DATA PROTECTION STATEMENT BY ITW FASTENER PRODUCTS

in accordance with the EU ordinance 2016/679 adopted by the European Parliament and ratified by the Council on 27 April 2016 for the protection of natural persons when personal data is processed and for the free movement of such data (hereinafter known as GDPR [DSGVO]).

A. INTRODUCTION AND DEFINITIONS

This document provides information on the type and scope of data processing and the protection of personal data. The document is addressed to you – our customers, suppliers, and business associates (including your employees or co-operating third parties). This document describes how personal data is processed by Gesellschaft ITW Fastener Products GmbH, based at Am Pulverhäuschen 7, in 67677 Enkenbach-Alsenborn, VAT registration number: DE 815121918, entered in the commercial register of the registry court in Iserlohn (hereinafter known as «Controller»).
Personal data – includes all information about an identified or identifiable natural person («Person concerned»). An identifiable natural person is a person who can be identified either directly or indirectly, in particular by means of reference to identifying information such as a name, an identification number, information about a location, online identification, or one or more specific factors of physical, physiological, genetic, financial, cultural or social identity of this natural person.
Sensitive personal data – specific categories of personal data which could reveal race or ethnic origin, religion, political or philosophical beliefs, trade union membership, information about state of health or sex life, genetic data or biometric data resulting in clear identification of the person.
Processing – each procedure or that group of procedures carried out with personal data, regardless of whether they are automatically recorded, listed, organised, structured, modified or amended, called off, consulted, used, made accessible as a result of data transfer, dissemination or by other means, developed or combined, restricted, deleted or destroyed.
Person processing the data – a natural person or legal entity, authority, agency, or other body which processes personal data for the Controller.
Recipient – natural person or legal entity, authority, agency or other body to whom personal data is forwarded, regardless of whether they are third parties or not. However, authorities which may receive personal data as part of a special investigation in accordance with the law of a member state shall not be regarded as Recipients. This personal data must be processed by these authorities in compliance with the data protection regulations in force for the purposes for which the processing is to be carried out.
Person concerned – natural person to whom the personal data refers. This may also include employees, members of corporate bodies, persons working together with you.
Third Party – a natural person or legal entity, an authority or other body which is not the Person concerned, the Controller, the Person processing the data, or a person reporting directly to the Controller, or to the Person processing the data.

B. NATURE OF THE COLLECTED PERSONAL DATA

The Controller may process data about you or the persons concerned prior to, or during the contract, in particular that personal data which you made available to the Controller (responsible for handling the contract) prior to or during the contract. The Controller shall, inter alia, process the following types of personal data:
  • Information serving for identification purposes such as title, first name, surname, date of birth, position or name of employer,
  • Contact data such as permanent home address, telephone numbers and e-mail addresses,
  • Information from the other party in communications, e.g. information in e-mails, lists of telephone conversations, minutes of meetings, contact forms, or from applications submitted via our website or help desk;
  • Invoice and transaction data such as bank account numbers, invoice information, payment information received;
  • Geo-localisation information, such as, for example, information from your internet browser or from mobile applications which you use;
  • Image files of video surveillance and the information about the input of electronic access control Systems.

C. PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

The Controller collects and uses the data make available by you in order to fulfil an agreement or a contract which is to be or will be entered into between you and the Controller. Moreover, the Controller also collects the personal data made available by you, provided that it is necessary to do so under the relevant legal regulations or as a result of a ruling passed by the authorities.
In the cases in which it is not necessary to process personal data to fulfil the contract or has not been prescribed by law, the Controller will expressly ask for your consent in a limited number of cases or request that the data is secured. This shall apply for specific types of use of the personal data. If the Controller requests your consent, you will always have the option to refuse it. If you grant your consent, the person concerned who has granted the consent shall be entitled to revoke it at any time.
Moreover, the Controller can also collect and process personal data without consent being granted, if this is necessary for the Controller’s other lawful purposes, for example:
  • For the management and development of business relationships;
  • To ensure the security and protection of assets and other legitimate interests of the Controller;
  • For investigating possible incidents or breaches against the obligations created by the law and / or regulations;
  • If it is necessary for compliance with the regulations, such as, for example, the collection and provision of personal data in accordance with the statutory regulations, tax laws, or at the request of the police;
  • When court authorisation is submitted, or when exercising, or defending the statutory rights of the Controller;
  • If it is necessary to protect your life (or the life of another person).
  • In addition to this we may have a justified interest in taking advertising measures or mounting marketing campaigns based on Article 6 Para 1 (f) of the GDPR [DSGVO], provided that your consent is not required for such purposes.
  • With regard to possible compliance-related activities, Article 6 Para 1 (c) as well as Article 6 Para 1 (f) GDPR [DSGVO] shall be regarded as the legal bases, since the processing of the respective personal data may be necessary for our justified interests. Such legitimate interests will consist in relevant breaches being reported to us and that compliance with the laws in force will be investigated.
  • Insofar as we forward your personal data to other companies within our group than the IT service provider operating throughout our group, and this is not done as part of processing an order, Article 6 Para 1 (f) GDPR [DSGVO] shall be regarded as the legal basis for such transfers. Our legitimate interest in this respect shall be (i) a centralised global approach with standardized processes and (ii) cost cutting, as a result of centralising IT operations.

D. PROCESSING PERSONAL DATA

The Controller may also forward the personal data provided to third parties as well, including, but not restricted to:
  • Other companies forming a group of companies with the Controller
  • Persons providing the Controller with goods or services (e.g. financial, tax or legal advisers, other consultants, suppliers of storage or webmail/information systems, disposal service providers);
  • Other third parties, if it concerns the forwarding of personal data subject to your consent or guaranteeing compliance with legal obligations, the submission of an actual or potential claim or the defence against an actual or potential claim or the protection of your life (or of the life of another person), the fulfilment of the contracts entered into between the Controller and third parties.
The recipients named above may be located in a country outside the EU. There may possibly not be any adequate level of data protection in such a country compared with the level of data protection afforded within the European Union. This means that the data protection laws in this country to which we transfer data may possibly not offer the same level of protection as that which exists in Germany. Generally your data will be forwarded to third party countries not having an adequate level of data protection subject to the so-called EU standard contract clauses. You may obtain a copy of these protective measures from datenschutz@itw-efc.com.

E. DATA STORAGE PERIOD

personal data shall only be stored in safekeeping for that period of time required to fulfil the purposes described here (or other purposes which may also be stipulated) or elsewhere as a result of agreements between the Controller and third parties, in laws in force and other internal regulations of the Controller.

F. SOURCES OF PERSONAL DATA

We shall receive the most personal of details directly from you, based upon our communication during our business relationship, not only during the pre-contractual stage, but also while the contract is being handled. In addition to this, personal data may also come from sources accessible by the public, public registers and lists (e.g. company registers, registers of debtors, professional registers. The Seller may also receive personal data from third parties who are entitled to access personal data and to process it. The Controller may obtain personal data from electronic controlled access systems or video surveillance (if there is any) within his own premises.

G. RIGHTS OF THE PERSON CONCERNED

Every person concerned shall have the following rights:
– The right to information (Article 15 GDPR [DS-GVO])
In accordance with Article 15 of the GDPR [DS-GVO] the person concerned has the right to request confirmation from the Controller as to whether it will be processing personal data; if this is the case, the person concerned shall be entitled to have information about this personal data and about the following information: the purposes for which it is being processed, the categories of personal data which are being processed; the recipients or categories of recipients to whom the personal data has been disclosed or will be disclosed, in particular to recipients in third party countries or international organisations; if possible the intended duration for which the personal data is to be stored or, if this is not possible, the criteria to be applied for determining this period of time; the existence of a right to have the personal data concerning the person concerned corrected or deleted, or to have processing by the Controller restricted or a right to object to such processing, the existence of a right to lodge a complaint with a supervisory body; if the personal data is not collected from the concerned person, all available information about the origin of the data; the existence of an automated decision-making system including profiling in accordance with Article 22 Paragraphs 1 and 4 and – in these cases at least – meaningful information about the logic involved as well as the scope and impact sought after from such processing for the concerned person.
– Correction of personal data (Article 16 GDPR [DS-GVO])
In accordance with Article 16 GDPR [DS-GVO], the person concerned shall be entitled to have personal data being processed by the Controller corrected. The person concerned shall also be obliged to report changes to his personal data and submit proof that such a change has taken place. At the same time collaboration will be necessary if it is noted that the personal data processed by the Controller is not correct. The remedy is to be carried out straight away, always however, taking technical limitations into account.
– Deletion / The right to be forgotten personal data (Article 17 GDPR [DS-GVO])
In accordance with Article 17 of GDPR [DS-GVO], the person concerned shall be entitled to have the personal data concerning him deleted by the Controller immediately, if the Controller is unable to prove that it has justified reasons for not doing so. The Controller has mechanisms for automatic anonymization or the deletion of personal data, if this is no longer required for the purpose for which it is being processed.
– Restrictions placed on the processing of personal data (Article 18 GDPR [DS-GVO])
As a person concerned, you will be entitled to restrict processing subject to the preconditions in Article 18 of the GDPR [DS-GVO]. That means that you will be entitled to demand that we restrict processing if one of the preconditions stated in Article 18 Paragraph 1 of the GDPR is extant. This may, for example, be the case if you contest the accuracy of the personal data. The restriction on processing shall in this case be imposed for a period of time enabling us to verify the accuracy of the personal data (Article 18 Paragraph 1 Letter a of the GDPR [DS-GVO]). A restriction means marking saved data with the objective of restricting the future processing of your data. (Article 4 Number 3 of the GDPR [DS-GVO]).
– Non-transferability of personal data (Article 20 GDPR [DS-GVO]),
The person concerned shall be entitled to receive the personal data concerning him which he has made available to a Controller in a structured, accessible format which can be read by a computer, and has the right to have this data transferred to another Controller without being hindered by the Controller to which the personal data was submitted, provided that
  • The processing is based upon consent in accordance with Article 6 Paragraph 1 Letter a or Article 9 Paragraph 2 Letter a or on a contract in accordance with Article 6 Paragraph 1 Letter b of the GDPR [DS-GVO] and
  • The processing is effected by means of an automated procedure.
– When exercising your right to have data transferred in accordance with Paragraph 1, the person concerned shall be entitled to have the personal data transferred directly from one Controller to another Controller, provided that this is technically feasible.
– Exercising the right in Paragraph 1 of this Article shall not affect Article 17. This right shall not apply for processing transferred to the Controller which is necessary to carry out a task in the public interest or when exercising public authority.
– The right in accordance with Paragraph 1 must not impair the rights and freedoms of other persons.
– Objection to the processing of personal data (Article 21 GDPR [DS-GVO])
In accordance with Article 21 GDPR [DS-GVO]) the person concerned shall be entitled to raise an objection to having his personal data processed, if the objective of having the personal data processed is that the Controller has a justified interest in having the personal data processed. If the Controller is unable to prove that there is a serious legitimate reason for processing, thus rendering invalidating the interests or rights or freedoms of the person concerned, the Controller must cease processing the personal data forthwith.
– not subjected to an automated individual decision
The person concerned shall have the right to not to be subject to a decision based solely upon automated processing including the production of profiles if it has a legal impact upon that person or is highly detrimental to that person by similar means.
– Revocation of the consent to processing personal data
If the Controller processes personal data on the basis of consent, the person concerned shall be entitled to revoke his consent at any time.
Please note that in connection with the rights or the person concerned described above there may be restrictions on, or exceptions to exercising a right. The Controller for the processing shall collaborate with the person concerned to discuss possible exceptions or restrictions in the event that the person concerned should wish to make use of his right. If you should have any queries about the rights of the person concerned, or if you as the person concerned would like to exercise these rights in connection with the personal data contained in this data protection statement, please contact the Data Protection Officer of the Controller whose contact details are below.
You will, moreover, have the right to apply to the Data Protection Supervisory Authority. The responsible supervisory authority is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz, Prof. Dr. Dieter Kugelmann
Office address:
Hintere Bleiche 34 55116 Mainz or postal address: Postfach 30 40 55020 Mainz.

H. SECURITY OF PERSONAL DATA

The Controller is aware of the significance and value of personal data and has therefore taken organisational and technical measures to guarantee the safety of your personal data. The administration and processing of personal data shall be carried out in compliance with all applicable laws, in particular with the GDPR [DS-GVO], but also with the laws for the protection of the personal rights of a natural person. Persons who handle personal data are subject to a non-disclosure undertaking and must comply with the statutory and internal regulations of the Controller.

I. CONTACT DATA OF THE CONTROLLER

If you should have any queries or comments regarding exercising your rights or in connection with this data protection statement, you may contact us at any time: ITW Fastener Products GmbH Am Pulverhäuschen 7 67677 Enkenbach-Alsenborn; datenschutz@itw-efc.com.
Our Data Protection Officer may be contacted at: datenschutz@itw-efc.com.
This data protection statement comes into force on 25 May 2018. The Controller is entitled to amend this data protection statement at any time whereby a new version will be published on the Controller’s Website.