Privacy Policy    

The TOOL FACTORY Cutting Tool Solutions GmbH (hereinafter referred to as “we”) takes protection of your personal data (hereinafter referred to as “data”) very seriously. With the following Privacy Policy, we would therefore like to explain to you how and to which extent personal data is processed on our website www.tool-factory.de and when using our services offered there (together referred to as “services”). This information is available at any time under https://www.tool-factory.de/en/privacy_policy.

Directly responsible for the data processing in the context of using our services and controller in the meaning of the European General Data Protection Regulation (GDPR) is:

TOOL FACTORY Cutting Tool Solutions GmbH
Linde 9
51399 Burscheid / Germany
Tel.+49 2174 79153 - 0
Fax+49 2174 79153-6
Email: info@tool-factory.de

In-house data protection officer: Manuela Heumer

1. What are personal data?

Subject-matter of the data protection is personal data. Personal data means all information relating to an identified or identifiable natural person (“data subject”) (Article 4 No. 1 GDPR). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. How are such data collected and processed?

A processing of data during the use of our services can have different ways. It may be performed directly on our systems, at a company that we have commissioned and that is bound by instructions, or at third parties (see also Sections 3 et seq.).
An important instrument for data processing in the online environment are techniques such as cookies, which can temporarily store or retrieve information on your terminal device. We would now like to explain these techniques to you:

Cookies

So-called cookies use small text files that are stored on your terminal device. They serve to store various information beyond the current browser session, i.e. regardless of, for example, whether the window is closed or not. This information can then be read again at a future time, i.e. when you visit our website again or use our services later.

Such cookies can be used in various contexts:

Session cookies

On the one hand, they serve for the caching of login information, identifiers, or settings for a specific user as well as any input already completed (hereinafter referred to as "session objects").

Such session objects therefore include data such as a unique identifier (so-called "session ID" as pseudonym), which can be used to assign a variety of requests during the shared session and enable your terminal device to be recognized. This assignment can also be performed if you interrupt the usage of the services offered or have used another service in the interim.

The setting of session objects is necessary, for example, in order not to lose entries already made by you in connected input masks and to facilitate the restoration of such entries in the event of a malfunction (e.g. if the Internet connection is disconnected for a short time while a subsequent input mask is being opened) as well as the corrections already made (e.g. when using the "Back" button of your browser). On the other hand, session objects may also be required to provide various other features such as a login function within a user system. Their use complies in this respect with the approved technical and organisational measures to prevent unintentional access to your data by third parties.

Due to the possibility of assigning different requests during a common session, session objects can also be used to record your usage behaviour of one or more Internet services (e.g. on one Internet page or across several Internet pages) or to provide you with intended advertising and to ensure that you do not, for example, fraudulently click on advertising banners more than once.

Preference cookies and local storage

On the other hand, cookies also serve to save your preferred settings when using Internet services and to support you in finding the information you require about the services offered (hereinafter referred to as "preference objects"). Without the use of such preference objects, some functionalities could not be made available at all or only under considerable restrictions.

Such kind of preference objects, if considered by themselves and unlike session objects, do not allow to assign different browser requests during a shared session, because they only contain setting parameters.

How to disable and delete cookies

In most Internet browsers you will find under the menu item "Help" information on how to prevent the acceptance of cookies by technical means and the settings your browser uses to inform you about the placement of a new cookie. Please note that some functions of our website may no longer be available if cookies are disabled.

Usage of the preceding techniques when using our services

In the context of describing the individual processing activities in Section 3, we will explain to you which of the above-mentioned techniques we use and for which reason.

3.    What data do we collect, for what purpose and what happens to your data?

3.1.    General data processing when calling up our services


Data that we process when you visit our website

a)    Providing our website

When you visit our website, i.e. even during a simple session and without using specific services in detail, the following data is always processed without drawing any conclusions about your person:

•    the previously visited website (so-called referrer URL);
•    the individual pages of our website, which are accessed by you;
•    the date and time of the access;
•    the Internet protocol address (IP address) of the accessing terminal device;
•    the type of terminal device used for access (e.g. computer, mobile phone, etc.);
•    the browser and operating system of the terminal device, including the version number and the language set there.

This information is needed to:

•    deliver the contents of our website correctly;
•    optimise the content of our website and its presentation, e.g. adapt the content for viewing on a mobile device;
•    ensure the long-term operability of our information technology systems and the technology of our website; and
•    provide law enforcement authorities with the information they need to prosecute a cyber-attack.

We process these data as long as it is necessary for the aforementioned purposes. These are then anonymised by us and evaluated both statistically and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimum level of protection for the personal data processed by us. The processing of your data thus takes place in order to provide our services and is therefore based on point (b) of Art. 6(1) sentence 1 GDPR. It also serves to ensure the best possible presentation and integrity of our services and is therefore also in our legitimate interest in this respect pursuant to point (f) of Art. 6(1) sentence 1 GDPR.

For data processing within the scope of your visit to our website, we use our host provider as processor within the meaning of Art. 28 et seq. GDPR:

Website:     medienloge – Grünenbacher Str. 29 – 51545 Waldbröl, Germany
Webshop:    GWS GmbH - Willy-Brand-Weg 1 - 48155 Münster, Germany


b) Optimizing the presentation and expanding the functionality of our website

It self-evident that we would like to offer you the best possible user experience and therefore be able to provide our services quickly and optimize them for display on your respective terminal device. Of course, we would also like to prepare our multimedia offer in this respect and integrate further content to this extent.

For these purposes, we use the tools mentioned in this Section to optimize the display and enhance the functionality of our website. The relevant data processing is carried out in our aforementioned legitimate interests and is therefore based on point (f) of Art. 6(1) sentence 1 GDPR.
You can find details on the concrete data processing operations in the following notes.

•    Google Maps

We use Google Maps (hereinafter referred to as "Google Service") of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"). This Google service enables us to offer you enhanced functionality on our website, such as dynamic content and animations, the display of fonts not installed on your device and the integration of multimedia content such as maps and videos.

Where necessary, Google processes personal data and partially uses the session objects mentioned in Section 2 in order to provide the relevant content and to prevent misuse of the Google service.

As part of the data processing in this regard, data is transferred to a Google server in the USA and processed and stored there. Google is privacy shield certified and is committed to complying with the EU-U.S. Privacy Shield Agreement on the collection, use and retention of personal data from EU member states as published by the U.S. Department of Commerce.

In addition to the options described in Section 2 for disabling session objects, you may restrict data processing by Google Services by enabling your browser's "do-not-track" setting.

Google collects and processes data as an independent responsible party (controller) within the meaning of the GDPR, so that there is no order processing.
For more information about data processing by Google, please see Google's privacy policy. These can be found at the following Internet address https://policies.google.com/.

c)    Measurement of reach and usage analysis

Of course, we would like to design our services according to your needs and offer you the best possible user experience. Therefore, we continuously check the functionality of our services and correct functions that are found to be faulty or user-unfriendly. A further concern is to know whether and to what extent our services reach the target group we address. For these purposes it is necessary to understand where, how and to what extent you use our services.
To obtain this information, we use the measurement of reach and usage analysis tools mentioned in this Section. The relevant data processing is carried out in our aforementioned legitimate interests and is therefore based on point (f) of Art. 6(1) sentence 1 GDPR.

•    Google Analytics

We use the web analysis service Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as "Google"), which creates pseudonymised user profiles using the session objects mentioned in Section 2. This enables us to collect information about click and surf behaviour when using our services.

The following data will be processed:

•    IP address and geolocation based on IP address;
•    Device, operating system/browser including settings (such as resolution);
•    Screen size;
•    User behaviour, including scrolling and clicking behaviour.

As part of the data processing in this regard, data is transferred to a Google server in the USA and processed and stored there. Google is privacy shield certified and is committed to complying with the EU-U.S. Privacy Shield Agreement on the collection, use and retention of personal data from EU member states as published by the U.S. Department of Commerce.

In addition to the options described in Section 2 for disabling session objects, you can prevent data processing related to the Google Analytics service by installing the browser add-on provided for this purpose by Google on the page https://tools.google.com/dlpage/gaoptout?hl=de or by setting an "opt-out" cookie by clicking on the following link with JavaScript enabled: [Please complete the functional link: Deactivate Google Analytics on this website]. The "opt-out" cookie set here only applies to the browser which you use for the above setting option. Since it is stored on your terminal device, you must repeat the setting once again if you delete cookies in your browser.

For more information about data processing by Google, please see Google's privacy policy. These can be found at the following Internet address https://policies.google.com/. You can also find Google's answers to privacy questions on the website https://support.google.com/analytics/answer/6004245?hl=en.

3.2. Data that we process when you get in touch with us

If you contact us via the contact options that we offer, in particular our contact forms or the e-mail addresses, telephone numbers and fax numbers that you provide, we process not only the date and time of your enquiry but also data that you voluntarily provide to us. We will inform you whether it is necessary or voluntary to enter data on a case-by-case basis. Voluntary information may be - unless such information is already required by the choice of the respective communication medium - e.g. your title, your (academic) title, your name, your (mobile) telephone number, your e-mail address. We use these data to process your contact enquiry or request. The processing of your data will therefore take place on your request and is based on point (b) of Art. 6(1) sentence 1 GDPR.
If you provide voluntary information, the data processing will also be based on your consent and is therefore based on point (a) of Art. 6(1) sentence 1 GDPR.
If you have a user account with us (see Section 3.3), we will assign the data transmitted in the context of the contact request to your user account and store it there. This processing of your data is necessary for the proper handling of your request and the identification of your person in the case of inquiries about our products and services as well as for the documentation of your requests in connection with our contractual relationship. In this respect, it is based on point (b) of Art. 6(1) sentence 1 GDPR and on our related legitimate interest pursuant to point (f) of Art. 6(1) sentence 1 GDPR.

When using a contact form, your Internet protocol address (IP address) is also stored. This storage is performed to make sure that our services are available and to prevent their misuse. If necessary, it makes it possible to investigate criminal offences committed and to enforce the private rights of third parties. In this sense, it is necessary to store your IP address for our own secure purposes. In principle, a passing on of these data to third parties does not take place, unless a corresponding legal obligation to pass on these data exists or the passing on serves the criminal prosecution. The legal basis for the processing of these data is point (f) of Art. 6(1) sentence 1 GDPR.

If the request is made in the context of usage of our services or in the context of our contractual relationship including its initiation, the data transmitted or collected during the request will be stored for the duration of our contractual relationship. Otherwise the data will only be stored as long as this is required to respond to your request. A storage going beyond this is however possible in the cases mentioned in number 5.
If you send us your application documents using our contact form or the e-mail address provided for applications, we will process the data therein. We use these data exclusively to carry out the application process. Your data is therefore processed due to your active transfer and is therefore based on your consent and therefore on point (a) of Art. 6(1) sentence 1 GDPR. This also applies to any consent given by you to keep the application documents for future possible application processes.

3.3.    Data that we process when you register as a user and use our services as a registered user

You have the possibility to register in our shop as a user or contact person in your company by providing personal data and to use our services as a registered user. Your data will be processed according to the following instructions:

We require your title, name, address, email address and a password to be determined by you in order to identify you as our contractual partner or contact person and to enable us to fulfil the contract and provide our services to registered users and to send you updates and notifications regarding your user account. The processing of the above data for the fulfilment of the contract is based on point (b) of Art. 6(1) sentence 1 GDPR.

A confirmation email will be sent to the email address you provided during registration. When you register as a user and when you log in as a registered user, your Internet protocol address (IP address) is stored along with the current date and time. This storage is performed to ensure the provision of our services and to prevent their misuse. If necessary, these data make it possible to investigate criminal offences committed and to enforce the private rights of third parties, in particular to provide proof of your registration. In this respect, the storage of these data is necessary for our security, is therefore in our legitimate interest and is based on point (f) of Art. 6(1) sentence 1 GDPR.

The above data will be stored until your user profile is deleted. A storage going beyond this is possible in the cases mentioned in Section 5.

3.4.    Data that we process when you use our ordering system

You have the possibility to order goods via our ordering system. In addition to the information on the goods ordered, we also need your title, your name, your address, your (mobile) telephone number and your email address in order to identify you as our contractual partner or contact person, to be able to check your order and - if we have checked your order successfully and confirmed it accordingly - to enable fulfilment of the contract. If you have a user account with us (see Section 3.3), we will store the data transmitted within the scope of the order inquiry in the order history of your user account. The processing of the above data for the fulfilment of the contract is based on point (b) of Art. 6(1) sentence 1 GDPR.

When you use our ordering system, your Internet protocol address (IP address), the date and time of the respective order enquiry are also saved. This storage is performed to ensure the provision of our services and to prevent their misuse. These data make it possible, if necessary, to investigate criminal offences committed and to enforce the private rights of third parties. In this respect, the storage of these data is necessary for our security. In principle, a passing on of these data to third parties does not take place, unless a corresponding legal obligation to pass on these data exists or the passing on serves the criminal prosecution. The legal basis for the processing of these data is point (f) of Art. 6(1) sentence 1 GDPR.

These data are stored for the duration of our contractual relationship. A storage going beyond this is possible in the cases mentioned in Section 5.

3.5.    Processing of data for payment processing

We offer you various payment methods for payment processing, in which in addition to the amount to be paid and a pseudonymous transaction number, various data is transmitted.

The payment service providers named therein will use the data mainly for processing the payment and, if necessary, for getting in contact with regard to the payment and for providing customer service in this matter. Your data may be passed on if this is necessary to fulfil the contractual obligations or if the data is to be processed on behalf of the respective payment service provider. The processing of the data takes place in this respect for the payment processing and is based on point (b) of Art. 6(1) sentence 1 GDPR.

In addition, the payment service provider may disclose the data to third parties where required by law with regard to the type of payment (e.g. to prevent money laundering under the Money Laundering Act). Please note that the payment service provider is subject to numerous obligations regarding the retention of the data provided by you. This includes ensuring that transactions can be adequately processed, settled, reimbursed, or charged back, helping to detect fraud, and complying with anti-money laundering and other laws and regulations applicable to the payment service provider and its financial service providers. Therefore, the payment service provider shall retain certain data in order to fulfil its obligations. Data processing is therefore based on point (c) of Art. 6(1) sentence 1 GDPR.

Your data will also be disclosed if this is necessary to protect our rights, the rights of the payment service provider, to enforce the conditions of the payment service provider or to comply, inter alia, with requirements of law enforcement authorities. Such a transfer is based on point (f) of Art. 6(1) sentence 1 GDPR.

As far as this is required by law, we store the data of the payment processing at least for the statutory minimum duration of 10 years (sec. 147(3) of the German Fiscal Code). If no longer storage period is possible or necessary in accordance with Section 5, these shall subsequently be erased.

4.    How do we handle your data?

When processing data, it is our aim to always achieve the highest possible level of security within the scope of the respective purpose of use. Although absolute protection cannot be guaranteed, we have therefore taken security precautions to protect your data.

This includes, for example, that we always transmit your data in encrypted form only. For this purpose, we use the SSL (Secure Socket Layer) coding system, which is intended to prevent the data streams from being intercepted by third parties and your data from being viewed in plain text. You can recognise the use of the SSL coding system by the "https://" in the address line of your browser and, in common browsers, by a corresponding lock symbol that appears next to the address line. So, you can be sure that your data will be transmitted securely to us.

5.    How long do we retain your data?

We process and retain personal data for the period of time that is necessary to achieve the purpose specified (see Section 3).

After completion of the purpose for which the personal data was transmitted to us or if you wish your personal data to be erased, we will erase these data unless we are legally entitled (for example, for evidence purposes in the context of the processing of our contractual relationship) or obliged (for example, for tax reasons) to retain it. This storage period may be longer than required for the original purpose (rule storage period). In the case of retaining accounting documents, for example, we are obliged to retain them for a period of 10 years (sec. 147 (3) of the German Fiscal Code).

If the original purpose of use has been achieved or no longer applies, we will not use the personal data for further processing. With omission of the authorization and/or expiration of the legal storage obligations we thereupon erase the data finally.

6.    Do we pass on your data to third parties?

We can arrange for data to be passed on to one or more persons or companies who process the data for us as controller within the scope of the purposes described above (so-called processors).

We have currently commissioned the following persons or companies to carry out data processing (order processing pursuant to Art. 28 GDPR):

Website:     medienloge – Grünenbacher Str. 29 – 51545 Waldbröl, Germany
Webshop:    GWS GmbH - Willy-Brand-Weg 1 - 48155 Münster, Germany

These processors process your data with the necessary care. They are subject to our control and are subject to our instructions. This ensures that data processing is always carried out in compliance with your rights, in particular those set out in Section 7 below.

Passing on your data to third parties other than our processors only takes place in accordance with the description in Section 3. These are:

•    Google LLC (see Section 3.1(b) and 3.1(c))


7.    What rights do you have?

You shall have the following rights regarding the use of your data. You may assert the rights in Sections 7.1 to 7.8 against us as controller. In the context of the right to lodge a complaint with a supervisory authority described in Section 7.9, you must address yourself directly to the supervisory authority.

7.1.    Right of access

You shall have the right to obtain from us, free of charge and at any time, information about the personal data stored about you and a copy of this information. You shall also have the right to access to the following information:

•    the purposes of the processing
•    the categories of personal data concerned
•    the recipients or categories of recipients to whom the personal data have been or will be disclosed, recipients in third countries or international organisations in particular
•    where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
•    the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
•    the right to lodge a complaint with a supervisory authority;
•    where the personal data are not collected from the data subject: any available information as to their source
•    the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

You shall also have the right to know whether personal data has been transferred to a third country or to an international organisation. In this case, you shall have the right to receive information about the appropriate safeguards relating to the transfer.

Your right of access is mainly based on Art. 15 GDPR.

7.2.    Right to rectification of inaccurate data and completion of incomplete data

You shall have the right to request without undue delay the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Your right to rectify incorrect and incomplete data is based on Art. 16 GDPR.

7.3.    Right to data erasure (‘right to be forgotten’)

You shall have the right to demand that we erasure your personal data without undue delay where one of the following grounds apply and where processing is not necessary:

•    The personal data have been collected for such purposes or processed in any other way for which they are no longer necessary.
•    You withdraw consent on which the processing is based according to point (a) of Article 6(1) GDPR, or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
•    You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
•    The personal data have been unlawfully processed.
•    We are obliged to erase your personal data for compliance with a legal obligation under Union law or the law of the Member States.
•    The personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

If one of the above grounds applies and you request the deletion of personal data stored by us, we will arrange this without undue delay.

Your right to data erasure is based on Art. 17 GDPR.

7.4.    Right to restriction of processing

You shall have the right to obtain from the controller restriction of processing where one of the following applies:

•    The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data.
•    The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead.
•    We do no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defence of legal claims.
•    You have objected to processing pursuant to Art. 21(1) GDPR and verification is pending whether the legitimate grounds of the controller override those of the data subject.

If one of the above conditions applies and you request the restriction of personal data stored by us, we will arrange this without undue delay.

Your right to restriction of processing is based on Art. 18 GDPR.

7.5.    Right to data portability

You shall have the right to receive the personal data concerning you, which you have provided to us in a structured, common, and machine-readable format. This includes and you shall have the right to transmit this data to another controller without any hindrance on our part, provided that (i) the processing is based on the consent pursuant to point (a) 6(1) GDPR or point (a) Art. 9(2) GDPR or on a contract pursuant to point (b) Art. 6(1) GDPR and (ii) the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been vested in us.

Furthermore, in exercising your right to data transferability, you shall have the right to have the personal data transferred directly from one controller to another controller, where technically feasible and as long as rights and freedoms of other persons are not impaired.

Your right to data portability in this respect is based on Art. 20 GDPR.

7.6.    Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Point (e) or (f) of Article 6(1) GDPR. This shall also apply to profiling based on these provisions.

In the event of objection, we will no longer process the personal data unless we can prove compelling grounds for processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

If we process personal data for direct marketing purposes, you shall have the right to object at any time to the processing of personal data for the purpose of such marketing. This also includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, we will no longer process personal data for such purposes.

Where personal data are processed with us for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you, on grounds relating to your particular situation, shall additionally have the right to object to processing of personal data concerning you, unless such a processing is necessary for the performance of a task carried out for reasons of public interest.

In connection with the use of Information Society services, notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications. With regard to the exercise of your right to object, we would like to draw your attention to the possibilities for the immediate deactivation of individual data processing processes mentioned in Section 3.

Your right to object is based on Article 21 GDPR.

7.7.    Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into, or performance of, a contract between you and us, or is authorized by the laws of the Union or Member States to which we are subject and which also lay down suitable measures to safeguard your rights and freedoms and legitimate interests or are based on your explicit consent.

If the decision to enter into or perform a contract between you and us is necessary or with your express consent, we shall take suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of our company, to express our point of view and to contest the decision.
If you wish to exercise any rights relating to automated decisions, you can contact our data protection officer or another of our employees at any time.

These rights are based on Article 22 GDPR.

7.8.    Right to withdraw consent under data protection law

You shall have the right to withdraw your consent to the processing of personal data in whole or in part at any time.

The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

If you wish to exercise your right to withdraw your consent, you can contact our data protection officer or another of our employees at any time. The contact details can be found at the top of this Privacy Policy, just before the summary.

Your right to withdraw a consent granted under data protection law is based on Article 7(3) GDPR.

7.9.    Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with the supervisory authority. This right is based on Article 56(2) GDPR.

8.    Changes to this Privacy Policy

The use of collected data is always subject to the Privacy Policy that are effective at the time when the data is collected.

We reserve the right to change the Privacy Policy in order to adapt them to any changes in the factual and legal situation. In this case, we will publish the new and updated version of these Privacy Policy on our website. We will point out any changes to this data protection information at a suitable place. This applies in particular in cases where we intend to use data that has already been collected in a deviating from the original purpose.

If the use of your personal data is based on your consent, we will only use your data to the extent to which you have consented, regardless of any interim amendment to these Privacy Policy. If necessary, we will ask you in this case for a renewed consent in accordance with an intended change of data usage.