Directly responsible for the data processing in the context of using our services and controller in the meaning of the European General Data Protection Regulation (GDPR) is:
TOOL FACTORY Cutting Tool Solutions GmbH
51399 Burscheid / Germany
Tel. +49 2174 79153-0
Fax +49 2174 79153-6
In-house data protection officer: Manuela Heumer
1. What are personal data?
Subject-matter of the data protection is personal data. Personal data means all information relating to an identified or identifiable natural person (“data subject”) (Article 4 No. 1 GDPR). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2. How are such data collected and processed?
Data may be processed in different ways during the use of our services. Processing may be performed directly on our systems, at a company that we have commissioned and that is bound by instructions, or at third parties (see also Sections 3 et seq.).
Important instruments for data processing in the online environment are techniques such as cookies, which can temporarily store or retrieve information on your terminal device. We would now like to explain these techniques to you:
3. What data do we collect, for what purpose and what happens to your data?
3.1. General data processing when calling up our services
Data that we process when you visit our website
a) Providing our website
When you visit our website, i.e. even during a simple session and without using specific services in detail, the following data is always processed without drawing any conclusions about your person:
• the previously visited website (so-called referrer URL);
• the individual pages of our website, which are accessed by you;
• the date and time of the access;
• the Internet protocol address (IP address) of the accessing terminal device;
• the type of terminal device used for access (e.g. computer, mobile phone, etc.);
• the browser and operating system of the terminal device, including the version number and the language set there.
This information is needed to:
• deliver the contents of our website correctly;
• optimise the content of our website and its presentation, e.g. adapt the content for viewing on a mobile device;
• ensure the long-term operability of our information technology systems and the technology of our website; and
• provide law enforcement authorities with the information they need to prosecute a cyber-attack.
We process these data as long as it is necessary for the aforementioned purposes. These are then anonymised by us and evaluated both statistically and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimum level of protection for the personal data processed by us. The processing of your data thus takes place in order to provide our services and is therefore based on point (b) of Art. 6(1) sentence 1 GDPR. It also serves to ensure the best possible presentation and integrity of our services and is therefore also in our legitimate interest in this respect pursuant to point (f) of Art. 6(1) sentence 1 GDPR.
For data processing within the scope of your visit to our website, we use our host provider as processor within the meaning of Art. 28 et seq. GDPR:
Website: medienloge – Grünenbacher Str. 29 – 51545 Waldbröl, Germany
Webshop: GWS GmbH - Willy-Brand-Weg 1 - 48155 Münster, Germany
3.2. Data that we process when you get in touch with us
If you contact us via the contact options that we offer, in particular our contact forms or the e-mail addresses, telephone numbers and fax numbers that you provide, we process not only the date and time of your enquiry but also data that you voluntarily provide to us. We will inform you whether it is necessary or voluntary to enter data on a case-by-case basis. Voluntary information may be - unless such information is already required by the choice of the respective communication medium - e.g. your title, your (academic) title, your name, your (mobile) telephone number, your e-mail address. We use these data to process your contact enquiry or request. The processing of your data will therefore take place on your request and is based on point (b) of Art. 6(1) sentence 1 GDPR.
If you provide voluntary information, the data processing will also be based on your consent and is therefore based on point (a) of Art. 6(1) sentence 1 GDPR.
If you have a user account with us (see Section 3.3), we will assign the data transmitted in the context of the contact request to your user account and store it there. This processing of your data is necessary for the proper handling of your request and the identification of your person in the case of inquiries about our products and services as well as for the documentation of your requests in connection with our contractual relationship. In this respect, it is based on point (b) of Art. 6(1) sentence 1 GDPR and on our related legitimate interest pursuant to point (f) of Art. 6(1) sentence 1 GDPR.
When using a contact form, your Internet protocol address (IP address) is also stored. This storage is performed to make sure that our services are available and to prevent their misuse. If necessary, it makes it possible to investigate criminal offences committed and to enforce the private rights of third parties. In this sense, it is necessary to store your IP address for our own security purposes. In principle, these data are not passed on to third parties, unless a corresponding legal obligation to pass on these data exists or the passing on serves the criminal prosecution. The legal basis for the processing of these data is point (f) of Art. 6(1) sentence 1 GDPR.
If the request is made in the context of usage of our services or in the context of our contractual relationship including its initiation, the data transmitted or collected during the request will be stored for the duration of our contractual relationship. Otherwise the data will only be stored as long as this is required to respond to your request. A storage going beyond this is however possible in the cases mentioned in number 5.
If you send us your application documents using our contact form or the e-mail address provided for applications, we will process the data therein. We use these data exclusively to carry out the application process. Your data is therefore processed due to your active transfer and is therefore based on your consent and therefore on point (a) of Art. 6(1) sentence 1 GDPR. This also applies to any consent given by you to keep the application documents for future possible application processes.
3.3. Data that we process when you register as a user and use our services as a registered user
You have the possibility to register in our shop as a user or contact person in your company by providing personal data and to use our services as a registered user. Your data will be processed according to the following instructions:
We require your title, name, address, email address and a password to be determined by you in order to identify you as our contractual partner or contact person and to enable us to fulfil the contract and provide our services to registered users and to send you updates and notifications regarding your user account. The processing of the above data for the fulfilment of the contract is based on point (b) of Art. 6(1) sentence 1 GDPR.
A confirmation email will be sent to the email address you provided during registration. When you register as a user and when you log in as a registered user, your Internet protocol address (IP address) is stored along with the current date and time. This storage is performed to ensure the provision of our services and to prevent their misuse. If necessary, these data make it possible to investigate criminal offences committed and to enforce the private rights of third parties, in particular to provide proof of your registration. In this respect, the storage of these data is necessary for our security, is therefore in our legitimate interest and is based on point (f) of Art. 6(1) sentence 1 GDPR.
The above data will be stored until your user profile is deleted. A storage going beyond this is possible in the cases mentioned in Section 5.
3.4. Data that we process when you use our ordering system
You have the possibility to order goods via our ordering system. In addition to the information on the goods ordered, we also need your title, your name, your address, your (mobile) telephone number and your email address in order to identify you as our contractual partner or contact person, to be able to check your order and - if we have checked your order successfully and confirmed it accordingly - to enable fulfilment of the contract. If you have a user account with us (see Section 3.3), we will store the data transmitted within the scope of the order inquiry in the order history of your user account. The processing of the above data for the fulfilment of the contract is based on point (b) of Art. 6(1) sentence 1 GDPR.
When you use our ordering system, your Internet protocol address (IP address), the date and time of the respective order enquiry are also saved. This storage is performed to ensure the provision of our services and to prevent their misuse. These data make it possible, if necessary, to investigate criminal offences committed and to enforce the private rights of third parties. In this respect, the storage of these data is necessary for our security. In principle, a passing on of these data to third parties does not take place, unless a corresponding legal obligation to pass on these data exists or the passing on serves the criminal prosecution. The legal basis for the processing of these data is point (f) of Art. 6(1) sentence 1 GDPR.
These data are stored for the duration of our contractual relationship. A storage going beyond this is possible in the cases mentioned in Section 5.
3.5. Processing of data for payment processing
We offer you various payment methods for payment processing, in which in addition to the amount to be paid and a pseudonymous transaction number, various data is transmitted.
The payment service providers named therein will use the data mainly for processing the payment and, if necessary, for getting in contact with regard to the payment and for providing customer service in this matter. Your data may be passed on if this is necessary to fulfil the contractual obligations or if the data is to be processed on behalf of the respective payment service provider. The processing of the data takes place in this respect for the payment processing and is based on point (b) of Art. 6(1) sentence 1 GDPR.
In addition, the payment service provider may disclose the data to third parties where required by law with regard to the type of payment (e.g. to prevent money laundering under the Money Laundering Act). Please note that the payment service provider is subject to numerous obligations regarding the retention of the data provided by you. This includes ensuring that transactions can be adequately processed, settled, reimbursed, or charged back, helping to detect fraud, and complying with anti-money laundering and other laws and regulations applicable to the payment service provider and its financial service providers. Therefore, the payment service provider shall retain certain data in order to fulfil its obligations. Data processing is therefore based on point (c) of Art. 6(1) sentence 1 GDPR.
Your data will also be disclosed if this is necessary to protect our rights, the rights of the payment service provider, to enforce the conditions of the payment service provider or to comply, inter alia, with requirements of law enforcement authorities. Such a transfer is based on point (f) of Art. 6(1) sentence 1 GDPR.
As far as this is required by law, we store the data of the payment processing at least for the statutory minimum duration of 10 years (sec. 147(3) of the German Fiscal Code). If no longer storage period is possible or necessary in accordance with Section 5, these shall subsequently be erased.
4. How do we handle your data?
When processing data, it is our aim to always achieve the highest possible level of security within the scope of the respective purpose of use. Although absolute protection cannot be guaranteed, we have therefore taken security precautions to protect your data.
This includes, for example, that we always transmit your data in encrypted form only. For this purpose, we use the SSL (Secure Sockets Layer) encryption system, which is intended to prevent the data streams from being intercepted by third parties and your data from being viewed in plain text. You can recognise the use of SSL encryption by the "https://" in the address line of your browser and, in common browsers, by a corresponding lock symbol that appears next to the address line. So, you can be sure that your data will be transmitted securely to us.
5. How long do we retain your data?
We process and retain personal data for the period of time that is necessary to achieve the purpose specified (see Section 3).
After completion of the purpose for which the personal data was transmitted to us or if you wish your personal data to be erased, we will erase these data unless we are legally entitled (for example, for evidence purposes in the context of the processing of our contractual relationship) or obliged (for example, for tax reasons) to retain it. This storage period may be longer than required for the original purpose (rule storage period). In the case of retaining accounting documents, for example, we are obliged to retain them for a period of 10 years (sec. 147 (3) of the German Fiscal Code).
If the original purpose of use has been achieved or no longer applies, we will not use the personal data for further processing. Once the authorization ceases to apply and/or the legal storage obligations expire, we will then permanently erase the data.
6. Do we pass on your data to third parties?
We can arrange for data to be passed on to one or more persons or companies who process the data for us as controller within the scope of the purposes described above (so-called processors).
We have currently commissioned the following persons or companies to carry out data processing (order processing pursuant to Art. 28 GDPR):
Website: medienloge – Grünenbacher Str. 29 – 51545 Waldbröl, Germany
Webshop: GWS GmbH - Willy-Brand-Weg 1 - 48155 Münster, Germany
These processors process your data with the necessary care. They are subject to our control and are subject to our instructions. This ensures that data processing is always carried out in compliance with your rights, in particular those set out in Section 7 below.
Passing on your data to third parties other than our processors only takes place in accordance with the description in Section 3.
7. What rights do you have?
You shall have the following rights regarding the use of your data. You may assert the rights in Sections 7.1 to 7.8 against us as controller. In the context of the right to lodge a complaint with a supervisory authority described in Section 7.9, you must address yourself directly to the supervisory authority.
7.1. Right of access
You shall have the right to obtain from us, free of charge and at any time, information about the personal data stored about you and a copy of this information. You shall also have the right to access the following information:
• the purposes of the processing
• the categories of personal data concerned
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, recipients in third countries or international organisations in particular
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject: any available information as to their source
• the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
You shall also have the right to know whether personal data has been transferred to a third country or to an international organisation. In this case, you shall have the right to receive information about the appropriate safeguards relating to the transfer.
Your right of access is mainly based on Art. 15 GDPR.
7.2. Right to rectification of inaccurate data and completion of incomplete data
You shall have the right to request without undue delay the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Your right to rectify incorrect and incomplete data is based on Art. 16 GDPR.
7.3. Right to data erasure (‘right to be forgotten’)
You shall have the right to demand that we erase your personal data without undue delay where one of the following grounds applies and where processing is not necessary:
• The personal data have been collected for such purposes or processed in any other way for which they are no longer necessary.
• You withdraw consent on which the processing is based according to point (a) of Article 6(1) GDPR, or point (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
• You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
• The personal data have been unlawfully processed.
• We are obliged to erase your personal data for compliance with a legal obligation under Union law or the law of the Member States.
• The personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
If one of the above grounds applies and you request the deletion of personal data stored by us, we will arrange this without undue delay.
Your right to data erasure is based on Art. 17 GDPR.
7.4. Right to restriction of processing
You shall have the right to obtain from the controller restriction of processing where one of the following applies:
• The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data.
• The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead.
• We no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defence of legal claims.
• You have objected to processing pursuant to Art. 21(1) GDPR and verification is pending whether the legitimate grounds of the controller override those of the data subject.
If one of the above conditions applies and you request the restriction of personal data stored by us, we will arrange this without undue delay.
Your right to restriction of processing is based on Art. 18 GDPR.
7.5. Right to data portability
You shall have the right to receive the personal data concerning you, which you have provided to us, in a structured, common, and machine-readable format. You shall also have the right to transmit this data to another controller without any hindrance on our part, provided that (i) the processing is based on consent pursuant to point (a) of Art. 6(1) GDPR or point (a) of Art. 9(2) GDPR or on a contract pursuant to point (b) of Art. 6(1) GDPR and (ii) the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task that is in the public interest or in the exercise of official authority that has been vested in us.
Furthermore, in exercising your right to data portability, you shall have the right to have the personal data transferred directly from one controller to another controller, where technically feasible and as long as rights and freedoms of other persons are not impaired.
Your right to data portability in this respect is based on Art. 20 GDPR.
7.6. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR. This shall also apply to profiling based on these provisions.
In the event of objection, we will no longer process the personal data unless we can prove compelling grounds for processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
If we process personal data for direct marketing purposes, you shall have the right to object at any time to the processing of personal data for the purpose of such marketing. This also includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, we will no longer process personal data for such purposes.
Where personal data are processed with us for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you, on grounds relating to your particular situation, shall additionally have the right to object to processing of personal data concerning you, unless such a processing is necessary for the performance of a task carried out for reasons of public interest.
In connection with the use of Information Society services, notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications. With regard to the exercise of your right to object, we would like to draw your attention to the possibilities for the immediate deactivation of individual data processing processes mentioned in Section 3.
Your right to object is based on Article 21 GDPR.
7.7. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you, unless the decision is necessary for entering into, or performance of, a contract between you and us, or is authorized by the laws of the Union or Member States to which we are subject and which also lay down suitable measures to safeguard your rights and freedoms and legitimate interests, or is based on your explicit consent.
If the decision is necessary for entering into, or performance of, a contract between you and us, or is made with your express consent, we shall take suitable measures to safeguard your rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of our company, to express your point of view and to contest the decision.
If you wish to exercise any rights relating to automated decisions, you can contact our data protection officer or another of our employees at any time.
These rights are based on Article 22 GDPR.
7.8. Right to withdraw consent under data protection law
You shall have the right to withdraw your consent to the processing of personal data in whole or in part at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Your right to withdraw a consent granted under data protection law is based on Article 7(3) GDPR.
7.9. Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with the supervisory authority. This right is based on Article 56(2) GDPR.