transferred and truncated there in exceptional cases. In most cases, this prevents the possibility of the data being used to directly identify an individual person. In particular, it makes it impossible to link the data to the computer or other device that the visitor to the website used.
Google Analytics processes the following data:
• Three bytes from the IP address of the system used by the website visitor (anonymised IP address)
• The website visited
• The website from which users access our website (referrer)
• The individual pages visited on our website
• The duration for which users remain on the website
• The frequency with which the website is visited
Google has itself stated that it will never combine your IP address with other Google data.
The legal basis for this data processing is your prior consent in accordance with Article 6(1) a) of the GDPR.
(3) Withdrawing your consent
You can withdraw your consent with effect for the future at any time. To do this, you can use the options in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website. You can also amend these settings at http://www.google.com/ads/preferences.
Please also note the supplementary information about Google’s use of data in the Google Partner Network, which is available here: http://www.google.com/intl/en-gb/policies/privacy/partners/
k) Google Remarketing/Retargeting
We use so-called tracking cookies from Google on our website. When you visit our site, permanent cookies are used to store information about the websites visited, the visitor's IP address, the duration of the visit, other information about the use of the websites and information about the content in which the user is interested. If you then visit a partner website, we can display personalized advertising for you based on the articles we have viewed.
We process the data obtained in this way on the basis of your consent in accordance with Article 6 (1) a) GDPR.
You can revoke your consent at any time with effect for the future by adjusting the setting options under our cookie settings.
The information generated by the cookie about your use of this website (including your IP address) is transmitted to a Google server in the USA and stored there.
l) Facebook Custom Audiences (Pixel/Cookies)
We use a so-called tracking pixel from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland, a subsidiary of Facebook Inc. 1601, Willow Road Menlo Park, CA 94025, USA on our website. We use Facebook Pixel to track the success of our own Facebook advertising campaigns and to optimize the display of Facebook advertising campaigns to interested target groups.
After clicking on a Facebook ad or visiting our website, a cookie is stored on your device using the pixel on our website. The cookie processes data on whether you have reached our website via a Facebook advertisement and enables the behavior of the user to be analyzed until the purchase is completed. This allows us to understand the success rate of our Facebook advertising campaigns. In addition, the pixel processes data about the fact that you have visited our website and enables the advertising displayed on Facebook to be adapted to your interests.
When you visit our website, a direct connection to the Facebook servers is established via the Facebook pixel integrated on our website. The information generated by the cookie about your use of this website (including your IP address) is transmitted to Facebook in the USA. When transferring data, the maintenance of an appropriate level of data protection is ensured through the use of standard contractual clauses. These can be found here:
The cookies remain permanently on your device even after you close the web browser and enable you to be recognized on your next visit to our website. The cookie loses its validity after a period. The data collected are anonymous for us and do not allow us to draw any conclusions about the user. If you are registered with Facebook, Facebook can assign the information recorded to your account. Even if you do not have a Facebook account or are not logged in when visiting our website, your IP address and other identification data can be processed and stored by Facebook.
You can revoke your consent to data processing by Facebook Pixel for our web domain at any time with effect for the future by adjusting your settings in our cookie banner. You can also prevent cookies from being set by adjusting the corresponding settings in your Facebook account at https://www.facebook.com/settings?tab=ads
The legal basis for data processing is your consent in accordance with Art. 6 Para. 1 a) GDPR.
m) External content
We use dynamic content (hereinafter referred to as “content”) from third parties to optimise the appearance and content of our website. When you visit our website, a request is sent automatically to the corresponding content provider’s server via an interface. Certain log data (e.g. the user’s IP address) is transferred in this request. The dynamic content is then transferred to our website, where it is displayed.
We use external content in conjunction with the following functionalities:
(1) Integration of YouTube videos
We have integrated videos from the YouTube portal operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”) into our website. When videos are played back, log data is transferred to YouTube’s servers in the USA. It is not possible to guarantee that an appropriate level of data security will be maintained in the USA.
The legal basis for this data processing is our overriding legitimate interest in optimising the marketing of our web presence in accordance with Article 6(1) f) of the GDPR.
More information is available at: https://policies.google.com/privacy?hl=en-gb&gl=en-gb
(2) Google Maps
Our website uses Google’s map service Google Maps to provide you with an interactive map. When the map is displayed, data including your IP address and location is transferred to Google’s servers in the USA and stored there. This data is processed on the basis of our overriding legitimate interest in optimising the marketing of our offer in accordance with Article 6(1) f) of the GDPR.
There is the possibility of data being transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. It is not possible to guarantee that an appropriate level of data security will be maintained in the USA.
More information about data protection is available at: https://policies.google.com/privacy?hl=en-gb&gl=en-gb
We use the external service reCAPTCHA to protect the forms on our website against spam and abuse. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). reCAPTCHA makes it possible to distinguish between input made by humans and fraudulent input made by automated software (also known as bots).
It processes the following data from you: the referrer URL, user’s IP address, user’s input actions, mouse movements around the reCAPTCHA checkboxes, detection and association with a Google account if the user is logged into this at the same time, information about the browser being used, browser size, browser resolution, browser plugins, language settings, date, scripts, and display instructions from the website.
This data is processed on the basis of our overriding legitimate interest in maintaining the security of our website in accordance with Article 6(1) f) of the GDPR.
5. Data retention duration
We retain personal data only for as long as is necessary for the purposes for which it is being processed or until you withdraw your consent. Insofar as statutory retention requirements need to be complied with, the retention period for certain data can be up to 10 years, regardless of the purposes for which the data is being processed.
6. Your rights as a data subject
a) Information and access
You can request information about/access to all personal data we are holding for you, free of charge and at any time.
b) Rectification, erasure, restriction of processing (blocking), objection
If you no longer agree to your personal data being stored or if your personal data is no longer correct, on receipt of a corresponding instruction from you, we will have your data erased or blocked or make the necessary corrections (insofar as this is possible under applicable law). The same applies if we are to restrict the processing of your data in the future. In particular, you have the right to object in cases where your data is necessary for the performance of a task in the public interest or our legitimate interest, including any profiling that is based on this. You also have the right to object in cases where data is processed for direct marketing purposes.
c) Your right to withdraw consent with effect for the future
You can withdraw consent with effect for the future at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
d) Data portability
If data is being processed on the basis of a contract or negotiations prior to entering into a contract, on the basis of consent, or using automated methods, you have the right to data portability. On request we will provide your data to you in a commonly used, structured, and machine-readable format so that you can transfer this data to another controller should you wish to do so.
e) Right to lodge a complaint
You also have the option to lodge a complaint with a supervisory authority in relation to your rights as a data subject:
The above rights do not apply to data where we are not able to identify the data subject (if the data has been anonymised for analysis purposes, for example). It may be possible for you to exercise your right to access/be informed, right to erasure, right to block, right to rectification, or transfer to another organisation in relation to this data if you provide us with additional information that will enable us to identify you.
7. Exercising your rights as a data subject
If you have any questions about the processing of your personal data or if you wish to exercise your right to access/be informed, right to rectification, right to block, right to object, or right to erasure, or should you wish to submit a request for your data to be transferred to another organisation, please contact datenschutzbeauftragter[at]sto.com.