Privacy Statement

We believe that it is particularly important to handle your user data transparently. We, the company

mbi Unternehmensberatungs-GmbH
Weidenhäuser Str. 27
35625 Hüttenberg

as a data controller processor, would therefore like to provide you with detailed information on how your data is used when you visit our homepage www.winpaccs.de.

1. Definitions of terms

Our Privacy Statement is based on the terms used by the European regulator in the General Data Protection Regulation (GDPR). In order to ensure good readability and aid comprehension, we would like to explain the terms used in advance.

In this Privacy Statement the terms we use include:

a. Personal data

Personal data is all information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"). Identifiable is a natural person who can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

b. Data subject

Data subject is any identified or identifiable natural person whose personal data are processed by the controller.

c. Processing

Processing means any operation or series of operations carried out with or without the aid of automated procedures relating to personal data, such as the collection or entry, organization, arrangement, storage, adaptation or modification, retrieval, querying, application, disclosure by transmission, dissemination or any other form of provision, reconciliation or linking, restriction, deletion or destruction.

d. Restriction on processing

Restriction on processing is the marking of stored personal data with the aim of restricting its future processing.

e. Profiling

Profiling is any automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, conduct, whereabouts or relocation of that natural person.

f. Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organizational measures that ensure that the personal data is not assigned to an identified or identifiable natural person.

g. Data controller or data controller processor 

The data controller or data controller processor shall be the natural or legal person, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data. Where the purposes and means of such processing are laid down by Union law or by the law of the member states, the controller or the criteria laid down may be designated in accordance with Union law or the law of the Member States.

h. Contract processor

A contract processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller.

i. Recipient 

The recipient is a natural or legal person, authority, institution or other body to which personal data is disclosed, whether or not it is a third party. However, authorities which may receive personal data under Union law or the law of the member states within the framework of a particular investigation mandate shall not be regarded as recipients.

j. Third parties

A third party is a natural or legal person, authority, institution or other body other than the data subject, the data controller, the data processor and the persons authorised to process the personal data working under the direct responsibility of the data controller or the data processor.

k. Consent

Consent is any informed and unequivocal statement of intent, in the form of a statement or other clear affirmative act, voluntarily given by the data subject for that particular case, indicating that the data subject consents to personal data concerning him/her to be processed.

2. Collection of data

Our website collects a series of general data and information each time a data subject or an automated system visits it. This general data and information is stored in the log files of the server. The following information may be collected:

  • browser types and versions used,
  • the operating system used by the accessing system,
  • the website from which an accessing system reaches our website (so-called referrer),
  • the subpages which are accessed via an accessing system on our website,
  • the date and time of access to the Internet site,
  • the Internet Protocol address (IP address),
  • other similar data and information used for security purposes in the event of attacks on our information technology systems.

When using this general data and information we do not draw any conclusions about the data subject. In fact this information is needed to: 

  • correctly deliver the contents of our website,
  • ensure the long-term functionality of our information technology systems and the technology of our website, and
  • provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber attack.

We therefore evaluate this anonymously collected data and information statistically and with the aim of increasing data protection and data security in our company. Our goal is to ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject. The duration of the storage depends on whether the storage is still necessary for one of the aforementioned purposes.

3. Legal or contractual regulations for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subjects to provide the personal data; possible consequences of failure to provide the data

We would like to point out that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner). Under certain circumstances, it may be necessary for a contract to be concluded if a data subject provides us with personal data which must subsequently be processed by us, for example to carry out a contractual relationship. Failure to provide personal data would mean that the contract with the data subject could not be concluded. You can contact our data protection officer, who can inform you on a case-by-case basis about whether the provision of personal data is required by law or by contract or necessary for the conclusion of the contract, and whether there is an obligation to provide the personal data and what consequences the failure to provide the personal data would have in your individual case.

4. Communication option via the Internet 

Due to legal regulations, our website contains information that facilitates quick electronic contact with our company and allows you to communicate directly with us, which also includes a general address for so-called electronic mail (email address). If a data subject contacts the data controller via email or a contact form, the personal data transmitted by the data subject will be stored automatically. Such personal data voluntarily provided by a data subject to the controller will be stored for the purpose of processing or contacting the data subject. This personal data is not passed on to third parties. We delete the data arising in this context after storage is no longer necessary, or processing is restricted if statutory retention obligations exist.

For security reasons, we strongly recommend that you transmit emails in encrypted form only. There are considerable risks involved in the transmission of unencrypted messages. Therefore, please do not send us sensitive data by unencrypted email. Please use our contact form for encrypted communication.

5. Use of cookies

In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard disk in the browser you use and through which certain information flows to the place that sets the cookie. They serve to make the Internet offer more user-friendly and effective overall.

This website uses the following types of cookies, the scope and functionality of which are explained below:

  • Transient cookies (see a.)
  • Persistent cookies (see b.).

a. Transient cookies are automatically deleted when you close your browser. This includes in particular the session cookies. These store a so-called session ID, with which different requests of your browser can be assigned to the common session. This will allow your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close your browser.

b. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.

c. You can configure your browser settings according to your wishes and, for example, refuse the acceptance of third party cookies or all cookies. "Third Party Cookies" are cookies that have been set by a third party and therefore not by the actual website you are currently visiting. We would like to point out that you may not be able to use all functions of this website by deactivating cookies.

6. Google web fonts

This page uses so-called web fonts provided by Google to uniformly display fonts. When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.

To do this, your browser must connect to Google's servers. This gives Google knowledge that our website has been accessed via your IP address. The use of Google web fonts is in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

If your browser does not support web fonts, a default font is used by your computer. For more information about Google web fonts, please see https://developers.google.com/fonts/faq and Google's Privacy Statement: https://www.google.com/policies/privacy/.

7. Integration of Google Maps

This page uses the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

To use the features of Google Maps it is necessary to save your IP address. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission.

The use of Google Maps is in the interest of an appealing presentation of our online offers and an easy findability of the places indicated by us on the website. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.

More information about the handling of user data can be found in Google's Privacy Statement: https://www.google.de/intl/de/policies/privacy/.

8. Newsletter subscription

With your consent you can subscribe to our newsletter, which we use to inform you about our current interesting offers. The advertised goods and services are named in the declaration of consent.

We use the double opt-in procedure to subscribe to our newsletter. This means that after your registration we will send you an email to the specified email address in which we ask you to confirm that you would like the newsletter to be sent. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and the time of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

The only information required for sending the newsletter is your email address. The provision of further data is voluntary and will be used to address you personally. After your confirmation we will save your email address for the purpose of sending you the newsletter. The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.

You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can declare your revocation by clicking on the link provided in every newsletter email, via this form of the website, by email to info@mbi.de or by sending a message to the contact data stated in the legal notice.

9. Children

Our offer is basically aimed at adults. Persons under the age of 18 should not transmit any personal data to us without the consent of their parents or legal guardians.

10. Announcement of changes

Legal changes or changes to our internal processes may require an amendment to this Privacy Statement. In the event of such a change, we will inform you at the latest 6 weeks before it takes effect. In general, you have the right to object to the consent you have given. Please note that (if you do not make use of your right of revocation) the respective current version of the Privacy Statement is the valid one.

11. Revocation of consent/deletion of your personal data

You may at any time review, change or delete the personal information provided to us by sending an email to: datenschutz@mbi.de.

You also have the right to revoke consent once given with effect for the future at any time.

The personal data stored will be deleted if you revoke your consent to its storage. The controller shall process and store the personal data of the data subject only for the period necessary to achieve the data retention objective or to the extent provided for by the European regulator or another legislator in laws or regulations to which the controller is subject.

If the purpose of the storage expires or if a storage period prescribed by the European regulator or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

12. Rights of data subject

Every data subject shall have the right granted by the European regulator to require the controller to confirm whether personal data concerning him/her are being processed. If a data subject wishes to exercise this right of confirmation, he or she may contact our data protection officer or another employee of the data controller at any time.

Any data subject affected by the processing of personal data shall have the right granted by the European regulator to obtain, at any time and free of charge, information concerning the personal data held on him/her and a copy of that information from the controller.

Furthermore, the European regulator has granted the data subject access to the following information:

  • the processing purposes,
  • the categories of personal data being processed,
  • the recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organisations,
  • if possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining this period,
  • the existence of a right to have personal data concerning them rectified or deleted or to have processing restricted by the controller or a right to object to processing,
  • the existence of a right of appeal to a supervisory authority,
  • if the personal data are not collected from the data subject – all available information on the origin of the data,
  • the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and para. 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

Furthermore, the data subject has a right to know whether personal data have been transferred to a third country or an international organisation. If this is the case, the data subject also has the right to obtain information on the appropriate guarantees in connection with the transfer. If a data subject wishes to exercise this right to information, he or she may contact our data protection officer or another employee of the data controller at any time.

Any data subject concerned by the processing of personal data has the right granted by the European regulator to request the immediate rectification of inaccurate personal data concerning him/her. Furthermore, the data subject has the right, taking into account the purposes of the processing, to request the completion of incomplete personal data, including by means of a supplementary declaration.

If a data subject wishes to exercise this right of rectification, he/she may contact our data protection officer or another employee of the controller at any time.

Any data subject affected by the processing of personal data has the right granted by the European regulator to require the controller to delete personal data concerning him/her immediately (right of deletion) if one of the following reasons applies and if processing is not necessary: 

  • The personal data have been collected and otherwise processed for such purposes for which they are no longer necessary.
  • The data subject withdraws his/her consent on which the processing was based pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and there is no other legal basis for the processing.
  • The data subject objects to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 para. 2 GDPR.
  • The personal data was processed unlawfully.
  • The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
  • The personal data was collected in relation to information society services pursuant to Art. 8 para. 1 GDPR.

If one of the above reasons applies and a data subject wishes to have the personal data stored by us deleted, he/she may contact our data protection officer or another employee of the controller at any time. Our data protection officer or another employee will arrange for the deletion request to be complied with immediately.

If the personal data has been made public by us and our company is responsible for deleting the personal data pursuant to Art. 17 para. 1 GDPR, we are obliged to delete the personal data, taking into account the available technology and the implementation costs of appropriate measures, including technical measures, to inform other data processors who process the published personal data, that the data subject has requested the deletion of all links to this personal data or data related to copies or replications of this person from these other data processors, insofar as the processing is not necessary. Our data protection officer or another employee will take the necessary steps in individual cases.

Any data subject concerned by the processing of personal data shall have the right granted by the European regulator to require the controller to restrict the processing if one of the following conditions is met:

  • The accuracy of the personal data is disputed by the data subject for a period of time that allows the data controller to verify the accuracy of the personal data.
  • The processing is unlawful, the data subject refuses the deletion of the personal data and instead requests a restriction on the use of the personal data.
  • The data controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to assert, exercise or defend legal claims.
  • The data subject has filed an objection against the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the data controller's legitimate interests in the processing outweigh those of the data subjects.

If one of the above conditions is met and a data subject wishes to request the restriction of personal data stored by us, he/she may contact our data protection officer or another employee of the controller at any time. Our data protection officer or another employee will have the processing restricted.

Any data subject shall have the right granted by the European regulator to receive personal data concerning him/her provided by him-/herself to a controller in a structured, current and machine-readable format (right to data transferability). He/she also has the right to transmit this data to another data controller without restriction by the controller to whom the personal data had been made available, provided that the processing is based on the consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and that the processing is carried out using automated procedures, provided that the processing is not necessary for the performance of a task in the public interest or in the exercise of public authority which was transferred to the controller.

Furthermore, in exercising his right to data transferability pursuant to Art. 20 para. 1 GDPR, the data subject has the right to demand that the personal data are transferred directly from one data controller to another data controller, provided this is technically feasible and provided that the rights and freedoms of other persons are not affected thereby.

To assert the right to data transferability, the data subject may contact our data protection officer or another employee at any time.

Any data subject affected by the processing of personal data has the right granted by the European regulator to object at any time, for reasons arising from his/her particular situation, to the processing of personal data concerning him/her on the basis of Art. 6 para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions.

We will no longer process personal data in the event of an objection, unless we can prove compelling reasons worthy of protection for the processing, which outweigh the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.

If we process personal data for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling insofar as it is connected with such direct advertising. If the data subject objects to our processing for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, the data subject has the right to object to the processing of personal data concerning him/her which we carry out for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, for reasons arising from his or her particular situation, unless such processing is necessary for the performance of a task in the public interest.

To exercise the right of objection, the data subject may contact our data protection officer or another employee directly. The data subject shall also be free to exercise his right of opposition in relation to the use of information society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.

Any data subject affected by the processing of personal data shall have the right granted by the European legislator of directives and regulations not to be subject to a decision based exclusively on automated processing, including profiling, which has legal effect against him or significantly affects him or her in a similar manner, provided that the decision:

  1. is not necessary for the conclusion or performance of a contract between the data subject and the data controller, or
  2. is permitted by the laws of the Union or the Member States to which the data controller is subject, and such laws contain appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, or
  3. with the data subject's express consent.

If the decision is: 

  1. required for the conclusion or performance of a contract between the data subject and the data controller, or
  2. with the express consent of the data subject,

we shall take reasonable measures to safeguard the rights, freedoms and legitimate interests of the data subjects, including at least the right to obtain the intervention of a person by the data controller, to state his own position and to challenge the decision.

If the data subject wishes to assert rights relating to automated decisions, he/she may contact our data protection officer or another employee of the data controller at any time.

Any data subject affected by the processing of personal data has the right granted by the European regulator to withdraw consent to the processing of personal data at any time.

If the data subject wishes to exercise his or her right of withdrawal of consent, he or she may contact our Data Protection Officer or any other employee of the data controller at any time.

13. Legal basis of processing

a. Consent

Article 6 para. 1 lit. a GDPR serves our company as a legal basis for processing operations for which we obtain consent for a specific processing purpose.

b. Necessity for contract fulfilment

If the processing of data subject data is necessary for the performance of a contract to which the data subject is a contractual party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of another service or a service in return, the processing is based on Art. 6 para. 1 lit. b of the GDPR. The same applies to such processing operations that are necessary for carrying out pre-contractual measures, for example in cases of enquiries about our products or services.

c. Legal obligation or protection of vital interests

If our company is subject to a legal obligation requiring the processing of personal data, such as the fulfilment of tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR. In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information had to be passed on to a doctor, a hospital or other third parties. Then the processing would be based on Art. 6 para. 1 lit. d GDPR.

d. Justifiable interest

Finally, processing operations could be based on Art. 6 para. 1 lit. f of the GDPR. Processing operations which are not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. Such processing procedures are permitted to us in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if the data subject is a customer of the data processor (recital 47, second sentence, GDPR). We base the processing of your data in the context of the use of Google Web fonts and Google Maps on a legitimate interest. Our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR is to enable you to use our site in as customer-friendly a way as possible.

14. The person responsible/your contact person

If you have any questions regarding the collection, processing or use of your personal data, the disclosure, correction, blocking or deletion of data, or the revocation of consents granted or objections to a specific use of data, please contact the responsible body or its data protection officer directly. The responsible body is:

mbi Unternehmensberatungs-GmbH
Weidenhaeuser Str. 27
35625 Huettenberg
Germany

Phone: +49 (0) 6441 7809-0
Fax: +49 (0) 6441 7809-30

Email: info@mbi.de 

Our Data Protection Officer is Dr Christian Velten, datenschutz@mbi.de.