Data Privacy Statement

We welcome your visit to our website and your interest in our business and our products. The protection of your privacy during the processing of personal data is an important issue for us, as is the security of all business data. We take these issues into account in our business processes. All personal data obtained during your visit to our website is always processed both confidentially and in accordance with statutory requirements. Data protection and information security form part of our corporate policy. The websites available under the domain mapal.com are provided by MAPAL Dr. Kress SE & Co. KG (referred to in the following as MAPAL). MAPAL websites may contain links to websites run by other providers not covered by this data privacy statement.

Personal data are those items of data that make it possible to identify you. Here, the issue is not whether it is possible to identify you based on a single piece of information. The more information and data that can be combined, the more accurately the person can be identified. Personal data include, e.g., the name, address, age, e-mail address and telephone number of a person.

1. Collection, processing and storage of personal data by MAPAL

MAPAL collects, processes and saves your personal data only if these actions are legally permissible. We obtain these data in two ways: either you provide the data to us or we collect the data during the utilisation of our services.

The provision of personal data on this website is neither legally nor contractually required, nor is it necessary for the fulfilment of a contract. However, you may not be able to use certain services on this website or across what we offer if you do not provide such data.
 

1.1. Data you provide to us

As a rule you can use our website without the need to provide your personal information to us directly. For some services we will ask for your personal data to be able to process the related service quickly and in a user-friendly manner, or to be able to offer the service at all. In the section “Individual services” (see point 3 below) you will find detailed information on all services provided by MAPAL on this website.

1.2. Data we obtain during your utilisation of our services

Some data are produced automatically and for technical reasons when you visit our website. The following information is acquired without any action on your part and saved until it is deleted automatically:

• IP address,
• the web browser used, including the language and version of the browser software,
• the operating system used and its interface,
• the website from which access is made (referrer URL),
• date and time of the access.

The data stated are processed by us for the following purposes:

• To ensure the smooth establishment of a connection to the website,
• to ensure our website is pleasant to use,
• to evaluate the system security and system stability,
• to evaluate statistics.

The legal basis for processing of the data is generally Article 6(1)(f) GDPR (legitimate interests), unless another legal basis is specified in this document for individual services. Our legitimate interest stems from the purposes stated above for collecting the data. Under no circumstances do we use the data collected to identify you.

We also use cookies when you visit our website. You will find more detailed explanations in point 2 of this data privacy statement.
 

1.3. Disclosure of data

In principle, we do not disclose personal data to third parties. If in a specific case, data are provided to a third party, this is carried out on the basis of appropriate agreements.

In individual cases, for example for the conclusion of contracts, it may be necessary for us to transfer information to recipients in what are known as third countries. Third countries refer to countries outside the European Union or the Agreement on the European Economic Area where a level of data protection comparable to that in the European Union is not necessarily ensured. Where the information transferred also includes personal data, we ensure, prior to such transfer, that an adequate level of data protection is guaranteed in the respective third country or by the recipient in that third country. This may be based, in particular, on an adequacy decision by the European Commission, which confirms that a specific third country ensures an adequate level of data protection overall. Alternatively, we may base the data transfer on what are known as EU Standard Contractual Clauses agreed with a recipient. We will be glad to provide you with further information on the appropriate safeguards in place to ensure an adequate level of data protection upon request.

Further information on the EU Standard Contractual Clauses can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and information about adequacy decisions can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

By means of corresponding measures and regular checks, we ensure the data we have collected cannot be viewed or accessed externally by third parties.
 

2. Use of cookies and other storage technologies

2.1. Explanation of terms

“Cookies” are small data packages that your browser creates automatically and saves on your device (laptop, tablet, smartphone, etc.).

Local storage or browser storage (e.g. local storage, session storage, IndexedDB) are a technical development of cookies. The data is stored in databases within the browser, which allows faster and more targeted access to this data. In the rest of this document, all these technologies are collectively referred to as “cookies”.

​​​Information related to the specific device used is saved in the cookies. This does not mean that we obtain direct knowledge of your identity by this means. The purpose of cookies is to make our website more user-friendly. There are different types of cookies, which are described later.
 

2.2. Usage at MAPAL

The processing of your personal data through the use of cookies that are necessary for the operation of our website is based on Article 6(1)(f) GDPR (legitimate interests) in order to ensure the smooth operation of our website. This requirement also applies within the meaning of Section 25(2) TDDDG. Otherwise, we only process your personal data in connection with cookies (in particular for analytics and advertising purposes) if you have given your prior consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TDDDG. Data is processed for advertising, market research and to tailor our website to user needs.

In your browser you can display the cookies on your computer, delete the cookies or set up the configuration such that not all of the cookies or no cookies are saved any longer. Please note that some functions may not work or may not work correctly if you deactivate the usage of cookies. All cookies are automatically deleted after a defined time. You can view the respective expiry periods in our cookie banner.
 

3. Individual services

3.1. HubSpot

We use the services of HubSpot Ireland on this website. Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, telephone: +353 1 5187500.

We use all collected information exclusively for customer communication and to optimise our marketing activities. As part of optimising our marketing activities, the following data may be collected and processed via HubSpot:

• Geographic location
• Browser type
• Domain names
• Pages viewed within the MAPAL Group
• Operating system version
• Internet service provider
• IP address
• Device ID
• Duration of the visit
• Operating system
• Access times
• Device model and version
• Data entered in contact forms
• Personalisation and use of our newsletter

The data is stored and further processed on the servers of our software partner HubSpot Ireland. In this context, HubSpot acts as our processor and processes the data only in accordance with our instructions. We use the IP address in a shortened form.

Where we obtain your consent for certain online marketing measures (e.g. tracking or newsletters), the legal basis for processing is your consent in accordance with Article 6(1)(a) GDPR. Where data is processed via a contact form for the purpose of initiating and/or fulfilling a contract with you, the legal basis is Article 6(1)(b) GDPR. Otherwise, the data processing is based on Article 6(1)(f) GDPR, under which personal data may be processed without the data subject’s consent where this is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that these interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

If you do not want the data mentioned to be collected and processed via HubSpot, you can refuse to provide your consent or withdraw it at any time with effect for the future. You can do this easily via the cookie banner. In the “Marketing” section, you can view the list of cookies set by selecting “Show cookie information”. Set the slider labelled “HubSpot” to “Off” and confirm your selection by clicking the “Save” button.

You also have the right to object to processing based on legitimate interests. You can find further details in Section 4.3 of this Data Privacy Statement.

In addition, we delete personal data collected via HubSpot once the purpose for which it was collected has been fulfilled, unless statutory retention periods prevent us from deleting it.

You can find further information on HubSpot’s data protection provisions and security measures here: https://legal.hubspot.com/privacy-policy as well as https://www.hubspot.com/security.
 

3.2. Email newsletter

If you register for the MAPAL Newsletter, you provide your express consent. For this purpose we will need your e-mail address. In order to personalise the newsletter, you should provide us with further information on your company, as well as your name and contact data.

Individual links in the newsletter are personalised so that we can identify which content is of particular interest to readers and improve our services on this basis.

By means of a tracking pixel in the newsletter, we may also receive information on whether the newsletter has been opened. You can prevent this in your e-mail system by not allowing any external images.

Your data will be used only for the purpose of sending the newsletter as per Article 6(1)(a) GDPR. For this purpose we use a tool from a service provider; the service provider receives your data within the statutorily permitted, contractually regulated framework. You can view, change or delete your data at any time. You can unsubscribe from the newsletter at any time using the link provided in each newsletter.

3.3. Online Shop

We only use the data we collect about you in our online shop to ensure the smooth processing of your order. Placing an order in our online shop requires you to create a customer account by registering, as we only supply business customers. To create a customer account, you have to provide us with personal data such as your name, address, telephone number and e-mail address. We process your personal data in connection with your customer account in order to provide our services and to protect our legitimate interests on the basis of Article 6(1)(b) and (f) GDPR.

We will delete your data in the customer account at the latest when you inform us that you want us to delete your profile, provided the applicable law does not oblige to continue to store the data. Otherwise, the provisions on the deletion of customer accounts due to inactivity set out in the privacy notice provided to you during registration apply.

For package deliveries and courier deliveries, we provide your company, name, address and, if necessary, telephone number to the service provider we contract so that this provider can process the delivery and can communicate with you, if necessary, to notify and arrange delivery. The legal basis for the associated data processing is Article 6(1)(b) GDPR, i.e. the processing of your data is necessary for the fulfilment of purchase contracts and delivery agreements.

We use the same tracking features in the web shop as on our website. The purpose of this is to optimise the online shop. Please refer to the relevant sections of this Data Privacy Statement on the tracking tools used.

3.4. Catalogue mailing

To mail you our catalogues, we need your name, address and e-mail address. These data are processed based on Art. 6(1)(f) GDPR.

We use these data once for mailing the catalogues and brochures required. A service provider undertakes the picking and mailing of print media for us. This service provider uses your data once within the statutorily permitted, contractually regulated framework to safeguard the provision and mailing of catalogues and brochures. Your data will then be deleted without delay.

3.5. Google Analytics

We use Google Analytics on our website, which is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). This feature is only activated if you give us your consent in accordance with Article 6(1)(a) GDPR.

Google Analytics uses cookies that enable an analysis of your use of the website. The information generated by the cookie about your use of the website is usually transferred to a Google server in the USA and stored there. We have activated IP shortening on this website such that your IP address will be shortened by Google within the member states of the European Union or in other states party to the agreement on the European Economic Area.

Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. Google will use this information to evaluate your use of the website, to compile reports about website activities and to provide further services related to website activity and Internet usage to us.

Your personal data collected in connection with Google Analytics is deleted or anonymised after 2 months.
 

3.7. Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or analytics tools and other technologies on our website. It is used to manage and deploy the tools integrated through it. Google Tag Manager collects your IP address and other browser data, which may also be transferred to Google’s parent company in the United States.

The use of Google Tag Manager is based on Article 6(1)(a) GDPR and Section 25(1) TDDDG, insofar as your consent includes the storage of cookies or access to information on your device (e.g. device fingerprinting) within the meaning of the TDDDG. You can withdraw your consent at any time.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States that is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF commits to complying with these data protection standards. You can find further information from the provider at https://www.dataprivacyframework.gov/participant/5780.
 

3.8. Careers portal

Please do not send us your application by email and instead use our encrypted careers portal.

During the utilisation of our careers portal, it is important for us to ensure the best possible protection of your personal data. All personal data we collect and process in the context of an application are protected by technical and organisational measures against unauthorised access and manipulation.

The legal basis for data processing as part of the application process is Article 88 GDPR within the meaning of Section 26 BDSG and, where applicable, your consent to data processing.

The controller responsible for data processing is (in the case of an application for a specific advertised position) the respective company advertising the position, whose address details you can find in the relevant job posting. When applying for a specific position, your data will only be made available to other recruiters within the MAPAL Group if you give your consent when submitting your data.

If you do not provide the required personal data, you will not be able to take part in the application process.

If you create a general applicant profile on our platform, MAPAL Dr. Kress SE & Co. KG is responsible for this. If you use the function that allows CVs to be automatically read and transferred into the applicant management system via a third-party provider (for example XING or LinkedIn), your personal data will also be collected, processed and used by these third parties for the purpose of carrying out the application process. Before using the function for automatically reading CVs, your separate consent to the processing of your personal data is obtained.

As part of your application, it is ensured that your data is automatically deleted from our systems once the purpose for which we received it no longer applies. Processes have been put in place to ensure that data is deleted once the purpose for which it was collected no longer applies or after the applicable retention period has expired. The following retention periods apply:

Application data for a specific position is deleted six months after a rejection.

If you have created a general profile on our platform, it will be automatically deleted after twelve months if you have not used it or logged in during that period.

Regardless of automatic deletion, you can delete your profile yourself at any time.
 

3.9. Social media

We also offer you comprehensive personal support and the opportunity of remaining in contact with us via our pages on social media (YouTube, X, LinkedIn, Xing, kununu, Instagram, Facebook), based on our legitimate interests in accordance with Article 6(1)(f) GDPR and, where applicable, on the basis of your consent in accordance with Article 6(1)(a) GDPR. These media services collect, in certain circumstances, personal data, e.g. via the profile you have saved there. You can withdraw any consent you have given at any time from the relevant provider.

It cannot be ruled out that every visitor to these pages is recorded by the respective service providers. For information on the purpose and scope of the collection of data and the further processing and utilisation of the data by these companies, as well as your related rights and the settings you can make to protect your privacy, please refer to the data privacy notices issued by:

• YouTube: https://www.google.de/intl/en/policies/privacy/
• X: https://x.com/en/privacy
• LinkedIn: https://www.linkedin.com/static?key=privacy_policy
• Xing: https://privacy.xing.com/en/privacy-policy
• kununu: https://www.kununu.com/de/info/datenschutz?x-lang=en_US
• Instagram: https://www.instagram.com/legal/privacy/
• Facebook: https://de-de.facebook.com/privacy/explanation
   

3.10 Google Conversion Tracking

This website uses Google Conversion Tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

With the help of Google Conversion Tracking, we and Google can recognise whether a user has carried out certain actions. For example, we can analyse how often buttons on our website are clicked and which products are viewed or purchased particularly frequently. This information is used to create conversion statistics. We learn the total number of users who have clicked on our ads and which actions they take afterwards. We do not receive any information that allows us to personally identify users. Google itself uses cookies or similar recognition technologies for identification.

The use of this service is based on your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TDDDG. You can withdraw your consent at any time.

You can find more information on Google Conversion Tracking in Google’s Privacy Policy: https://policies.google.com/privacy?hl=en.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States that is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF commits to complying with these data protection standards. You can find further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/5780.
 

3.11 Cookiebot

Our website uses Cookiebot’s consent technology to obtain your consent to the storage of certain cookies on your device or the use of certain technologies and to document this in a way that complies with data protection. The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter “Cookiebot”).

When you visit our website, a connection is established to Cookiebot’s servers in order to obtain your consent and other declarations regarding the use of cookies. Cookiebot then stores a cookie in your browser in order to assign the consents you have given or their withdrawal. The data collected in this way is stored until you ask us to delete it, delete the Cookiebot cookie yourself, or the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected.

Cookiebot is used to obtain the legally required consents for the use of cookies. The legal basis for this is Article 6(1)(c) GDPR.
 

3.12 LinkedIn Insights

This website uses the LinkedIn Insight Tag. LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland is the provider of this service.

Data processing via the LinkedIn Insight Tag

With the help of the LinkedIn Insight Tag, we receive information about visitors to our website. If a website visitor is registered with LinkedIn, we can, among other things, analyse key professional data (e.g. career level, company size, country, location, industry and job title) of our website visitors and, in this way, better tailor our website to the respective target groups. We can also use the LinkedIn Insight Tag to measure whether visitors to our websites make a purchase or perform another action (conversion tracking). Conversion tracking can also take place across devices (e.g. from PC to tablet). The LinkedIn Insight Tag also offers a retargeting feature that allows us to display targeted advertising to visitors to our website outside the website, whereby, according to LinkedIn, no identification of the advertising recipient takes place.

LinkedIn also collects so-called log files (URL, referrer URL, IP address, device and browser characteristics, and time of access). IP addresses are shortened or (if used to reach LinkedIn members across devices) hashed (pseudonymised). Direct identifiers of LinkedIn members are deleted by LinkedIn after seven days. The remaining pseudonymised data is then deleted within 180 days.

The data collected by LinkedIn cannot be assigned by us as the website operator to specific individuals. LinkedIn will store the personal data collected from website visitors on its servers in the USA and use it as part of its own advertising measures. You can find further details in LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy#choices-oblig.

Legal Basis

Where consent has been obtained, the use of the above-mentioned service is based exclusively on Article 6(1)(a) GDPR and Section 25 TDDDG. You can withdraw your consent at any time. Where consent has not been obtained, this service is used on the basis of Article 6(1)(f) GDPR; the website operator has a legitimate interest in effective advertising measures, including social media.

The data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. You can find more details: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the United States that is intended to ensure compliance with European data protection standards for data processing in the USA. Any company certified under the DPF commits to complying with these data protection standards. You can find further information from the provider at the following link: https://www.dataprivacyframework.gov/participant/5448.

Objection to the use of the LinkedIn Insight Tag

You can object to the analysis of your usage behaviour and targeted advertising by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

As well as this, LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To prevent data collected on our website from being linked by LinkedIn to your LinkedIn account, you must log out of your LinkedIn account before visiting our website.
 

4. Your rights

Of course, you retain control over all the personal data you make available to us on visiting the website and using our services. The following rights are available to you; you can make use of these rights free of charge.

4.1. Right to access

You have the right to consult your personal data we have saved at any time free of charge. This includes, among other things, information on how long and for what purposes we process the data, where it comes from, and to which recipients or categories of recipients we disclose it. You can also obtain a copy of this data from us.

4.2. Right to revoke consent granted

You have the right to revoke consent you have granted to process personal data at any time with effect for the future. If you revoke your consent, we will delete the related data without delay, provided further processing cannot be allowed on a legal basis for processing. The revocation of your consent does not affect the legality of processing undertaken up until revocation.

4.3. Right to object

If we process your personal data in the context of a weighing of interests in our legitimate interest, you have at any time the right, for reasons based on your specific situation, to object to this processing with effect for the future.

If you exercise your right to object, we will stop processing the data concerned. The right to continue processing is retained, however, if we can demonstrate compelling, legitimate reasons for the processing that outweigh your interests, fundamental rights and fundamental freedoms, or if processing is for the purpose of the assertion, exercise or defence of legal claims.

If your personal data is processed by us for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing.
 

4.4. Right to data portability

You have the right to apply for the transfer of your personal data from us to another controller. Details and limitations can be found in Article 20 GDPR. Exercising this right does not affect your right to deletion.

4.5. Right to rectification, deletion or restriction of the processing

You have the right to correct, delete or restrict the processing of your personal data.

4.6. Right to lodge a complaint

You have the right to complain to a supervisory authority or our company if you should have a reason for complaint. To make use of rights in relation to our company, please contact the persons listed at the end of the data privacy statement.

5. Duration of storage

As a general rule, we store personal data for as long as this is necessary for the purpose of processing or as long as we have a legitimate interest in storing it and your interests in not continuing the storage do not override this. This means that we generally only store your data for as long as is necessary to provide our website and the associated services or as long as we are legally required to retain your data. We also delete personal data without any action on your part as soon as it is no longer required for the purpose of processing or if its storage is otherwise no longer permitted by law.

Personal data that we are required to retain to comply with statutory retention obligations will be stored until the end of the respective retention period. Where we store personal data solely to comply with retention obligations, the related processing is generally restricted so that the data is only accessed where this is necessary for the purpose of the retention obligation.
 

6. Automatic decision-making

In connection with the processing of your personal data described in this privacy notice, we generally do not use automated decision-making (including profiling) within the meaning of Article 22 GDPR. If we use such procedures in individual cases, we will of course inform you separately.

8. Responsible for data collection

The controller responsible for the processing of personal data (within the meaning of Article 4(7) GDPR) and therefore for questions, requests for information, applications, complaints or criticism regarding our data protection is:

MAPAL Dr. Kress SE & Co. KG
Obere Bahnstraße 13
73431 Aalen
datenschutz@mapal.com
+49 7361 585-0

Data protection officer
The implementation of data protection in our organisation is checked by a data protection officer. If you have issues in relation to the processing of your personal data, you can also contact this officer directly. You can contact the data protection team at:

datenschutz@mapal.com

There, you can also obtain information on how to contact the Data Protection Officer directly, if you wish