Data privacy statement
We appreciate your interest in our company. The management of Symestic GmbH places great importance on data privacy. In general, using the Symestic GmbH website is possible without providing any personal data. However, processing of personal data may be required, if a data subject wishes to make use of special services provided by our company through our website. If processing of personal data is require and if there is a legal basis for processing this data, we will generally ask for the consent of the data subject.
We exclusively process personal data, for instance the name, address e-mail address or phone number of a data subject, in accordance with the provisions of the General Data Protection Regulation and in compliance with the country-specific data privacy regulations valid for Symestic GmbH. Our company would like to use this data privacy statement to inform the public about the type, extent and purpose of the personal data collected, used and processed by us. Moreover, this data privacy statement informs data subjects about their rights.
As the processing controller, Symestic GmbH has implemented various technical and organisational measures to provide full protection of personal data processed via this website to the extent possible. Nevertheless, internet-based data transmission may have security flaws, so that absolute protection cannot be guaranteed. For this reason, every data subject has the right to transmit personal data to us through alternative methods, for instance by phone.
The data privacy statement of Symestic GmbH is based on the terminology used by European regulators when issuing the General Data Protection Regulation (GDPR). Our data privacy statement is intended to be easy to read and understand for the general public and for our customers and business partners. To ensure this, we would like to start by explaining some terminology.
We use the following terms, among others, in this data privacy statement:
a) personal data
Personal data is any information referring to an identified or identifiably natural person (hereinafter “data subject”). A natural person is regarded as identifiable if the person can be identified directly or indirectly, in particular through an identifier such as a name, an ID number, location data or an online user name or one or several special features which are an expression of the person’s physical, physiological, genetic, mental, economic, cultural or social identity.
b) data subject
The data subject is any identified or identifiable natural person whose personal data is being processed by the processing controller.
Processing is any process or sequence of processes related to personal data performed with or without the aid of automated procedures, such as collection, recording, organisation, ordering, saving, adapting or modifying, exporting, retrieving, usage, disclosure through transmission, distribution or other manners of provision, comparison or linking, restriction, erasure or destruction.
d) Restriction of processing
The restriction of processing is the marking of stored personal data with the aim of limiting the processing thereof in the future.
Profiling is any kind of automated processing of personal data consisting of the use of this personal data to evaluate specific personal aspects of a natural person, in particular in order to analyse or predict aspects regarding work performance, economic situation, health, personal preferences, interests, reliability, behaviour, whereabouts or changes in location of this natural person.
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
g) Controller or processing controller
The controller or processing controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The recipient is a natural or legal person, public authority, agency or other body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients.
j) Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
2. Name and address of the controller
The controller as defined by the General Data Protection Regulation, other data privacy law applicable in EU member states and other data privacy regulations is:
Data privacy officer: Wolfgang Knobloch
The data subject can stop our website from saving a cookie by making the relevant settings in the web browser used, thereby permanently objecting to cookies being used. Moreover, previously set cookies can be deleted in the web browser or through use of other software programs at any time. This is possible in all common web browsers. If the data subject deactivates cookies in the web browser used, not all functions of our website may be available to their full extent.
3. Recording of general data and information
Any time the Symestic GmbH website is accessed by a data subject or an automated system, it records some general data and information. This general data and information is saved in the log files of the server. The following data and information may be recorded:
(1) browser types and versions used,
(2) the operating system of the accessing system,
(3) the website by which an accessing system was referred to our website (the “referrer”)
(4) the sub-sites accessed on our website by an accessing system,
(5) the date and time of access to our website,
(6) an Internet Protocol address (IP address),
(7) the internet service provider of the accessing system and
(8) other similar data and information serving to prevent danger in the event of attacks on our information technology systems.
Symestic GmbH does not draw any conclusions about the data subject when using this general data and information. Instead, this information is required to
(1) provide the content of our website without errors,
(2) optimise the content of our website and advertisement for it,
(3) ensure the long-term function of our information technology systems and the technology of our website and
(4) to provide law enforcement authorities with the information required for criminal prosecution in the event of a cyber attack.
Anonymous data and information is therefore evaluated by Symestic GmbH for statistical purposes and to increase the data privacy and data security in our company in order to ensure an ideal level of protection for the personal data processed by us. The anonymous data of the server log files is stored separately from any personal data provided by the data subject.
4. Registration on our website
The data subject has the option of registering on the website of the controller by providing personal data. The personal data provided to the controller is based on the input form used for registration. The personal data provided by the data subject is exclusively collected and stored for internal purposes by the controller. The controller may disclose the data to one or several processors, for instance a parcel service provider, who will also exclusively use the personal data for internal purposes in line with those of the controller.
Moreover, when the data subject registers on the controller's website, the IP address assigned by the data subject’s internet service provider (ISP) as well as the data and time of registration are also saved. This data is stored because that is the only way to prevent misuse of our services and permit investigation in the event of criminal activity. This makes storage of this data necessary to safeguard the controller’s interests. This data is not disclosed to third parties, unless this is legally required or disclosure is necessary for the purpose of criminal prosecution.
The registration of the data subject including the voluntary provision of personal data is used by the controller to provide the data subject with content or services which, by their nature, can only be offered to registered users. Registered persons have the option to change the personal data provided during registration at any time or have them deleted completely from the controller’s database.
At the data subject’s request, the controller will inform the data subject at any time which personal data related to the data subject the controller has stored. Moreover, the controller will correct or delete the personal data at the request of the data subject, unless legally mandated retention periods apply. All of the controller’s employees are available to the data subject as contact partners in this context.
5. Contact options via the website
In accordance with legal regulations, the Symestic GmbH website contains options for quick electronic contact with our company as well as direct communication with us, including a general address for electronic mail (e-mail address). If a data subject enters into contact with the controller by e-mail or through a contact form, the personal data submitted by the data subject is stored automatically. Such personal data, which is voluntarily provided to the controller by the data subject, is saved for the purpose of processing the enquiry or contacting the data subject. This personal data will not be disclosed to third parties.
6. Routine erasure and blocking of personal data
The controller will only process and store the personal data of the data subject for the period required to achieve the purpose of storing the data or for the period required by European regulators or other legislators in laws or regulations to which the controller is subject.
If the purpose of storing the data no longer applies or one of the retention periods legally mandated by European regulators or other applicable legislation expires, the personal data will routinely be blocked or deleted according to applicable legal regulations.
7. Rights of the data subject
a) Right to confirmation
European regulators have given each data subject the right to demand confirmation from the controller whether personal data related to him or her is being processed. If a data subject wishes to make use of this right to confirmation, he or she can contact one of the controller’s employees at any point.
b) Right of access
European regulators have given each data subject the right to receive access to the personal data related to the data subject saved by the controller at any time free of charge as well as a copy of the data. Moreover, European legislators have given data subjects the right to receive information about the following:
- the purposes of processing
- the categories of personal data processed
- the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- the existence of the right to lodge a complaint with a supervisory authority
where the personal data is not collected from the data subject: any available information as to the source of the data
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Furthermore, the data subject has the right to be informed of whether personal data has been transmitted to a third country or an international organisation. If this is the case, the data subject has the right to be informed of suitable safeguards for such transmission.
If a data subject wishes to make use of this right of access, he or she can contact one of the controller’s employees at any point.
c) Right to rectification
European regulators have given each data subject the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Moreover, taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to make use of this right to rectification, he or she can contact one of the controller’s employees at any point.
d) Right to erasure (right to be forgotten)
European regulators have given each data subject the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following reasons applies:
- The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
- The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), GDPR or point (a) of Article 9(2), and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
- The personal data has been unlawfully processed.
- The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
If one of the above-listed grounds applies and a data subject wants to request erasure of the personal data stored by Symestic GmbH, he or she can contact one of the controller’s employees at any time. The Symestic GmbH employee will ensure compliance with the request for erasure without undue delay.
Where Symestic GmbH has made the personal data public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, Symestic GmbH, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, this personal data, provided processing is not required. The Symestic GmbH employee will take all necessary steps for each individual case.
e) Right to restriction of processing
European regulators have given each data subject the right to obtain from the controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
- The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
- The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
If one of the above-listed grounds applies and a data subject wants to request restriction of processing of the personal data stored by Symestic GmbH, he or she can contact one of the controller’s employees at any time. The Symestic GmbH employee will ensure that the relevant personal data is restricted
f) Right to data portability
European regulators have given each data subject the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. The data subject also has the right to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, where processing is based on consent pursuant to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and processing is carried out by automated means, unless processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Moreover, in exercising his or her right to data portability pursuant to Article 20(1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, provided that this is technically feasible and the rights and freedoms of others are not adversely affected.
To exercise the right to data portability, the data subject can contact an employee of Symestic GmbH at any point.
g) Right to object
European regulators have given each data subject the right to object, on reasons relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR. This also applies to profiling based on those provisions.
Symestic GmbH will not continue to process the personal data unless we can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject or processing is required for the establishment, exercise or defence of legal claims.
Where Symestic GmbH processes personal data for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. Where the data subject submits an objection to processing for direct marketing purposes to Symestic GmbH, Symestic GmbH will no longer process personal data for such purposes.
Moreover, the data subject, on reasons relating to his or her particular situation, has the right to object to processing of personal data concerning him or her where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise the right to object, the data subject can contact an employee of Symestic GmbH at any point. Moreover, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
European regulators have given each data subject the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or performance of, a contract between the data subject and the data controller, or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests or (3) is based on the data subject's explicit consent.
If the decision (1) is necessary for entering into, or performance of, a contract between the data subject and the data controller, or (2) is based on the data subject’s explicit consent, Symestic GmbH will implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If a data subject wishes to make use of his or her rights related to automated decision-making, he or she can contact one of the controller’s employees at any point.
i) Right to withdraw consent related to data protection
European regulators have given data subjects the right to withdraw consent to the processing of their personal data at any time.
If a data subject wishes to make use of this right to withdraw consent, he or she can contact one of the controller’s employees at any point.
8. Data privacy provisions for the use of Google Analytics (with anonymisation function)
The controller has integrated the component Google Analytics (with anonymisation function) on this website. Google Analytics is a web analytics service. Web analytics is the term for collection and evaluation of data related to the behaviour of visitors of websites. Among other things, a web analytics service collects data indicating from which website an affected person has reached a website ("referrer"), which sub-pages of the website were accessed and how often and for which duration a sub-page was viewed. Web analytics is primarily used for optimising a website and for cost-benefit analysis of internet-based advertising.
The provider of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The controller uses the code "_gat._anonymizeIp” for its use of Google Analytics. This code truncates and anonymises the IP address of the data subject’s internet connection, if the data subject accesses our website from a EU Member State or from another state that is party to the European Economic Area Agreement.
The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the gathered data and information to, among other things, analyse the use of our website, to compile online reports listing the activity on our websites for us, and to provide services related to the use of our website.
Google Analytics saves a cookie on the information technology system of the data subject. The significance of cookies has already been explained. This cookie allows Google to analyse the use of our website. Each time the web browser on the data subject’s information technology system is used to access a sub-page of the website provided by the controller on which a Google Analytics component is integrated, the web browser is automatically prompted by the Google Analytics component to transmit data to Google for the purpose of online analysis. Through this technical process, Google gains access to personal data such as the IP address of the data subject, which Google uses, among other things, to track the referral site of the user and permit invoicing of commissions.
The cookie is used to store personal information, such as the time of access, the referrer for the access and the frequency of accessing our website of the data subject. After each visit to our websites, this personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may transmit personal data collected in this manner to third parties.
The data subject can stop our website from saving a cookie as explained above by making the relevant settings in the web browser used, thereby permanently objecting to cookies being used. This setting in the web browser used would also prevent Google from saving a cookie in the information technology system of the data subject. In addition, a cookie set by Google Analytics can be deleted in the web browser or through a different software program at any time.
We use services provided by the software HubSpot. HubSpot is an American software company with a branch in Ireland (HubSpot European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland).
HubSpot is a service platform. The service used is an integrated software solution for managing customer data and various aspects of our online marketing. This includes analysis of the landing pages and reporting. "Web beacons" are used for this and cookies are stored on your device used.
- IP address
- Geographical location
- Type of browser
- Duration of the visit
- Accessed pages
Our website uses web fonts provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google") to ensure standardized font display.
When a site is accessed, your browser loads the necessary web fonts into your browser cache so that text and fonts can be correctly displayed. Your browser must connect to the Google servers for this purpose; personal data may need to be sent to the Google LLC servers in USA for this.
It is not possible to ensure an adequate level of data protection in view of Google LLC and data processing being carried out in the USA. Authorities may be able to access the data for security and monitoring purposes without the need to inform you or This means you being able to appeal this. We cannot influence to what extent Google will process this data for their own purposes or link it with your other user profiles.
This is why we have integrated Google fonts locally on our web server and not on the Google servers. There is no connection to the Google servers and therefore no data communication and no data is stored. Legal grounds for processing the data is in our legitimate interest for the purpose of Art. 6 Par. 1 (f) of the GDPR.
We use Google Tag Manager, an online advertising program provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.
This service manages website tags via an interface. Google Tag Manager only implements tags. That means: No cookies are used and no personal data is collected. Google Tag Manager triggers other tags which, in turn, collect data.
Tag Manager is run in your browser, i.e. at the very least, stored as information in your device's storage.
Data processing is carried out based on your consent, in accordance with Art. 6, Par. 1 of the GDPR, if you have given your consent for our banner to be used. You can revoke your consent any time. To do so, please follow this link and make the necessary changes to the settings for use of this banner. Data transfer to a third country takes place based on Art. 49 Par. 1 (a) of the GDPR.
You can find additional information about handling of user data in the Google Tag Manager Use Policy.
13. Legal basis of processing
Our company uses point (a) of Art. 6 (I) GDPR as the legal basis for processing where we request consent for a specific processing purpose. Where processing of personal data is required for performance of a contract to which the data subject is party, as is, for instance, the case for processing required for delivering goods or providing other services, processing is based on point (b) of Article 6 (I) GDPR. The same applies to processing required prior to entering into a contract, for instance in the event of enquiries about our products and services. Where our company is subject to a legal obligation requiring processing of personal data, for instance compliance with tax obligations, processing is based on point (c) of Article 6 (I) GDPR. In rare cases processing may be necessary in order to protect the vital interests of the data subject or of another natural person. This would, for instance, be the case if a visitor is injured on our premises and we would have to give his or her name, age, health insurance data or other vital information to a doctor, hospital or other third parties. In this case, processing would be based on point (d) of Article 6 (I) GDPR. Lastly, processing may be based on point (f) of Article 6 (I) GDPR. Processing is based on this legal basis, if it does not fall under any of the aforementioned legal bases, and is necessary to maintain the legitimate interests of our company or a third party, provided such interests are not overridden by the interests, fundamental rights and freedoms of the data subject. We have the right to perform such processing, because it is explicitly mentioned by European legislators. They were of the opinion that a legitimate interest could be assumed, if the data subject is the controller’s client (recital 47 sentence 2 GDPR).
14. Legitimate processing interests pursued by the controller or by a third party
Where processing of personal data is based on point (f) of Article 6 (I) GDPR, our legitimate interest is the performance of our business activity to the benefit of all of our employees and our shareholders.
15. Duration for which the personal data is stored
The duration for which personal data is stored is the respective legally mandated retention period. After this period expires, the respective data is routinely deleted, provided it is no longer required for contract performance or entering into a contract.
16. Legal or contractual stipulations regarding the provision of personal data; requirement for
entering into a contract; obligation of the data subject to provide personal data; possible consequences of failure to provide
We would like to inform you that provision of personal data is partially legally mandated (e.g. tax regulations) or may be required by contractual stipulations (e.g. information about the contract partner). Occasionally entering into a contract may require the data subject to provide us with personal data which we then have to process. The data subject is, for instance, obligated to provide us with personal data, if our company enters into a contract with him or her. Failure to provide personal data would result in the data subject being prevented from entering into the contract. Prior to providing personal data, the data subject must contact one of our employees. Our employee will inform the data subject whether provision of personal data is legally or contractually mandated or required for entering into the contract in his or her case, whether there is an obligation to provide the personal data and what the consequences of failure to provide the personal data would be.
17. Existence of automated decision-making
Due to our sense of responsibility as a company, we do not use automated decision-making or profiling.