DATA PROTECTION NOTICE (Vink Privacy Policy)

Information to be provided to Data Subjects according to Articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).

With this Data Protection Notice (“DPN”) Vink Chemicals GmbH & Co. KG (“Vink”, “we”, “our” or “us”) would like to inform you which types of your Personal Data ("Personal Data") we process for which purposes and in which scope. This Data Protection Notice applies to all processing of Personal Data carried out by us, both in the context of providing our services and in particular on our websites and within external online presences, such as our social media profiles ("Services").

1. Data Controller – Contact Details

Unless otherwise specified for a specific market or service, “Controller” within the meaning of the General Data Protection Regulation (“GDPR”), other local data protection laws applicable in the member states of the European Union is Vink Chemicals GmbH & Co. KG, Eichenhöhe 29, 21255 Kakenstorf, Germany, HRA 202013 (AG Tostedt).

Vink’s data protection officer can be reached under the E-Mail address datenschutz[at]vink-chemicals.com.

The online service is hosted by Storage Quality Solutions B.V., Korenpad 6, Netherlands-6534 AS Nijmegen (Web Hosting Provider).

2. Collected Personal Data

The Personal Data we collect from you strictly depends on your relationship with Vink. Below, we describe what kind of data we collect, where it comes from, the purpose and the legal basis of the processing, its duration, and the recipients with whom the data is shared. One or several of the following specific situations may apply to you:

2.1 Processing of Personal Data when using the Services of Vink (such as Websites)

a) Processed Data

When accessing our website or using other Services we or our web hosting provider, collect data on the basis of each access to the server (so-called server log files). Server log files may include the following information:

• the browser types and versions;
• the operating system used by the accessing system;
• the date and time of access;
• the pages of our Services that you visit;
• referrer URL (the previously visited page);
• your device’s the Internet Protocol (IP) address.

When you access the Services by or through a mobile device, we may collect the following information automatically:

• the type of mobile device;
• mobile device’s unique ID;
• the IP address;
• operating system;
• the type of mobile internet browser;
• unique device identifiers and other diagnostic data.

b) The purpose of Processing and Legal basis

We use the data which we collect to provide contractual services and customer support, deliver and optimize the content of our Services correctly and to ensure the long-term viability and technical security of our systems. This purpose constitutes our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f GDPR.

We use the information regarding your location to provide and maintain our Service and to provide features of our Service. As part of our Services, we deliver products quickly based on the location of a customer. Therefore it is necessary to access location data. The legal basis for such processing is Art. 6 para. 1 lit. f GDPR.

Personal data that you voluntarily submit to Vink, e.g. via email or a contact form, will be stored for the purpose of processing or for contacting you. The legal basis for such processing is Art. 6 para. 1 lit. f GDPR.

c) Sharing your Data

Vink may share your Personal Data with third parties who store your data on their servers. The types of third parties with whom we share your data include:

• IT service providers: including cloud providers for data storage purposes;
• External support service providers;
• Public bodies and authorities if the appropriate legal provisions exist (e.g. tax authorities and customs authorities) on the basis of Art. 6 para 1 lit. c GDPR.

d) Duration of storage

We store your Personal Data strictly as long as it is necessary to achieve the purpose of processing. If we use your personal data on the basis of a legitimate interest, we shall store it at most as long as your interest in deletion or anonymization or other fundamental data privacy rights do not prevail. In addition, data may be stored if this has been provided for by the European Union or a national legislator in regulations, laws or other provisions to which the responsible body is subject. The duration of the data storage depends on the statutory storage obligations and in general is 10 years.

2.2 Cookies

Cookies are text files which are stored on a computer system via an internet browser. Cookies are primarily used to store information about a user during or after his visit within a Service. The information stored may include, for example, the language settings on a website, the login status, or other.

The term "cookies" hereinafter also includes other technologies that fulfil the same functions as cookies (e.g. if user information is stored using online identifiers, also referred to as "user IDs"). Cookies not set by Vink will not be accessible to us.

a) We distinguish the following types and functions of cookies:

• Temporary cookies (session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed his browser.
• Permanent cookies: Permanent cookies remain stored even after closing the browser. For example, the login status can be saved or preferred content can be displayed directly when the user visits the website again. The interests of users who are used for range measurement or marketing purposes can also be stored in such a cookie.
• First-Party-Cookies: First-Party-Cookies are set by Vink.
• Third party cookies: Third party cookies are mainly used by advertisers (so-called third parties) to process user information.
• Necessary (also: essential) cookies: Cookies can be necessary for the operation of a website (e.g. to save logins or other user inputs or for security reasons).
• Statistics, marketing and personalization cookies: Cookies are also generally used to measure a website's reach and when a user's interests or behavior (e.g. viewing certain content, using functions, etc.) are stored on individual websites in a user profile. Such profiles are used, for example, to display content to users that corresponds to their potential interests. This procedure is also referred to as "tracking", i.e. tracking the potential interests of users.

b) Legal basis for the usage of cookies

The legal basis on which we process your Personal Data with the help of cookies depends on whether we ask you for your consent. If this applies and you consent to the use of cookies, the legal basis for processing your data is your declared consent according to Art. 6 para. 1 lit. a GDPR.

Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests according to Art. 6 para. 1 lit. f GDPR or, if the use of cookies is necessary to fulfill our contractual obligations according to Art. 6 para. 1 lit. b GDPR.

c) Duration of storage

Unless we provide you with explicit information on the retention period of permanent cookies (e.g. within the scope of a so-called cookie opt-in), the retention period is as long as it is necessary to achieve the purpose of the processing.

d) General information on withdrawal of consent and objection (Opt-Out)

Respective of whether processing is based on consent or another legal basis, you have the option at any time to object to the processing of your data using cookie technologies or to revoke consent (collectively referred to as "opt-out"). You can initially explain your objection using the settings of your browser, e.g. by deactivating the use of cookies (which may also restrict the functionality of our Services).

e) Processing Cookie Data on the Basis of Consent

We use a cookie management solution in which users' consent to the use of cookies, or the procedures and providers mentioned in the cookie management solution, can be obtained, managed and revoked by the users. The declaration of consent is stored so that it does not have to be retrieved again and the consent can be proven in accordance with the legal obligation. Storage can take place server-sided and/or in a cookie (so-called opt-out cookie or with the aid of comparable technologies) in order to be able to assign the consent to a user and/or user’s device.

2.3 Processing of Data in the process of recruiting

a) Processed Data

Personal Data that you provide us with during the application process. This may include the following data: Personal details (name, address, contact details, date and place of birth and nationality), application documents (letter of application, curriculum vitae, references, certificates, etc.).

As part of the application process, you will have to provide us with Personal Data that enables Vink to assess the possibility of entering into a working relationship with you or which we are legally obliged to collect. Without such data we will generally not be able to conclude a contract with you or process your application.

b) Purpose of processing and legal basis

Conducting the application process. The legal basis for is Art. 6 para. 1 lit. b GDPR. We may store your application data for some time to defend ourselves against legal claims. The legal basis for this is our legitimate interest (Art. 6 para. 1 lit. f GDPR). If you consent (Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR) we may store your information in our applicant pool. You may still benefit from the rights of the Data Subject as according to Section 6 of this Notice.

c) Sharing the Data

We may share your data with third parties who store your data on their servers or devices. The types of third parties with whom we share your data are:

• External service providers or other contractors (e.g. for data processing and hosting, for processing your application, recruitment agencies and recruitment software);
• Public bodies or authorities if the appropriate legal provisions exist (e.g., tax authorities and customs authorities) on the basis of Art. 6 para. 1 lit. c GDPR.

d) Storage of your Personal Data

Application data shall be deleted within a maximum of six months if the application process does not lead to an employment relationship, unless you have given consent for longer data storage in the context of the inclusion of your data in our applicant pool or if another legal basis is in place.

2.4 Employee Data Processing

a) Processed Data

We process Personal Data that we receive from our employees and other similar data subjects (e.g., freelancers) as part of the onboarding process and the working relationship.

Employee Personal Data include in particular:

• Your personal and contact details (e.g. name, address, contact details, date and place of birth and nationality);
• Family data (e.g. marital status and details of children);
• Information about your working permit and related documents (nationality, passport details, identity card details, national insurance number and details of residence or work permit);
• Religious affiliation, gender, health data, trade union membership (where permitted/required by law);
• Information on qualifications, data on staff development and staff evaluation (e.g. education, work experience, training, promotions, disciplinary measures);
• Details of the employment relationship (e.g. date of entry, job title and description);
• Payroll and tax relevant data (e.g. salary payment, tax number);
• Information on working time (e.g. holidays, illness and data relating to business trips);
• Information on your use of IT systems,

as well as other data comparable with the above categories.

b) The purpose and the legal basis

Employee Data will be processed for the purpose of establishing, carrying out and terminating of employment relationships or for the purpose of carrying out pre-contractual measures which are conducted on request. The legal basis for this type of processing is Art. 6 para. 1 lit. b GDPR and Art. 88 GDPR in conjunction with § 26 Sec. 1 BDSG/FDPA (Federal Data Protection Act) or other applicable national laws.

To the extent necessary, we process your data beyond the actual fulfilment of our contract where we have a legitimate interest in doing so. The legal basis for such processing activities is Art. 6 para.1 lit. f GDPR. Examples for such processing activities are:

• Measures for personnel development planning and/or personnel hiring strategy;
• Measures to protect employees and customers and to protect the property of the company;
• Evaluation of workflows for work control and improvement of processes;
• Publication of official contact details on the intranet;
• Written records of performance reviews
• Written records of disciplinary measures (admonitions, formal warnings, termination, etc.).

If you have given us your consent to process your Personal Data, we will process your data only in accordance with and to the extent agreed in the declaration of consent. Any consent given can be revoked at any time with effect for the future. The revocation of the consent does not affect the legality of the data processed until the revocation. The legal basis for processing on the basis of your consent is Art. 6 para. 1 lit. a GDPR and Art. 88 GDPR in conjunction with § 26 Sec. 2 BDSG/FDPA or other applicable national laws.

As a company we are subject to various legal obligations (e.g. social security law, work safety regulations, tax laws, etc.). Processing on the basis of such legal requirements is done, among other things, to verify your identity, to comply with social security and tax law regulations, reporting or documentation obligations and to manage risks within the company. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

Insofar as special categories of Personal Data are processed in accordance with Art. 9 Para. 1 GDPR, this serves the exercise of rights or the fulfilment of legal obligations arising from labor law, social security law and social protection (e.g., provision of health data to the health insurance funds, recording of severe disability due to additional leave and calculation of the severely disabled levies). Such processing is carried out on the basis of Art. 88 GDPR in conjunction with § 26 para. 3 BDSG/FDPA or other applicable national laws.

c) Sharing your data

We will share your data with third parties who store your data on their servers. The types of third parties with whom we share your data include:

• External service providers or other contractors (e.g. for data processing and hosting, payroll accounting, HR software providers, training providers);
• Public bodies or authorities if the appropriate legal provisions exist (e.g., tax authorities. customs authorities) on the basis of Art. 6 para. 1 lit. c GDPR.

d) Duration of storage

We store your personal data only as long as it is necessary to achieve the purpose of processing. Some data is subject to legal retention periods. This data is deleted after the retention period expires. Generally a common retention period is 10 years for tax purposes. Other retention periods may be shorter; very few are longer depending on the legal obligation and the purpose of processing of your personal data.

2.5 Managing telephone/video conferences/ screen-sharing

a) Processed Data

Personal Data provided for the use of telephone/video conference software (in particular first name, surname, e-mail address; optional: sound transmission; optional: image transmission; optional: questions when using chat functions); to the extent technically necessary, processing of data from your system to establish the connection with the provider of the conference software.

b) The purpose of processing and legal basis

Conducting telephone/video conferences/ screen-sharing; the legal basis in this case is our legitimate interest (Art. 6 para. 1 lit. f GDPR) to provide a working communication tool. Using the recorded telephone/video conferences for training and quality assurance purposes (only if prior consent has been given); the legal basis for this is Art. 6 para 1 lit. a GDPR.

c) Sharing the Data

We will share your data with third parties who store your data on their servers. The types of third parties with whom we share your data include:

• External service providers or other contractors, e.g. for data processing, video conferences and hosting.
• Other external parties, provided that the data subject was duly informed.
• Public bodies and authorities in the event of overriding legal provisions.

d) Duration of storage

Video conferences will only be recorded with the prior documented consent of the participants. We will store video conferences only as long as it is necessary to achieve the agreed purpose of processing. The technical data will be deleted if they are no longer required. The duration of data storage is otherwise governed by the statutory storage obligations and is generally 10 years.

2.6 Social Media

Vink maintains online presences within social networks and processes user data in this context in order to communicate with the active users or offer information about us.

When you visit or interact with a profile on a social media platform, Personal Data about you may be processed. Information associated with a social media profile regularly represents Personal Data. This includes messages and statements made using your profile. In addition, during your visit on a social media profile, certain information is often automatically collected, which may also represent Personal Data.

a) Processed Data

Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. entries in online forms), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

b) Purpose of processing and legal basis

Contact requests and communication, tracking (e.g. interest/behavioral profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors). The legal basis for this is Art. 6 para. 1 lit. f GDPR.

c) Sharing the Data

To represent the respective forms of processing and the possibilities of objection (opt-out), we refer to the data protection policies and information provided by the Service operators of the respective networks.

In case of requests for information and the assertion of data subject rights, we advise that these can most effectively be asserted with the providers. Only the providers have access to the data of the users and can take appropriate measures and provide information directly.

• Potential data to be processed: Contact data (e.g. e-mail, telephone numbers), Content data (e.g. text input, sound input, photographs, videos), Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
• Potential Data subjects: Users (e.g. website visitors, users of online services).
• Potential purposes of Processing: Contact requests and communication, feedback (e.g. collecting feedback via online forms), marketing.
• Legal Basis: Legitimate Interests (Article 6 para. 1 lit. f GDPR).

Service providers we use:

• LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy Policy: https://policies.google.com/privacy; Opt-Out: https://adssettings.google.com/authenticated.

3. Data transmission within affiliates, merger, joint venture

a) We may transfer Personal Data to other affiliates (§ 15 AktG – German Stock Corporation Act) or otherwise grant them access to this data. Insofar as this disclosure is for administrative purposes, the disclosure of the data is based on our legitimate business and economic interests or otherwise, if it is necessary to fulfill our contractual obligations or if the consent of the data subjects or otherwise a legal basis (e.g., Article 6 para. 1 lit. b GDPR) is present.

b) We only share your data with our personnel and with personnel of Vink’s affiliates, if this is necessary for the purposes described above.

c) We may also share your data if we should enter into a joint venture, buy, sell or merge with another company. In such a case, your data may be shared with the target company, our new business partners or owners or their advisors on the legal basis of e.g., Article 6 para. 1 lit. b GDPR.

4. International Data transfers

In some cases, the Personal Data collected from you may be processed outside the European Economic Area ("EEA"). These countries may not have the same level of data protection as the EEA. However, we are obliged to ensure that the Personal Data processed by us and our partners outside the EEA are protected in the same way as if they were processed within the EEA. Therefore, if your data is processed outside the EEA, there are certain safeguards in place. We ensure similar protection by ensuring that at least one of the following safeguards is in place:

• Your Personal Data will be transferred to countries whose level of data protection is considered appropriate by the European Commission according to Art. 45 GDPR;
• We use the standard contractual clauses approved by the EU;
• An exception as set out in Art. 49 GDPR;
• Other safeguards as specified in Art. 46 GDPR.

5. Security

1) We use strong technologies and policies to ensure that your Personal Data we hold is appropriately protected.

2) We take measures to protect your data from unauthorized access and unlawful processing, accidental loss, destruction and damage.

3) Unfortunately, the transmission of data over the internet is not completely secure. Although we take steps to protect your Personal Data, we cannot guarantee the security of the information you transmit to us; any transmission is at your own risk. Once we have received your information, we will apply strict procedures and security features to prevent unauthorized access.

4) Any third party involved in processing of Personal Data on behalf of Vink guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject (Art. 28 GDPR).

5) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vink and the any involved third party acting as a data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymization and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

6. Your rights

According to data protection legislation, you have a number of rights regarding the personal data we hold about you. If you wish to exercise any of these rights, please contact us at the contact details set out above.

a) The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your data and what your rights are according to Art. 13 and 14 GDPR. For this reason, we provide you with the information in this DPN.

b) The right of access. You have the right to access your data (if we are acting as a processor) according to Art. 15 GDPR. This will enable you, for example, to check that we use your data in accordance with data protection law.

c) The right to rectification. You have the right to have your data corrected if it is inaccurate or incomplete according to Art. 16 GDPR. You may request that we rectify any errors in the data we hold.

d) The right to erasure. This "right to be forgotten" enables you to request the deletion or removal of certain data that we have stored about you according to Art. 17 GDPR. This right is not absolute and only applies in certain circumstances.

e) The right to restrict processing (blocking of data). You have the right to “block” or “restrict” the further use of your data according to Art. 18 GDPR. If processing is restricted, we may still store your data, but will not process it further.

f) The right to data portability. You have the right to obtain your Personal Data in an accessible and transferable format so that you can re-use it for your own purposes across different service providers according to Art. 20 GDPR. However, this is not an absolute right and there are exceptions.

g) The right to lodge a complaint. You have the right to lodge a complaint about the way we handle or process your information with a competent data protection authority according to Art. 77 GDPR. 

h) The right to withdraw consent. You have the right to withdraw any consent given to us (if we rely on the consent as a legal basis for the processing of certain data) at any time with effect for the future according to Art. 7 GDPR. The legality of the processing carried out on the basis of the consent prior to the withdrawal remains unaffected.

i) The right to object to processing. You have the right to object to the processing of Personal Data concerning you based on Art. 6 para. 1 lit. e or f GDPR according to Art. 21 GDPR. This also applies to direct marketing and related profiling.
Vink and its Affiliates do not use any automatic decision making, including profiling (Art 22 GDPR).

j) Specific Information on the right to object pursuant to Art. 21 para. 4 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on those provisions. Vink will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

7. Our companywide Commitment to Your Privacy

To make sure your personal data is secure, we communicate our privacy and security guidelines to all employees of Vink and strictly enforce privacy safeguards within the company.

8. Obligation to provide data

Unless expressly stated at the time of collection, the providing of data is not required and/or obligatory. Such an obligation may result from legal requirements or contractual regulations. Failure to provide required personal data generally results in a contract not being able to be concluded and/or in us not being able to provide a requested service. Our employees will clarify on a case-by-case basis whether the providing of personal data is required by law or contract or necessary for the conclusion of a contract, whether there is an obligation to provide the personal data and what the consequences of not providing the personal data would be.

9. Changes to this Data protection notice (Policy)

We kindly ask you to inform yourself regularly about the contents of our DPN. We will adjust this DPN as changes in our data processing practices require us to do so. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification. If we provide addresses and contact information of companies and organizations in this Data Protection Notice, we ask you to note that addresses may change over time and to verify the information before contacting us.

10. Complaints

If you should not be satisfied with our response to any complaint or believe our processing of your data does not comply with data protection legislation, you may make a complaint to:

Niedersachsen (Lower Saxony) – The State Commissioner for Data Protection

Physical Address:
Prinzenstrasse 5
30169 Hannover
Mailing Address:
Postfach 2 21
30002 Hannover

Phone: +49 511 120 45 00
Fax: +49 511 120 45 99
Email: poststelle@lfd.niedersachsen.de
Website: www.lfd.niedersachsen.de/

Vink is headquartered in Kakenstorf, Germany. You may also complain to another competent supervisory authority.

Last updated in March 2022