UPM Data Protection Statement

Last updated on June 24th, 2019,

The following data protection statement applies to use of our online offer [www.upm-cdm.eu] (hereinafter: “Website”).
We put great value on data protection. Collection and processing of your personal data takes place under consideration of the applicable rules under data protection law, in particular the General Data Protection Regulation (GDPR).

1.Controller

The controller for collection, processing and use of your personal data within the meaning of Article 4(7) GDPR is Martin Dilger, managing director, UPM Umwelt-Projekt-Management GmbH, Lamontstraße 11, D-81679 Munich, Germany, mdilger(at)upm-cdm.eu.
If you want to object to the collection, processing or use of your data by us, taking account of these data protection provisions as a whole or for particular measures, you can direct your objection to the controller.
You may store and print out this data protection statement at any time.

2.General purposes of processing

We use personal data for the purpose of operating the website [and for processing your requests.

3.What data do we use, and why?

3.1 Hosting

The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, safety services and technical maintenance services that we use for the purpose of operation of the website.

For this, we or our hosting provider process inventory data, contact details, content data, contract data, usage data, meta and communication data of customers, potential customers and visitors to this website, based on our legitimate interests in efficient and secure provision of our website in accordance with point (f) of sentence 1 of Article 6(1) in conjunction with Article 28 GDPR.

3.2 Access data

We collect information concerning you when you use this website. We automatically record information concerning your usage behaviour and your interaction with us and we register data concerning your computer or mobile device. We collect, store and use data concerning any access to our website (server log files). The access data include:

  • Name and URL of the called file,
  • Date and time of the access
  • Transferred data volume
  • Notification on the successful call (HTTP response code)
  • Browser type and browser version
  • Operating system
  • Referrer URL (the website visited before)
  • Websites that are called up by the user’s system via our website
  • Internet service provider of the user
  • Internet protocol address and the requesting provider

We use these protocol data without any assignment to your person or other profile generation for statistical evaluations for the purpose of operation, security and optimisation of our website, but also for anonymous recording of the number of visitors on our website (traffic), as well as for the scope and type of use of our website and services, and for settlement purposes, in order to measure the number of clicks received from cooperation partners. Due to this information, we are able to provide personalised and site-specific contents and to analyse the data traffic, find and remedy errors and improve our services.

This is also our legitimate interest in accordance with point (f) of sentence 1 of Article 6(1) GDPR. We reserve subsequent review of the protocol files if there are any specific indications that give rise to the justified suspicion of illegal use. We store internet protocol addresses for a temporary period in the logfiles if this is necessary for safety purposes or necessary for rendering services or settlement for a service, e.g. if you use one of our offers. After cancellation of the process of ordering or after receipt of the payment, we will erase the internet protocol address if it is no longer necessary for security purposes. We will also store internet protocol addresses if we have a specific suspicion concerning a crime in connection with use of our website. We also store the date of your last visit as part of your account (e.g. on registration, login, clicking of links, etc.).

3.3 Cookies

We use session cookies in order to optimise our website. A session cookie is a small text file that the respective servers send out when visiting a website and that is stored temporarily on your hard disc. This file contains a session ID with which various requests from your browser can be assigned to a shared session. This makes it possible to recognise your computer when you return to our website. These cookies are deleted when you close your browser. They are used, e.g., to let you use the shopping cart function across multiple pages.

At a small scope, we also use persistent cookies (also small text files that are stored on your end device) that will remain on your end device and that enable us to recognise your browser again on your next visit. These cookies are stored on your hard disc and will delete themselves after the specified time. Their lifetimes range from 1 month to 10 years. That way, we can display our offer in a more user-friendly, effective and secure manner and, for instance, present information specifically adjusted to your interests on the page.

Our legitimate interest in use of the cookies in accordance with point (f) of sentence 1 of Article 6(1) GDPR is in making our website more user-friendly, effective and secure.

The cookies store, among others, the following data and information:

  • Log-in information
  • Language settings
  • Search terms entered
  • Information regarding the number of calls of our website and use of particular functions of our website.

When the cookie is activated, it is assigned an identification number; your personal data will not be assigned to this identification number. Your name, your internet protocol address or similar data that would permit assignment of the cookie to you will not be inserted into the cookie. Based on the cookie technology, we will only obtain pseudonymised information, for instance, on which pages of our shop were visited, which products were viewed, etc.

You can set your browser so that you will be informed in advance about setting of cookies and can decide individually whether or not you want to prevent acceptance of cookies in specific cases or in general, or to prevent cookies completely. This can limit the website’s function.

3.4 Data to meet our contractual obligations

We process personal data that we need to meet our contractual obligations, such as name, address, email address, ordered products, invoice and payment data. These data must be collected for conclusion of the contract.

The data will be erased after the expiration of the warranty periods and the statutory archiving periods. The legal basis for processing of these data is point (b) of sentence 1 of Article 6(1) GDPR; these data are needed to enable us to fulfil our contractual obligations towards you.

3.5 Email contact

If you contact us (e.g. by contact form or email), we will process your information for processing the request and if any subsequent questions arise. If processing activities take place to perform any pre-contractual measures that are taken upon your request or to perform the contract if you are already our customer, the legal basis for processing activities shall be point (b) of sentence 1 of Article 6(1).

We will only process any other personal data if you consent to this (point (a) of sentence 1 of Article 6(1) GDPR) or if we have a legitimate interest in processing of your data (point (f) of sentence 1 of Article 6(1) GDPR). A legitimate interest is present, e.g., in order to reply to your email.

4. Duration of storage

If not specifically indicated, we will store personal data only for as long as this is necessary to meet the pursued purposes.In some cases, the legislator stipulates the storage of personal data, e.g. in tax or commercial law. In such cases, we will only continue to store the data for these statutory purposes, but we will not otherwise process them and we will delete them after the expiration of the statutory storage period.

5. Your rights as a data subject

Under the applicable laws, you have various rights concerning your personal data. If you want to assert these rights, please send your request to the address named in item 1 by email or mail, while clearly identifying yourself.

Find an overview of your rights below.

5.1 Right to confirmation and access

You have the right to well-structured communication about processing of your personal data.In particular:You have the right to obtain our confirmation of whether we process any personal data concerning you at any time. If this is the case, you have the right to demand information from us about the personal data stored concerning you from us, including a copy of these data. Furthermore, you have a right to the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you, or to object to such processing;
  6. the existence of the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from you, any available information as to their source;
  8. the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

Where personal data are transferred to a third country or to an international organisation, you have the right to be informed of the appropriate safeguards in accordance with Article 46 GDPR relating to the transfer.

5.2 Right to rectification

You have the right to demand rectification and, if applicable, completion of the personal data concerning you from the controller.

In particular: You have the right to demand rectification of inaccurate personal data concerning you without undue delay from us at any time. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

5.3 Right to erasure (“right to be forgotten”)

In a number of cases, we are obligated to erase personal data concerning you.In particular:In accordance with Article 17(1) GDPR, you have the right to demand from us that any personal data concerning you will be deleted without undue delay, and we are obligated to delete personal data without undue delay if one of the following reasons applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. You withdraw consent on which the processing was based in accordance with point (a) of sentence 1 of Article 6(1) GDPR or point (a) of Article 9(2) GDPR and there is no other legal basis for the processing.
  3. You object to processing in accordance with Article 21(1) GDPR and there are no overruling legitimate grounds for processing, or you object to processing in accordance with Article 21(2) GDPR.
  4. The personal data have been unlawfully processed.
  5. Erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.6. The personal data have been collected in relation to the offer of information society services in relation to Article 8(1) GDPR.

If we have made the personal data public and if we are obliged in accordance with Article 17(1) GDPR to erase the personal data, we shall take reasonable steps, including technical measures, taking account of available technology and the cost of implementation, to inform data controllers who are processing the personal data that you have requested the erasure of any links to, or copies or replications of those personal data by such controllers.

5.4 Right to restriction of processing

In a number of cases, you have the right to demand that we restrict processing of your personal data. In particular: You have the right to obtain restriction of processing from us where one of the following conditions applies:

  1. the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data,
  2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. we no longer need the personal data for the purposes of the processing, but the data are required by you for the establishment, exercise or defence of legal claims; or
  4. If you have objected to processing in accordance with Article 21(1) GDPR, while it is not yet certain if the legitimate reasons of our company override yours.

5.5 Right to data portability

You have the right to obtain personal data concerning you in a machine-readable form, to transmit them and to have them transmitted.

In particular:You have the right to obtain the personal data concerning you that you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us, where:

  1. processing is based on consent in accordance with point (a) of sentence 1 of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or a contract in accordance with point (b) of sentence 1 of Article 6(1) GDPR and
  2. the processing is carried out by automated means.In exercising your right to data portability in accordance with paragraph 1, you have the right to have the personal data transmitted directly from us to another controller, where technically feasible.

5.6 Right to object

You have the right to object to lawful processing of your personal data by us if this is justified by your particular situation and our interests in processing are not overriding.

In particular:You shall have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on point (e) or (f) of sentence 1 of Article 6(1) GDPR, including profiling based on those provisions. We shall no longer process the personal data concerning you unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.Where we process any personal data for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you have the right to object to processing of personal data concerning you, on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5.7 Automated decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. There is no automated decision-making based on the collected personal data.

5.8 Right to revoke the declaration of consent under data protection law

You have the right to revoke consent to processing of your personal data at any time.

5.9 Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you is unlawful.

6. Data security

We take the greatest effort to ensure security of your data within the context of the applicable data protection laws and the technical options.We transmit your personal data encrypted. This shall also apply to your orders and to the customer login. We use the encoding system SSL (Secure Socket Layer), but would like to point out that the data transmission on the internet (e.g. in the case of email communication) may involve gaps in security. Complete protection of the data against third-party access is not possible. We maintain technical and organisational security measures in compliance with Article 32 GDPR to protect your data, which we always adjust to the state of the art. We also do not warrant that our offer will be available at certain times; accidental events, interruptions or failures cannot be excluded. The servers used by us are subject to regular careful maintenance.

7. Passing on data to third parties; no data transmission to non-EU countries

In principle, we use your personal data only within our company.If and as far as we involve any third parties within the context of performing contracts (for example logistics service providers), these will only obtain personal data at the scope at which the transmission is necessary for the corresponding service. If we outsource certain parts of our processing activities (“data processing based on an agreement”), we commit our processors contractually to only use personal data in accordance with the requirements of the data protection laws and to ensure protection of the rights of the data subject. Data transmission to bodies or persons outside of the EU outside of the case named in item 4 of this statement does not take place and is not planned.

This Data Protection Statement  is available in English and German languages. In case of discrepancies, the German version will prevail.