Modern information and communications technologies play an increasingly large role in the activities of the BÜFA Group. That is why we take the protection of your privacy and personal particulars that you make available to us very seriously. We observe the provisions of the German Federal Data Protection Act as a matter or course. Details of any data we possibly collect and how we handle such data are set out below.

Responsibility

BÜFA GmbH & Co. KG
Stubbenweg 40
26125 Oldenburg, Germany
Phone +49 441 9317-0
E-mail: info@buefa.de

Contact details of the Data Protection Officer

We are supported by our data protection officer in fulfilling our data protection obligations. In the event of an enquiry, please name the company concerned which is involved. The contact details of our data protection officer are as follows: 

Dr. Uwe Schläger
datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen, Germany

Web: www.datenschutz-nord-gruppe.de
E-mail: office@datenschutz-nord.de
Phone: 0421 69 66 32 0

What personal data are collected and processed?

You can visit our websites without us requiring any personal data from you. We only learn the name of your Internet Service Provider, the website from which you visit us and the pages that you visit on our website. Personal data are only requested and processed if you use specific services. Your attention is then specifically drawn to this in the menu.

For what purposes do we collect and process your personal data?

As we are constantly endeavouring in a continuous process to improve both our services and your experience with our websites, the above general data are evaluated statistically. However, for this purpose we are interested in your personal opinion and your sphere in this connection. That is why at some points we request you to provide additional information. This information is voluntary and we naturally treat it confidentially.

If you use our services, generally we only collect such data as we need to provide the services. In as far as we ask you for any further data, this comprises voluntary information. The personal data are processed solely to perform the service requested and to maintain our own justified business interests. 

Are personal data passed on to third parties?

We will only pass on your personal data to third parties in as far as this is absolutely necessary to provide the service requested. Beyond this we will not disclose, pass on, sell or otherwise market your personal data to other enterprises or institutions unless your express declaration of agreement to this is received. The situation is different if we are obligated to disclose and transmit the data by law or by a court judgement.

Use of IP addresses

It is pointed out that this website uses Google Analytics with the extension "_anonymizeIp()" and therefore IP addresses are only processed in abbreviated form in order to exclude direct personal references. 

Cookies

We use cookies in some areas of our websites. These are identifiers that allow us to provide you with our services on a more individual basis during your visit. We do not use cookies to collect personal data. If you would like to be informed about the use of cookies by your browser or would like to exclude them, you should activate the corresponding browser settings. 

BÜFA Session Storage

In order to define our lead and revenue sources more precisely in future and to be able to evaluate them further, we use BÜFA's own session storage on our website, in which marketing information about users of our website is stored. This allows us to analyse which BÜFA measures and campaigns lead to success and to calculate the profitability of marketing measures. For this purpose, the source of the contact enquiry (e.g. source, medium and campaign) is stored in a session storage and transmitted to our CRM (Customer Relationship Management) when a user fills out and submits a contact form on one of our websites.
The information stored in the cookie includes:

• Sources, e.g. Google, LinkedIn, Facebook, Instagram, trade fairs, print materials, newsletters, etc.
• Medium, e.g. email, organic and paidsearch, organic and paidsocial, QR codes 
• Campaign information, e.g. name and ID of the campaign

The information is kept in session storage for the duration of the session and deleted at the end of the session.

The legal basis for the processing of personal data is your consent in accordance with Art. 6 section 1 sentence 1 lit. a GDPR, provided that you have given your consent via our consent banner. If you have not given your consent, no data will be stored via the cookie.
 

Consent banner

We use a consent management platform (consent or cookie banner) on our websites. The processing in connection with the use of the consent management platform as well as the logging of the settings you have made is carried out on the basis of Art. 6 (1) sentence 1 lit. f DSGVO, in our legitimate interest to play out our content according to your preferences and to be able to prove the consent(s) you have given. The settings you have made, the consent you have given and parts of your usage data are stored in a cookie. This means that the cookie is retained for subsequent page requests and your consent can still be traced. You can find more information on this under the section "Required cookies".

You can change the cookie settings at any time using the blue fingerprint button at the bottom left of the website.

The provider of the consent management platform acts for us as a strictly instruction-bound service provider (order processor). An order processing contract in accordance with Art. 28 DSGVO has been agreed.

Google Consent Mode (Basic) 

We use Google Consent Mode V2 (basic mode). This means that your IP address is transmitted to Google irrespective of your settings in the banner. However, this is deleted by Google immediately after collection and is not logged. The processing is based on our legitimate interest in being able to better control and use certain functions of the Google services used on the website that require consent. The legal basis for processing is Art. 6 (1) (f) GDPR.

Google Tag Manager

We use Google Tag Manager from Google Inc. for our website. Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe.

Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Tag Manager is used to manage the tools and external services that we use on our website and allows the use of so-called tags. A tag is a code element that is stored in the source code of the website, for example to control which page or service elements and tools are activated and loaded in which order. The tool triggers other tags, which in turn may collect data and which are explained further in this privacy policy. For example, only the tools for which consent has been given via the consent banner can be displayed.

The Google Tag Manager itself does not create any user profiles, does not store any cookies and does not carry out any independent analyses. It is only used to manage and display the tools integrated via it (e.g. Google Analytics).

If services have been deactivated at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager. For more information on Google Tag Manager, see https://www.google.com/intl/de/tagmanager/use-policy.html.

The processing of personal data in connection with the use of Google Tag Manager can be legitimised on the basis of our legitimate interests in the efficient management of the tracking tools used. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR.

We have concluded a data processing agreement with Google for the use of Google Tag Manager (Art. 28 GDPR). Google only processes the data on our behalf in order to trigger the stored tags and display the services on our website. 

Google may also process data outside the EU or the EEA (in particular in the USA). Google has certified itself in accordance with the EU-U.S. Data Privacy Framework and is listed on the Data Privacy Framework List. Accordingly, transfers of personal data to the USA can be based on the adequacy decision pursuant to Art. 45 GDPR. An adequate level of data protection is guaranteed by the adequacy decision. Google also undertakes to conclude standard contractual clauses with other sub-processors.

Google Analytics

We use the web analysis tool "Google Analytics" (including "Google Search Console") to design our websites according to your needs. Google Analytics creates usage profiles based on pseudonyms. For this purpose, permanent cookies are stored on your end device and read out by us. In this way we are able to recognise returning visitors and count them as such.

Google Ireland Limited and Google LLC support us within the framework of Google Analytics. (USA) support us as processors according to Art. 28 GDPR. Data processing can therefore also take place outside the EU or EEA. With regard to Google LLC, no adequate level of data protection can be assumed due to the processing in the USA. There is a risk that authorities may access the data for security and monitoring purposes without your being informed or having the right to appeal. Please take this into account if you decide to give your consent to our use of Google Analytics. 

The data processing is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or § 15 TMG, if you have given your consent via our banner. The transfer to a third country takes place on the basis of Art. 49 para. 1 lit. a GDPR.  

Google Analytics with Google Signals technical extension

On our website, we use the technical extension Google Signals, of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We use the technical extension Google Signals on our website to perform cross-device tracking. This allows us to establish an association of a single website visitor with different end devices. However, this is only the case if you have logged into a Google service while visiting our website and at the same time activated the "personalized advertising" option in your Google account settings. We do not receive any personal data from Google, but statistics compiled on the basis of Google Signals.

Google can analyze user behavior across devices and create database models based on this. The logins and device types of all page visitors who were logged into a Google account and executed a conversion are taken into account. The data shows, among other things, on which device you first clicked on an ad and on which device the associated conversion took place.

The legal basis for the processing of personal data is your consent pursuant to Art. 6 (1) lit. a DSGVO, provided you have given your consent via our banner.

If you do not wish to be used by Google Signals via our website, deactivate the "personalized advertising" option in your Google account settings. Please note the following information: https://support.google.com/ads/answer/2662922?hl=de

For more information on data use for advertising purposes by Google, settings and opt-out options, please visit Google's websites:

http://www.google.com/analytics/terms/de.html
https://www.google.de/intl/de/policies/
https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/

Google Ads Remarketing

We use the functions of Google Ads Remarketing. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

With Google Ads Remarketing, we can assign people who interact with our online offer to specific target groups in order to subsequently display interest-based advertising in the Google advertising network (remarketing or retargeting).

For these purposes, when our and other websites on which Google marketing services are active are called up, a code is executed directly by Google and so-called (re)marketing tags (invisible graphics or codes, also known as web beacons) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). This file records which websites the user has visited, what content they are interested in and which offers have been clicked on, as well as technical information about the browser and operating system, referring websites, time of visit and other information about the use of the online offer. The user's IP address is also recorded

Furthermore, the advertising target groups created with Google Ads Remarketing can be linked to Google's cross-device functions. In this way, interest-based, personalised advertising messages that have been adapted to you depending on your previous usage and surfing behaviour on one end device (e.g. smartphone) can also be displayed on another of your end devices (e.g. tablet or PC).

The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. Consent can be revoked at any time.

The cookies are stored on your end device for 13 months if you are from the European Economic Area (EEA), Switzerland or the United Kingdom (UK). Otherwise, the storage period is 24 months.

As we use a third-party provider, Google, which is also based in the USA, it cannot be ruled out that your data will also be processed in the USA. An adequate level of data protection is guaranteed for transfers to the USA due to the provider's certification under the EU-U.S. Data Privacy Framework.

If you have a Google account, you can object to personalised advertising at the following link: https://www.google.com/settings/ads/onweb/.

Further information and the data protection provisions can be found in Google's privacy policy at: https://policies.google.com/technologies/ads?hl=de.

Google Fonts

We use Google Fonts from Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA for the functional display of our website. The service enables us to use external fonts. When you visit our website, your IP address is transmitted via the Google domains fonts.googleapis.com and fonts.gstatic.com. According to Google, this transmission is separate from other Google services. 
In addition, information such as language settings, screen resolution, name and version of the browser are transmitted to Google. Google stores this data for one year. We have no influence on the scope and further use of the data that is collected and processed by the provider through the use of the service.
The legal basis for data processing is the consent you have given in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time. To do so, please click on the fingerprint at the bottom left and make the appropriate settings via our banner.
For transfers to the USA, an adequate level of data protection is guaranteed due to the provider's certification under the adequacy decision (EU-U.S. Data Privacy Framework).
Further information on Google Fonts can be found in Google's privacy policy, which you can access here: https://policies.google.com/privacy?hl=de&tid=311141511

Microsoft Advertising (formerly Bing Ads)

On our websites, we use Microsoft Advertising (formerly Bing Ads) from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter referred to as Microsoft or Third Party Provider), so that you can be shown targeted advertising on other websites based on your visit to our websites and so that we can see how effective our advertising measures have been.
Microsoft Advertising serves our online advertisements on the Bing search engine, Yahoo and Microsoft partner websites. When an ad is clicked, Microsoft sets cookies. Cookies are small text files that are stored in your computer's browser. Microsoft uses cookies to store data about the use of our website (e.g. length of visit, which areas of the website were visited and which ad you used to access our website) and, in the case of an order based on these data, the order value and the time of the order. All this data relates to your user behaviour. We therefore receive Microsoft advertising data and evaluations of your web behaviour.
As we use a third party provider based in the USA, it cannot be ruled out that your data will also be processed in the USA. For transfers to the USA, an appropriate level of data protection is guaranteed due to the certification of the provider under the EU-U.S. Data Privacy Framework.
Data processing is based on your consent pursuant to Art. 6 (1) sentence 1 lit. a DSGVO, provided you have given your consent via our banner.
Furthermore, you can object to the use of data by Microsoft for the receipt of interest-based advertising by deactivating the corresponding setting via this link.
Cookies from the third-party provider are stored on your terminal device for 180 days.
For more information on data protection and the cookies used by Microsoft Advertising, please see the Microsoft privacy policy.

Hotjar

We use Hotjar to better understand the needs of our users and optimize the experience on this website. Using Hotjar's technology, we get a better understanding of our users' experiences (e.g., how much time users spend on which pages, which links they click on, what they like and don't like, etc.) and this helps us tailor our offerings based on our users' feedback. Hotjar works with cookies and other technologies to collect information about our users' behavior and about their devices (in particular, IP address of the device (collected and stored only in anonymized form), screen size, device type (unique device identifiers), information about the browser used, location (country only), language preferred to view our website). Hotjar stores this information in a pseudonymized user profile. The information is not used by Hotjar or us to identify individual users or merged with other data about individual users.
For more information, please see Hotjar's privacy policy here: 

https://www.hotjar.com/legal/policies/privacy.

Within the scope of the Hotjar service, Hotjar Limited Malta supports us as a processor in accordance with Art. 28 DSGVO. In this context, data processing may also take place by Hotjar outside the EU or the EEA (in particular in the USA). With regard to Hotjar, no adequate level of data protection can be assumed due to processing in the USA. There is a risk that authorities may access the data for security and monitoring purposes without you being informed or having legal recourse. Please keep this in mind if you decide to give your consent to our use of Hotjar.

Data processing is based on your consent, if you have given your consent via our banner. The transfer to a third country takes place on the basis of Art. 49 (1) lit. a DSGVO.

Meta Pixel

On this website, we use the retargeting technology "Meta Pixel" from the provider Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. This enables us to measure the success of Facebook advertising campaigns, to retarget visitors to our website with advertisements on the Meta platforms (Facebook, Instagram) and to personalize the advertisements.

If you have consented to this, a direct connection is established between your browser and the Meta server via the retargeting tags. Meta thereby receives the information that you have visited our site with your IP address. This allows Meta to associate your visit to our website with your user account. Using the information obtained in this way, we can evaluate the effectiveness of our advertisements displayed there and optimize future advertising measures by displaying interest-based advertisements ("Meta Ads").

The legal basis for data processing is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a, 7 GDPR in conjunction with. § Section 25 (1) sentence 1 TDDDG, provided that you have given your consent via our cookie banner. You can revoke your consent there at any time with effect for the future.

Insofar as personal data is collected from you on our website and forwarded to Meta as part of this processing, we are joint controllers together with Meta limited to this data processing within the meaning of Art. 26 GDPR. Art. 26 GDPR and have concluded a joint controllership agreement, which you can view here: www.facebook.com/legal/controller_addendum.

Accordingly, we are responsible under data protection law for the provision of data protection information when using the Meta tool and the implementation on our website. Meta is responsible under data protection law for the data security of the Meta tool used. You can also assert your data subject rights under Art. 15 et seq. GDPR directly against Meta. The processing carried out by Meta after forwarding is carried out under Meta's own responsibility under data protection law. Information on the contact addresses and on the collection and use of your data by Meta itself can be found at www.facebook.com/about/privacy/. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its further use by Meta.

It cannot be ruled out that Meta transfers data to the USA as part of the processing described here. Meta is certified under the EU-US Data Privacy Framework (EU-US DPF). Compliance with an adequate data protection standard for processing in the USA is therefore guaranteed.

Embedded videos

On our websites we embed videos that are not stored on our servers. In order to ensure that calling up our web pages with embedded videos does not automatically lead to the reloading of third-party content, in a first step we only display locally stored preview images of the videos. This does not provide the third party provider with any information.

Only after a click on the preview image, content from the third party provider is loaded. The third party provider receives the information that you have called up our site and the usage data that is technically required in this context. We have no influence on further data processing by the third party provider. By clicking on the preview image, you give us the consent to reload contents of the third party provider. 

The embedding takes place on the basis of your consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR or § 15 TMG, if you have given your consent by clicking on the preview picture. Please note that the embedding of many videos leads to your data being processed outside the EU or EEA. In some countries, there is a risk that authorities may access the data for security and surveillance purposes without you being informed or having the right to appeal. If we use providers in insecure third countries and you give your consent, the transfer to an insecure third country is based on Art. 49 para. 1 lit. a GDPR.

Provider: YouTube / Google (USA) 

Maximum storage period: Google does not specify a specific duration for this.

Adequate level of data protection: No adequate level of data protection. The transmission is based on Art. 49 para. 1 lit. a GDPR.

Revocation of consent: If you have clicked on a thumbnail, the contents of the third party provider are immediately reloaded. If you do not wish such reloading on other sites, please do not click on the thumbnails anymore.

Map services

On our web pages we embed map services that are not stored on our servers. In order to ensure that calling up our web pages with embedded map services does not automatically lead to third-party content being loaded, we only display locally saved preview images of the maps in a first step. This does not provide the third party provider with any information.

Only after a click on the preview image will the content of the third party provider be loaded. The third party provider is then informed that you have called up our site and receives the usage data that is technically required for this purpose. We have no influence on further data processing by the third party provider. By clicking on the preview image, you give us the consent to reload contents of the third party provider. 

The embedding takes place on the basis of your consent in accordance with Art. 6 Para. 1 S. 1 lit. a GDPR or § 15 TMG, provided that you have previously given your consent by clicking on the preview image. 

Please note that the embedding of some card services means that your data will be processed outside the EU or EEA. In some countries, there is a risk that authorities may access the data for security and monitoring purposes without you being informed or having the right to appeal. If we use providers in insecure third countries and you give your consent, the transfer to an insecure third country is based on Art. 49 para. 1 lit. a GDPR. 

Provider: Google LLC (USA)

Maximum storage period: Google does not specify a specific duration for this.

Adequate level of data protection: No adequate level of data protection. The transmission is based on Art. 49 para. 1 lit. a GDPR. 

Revocation of consent:  If you have clicked on a thumbnail, the contents of the third party provider are immediately reloaded. If you do not wish such reloading on other sites, please do not click on the thumbnails anymore.

Security

We have taken technical and organisational measures to prevent the personal data you provide against loss, destruction, tampering and unauthorised access. This includes the encrypted transmission of data using sha256RSA (2048 bits) signature algorithm. All our staff and third parties participating in data processing are obligated to observe the German Federal Data Protection Act and treat personal data confidentially.

We reserve the right to modify this declaration at any time. It does not constitute any contractual or other formal right vis-à-vis or on behalf of any party.

Information according to Art. 13, 14 GDPR for applicants

The information regarding data protection for applicants can be found here.

Right of appeal to a supervisory authority

Pursuant to Art. 77 GDPR, you have the right to complain to a supervisory authority if you are of the opinion that the processing of the data concerning you violates data protection provisions. The right of appeal can be asserted in particular with a supervisory authority in the member state of your residence, your place of work or the place of the presumed infringement.

Contacting

You may contact us via our contact form. In order to use our contact form, we first require the data marked as mandatory.

The legal basis for this processing is Art. 6 (1) (f) GDPR in order to respond to your request. In addition, you can decide for yourself whether you would like to provide us with further information. This information is provided voluntarily and is not mandatory for contacting us. We process the information you provide voluntarily on the basis of your consent (Art. 6 (1) (a) GDPR).

Your data will only be processed to respond to your enquiry. We delete your data if it is no longer required and there are no legal retention obligations in conflict to that. 

Concerning the processing according to Art. 6 (1) (f) GDPR, you have the right to object at any time. You can also withdraw your consent to the processing of the data you provided voluntarily at any time. To do so, please contact the e-mail address stated in the imprint.

Basic data protection regulation for social media

The information regarding the data protection of our social media presences can be found here.

Your rights as a user

When processing your personal data, the GDPR grants you as a website user certain rights:

1.) Right to information (Art. 15 GDPR): 

You have the right to request confirmation as to whether personal data relating to you are being processed; if this is the case, you have the right to access this personal data and the information specified in Art. 15 GDPR. 

2.) Right to rectification and cancellation (Art. 16 and 17 GDPR):

You have the right to demand the immediate correction of incorrect personal data concerning you and, if necessary, the completion of incomplete personal data. 

They also have the right to demand that personal data relating to them be deleted immediately if one of the reasons specified in Art. 17 GDPR applies, e.g. if the data is no longer required for the purposes pursued. 

3.) Right to limit the processing (Art. 18 GDPR): 

You have the right to demand the restriction of the processing if one of the conditions listed in Art. 18 GDPR is met, e.g. if you have lodged an objection against the processing for the duration of any examination. 

4.) Right to data transferability (Art. 20 GDPR): 

In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request the transfer of this data to a third party.  

5.) Right of objection (Art. 21 GDPR): 

If data is collected on the basis of Art. 6 para. 1 lit. f (data processing to safeguard legitimate interests), you have the right to object to such processing at any time for reasons arising from your particular situation. We will then no longer process the personal data unless there are verifiable compelling grounds for processing worthy of protection which outweigh the interests, rights and freedoms of the person concerned, or the processing serves to assert, exercise or defend legal claims.