With the following information we would like to give you as a “data subject” an overview of the processing of your personal data by us and your rights under the data protection laws. It is generally possible to use our website without entering personal data. However, if you wish to make use of special services of our company via our website, it may become necessary to process personal data. If it is necessary to process personal data and there is no legal basis for such processing, we will obtain your consent.
As controllers of personal data processing, we have implemented numerous technical and organisational measures to ensure that the personal data processed via this website is protected as best as possible. Nevertheless, Internet-based data transmissions can generally have security gaps, so that absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us by alternative means, for example by telephone or post.
The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations depends on which of the following companies is:
decor metall GmbH
Benzstraße 1-5, 32108 Bad Salzuflen, Germany
Phone: +49 5222 286-0
Fax: +49 5222 286-1 89
Representative of the controller: Thomas Löhr, Marcus Wenzel
You can contact the Data Protection Officer as follows:
You can contact our Data Protection Officer directly at any time with all questions and suggestions regarding data protection.
1. Personal data
Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Data subject
Data subject is any identified or identifiable natural person whose personal data are processed by the controller (our company).
Processing is any operation or set of operations, performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
4. Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. 2However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
9. Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Article 6 (1) lit. a GDPR serves as a legal basis for our company for processing operations for which we obtain consent for a specific processing purpose.
If the processing of personal data is necessary for the performance of a contract to which you are party, such as processing operations necessary for the supply of goods or any other service or consideration, the processing is based on Article 6 (1) (b) GDPR. The same applies to processing operations necessary for the conducting pre-contractual measures, for example in case of inquiries about our products or services.
If our company is subject to a legal obligation obligating us to process personal data, for example to fulfil tax obligations, such processing is based on Art. 6 (1) (c) GDPR.
In rare cases, the processing of personal data might be necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our company was injured and his name, age, health insurance details or other vital information had to be passed on to a doctor, hospital or other third party. The processing would then be based on Article 6 (1) (d) GDPR.
Finally, processing operations could be based on Article 6(1) (f) GDPR. Processing operations which are not covered by any of the above legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or of a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. According to the view of the European legislator a legitimate interest can be assumed if you are a customer of our company (Recital 47 sentence 2 GDPR).
6.1 SSL/TLS Encryption
This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact requests that you send to us as the operator. You can identify an encrypted connection by the fact that the address line of your browser contains “https://” instead of “http://” and by the lock symbol in your browser line.
If the SSL or TLS encryption is activated, the data that you transmit to us cannot be read by third parties.
6.2 Data collection when visiting the website
When using our website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the data that your browser sends to our server (in so-called “server log files”). Our website collects a number of general data and information every time you or an automated system access a page. This general data and information is stored in the server log files. The following can be recorded
When using this general data and information, we do not draw any conclusions about your person. This information is rather required to
This collected data and information is evaluated by us with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimum level of protection for the personal data processed by us. The data of the server log files are stored separately from all personal data provided by a data subject.
The legal basis for the data processing is Art. 6 (1) (f) GDPR. Our legitimate interest follows from the above-mentioned purposes for data collection.
For some services and information on our website (e.g. online application or newsletter registration) we need to receive personal data from you, such as your name, address, or e-mail address.
We collect such data only if they are necessary for processing your request. Your enquiries and the data and information contained therein will be forwarded internally to employees of our company or companies commissioned by us (e.g. trading partners) who will support us in processing your request.
Since decor metall is a globally active company, it may be necessary to forward your personal data to local business partners, whose registered office may also be located outside the European Economic Area, in order to better process your request.
We only pass on your personal data to third parties if either:
Prior to transfer your personal data to countries outside the European Union and the EEA, we ensure an adequate level of data protection in the country concerned (e.g. by entering into EU Standard Contract Clauses).
In order to obtain a copy of the respectively applicable regulations please contact us using the contact details given in Sections 2 and 3.
8.1 Technically necessary cookies
8.2 Cookies for adaptation to user needs and for statistical analysis
9.1 Contact / Contact form
Personal data is collected when contacting us (e.g. via contact form or e-mail). Which data is collected in the case of a contact form can be seen from the respective contact form. These data are stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration. The legal basis for processing the data is our legitimate interest in answering your request in accordance with Art. 6 Para. 1 letter f DS-GVO. If your contact is aimed at the conclusion of a contract, an additional legal basis for processing is Art. 6 Para. 1 letter b DS-GVO. Your data will be deleted after the final processing of your request. This is the case if it is clear from the circumstances that the matter in question has been conclusively clarified and provided that there are no legal obligations to retain data.
9.2 Application management / job exchange
We collect and process the personal data of applicants for the application procedure on the basis of § 26 (1) sentence 1 Federal Data Protection Act (BDSG). The processing can also take place electronically. This is particularly the case if an applicant submits the relevant application documents to us electronically, for example by e-mail or via a web form on the website. If we enter into an employment agreement with an applicant, the data transmitted will be stored for the purpose of performance of the employment relationship in compliance with the statutory provisions. If we do not enter into an employment agreement with the applicant, the application documents are automatically deleted two months after notification of the rejection decision, provided that no other legitimate interests on our part stand in the way of deletion. Other legitimate interests in this sense include, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG). In this respect, data processing is carried out solely on the basis of our legitimate interest in accordance with Art. 6 (1) (f) GDPR.
10.1 Advertising newsletter
On our website you have the possibility to subscribe to the newsletter of our company. Which personal data is transmitted to us when subscribing for the newsletter is determined by the input mask used for this purpose.
We inform our customers and business partners at regular intervals about our offers by means of a newsletter. The newsletter of our company can only be received by if
For legal reasons, a confirmation e-mail will be sent to the e-mail address you entered for sending the newsletter using the double opt-in procedure. This confirmation mail is used to check whether you, as the owner of the e-mail address, have authorized subscription to the newsletter.
When you register for the newsletter, we also save the IP address assigned by your Internet service provider (ISP) for the IT system you are using at the time of registration as well as the date and time of registration. The collection of this data is necessary in order to be able to trace the (possible) misuse of your e-mail address at a later date and therefore serves as a legal safeguard.
The personal data collected during registration for the newsletter will be used exclusively for sending our newsletter. In addition, subscribers to the newsletter could be informed by e-mail if this is necessary for the operation of the newsletter service or for registration, as might be the case if there are changes to the newsletter offer or if technical conditions change. The personal data collected within the scope of the newsletter service will not be passed on to third parties. The subscription to our newsletter can be cancelled by you at any time. The consent to the storage of personal data, which you have given us for the newsletter service, can be withdrawn at any time. For the purpose of withdrawing your consent, you will find a link in every newsletter. It is also possible to unsubscribe from the newsletter directly on our website or to inform us of this in another way.
The legal basis for data processing for the purpose of sending the newsletter is Art. 6 (1) (a) GDPR.
This website uses Sendinblue to send newsletters. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.
Sendinblue is a service which enables the management and analysis of newsletters. The data you enter for a newsletter subscription will be stored on Sendinblue’s servers in Germany.
If you do not want Sendinblue to perform the data analysis, you must unsubscribe from the newsletter. We provide a link for this in each newsletter. You can also unsubscribe from the newsletter directly on our website.
The consent given by you can be withdrawn at any time. You can also prevent the processing at any time by unsubscribing from the newsletter. You can also prevent the storage of cookies by setting your web browser accordingly. Also, disabling Java Script in your web browser or installing a Java Script Blocker (such as https://noscript.net or https://www.ghostery.com) may prevent you from storing and transferring personal information. We point out that through these measures may no longer all the features of our website are available.
We use Sendinblue to analyse our newsletter campaigns. For example, we can see whether a newsletter email has been opened and what links have been clicked. This allows us to determine what links have been clicked particularly often.
We can also see whether certain previously defined actions were performed after opening/clicking (conversion rate). For example, we can see whether you have made a purchase after clicking on the newsletter.
Sendinblue also enables us to subdivide newsletter recipients according to different categories (“clusters”). Newsletter recipients can be subdivided according to age, gender or place of residence, for example. This enables us to better tailor newsletters to each target group.
Detailed information about the features of Sendinblue can be found at the following link: https://www.newsletter2go.de/features/newsletter-software/.
The legal basis for data processing is your consent (Art. 6 (1) (a) GDPR). You can revoke this consent at any time. Withdrawal of consent does not affect the legality of data processing carried out previously.
The data you provide us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter, and will then be erased from both our servers and Sendinblue’s servers after you unsubscribe from the newsletter. Data we retain for other purposes (e.g. email addresses for the members’ area) shall remain unaffected.
To enable us to communicate with you in social networks and to inform you about our services, we are represented there with our own pages. If you visit one of our social media sites, we are jointly responsible with the provider of the respective social media platform in terms of the processing operations triggered by this, which involve personal data, in accordance with Art. 26 GDPR.
We are not the original provider of these pages, but only use them within the scope of the possibilities offered to us by the respective providers.
Therefore, as a precautionary measure we would like to point out that your data may also be processed outside the European Union or the European Economic Area. Any use of social networks may therefore create data protection risks for you, as it may be difficult to safeguard your rights, e.g. to access, erasure, objection, etc., and processing in social networks is often carried out directly by the providers for advertising purposes or for analysis of user behaviour, without this being able to be influenced by us. If user profiles are created by the provider, cookies are often used, or the user behaviour is directly assigned to your own member profile of the social networks (if you are logged in here).
In accordance with Art. 6 (1) (f) GDPR, the processing of personal data described above is carried out on the basis of our legitimate interest and the legitimate interest of the respective provider, in order to be able to communicate with you in a modern way or to inform you about our services. If you have to give your consent to data processing as a user with the respective providers, the legal basis for processing is Art. 6 (1) (a) GDPR in conjunction with Art. 7 GDPR.
As we do not have access to the data stocks of the providers, we would like to point out that your rights (e.g. to access, rectification, erasure, etc.) are best asserted directly against the respective provider. Further information on the processing of your data in the social networks and the possibility to make use of your right of objection or revocation (so-called opt-out), we have listed below with the respective provider of social networks used by us:
(Joint-)Controller for data processing in Europe:
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Opt-out and advertising settings:
(Joint-)Controller for data processing in Europe:
LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland
Opt-out and advertising settings:
(Joint-)Controller for data processing in Europe:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland
Opt-out and advertising settings:
(Joint-)Controller for data processing in Germany:
XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany
Requests for information for XING members:
On our websites we use Google Analytics, a web analysis service of Google Ireland Limited (https://www.google.de/intl/de/about/) (Gordon House, Barrow Street, Dublin 4, Ireland; hereinafter “Google”). In this context, pseudonymised user profiles are created and cookies (see item “Cookies”) are used. The information generated by the cookie about your use of this website such as
is transmitted to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on the website activities, to conduct market research and to provide further services associated with the use of the website and the Internet. This information may also be transferred to third parties if required by law or if third parties process this data on our behalf. Under no circumstances will your IP address be combined with further Google data. The IP addresses are made anonymous, so that assignment to you is not possible (IP masking).
The use of Google Analytics is based on your consent in accordance with Art. 6 (1) (a) GDPR.
You can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) and the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de).
As an alternative to the browser add-on, especially for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking on the following link: Disable Google Analytics. An opt-out cookie will be set to prevent the future collection of your data when you visit this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you will have to set the opt-out cookie again.
You can find further information on data protection in connection with Google Analytics in the Google Analytics Help (https://support.google.com/analytics/answer/6004245?hl=de).
13.1 Google Maps
On our website we use Google Maps (API) from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Maps is a web service for displaying interactive (land) maps to visually present geographical information. By using this service, you can, for example, see our location and make it easier for you to find us.
Information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there when calling up sub-pages in which Google Maps is integrated. This happens regardless of whether Google provides a user account through into which you are logged in or whether no such user account exists. If you are logged in at Google, your data will be assigned directly to your account. If you don’t want to be associated with your Google profile, you must log out of your Google Account. Google stores your data (even for users who are not logged in) as user profiles and evaluates them. You have a right of objection to the creation of these user profiles, whereby you must contact Google to exercise this right.
These processing operations are carried out only if express consent is granted in accordance with Art. 6 (1) (a) of the GDPR.
13.2 Vimeo (videos)
Our website integrates plugins from the video portal Vimeo of Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA. When you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the Vimeo servers. The content of the plugin is transmitted by Vimeo directly to your browser and integrated into the page. This integration informs Vimeo that your browser has called up the corresponding page on our website, even if you do not have a Vimeo account or are not currently logged in to Vimeo. This information (including your IP address) is transmitted by your browser directly to a Vimeo server in the USA and stored there.
If you are logged in to Vimeo, Vimeo can immediately assign your visit to our website to your Vimeo account. When you interact with the plugins (such as when you press the start button on a video), this information is also sent directly to a Vimeo server and stored there.
The data processing operations described are carried out in accordance with Art. 6 (1) (f) GDPR on basis of Vimeo’s legitimate interest in market research and the needs-based design of the service.
If you do not want Vimeo to associate the data collected through our website directly with your Vimeo account, you must log out of Vimeo before visiting our website.
For videos from Vimeo that are integrated on our site, the tracking tool Google Analytics is automatically integrated. This is Vimeo’s own tracking, which we do not have access to and which cannot be influenced by our site. Google Analytics uses so-called “cookies” for tracking purposes. These are text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
These processing operations are carried out only if express consent is granted in accordance with Art. 6 (1) (a) of the DS-GVO.
13.3 YouTube (videos)
We have integrated components from YouTube on this website. YouTube is an Internet video portal that allows video publishers to post video clips for free and other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete film and television programmes, but also music videos, trailers or videos created by users themselves can be accessed via the Internet portal.
YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Each time you call up one of the individual pages of this website, which is operated by us and on which a YouTube component (YouTube video) has been integrated, the Internet browser on your IT system is automatically prompted by the respective YouTube component to download a display of the corresponding YouTube component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google are informed which specific subpage of our website you are visiting.
If the person concerned is logged in to YouTube at the same time, YouTube recognizes which specific page of our website you are visiting by calling up a subpage containing a YouTube video. This information is collected by YouTube and Google and assigned to your YouTube account.
YouTube and Google receive information through the YouTube component that you have visited our website whenever you are logged in to YouTube at the same time you access our website, whether or not you click on a YouTube video. If you do not want this information to be sent to YouTube and Google in this way, you can prevent it from being sent by logging out of your YouTube account before you visit our website.
These processing operations are carried out only if express consent is granted in accordance with Article 6 (1) (a) of the DS-GVO.
14.1 Right to confirmation
You have the right to ask us to confirm whether personal data concerning you is being processed.
14.2 Right to access Art. 15 GDPR
You have the right to receive information from us free of charge at any time about the personal data stored about you and a copy of this data in accordance with the statutory provisions.
14.3 Right of rectification Art. 16 DS-GVO
They have the right to request the rectification of incorrect personal data concerning them. The data subject shall also have the right to request the completion of incomplete personal data, having regard to the purposes of the processing.
14.4 Erasure Art. 17 GDPR
You have the right to request that the personal data concerning you is deleted without undue delay, provided that one of the reasons provided by law applies and provided that the processing or storage is not necessary.
14.5 Restriction of processing Art. 18 GDPR
You have the right to demand that we restrict processing if one of the legal requirements is met.
14.6 Data portability Art. 20 GDPR
You have the right to receive the personal data concerning you which you have provided to us in a structured, common, and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us provided that the processing is based on the consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority that has been entrusted to us.
Furthermore, when exercising your right to data portability in accordance with Art. 20 (1) GDPR, you have the right to request that personal data be transferred directly from one controller to another, insofar as this is technically feasible and provided that this does not affect the rights and freedoms of other persons.
14.7 Right to object Art. 21 GDPR
You have the right to object at any time, for grounds arising from your particular situation, to the processing of personal data concerning you that is carried out on the basis of Art. 6 (1) (e) (data processing in the public interest) or Art. 6 (1) (f) (data processing based on a balancing of interests) GDPR.
This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate reasons for processing which override your interests, rights and freedoms, or unless the processing serves the establishment, exercise or defence of legal claims.
In individual cases, we process personal data in order to carry out direct marketing. You can object to the processing of personal data for the purpose of such marketing at any time. This also applies to profiling, insofar as it is connected with such direct marketing. If you object to our processing for the purposes of direct marketing, we will no longer process your personal data for these purposes.
In addition, you have the right to object, on grounds arising from your particular situation, to the processing of personal data concerning you which is carried out by us for the purposes of scientific or historical research or for statistical purposes in accordance with Art. 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
You are free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.
14.8 Withdrawal of consent
You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.
14.9 Complaint to a supervisory authority
You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.
We process and store your personal data only for the period of time required to achieve the purpose of storage or if storage is provided for by the legal provisions to which our company is subject.
If the purpose of storage ceases to exist or if a legal retention period expires, the personal data is deleted routinely and in accordance with legal requirements.
It may become necessary to amend this data protection declaration as a result of the further development of our websites and offers or due to changes in legal or regulatory requirements.