Thank you for your interest in our company. Data protection is particularly important to management at HEYMANNS IT-SOLUTIONS GMBH. In principle it is possible to access the HEYMANNS IT-SOLUTIONS GMBH web pages without entering any personal information. To the extent that a person wishes to make use of particular services from our company via our website, it could be that personal data needs to be processed. If this type of processing is required, and if there is no legal basis for processing of this nature, we request general consent from the person concerned.
A user’s personal data such as name, address, email address or phone number is only processed in accordance with the General Data Protection Regulation and in terms of the state-specific data protection provisions applicable to HEYMANNS IT-SOLUTIONS GMBH. By means of this privacy statement, our company wishes to inform the public as to the nature, extent and purpose of personal data collected, used and processed by us. Furthermore, the rights applicable to persons concerned in terms of this privacy statement are explained.
- Data protection at a glance
The following information provides a simple overview of what happens to your personal data when you visit our website. Personal data is all data that allows you to be personally identified. You can find detailed information on data protection in our privacy statement below this text.
Data collection on our website
Who is responsible for data collection on our website?
Data on this website is processed by Heymanns IT-Solutions GmbH. You can find contact details in the legal notice page of this website or under point 3 of this privacy statement.
How do we collect your data?
Firstly, we collect the data that you provide us. This can be data that you enter in a contact form.
Other data is automatically collected by our IT systems when visiting our website. In particular, this includes technical data (e.g. internet browser, operating system or time of accessing the page). This data is collected automatically as soon as you visit our website.
For what do we use your data?
Some of the data is collected to ensure error-free availability of the website. Other data can be used to analyse your usage behaviour.
What rights do you have in terms of your data?
You have the right to obtain information as to the origin, receiver and purpose of personal data stored, at any time and at no charge. In addition, you have the right to request correction, blocking or deletion of this data. In this regard, and if you have any queries regarding data protection, you may contact us at the address provided in the legal notice page at any time. Furthermore, you have a right to appeal to the relevant supervisory authority.
Analysis tools and third-party tools
When visiting our website, your surfing behaviour can be statistically evaluated. In particular, this occurs by means of cookies and so-called analysis programs. Analysis of your surfing behaviour is generally performed anonymously – your surfing behaviour cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. You can find detailed information on this in the following privacy statement.
You can object to this analysis. You can find information on disputing the analysis in this privacy statement.
SSL or TLS encryption
This website uses SSL or TLS encryption for security reasons and for protection of the transmission of confidential content such as orders or queries that you send to us as the website operator. You can recognise a secure connection when the address line of the browser changes from “http://” to “https://” and by the padlock icon in your browser address bar.
When SSL or TLS encryption is active, data that you transmit to us cannot be read by third parties.
Encrypted payment traffic for direct debiting
When an obligation to transmit payment data (such as account number for direct debit authorisation) arises after concluding a fee-based contract, this data is required for payment processing.
Payment traffic using the current payment method (direct debit) is transmitted exclusively via an encrypted SSL or TLS connection. You can recognise a secure connection when the address line of the browser changes from “http://” to “https://” and by the padlock icon in your browser address bar.
When encrypted communication is used, payment data that you transmit to us cannot be read by third parties.
As the data controller, HEYMANNS IT-SOLUTIONS GMBH has implemented numerous technical and organisational measures to ensure seamless protection of personal data processed via this website. However, web-based data transmission can in principle be subject to security vulnerabilities so that absolute protection cannot be guaranteed. For this reason, every person concerned is free to provide us with personal data via alternative means such as by telephone.
- Definition of terms
The HEYMANNS IT-SOLUTIONS GMBH privacy statement is based on the terms used by the European legislature and regulators in issuing the General Data Protection Regulation (GDPR). Our data protection is intended to be easily readable and understandable for the public and for our customers and business partners. To ensure that this is the case, we wish to explain the definitions used in advance. The terms we use in this privacy statement include the following:
a) Personal data
Personal data is all information that refers to an identified or identifiable natural person (hereinafter “data subject”). A person is deemed to be identifiable if they can be identified directly or indirectly by means of assignment to an identifier such as a name, an identification number, location data or online identification, or to one or more particular characteristics that constitute an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.
b) Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
c) Processing
Processing is any operation with or without the assistance of automated procedures, or any such sequence of operations in connection with personal data, such as collection, recording, organisation, sorting, storing, tailoring or modification, reading out, retrieval, use, disclosure by means of transmission, distribution or any other form of delivery, comparison or association, limitation, deletion or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data for the purpose of limiting its processing in future.
e) Profiling
Profiling is any type of automated processing of personal data that includes using this personal data to evaluate certain personal aspects that relate to a natural person, in particular to analyse and predict aspects that relate to work matters, economic status, health, personal preferences, interests, reliability, behaviour, abode or change of location of this natural person.
f) Pseudonymisation
Pseudonymisation is the processing of personal data in a manner whereby the personal data can no longer be attributed to a specific data subject without referring to additional information, to the extent that this additional information is stored separately and is subject to technical and organisational measures that ensure that the personal data cannot be attributed to an identified or identifiable natural person.
g) Controller or data controller
The controller or data controller is the natural person or legal person, authority, institution or other entity that either solely or jointly decides on the purpose and method of processing of personal data. Where the purpose and method of processing are laid down by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
The processor is a natural or legal person, authority, institution or other entity that processes personal data as commissioned by the controller.
i) Recipient
The recipient is a natural or legal person, authority, institution or other entity to whom personal details are made available, independently of whether this is a third party or not. Authorities that may receive personal data as part of a specific investigation order according to Union or Member State law are not considered to be recipients.
j) Third party
A third party is a natural or legal person, authority, institution or other entity other than the data subject, the controller, the processor and persons authorised directly by the controller or the processor to process the personal data.
k) Consent
Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, in the form of a statement or other unequivocal confirmatory act, indicate agreement to the processing of their personal data.
- Name and address of the data controller
The person responsible within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is:
HEYMANNS IT-SOLUTIONS GMBH
Phone: +49 2154-953198-0
Telefax: +49 2154-953198-99
- Name and address of the data protection officer
The Heymanns IT-Solutions GmbH data protection officer is: Prof. Dr. Linus Schleupner
Phone: +49 2154-953198-0
Any data subject may at any time contact our data protection office directly with any queries and suggestions.
- Collection of general data and information
Every time the HEYMANNS IT-SOLUTIONS GMBH website is accessed by a data subject or an automated system, the website captures a range of general data and information. This general data and information is stored in the server log files. It is possible to record (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system moves to our website (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information used to avert danger in the event of attacks on our IT systems. HEYMANNS IT-SOLUTIONS GMBH draws no conclusions about the data subject from the use of this general data and information. Rather, the information is used to (1) serve the content of our website correctly, (2) optimise the content of our website as well as the advertising, (3) ensure the continued functionality of our IT systems and the technology of our website, and (4) to provide the necessary information for prosecution to the criminal prosecution authorities in the event of a cyber attack. HEYMANNS IT-SOLUTIONS GMBH therefore evaluates this anonymously collected data and information both statistically and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data that we process. The anonymous data on the server log files is stored separately from all personal data provided by the data subject.
The basis for data processing is Art. 6 Para. 1 lit. d GDPR, which permits the processing of data for the fulfilment of a contract or precontractual measures.
- Contact options via the website
The HEYMANNS IT-SOLUTIONS GMBH website contains information that permits quick electronic contact to our company as well as direct communication, including a general address for electronic mail (email address), in accordance with statutory provisions. Where a data subject makes contact with the data controller via email or via the contact form, the personal data transmitted by the data subject will be stored automatically. Such data, which is provided on a voluntary basis by a data subject to the data controller, will be stored for the purposes of processing or making contact with the data subject. This personal data will not be forwarded to third parties.
- Routine deletion and blocking of personal data
The data controller processes and stores the personal data of the data subject only for the period of time necessary to achieve the purpose of storage or insofar as this has been provided for by the European legislature and regulators or another competent legislator in laws or regulations. Where the purpose of storage no longer applies or where the time period prescribed by the European legislature and regulators or another competent legislator expires, the personal data will be blocked or deleted routinely and according to the statutory provisions.
- Rights of the data subject
a) Right to confirmation
Every data subject has the right granted by the European legislature and regulators to request confirmation from the data controller as to whether the relevant personal data is being processed. Where a data subject wishes to assert this right of confirmation, they can contact our data protection officer or any employee of the data controller at any time at the address provided in the legal notice page or in this privacy statement.
b) Right to access
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators to, at any time and at no charge, obtain from the data controller information concerning the personal data stored about themselves and a copy thereof. Furthermore, the European legislature and regulators have granted the data subject access to the following information:
- the purposes of the processing
- the categories of personal data processed
- the recipients or categories of recipients to which the personal data has or will be disclosed, in particular recipients in third countries or international organisations
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- the existence of a right to rectify or erase personal data relating to the person or to limit the processing carried out by the controller or of a right to object to such processing
- the existence of a right of appeal to a supervisory authority
- where the personal data is not collected from the data subject: any available information as to its source
- the existence of automated decision-making, including profiling, as per Article 22 Para. 1 and 4 GDPR and – at least in these cases – conclusive information as to the logic involved as well as the scope and the intended effects of processing of this nature for the data subject.
Furthermore, the data subject has the right to obtain information as to whether personal data has been transferred to a third country or to an international organisation. Where this is the case, the data subject also has a right to be informed of the appropriate guarantees relating to the transfer.
If a data subject wishes to assert this right to access, they can contact our data protection officer or any employee of the data controller at any time at the address provided in the legal notice page or in this privacy statement.
c) Right to rectification
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators to request immediate rectification of incorrect personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of a supplementary statement.
If a data subject wishes to assert this right to rectification, they can contact our data protection officer or any employee of the data controller at any time at the address provided in the legal notice page or in this privacy statement.
d) Right to erasure (right to be forgotten)
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators to request the controller to immediately erase incorrect personal data concerning them, to the extent that one of the following grounds applies and provided that the processing is not necessary:
- The personal data has been collected or processed for purposes for which it is no longer necessary.
- The data subject withdraws their consent on which the processing was based as per Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR, and there is no other legal basis for the processing.
- The data subject objects to the processing as per Art. 21 Para 1 GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing as per Art. 21 Para. 2 GDPR.
- The personal data has been processed in contravention of the law.
- Erasure of the personal data is required to fulfil a statutory requirement under Union or Member State law to which the controller is subject.
- The personal data was collected in relation to information society services offered as per Art. 8 Para. 1 GDPR.
To the extent that one of the above reasons applies and a data subject wishes to have personal data stored by HEYMANNS IT-SOLUTIONS GMBH erased, they may contact our data protection officer or any employee of the data controller at any time. The HEYMANNS IT-SOLUTIONS GMBH data protection officer or another employee will ensure that the erasure request is complied with immediately.
If the personal data has been published by HEYMANNS IT-SOLUTIONS GMBH and if our company as the controller is obliged to erase personal data as per Art. 17 Para. 1 GDPR, HEYMANNS IT-SOLUTIONS GMBH will take the appropriate measures having regard to available technologies and implementation costs (of a technical nature as well) to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of all links to, or copy or replication of, this personal data, to the extent that the processing is not required. The HEYMANNS IT-SOLUTIONS GMBH data protection officer or another employee will arrange the necessary steps in individual cases.
e) Right to restriction of processing
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators to request the controller to restrict the processing of such data, to the extent that one of the following grounds applies and provided that processing is not necessary:
- The accuracy of the personal data is disputed by the data subject, for a period enabling the controller to verify the correctness of the personal data.
- The processing is unlawful and the data subject rejects the deletion of the personal data and instead requests the restriction of use of the personal data.
- The controller no longer requires the personal data for the purposes of processing, but the data subject requires such data to assert, exercise or defend claims in law.
- The data subject has objected to processing as per Art. 21 Para. 1 GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
To the extent that one of the above conditions applies and a data subject wishes to restrict the personal data stored by HEYMANNS IT-SOLUTIONS GMBH, the data subject may contact our data protection officer or any employee of the data controller at any time at the address provided in the legal notice page or in this privacy statement. The HEYMANNS IT-SOLUTIONS GMBH data protection officer or another employee will arrange the restriction of the processing.
f) Right to data portability
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators to receive the personal data concerning them, which was provided to a controller by the data subject, in a structured, commonly used and machine-readable format, to the extent that this is technically and economically feasible. The data subject also has the right to transmit this data to another controller without hindrance from the controller to which the personal data was provided, to the extent that the processing is based on consent as per Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract as per Art. 6 Para 1 lit. b GDPR, and the processing is carried out by automated means, as long as the processing is not required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising the right of data portability as per Art. 20 Para. 1 GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another to the extent that this is technically feasible and where this does not adversely affect the rights and liberty of others.
In order to assert the right to data portability, the data subject can contact the HEYMANNS IT-SOLUTIONS GMBH data protection officer or another employee at any time at the address provided in the legal notice page or in this privacy statement.
g) Right to object
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators to object, on grounds relating to their particular situation, at any time, to the processing of personal data concerning them, which is based on Art. 6 Para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions.
HEYMANNS IT-SOLUTIONS GMBH will no longer process the personal data in the event of objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or where the processing serves to assert, exercise or defend claims in law.
If HEYMANNS IT-SOLUTIONS GMBH processes personal data for direct marketing purposes, the data subject has the right to object, at any time, to processing of the personal data for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to this processing by HEYMANNS IT-SOLUTIONS GMBH for purposes of direct marketing, HEYMANNS IT-SOLUTIONS GMBH will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to their particular situation, to object to processing of personal data concerning them by HEYMANNS IT-SOLUTIONS GMBH for scientific or historical research purposes, or for statistical purposes as per Art. 89 Para. 1 GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
In order to exercise the right to object, the data subject can contact the HEYMANNS IT-SOLUTIONS GMBH data protection officer or another employee at any time at the address provided in the legal notice page or in this privacy statement. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise their right to object by automated means using technical specifications.
h) Automated decisions in individual cases, including profiling
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning them, or substantially affects them in a similar manner, provided the decision (1) is not necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is permissible on the basis of Union or Member State law to which the controller is subject and this legislation lays down appropriate measures for safeguarding the rights and liberties as well as the legitimate interests of the data subject, or (3) is based on explicit consent of the data subject.
If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is based on explicit consent of the data subject, HEYMANNS IT-SOLUTIONS GMBH will take appropriate measures to safeguard the rights and liberties as well as the legitimate interests of the data subject, which include at least the right to obtain human intervention of a person at the controller, to present their own point of view and to contest the decision.
If the data subject wishes to exercise the rights concerning automated decisions, they may contact our data protection officer or any employee of the data controller at any time at the address provided in the legal notice page or in this privacy statement.
i) Right to revoke consent under privacy law
Every data subject affected by the processing of personal data has the right granted by the European legislature and regulators to revoke consent to processing of their personal data at any time.
If the data subject wishes to exercise the right to revoke consent, they may contact our data protection officer or any employee of the data controller at any time at the address provided in the legal notice page or in this privacy statement.
j) Right of appeal to the relevant supervisory authority
In the event of breaches of data protection law, the data subject has a right of appeal to the relevant supervisory authority. The relevant supervisory authority for matters of data protection is the state data protection commissioner in North Rhine-Westphalia.
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
Phone: +49 2 11/384 24-0
Telefax: +49 2 11/384 24-10
- Data protection provisions on the application and use of Google Analytics (with anonymisation function)
The data controller has integrated the Google Analytics component (with anonymisation function) into this website. Google Analytics is a web analysis service. Web analysis is the capture, collection and evaluation of data on the behaviour of visitors to websites. A web analysis service collects, among others, data about the website from which a data subject has come to a website (so-called referrer), which sub-website of the website has been visited or how often and for what duration a sub-website was viewed. Web analysis is primarily used for optimisation of a website and for cost-benefit analysis of internet advertising. The operating company of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data controller uses the “_gat._anonymizeIp” function for web analysis through Google Analytics. This function trims and anonymises the IP address of the internet connection of the data subject if the access to our web pages is from a Member State of the European Union or from a contracting state that is party to the agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse the data streams of visitors to our website. Google uses the data and information obtained, among others, to evaluate the use of our website, to prepare online reports showing the activity on our web pages and to provide additional services connected to the use of our website.
Google Analytics places a cookie on the data subject’s IT system. Cookies have already been explained above. By placing a cookie, Google is able to analyse the usage of our website. For every access to one of the individual pages of this website, which is operated by the data controller and into which a Google Analytics component has been integrated, the web browser on the data subject’s IT system is automatically triggered by the relevant Google Analytics component to transmit data to Google for the purposes of online analysis. As part of this technical procedure, Google acquires knowledge on personal data such as the IP address of the data subject, which Google can use for example to trace the origin and clicks of the user and to generate commission settlements.
The cookie is used to store personal information such as the access time, location from which the access originated and the frequency of visits to our website by the data subject. For every visit to our website, this personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the USA. This personal data is stored by Google in the USA. In some cases, Google forwards this personal data collected through the technical procedure to third parties.
As indicated above, the data subject can at any time block the setting of cookies by our website by means of appropriate settings on the web browser, thereby permanently denying the setting of cookies. Using a setting like this on the web browser would also prevent Google from setting a cookie on the data subject’s IT system. In addition, a cookie already set by Google Analytics can be deleted via the web browser or other software programs.
However, we wish to point out that, under some circumstances, not all functions of our website will be fully usable in this case.
Alternatively, you can block the collection of Google Analytics by clicking on the following link. An opt-out cookie is set which blocks the future collection of your data when visiting this website: Deactivate Google Analytics
- Data protection for employment applications and job application processing
The controller collects and processes personal data from job applicants for the purpose of handling job applications. The processing can also be performed electronically. This is particularly the case where a job applicant transmits the relevant application documentation to the data controller electronically, for example by email or via a form on a web page. If the data controller concludes a contract with an applicant, the data transmitted for the purpose of the employment relationship will be stored having regard to the statutory provisions. If no contract is concluded between the data controller and the applicant, the applicant’s data will automatically be deleted two months after notification of the rejection of the applicant to the extent that no other legitimate interest on the part of the data controller exists. Other legitimate interest in this sense is for example a duty of proof in legal proceedings as per the General Equal Treatment Act (AGG).
- Google Maps
This website uses the map service Google Maps via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. It is necessary to store your IP address in order to use the Google Map functions. In general, this information is transmitted to a Google server in the USA, where it is stored. The operator of this site has no influence on this data transmission.
Google Maps is used for the purpose of creating an attractive display of our online offerings and to make it easy to find our locations on the website. This represents a legitimate interest in the sense of Art. 6 Para. 1 lit. f GDPR.
You can find more information on working with user data in the Google data protection declaration:
- Legal basis for processing
Art. 6 I lit. a GDPR serves as the legal basis for our company’s processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is required for the fulfilment of a contract to which the data subject is party, for example as is the case in processing operations that are necessary for the delivery of goods or the provision of another service or consideration, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing operations that are required for execution of precontractual measures, for example in the case of queries about our products or services. Where our company is subject to a legal obligation that requires the processing of personal data, for example when fulfilling tax-related obligations, this will be based on Art. 6 I lit. c GDPR. In rare cases the processing of personal data can be required to protect the vital interests of the data subject or another natural person. This would be the case for example if a visitor to our company were to become injured and as a result their name, age, medical insurance details or other vital information would need to be shared with a doctor, hospital or other third party. In this case, processing would be based on Art. 6 I lit. d GDPR. Processing operations could ultimately be based on Art. 6 I lit. f GDPR. Processing operations that are not covered by any of the above legal bases take this legal basis if processing is necessary to uphold a legitimate interest of our company or of a third party, provided the interests, fundamental rights and fundamental freedoms of the data subject are not overriding. We are in particular permitted to conduct processing operations of this nature because they are specifically mentioned by the European legislature. To that extent it took the view that a legitimate interest can be assumed if the data subject is a customer of the controller (recital 47 sentence 2 GDPR).
- Legitimate interests in processing pursued by the controller or a third party
If the processing of personal data is based on Art. 6 I lit. f GDPR, our legitimate interest is the conducting of our business activities in the interests of the well-being of all our employees and shareholders.
- Period for which the personal data is saved
The criterion for the period for which personal data is saved is the applicable statutory retention period. After expiry of the period, the relevant data is routinely deleted provided it is no longer required to fulfil or initiate a contract.
- Statutory or contractual provisions for making available personal data; requirement for contract conclusion; obligation of the data subject to make the personal data available; possible consequences of non-provision
We inform you that the provision of personal data is to some extent prescribed by law (e.g. tax regulations) or may arise under contractual arrangements (e.g. particulars of contracting party). For the conclusion of a contract, it may sometimes be necessary for a data subject to provide us with personal data that we then need to process. The data subject is for example obliged to provide us with personal data if our company concludes a contract with them. Non-provision of the personal data would have the consequence that the contract could not be concluded with the data subject. The data subject must contact our data protection officer before providing personal data. Our data protection officer will inform the data subject on a case-by-case basis whether the provision of personal data is legally or contractually prescribed or is necessary for the conclusion of the contract, whether there is any obligation to provide the personal data, and what the consequences of non-provision of the personal data would be.
- Existence of automated decision-making
As a responsible company, we do not use automated decision-making or profiling.