Data protection
Policy
As the operator of the www.hack.ag website, HACK AG takes the protection of your personal data seriously. We handle your personal data in a confidential manner and in accordance with the statutory data protection regulations, as well as this Privacy statement.
I. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states, as well as other provisions of data protection law, is:
Hack AG
Karl-Hack-Allee 1
D-56581 Kurtscheid
Phone: +49 2634 9660-0
Fax: +49 2634 8000
Email: info@hack.ag
II. Company data protection officer
The company data protection officer is
Andrea Thiel
Karl-Hack-Allee 1
D-56581 Kurtscheid
Email: datenschutz@hack.ag
III. General information about data processing
1. Scope of the processing of personal data
In principle, we only process the personal data of our users insofar as this is required for the provision of a functional website, as well as our content and services. The processing of the personal data of our users only takes place on a regular basis with the consent of the user. There shall only be an exception in such cases in which it is not possible to obtain prior consent for practical reasons and the data processing is permissible in accordance with statutory provisions.
2. Legal basis for processing personal data
Insofar as we collect the consent of the data subject for the processing of personal data, Article 6 ( 1) lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
For the processing of personal data that is necessary for the performance of a contract, the contracting party of which is the data subject, Article 6 ( 1) lit. b GDPR serves as the legal basis. This also applies to processing that is required for the implementation of pre-contractual measures.
Insofar as the processing of personal data is required for compliance with a legal obligation to which the company is subject, Article 6 ( 1) lit. c GDPR serves as the legal basis.
In the event that processing of personal data is required in order to protect the vital interests of the data subject or another natural person, Article 6 A( ) 1 lit. d GDPR serves as the legal basis.
In the event processing is necessary for the purposes of the legitimate interests pursued by our company or a third party and the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the former interests, Article 6 ( 1) lit. f GDPR serves as the legal basis for processing.
3. Erasure of data and storage periods
The personal data of the data subject shall be erased or blocked when the purpose of storage ceases to apply. Storage beyond this point in time may take place if this is provided for by European or national legislation in regulations under Union law, laws or other provisions to which the controller is subject. Erasure or blocking of the data shall still take place on the expiry of a storage period set out in the above-mentioned standards, except where further storage of the data is required for the conclusion of a contract or performance of a contract.
IV. Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is accessed, our system collects data and information from the computer system of the device accessing the website on an automated basis.
The following data is collected in connection with this:
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the computer accessing the website
- Time of the server request
- IP address
The data is also saved in the log files of our system. This data is not merged with other data sources. The IP address is stored in an anonymised manner.
2. Purpose of storage
Data storage takes place for the purpose of error analysis.
3. Legitimate interest
We also have a legitimate interest to data processing in terms of error analysis and the maintenance of the usability of our website that is enabled by such analysis.
4. Storage period
The data is erased after the expiry of a maximum of one full week.
5. Legal basis
The legal basis for the temporary storage of the data and the log files is Article 6 (1) lit. f GDPR.
6. Opportunities to withdraw consent and for deletion
The collection of the data for the provision of the website and storage of the data in log files is essential for the operation of the website. Consequently, the user may not withdraw consent.
V. Google Analytics
1. Description and scope of data processing
This website uses functions provided by the web analysis service Google Analytics. The provider is Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses “cookies”. These are text files stored on your computer that enable analysis of your use of the website to be carried out. The information created by the cookie about your use of this website is generally sent to a Google server in the USA and stored there.
We have activated the IP anonymisation function on this website. This means that Google will abbreviate your IP address in member states of the European Union or in other signatory states to the Agreement on the European Economic Area before transmitting the IP address to the USA. Only in exceptional cases will the full IP address be sent to a Google server in the USA and stored there. On behalf of the operator of this website, Google will use this information to evaluate your use of this website, compile reports about the website activity and provide the website operator with additional services relating to the website use and internet use. The IP address transmitted by your browser within the framework of Google Analytics is not connected to other data by Google. For the purpose of using Google Analytics, we have concluded a contract data processing agreement with Google.
2. Legal basis
The storage of Google Analytics cookies takes place on the basis of Article 6 (1) lit. f GDPR.
3. Purpose of processing
The purpose of the data processing is to optimise our advertising and to improve our web service on an ongoing basis, in particular to increase the level of user-friendliness in order to make orientation easier for users. This is also the basis for our legitimate interest.
4. Storage period
Sessions and campaigns are terminated on expiry of a certain period of time. As standard, sessions are terminated after 30 minutes of no activity and campaigns after six months. The time limit for campaigns may be a maximum of two years. You can find out more information about the terms of use and data protection at https://www.google.com/analytics/terms/de.html
5. Withdrawal of consent/deletion, prevention
You may prevent the storage of cookies by changing the settings on your browser software accordingly. However, we would point out that, if you do so, you may not be able to use all the functions of this website in full (cf. the details provided in IV of this Privacy statement). Furthermore, you can prevent the provision of the data created by the cookie that relates to your use of the website (including your IP address) to Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in that is available using the following link:
https://tools.google.com/dlpage/gaoptout?hl=de.
You can find out more about how user data is managed by Google Analytics in the Google Privacy Policy:
https://support.google.com/analytics/answer/6004245?hl=de.
6. Decision on adequacy
Insofar as data is transmitted to the USA for the use of Google Analytics, the basis for this is the Decision on adequacy of the European Commission dated 12.07.2016 (C(2016) 4176) for the regulations of the Privacy Shield agreement. Google is subject to the Privacy Shield regulations. You can view the certificate here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
VI. YouTube
1. Description and content of data processing
We integrate videos on the platform YouTube, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (hereinafter referred to as ‘Google’). You can view the Privacy Policy at https://www.google.com/policies/privacy/.
As a third-party provided, Google may only sent the content that is offered to your browser using your IP address. Google places cookies on your browser and uses your IP address for the purpose of communication.
2. Legal basis for the data processing
The legal basis for data processing is Article 6 ( 1) lit. f GDPR.
3. Purpose of data processing
The purpose of the data processing is the provision of video content by a third-party provider without using storage space on the server of our website in order to expand the services offered on our website. This is also the basis for our legitimate interest.
4. Duration of storage
You may deactivate or restrict the transmission of cookies by changing the settings on your internet browser. Cookies that have already been saved may be deleted at any time. This may also take place on an automated basis. If cookies are deactivated for our website, it may no longer possible to use all the functions of the website in full.
Insofar as you do not deactivate the transmission of cookies or you do not actively delete cookies, the cookies saved by Google are deleted after eight months at the latest.
5. Decision on adequacy
Insofar as data is transmitted to the USA for the use of YouTube, the basis for this is the Decision on adequacy of the European Commission dated 12.07.2016 (C(2016) 4176) for the regulations of the Privacy Shield agreement. Google is subject to the Privacy Shield regulations. You can view the certificate here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
VII. Google Fonts
1. Content and scope of data processing
In order to ensure that text appears uniform, this website uses Web Fonts, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you access a page on the website, your browser loads the required Web Fonts in your browser cache in order to display the text and fonts correctly. In order to do so, a connection is created between the user and the Google server, meaning that the user’s IP address is transmitted to Google.
If your browser does not support Web Fonts, your computer will use a standard font.
You can find out more about Google Web Fonts at https://developers.google.com/fonts/faq and in the Google Privacy Policy: https://www.google.com/policies/privacy/.
2. Legal basis
The legal basis for data processing is Article 6 (1) lit. f GDPR.
3. Purpose of processing
The purpose of the data processing is displaying the content that is provided on our website in a uniform, appealing font in order to make it appear more user-friendly. This is also the basis for our legitimate interest.
4. Prevention / termination of data collection
If you have already accessed the page, you may prevent further transmissions to Google by leaving the page.
5. Decision on adequacy
Insofar as data is transmitted to the USA for the use of Google Maps, the basis for this is the Decision on adequacy of the European Commission dated 12.07.2016 (C(2016) 4176) for the regulations of the Privacy Shield agreement. Google is subject to the Privacy Shield regulations. You can view the certificate here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI
VIII. Facebook
1. Facebook usage
In addition to the website hack.ag, we also have a presence on the social network Facebook, which is operated in Europe by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter referred to as ‘Facebook’). You can visit our Facebook page using the corresponding buttons. If you do so, personal data may be transmitted to Facebook. If it possible that, in addition to the data entered by you on Facebook, further information is processed by Facebook.
Furthermore, Facebook may process the most important data of the computer system from which you visit Facebook, for example your IP address, the processor type that is being used and the browser version, including plug-ins.
When you visit our Facebook page, Facebook collects, for example, your IP address and additional information that is stored on your computer in the form of cookies. This information is used in order to provide us, as the operator of the Facebook pages, with statistical information about the use of the Facebook page. Facebook provides more information about this here: http://de-de.facebook.com/help/pages/insights. The data about you that is collected in connection with this is processed by Facebook Ltd and may be transmitted to countries outside the European Union. Facebook provides general information about the information that it receives and how this is used in its Data Policy. Information with regard to contact details for Facebook and setting options for advertising is also provided there. The Data Policy can be viewed using the following link: http://de-de.facebook.com/about/privacy.
You can view the full version of the Facebook Data Policy here: https://de-de.facebook.com/full_data_use_policy
If you are logged into your Facebook account during your visit to our Facebook page, Facebook is able to identify this and connect your visit to your account. You can read more about the purpose and scope of data collection by Facebook, the further processing of your data there and your rights in the Facebook Data Policy, which you can access using the following link:
https://de-de.facebook.com/about/privacy/
2. Facebook Messages
a) Description and scope of data processing
If you are logged into your Facebook account during your visit to our Facebook page, you can send us a message via Facebook by pressing the “Message” button. In the event you contact us via Facebook, the personal data of the user that is transmitted with the email is saved. We exclusively use the data for processing the conversation.
b) Legal basis for the data processing
The legal basis for data processing is Article 6 ( 1) lit. f GDPR. If the intention of your contact is to prepare or conclude a contract with us, the additional legal basis is Article 6 (1) lit. b GDPR. If a contract is entered into in this case and a legal obligation to retain the message exists, the further legal basis during the period of the retention obligation is Article 6 (1) lit. c GDPR.
c) Purpose of data processing
The processing of personal data from the email shall be used by us for the sole purpose of contacting the recipient. This also constitutes the necessary legitimate interest in the data processing.
Insofar as the contact serves the purpose of the preparation, establishment or implementation of a contractual relationship with us, this constitutes the additional purpose of processing. If a legal obligation to retain your message arises as a result, the storage also services the purpose of fulfilling the retention obligation.
d) Duration of storage
The data is deleted as soon as it is no longer required for the purpose of its collection. For the personal data that is transmitted by email, this is the case when the respective conversation with the user has been concluded. The conversation shall be considered to have been concluded when the circumstances indicate that the matter in question has been concluded in full.
If the contact serves the purpose of the preparation, establishment or implementation of a contractual relationship with us, we will store the data for the period in which claims and other rights could exist on the basis of the contractual relationship (e.g. warranty claims / claims for compensation for damages). The duration usually corresponds to the respective statutory limitation period.
Insofar as there is a statutory retention obligation (Section 147 AO; Section 257 HGB), we store the data until the expiry of the statutory retention period.
5. Opportunities to object and for deletion
The user has the opportunity to object to the storage of its personal data at any time. In this case, the conversation may not be continued.
The objection may be provided by email, for example. In this case, we delete, if we are not legally obliged to retain the conversation, all personal data that was saved in the course of making this contact, including the withdrawal of consent.
Insofar as we require the personal data that has been stored to establish or implement a contractual relationship with you, there shall be no right to object to the storage.
IX. Competition
1. Description and content of data processing
We offer competitions on our social media pages, in which we give away a certain number of our products to a select number of all the participants or, in the case of skill games, a select number of all participants with the correct solution. We collect the data that is provided by the user and store this on our respective social media page. Depending on the competition, this is the user name and/or the email address. If an email address is required to be provided in order to participate, we save the email address and the message text. We inform the winners and ask them to provide their name and address details in order to send the prize.
2. Legal basis
The legal basis for processing is Article 6 (1) lit. f GDPR.
3. Purpose of processing
The purpose of processing is the implementation of the competition as a promotional offer and, within this context, in particular to make contact with the winners in order to provide the winners with their prize.
4. Storage period
We save the data during the course of the competition and delete it afterwards. We store the winners’ details until the winners have received their prize.
5. Right to withdraw consent
You may withdraw consent to the processing of your data. You may withdraw consent by informing us by email, for example, or by sending us a message via the respective social media network. If you withdraw consent, the processing of your data will not continue. We will then delete your data. This means that you cannot continue to participate in the competition and cannot receive a prize.
X. Email contact
1. Description and scope of data processing
In the event you contact us using the email address that is provided, the personal data of the user that is transmitted with the email is saved.
No data is passed on to third parties in connection with this. The data is exclusively used for processing the conversation.
2. Legal basis for the data processing
The legal basis for data processing is Article 6 ( 1) lit. f GDPR. If the intention of the contact is to conclude a contract, the additional legal basis for the processing shall be Article 6 ( 1) lit. b GDPR.
3. Purpose of data processing
The processing of personal data from emails shall be used by us for the sole purpose of contacting the recipient. This also constitutes the necessary legitimate interest in the data processing.
If, as a result of making this contact, a contract is concluded or relationship similar to a contract arises, from which mutual rights and obligations may arise, we delete the data if it has been ascertained that no rights and obligations result from this relationship any more. This is often the case after the expiry of the limitation periods that are valid in the respective case. If there are any statutory retention obligations (e.g. for tax or commercial law purposes), we delete the data after the expiry of this retention period.
4. Duration of storage
The data is deleted as soon as it is no longer required for the purpose of its collection. For the personal data that is transmitted by email, this is the case when the respective conversation with the user has been concluded. The conversation shall be considered to have been concluded when the circumstances indicate that the matter in question has been concluded in full.
5. Opportunities to withdraw consent and for deletion
The user has the opportunity to withdraw consent to the storage of its personal data at any time. In this case, the conversation may not be continued.
The withdrawal of consent may be provided by email or via our contact form. In this case, we delete, insofar as we are not legally obliged to retain the conversation, all personal data that was saved in the course of making this contact, including the withdrawal of consent.
There shall be no right to withdraw consent insofar as the processing is based on Article 6 (1) lit. b GDPR and the contact serves to initiate, conclude or perform a contract.
XI. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of GDPR and have the following rights with regard to the controller:
1. The right to be informed
You may request confirmation from the controller as to whether personal data concerning you is processed by us.
If such processing takes place, you may request the following information from the controller:
(1) the purposes for which the personal data is processed;
(2) the categories of personal data being processed;
(3) the recipients and/or the categories of recipients to which the personal data in question has been disclosed or is still being disclosed;
(4) the planned duration of the storage of the personal data concerning you or, if no specific details of this can be provided, criteria for the determination of the storage period;
(5) the existence of the right to rectification or erasure of the personal data concerning you, the right to restriction of processing by the controller or the right to object against this processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) all the available information about the origin of the data insofar as the personal data was not collected from the data subject;
(8) the existence of automated decision-making including profiling pursuant to Article 22 ( 1) and (4) GDPR and, at least in these cases, detailed information about the logic involved, as well as the scope and intended effect of processing of this kind for the data subject.
You have the right to request information as to whether the personal data concerning you is transmitted to a third country or an international organisation. In this regard, you may request to be informed about the suitable safeguards pursuant to Article 46 GDPR in connection with the transmission.
2. Right to rectification
With regard to the data controller, you have the right to rectification and/or completion insofar as the personal data that has been processed concerning you is incorrect or incomplete. The controller shall carry out the rectification without undue delay.
3. Right to limitation of processing
Under the following prerequisites, you may request the limitation of processing of the personal data concerning you:
(1) You dispute the correctness of the personal data concerning you for a period of time that enables the controller to review the correctness of the personal data concerning you;
(2) The processing is unlawful and you reject the erasure of the personal data and, instead, request the restriction of the use of the personal data;
(3) The controller no longer requires the personal data for the purpose of the processing, however requires this data for asserting, exercising or defending legal claims, or
(4) You have objected to the processing in accordance with Article 21 ( 1) GDPR and it has not yet been established whether the legitimate interests of the controller outweigh your reasons.
In the event that the processing of the personal data concerning you has been restricted, this data, except from the storage thereof, may only be processed with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of substantial public interest of the Union of a Member State.
If the processing has been restricted in accordance with the abovementioned provisions, you will be informed by the data controller before the restriction is lifted.
4. Right to erasure
a) Erasure obligation
You may ask the controller to delete the personal data concerning you without undue delay, which obliges the controller to delete this data without undue delay, insofar as one of the following reasons is applicable:
(1) The personal data concerning you is no longer required for the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent on which the processing was based in accordance with Article 6 ( 1) lit. a or Article 9 ( 2) lit. a GDPR and there is no other legal basis for processing.
(3) You object to the processing in accordance with Article 21 ( 1) GDPR and there are no overriding legitimate reasons for the processing or you object to the processing in accordance with Article 21 ( 2) GDPR.
(4) The personal data concerning you was processed unlawfully.
(5) The erasure of the personal data concerning you is required for the fulfilment of a legal obligation pursuant to Union law or the law of the Member States to which the controller is subject.
(6) The personal data concerning you was processed in relation to the offer of information society services in accordance with Article 8 ( 1) GDPR.
b) Information to third parties
If the controller has published the personal data in question and is obliged to erase such data in accordance with Article 17 ( 1) GDPR, it shall, taking the available technology and implementation costs into account, take appropriate measures, including technical measures, in order to inform the controllers processing the personal data that you, as the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data.
c) Exceptions
The right to erasure shall not apply insofar as the processing is necessary
(1) in order to exercise the right to freedom of expression and information;
(2) in order to fulfil a legal obligation required for the processing pursuant to Union law or the law of the Member States to which the controller is subject, or to complete a task that is in the public interest or takes place in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the field of public health pursuant to Article 9 ( 2) lit. h and i and Article 9 ( 3) GDPR;
(4) for archiving purposes that are in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 ( 1) insofar as the right set out in a) is not expected to make achieving the goals of this processing impossible or seriously impede this, or
(5) for the assertion, exercise or defence of legal claims.
5. Right to information
If you have exercised the right to rectification, erasure or restriction of processing with regard to the controller, the controller shall be obliged to inform all recipients of the personal data concerning you that has been published about the rectification, erasure of the data or restriction of the processing, unless this proves to be impossible or is associated with a disproportionate level of effort.
With regard to the controller, you have the right to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you with which you provided the controller in a structured, commonly-used and machine-readable format. In addition, you have the right to transfer this data to another controller without hindrance by the controller to whom the personal data was provided, insofar as
(1) the processing is carried out on the basis of consent in accordance with Article 6 ( 1) lit. a GDPR or Article 9 ( 2) lit. a GDPR or is based on a contract pursuant to Article 6 ( 1) lit. b GDPR and
(2) the processing takes place using an automated procedure.
Furthermore, in exercising this right, you also have the right to require the personal data concerning you to be transmitted directly from one controller to another controller insofar as this is technically possible. The freedoms and rights of any other persons may not be affected by this.
The right to data portability does not apply for the processing of personal data that is required to complete a task that is in the public interest or takes place in the exercise of official authority vested in the controller.
7. Right to object
For reasons arising from your particular situation, you have the right to object to the processing of the personal data concerning you at any time that takes place on the basis of Article 6 ( 1) lit. e or f GDPR; this also applies for profiling based on these provisions.
The controller shall not continue to process the personal data concerning you unless it is able to provide compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
In the event the personal data concerning you is used to carry out direct marketing, you have the right to raise an objection to the processing of the personal data concerning you for the purpose of marketing of this kind at any time; this also applies to profiling insofar as this is connected to this direct marketing.
If you object to the processing for the purposes of direct marketing, the personal data concerning you shall no longer be used for such purposes.
In connection with the use of information society services, you have the opportunity to assert your right to object using automated processes for which technical specifications are used, regardless of Directive 2002/58/EC.
8. Right to object to the declaration of consent relating to data protection law
Insofar as you provided a declaration of consent under data protection law, you have the right to withdraw this consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing that takes place up to the point in time of the withdrawal.
9. Automated decision making in individual cases, including profiling
You have the right to not be subject to a decision that is based exclusively on automated process, including profiling, that produces a legal effect for you or has any other similar significant negative effect for you. This does not apply if the decision
(1) is necessary for the conclusion or the performance of a contract between you and the data controller,
(2) is permissible on the basis of the legal provisions of the Union or the Member States to which the controller is subject and these legal provisions contain appropriate measures for protecting your rights and freedoms, as well as your legitimate interests, or
(3) takes place with your express consent.
However, these decisions may not be based on particular categories of personal data pursuant to Article 9 ( 1) GDPR, insofar as Article 9 ( 2) lit. a or g GDPR is not valid, and appropriate measures have been taken to protect rights and freedoms, as well as your legitimate interests.
In view of the cases mentioned in (1) and (3), the controller shall take appropriate measures to protect the rights and freedoms, as well as your legitimate interests, in relation to which at least the right to initiate intervention by an individual on the part of the controller, to highlight one’s own position and to appeal the decision are included in this.
10. Right to lodge a complaint with a supervisory authority
Irrespective of any other administrative or judicial legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you live, work or in which the presumed infringement took place, if you are of the opinion that the processing of the personal data concerning you is in breach of GDPR.
The supervisory authority with which the complaint was lodged informs the party bringing the complaint about the status and results of the complaint, including the possibility of judicial remedy pursuant to Article 78 GDPR.
The responsible supervisory authority for data protection matters for our company is the state data protection officer in the federal state in which our company has its headquarters. You can find a list of data protection officers and their contact details using the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
