Privacy: KOCH Pac-Systeme GmbH

1. Introduction

With the following information, we would like to provide you, as the “data subject,” with an overview of how we process your personal data and of your rights under data protection laws. In principle, it is possible to use our website without providing personal data. However, if you wish to make use of special services offered by our company via our website, the processing of personal data may become necessary. Where the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.

The processing of personal data, for example your name, address, or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to “KOCH Pac-Systeme GmbH.” By means of this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use, and process.

As the controller responsible for processing, we have implemented numerous technical and organizational measures to ensure the most complete protection possible of personal data processed via this website. Nevertheless, internet-based data transmissions may generally have security gaps, so absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us via alternative means, for example by telephone or by post.

You too can take simple and easy-to-implement measures to protect yourself against unauthorized access to your data by third parties. Therefore, we would like to provide you with some guidance here on how to handle your data securely:

l Protect your account (login, user account, or customer account) and your IT system (computer, laptop, tablet, or mobile device) with secure passwords.

l Only you should have access to your passwords.

l Make sure that you always use your passwords for only one account (login, user account, or customer account).

l Do not use one password for different websites, applications, or online services.

l Especially when using publicly accessible IT systems or IT systems shared with other persons, you should always log out after each login on a website, application, or online service.

Passwords should consist of at least 12 characters and be chosen so that they cannot be easily guessed. Therefore, they should not contain common everyday words, your own name, or names of relatives, but should include uppercase and lowercase letters, numbers, and special characters.

2. Controller

The controller within the meaning of the GDPR is:

KOCH Pac-Systeme GmbH

Dieselstraße 13, 72285 Pfalzgrafenweiler, Germany

3. Data Protection Officer

You can contact the Data Protection Officer at the above address or by email at datenschutzteam@ds-be.de

You may contact our Data Protection Officer directly at any time with any questions or suggestions regarding data protection.

4. Legal Basis for Processing

Art. 6 para. 1 lit. a) GDPR (in conjunction with Section 25 para. 1 TDDDG (formerly TTDSG)) serves as the legal basis for our company for processing operations where we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of any other service or consideration, the processing is based on Art. 6 para. 1 lit. b) GDPR. The same applies to such processing operations that are necessary for carrying out pre-contractual measures, for example in cases of inquiries about our products or services.

If our company is subject to a legal obligation requiring the processing of personal data, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c) GDPR.

Ultimately, processing operations may be based on Art. 6 para. 1 lit. f) GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not override those interests. Such processing operations are permitted to us in particular because they have been specifically mentioned by the European legislator. In this respect, the legislator took the view that a legitimate interest could be assumed if you are a customer of our company (Recital 47 sentence 2 GDPR).

Our offer is generally aimed at adults. Persons under the age of 16 may not transmit personal data to us without the consent of their parents or legal guardians. We do not request personal data from children or adolescents, do not collect such data, and do not disclose it to third parties.

5. Transfer of Data to Third Parties

Your personal data will not be transferred to third parties for purposes other than those listed below.

We only share your personal data with third parties if:

1. you have given your express consent pursuant to Art. 6 para. 1 lit. a) GDPR,

2. the disclosure is permissible pursuant to Art. 6 para. 1 lit. f) GDPR for the protection of our legitimate interests and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed,

3. there is a legal obligation for the disclosure pursuant to Art. 6 para. 1 lit. c) GDPR, and

4. this is legally permissible and necessary pursuant to Art. 6 para. 1 lit. b) GDPR for the processing of contractual relationships with you.

In order to protect your data and, if necessary, enable data transfers to third countries (outside the EU/EEA), we have concluded data processing agreements based on the European Commission’s Standard Contractual Clauses. If the Standard Contractual Clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 para. 1 lit. a) GDPR may serve as the legal basis for transfers to third countries. This may not apply where the European Commission has issued an adequacy decision for the third country in accordance with Art. 45 GDPR.

Your personal data will not be transferred to third parties for purposes other than those listed below.

6. Technology

6.1 SSL/TLS Encryption

To ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data, or contact inquiries that you send to us as the website operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the browser address line changes from “http://” to “https://” and by the lock symbol in your browser bar.

We use this technology to protect the data you transmit.

6.2 Data Collection When Visiting the Website

When you use our website for information purposes only, that is, if you do not register or otherwise provide us with information or do not consent to processing that requires consent, we only collect data that is technically necessary to provide the service. This regularly includes data that your browser transmits to our server (“so-called server log files”). Each time our website is accessed by you or an automated system, our website collects a series of general data and information. This general data and information is stored in the server log files. The following may be collected:

1. browser types and versions used,

2. the operating system used by the accessing system,

3. the website from which an accessing system reaches our website (so-called referrer),

4. the subpages accessed on our website via an accessing system,

5. the date and time of access to the website,

6. an internet protocol address (IP address), and

7. the internet service provider of the accessing system.

When using this general data and information, we do not draw any conclusions about your person. Rather, this information is needed in order to

1. deliver the content of our website correctly,

2. optimize the content of our website as well as advertising for it,

3. ensure the long-term functionality of our IT systems and the technology of our website, and

4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

Therefore, we evaluate this collected data and information statistically on the one hand and also with the aim of increasing data protection and data security in our company in order ultimately to ensure an optimal level of protection for the personal data we process. The data of the server log files is stored separately from all personal data provided by a data subject.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interest follows from the purposes for data collection listed above.

6.3 Cloudflare (Content Delivery Network)

Our website uses functions of CloudFlare. The provider is CloudFlare, Inc., 665 3rd St. #200, San Francisco, CA 94107, USA.

CloudFlare offers a globally distributed content delivery network with DNS. Technically, the transfer of information between your browser and our website is routed through CloudFlare’s network. This enables CloudFlare to analyze the traffic between users and our websites, for example to detect and defend against attacks on our services. In addition, CloudFlare may store cookies on your computer for optimization and analysis purposes.

You can configure your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

We have concluded an appropriate data processing agreement with Cloudflare on the basis of the GDPR and/or EU Standard Contractual Clauses. Cloudflare collects statistical data about visits to this website. Access data includes: the name of the retrieved website, file, date and time of retrieval, amount of data transferred, message about successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider. Cloudflare uses the log data for statistical evaluations for the purpose of operation, security, and optimization of the offering.

If you have consented to the use of Cloudflare, the legal basis for processing personal data is Art. 6 para. 1 lit. a) GDPR. We also have a legitimate interest in using Cloudflare in order to optimize our online offering and make it more secure. The relevant legal basis is Art. 6 para. 1 lit. f) GDPR. The personal data will be stored for as long as necessary to fulfill the purpose of processing. The data will be deleted as soon as it is no longer required for the purpose.

This US company is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 GDPR is therefore in place, meaning that personal data may be transferred without further safeguards or additional measures.

Further information about CloudFlare can be found at: www.cloudflare.com/privacypolicy/.

7. Cookies

7.1 General Information About Cookies

Cookies are small files that your browser automatically creates and that are stored on your IT system (laptop, tablet, smartphone, etc.) when you visit our site.

Information is stored in the cookie that results in each case from the connection with the specific device used. However, this does not mean that we obtain direct knowledge of your identity.

The use of cookies serves to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted after you leave our site.

In addition, we also use temporary cookies to optimize user-friendliness, which are stored on your device for a defined period of time. If you visit our site again to use our services, it is automatically recognized that you have visited us before and which entries and settings you made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our website and to evaluate our offer for optimization purposes. These cookies enable us to automatically recognize when you visit our website again that you have already visited it before. These cookies are automatically deleted after a defined period. The respective storage period of cookies can be found in the settings of the consent tool used.

7.2 Legal Basis for the Use of Cookies

The data processed by cookies that are required for the proper functioning of the website are necessary to safeguard our legitimate interests as well as those of third parties in accordance with Art. 6 para. 1 lit. f) GDPR.

For all other cookies, you have given your consent via our opt-in cookie banner within the meaning of Art. 6 para. 1 lit. a) GDPR.

7.3 Information on Avoiding Cookies in Common Browsers

You can delete cookies, allow only selected cookies, or completely deactivate cookies at any time via the settings of your browser. Further information can be found on the support pages of the respective providers:

l Chrome: support.google.com/chrome/answer/95647.

l Safari: support.apple.com/de-at/guide/safari/sfri11471/mac.

l Firefox: support.mozilla.org/de/kb/cookies-und-website-daten-in-firefox-loschen.

l Microsoft Edge: support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09.

7.4 Cookiebot (Consent Management Tool)

We use the consent management tool “Cookiebot” from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. This service enables us to obtain and manage the consent of website visitors to data processing.

Cookiebot collects data generated by end users who use our website. When an end user gives consent via the cookie consent tool, Cookiebot automatically logs the following data:

l The end user’s IP number in anonymized form (the last three digits are set to 0)

l Date and time of consent.

l Browser user agent of the end user.

l The URL from which the consent was sent.

l An anonymous, random, and encrypted key.

l The end user’s consent status, which serves as proof of consent.

The key and consent status are also stored in the end user’s browser in the “CookieConsent” cookie so that the website can automatically read and follow the end user’s consent on all subsequent page requests and future end user sessions for up to 12 months. The key is used for proof of consent and for an option to check whether the consent status stored in the end user’s browser is unchanged compared to the original consent transmitted to Usercentrics.

The functionality of the website cannot be guaranteed without this processing. The “CookieConsent” cookie set by Cookiebot is classified as necessary. The user has no option to object as long as there is a legal obligation to obtain the user’s consent for certain data processing operations (Art. 7 para. 1, 6 para. 1 sentence 1 lit. c) GDPR).

Usercentrics is the recipient of your personal data and acts as our processor.

Detailed information on the use of Cookiebot can be found at: www.cookiebot.com/de/privacy-policy/.

8. Content of Our Website

8.1 Contact / Contact Form

Personal data is collected when you contact us (e.g. via contact form or email). Which data is collected in the case of using a contact form can be seen from the respective contact form. This data is stored and used exclusively for the purpose of responding to your inquiry or for contacting you and the associated technical administration. The legal basis for processing the data is our legitimate interest in responding to your inquiry pursuant to Art. 6 para. 1 lit. f) GDPR. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b) GDPR. Your data will be deleted after your inquiry has been finally processed; this is the case when it can be inferred from the circumstances that the relevant matter has been conclusively clarified and provided that there are no statutory retention obligations preventing deletion.

8.2 Application Management / Job Board

We collect and process the personal data of applicants for the purpose of handling the application process. Processing may also take place electronically. This is particularly the case if an applicant submits relevant application documents electronically, for example by email or via a web form on the website. If we conclude an employment or service contract with an applicant, the transmitted data will be stored for the purpose of handling the employment relationship in compliance with legal regulations. If no contract is concluded with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, provided that no other legitimate interests of ours oppose deletion. Another legitimate interest in this sense is, for example, an obligation to provide evidence in proceedings under the General Equal Treatment Act (AGG).

The legal basis for processing your data is Art. 6 para. 1 lit. b), 88 GDPR in conjunction with Section 26 para. 1 BDSG.

9. Newsletter Distribution

9.1 Newsletter Distribution to Existing Customers

If you have provided us with your email address when purchasing goods or services, we reserve the right to regularly send you offers by email for similar goods or services from our range to those you have already purchased. According to Section 7 para. 3 UWG, we do not need to obtain separate consent from you for this. In this respect, data processing is based solely on our legitimate interest in personalized direct advertising pursuant to Art. 6 para. 1 lit. f) GDPR. If you initially objected to the use of your email address for this purpose, we will not send you emails. You are entitled to object to the use of your email address for the aforementioned advertising purpose at any time with effect for the future by notifying the controller named at the beginning. You will only incur transmission costs according to the basic rates for this. Upon receipt of your objection, the use of your email address for advertising purposes will be stopped immediately.

9.2 Advertising Newsletter

On our website, you are given the opportunity to subscribe to our company newsletter. Which personal data is transmitted to us when ordering the newsletter can be seen from the input form used for this purpose.

We inform our customers and business partners at regular intervals by means of a newsletter about our offers. Our company newsletter can generally only be received by you if

1. you have a valid email address and

2. you have registered for newsletter distribution.

For legal reasons, a confirmation email is sent to the email address you entered for newsletter distribution for the first time using the double opt-in procedure. This confirmation email serves to verify whether you, as the owner of the email address, have authorized receipt of the newsletter.

When registering for the newsletter, we also store the IP address assigned by your internet service provider (ISP) to the IT system used at the time of registration, as well as the date and time of registration. The collection of this data is necessary in order to be able to trace any possible misuse of your email address at a later time and therefore serves our legal protection.

The personal data collected in the course of a newsletter registration is used exclusively for sending our newsletter. Furthermore, newsletter subscribers may be informed by email if this is necessary for the operation of the newsletter service or a registration in this regard, as may be the case in the event of changes to the newsletter offer or changes in technical circumstances. Personal data collected as part of the newsletter service will not be disclosed to third parties. You may cancel your subscription to our newsletter at any time. The consent you have given us to store personal data for newsletter distribution may be revoked at any time. For the purpose of revoking consent, a corresponding link can be found in every newsletter. You also have the option to unsubscribe from the newsletter directly on our website at any time or to notify us of this in another way.

The legal basis for data processing for the purpose of sending the newsletter is Art. 6 para. 1 lit. a) GDPR.

9.3 Newsletter Tracking

Our newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in emails sent in HTML format in order to enable log file recording and log file analysis. This allows a statistical evaluation of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, the company can recognize whether and when an email was opened by you and which links contained in the email were accessed by you.

Such personal data collected via the tracking pixels contained in the newsletters is stored and evaluated by us in order to optimize newsletter distribution and adapt the content of future newsletters even better to your interests. This personal data is not disclosed to third parties. Data subjects are entitled at any time to revoke the separate declaration of consent given in this regard via the double opt-in procedure. After revocation, this personal data will be deleted by us. Unsubscribing from the receipt of the newsletter is automatically interpreted by us as a revocation.

Such evaluation is carried out in particular pursuant to Art. 6 para. 1 lit. f) GDPR on the basis of our legitimate interests in displaying personalized advertising, market research, and/or needs-based design of our website.

9.4 CleverReach

This website uses CleverReach for sending newsletters. The provider is CleverReach GmbH & Co. KG, (CRASH Building), Schafjückenweg 2, 26180 Rastede. CleverReach is a service that can be used to organize and analyze newsletter distribution. The data you enter for the purpose of receiving the newsletter (e.g. the email address) is stored on CleverReach servers in Germany or Ireland.

Our newsletters sent with CleverReach enable us to analyze the behavior of newsletter recipients. Among other things, it can be analyzed how many recipients opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a predefined action (e.g. the purchase of a product on our website) has taken place after clicking the link in the newsletter. Further information on data analysis by CleverReach newsletters can be found at: www.cleverreach.com/de/funktionen/reporting-und-tracking/.

Data processing is based on your consent (Art. 6 para. 1 lit. a) GDPR). You may revoke this consent at any time by unsubscribing from the newsletter. The lawfulness of data processing operations already carried out remains unaffected by the revocation.

If you do not want any analysis by CleverReach, you must unsubscribe from the newsletter. We provide a corresponding link for this in every newsletter message. You can also unsubscribe directly on the website.

You may revoke your consent at any time. You can also prevent processing at any time by unsubscribing from the newsletter. You can also prevent the storage of cookies by adjusting your web browser settings accordingly. You can also prevent the storage and transmission of personal data by disabling JavaScript in your web browser or installing a JavaScript blocker (e.g. noscript.net or www.ghostery.com). Please note that as a result of these measures, not all functions of our website may be available.

The data you have provided to us for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from both our servers and the servers of CleverReach after you unsubscribe. Data stored by us for other purposes (e.g. email addresses for the members’ area) remains unaffected.

You can view CleverReach’s privacy policy at: www.cleverreach.com/de/datenschutz/.

10. Our Activities on Social Networks

In order to communicate with you on social networks and inform you about our services, we maintain our own pages there. If you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the processing operations triggered thereby, within the meaning of Art. 26 GDPR.

We are not the original provider of these pages, but merely use them within the scope of the possibilities offered to us by the respective providers.

Therefore, as a precaution, we point out that your data may also be processed outside the European Union or the European Economic Area. Use of these networks may therefore involve data protection risks for you, because safeguarding your rights, such as access, deletion, objection, etc., may be more difficult, and because processing in social networks is often carried out directly by the providers for advertising purposes or to analyze user behavior without our being able to influence this. If usage profiles are created by the provider, cookies are often used or the usage behavior is assigned to your own member profile created by you for the social networks.

The described processing operations of personal data are carried out in accordance with Art. 6 para. 1 lit. f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in being able to communicate with you in a contemporary manner and inform you about our services. If you are required by the respective providers to give consent to data processing as a user, the legal basis is Art. 6 para. 1 lit. a) GDPR in conjunction with Art. 7 GDPR.

Since we do not have access to the providers’ databases, we point out that you are best advised to assert your rights (e.g. to information, rectification, deletion, etc.) directly with the respective provider. Further information on the processing of your data on social networks is set out below for each provider of social networks used by us:

10.1 Facebook

(Joint) controller for data processing in Europe:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Meta (Facebook) may, unless an objection is made, process content of adult users from the EU, such as photos, posts, or comments, to train its own AI models. The basis is a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. We as a company have no influence on this specific data processing by Meta. Users can object via an online form on Meta platforms.

www.facebook.com/about/privacy

10.2 Instagram

(Joint) controller for data processing in Germany:

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Meta (Instagram) may, unless an objection is made, process content of adult users from the EU, such as photos, posts, or comments, to train its own AI models. We as a company have no influence on this specific data processing. The basis is a legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. Users can object via an online form on Meta platforms.

instagram.com/legal/privacy/

10.3 LinkedIn

(Joint) controller for data processing in Europe:

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

www.linkedin.com/legal/privacy-policy

10.4 YouTube

(Joint) controller for data processing in Europe:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

policies.google.com/privacy

11. Web Analytics

11.1 LinkedIn Pixel (Insight Tag)

This website uses LinkedIn Insights of LinkedIn Corporation, 1000 W Maude Ave, Sunnyvale, CA 94085, USA (LinkedIn). If express consent is granted, user behavior can be tracked in this way.

The procedure is used to evaluate the effectiveness of advertisements for statistical and market research purposes and can help optimize future advertising measures. Through the LinkedIn Pixel, we receive enhanced information about prospective customers for our products, including job titles, employers, or the industry in which they work.

When visiting the website, the following data may also be processed by the LinkedIn Pixel, among others:

l IP address

l Interactions on our website (e.g. page views, clicks, conversions)

l Browser type/version

l Operating system used

l Referrer URL (previously visited page)

l Time of the server request

Direct identifiers are automatically removed from LinkedIn’s dataset within seven days, and the data is deleted after 180 days. The storage period of the cookie can be found in our consent solution. The data is stored and processed by LinkedIn so that a connection to the respective user profile is possible.

These processing operations are carried out exclusively upon granting express consent pursuant to Art. 6 para. 1 lit. a) GDPR.

LinkedIn is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 GDPR is therefore in place, meaning that personal data may be transferred without further safeguards or additional measures.

Further information and LinkedIn Pixel’s privacy policy can be found at: de.linkedin.com/legal/privacy-policy.

11.2 LinkedIn Analytics

On this website, we use the retargeting tool and conversion tracking of LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland (LinkedIn).

For this purpose, the LinkedIn Insight Tag is integrated on our website, which enables LinkedIn to collect statistical data about your visit and use of our website and to provide us with corresponding aggregated statistics on this basis. In addition, the service is used to display interest-specific and relevant offers and recommendations to you after you have informed yourself on the website about certain services, information, and offers. The relevant information is stored in a cookie.

The following data is generally collected and processed:

l IP address

l Device information

l Browser information

l Referrer URL and

l Timestamp

These processing operations are carried out exclusively upon granting express consent pursuant to Art. 6 para. 1 lit. a) GDPR. Your data will be stored until you withdraw your consent.

As part of processing via LinkedIn, data may be transferred to the USA and Singapore. This US company is certified under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 GDPR is therefore in place, meaning that personal data may be transferred without further safeguards or additional measures. In addition, the security of the transfer is regularly safeguarded by so-called Standard Contractual Clauses, which ensure that the processing of personal data is subject to a level of security equivalent to that of the GDPR. If the Standard Contractual Clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 para. 1 lit. a) GDPR will be obtained.

More information on LinkedIn’s privacy policy can be found at: de.linkedin.com/legal/privacy-policy.

12. Advertising

12.1 Google Ads (AdWords) Remarketing/Retargeting

We have integrated Google Ads on this website. The operating company of the Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

In this way, we advertise this website in Google search results and on third-party websites. For this purpose, Google places a cookie in your browser which automatically enables interest-based advertising using a pseudonymous cookie ID and based on the pages you visit.

Further data processing only takes place if you have agreed with Google that your internet and app browsing history may be linked by Google to your Google account and that information from your Google account may be used to personalize ads you view on the web. If, in this case, you are logged into Google during your visit to our website, Google uses your data together with Google Analytics data to create and define audience lists for cross-device remarketing. For this purpose, your personal data is temporarily linked by Google with Google Analytics data in order to form audiences.

These processing operations are carried out exclusively upon granting express consent pursuant to Art. 6 para. 1 lit. a) GDPR.

Google LLC, the parent company, is certified as a US company under the EU-US Data Privacy Framework. An adequacy decision pursuant to Art. 45 GDPR is therefore in place, meaning that personal data may be transferred without further safeguards or additional measures.

The privacy policy and further information on Google Ads can be found at: www.google.com/policies/technologies/ads/

12.2 Google Ads with Enhanced Conversions

We have integrated Google Ads on this website. The operating company of the Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads is an internet advertising service that enables advertisers to place advertisements in Google’s search engine results as well as in the Google advertising network. The purpose of Google Ads is to promote our website by displaying interest-based advertising on third-party websites and in the search engine results of the Google search engine and by displaying third-party advertising on our website.

If you reach our website via a Google ad, a so-called conversion cookie is placed on your IT system by Google. A conversion cookie loses its validity after thirty days and is not used to identify you. Provided the cookie has not yet expired, the conversion cookie is used to track whether certain subpages, for example the shopping cart of an online shop system, have been accessed on our website. By means of the conversion cookie, both we and Google can understand whether a user who reached our website via a Google Ads ad generated revenue, i.e. completed or abandoned a purchase.

We use Google Ads’ enhanced conversions feature. For this purpose, we transmit personal data collected by us ourselves, such as telephone numbers or email addresses, to Google. This data is matched with event data from Google Ads in order to record more conversions.

On each visit to our website, personal data, including the IP address of the internet connection used by you, is therefore transmitted to Google in the United States of America. Google may disclose this personal data collected via the technical procedure to third parties.

These processing operations are carried out exclusively upon granting express consent pursuant to Art. 6 para. 1 lit. a) GDPR.

The privacy policy and further information on Google Ads can be found at: www.google.de/intl/de/policies/privacy/ or support.google.com/adspolicy/answer/9755941.

12.3 Google Ads – Additional Information on Consent Mode, Advanced Implementation

Under the Digital Markets Act, Google is obliged to obtain users’ consent before user data is processed by Google for personalized advertising. Google complies with this requirement through “Consent Mode.” Users are required to implement this and thereby provide proof of obtaining the consent of website visitors.

Google offers two implementation modes, the basic and the advanced implementation.

We use the advanced implementation method of Google Consent Mode. If you consent to data processing in connection with the use of Google Ads (see above), a connection to Google is established, Google Analytics cookies are set, and the corresponding processing operations are carried out. If you refuse consent, no Google Ads cookies will be set. However, a unique “ping ID” is generated and transmitted to Google. The Google code is executed, but only limited user data is transmitted to Google, including information such as:

l IP address

l Browser details

l Visited URL

No personalized user ID is assigned.

If you have consented to the execution of Google Ads, Consent Mode, advanced implementation, the legal basis for processing personal data is Art. 6 para. 1 lit. a GDPR. In addition, it is in our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR to use Google Analytics 4, Consent Mode, advanced implementation, in order to obtain conversion data without creating user profiles and thus increase economic efficiency.

12.4 LinkedIn Ads

We have integrated LinkedIn Ads on this website. The operating company of the service is LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

In this way, we advertise our company on the social network LinkedIn. For this purpose, LinkedIn places a cookie in your browser which automatically enables interest-based advertising based on the pages you visit.

These processing operations are carried out exclusively upon granting express consent pursuant to Art. 6 para. 1 lit. a GDPR. Your data will be deleted as soon as it is no longer required to achieve the purpose or if you withdraw your consent.

More information on LinkedIn’s privacy policy can be found at: de.linkedin.com/legal/privacy-policy.

13. Plugins and Other Services

13.1 Font Awesome

Our website uses so-called web fonts provided by Fonticons Inc., 307 S Main St Ste 202 Bentonville, AR, USA, for the uniform display of fonts. When you access a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you use must connect to the servers of Fonticons, Inc. This gives Fonticons, Inc. knowledge that our website was accessed via your IP address. Font Awesome is used exclusively upon granting express consent pursuant to Art. 6 para. 1 lit. a) GDPR.

If your browser does not support Font Awesome, a standard font from your device will be used.

Further information on the privacy policy of Fonticons Inc. can be found at: fontawesome.com/privacy.

13.2 Google Infrastructure – csp.withgoogle.com

We have integrated components of Google services on this website. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) is responsible for data processing within the EU.

The following services may be integrated on our pages, among others:

l YouTube (video portal),

l Google Maps (map display),

l Google Tag Manager (script management),

l Google Ads / Google Publisher Services (online advertising),

l “Sign in with Google” (login function),

l Time of the server request.

You can find out which Google services are integrated in detail from this privacy policy.

When you access a subpage that contains a Google service (e.g. an embedded YouTube video or a Google Maps map), the respective service causes your browser to load further content from Google servers. In this context, additional supporting services such as Google WebFonts, Google Video, Google Photos, Google Static, Google Ads Services, or Google Maps Tiles may also be automatically activated.

In addition, many of these integrations establish a connection to csp.withgoogle.com. This domain is part of Google’s infrastructure and is used for the transmission of so-called Content Security Policy (CSP) reports. These reports are automatically generated by modern browsers in order to record violations of defined security policies, especially for protection against cross-site scripting (XSS) or data manipulation.

The data protection assessment of the connection to csp.withgoogle.com depends on which specific Google service technically triggers this security check. The connection is to be regarded as a technical component of the integrated service and does not take place independently of it. Accordingly, the permissibility of this connection under data protection law also depends on the legal basis for the respective service:

l If a Google service, such as YouTube, is only integrated after your express consent pursuant to Art. 6 para. 1 lit. a) GDPR, this consent also applies to the security check associated with the service via csp.withgoogle.com.

l If a service is integrated on the basis of another legal basis, e.g. Art. 6 para. 1 lit. b) GDPR (performance of a contract) or Art. 6 para. 1 lit. f) GDPR (legitimate interest), the connection to csp.withgoogle.com may also be based on this legal basis, provided that no additional personal data (such as user IDs or tracking IDs) is processed.

Further information on data protection can be found at: www.google.de/intl/de/policies/privacy/.

13.3 Microsoft Forms

We use the service “Microsoft Forms” of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, to create surveys, polls, and quizzes.

Microsoft Forms is a web-based application for creating surveys, quizzes, and polls. The forms created can be shared via links or embedded on a website to collect feedback from a target group or conduct polls. The survey results are automatically collected and can be displayed and analyzed in real time.

When using Microsoft Forms, various personal data may be collected, including:

l Information that you provide yourself when completing a survey or poll or answering a quiz, such as name, email address, or responses to questions.

l Data on the use of Microsoft Forms, such as date and time of access, browser type, operating system, and IP address.

The retention period for personal data is determined by the statutory retention period applicable in each case.

Participation in surveys, polls, or quizzes is voluntary. The legal basis for processing personal data is the voluntary consent you have given pursuant to Art. 6 para. 1 lit. a) GDPR. You may revoke this consent at any time with effect for the future.

Microsoft generally processes the data within the European Union as part of the so-called EU Data Boundary. For the provision and safeguarding of the services as well as for the fulfillment of legal obligations, Microsoft Ireland may transfer personal data to affiliated companies of Microsoft Corporation (Redmond, Washington, USA). Internal group data transfer takes place on the basis of Standard Contractual Clauses pursuant to Art. 46 para. 2 lit. c) GDPR as well as supplementary technical and organizational measures as specified in the Microsoft Data Protection Addendum.

Microsoft Corporation is additionally certified under the EU-US Data Privacy Framework (DPF). This means that an adequacy decision pursuant to Art. 45 GDPR exists for data transfers to the USA. Transfers of personal data to Microsoft in the USA are therefore permissible even without further safeguards or additional measures.

Further information on Microsoft Forms and the privacy policy can be found at: privacy.microsoft.com/de-de/.

13.4 Microsoft Teams

We use the tool “Microsoft Teams” (“MS Teams”) of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”), both for communication in written form (chat) and in the form of telephone conferences, online meetings, and video conferences.

When using MS Teams, the following personal data is processed:

l Meetings, chats, voicemails, shared files, recordings, and transcripts.

l Data shared about you, for example your email address, profile picture, and phone number.

l A detailed history of the phone calls you make.

l Call quality data.

l Support/feedback data, i.e. information related to troubleshooting tickets or feedback sent to Microsoft.

l Diagnostic and service data, i.e. diagnostic data related to service usage.

In order to enable the display of video and playback of audio, the data from the microphone of your device and from a video camera of your device are processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time via the Microsoft Teams applications.

If corresponding consent has been requested, processing takes place exclusively on the basis of Art. 6 para. 1 lit. a) GDPR. In the context of an employment relationship, such data processing is carried out on the basis of Section 26 BDSG. The legal basis for the use of MS Teams in the context of contractual relationships is Art. 6 para. 1 lit. b) GDPR. In all other cases, the legal basis for the processing of your personal data is Art. 6 para. 1 lit. f) GDPR. Our interest here lies in the effective conduct of online meetings.

If we record online meetings, we will inform you before the start and, where necessary, ask for your consent to the recording. If you do not wish this, you can leave the online meeting.

As a cloud-based service, MS Teams processes the aforementioned data in the course of providing the service. To the extent that MS Teams processes personal data in connection with Microsoft’s legitimate business operations, Microsoft is an independent controller for such use and as such is responsible for compliance with applicable laws and obligations of a controller. If you access the MS Teams website, Microsoft is responsible for data processing. Accessing the website is necessary in order to download the MS Teams software.

Detailed information on data protection at Microsoft in connection with MS Teams can be found at: docs.microsoft.com/de-de/microsoftteams/teams-privacy.

13.5 Yumpu FREE

To display the flip catalogs integrated on our website, we use Yumpu FREE, a tool provided by i-magazine AG (Yumpu), Gewerbestrasse 3, 9444 Diepoldsau, Switzerland.

By using Yumpu, the content of PDF files is displayed directly in your web browser as a freely accessible and readable flip catalog without requiring you to download a PDF file.

To execute the service, your web browser retrieves the content directly from Yumpu. As with every website access, Yumpu receives your IP address as well as information about your web browser, operating system, date and time of access, and so-called referrer data, i.e. information about which page you came from to the website with the Yumpu components, provided the referrer data is not concealed by your browser.

Yumpu is used on the basis of our legitimate interest in an attractive presentation of our website and products within the meaning of Art. 6 para. 1 lit. f) GDPR.

Further information on Yumpu can be found at: www.yumpu.com/de/publishing-software/free.

13.6 Zoho CRM System

We use the CRM system of the provider Zoho Corporation, 4141 Hacienda Drive, Pleasanton, CA 94588, USA (“Zoho CRM”).

Zoho CRM is a software CRM solution for customer relationship management and includes, among other things, the following functions:

l Deal management, lead management, and task management,

l Email tracking and notifications,

l Email templates and appointment scheduling,

l Shared use of documents,

l Online booking system for appointments,

l Telephony solutions such as automatic call recording and logging.

Different departments such as marketing, sales, and customer service work together using the software described.

The provider of Zoho CRM necessarily gains knowledge of the above-mentioned data to the extent provided for במסגרת of our data processing agreement (Art. 28 GDPR) with Zoho CRM. This may include IP addresses as well as names, addresses, email addresses, and telephone numbers.

If corresponding consent has been requested, processing takes place exclusively on the basis of Art. 6 para. 1 lit. a) GDPR. The legal basis for the use of Zoho CRM in the context of contractual relationships is Art. 6 para. 1 lit. b) GDPR. In all other cases, the legal basis for the processing of your personal data is Art. 6 para. 1 lit. f) GDPR. Our interest here lies in the effective coordination of internal and external communication and the management of customer relationships.

To the extent that Zoho CRM processes personal data in connection with its own legitimate business operations, Zoho CRM is an independent controller for such use and as such is responsible for compliance with applicable laws and obligations of a controller.

Zoho CRM’s privacy policy can be found at: www.zoho.com/gdpr.html.

14. Your Rights as a Data Subject

14.1 Right of Access Art. 15 GDPR

You have the right to obtain from us, at any time and free of charge, information about the personal data stored concerning you as well as a copy of such data in accordance with the statutory provisions.

14.2 Right to Rectification Art. 16 GDPR

You have the right to request the rectification of inaccurate personal data concerning you. Furthermore, you have the right, taking into account the purposes of the processing, to request the completion of incomplete personal data.

14.3 Erasure Art. 17 GDPR

You have the right to demand that we erase personal data concerning you without undue delay if one of the reasons provided for by law applies and insofar as processing or storage is not necessary.

14.4 Restriction of Processing Art. 18 GDPR

You have the right to request that we restrict processing if one of the legal requirements is met.

14.5 Data Portability Art. 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You also have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent pursuant to Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract pursuant to Art. 6 para. 1 lit. b) GDPR and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, in exercising your right to data portability pursuant to Art. 20 para. 1 GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

14.6 Right to Object Art. 21 GDPR

You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Art. 6 para. 1 lit. e) (data processing in the public interest) or lit. f) (data processing based on a balancing of interests) GDPR.

This also applies to profiling based on these provisions within the meaning of Art. 4 no. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defense of legal claims.

In individual cases, we process personal data in order to carry out direct advertising. You may object at any time to the processing of personal data for the purpose of such advertising. This also applies to profiling insofar as it is related to such direct advertising. If you object to the processing for direct advertising purposes, we will no longer process the personal data for these purposes.

In addition, you have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

You are free, in connection with the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise your right to object by automated means using technical specifications.

14.7 Withdrawal of a Data Protection Consent

You have the right to withdraw consent to the processing of personal data at any time with effect for the future.

14.8 Complaint to a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority responsible for data protection regarding our processing of personal data.

15. Routine Storage, Erasure, and Blocking of Personal Data

We process and store your personal data only for the period necessary to achieve the purpose of storage or insofar as this has been provided for by the legal provisions to which our company is subject.

If the storage purpose ceases to apply or a prescribed storage period expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

16. Duration of Storage of Personal Data

The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data will be routinely deleted, provided that it is no longer required for the fulfillment or initiation of a contract.

17. Currentness and Amendment of the Privacy Policy

This privacy policy is currently valid and has the status of: March 2026.

As a result of the further development of our website and offers or due to changed legal or official requirements, it may become necessary to amend this privacy policy. The current privacy policy can be accessed and printed by you at any time on the website at “https://www.koch-pac-systeme.com/datenschutz/”.