Sto data protection notice
1 Privacy statement
This privacy statement explains how we process your personal data (hereinafter referred to as “data”).
1.1 Data controller
In accordance with the provisions in the General Data Protection Regulation (GDPR), the data controller is:
Sto SE & Co. KGaA
Ehrenbachstr. 1
79780 Stühlingen, Germany
Tel.: +49 77 44 57-0
Website: https://www.sto.de
E-mail: infoservice@sto.com
1.2 Contact details for our data protection officer
Matthias Rosa (external data protection officer)
Am Winterhafen 78
55131 Mainz, Germany
datenschutzbeauftragter@sto.com
1.3 General information on data processing
We process data as part of our business and website activities.
This includes disclosing data by transferring it to third parties and, where applicable, to non-member countries outside the European Union (hereinafter referred to as the “EU”) and the European Economic Area (hereinafter referred to as the “EEA”). In cases where we transfer data to parties or locations outside the EU or EEA, we identify this as outlined below.
2 Data processing
The specific items of data affected, purposes of processing, legal bases, recipients, and, where applicable, transfers to non-member countries are listed below.
2.1 Log file from website visit
We log your visit to our website. As part of this, we process:
• The name(s) of the page(s) on our website that you visited
• The date and time of your visit
• The quantity of data transferred
• The browser type you used and its version
• The operating system you used
• The referrer URL (the website you visited before ours)
• Your IP address
• The requesting provider
The legal basis for this data processing is our overriding legitimate interest in the ongoing provision and security of our website, in accordance with Article 6(1) f) of the GDPR.
The log file is deleted after a period of seven days unless it is required to provide evidence of or verify actual legal infringements that become known during this period.
2.2 Hosting
To maintain our online presence, we use the services of web hosting providers, which process all the aforementioned data associated with the operation of this website (log file of website visit) on our behalf.
The legal basis for this data processing is our overriding legitimate interest in the provision of our website, in accordance with Article 6(1) f) of the GDPR.
2.3 Establishing contact
If you establish contact with us, we will process the following data for the purposes of dealing with your request: your name, your contact details (if you provide them), and your message.
The legal basis for this data processing is our obligation to perform a contract and/or fulfil the obligations that apply to us prior to entering into a contract, in accordance with Article 6(1) b) of the GDPR, and/or our overriding legitimate interest in processing your request, in accordance with Article 6(1) f) of the GDPR.
2.4 Establishing contact in the case of job applications
If you establish contact with us in order to submit an application for employment with us – by e-mail or using a contact form, for example – the data that you have submitted (such as your name, e-mail address, and requested employment location), your message, and the application documents you have submitted will be processed exclusively for the purpose of dealing with your application.
The primary legal basis for this data processing is Section 26 of the BDSG (German Federal Data Protection Act), which states that data that is required in order to make a decision about entering into an employment relationship may be processed.
Should this be necessary on completion of the application process (as part of legal proceedings, for example), data processing to safeguard our legitimate interests is permitted according to Article 6(1) f) of the GDPR, specifically to pursue and/or defend a claim.
2.5 Contract performance and data management as part of our service provision
We process various items of data when providing our services and for the purposes of initiating and processing contractual relationships between you and us.
If you have assigned us to provide a service, we will process your data (name, contact details, and address, where provided) and all the information required to perform this assignment exclusively for the purpose of handling the contractual relationship.
In particular, this includes appropriate consulting services and support, correspondence with you, delivery and invoicing, and fulfilling our accounting and tax-related obligations.
Accordingly, the data will be processed on the basis of Article 6(1) b) of the GDPR and for the purpose of complying with our legal obligations in accordance with Article 6(1) c) of the GDPR.
Your data may be passed on to third parties where necessary for the purposes of processing the assignment.
We will pass on your address information to the company entrusted with making delivery. Where necessary to execute the contract, we will also pass on your e-mail address or your telephone number to the company entrusted with making delivery in order to arrange a delivery date (dispatch notification).
We will pass on your transaction data (name, date of order, payment method, date of dispatch and/or receipt, amount and payee, and where applicable, bank details or credit card details) to the payment provider commissioned with handling the payment.
This may also include passing data on to supervisory authorities for correspondence purposes and in order to assert and defend your rights.
In doing so, we will put all suitable measures in place to ensure that personal data is only transferred to the extent necessary for the underlying purpose.
2.6 Customer account
You must register before you can use our online shop. In addition to information about your company, personal data (contact person, e-mail address, name of the business owner) may also be processed in this case. We will also process your usage data (user name, password). This enables you to manage your orders and assignments and us to identify you as a customer. The legal basis for this data processing is your consent in accordance with Article 6(1) a) of the GDPR.
2.7 Newsletter
We offer you the option of receiving an e-mail newsletter so that we can share regular information about our company and our offers with you. If you subscribe to our newsletter, we will process the data you provide when doing so (e-mail address and other information shared voluntarily). To prevent abuse, once you have subscribed, we will send you an e-mail asking you to confirm your subscription (double opt-in procedure). Your subscription is logged so that we can verify that the subscription process complies with legal requirements. The data that is logged as part of this is the point in time at which you subscribed and confirmed, and your IP address.
The legal basis for sending the newsletter is your consent in accordance with Article 6(1) a) of the GDPR. The legal basis for processing the data connected with sending the confirmation e-mail for your subscription and for the related data logging process is our legitimate interest in verifying that your subscription is correct, in accordance with Article 6(1) f) of the GDPR.
In order to send the newsletter, we use service providers to which we transfer the data referred to above.
2.8 Personalised newsletter
Provided you consent to this in advance, you will receive a newsletter featuring personalised content from us.
By using the newsletter, we receive information regarding when an e-mail was opened. In addition, we analyse your user activity by determining which links you clicked on in the newsletter. We use this information to further tailor the content of our newsletter to your personal interests.
The legal basis for sending the newsletter is your consent in accordance with Article 6(1) a) of the GDPR.
2.9 Direct email advertising for existing customers
In order to offer you similar goods and services in connection with the goods and services you have purchased, we will send you direct mail to the email address you used in connection with the purchase.
The legal basis for sending this direct mail is Section 7 (3) UWG in conjunction with Art. 95 GDPR.
We use service providers to send the newsletter to whom we transmit the mentioned data. They process the data in accordance with instructions on our behalf.
2.10 Shop system, data management, and newsletter via Salesforce
In order to provide our shop system, manage our customer data, and send our personalised newsletter, we use systems from Salesforce.com Germany GmbH, Erika-Mann-Str. 63, 80636 Munich (“Salesforce”). The data that we process in the context of providing your customer account, purchase transactions, and personalised newsletter, including the analysis of your user activity, is therefore processed by us in Salesforce systems.
We do not process your data using Salesforce systems for any additional purposes. The legal basis for this processing therefore corresponds to the legal bases described under sections 2.5, 2.6, and 2.8 above.
Salesforce is a group of companies with branches worldwide. The group’s parent company is salesforce.com Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA.
It is therefore possible that data may be transferred to the USA in the context of data processing undertaken by Salesforce. The EU Commission has not agreed a framework regarding the adequacy of the level of protection when data is transferred to the USA. However, Salesforce ensures an adequate level of data protection by means of binding corporate rules (BCR). These are binding internal regulations which have been approved by a European supervisory authority. You can access a copy of the BCR at the following link: https://compliance.salesforce.com/en/salesforce-bcrs
In addition, Salesforce ensures an adequate level of data protection by means of the EU standard contractual clauses. You can access a copy of the clauses at the following link: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf
2.11 Requests for marketing support
Via our website, we offer trade/specialized companies the opportunity to receive offers for the conception of individual advertising material from our partner agencies. We will forward your inquiries via our contact form to our respective partner agency for further coordination with you. In addition to the information about your company, the selected motifs and products, personal data (contact person, email address, name of the company owner, telephone number) may also be processed.
The data processing takes place for the implementation of pre-contractual measures, which take place on your respective request. The legal basis for data processing is Art 6 I b) GDPR.
2.12 Cookies
Our website uses what are known as cookies. These are small text files that are stored on your device (PC, smartphone, tablet, etc.) by your web browser.
(a) Purposes
We use cookies with the technical properties that are required to ensure our web presence operates as best as possible. These cookies make it possible for you to navigate our website, and they provide other basic website functions.
We also use optional cookies that provide us with additional information for the purposes of analysing data traffic or conducting advertising and marketing, for example.
(b) Duration
The cookies that we use remain on your device for different durations:
Session cookies: these cookies are deleted from your device immediately after you close your web browser.
Permanent cookies: these cookies remain on your device even after you have closed your web browser, and enable us to do things like recognise you the next time you visit our website.
(c) Party cookies
First-party cookies refer to cookies that are set directly by us. Third-party cookies, on the other hand, are set by third-party websites when displaying content, for example (advertisements, images, tracking pixels, etc.).
(d) Legal basis for data processing
Fundamentally, the legal basis for processing data by means of cookies is your consent in accordance with Article 6(1) a) of the GDPR or our overriding legitimate interest in optimising and establishing functions on our web presence in accordance with Article 6(1) f) of the GDPR.
(e) Withdrawal and objection
In cases where data is processed on the basis of your consent, you may withdraw your consent (opt out) with effect for the future at any time. In cases where data is processed on the basis of our legitimate interest, you may object to any further data processing with effect for the future. To do this, you can use the options in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
You can find more information about objecting to data processing in section 6 b) of this privacy statement.
(f) Cookie settings in your browser
You can also prevent data being processed through cookies in the future or restrict the extent to which this occurs by visiting the appropriate browser settings and making settings such as deactivating the use of cookies. As well as this, you can delete the cookies that are already stored in your browser settings. The following links provide more information about settings in different browsers:
• Mozilla Firefox: https://support.mozilla.org/en/kb/
• Internet Explorer: https://support.microsoft.com/en-gb/help/17442/
• Google Chrome: https://support.google.com/accounts/
• Opera: http://www.opera.com/en/help
• Safari: https://support.apple.com/kb/PH17191?
(g) Our cookies
Our cookie settings provide additional information on the specific cookies we set, the purposes of doing so, and the duration for which the cookies remain on your device. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
2.13 Consent banner from Cookie Information
So that we can document your selections relating to certain data processing procedures and communicate this information to third-party providers, our website uses the Cookie Information service (hereinafter referred to as “Cookie Information”) provided by Cookie Information A/S, Kristen Bernikows Gade 4, 1105 Copenhagen K, Denmark. Cookie Information uses the data processing procedures you select and communicates this information to third-party providers as appropriate.
This data processing is carried out in order to fulfil our legal obligation to process data in a way that is compliant with data protection requirements, in accordance with Article 6(1) c) of the GDPR.
You can find more information about how Cookie Information processes data at:
https://cookieinformation.com/cookie-and-privacy-policy
2.14 Analysis/Marketing
(a) Google services
Our website uses various services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). As part of this, there is the potential for data to be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA.
When data is transferred, an adequate level of data protection is ensured by using standard contractual clauses. They can be accessed here:
https://policies.google.com/privacy/frameworks?hl=en-gb&gl=en-gb
(b) Google Analytics
Our website uses the tracking tool Google Analytics in order to analyse your use of the website. This makes it possible to compile reports about activity on our web presence, provide further services associated with use of the website, and improve user-friendliness as a result.
The use of Google Analytics primarily involves using cookies to collect data about and systematically evaluate interactions by users of our website.
You can find details of the cookies we use in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
We use Google Analytics with the “anonymizeIp()” extension. This truncates IP addresses within member states of the EU or EEA. If data is transferred to Google servers in the USA, the complete IP address is only transferred and truncated there in exceptional cases. In most cases, this prevents the possibility of the data being used to directly identify an individual person. In particular, it makes it impossible to link the data to the computer or other device that the visitor to the website used.
Google Analytics processes the following data:
• Bytes from the IP address of the system used by the website visitor (anonymised IP address)
• The website visited
• The website from which users access our website (referrer)
• The individual pages visited on our website
• The duration for which users remain on the website
• The frequency with which the website is visited
Google has itself stated that it will never unite your IP address with other Google data.
The legal basis for this data processing is your prior consent in accordance with Article 6(1) a) of the GDPR.
(c) Withdrawing consent
You can withdraw your consent with effect for the future at any time. To do this, you can use the options in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
You can also amend these settings:
http://www.google.com/ads/preferences
Please also note the supplementary information about Google’s use of data in the Google Partner Network, which is available here:
http://www.google.com/intl/en-gb/policies/privacy/partners/
2.15 Google remarketing/retargeting
Our website uses what are known as tracking cookies from Google. When you visit our site, permanent cookies are used to store information regarding the websites you have visited, your IP address, the duration of your visit, other details regarding usage of the websites, and information on the content you are interested in. When you subsequently visit a partner website, we are able to show you personalised advertising based on the items you have viewed.
We process the data we obtain in this way on the basis of your consent in accordance with Article 6(1) a) of the GDPR.
You can withdraw your consent with effect for the future at any time. To do this, you can amend the options in our cookie settings.
The information regarding your use of this website generated by the cookie (including your IP address) is transferred and stored on a server in the USA by Google.
2.16 Facebook custom audiences (pixel/cookies)
Our website uses what is known as a tracking pixel from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Facebook Inc. 1601, Willow Road Menlo Park, CA 94025, USA. We use the Facebook pixel to track the success of our Facebook advertising campaigns and to optimise how Facebook advertising campaigns are displayed to interested target groups.
When you click on a Facebook advertisement or visit our website, the pixel on our website is used to store a cookie on your device. The cookie processes data relating to whether you have accessed our website via a Facebook advertisement and enables your activity up to the point that you make a purchase to be analysed. This allows us to track the success rate of our Facebook advertising campaigns. In addition, the pixel processes data relating to the fact that you have visited our website, enabling the advertising shown to you on Facebook to be adapted to your interests.
When you visit our website, a direct connection to the Facebook servers is established via the Facebook pixel integrated on our website. The information regarding your use of this website generated by the cookie (including your IP address) is transferred to Facebook in the USA. When data is transferred, an adequate level of data protection is ensured by using standard contractual clauses. They can be accessed here.
The cookies remain on your device permanently – even after you have closed your web browser – and enable us to recognise you the next time you visit our website. The cookies lose their validity after a certain period of time. The data we collect is anonymous and does not enable us to identify the particular user. If you have signed up to Facebook, Facebook can assign the collected information to your account. Even if you do not have a Facebook account or are not logged into Facebook when you visit our website, it is possible that Facebook will process and store your IP address and additional identification data.
You can withdraw your consent to having your data processed via the Facebook pixel for our web domain with effect for the future at any time. To do this, you can amend the settings in our cookie banner. In addition, you can prevent cookies being placed on your device by amending the corresponding settings in your Facebook account:
https://www.facebook.com/settings?tab=ads
The legal basis for this data processing is your consent in accordance with Article 6(1) a) of the GDPR.
2.17 External content
We use dynamic content (hereinafter referred to as “content”) from third parties to optimise the appearance and content of our website. When you visit our website, a request is sent automatically to the corresponding content provider’s server via an interface. Certain log data (e.g. the user’s IP address) is transferred in this request. The dynamic content is then transferred to our website, where it is displayed.
We use external content in conjunction with the following functionalities:
(a) Integration of YouTube videos
We have integrated videos from the YouTube portal operated by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”) into our website. When videos are played back, log data is transferred to YouTube’s servers in the USA. It is not possible to guarantee that an adequate level of data protection will be maintained in the USA.
The legal basis for this data processing is our overriding legitimate interest in optimising the marketing of our web presence in accordance with Article 6(1) f) of the GDPR.
More information is available at:
https://policies.google.com/privacy?hl=en-gb&gl=en-gb
(b) Google Maps
Our website uses Google’s map service Google Maps to provide you with an interactive map. When the map is displayed, data including your IP address and location is transferred to Google’s servers in the USA and stored there. This data is processed on the basis of our overriding legitimate interest in optimising the marketing of our offer in accordance with Article 6(1) f) of the GDPR.
There is the possibility of data being transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. It is not possible to guarantee that an adequate level of data protection will be maintained in the USA.
More information about data protection is available at:
https://policies.google.com/privacy?hl=en-gb&gl=en-gb
(c) reCAPTCHA
We use the external service reCAPTCHA to protect the forms on our website against spam and abuse. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). reCAPTCHA makes it possible to distinguish between input made by humans and fraudulent input made by automated software (also known as bots).
It processes the following data from you: the referrer URL, user’s IP address, user’s input actions, mouse movements around the reCAPTCHA checkboxes, detection and association with a Google account if the user is logged into this at the same time, information about the browser being used, browser size, browser resolution, browser plugins, language settings, date, scripts, and display instructions from the website.
This data is processed on the basis of our overriding legitimate interest in maintaining the security of our website in accordance with Article 6(1) f) of the GDPR.
3 Data retention
3.1 Data retention duration
We retain personal data only for as long as is necessary for the purposes for which it is being processed or until you withdraw your consent. Insofar as statutory retention requirements need to be complied with, the retention period for certain data can be up to 10 years, regardless of the purposes for which the data is being processed.
4 Your rights as a data subject
4.1 Information and access
You can request information about/access to all personal data we are holding for you, free of charge and at any time.
4.2 Rectification, erasure, restriction of processing, objection
If you no longer agree to your personal data being stored or if your personal data is no longer correct, on receipt of a corresponding instruction from you, we will have your data erased or blocked or make the necessary corrections (insofar as this is possible under applicable law). The same applies if we are to restrict the processing of your data in the future. In particular, you have the right to object in cases where your data is necessary for the performance of a task in the public interest or our legitimate interest, including any profiling that is based on this. You also have the right to object in cases where data is processed for direct marketing purposes.
4.3 Your right to withdraw consent with effect for the future
You can withdraw consent with effect for the future at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4.4 Data portability
If data is being processed on the basis of a contract or negotiations prior to entering into a contract, on the basis of consent, or using automated methods, you have the right to data portability. On request we will provide your data to you in a commonly used, structured, and machine-readable format so that you can transfer this data to another controller should you wish to do so.
4.5 Right to lodge a complaint
You also have the option to lodge a complaint with a supervisory authority in relation to your rights as a data subject:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html
4.6 Restrictions
The above rights do not apply to data where we are not able to identify the data subject (if the data has been anonymised for analysis purposes, for example). It may be possible for you to exercise your right to access/be informed, right to erasure, right to block, right to rectification, or transfer to another organisation in relation to this data if you provide us with additional information that will enable us to identify you.
5 Exercising your rights as a data subject
5.1 Exercising your rights as a data subject
If you have any questions about the processing of your personal data or if you wish to exercise your right to access/be informed, right to rectification, right to block, right to object, or right to erasure, or should you wish to submit a request for your data to be transferred to another organisation, please contact datenschutzbeauftragter@sto.com.