Data Protection Statement of Novoferm GmbH

Privacy Statement of Novoferm GmbH

For the Novoferm GmbH Group Site

Consisting of

www.novoferm.com

including Extranet (www.novoferm-händler.de, www.novoferm-handwerker.de and www.novoferm-architekten.de, www.novoferm-erfolgsportal.de and www.novoferm-extranet.de), online shop and trading platform NOVOSALES

www.novoferm.de

including Extranet (www.novoferm-händler.de, www.novoferm-handwerker.de and www.novoferm-architekten.de, online shop and trading platform NOVOSALES

and the sites of the Novoferm representative offices in the countries

www.novoferm.at  - Austria                                   

including the trading platform NOVOSALES Austria

www.novofermalsal.com - Spain

www.novofermgarageporte.dk and www.novoferm.dk - Denmark

www.novoferm.cz - Czech Republic

www.novoferm.gr - Greece

www.novofermindustrie.be and www.novoferm.be - Belgium

www.novoferm.it - Italy

www.novoferm.pl - Poland

www.novoferm.bg - Bulgaria

www.novoferm.fr - France

www.novoferm.ch - Switzerland

www.novoferm-romania.ro - Romania

www.novoferm.nl - The Netherlands

www.novoferm.co.uk - United Kingdom

www.novoferm.hu - Hungary

Last revised: 24/01/2023

General Information About Privacy

(1 ) Novoferm GmbH is happy to see your interest in our corporate group and its products. As Novoferm is a global company, we operate a number of different websites around the globe. Novoferm GmbH is responsible for operation of the group site of the European corporate group (controller) on the basis of the EU General Data Protection Regulation (hereinafter: GDPR). Since the company headquarters are located in Germany, German data protection authorities have jurisdiction pursuant to the German Federal Data Protection Act (hereinafter: BDSG).

This is the controller:

Novoferm GmbH

Venue: Coesfeld Local Court, HRB 7771

Value-added tax identification number: DE811152143

Represented by the managing directors

Rainer Schackmann, Dipl.-Ing., CEO

Thomas Hage, Dipl.-Kfm.

Dr. René Schmitz

Data protection officer: Thorsten Werbeck

Isselburger Strasse 31

D-46459 Rees

Phone: (+49 ) 02850-910-0

Fax: (+49) 02850-910-646

Internet:

www.novoferm.com(Novoferm Group)

www.novoferm.de (Novoferm Germany)

(2) Our representative offices in the countries shown above are responsible for compliance with local data protection laws. All representative offices are obligated to compliance with the GDPR and the following privacy statement. You will find the party responsible for data protection or the data protection officer of each of the representative offices in the records of processing activities following the statement or in the legal information on each of the representative office sites.

Privacy on the Extranet for Registered Users

The Extranet in German has been designed as a B2B platform for our commercial customers in Germany. You can access the Extranet pages from our online portals for dealers (www.novoferm-händler.de), tradespeople (www.novoferm-handwerker.de) and architects (www.novoferm-architekten.de). We use these sites for the presentation of Novoferm products in Germany exclusively to registered customers whose company offices are in Germany. Novoferm Vertriebs GmbH is in charge of sales in Germany; any queries you submit from Germany will be transferred to this company. For this reason, your registration and your access to the Extranet is contingent on your giving your consent to the transfer of your data to Novoferm Vertriebs GmbH. Novoferm Vertriebs GmbH complies fully with the content of the following rules of Novoferm GmbH. Mr Thorsten Werbeck, our data protection officer, is the group officer pursuant to Art. 37 (2) GDPR as well and in charge of data protection at Novoferm Vertriebs GmbH.

Privacy on the Trading Platforms NOVOSALES, NOVOSALES AUSTRIA and the online shop of Novoferm GmbH for Registered Users

All of the trading platforms have also been designed as B2B-only platforms.

Novoferm Vertriebs GmbH is in charge of sales in Germany; any orders you submit on the trading platform NOVOSALES will be transferred to this company. Your registration and access are therefore contingent on your giving your consent to the transfer of your data to Novoferm Vertriebs GmbH. Novoferm Vertriebs GmbH complies fully with the content of the following rules of Novoferm GmbH. Mr Thorsten Werbeck, our data protection officer, is the group officer pursuant to Art. 37 (2) GDPR as well and in charge of data protection at Novoferm Vertriebs GmbH.

This is the controller:

Novoferm Vertriebs GmbH

Venue: Coesfeld Local Court, HRB 12057

VAT identification number: DE 815126260

Represented by the managing director

Rainer Schackmann, Dipl.-Ing., CEO

Norbert Dyx, Dipl.-Ing., Dipl.-Kfm.

Thomas Hage, Dipl.-Kfm.

Data protection officer: Thorsten Werbeck

Schüttensteiner Str. 26

D-46419 Isselburg

Phone:                (+49 ) 02850-910-700

Fax:                     (+49) 02850-910-646

Email                  vertrieb@novoferm.de

Novoferm Austria GmbH is in charge of sales in Austria; any orders you submit on the trading platform NOVOSALES AUSTRIA will be transferred to this company. Your registration and access are therefore contingent on your giving your consent to the transfer of your data to Novoferm Austria GmbH. Novoferm Austria GmbH complies fully with the content of the following rules of Novoferm GmbH.

This is the controller:

Novoferm Austria GmbH

Represented by the managing director

Herrn Thomas Hage
Herrn Monther Khatib

Roter Hof 1/1

A-2000 Stockerau

Korneuburg Regional Court FN 235042a

VAT identification number: ATU 56947228

Data protection officer: Thorsten Werbeck

Phone: (+43)02266/98224

Fax: (+43)02266/9822499

Email: office@novoferm.at

The online shop for international orders and internal orders in the corporate group NOVOFERM is operated by Novoferm GmbH, which is responsible for compliance of the site with data protection law.

Our Processers Pursuant to Art. 28 GDPR and Section 62 BDSG [German Federal Data Protection Act]

(1) The company arvato systems GmbH, An der Autobahn 200, D-33333 Gütersloh, operates the website servers at the Gütersloh location and the commissioned data processing (storage and transfer to Novoferm and its distribution partners) on our behalf.

(2) The company Beyond Media GmbH, Mercedesstrasse 3, 74366 Kirchheim am Neckar (HRB 731659, Stuttgart Local Court), represented by its managing director Sven Heib, operates the website server at the Strasbourg location and the commissioned data processing (storage and transfer to Novoferm and its distribution partners) on our behalf. Our host service provider is also subject to German data protection laws.

(3) The support (including advertising), technical security monitoring and analysis of the group site is also provided by Beyond Media GmbH, Mercedesstrasse 3, 74366 Kirchheim am Neckar (HRB 731659, Stuttgart Local Court), represented by its managing director Sven Heib. The anonymous or pseudonymised data of our users are analysed on the basis of a contract for commissioned data processing pursuant to Art. 28 GDPR and Section 62 BDSG. Beyond Media GmbH, our service provider, is also subject to the Germany data protection provisions and is contractually obligated to confidentiality as well.

(4) The company AlloTools S.A., 2 Rue Kellermann, F-59100 Roubaix, France, at the location 140, Quai Du Sartel, F-59100 Roubaix, operates the “Configurator” service (with which visitors to some of our internet sites can configure their garage doors and transfer the data from the configuration to their local Novoferm distributor) and the commissioned data processing (storage and transfer to Novoferm and its distribution partners). The data security level in the EU member state France, just as German data protection law, is in conformity with the General Data Protection Regulation.

(5) The “Cookiebot” service described in Section 12 is a service offered by Cybot A/S, Havnegade 39, DK-1058 Copenhagen, Denmark. The data security level in the EU member state Denmark, just as German data protection law, is in conformity with the General Data Protection Regulation. Furthermore, all Novoferm contract partners are contractually obligated to confidentiality and are permitted to process the user data that are collected and stored for us in accordance with their contracts solely and exclusively for the purposes described in this privacy statement.

(6) We describe below in detail the advertising for our group site and how we monitor and optimise the group site in response to user interests.

(7) Please note as well the Terms and Conditions of Use found on the internet site of our group site that you visit and the supplementary information of our representative offices concerning the special regulations specific to the country where your Novoferm representative office is located.

(8) We operate the online shop Tormaticsales for registered users of the internet site www.tormatic.de on behalf of Novoferm tormatic GmbH on the basis of the Terms and Conditions of Use made public there and of the privacy statement of Novoferm tormatic GmbH; as the processor pursuant to Art. 28 GDPR and Section 62 BDSG, we are also legally and contractually subject to the provisions of these documents. User data are accessed solely and exclusively by the client. Any transfer of the data to which users have given their consent also takes place on the basis of the privacy policy of Novoferm tormatic GmbH that has been made public on the internet site www.tormatic.de.

Our Privacy Policy and Information

Section 1       Anonymous Use, Security, Analysis and Statistics

(1) Novoferm is very conscientious about the protection of the data provided by its website visitors and complies with the regulations of data protection laws. We would like to describe to you in the remarks below what personal data we ask for and store and how we work with these data. Personal data are any information that make it possible to identify a specific person. This includes in particular your name, address and telephone number, but extends as well to the IP address assigned by your provider or your email address.

(2) We seek to make most of the functions of our websites and our services available for anonymous use. Since internet sites must constantly be monitored and protected from attacks by hackers, bots and all types of malware, it is necessary to be able to identify users temporarily, as a minimum on the basis of the so-called metadata of their use of the sites. During your visits to our websites, the following data are recorded, whereby they are stored solely and exclusively for internal system-related and statistical purposes: names of the accessed pages, the browser used, the operating system and the referring domain, data and time of the access, search engines used, names of downloaded files and your IP address. All of the data related to your use of the site, especially your IP address, are erased as early as possible — no later, however, then immediately after the conclusion of your use of the site.

(3) The analysis of anonymous user data, which cannot be traced back during analysis to you personally as the user of the internet sites, helps us to determine the habits of our users so that we can design our services to be more user friendly and adapt them to the wishes and needs of our users. Our processor uses the analysis program Google Analytics for the anonymised analysis of the data. We will describe the functions of this program and the precautions taken to anonymise the user data below.

Section 2       Web Analysis Service “Google Analytics”, Opt-Out Procedure v. Cookiebot Statement

(1) This website uses Google Analytics, a web analysis service provided by Google, Inc. (“Google”). Google Analytics uses cookies (small text files, cf. also Section 12 below) that are stored on your computer and make it possible to analyse your use of the website. The information about your use of this website generated by the cookie is generally transmitted to a Google server in the USA and stored there. The data protection laws in the USA do not at this time meet in all respects the standards of the legal requirements of European data protection laws.

(2) We have enabled the function IP anonymisation on our website. Google consequently truncates your IP address within member states of the European Union or other party states to the treaty regarding the European Economic Area before transmitting it to the USA. The full IP address is transferred to a Google server in the USA and truncated there only in exceptional cases. Google, acting on behalf of the operator of this website, uses the collected information to evaluate your activities on the website, to compile reports about the website activities and to perform further services related to the use of the website and the internet for the website operator. The IP address communicated by your browser for Google Analytics is not associated with any other data of Google.

(3) Our processor uses the latest operating standard of Google Analytics, modified to meet the data security level required by the GDPR, namely, Universal Analytics, on the basis of a contract for commissioned data processing pursuant to Art. 28 GDPR and Section 62 BDSG. Universal Analytics makes possible cross-device tracking by means of a user ID, for example, and permits user-defined measurement values/standards. In accordance with the Terms and Conditions of Use of Universal Analytics, which apply to all users, no personal data may be sent to Analytics. We have obligated our processor and our employees to comply strictly with these Terms and Conditions of Use.

(4) The direct identification of an individual user from the user ID is supposed to be excluded. Nevertheless, the program functions (see above) mean that the Universal Analytics ID is presumably to be classified as an online identifier within the sense of Art. 4 (1) GDPR and consequently as personal data.

(5) We have therefore instructed our processor and our employees not even to enable the user ID and not to send any personal data to Google. (“Best Practices: support.google.com/analytics/answer/6366371)

(6) Google continues to place a cookie, of course. It is used to process the information type of browser, operating system used, referrer URL, IP address (truncated/anonymised) and the time of the server query. You can prevent the storage of cookies by making the appropriate settings in your browser software; however, we expressly point out to you that doing so may possibly prevent you from being able to use all of the functions on this site in their full scope. If you do not wish to accept any restrictions in the possible use of the site, you should instead utilise the provided function for disabling the analysis cookies the first time you visit our website (Cookiebot procedure in Section 12) or exercise your right to object , which is possible at any time.

(7) Furthermore, you can prevent the recording of the data generated by the cookie related to your use of the website (including your IP address) at Google and the processing of these data by Google by downloading and installing the browser plugin available at this link (https://tools.google.com/dlpage/gaoptout?hl=en). When using disabling functions (so-called opt-out solutions), however, you must in general make sure that your browser or the “cleaning program” with access to your browsing history is not set so that the opt-out cookies from the third-party provider are erased. Your decision in the Cookiebot procedure (cf. Section 12) is stored for one year; at the end of this period, you will be asked again for a decision. That is why we believe this is the better procedure.

(8) You will find additional information about the handling of user data with Google Analytics in the Google privacy statement  support.google.com/analytics/answer/6004245 or at http://www.google.com/intl/en/analytics/privacyoverview.html (general information about Google Analytics and privacy).

(9) Here you can deactivate Google Analytics:

Section 3       Advertising for Our Group Site Via Google AdWords, Remarketing

(1) Google AdWords

(2) Our website uses the Google conversion tracking. If you are referred to our website from an advertisement placed by Google, Google AdWords will place a cookie on your computer. The cookie for conversion tracking is placed on the computer whenever a user clicks on an advertisement placed by Google. These cookies expire after 30 days and are not used for the identification of individuals. If a user visits certain pages on our website and the cookie has not yet expired, we and Google can recognise that the user has clicked on the advertisement and has been transferred to this page. Every Google AdWords customer receives a different cookie, so it is not possible to track cookies via the websites of AdWords customers. The information acquired with the aid of the conversion cookie is used to prepare conversion statistics for AdWords customers who have decided to utilise conversion tracking. The customers learn the total number of users who have clicked on their advertisements and have been referred to a page marked with a conversion tracking tag. They do not, however, receive any information that would enable them to identify users personally.

(3) If you do not wish to participate in the tracking, you can refuse to accept the placement of cookie required for this purpose — for instance, by enabling the browser setting that generally prevents the automatic setting of cookies or by setting your browser to block any cookies from the domain “googleleadservices.com”.

(4) Please note that you must not erase the opt-out cookies as long as you do not want any measurement data to be recorded. If you erase all the cookies in your browser, you will have to place the relevant opt-out cookie again.

(5) Use of Google remarketing

(6) This website uses the remarketing function of Google, Inc. The purpose of the function is to present interest-related advertisements to website visitors within the Google advertising network. A so-called “cookie” is placed in the website visitor’s browser, which makes it possible to recognise the visitor whenever he or she accesses websites that are part of the Google advertising network. On these pages, advertisements related to content previously accessed by the visitor on websites using the Google remarketing function may be displayed to the visitor.

(7) According to information from Google, this procedure does not result in the collection of any personal data. If you nevertheless do not wish to use the Google remarketing function, you can disable it by making the appropriate settings at www.google.com/settings/ads. Alternatively, you can disable the use of cookies for interest-related advertising via the network advertising initiative by following the instructions at http://www.networkadvertising.org/managing/opt_out.asp.

Section 4       Facebook Pixel

(1) Subject to your consent, we utilise the “tracking pixel” of Facebook, Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA (Facebook”) on some of our pages. The collected data are anonymous for us and do not enable us to draw any conclusions about the identity of the users. Nevertheless, the data are stored and processed by Facebook so that a connection to the user profile in each case is possible, and Facebook can use the data for its own advertising purposes in accordance with the Facebook privacy policy (https://www.facebook.com/about/privacy/). You can make it possible for Facebook and its partners to place advertisements on and outside of Facebook. Moreover, a cookie can be stored on your computer for these purposes.

(2) Please click here if you wish to disable the advertising. https://www.facebook.com/ads/website_custom_audiences/

Section 5       Use of Google Maps

(1) Some of the pages of the group site use Google Maps API for the visual display of geographical information. When Google Maps is used, Google also collects, processes and uses data about the visitors’ use of the map functions. You will find more detailed information about the data processing done by Google in the Google privacy remarks. You can also go to the company’s privacy centre to modify your personal privacy settings.

(2) You will find comprehensive instructions for managing your own data with respect to Google products here. (https://support.google.com/accounts/answer/3024190)

Section 6       Embedded YouTube Videos

We embed YouTube videos on some of our websites. The operator of these plugins is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit a site with the YouTube plugin, a connection to the YouTube servers is created, and the pages you access are communicated to YouTube. If you are logged on to your YouTube account, YouTube can attribute your surfing activities to you personally. You can prevent this by logging off your YouTube account prior to accessing the sites.

If a YouTube video is launched, the provider places cookies that collect information about the user’s behaviour.

If you have disabled the storage of cookies for the Google ad program, you will not need to be concerned about any such cookies when you view YouTube videos. However, YouTube stores non-personal use information in other cookies as well. If you want to prevent this, you must block the storage of cookies in your browser settings.

Additional information about privacy at “YouTube” can be found in the provider’s privacy statement at: www.google.en/intl/de/policies/privacy/.

Section 7       Social Plugins

We offer to you the opportunity to use so-called “social media buttons” on our website. We use the solution “Shariff” during implementation to protect your data. The program integrates these buttons into the website solely in form of a graphic that contains a link to the corresponding website of the button provider. When you click on the graphic, you are transferred to the services of the corresponding provider. Only then are your data sent to the relevant provider. If you do not click on the graphic, there is no exchange whatsoever between you and the providers of the social media buttons. You will find information about the collection and use of your data on social networks in the terms and conditions of use of the specific providers. Click on this link for more information about the Shariff solution: www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html.

We have integrated the social media buttons of the following companies on some of the pages of the group site:

Facebook, Inc. (1601 S. California Ave - Palo Alto - CA 94304 - USA)

Twitter, Inc. (795 Folsom St. - Suite 600 - San Francisco - CA 94107 - USA)

Google Plus/Google. Inc. (1600 Amphitheatre Parkway - Mountain View - CA 94043 - USA)

XING AG (Gänsemarkt 43 - 20354 Hamburg - Germany)

LinkedIn Corporation (2029 Stierlin Court - Mountain View - CA 94043 - USA)

Section 8       Hotjar

(1) We use the web analysis service Hotjar from Hotjar Ltd. on some of the websites of our group site. Hotjar Ltd. is a European company headquartered in Malta (Hotjar Ltd., Level 2, St Julians Business Centre, 3 Elia Zammit Street, St Julians STJ 1000, Malta, Europe, phone: +1 (855) 464-6788). The data security level in the EU member state Malta, just as German data protection law, is in conformity with the General Data Protection Regulation.

(2) This tool can be used to track movements on the websites in which Hotjar has been implemented (so-called heatmaps). They make it possible to see, for instance, how far users scroll and what buttons users click and how often. Moreover, the tool also makes it possible to obtain feedback directly from the users of the website. This enables us to obtain valuable information we can use to design our websites to be even faster and more customer-friendly.

(3) We pay close attention to the protection of your personal data when using this tool. We can track only what buttons are clicked, mouse movements, how far users scroll, the size of the device screen, the type of device and browser information, geographical location (country only) and the preferred language for the display of our website. Website sections in which personal data from you or third parties are displayed are automatically hidden by Hotjar and therefore cannot not be tracked at any time.

(4) Hotjar offers to users the opportunity to prevent the use of the Hotjar tool by means of a “Do Not Track Header” that stops the recording of any data during the visit to the website. This is a setting available in the current releases of all commonly used browsers. If this setting is enabled, your browser sends a message to Hotjar with the instruction to disable the tracking of the user. If you use various browsers/computers to access our websites, you must set up the “Do Not Track Header” for each browser/computer separately.

(5) Additional information about the provider’s data protection can be found on its internet site. The privacy statement is available in English at https://www.hotjar.com/privacy. The cookies that are used and their effective duration are described at www.hotjar.com/legal/policies/cookie-information. You can disable tracking by Hotjar with the opt-out function https://www.hotjar.com/opt-out that has been provided.

Section 9       Use of reCAPTCHA

(1) We use the service “reCAPTCHA” from the company Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: “Google”) to secure the entry forms on the pages of our group site. Using this service makes it possible to determine whether entries are being made by humans or the system is being misused by automated machine processing.

(2) As far as we know, the referrer URL, the IP address, the behaviour of the website visitors, information about operating system, browser and period of stay, cookies, display settings and scripts, the users’ entry behaviour and mouse movements in the area of the “reCAPTCHA” checkbox are transmitted to “Google”.

(3) The IP address transferred as part of “reCAPTCHA” is not associated with other data at Google unless you are logged on to your Google account at the time you use the “reCAPTCHA” plugin. If you wish to prevent this transmission and the storage of data about you and your behaviour on our website by “Google”, you must log out of your “Google” account before you access our site and use the “reCAPTCHA” plugin.

(4) The information obtained from the use of the service “reCAPTCHA” is used in accordance with the Google Terms and Conditions of Use https://www.google.com/intl/de/policies/privacy/.

Section 10     Collection and Storage of Personal Data

(1 ) More extensive personal information is collected solely if and when you have voluntarily provided it to us, e.g. when submitting a query or registering on the site.

(2) If you contact us using email or a contact form, the information you provide for the purpose of processing the query and for possible follow-up questions will be stored. Your personal data are always used solely within the scope of the consent you have given us. You are free at any time to withdraw any consent you have given.

(3 ) The procedures we use during all data processing activities (e.g. collection, processing and transmission) are in compliance with legal statutes. The following explanatory remarks will provide you with an overview of the nature of the data that are collected, how these data are used and transferred to other parties, what security measures we implement for the protection of your data and the options available to you for obtaining information about the information that has been given to us.

(4) When you register for the use of our personalised services, some additional personal data such as your name, address and contact and communication data such as phone number and email address are also collected. When you have registered with us, you can access content and services we offer solely to registered users. Registered users also have the opportunity to modify or erase themselves any data provided during registration as necessary. Naturally, we will in addition provide to you at any time information about the personal data concerning you that we have stored. We will also be happy to rectify or erase any such data at your request, provided that this is not prohibited by statutory retention obligations.

(5) In keeping with the principle of data economy, only the data we require to answer your queries or for the performance and processing of orders will be requested (e.g. your complete name and/or complete company name as well as that of the authorised representative(s), your email address, any customer number that may have previously been issued and your address). In addition, you must select a user name and a password for the registration; the two together will simplify your login without re-entry of the data. We save the data you have entered to set up your customer account.

(6) We process data from other sources if you already have a customer account with us or with our distribution partners or our representative offices. We then add the data from your query or your order data to your customer account. It is possible that we will collect creditworthiness data from our commercial credit insurers and add the information to your customer account for new customers and commercial customers.

Section 11     Newsletter

(1) As a registered user of our B2B platforms, you can sign up for our email newsletter service. In this case, we must collect and store your email address. We use it solely and exclusively to send newsletter emails notifying you of current offers. Subscribers may also be notified by email of circumstances relevant for the service or the registration (e.g. changes in the newsletter service or technical matters).

(2) We require a valid email address for valid registration. To ensure that the registration is actually coming from the owner of an email address, we utilise the “double opt-in” procedure. During this procedure, we record the request for the newsletter, the sending of a confirmation email and the receipt of the answer requested in the confirmation. No other data are collected. The data are used solely and exclusively for the transmission of the newsletter and are not transferred to third parties.

(3) You may withdraw your consent for the storage of your personal data and their use for the transmission of the newsletter at any time. You will find a link that can be used for this purpose in every newsletter. In addition, you can unsubscribe directly on this website at any time by clicking on the field “Unsubscribe to newsletter” on our internet site, or you can use the contact information found at the end of this privacy information to notify us of your request. Your data will then be erased.

Section 12     Cookies

(1) This internet site uses cookies. Cookies are small text files that are transmitted from a website server to your hard drive. We automatically obtain at this time certain data about your computer and your internet connection such as IP address, browser used and operating system.

(2) Cookies cannot be used to launch programs or to transfer viruses to a computer. We can use the information contained in the cookies to simplify your navigation and to ensure the correct display of our websites.

(3) Under no circumstances are the data we collect in this way transferred to third parties or is a link to personal data established without your consent.

(4) Naturally, you can always view our website even without cookies. You can prevent the use of cookies by setting your browser to block cookies. You will be able to see, as a minimum, the most important parts of these sites as before. Keep in mind, however, that certain functions of our website and the services that can be accessed through your registration and login on the Extranet and the connected trading platforms do not work if you have disabled the use of cookies.

(5) Cookies have different functions. Some cookies are required for specific functions or services on our internet sites, e.g. to defend against attacks on the internet sites or to recognise you as a registered user of the Extranet or of one of our trading platforms. Unless the required cookies are available, the functions and services cannot be utilised, and you will receive error messages or information instead of the desired function. You can, however, at any time grant the consent not previously given or restore withdrawn consent by removing the blocks for the specific cookie and re-accessing the internet site or refreshing the internet site in your browser.

(6) We have implemented the extended cookie alert banner Cookiebot to simplify your handling of cookies on our internet sites and refer to the following procedure instructions. Cookiebot is a service provided by Cybot A/S, Havnegade 39, DK-1058 Copenhagen, Denmark. The cookies required for the internet site functions and the offered services have been set as defaults. If you click on the “OK” button of the banner, you grant your consent (which may be withdrawn at any time) to the use of the default cookies.

(7) The additional function groups and other functions of the integrated cookies are explained and the duration (limited term) of the cookies, at the end of which the cookies automatically expire, is shown in the service’s cookie list. You can disable the cookies singly as well as in function groups. Please note that the cookies also have functions that, while they are not absolutely necessary, may store your user habits and preferences. One example of this is your decision in a dual-language country for one of the two language versions that are offered. The Cookiebot default setting means that you must remove the green tick in the overview to restrict your consent statement accordingly so that you can use the site as usual. If you also allow us to collect statistics (analysis cookies) and to personalise advertising (tracking and profiling cookies), we can send you the tailored information to which you are accustomed, remind you of content you have already viewed and optimise our internet sites on the basis of anonymous analysis of your user behaviour on our sites and platforms and in our services. We thank all of our users who help us in this way to improve constantly.

(8) These are the cookies we use:

Section 13     Security Information

(1) We have implemented many different security measures of reasonable and adequate scope for the protection of personal data.

(2) Our databases are protected by physical and technical measures as well as procedural measures that limit information access to specially authorised persons in conformity with this privacy statement. Our information system is located behind a software firewall to prevent access from other networks that are connected to the internet. Solely employees with a need to know information for the performance of specific tasks are granted access to personal data. Our employees have been trained in security matters and data protection practices. All of our employees and any and all third parties involved in data processing have been obligated to compliance with the German Federal Data Protection Act and to confidential handling of personal data.

(3) Whenever personal data are collected through our internet sites, the transmission is encrypted using the industry standard secure socket layer (“SSL”) technology via https.

(4) You should never reveal your password for your access to our internet sites to third parties, and you should change this password at regular intervals. When you leave our sites, you should always log out and close your browser to prevent any unauthorised users from obtaining access to your user account.

(5) We cannot warrant complete data security whenever email is used for communication.

Section 14     Use, Transfer and Erasure of Personal Data

(1) We use the personal data you have provided to us to answer your queries, process your orders and check your creditworthiness and for technical administration of the websites.

(2) Your personal data will be transferred to third parties solely if the transfer is required to process the contract or if you have given your express consent.

(3) In addition, we do not exclude the possibility that we will transfer anonymised use data for market research purposes. The identification of specific users is excluded in these cases (see above).

(4) We want to point out that in specific cases we are authorised and required by order of government agencies to provide information about data to the extent that this is necessary

• to prosecute criminal activities,

• to obtain state police protection from threats,

• to perform the legal tasks required of the national and state constitution protection authorities, the Federal Intelligence Service or the Military Counterintelligence Service

• or to defend intellectual property rights.

(5) The user data from visitors to the website are automatically erased immediately when the visitors leave the site. The term of the cookies is described in detail in Section 12. Data related to a query are erased once the follow-up correspondence has been completed and no later than six months after the last message that remained unanswered by the user. The data for specific quotations are either erased by the users themselves or at their request and no later than three years after issue of the quotation. Contract data are erased after complete performance of the contractual relationship, in particular after the expiration of warranty, guarantee or liability periods. These periods may be as long as 10 years after delivery of the products or acceptance of the contract performance for the manufacturers of construction products relevant for safety. Our data protection officer will be glad to answer any questions about the erasure policy.

Section 15     Your Privacy Rights

(1) You have the right to access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR and the right to data portability pursuant to Art. 20 GDPR. Sections 34 and 35 BDSG (Federal Data Protection Act) apply as well with respect to the rights to access and erasure. In addition, there is the right to lodge a complaint with a supervisory authority (Art. 77 GDPR and Section 19 BDSG).

(2) You have the right to obtain from us at any time information about your personal data that we have stored. You also have the right to rectification, blocking or (with the exception of the data storage related to business performance mentioned above) erasure of your personal data. You may contact Thorsten Werbeck, our data protection officer (thorsten.werbeck@novoferm.de), or the data protection officer or persons in charge of data protection at the representative office for your account at any time if you have any questions about the subject of privacy.

(3) Any data that have been blocked must be retained in a blocked file for control purposes so that the blocking of data can be respected at all times. You may also obtain the erasure of the data, provided that there are no statutory retention obligations prohibiting the erasure. If there is such a prohibition of erasure, we will at your request block data.

(4) You may make changes in or withdraw your consent by sending us a message of this content that will become effective for the future. You may withdraw consent at any time without giving your reasons and without observing any special formalities. You may use for this purpose any of the address and contact data of Novoferm (including distribution partners and representative offices) shown above. Please give your consent to the transfer of the message to the office that is in charge of your account.

Section 16     Amendment of Our Privacy Policy

We reserve the right to adapt this privacy statement from time to time so that it always conforms to the latest legal requirements or to include changes in our services in the privacy statement, e.g. when we introduce new services or functions. The new privacy statement then applies when you visit the site again.

Section 17     Right to Object

(1) You have the right, on grounds relating to your particular situation

• as user of the internet site,

• as potential customer after contacting us, our distribution partners or representative offices,

• as a registered user on the Extranet or a connected trading platform

• or as a Novoferm customer,

to object at any time to processing of personal data concerning you which is based on point (f) of Art. 6 (1) GDPR (data processing on the grounds of a weighing of interests).

(2) If you lodge an objection, we will no longer process your personal data unless we or your contract partner can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

(3) The objection may be lodged without special formality and can be sent to our addresses shown in Section 1.

Novoferm Privacy Policy Internet Services

Record of Processing Activities Pursuant to Art. 30 GDPR

1. Controller within the sense of data protection (including the data protection regulations of the TMG [German Telemedia Act] is Novoferm GmbH

Venue: Coesfeld Local Court, HRB 7771

Value-added tax identification number: DE811152143

Managing Directors

Rainer Schackmann, Dipl.-Ing., CEO

Thomas Hage, Dipl.-Kfm.

Dirk Gössling, Dipl.-Ing.

Isselburger Strasse 31

46459 Rees

Phone: (+49)02850-910-0

Fax: (+49)02850-910-646

Internet:

www.novoferm.com (Novoferm Group)

www.novoferm.de (Novoferm Germany)

 for the joint internet site of Novoferm Group consisting of

2. Mr Thorsten Werbeck

Mr. Thorsten Werbeck

Isselburger Str. 31, 46459 Rees

Email: thorsten.werbeck@novoferm.de

has been appointed

as group data protection officer pursuant to Art. 37 (2) GDPR for the companies

• Novoferm GmbH, Isselburger Str. 31, 46459 Rees

• Novoferm Vertriebs GmbH, Schüttensteiner Str. 26, 46419 Isselburg

• Novoferm Riexinger Türenwerke GmbH, Industriestr. 12, 74336 Brackenheim

• Novoferm tormatic GmbH, Eisenhüttenweg 6, 44145 Dortmund

• TST Tor System Technik GmbH, Willi-Bleicher-Str. 7, 52353 Düren

3. User data for website services are stored and processed solely and exclusively for the duration of the use of the site and are erased at the latest upon the closure of the session. User data that have been voluntarily provided with respect to a query are processed, stored and transferred to the indicated distribution partners for processing of the query solely and exclusively for the processing of the query and within the limits of the granted consent; they are erased when the query has been fully processed. Master data from registration are stored for the duration of the utilisation contract and are collected, stored and erased on the basis of the agreed terms and conditions of use. We refer to the privacy policy concerning the handling of contract performance data in operating business.

4. Data subjects are defined as:

• Most broadly, all users of our internet sites in the described group site;

• Then potential buyers of our products and the services we offer;

• Then potential customers sending queries; their master data are recorded for establishing contact and transferred to the authorised representative office or distribution partner (see above) for processing of the query and stored in the lead system for review of the processing;

• Then the potential and current customers whose data are processed by registered users (representative offices and distribution partners) in the quotation function of our online shops for processing of the queries, requests for submission of quotations or for further performance of contracts (follow-up orders, warranty requests etc.). Business transactions are stored for the representative office or the distribution partner for a period of 6 (six) years. As these parties are the contract partners for the customers, they are themselves responsible for data protection that is beyond our control (lead system, trading platforms).

5. The types of processed data:

• Most broadly, the anonymised user data for statistical purposes and for the optimisation of the user friendliness of our internet site described in detail in the privacy statement;

• The master data entered by users in the entry mask when establishing contact. The data are correlated to the purpose of the specific user query and include, in addition to the contact data required for processing (address data, marked with *), supplementary voluntary data fields for more convenient or direct establishment of contact (phone data) and free-text fields for limited text messages. In addition to instructions for processing or restrictions of the consent declaration, users can also transmit transaction data related to the content of their queries;

• The use of the postal code search requires merely the temporary entry of any postal code; a personal association with users is not established;

• During the use of the configurator, the user’s data records are stored solely in accordance with his or her express request and transferred to the distribution partner in the appropriate area solely with his or her express consent (“opt-in”). Here as well, the user must enter the master data for a contact query so that his or her query about the configuration can be processed. The technical and visual data of the configuration are collected and stored along with the master data;

• During registration and the conclusion of a utilisation agreement, all master data required for agreement processing and secure identification of the contract partner are collected. For the use of the B2B platforms (Extranet, trading platforms, online shop, lead system), additional master data of the user are required for verification of the entrepreneurial character within the sense of Section 13 BGB [Civil Code] and the master data of authorised representatives. For the use of the quotation function of the trading platforms and the use of the lead system functions, additional data concerning the authorised persons within the sense of data protection (access control) are collected (e.g. personalised email addresses and secure passwords);

• During the processing of leads, additional specific transaction data required for processing of the specific query may, under certain circumstances, be collected and merged and processed in conjunction with the data of the query. Such actions may include follow-up questions regarding the suitability of the selected Novoferm product or the precise installation situation (e.g. of the garage door) on the user’s property or in his or her building.

6. Possible recipients of the data:

• The target parties of the data transmission shown in the consent information (representative offices or distribution partners of Novoferm GmbH, e.g. Novoferm Vertriebs GmbH for the B2B market in Germany or the locally authorised distribution partner or the representative office in the target country of the user’s query for questions from other European countries);

• The company’s own employees obligated to compliance with the Novoferm data protection organisation and the privacy statement and to confidentiality, especially within the framework of their activities as system administrators and order data processors;

• Our processors (host service and service operators) contractually obligated to confidentiality and also subject to the European data security level as described in the privacy statement.

7. Data processing outside of the immediate territorial scope of the GDPR takes place solely for users from Switzerland on the basis of Swiss data protection law. Moreover, we also guarantee compliance with the level of European data security as a minimum for our users from Switzerland.

8. User data not related to transactions are erased at the latest immediately after conclusion of the use. Query data are erased after conclusion of the processing of the query to the extent that they do not remain permanently stored because of a subsequent business transaction and are finally erased on the basis of the erasure provisions for contract data (see above).

9. Level of security and security measures (Art. 32 GDPR)

We consider the level of security for address data that are usually available in public directories to be relatively low. We consider individual contact data, in particular transaction data for concrete installation queries, to be critical because in the worst case conclusions about reduced building security, even if only temporary, while work is being done on doors and other entrances and exits in the user’s buildings can be drawn from unauthorised data access with criminal intent in conjunction with address data. The risks related to loss of data are in contrast not a problem because even concrete user queries can be easily reproduced with little or manageable effort using the functions of the services.

We transmit even queries about contract initiation containing concrete user data via the contact forms or the configurator in encrypted form (SSL technology).

Our system administrators ensure that the transmitted data can be attributed solely and exclusively to the concrete lead and consequently the concrete user query. The system functions of the lead system ensure that the user’s data records can be read and processed solely and exclusively by the representative office in his or her area and the office’s distribution partners. (For instance, user query from Germany > access by Novoferm Vertriebs GmbH, user query from Nuremberg > supplementary access by the distribution partner in Nuremberg that prepares the contact quotation for delivery of the garage door or installation of the fire protection doors.)

All entries to the system are appropriately personalised, password-protected and used solely by persons who are contractually obligated to compliance with the Novoferm GmbH privacy policy and to implementation of the European (or Swiss, see above) level of data security within their own work organisation.

The availability and usability of the systems are guaranteed by physical and technical protective measures (firewall, secured servers in data centres, backup systems etc., all using state-of-the-art technology) as described in the general privacy policy.

The restoration of the system data from backups is guaranteed as described in the General Restoration Concept.

The inspection, analysis and evaluation of the effectiveness of the security measures is guaranteed by the PBE Concept of our group data protection officer.

Isselburg in May 2018

Thorsten Werbeck