IV. Storage Duration and Data Deletion
We store your personal data only for as long as necessary for the aforementioned purposes or as long as statutory retention periods apply. After that, the data is deleted or blocked.
In addition, storage may take place if required by legal provisions – for example, European or national legislation to which Hermann Bantleon GmbH is subject. In these cases, the data will be deleted or blocked after the legally stipulated retention periods have expired, unless further storage is necessary for the performance of a contract or the establishment, exercise, or defense of legal claims.
V. Processing Operations
1. Use and Provision of the Website
When you visit our website, our system automatically collects certain information transmitted by your browser. These data are temporarily stored in so-called log files and serve to ensure technical stability and security of the website as well as to statistically evaluate our services.
a. Type and scope of data processing
The following data are collected:
- IP address of the requesting device
- Date and time of access
- Name and URL of the accessed file
- Website from which access is made (referrer URL)
- Visited subdomains
- Browser used, operating system, and name of the access provider
- HTTP status code (success or error message)
b. Legal basis
Data processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in ensuring smooth operation, system security, and the optimization of our online offerings.
c. Storage duration
Log file data are stored for a period of 14 days and then automatically deleted. Further storage may be legally required in individual cases.
d. Right of revocation
This data processing is not based on consent but on the protection of legitimate interests—therefore, no right of revocation applies in this case.
2. Sending of Our Newsletter
You have the option to subscribe to our newsletter to receive regular updates about news, products, events, and promotions.
a. Type and scope of data processing
To send the newsletter, we need at least your email address. Optionally, you may also provide your name. Registration is carried out using the double opt-in procedure: you will receive an email with a confirmation link, which you must actively click to receive the newsletter. Sending is done via Microsoft Customer Insights, with whom we have concluded a data processing agreement.
b. Legal basis
Processing is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR or – where applicable – based on our legitimate interest under Art. 6 para. 1 lit. f GDPR.
c. Storage duration
Your data is stored for as long as you are subscribed to the newsletter. Upon unsubscription, your data will be promptly deleted.
d. Right of revocation
You can revoke your consent at any time via the unsubscribe link in the newsletter or by emailing: datenschutz@bantleon.de. The lawfulness of processing until the time of revocation remains unaffected.
3. Online Application Process
Applications for open positions are submitted through our online portal, operated by BITE GmbH, Magirus-Deutz-Straße 12, 89077 Ulm.
a. Type and scope of data processing
We process the personal data provided during the application process, in particular:
- Personal data (name, contact details, date of birth)
- Application documents (CV, certificates, qualifications)
- Voluntary entries in the form
- Communication history
Processing is carried out exclusively for the purpose of reviewing and executing the application process. The technical infrastructure is provided by BITE GmbH. Your data is processed on the basis of a data processing agreement (DPA) pursuant to Art. 28 GDPR. Further information can be found on BITE GmbH's website under their privacy policy.
b. Legal basis
Art. 6 para. 1 lit. b GDPR in conjunction with § 26 BDSG (initiation of an employment relationship). If you voluntarily agree to be included in our applicant pool, processing is based on your consent under Art. 6 para. 1 lit. a GDPR.
c. Storage duration
The data will be deleted six months after the application process is completed, unless further consent to retain the data has been given. Earlier deletion is possible at any time upon request.
d. Right of revocation
You may revoke your consent to data processing at any time. Processing up to the time of revocation remains lawful.
4. Customer Portal
Through our protected customer portal, we provide registered business customers with product-specific documents such as safety data sheets and technical information.
a. Type and scope of data processing
During registration, we process the following information:
b. Legal basis
Data processing is carried out for contract performance pursuant to Art. 6 para. 1 lit. b GDPR.
c. Storage duration
The data is stored for the duration of active portal use. After access is deactivated, the data will be deleted promptly.
d. Right of revocation
If processing is based on consent, you may revoke it at any time with effect for the future.
5. Corporate Influencer Program
As part of our Corporate Influencer Program, selected employees act as brand ambassadors on LinkedIn to authentically report about the company, our values, and our expertise. Participation is voluntary but subject to specific guidelines and rules that participants must adhere to. Published content is the sole responsibility of the participating employees and is subject to the terms of use and privacy policies of LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Park, Dublin 2, Ireland).
a. Type and scope of data processing
Publicly visible data on LinkedIn is processed, such as:
- Profile information (name, job title, profile picture)
- Published posts, comments, interactions
- Network activity (likes, shares)
Publication is voluntary by the participating employees. Content created as part of the program is labeled accordingly.
b. Legal basis
Participation is voluntary and based on consent in accordance with Art. 6 para. 1 lit. a GDPR. Without explicit consent, Hermann Bantleon GmbH does not process any personal data under this program.
c. Storage duration
Personal data is processed for as long as the participant is part of the program or until revocation.
d. Right of revocation and deletion
Participants can withdraw their consent at any time and leave the program. Hermann Bantleon GmbH has no control over content already published on LinkedIn. Deletion must be carried out via LinkedIn settings or directly through the appropriate contact form.
VI. Cookies and Web Tracking
To provide you with a comfortable and user-friendly experience on our website and to continuously optimize our content, we use cookies and similar technologies. Consent management is handled via the Cookiebot consent tool (Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark).
a. What are cookies?
Cookies are small text files that are stored on your device when you visit our website. They contain information that is sent back to our server by your browser upon future visits. Cookies can enable functionalities such as:
- Storing individual settings (e.g., language preferences)
- Statistical analysis of user behavior (web analytics)
- Display of embedded content (e.g., YouTube videos, Google Maps)
b. Consent management
When visiting our website for the first time, a cookie banner appears allowing you to determine which cookie categories you want to allow. You can revoke or change your decision at any time via the round button at the bottom left of the screen.
We differentiate between the following cookie categories:
- Necessary cookies: Required for the technical operation of the website
- Preferences: Enable a website to remember information that affects how the site behaves or looks, such as your preferred language or region
- Statistics cookies: Help us understand how visitors interact with the website
- Marketing cookies: Used to display personalized content or advertising
Your consents are documented and stored for verification purposes in accordance with Art. 7 GDPR.
c. Storage duration and deletion of cookies
The storage duration of individual cookies may vary. Temporary cookies are automatically deleted after the session ends, while persistent cookies remain on your device for a defined period. You can manually delete cookies at any time via your browser settings.
Please note: Deactivating cookies may restrict the functionality of our website.
d. Services from third-party providers
Our website includes content and services from external providers (e.g., Google, YouTube), which may also use cookies and similar technologies. These third-party providers process personal data under their own responsibility – Hermann Bantleon GmbH has no influence over their data processing.
More information about data processing can be found in the respective privacy policies of the providers.
VII. Use of Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Google Analytics uses cookies to analyze user behavior on our website and to continuously improve usability and content.
a. Scope and purpose of data processing
Google Analytics collects and analyzes the following information:
- Anonymized IP address of the accessing device
- Device type, operating system, and browser type/version
- Date, time, and duration of the visit
- Pages visited and click paths
- Interactions on the website (e.g., form submissions, scrolling behavior)
- Source of origin (e.g., search engine or referring website)
This data helps us understand how visitors use our website. The analysis is carried out exclusively in aggregated form, without identifying individuals.
b. IP anonymization
To protect your privacy, we have activated the IP anonymization feature (“anonymizeIp”) on our website. This shortens your IP address before it is transmitted to Google, rendering it anonymous. Only in exceptional cases will the full IP address be transmitted to Google servers in the USA and then shortened.
c. Legal basis for processing
Use of Google Analytics takes place solely based on your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with § 25 para. 1 TTDSG (placement of cookies). You can revoke your consent at any time via the cookie banner on the website or the cookie settings button in the bottom left corner of the screen.
d. Data transfer to third countries
Google may also process data in the USA. The transfer of personal data is based on the EU-U.S. Data Privacy Framework (DPF), which was recognized as a secure third country by the EU Commission in July 2023 (Art. 45 GDPR).
e. Storage duration and deactivation
Usage data collected through Google Analytics is stored for a maximum of 14 months and then automatically deleted.
You can additionally prevent data collection by:
More information on data processing by Google can be found in their privacy policy.
VIII. Data Disclosure to Third Parties
We treat your personal data confidentially and generally only disclose it to third parties if it is necessary to fulfill our contractual or legal obligations, or if you have given us your explicit consent.
Disclosure to external recipients only takes place if at least one of the following conditions is met:
- Consent: You have given us your explicit consent to disclose the data (Art. 6 para. 1 sentence 1 lit. a GDPR).
- Performance of a contract or pre-contractual measures: Disclosure is necessary for the performance of a contract with you or to carry out pre-contractual measures (Art. 6 para. 1 sentence 1 lit. b GDPR).
- Legal obligation: We are legally required to disclose your data to specific recipients, e.g., to authorities or courts (Art. 6 para. 1 sentence 1 lit. c GDPR).
- Legitimate interests: Disclosure occurs to safeguard legitimate interests of our company or third parties, e.g., to assert or defend legal claims, and there is no reason to assume that your interests worthy of protection outweigh these interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Typical categories of external recipients may include:
- IT and hosting service providers (e.g., for data processing on our behalf)
- Tax consultants and auditors
- Lawyers and courts
- Delivery and logistics service providers
- Partner companies involved in joint projects
All external service providers who process personal data on our behalf are contractually obligated to comply with applicable data protection laws pursuant to Art. 28 GDPR.
IX. Protection of Minors
Our website and the services offered are intended exclusively for individuals who are at least 16 years old.
We do not knowingly collect personal data from children or adolescents under the age of 16. Should a person under the age of 16 provide us with personal data, this is only permissible with prior consent of their legal guardians.
According to Art. 8 paras. 1 and 2 GDPR, we require the contact details of the parent or legal guardian in such cases in order to verify and document the necessary consent. Processing will only take place if valid consent has been granted.
If we become aware that personal data of a child under 16 has been processed without valid parental consent, we will delete this data immediately.
X. Contact via Forms and Email
If you contact us using a contact form on our website, a whistleblower/compliance form, or via email, we process your personal data exclusively for the purpose of handling your request.
a. Type and scope of data processing
Depending on the form used, we collect the following data when you contact us:
Required fields:
- Salutation
- First and last name
- Company
- Street, postal code, city
- Email address
- Your request (free text field)
Optional fields (voluntary):
Processing is carried out solely for communication purposes and to process your request. Data will not be passed on to third parties unless this is necessary for processing (e.g., by contracted service providers under data processing agreements).
Spam & bot protection: TrustCaptcha
To protect our web forms from spam bots and automated attacks, we use the tool TrustCaptcha (TrustCaptcha GmbH, Munich, Germany).
The following data is temporarily processed:
- IP address
- Device and browser information
- Language settings, time zone
- Mouse movements and user behavior on the website
- Dwell time
Analysis is performed solely to detect human interaction and is not used for advertising purposes or stored permanently. More information: https://trustcaptcha.de/datenschutz
b. Legal basis
Data processing in the context of your contact is based on:
- The performance of pre-contractual measures or a contract pursuant to Art. 6 para. 1 lit. b GDPR
- In the case of general inquiries or feedback, our legitimate interest in efficient communication pursuant to Art. 6 para. 1 lit. f GDPR
- The use of TrustCaptcha is also based on Art. 6 para. 1 lit. f GDPR in conjunction with § 25 para. 2 no. 2 TTDSG (legitimate interest in security and functionality of the website)
c. Storage duration
We store your personal data only for as long as it is necessary to process your request or as long as statutory retention obligations apply (e.g., commercial or tax-related retention periods).
d. Right of revocation
You may object to data processing at any time with effect for the future – particularly regarding analysis by TrustCaptcha. Alternatively, you can contact us by telephone or traditional mail instead of using the web forms.
XI. Recipients of Your Data
Within Hermann Bantleon GmbH, only those individuals who need access to your personal data to fulfill their duties will be granted such access.
In addition, we use carefully selected external service providers who support us in providing our services – for example, in the following areas:
- Hosting and operation of our IT systems (e.g., data centers)
- Mailing of letters, emails, or packages
- Customer service and marketing
- Database maintenance and analysis
- Secure disposal of files and data
These service providers are contractually obligated to comply with data protection regulations under data processing agreements pursuant to Art. 28 GDPR. They may only process personal data on our instructions and only to the extent required to fulfill their tasks.
Your data will only be shared with other recipients if:
- you have given your explicit consent,
- there is a legal obligation to do so,
- or it is necessary for the fulfillment of a contract with you.
XII. Data Transfers to Third Countries
The transfer of personal data to so-called third countries (i.e., outside the European Union or the European Economic Area) only occurs in justified exceptional cases – for example, when using international IT services.
Examples include:
For providers based in the USA, data transfers are made on the basis of the EU-U.S. Data Privacy Framework (DPF), which was recognized by the EU Commission in July 2023 as a secure framework pursuant to Art. 45 GDPR, provided the respective company is certified under the DPF.
If no certification exists, transfers may take place on the basis of Standard Contractual Clauses (SCCs) issued by the EU Commission pursuant to Art. 46 para. 2 lit. c GDPR or – in the case of explicit consent – pursuant to Art. 49 para. 1 lit. a GDPR.
Please note that in some countries outside the EU, the level of data protection may not be equivalent to European standards. In such cases, we ensure that your data is protected as best as possible through contractual, technical, and organizational measures.
More information on the EU-U.S. Data Privacy Framework is available at:
https://www.dataprivacyframework.gov
XIII. Data Security
Protecting your personal data is very important to us. For this reason, we have implemented comprehensive technical and organizational measures (TOMs) to ensure an appropriate level of protection in accordance with Art. 32 GDPR and to guarantee the security of your data at all times.
Our security measures include, among others:
- Use of current encryption technologies (e.g., SSL/TLS) for secure data transmission via our website
- Regular security updates and patches for our systems
- Controlled data access via role and permission concepts
- Protection of IT systems through firewalls, antivirus software, and access controls
- Confidentiality agreements with all employees and regular data protection training
Data transmissions via our website are encrypted using the latest TLS encryption protocol. You can recognize this by the padlock symbol in your browser’s address bar. Please ensure that you always use the latest version of your browser to maintain secure communication.
Please note: Communication via email may have security vulnerabilities. If you wish to send us confidential information (e.g., job application documents or personal data of third parties), we expressly recommend using our encrypted application portal or the traditional postal service.
XIV. Your Rights as a Data Subject
Under the GDPR, you as a data subject have numerous rights in relation to the processing of your personal data. We are happy to inform you about these rights below:
1. Withdrawal of Consent – Art. 7 para. 3 GDPR
You may withdraw your consent at any time with effect for the future. The lawfulness of the data processing carried out until the withdrawal remains unaffected.
2. Right of Access – Art. 15 GDPR
You have the right to request information at any time about your personal data that we process. This includes in particular:
- the purpose of the processing
- the categories of data processed
- the recipients (or categories of recipients)
- the intended storage period
- the existence of rights to rectification, erasure, restriction or objection
- the existence of a right to lodge a complaint with a supervisory authority
- the origin of your data, if it was not collected directly from you
- the existence of automated decision-making, including profiling (if applicable)
3. Rectification – Art. 16 GDPR
You have the right to have inaccurate or incomplete personal data concerning you rectified or completed.
4. Erasure – Art. 17 GDPR (Right to be Forgotten)
You may request the erasure of your personal data, provided that there are no legal retention obligations or the data is not required for the establishment, exercise, or defense of legal claims.
5. Restriction of Processing – Art. 18 GDPR
You may request the restriction of processing of your personal data if:
- you contest the accuracy of the data (for the duration of the verification)
- the processing is unlawful, but you do not wish to have the data erased
- the data is no longer required for the purpose of processing, but you need it for the establishment, exercise, or defense of legal claims
- you have objected to the processing and it is not yet clear whether our legitimate interests outweigh yours
6. Data Portability – Art. 20 GDPR
You have the right to receive the data you have provided to us in a structured, commonly used, and machine-readable format or – if technically feasible – to have it transmitted directly to another controller.
7. Objection to Processing – Art. 21 GDPR
You can object at any time to the processing of your personal data based on Art. 6 para. 1 lit. f GDPR (legitimate interest), if there are grounds relating to your particular situation. Processing will then no longer take place unless we can demonstrate compelling legitimate grounds.
8. Right to Lodge a Complaint – Art. 77 GDPR
If you believe that we have violated data protection law when processing your data, you have the right to lodge a complaint with a supervisory authority. The competent authority for Hermann Bantleon GmbH is:
State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
P.O. Box 10 29 32, 70025 Stuttgart
Königstraße 10a, 70173 Stuttgart
Phone: +49 711 / 615541 – 0
Email: poststelle@lfdi.bwl.de
Website: https://www.baden-wuerttemberg.datenschutz.de
To exercise your rights, a simple message to: datenschutz@bantleon.de is sufficient.
You have the right, at any time and for reasons arising from your particular situation, to object to the processing of your personal data if such processing is based on Art. 6 para. 1 lit. e or lit. f GDPR (e.g., for the protection of our company’s legitimate interests).
If we process your personal data for direct marketing purposes, you have the right to object to this processing at any time without giving reasons in accordance with Art. 21 para. 2 GDPR. Upon receipt of your objection, your data will no longer be processed for advertising purposes.
Hermann Bantleon GmbH maintains presences on social networks and embeds external content (e.g., videos) to interact with customers, interested parties, and partners, to inform about our services, and to strengthen our employer brand.
For the processing of personal data on our company pages within social networks, we are jointly responsible with the respective platform operators pursuant to Art. 26 GDPR, insofar as we influence the purposes and means of processing.
Please note that the use of these platforms may also involve data processing outside the EU, particularly in the USA. Further information on how data is handled can be found in the privacy policies of the respective providers:
When you visit our social media pages or interact with embedded content (e.g., YouTube videos), the respective providers may process the following personal data:
We use aggregated usage statistics (e.g., via LinkedIn Page Insights) to tailor our content to target groups. We have no full control over the actual data processing by the platform operators.
Data processing by us is based on Art. 6 para. 1 lit. f GDPR (legitimate interest in public communication and brand building).
If you communicate with us via these platforms (e.g., direct messages, comments), processing of your data is additionally based on Art. 6 para. 1 lit. b GDPR (contract or pre-contractual measures).
Processing by the platform providers may be based on your consent given to them – especially in the case of personalized advertising (Art. 6 para. 1 lit. a GDPR).
You can assert your rights (e.g., access, erasure, objection) both against us and against the respective platform operator. Please note that only the platform provider has full access to your data.
Information on how to exercise your rights can also be found in the respective privacy policies of the platforms.
Our website contains links to external third-party websites. When you click such a link, you will leave our website and be redirected directly to the page of the respective provider. You can recognize this, among other things, by the change in the URL in your browser's address bar.
Please note that Hermann Bantleon GmbH has no influence over the content or compliance with data protection regulations on the part of these external providers. The respective provider is solely responsible for processing your personal data on those external websites.
We therefore recommend that you inform yourself directly on the linked pages about the applicable data protection provisions.