This Privacy Policy explains how personal data is processed by the website pentel-energel.eu, as well as by the company Pentel Bürobedarf-Handelsgesellschaft mbH as a trading partner.
We, Pentel Bürobedarf-Handelsgesellschaft mbH, take the protection of our customer’s personal data very seriously. We treat your personal data as confidential, and in accordance with both data protection legislation and the provisions of this Privacy Policy.
Below you will find information about how Pentel Bürobedarf-Handelsgesellschaft mbH collects and uses personal data, focusing in particular on the kinds of data collected during your visit to our website and how this data is used. Section IX of our Policy tells you about the rights you are granted by the EU General Data Protection Regulation (GDPR) and how you can exercise these rights.
I. Name and contact details of the controller
The ‘controller’, as defined by the GDPR and other national data protection legislation enacted by EU and EEA member states, as well as other regulations governing data protection, is as follows:
Pentel Bürobedarfs-Handelsgesellschaft mbH
Lademannbogen 143
22339 Hamburg
Germany
Tel.: +49 40 538091-0
Email: info@pentel.de
Website: www.pentel.de
II. Name and contact details of the Data Protection Officer
If you have any questions about the processing of your personal data or require other information about data protection, please feel free to email our Data Protection Officer (DPO) at datenschutz@pentel.de. You can also write to them at our company address, marking your letter for the attention of our DPO.
III. General information about data processing
1. Scope of personal data processing
As a general rule, we collect and use personal data about the users of our website only insofar as this is necessary to provide a fully functional website, which also includes providing related content and services. The routine collection and use of personal data from our users occurs only after obtaining consent from these users. One exception is in cases where consent cannot be obtained beforehand for practical reasons and the processing of data in such cases is allowed by the provisions of applicable law.
2. Legal basis for the processing of personal data
Insofar as we obtain consent for processing operations involving the personal data of a data subject, point (a) of art. 6(1) of the GDPR serves as the legal basis for the processing of personal data.
In cases where the processing of personal data is necessary for the fulfilment of a contract and the data subject is the party to this contract, point (b) of art. 6(1) of the GDPR serves as the legal basis. This also applies to processing operations required in order to take steps prior to entering into a contract.
If the processing of personal data is required for the fulfilment of a legal obligation to which our company is subject, point (c) of art. 6(1) of the GDPR serves as the legal basis.
In cases where the vital interests of the data subject or some other natural person make the processing of personal data necessary, point (d) of art. 6(1) of the GDPR serves as the legal basis.
If processing is necessary to protect the legitimate interests of our company or a third party, and the interests or fundamental rights and freedoms of the data subject do not override these aforementioned legitimate interests, point (f) of art. 6(1) of the GDPR serves as the legal basis.
3. Data erasure and duration of storage
The personal data of the data subject is erased or made unavailable once the purpose of data storage no longer applies. In addition, personal data may continue to be stored if such a retention is provided for by EU or national legislation—including Regulations, laws or other legislative instruments—and the controller is subject to this legislation. The personal data is also made unavailable or erased if a retention period prescribed by the aforementioned standards expires, except in such cases where there is a need for the continued storage of the data for reasons of contract conclusion or contractual fulfilment.
IV. Provisioning of the website and creation of log files/pixels
1. Description and scope of data processing
Each time our website is accessed, our systems collect data and information automatically from the device or computer accessing our website. These data items may include the following:
– The web page that referred you to our site (referrer URL)
– The website or file that you requested
– Browser type and version
– The operating system you are using
– The type of device you are using
– Date and time of day of your visits to individual web pages
– IP address in an anonymised format (only used to identify the accessing location)
2. Legal basis for data processing
The legal basis for the temporary storage of the log files is point (f) of art. 6(1) of the GDPR.
3. Purpose of data processing
The temporary storage of the IP address is necessary to enable the outward delivery of the web page to the user’s computer. The log files are otherwise used solely for the purposes of error detection and resolution, as well as for statistical purposes and the technical optimisation of the web presence, including assuring its security and stability, and ensuring you are provided with a user experience of the highest quality.
These purposes also grant us a legitimate interest in data processing pursuant to point (f) of art. 6(1) of the GDPR.
4. Duration of storage
All data is erased once it is no longer required to achieve the purpose for which it was originally collected. In the case of storing data in log files, data is erased after no more than eight weeks. While storage beyond this point in time is possible, in this case the user’s IP addresses are erased or made unrecognisable so that any association with the accessing client is no longer possible.
5. Opportunities for objection and remediation
Data must be collected in order to provide the website to the user and data must be recorded in log files in order to operate the website. Website users are not therefore granted an opportunity to object to these activities.
V. Use of cookies
1. Description and scope of data processing
Our websites may make use of cookies. Cookies are not harmful to your PC and cannot contain viruses. We use cookies to make our website more secure, more efficient and more user-friendly. Cookies are small text files that are stored in the user’s web browser or stored by this web browser on the user’s computer system. When a user accesses a web page, a cookie may be accordingly stored on the user’s operating system. This cookie contains a specific character string that enables the unambiguous identification of the browser if this browser accesses the web page at a later date. Some of our website features depend on being able to identify the accessing browser even when the user switches from one page to another.
Unless otherwise stated by the specific provisions as set out in section VI of this Privacy Policy (‘Google Analytics’), the cookies we use do not store or transfer any kinds of personal data. The cookies used are technical in nature, and are required for the use of our websites and also to improve usability. If their use is blocked, our websites may become unusable (whether in whole or in part).
2. Legal basis for data processing
The legal basis for the processing of personal data when making use of cookies is point (f) of art. 6(1) of the GDPR.
3. Purpose of data processing
The purpose of using technically essential cookies is to simplify the use of the websites for users and to improve the user experience. Some of the features of our websites cannot be offered without the use of cookies. For these features, it is essential that the browser remains identifiable even after a page change.
The user data collected by technically essential cookies is not used to create user profiles. Analytics cookies are used only for the purpose of improving the quality of our website and its content. These analytics cookies enable us to find out how the website is used, so as to continuously improve our services. These purposes also grant us a legitimate interest in the processing of personal data pursuant to point (f) of art. 6(1) of the GDPR.
4. Duration of storage, opportunities for objection and remediation
Cookies are stored on the user’s computer and their data is sent from this computer to our page. As the user, you therefore have full control over the use of these cookies. You can change the settings in your web browser to deactivate or restrict the use and storage of cookies. Many online advertising cookies can be managed by visiting the US website www.aboutads.info/choices or the EU page www.youronlinechoices.com/uk/your-ad-choices/. Any cookies already stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that some or all of the features on our website may no longer be usable (in full).
VI. Social media plugins
1. Inclusion of social media plugins
Our websites make use of social plugins (‘plugins’) from social networks. In consideration of data protection concerns, we have deliberately decided not to activate plugins from social networks by default on our websites. Instead, we utilise a solution known as ‘Shariff’. Shariff lets you, the user, decide whether to send data to operators of a particular social network and what kind of data you want to share. When you visit our websites, data is therefore never sent or shared automatically to or with social networks such as Facebook or Pinterest. Your web browser only makes a connection to the servers of the social network in question when you actually click the respective button. Accordingly, when you click the respective button (‘Share’), you give your consent for your web browser to make a connection to the servers of the social network in question and to transfer usage data to the respective operators of this social network. This always applies—whether or not you have an account with the social network. One option to avoid making any association with your social network account is to log out of your account before using our website, i.e. before you click the corresponding button.
We have no influence on the nature and scope of the data that is then collected by the social networks in question. To find out more about the purpose and scope of data collection, and the further processing and usage of this data by the social network(s) in question, as well as your related rights and options for settings to protect your privacy, please consult the privacy policies provided by the respective social network(s).
The above applies to our use of the following social media plugins:
a) Use of Facebook social plugins
Our website uses social plugins (‘plugins’) from the social network facebook.com, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA (‘Facebook’). Facebook’s legal representative for all users outside the USA and Canada is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Facebook’s social plugins can be identified by their use of one of the Facebook logos (white ‘f’ on a blue tile, the wording ‘Like’ or a ‘thumbs-up’ icon) or the additional text ‘Facebook Social Plugin’. A list of Facebook’s social plugins together with their designs can be viewed here: developers.facebook.com/docs/plugins/.
To find out more about the purpose and scope of data collection, and the further processing and usage of this data by Facebook, as well as your related rights and options for settings to protect your privacy, please consult the Facebook Privacy Policy: www.facebook.com/about/privacy/.
Other settings and options for objecting to the usage of data for advertising purposes can be found in the Facebook Profile settings: www.facebook.com/settings.
b) Use of Instagram plugins (such as the ‘Instagram’ button)
We use social plugins (‘plugins’) on our website from the social network Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA).
To find out more about the purpose and scope of data collection, and the further processing and usage of this data by Instagram, as well as your related rights and options for settings to protect your privacy, please consult the Instagram Privacy Policy: http://instagram.com/about/legal/privacy/.
You can change your privacy settings on Instagram on the account settings page: https://www.instagram.com/accounts/privacy_and_security.
c) Use of Pinterest plugins
We use social plugins (‘plugins’) on our website from the social network Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA).
To find out more about the purpose and scope of data collection, and the further processing and usage of this data by Pinterest, as well as your related rights and options for settings to protect your privacy, please consult the Pinterest Privacy Policy: https://policy.pinterest.com/en-gb/privacy-policy.
d) YouTube
On our website, we link to a web service provided by YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google LLC, 1600 Amphitheatre Parkway, 94043 Mountain View, CA 94043, USA (‘YouTube’), so as to provide access to product videos hosted by YouTube.
Google has agreed to be bound by the terms of the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. For further information about the use of data for advertising purposes by Google (including YouTube), as well as options for settings and objecting to this use, please see the Google Privacy Policy at https://policies.google.com/privacy?hl=en-GB.
2. Legal basis for data processing
The legal basis for the processing of personal data when making use of cookies is point (f) of art. 6(1) of the GDPR or your consent as given to us in accordance with point (a) of art. 6(1) of the GDPR. For details of the purposes of processing, please see the information supplied by the respective provider.
3. Duration of storage, opportunities for objection and remediation:
For information about the use of data for advertising purposes by social media providers, as well as options for settings and objecting to this use, please see the stated websites for the individual social media providers.
VII. Contact form and email contact
1. Description and scope of data processing
If you use our digital contact and registration forms, then the information you enter and your contact details will be stored by us for the purpose of processing and for contacting you if we need to clarify anything. We will not share this information without your consent.
The data that is entered using the form is therefore processed solely according to the consent that you have given (point (a) of art. 6(1) of the GDPR). You can withdraw this consent at any time. A withdrawal does not affect the lawfulness of data processing activities carried out before the withdrawal. We retain the data that you have entered into these electronic forms until you request its erasure or withdraw your consent to its storage, or until the purpose for storing this data no longer applies. This does not affect any mandatory legal provisions—such as retention periods in particular.
2. Legal basis for data processing
The legal basis for processing the data is point (a) of art. 6(1) of the GDPR, with the user’s consent having been obtained.
The legal basis for processing the data provided by sending an email is point (f) of art. 6(1) of the GDPR.
If the contact via email is intended to conclude a contract, then an additional legal basis is provided for processing by point (b) of art. 6(1) of the GDPR.
3. Purpose of data processing
Personal data is processed from the contact form for the sole purpose of handling the contact request. In the case of a contact request sent via email, this supplies a legitimate interest for the processing of this data.
Any other types of personal data processed during the form submission process serve to prevent misuse of the contact form and to safeguard the security of our IT systems.
4. Duration of storage
All data is erased once it is no longer required to achieve the purpose for which it was originally collected, i.e. once the circumstances make it clear that the matter in question has been adequately clarified. If legal retention periods apply to the correspondence (cf. German Commercial Code section 257 and German Fiscal Code section 147), we will erase it on expiry of these mandatory retention periods.
5. Opportunities for objection and remediation
Users may withdraw their consent to the processing of personal data at any time. If a user contacts us by email, they can withdraw their consent to the storage of their personal data at any time. In such a case, further communication will no longer be possible. In this case, all personal data stored in the context of this contact request will be erased. This does not affect our obligations to abide by statutory retention periods.
VIII. Electronic newsletter
a) Description and scope of data processing
After registering for one of our prize competitions, you may be notified by us if you win a prize. We require your postal address in order to send you your prize. You provide us with these details voluntarily. You have the right to withdraw your consent to being notified in this way at any time.
The following data items are also collected during registration:
– IP address of the accessing computer
– Date and time of registration
– Date and time of the declaration of consent
– Confirmation that the checkbox was checked
– Date and time of the user’s click on the confirmation link and the link in the confirmation email
In order to process this data, your consent is obtained as part of the registration process and you are referred to this Privacy Policy. Data is not shared with third parties as part of the data processing that is involved with sending notifications. The data is used only for the purpose of notifying you that you have won a prize.
b) Legal basis for data processing
The message is sent as a result of the user registering to receive it on the website provided for this purpose.
The legal basis for processing the data after the user has registered to receive the newsletter is point (a) of art. 6(1) of the GDPR, with the user’s consent having been obtained.
If a message is sent as a result of the sale of certain goods or services, then the legal basis for sending the message as a result of the sale of goods or services is section 7(3) of the German Act against Unfair Competition (UWG) and point (f) of art. 6(1) of the GDPR.
c) Purpose of data processing
The user’s email address is recorded in order to send the user the message.
The collection of other personal data as part of the registration procedure is intended to avoid misuse of the services and of the email address supplied by the user.
d) Duration of storage
All data is erased once it is no longer required to achieve the purpose for which it was originally collected. The user’s email address is therefore stored for as long as the user has an active subscription to the newsletter.
e) Opportunities for objection and remediation
The message subscription can be cancelled by the subscribed user at any time. An unsubscribe link is provided for this purpose in each newsletter sent. You can also contact us at the address provided in our Legal Notice.
Doing so also allows you to withdraw your consent to our storage of the personal data we collected from you during the registration procedure.
IX. Rights of the data subject
In cases where your personal data is processed, you are a ‘data subject’ as defined by the GDPR and you are granted the following rights vis-à-vis the controller:
1. Right to access
You have the right to obtain from the controller confirmation as to whether or not we are processing personal data where you are the data subject.
If this kind of processing is taking place, you have the right to obtain the following information from the controller:
a) The purposes for which the personal data is being processed.
b) The categories of personal data that are being processed.
c) The recipients or categories of recipient to whom the personal data where you are the data subject have been or will be disclosed.
d) The envisaged period for which the personal data where you are the data subject will be stored or, if specific details are not available, the criteria used to determine the storage period.
e) The existence of a right to request from the controller rectification or erasure of personal data concerning you as a data subject, or a right to restrict the processing of such personal data or a right to object to such processing.
f) The right to lodge a complaint with a supervisory authority.
g) All available information concerning the origin of the data, if the personal data is not collected directly from the data subject.
h) The existence of automated decision-making, including profiling, referred to in art. 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain information about whether the personal data concerning you as a data subject is being transferred to a third country or an international organisation. In this context, you can request to be informed about the appropriate safeguards in accordance with art. 46 of the GDPR in connection with this transfer.
2. Right to rectification
You are granted a right to the rectification and/or completion of incomplete data vis-à-vis the controller, in cases where your personal data that is processed is inaccurate or incomplete. The controller must make such rectifications without undue delay.
3. Right to restriction of processing
Under the following conditions, you can request the restriction of processing for the personal data affecting you as a data subject:
a) If you contest the accuracy of the personal data concerning you as a data subject for a period enabling the controller to verify the accuracy of the personal data.
b) If the processing is unlawful and you oppose the erasure of the personal data, and request that the use of this personal data is restricted instead.
c) If the controller no longer needs the personal data for the purposes of the processing, but you require this data for the establishment, exercise or defence of legal claims.
d) If you have objected to processing pursuant to art. 21(1) of the GDPR pending the verification of whether the legitimate grounds of the controller override your own grounds.
If the processing of the personal data affecting you as a data subject is restricted, then this data, with the exception of its storage, can only be processed as follows: with your consent being given; or for the establishment, exercise or defence of legal claims; or to protect the rights of another natural person or legal entity; or for reasons of an important public interest of the European Union or of an EU Member State.
If processing has been restricted according to one or more of the abovementioned provisions, you will be informed by the controller before the restriction(s) is/are lifted.
4. Right to erasure (‘right to be forgotten’)
a) Compulsory erasure
You can request that the controller erases personal data concerning you as a data subject without undue delay. The controller is accordingly obliged to erase this data without undue delay if one of the following grounds applies:
(1) The personal data affecting you as a data subject is no longer needed for the purposes for which it was collected or otherwise processed.
(2) You withdraw the consent you gave, on which the processing was based according to point (a) of art. 6(1) of the GDPR or point (a) of art. 9(2) of the GDPR, and there is no other legal basis for the processing.
(3) You object to the processing pursuant to art. 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to art. 21(2) of the GDPR.
(4) The personal data affecting you as the data subject has been unlawfully processed.
(5) The personal data affecting you as a data subject must be erased in order to ensure compliance with a legal obligation in European Union or EU Member State law to which the controller is subject.
(6) The personal data affecting you as a data subject has been collected in relation to the offer of information society services pursuant to art. 8(1) of the GDPR.
b) Sharing information with third parties
If the controller has made the personal data affecting you as a data subject public and the controller is obliged to erase this data pursuant to art. 17(1) of the GDPR, the controller shall take the following steps: the controller shall—taking into account the available technology and implementation costs for reasonable measures (including technical measures) required to do so—inform the controllers who are processing the personal data that you, as the data subject, have requested the erasure by such controllers of all links to this personal data, as well as all copies or replications of this personal data.
c) Exceptions
A right to erasure is not granted in the following cases:
(1) If processing is required to exercise the right to freedom of expression and information.
(2) If processing is required for compliance with a legal obligation that requires processing by European Union or EU Member State law to which the controller is subject or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
(3) If processing is required for reasons of public interest in the area of public health, in accordance with points (h) and (i) of art. 9(2) as well as art. 9(3) of the GDPR.
(4) If processing is required for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89(1) of the GDPR, insofar as the right referred to in section (a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing.
(5) If processing is required for the establishment, exercise or defence of legal claims.
5. Right to information
If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is required by law to notify all recipients to whom personal data about you has been disclosed about this rectification, erasure or restriction of processing, except in cases where this notification proves to be impossible or would involve a disproportionate amount of effort on the part of the controller.
You have the right to obtain information about these recipients from the controller.
6. Right to data portability
You have the right to receive the personal data concerning you as a data subject that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was originally provided, in the event that
(1) processing is based on consent being given pursuant to point (a) of art. 6(1) of the GDPR or point (a) of art. 9(2) of the GDPR, or because of a contract pursuant to point (b) of art. 6(1) of the GDPR, and
(2) processing involves the use of automated procedures.
In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, insofar as this is technically feasible, and where exercising this right of data portability does not adversely affect the rights and freedoms of others.
This right to data portability is not granted if the processing of personal data is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data about you, where such processing is based on point (e) or (f) of art. 6(1) of the GDPR; this right also includes profiling based on these provisions.
The controller will no longer process the personal data affecting you as a data subject unless this controller can demonstrate compelling legitimate grounds for this processing that override your interests, rights and freedoms, or where this processing is required for the establishment, exercise or defence of legal claims.
If the personal data affecting you as a data subject is processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data affecting you as a data subject for this kind of marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data affecting you as a data subject will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object by automated means using technical specifications.
8. Right to withdraw consent as given under data protection law
You have the right to withdraw your consent as given under data protection law at any time. Withdrawal of consent does not affect the legitimacy of processing completed on the basis of this consent until the point in time of withdrawal.
9. Automated individual decision-making, including profiling
You have the right to object to being affected by a decision taken solely on the basis of automated processing (including profiling), where such a decision produces legal effects that concern you or affects you in a similar and significantly detrimental way. This does not apply if such a decision
(1) is necessary for entering into, or the performance of, a contract between you and the controller;
(2) is authorised by European Union or EU Member State law to which the controller is subject, and this law also lays down suitable measures to safeguard your rights and freedoms, and your legitimate interests; or
(3) is based on your explicit consent.
Such decisions must not be based on special categories of personal data referred to in art. 9(1) of the GDPR, however, unless point (a) or (g) of art. 9(2) of the GDPR applies, and suitable measures have been taken to safeguard your rights and freedoms, and your legitimate interests.
In the cases outlined in (1) and (3) above, the controller must implement suitable measures to safeguard your rights and freedoms, and your legitimate interests. These measures include at least the right to obtain human intervention on the part of the controller, and to express your own point of view, and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to other legal remedies provided under administrative law or by a court order, you have the right to lodge a complaint with a supervisory authority, whether in the member state of your place of residence, your workplace or the place of the alleged violation, if you believe that the processing of your personal data was done in violation of the provisions of the GDPR.
The supervisory authority with whom the complaint is lodged informs the plaintiff about the progress and results of the complaint, including the possibility of obtaining an effective judicial remedy on the basis of art. 78 of the GDPR.
X. Legal warning re unsolicited mail
The operators of this website expressly prohibit the use of contact details provided in accordance with German law (‘Impressumspflicht’) for the purpose of sending any advertising or information materials not expressly requested. The operators of this website expressly reserve the right to take legal action in the event of receiving unsolicited advertising information such as ‘spam’ mail.
XI. Date and revisions
This Privacy Policy was published on 05 Febuary 2021. We reserve the right to update this Privacy Policy in due course, so as to improve data protection and/or adjust its provisions to changes in government policy or relevant legislation.