Hermann Bantleon GmbH, headquartered at Blaubeurer Str. 32 in Ulm, places great importance on the protection of your personal rights and data. Personal data includes all information relating to an identified or identifiable natural person. We therefore strictly adhere to the provisions and principles of the General Data Protection Regulation (GDPR) and similar regulations (e.g., the German Federal Data Protection Act – BDSG).

We are very pleased that you are visiting our website. At this point, we would also like to refer you to our legal notice (“Impressum”), where you can find more information about our company structure.

Below, we inform you about the scope and purpose for which your data is processed when using our website, which rights you can exercise in relation to data protection, and many other privacy-related topics.

II. Controller in the Sense of Data Protection Law

The controller responsible for data processing within the company is:

Hermann Bantleon GmbH
Blaubeurer Straße 32
89077 Ulm
Germany

Phone: +49 731 3990-0
Email: info@bantleon.de
Web: www.bantleon.de

Legal representatives: Dr. Alexander German, Roland Schmid

If you have any questions regarding data protection, you may contact our Data Protection Officer at any time:

Internal Data Protection Officer: Thomas Rathgeber
Phone: +49 731 3990-0
Email: datenschutz@bantleon.de

III. Legal Bases and Purposes of Processing Personal Data

We always process your personal data based on legal regulations. In particular, processing takes place on the basis of the following legal foundations:

1. Based on your consent (Art. 6 para. 1 lit. a GDPR)

If you have given us your consent to process your personal data for specific purposes (e.g., sending information, event invitations, or for marketing purposes), the processing takes place solely on this basis. You may revoke your consent at any time with effect for the future. The lawfulness of the processing carried out until revocation remains unaffected.

2. For the performance of contractual or pre-contractual obligations (Art. 6 para. 1 lit. b GDPR)

The processing of personal data is necessary to fulfill our contractual obligations or to carry out pre-contractual measures at your request. This particularly includes:

• Your company-related contact data

• Data from business processes such as inquiries, offers, orders, invitations to specialist events or trade fairs, delivery notes, and invoices

3. Due to legal obligations (Art. 6 para. 1 lit. c GDPR) or in the public interest (Art. 6 para. 1 lit. e GDPR)

We are subject to various legal obligations – e.g., tax laws or supervisory regulations. In this context, we process your data for purposes such as:

• Creditworthiness and identity checks

• Fraud and money laundering prevention

• Fulfillment of tax control and reporting obligations

• Risk assessment and management

4. To protect vital interests (Art. 6 para. 1 lit. d GDPR)

In rare exceptional cases, processing your data may be necessary to protect your vital interests or those of another natural person – for example, in medical emergencies on our premises.

5. For the purposes of legitimate interests (Art. 6 para. 1 lit. f GDPR)

Where necessary, we also process your data to safeguard our legitimate interests or those of third parties, provided that your interests worthy of protection do not prevail. Examples include:

• Credit agencies (e.g., SCHUFA) for credit checks

• Advertising, market and opinion research, unless you object

• Optimization of customer communication processes and needs analysis

• Assertion and defense of legal claims

• Ensuring IT security and IT operations

• Prevention and investigation of criminal offenses

• Video surveillance to protect customers and employees as well as for the enforcement of house rights

• Access controls and measures for building and facility security

• Measures to control and develop our services and products

IV. Storage Duration and Data Deletion

We store your personal data only for as long as necessary for the aforementioned purposes or as long as statutory retention periods apply. After that, the data is deleted or blocked.

In addition, storage may take place if required by legal provisions – for example, European or national legislation to which Hermann Bantleon GmbH is subject. In these cases, the data will be deleted or blocked after the legally stipulated retention periods have expired, unless further storage is necessary for the performance of a contract or the establishment, exercise, or defense of legal claims.

V. Processing Operations

1. Use and Provision of the Website

When you visit our website, our system automatically collects certain information transmitted by your browser. These data are temporarily stored in so-called log files and serve to ensure technical stability and security of the website as well as to statistically evaluate our services.

a. Type and scope of data processing

The following data are collected:

• IP address of the requesting device

• Date and time of access

• Name and URL of the accessed file

• Website from which access is made (referrer URL)

• Visited subdomains

• Browser used, operating system, and name of the access provider

• HTTP status code (success or error message)

b. Legal basis

Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in ensuring smooth operation, system security, and the optimization of our online offerings.

c. Storage duration

Log file data are stored for a period of 14 days and then automatically deleted. Further storage may be legally required in individual cases.

d. Right of revocation

This data processing is not based on consent but on the protection of legitimate interests—therefore, no right of revocation applies in this case.

2. Sending of Our Newsletter

You have the option to subscribe to our newsletter to receive regular updates about news, products, events, and promotions.

a. Type and scope of data processing

To send the newsletter, we need at least your email address. Optionally, you may also provide your name. Registration is carried out using the double opt-in procedure: you will receive an email with a confirmation link, which you must actively click to receive the newsletter. Sending is done via Microsoft Customer Insights, with whom we have concluded a data processing agreement.

b. Legal basis

Processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR or – where applicable – based on our legitimate interest under Art. 6 para. 1 lit. f GDPR.

c. Storage duration

Your data is stored for as long as you are subscribed to the newsletter. Upon unsubscription, your data will be promptly deleted.

d. Right of revocation

You can revoke your consent at any time via the unsubscribe link in the newsletter or by emailing: datenschutz@bantleon.de. The lawfulness of processing until the time of revocation remains unaffected.

3. Online Application Process

Applications for open positions are submitted through our online portal, operated by BITE GmbH, Magirus-Deutz-Straße 12, 89077 Ulm.

a. Type and scope of data processing

We process the personal data provided during the application process, in particular:

• Personal data (name, contact details, date of birth)

• Application documents (CV, certificates, qualifications)

• Voluntary entries in the form

• Communication history

Processing is carried out exclusively for the purpose of reviewing and executing the application process. The technical infrastructure is provided by BITE GmbH. Your data is processed on the basis of a data processing agreement (DPA) pursuant to Art. 28 GDPR. Further information can be found on BITE GmbH's website under their privacy policy.

b. Legal basis

Art. 6 para. 1 lit. b GDPR in conjunction with § 26 BDSG (initiation of an employment relationship). If you voluntarily agree to be included in our applicant pool, processing is based on your consent under Art. 6 para. 1 lit. a GDPR.

c. Storage duration

The data will be deleted six months after the application process is completed, unless further consent to retain the data has been given. Earlier deletion is possible at any time upon request.

d. Right of revocation

You may revoke your consent to data processing at any time. Processing up to the time of revocation remains lawful.

4. Customer Portal

Through our protected customer portal, we provide registered business customers with product-specific documents such as safety data sheets and technical information.

a. Type and scope of data processing

During registration, we process the following information:

• Name

• Business email address

• Position within the company

b. Legal basis

Data processing is carried out for contract performance pursuant to Art. 6 para. 1 lit. b GDPR.

c. Storage duration

The data is stored for the duration of active portal use. After access is deactivated, the data will be deleted promptly.

d. Right of revocation

If processing is based on consent, you may revoke it at any time with effect for the future.

5. Corporate Influencer Program

As part of our Corporate Influencer Program, selected employees act as brand ambassadors on LinkedIn to authentically report about the company, our values, and our expertise. Participation is voluntary but subject to specific guidelines and rules that participants must adhere to. Published content is the sole responsibility of the participating employees and is subject to the terms of use and privacy policies of LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Park, Dublin 2, Ireland).

a. Type and scope of data processing

Publicly visible data on LinkedIn is processed, such as:

• Profile information (name, job title, profile picture)

• Published posts, comments, interactions

• Network activity (likes, shares)

Publication is voluntary by the participating employees. Content created as part of the program is labeled accordingly.

b. Legal basis

Participation is voluntary and based on consent in accordance with Art. 6 para. 1 lit. a GDPR. Without explicit consent, Hermann Bantleon GmbH does not process any personal data under this program.

c. Storage duration

Personal data is processed for as long as the participant is part of the program or until revocation.

d. Right of revocation and deletion

Participants can withdraw their consent at any time and leave the program. Hermann Bantleon GmbH has no control over content already published on LinkedIn. Deletion must be carried out via LinkedIn settings or directly through the appropriate contact form.

VI. Cookies and Web Tracking

To provide you with a comfortable and user-friendly experience on our website and to continuously optimize our content, we use cookies and similar technologies. Consent management is handled via the Cookiebot consent tool (Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark).

a. What are cookies?

Cookies are small text files that are stored on your device when you visit our website. They contain information that is sent back to our server by your browser upon future visits. Cookies can enable functionalities such as:

• Storing individual settings (e.g., language preferences)

• Statistical analysis of user behavior (web analytics)

• Display of embedded content (e.g., YouTube videos, Google Maps)

b. Consent management

When visiting our website for the first time, a cookie banner appears allowing you to determine which cookie categories you want to allow. You can revoke or change your decision at any time via the round button at the bottom left of the screen.

We differentiate between the following cookie categories:

• Necessary cookies: Required for the technical operation of the website

• Preferences: Enable a website to remember information that affects how the site behaves or looks, such as your preferred language or region

• Statistics cookies: Help us understand how visitors interact with the website

• Marketing cookies: Used to display personalized content or advertising

Your consents are documented and stored for verification purposes in accordance with Art. 7 GDPR.

c. Storage duration and deletion of cookies

The storage duration of individual cookies may vary. Temporary cookies are automatically deleted after the session ends, while persistent cookies remain on your device for a defined period. You can manually delete cookies at any time via your browser settings.

Please note: Deactivating cookies may restrict the functionality of our website.

d. Services from third-party providers

Our website includes content and services from external providers (e.g., Google, YouTube), which may also use cookies and similar technologies. These third-party providers process personal data under their own responsibility – Hermann Bantleon GmbH has no influence over their data processing.

More information about data processing can be found in the respective privacy policies of the providers.

VII. Use of Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies to analyze user behavior on our website and to continuously improve usability and content.

a. Scope and purpose of data processing

Google Analytics collects and analyzes the following information:

• Anonymized IP address of the accessing device

• Device type, operating system, and browser type/version

• Date, time, and duration of the visit

• Pages visited and click paths

• Interactions on the website (e.g., form submissions, scrolling behavior)

• Source of origin (e.g., search engine or referring website)

This data helps us understand how visitors use our website. The analysis is carried out exclusively in aggregated form, without identifying individuals.

b. IP anonymization

To protect your privacy, we have activated the IP anonymization feature (“anonymizeIp”) on our website. This shortens your IP address before it is transmitted to Google, rendering it anonymous. Only in exceptional cases will the full IP address be transmitted to Google servers in the USA and then shortened.

c. Legal basis for processing

Use of Google Analytics takes place solely based on your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG (placement of cookies). You can revoke your consent at any time via the cookie banner on the website or the cookie settings button in the bottom left corner of the screen.

d. Data transfer to third countries

Google may also process data in the USA. The transfer of personal data is based on the EU-U.S. Data Privacy Framework (DPF), which was recognized as a secure third country by the EU Commission in July 2023 (Art. 45 GDPR).

e. Storage duration and deactivation

Usage data collected through Google Analytics is stored for a maximum of 14 months and then automatically deleted.

You can additionally prevent data collection by:

• Adjusting your cookie settings on our website

• Installing the Google browser add-on: https://tools.google.com/dlpage/gaoptout'

More information on data processing by Google can be found in their privacy policy.

VIII. Data Disclosure to Third Parties

We treat your personal data confidentially and generally only disclose it to third parties if it is necessary to fulfill our contractual or legal obligations, or if you have given us your explicit consent.

Disclosure to external recipients only takes place if at least one of the following conditions is met:

• Consent
  You have given us your explicit consent to disclose the data (Art. 6 para. 1 sentence 1 lit. a GDPR).

• Performance of a contract or pre-contractual measures
  Disclosure is necessary for the performance of a contract with you or to carry out pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR).

• Legal obligation
  We are legally required to disclose your data to specific recipients, e.g., to authorities or courts (Art. 6 para. 1 sentence 1 lit. c GDPR).

• Legitimate interests
  Disclosure occurs to safeguard legitimate interests of our company or third parties, e.g., to assert or defend legal claims, and there is no reason to assume that your interests worthy of protection outweigh these interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Typical categories of external recipients may include:

• IT and hosting service providers (e.g., for data processing on our behalf)

• Tax consultants and auditors

• Lawyers and courts

• Delivery and logistics service providers

• Partner companies involved in joint projects

All external service providers who process personal data on our behalf are contractually obligated to comply with applicable data protection laws pursuant to Art. 28 GDPR.

IX. Protection of Minors

Our website and the services offered are intended exclusively for individuals who are at least 16 years old.

We do not knowingly collect personal data from children or adolescents under the age of 16. Should a person under the age of 16 provide us with personal data, this is only permissible with prior consent of their legal guardians.

According to Art. 8 paras. 1 and 2 GDPR, we require the contact details of the parent or legal guardian in such cases in order to verify and document the necessary consent. Processing will only take place if valid consent has been granted.

If we become aware that personal data of a child under 16 has been processed without valid parental consent, we will delete this data immediately.

X. Contact via Forms and Email

If you contact us using a contact form on our website, a whistleblower/compliance form, or via email, we process your personal data exclusively for the purpose of handling your request.

a. Type and scope of data processing

Depending on the form used, we collect the following data when you contact us:

Required fields:

• Salutation

• First and last name

• Company

• Street, postal code, city

• Email address

• Your request (free text field)

Optional fields (voluntary):

• Telephone number

• Country

Processing is carried out solely for communication purposes and to process your request. Data will not be passed on to third parties unless this is necessary for processing (e.g., by contracted service providers under data processing agreements).

Spam & bot protection: TrustCaptcha

To protect our web forms from spam bots and automated attacks, we use the tool TrustCaptcha (TrustCaptcha GmbH, Munich, Germany).

The following data is temporarily processed:

• IP address

• Device and browser information

• Language settings, time zone

• Mouse movements and user behavior on the website

• Dwell time

Analysis is performed solely to detect human interaction and is not used for advertising purposes or stored permanently. More information: https://trustcaptcha.de/datenschutz

b. Legal basis

Data processing in the context of your contact is based on:

• The performance of pre-contractual measures or a contract pursuant to Art. 6 para. 1 lit. b GDPR

• In the case of general inquiries or feedback, our legitimate interest in efficient communication pursuant to Art. 6 para. 1 lit. f GDPR

• The use of TrustCaptcha is also based on Art. 6 para. 1 lit. f GDPR in conjunction with § 25 para. 2 no. 2 TTDSG (legitimate interest in security and functionality of the website)

c. Storage duration

We store your personal data only for as long as it is necessary to process your request or as long as statutory retention obligations apply (e.g., commercial or tax-related retention periods).

d. Right of revocation

You may object to data processing at any time with effect for the future – particularly regarding analysis by TrustCaptcha. Alternatively, you can contact us by telephone or traditional mail instead of using the web forms.

XI. Recipients of Your Data

Within Hermann Bantleon GmbH, only those individuals who need access to your personal data to fulfill their duties will be granted such access.

In addition, we use carefully selected external service providers who support us in providing our services – for example, in the following areas:

• Hosting and operation of our IT systems (e.g., data centers)

• Mailing of letters, emails, or packages

• Customer service and marketing

• Database maintenance and analysis

• Secure disposal of files and data

These service providers are contractually obligated to comply with data protection regulations under data processing agreements pursuant to Art. 28 GDPR. They may only process personal data on our instructions and only to the extent required to fulfill their tasks.

Your data will only be shared with other recipients if:

• you have given your explicit consent,

• there is a legal obligation to do so,

• or it is necessary for the fulfillment of a contract with you.

XII. Data Transfers to Third Countries

The transfer of personal data to so-called third countries (i.e., outside the European Union or the European Economic Area) only occurs in justified exceptional cases – for example, when using international IT services.

Examples include:

• Google Analytics and embedded services such as YouTube, whose servers are located partly in the USA.

For providers based in the USA, data transfers are made on the basis of the EU-U.S. Data Privacy Framework (DPF), which was recognized by the EU Commission in July 2023 as a secure framework pursuant to Art. 45 GDPR, provided the respective company is certified under the DPF.

If no certification exists, transfers may take place on the basis of Standard Contractual Clauses (SCCs) issued by the EU Commission pursuant to Art. 46 para. 2 lit. c GDPR or – in the case of explicit consent – pursuant to Art. 49 para. 1 lit. a GDPR.

Please note that in some countries outside the EU, the level of data protection may not be equivalent to European standards. In such cases, we ensure that your data is protected as best as possible through contractual, technical, and organizational measures.

More information on the EU-U.S. Data Privacy Framework is available at:
https://www.dataprivacyframework.gov

XIII. Data Security

Protecting your personal data is very important to us. For this reason, we have implemented comprehensive technical and organizational measures (TOMs) to ensure an appropriate level of protection in accordance with Art. 32 GDPR and to guarantee the security of your data at all times.

Our security measures include, among others:

• Use of current encryption technologies (e.g., SSL/TLS) for secure data transmission via our website

• Regular security updates and patches for our systems

• Controlled data access via role and permission concepts

• Protection of IT systems through firewalls, antivirus software, and access controls

• Confidentiality agreements with all employees and regular data protection training

Data transmissions via our website are encrypted using the latest TLS encryption protocol. You can recognize this by the padlock symbol in your browser’s address bar. Please ensure that you always use the latest version of your browser to maintain secure communication.

Please note: Communication via email may have security vulnerabilities. If you wish to send us confidential information (e.g., job application documents or personal data of third parties), we expressly recommend using our encrypted application portal or the traditional postal service.

XIV. Your Rights as a Data Subject

Under the GDPR, you as a data subject have numerous rights in relation to the processing of your personal data. We are happy to inform you about these rights below:

1. Withdrawal of Consent – Art. 7 para. 3 GDPR

You may withdraw your consent at any time with effect for the future. The lawfulness of the data processing carried out until the withdrawal remains unaffected.

2. Right of Access – Art. 15 GDPR

You have the right to request information at any time about your personal data that we process. This includes in particular:

• the purpose of the processing

• the categories of data processed

• the recipients (or categories of recipients)

• the intended storage period

• the existence of rights to rectification, erasure, restriction or objection

• the existence of a right to lodge a complaint with a supervisory authority

• the origin of your data, if it was not collected directly from you

• the existence of automated decision-making, including profiling (if applicable)

3. Rectification – Art. 16 GDPR

You have the right to have inaccurate or incomplete personal data concerning you rectified or completed.

4. Erasure – Art. 17 GDPR (Right to be Forgotten)

You may request the erasure of your personal data, provided that there are no legal retention obligations or the data is not required for the establishment, exercise, or defense of legal claims.

5. Restriction of Processing – Art. 18 GDPR

You may request the restriction of processing of your personal data if:

• you contest the accuracy of the data (for the duration of the verification)

• the processing is unlawful, but you do not wish to have the data erased

• the data is no longer required for the purpose of processing, but you need it for the establishment, exercise, or defense of legal claims

• you have objected to the processing and it is not yet clear whether our legitimate interests outweigh yours

6. Data Portability – Art. 20 GDPR

You have the right to receive the data you have provided to us in a structured, commonly used, and machine-readable format or – if technically feasible – to have it transmitted directly to another controller.

7. Objection to Processing – Art. 21 GDPR

You can object at any time to the processing of your personal data based on Art. 6 para. 1 lit. f GDPR (legitimate interest), if there are grounds relating to your particular situation. Processing will then no longer take place unless we can demonstrate compelling legitimate grounds.

8. Right to Lodge a Complaint – Art. 77 GDPR

If you believe that we have violated data protection law when processing your data, you have the right to lodge a complaint with a supervisory authority. The competent authority for Hermann Bantleon GmbH is:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
P.O. Box 10 29 32, 70025 Stuttgart
Königstraße 10a, 70173 Stuttgart
Phone: +49 711 / 615541 – 0
Email: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de

To exercise your rights, a simple message to: datenschutz@bantleon.de is sufficient.