Privacy Policy

Cookie settings

You can adjust your cookie settings via the following link: Go to cookie settings

Privacy Policy

Thank you for your interest in the ST Extruded Products Germany GmbH (STEP-G) website. At STEP-G, we take the protection of your personal data very seriously, particularly when it comes to its collection, processing and use during your visit to our website. We comply with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Digital Services Act and any other applicable, country-specific data protection regulations.

In principle, you can use the STEP-G website without submitting any personal data, such as your name, address, email address or telephone number. However, if you wish to make use of particular services that we offer via our website, it may be necessary for your personal data to be processed by STEP-G. We will always obtain your consent to process your personal data if the law does not already provide a basis for the processing.
The purpose of this Privacy Policy is to inform you about the nature, scope and purpose of the collection, processing and use of personal data by STEP-G.

In addition, we wish to inform you about your rights under this Privacy Policy.

STEP-G has taken a variety of technical and organisational measures to protect your personal data processed via this website as completely as possible. Nevertheless, we wish to point out that absolute protection cannot be guaranteed due to the nature of internet-based data transmission and the associated potential security vulnerabilities. You therefore have the option of providing us with your personal data by other means (e.g. by telephone or post).

1. Terminology

Within the framework of this Privacy Policy, STEP-G uses terminology that is also used in the EU General Data Protection Regulation (GDPR). These include the following terms:

Personal data

“Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is identifiable if they can be identified, either directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Data subject

“Data subject” refers to any identified or identifiable natural person whose personal data is processed by the controller responsible for the processing.

Processing

“Processing” refers to any operation or set of operations performed on personal data or sets of personal data, whether automated or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

“Restriction of processing” means marking stored personal data with the aim of limiting its processing in the future.

Profiling

“Profiling” refers to any form of automated processing of personal data that involves using the data to evaluate certain personal aspects relating to a natural person. This can include analysing or predicting aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation

“Pseudonymisation” means processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. This additional information must be kept separately and be subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

File system

A “file system” is defined as any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Controller

A “controller” is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purpose and means of such processing are determined by European Union law or the law of the Member States, the data controller (or the specific criteria governing his/her appointment) may be determined by EU or national law.

Processor

“Processor” means a natural or legal person, public authority, agency or body that processes personal data on behalf of the controller.

Recipient

“Recipient” means a natural or legal person, public authority, agency or body to which personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients.

Third party

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent

“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and address of the data controller

The data controller responsible for processing the data collected via the STEP-G website is:

ST Extruded Products Germany GmbH, Schachenstraße 14, 88267 Vogt (D) Tel.: +49 7529 999-0, E-Mail: vogt.office@step-g.com, Website: www.step-g.com.

3. Name and address of the data protection officer

The data protection officer of the controller is:

White Whale Data GbR, RA Götz Sommer, Hansaring 97, 50670 Cologne (D), Tel.: +49 221 977 69 80, E-mail: info@wwdata.de

All data subjects may contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

4. Legal basis for processing

Pursuant to Art. 6 (1) of the GDPR, the processing of personal data by STEP-G is lawful if at least one of the following conditions is met:

a) the data subject has given consent to the processing of personal data concerning them for one or more specific purposes;

b) processing is necessary for the performance of a contract to which they are a party or for steps to be taken at their request prior to entering into a contract (e.g. product enquiries);

c) processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. tax obligations);

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g. health insurance data of a visitor in the event of an accident on our premises);

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

5. Legitimate interests in the processing pursued by the controller or a third party

Where the processing of personal data is based on Article 6 (1) (f) GDPR, we have a legitimate interest in conducting our business for the benefit of all of our employees and shareholders.

6. Duration for which the personal data is stored

STEP-G stores personal data for the respective statutory retention periods. At the end of this period, the corresponding data is routinely deleted, unless it is required for performance of the contract or for contract initiation.

7. Existence of automated decision-making

As a responsible and conscientious company we do not carry out automated decision-making or profiling.

8. Rights of the data subject

Under the provisions of the GDPR, you have the following rights as a data subject:

Right to confirmation

As the data subject, you have the right to ask STEP-G (as the data controller) to confirm the processing of your personal data. You can exercise this right at any time by contacting any of the data protection officers mentioned in this Privacy Policy or any other STEP-G employee.

Right to information

As the data subject, you have the right, at any time, to receive information from STEP-G free of charge regarding the personal data stored about you, and to receive a copy of this data. Furthermore, you have the right to obtain the following information:

a) the purposes of the processing;

b) the categories of personal data being processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;

f) the existence of a right to lodge a complaint with a supervisory authority;

g) if the personal data are not collected from you as the data subject: All available information about the origin of the data;

h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you as the data subject.

If personal data are transferred to a third country or to an international organisation, you as the data subject have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer.

If you as a data subject wish to exercise this right to information, you can contact any data protection officer named in this Privacy Policy or another employee of STEP-G at any time.

Right to rectification

As a data subject, you have the right to obtain from STEP-G without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you as the data subject have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If you, as the data subject, wish to exercise this right to rectification, you can contact any data protection officer named in this Privacy Policy or another STEP-G employee at any time.

Right to erasure (“right to be forgotten”)

As the data subject, you have the right to obtain from STEP-G the erasure of personal data concerning you without undue delay where one of the following grounds applies and insofar as the processing is not necessary:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

b) The data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1) GDPR, or point (a) of Article 9 (2) GDPR, and where there is no other legal ground for the processing.

c) The data subject objects to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) GDPR.

d) The personal data have been processed unlawfully.

e) The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

f) The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
Where one of these grounds applies and you as the data subject wish to request the erasure of your personal data stored by STEP-G, you can contact any data protection officer named in this Privacy Policy or another STEP-G employee at any time. A data protection officer named in this Privacy Policy or another employee of STEP-G will arrange for the request for cancellation to be complied with immediately.

Where STEP-G has made personal data public which we are obliged to delete pursuant to Article 17 (1) GDPR, STEP-G will take appropriate measures (including of a technical nature) – taking into account the available technology and the costs of implementation – to notify other data controllers processing the published personal data that you (as the data subject) have requested the deletion of all links to such personal data as well as all copies or reproductions thereof by those other data controllers, unless such processing is mandatory. Any data protection officer of STEP-G or another employee will take all necessary steps in individual cases.

Right to restriction of processing

As a data subject, you have the right to request STEP-G to restrict processing if one of the following conditions is met:

a) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.

b) The processing is unlawful and you as the data subject oppose the erasure of the personal data and request the restriction of their use instead.

c) STEP-G no longer needs the personal data for the purposes of the processing, but you as the data subject require them for the establishment, exercise or defence of legal claims.

d) You as the data subject have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of STEP-G override your grounds as the data subject.

If one of these conditions is met and you as the data subject wish to request the restriction of personal data stored by STEP-G, you can contact our data protection officer or another STEP-G employee at any time. Any data protection officer of STEP-G or another employee will arrange for the restriction of processing.

Right to data portability

As the data subject, you have the right to receive the personal data that you provided to STEP-G in a structured, common and machine-readable format. You also have the right to transfer this data to another data controller – without hindrance by the data controller to whom the personal data was submitted – provided that the processing is based on consent pursuant to Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR and the processing is carried out by automated means, unless the processing is necessary in the public interest or in the exercise of official authority vested in the data controller. In addition, as the data subject exercising your right to data portability pursuant to Article 20 (1) GDPR, you have the right to have your personal data transmitted directly from one data controller to another, to the extent that this is technically feasible and that doing so does not limit the rights and freedoms of other persons. As the data subject, you can exercise this right to data portability at any time by contacting any data protection officer mentioned in this Privacy Policy or any other STEP-G employee..

Right of objection

As the data subject, you have the right, for reasons based on your particular situation, to object at any time to the processing of your personal data pursuant to Article 6 (1) (e) or (f) GDPR. This also applies to profiling based on these provisions.

In case of an objection, STEP-G will cease processing the personal data, unless we can prove that there are compelling legitimate grounds for its processing, which outweigh your interests, rights and freedoms as the data subject, or unless the purpose of the processing is to assert, exercise or defend against legal claims.

Where STEP-G processes personal data for the purpose of direct advertising, as the data subject you have the right, at any time, to object to the processing of your personal data for the purpose of such advertising. The same applies in the case of profiling, to the extent that it is associated with such direct advertising. If you, as the data subject, object to STEP-G processing your data for direct marketing purposes, STEP-G will no longer process your personal data for these purposes.

In addition, as the data subject you have the right, for reasons based on your particular situation, to object to the processing of your personal data by STEP-G for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 (1) GDPR, unless such processing is necessary in the public interest.

If you, as the data subject, wish to exercise this right to object, you can contact any data protection officer named in this Privacy Policy or another STEP-G employee at any time. As the data subject, you are also free to exercise your right to object in connection with the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

Automated decisions in individual cases, including profiling

As the data subject, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, provided that the decision;

a) is not necessary for the conclusion or fulfilment of a contract between you as the data subject and STEP-G, or

b) is authorised by Union or Member State law to which STEP-G is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests as a data subject; or

c) with the express consent of you as the data subject.

If the decision is necessary for entering into, or the performance of, a contract between you as the data subject and STEP-G, or if it is based on your explicit consent as the data subject, STEP-G shall implement suitable measures to safeguard your rights and freedoms and legitimate interests as the data subject, at least the right to obtain human intervention on the part of STEP-G, to express your point of view and to contest the decision.

If you, as the data subject, wish to exercise these rights with regard to automated decisions, you can contact any data protection officer named in this Privacy Policy or another STEP-G employee at any time.

Right to withdraw consent under data protection law

As a data subject affected by the processing of personal data, you have the right to withdraw your consent to the processing of personal data at any time.

If you as a data subject wish to exercise this right to withdraw consent, you can contact any data protection officer named in this Privacy Policy or another STEP-G employee at any time.

9. Legal or contractual regulations governing the provision of personal data; its necessity for the purpose of concluding of the contract; obligations of the data subject to provide their personal data; possible consequences of non-provision

We wish to explicitly point out that the provision of your personal data may be required by law (e.g. due to tax regulations) or may result from contractual arrangements (e.g. details of the contracting party). For the purpose of concluding a contract it may be necessary for you, as the data subject, to provide us with personal data that must subsequently be processed by us. For example, as the data subject, you will be required to provide us with personal data if our company signs a contract with you. Refusal to provide your personal data would mean that we would not be able to conclude the contract with you (as the data subject). Before you submit your personal data to us, we advise you to contact our data protection officer or one of our employees. They will inform you (as the data subject) on a case-by-case basis whether the provision of your personal data is required by law, or contractually required, or required for the conclusion of the contract, or whether you are obliged to provide the personal data, as well as the consequences of refusing to provide it.

10. Routine erasure and blocking of personal data

STEP-G only processes and stores personal data for the period of time necessary to achieve the purpose of the storage, or if STEP-G is bound by statutory provisions that require such storage.
If the purpose of the storage is omitted or if a legally prescribed retention period expires, the personal data is routinely blocked or deleted in accordance with the statutory provisions.

11. Hosting provider

STEP-G hosts the content of our website at SpaceNet AG, Joseph-Dollinger-Bogen 14, 80807 Munich, Germany, as a processor for the provision and operation of our IT infrastructure. The processing by SpaceNet serves the provision and operation of our IT infrastructure as well as the hosting and data centre operation. The data processing takes place in certified high-security data centres of SpaceNet in Munich.

SpaceNet processes the following data as part of order processing:

the browser type and version used
the operating system, which can be subsequently changed by the user, and the user’s Internet service provider,
the date and time of the server enquiry
the previously visited website, only if this has linked to our website and the visitor has clicked on this link,
the IP address of the user
the amount of data sent/transmitted.

Processing is carried out on the basis of Art. 6 (1) (b) GDPR and Art. 28 GDPR. STEP-G has concluded the agreement with SpaceNet required under data protection law for order processing, in accordance with Art. 28 of the GDPR. According to this agreement, SpaceNet is responsible for ensuring the necessary protection of your data, processing it exclusively in accordance with our instructions and in line with applicable data protection regulations. Further information about SpaceNet can be found on the website: www.space.net/.

The data is stored on SpaceNet servers located in Germany. SpaceNet only processes this data for the stated purposes and on our behalf. SpaceNet does not use the data independently or disclose it to third parties without authorisation. Similarly, this data is not stored alongside other personal user information.

It is necessary to temporarily store the IP address in the system in order to deliver the website or its content to the user’s device. However, the IP address remains stored during the session. If no other retention period is requested, the stored log data is automatically deleted after six months.

The storage of all the above-mentioned information ((1) - (8)) in log files serves to ensure the functionality of the website. In addition, the data is used to optimise the website and ensure the security of our IT systems. The data is not analysed for marketing purposes. These purposes also represent our legitimate interest in data processing in accordance with Art. 6 (1) (f) GDPR in conjunction with § 25 (2) TDDDG.

12. Cookies

The websites of STEP-G use cookies. Cookies are text files that are downloaded and stored in a computer system via an internet browser.

Many websites and servers use cookies. Many cookies contain a so-called “cookie ID”. This consists of a character string that serves as the cookie’s unique identifier, making it possible to assign visits to internet pages and servers to the specific internet browser in which the cookie was stored. This allows the visited web pages and servers to distinguish the browser of the respective visitors from other internet browsers (if they contain other cookies). In other words, the unique cookie ID makes it possible to recognise and identify a specific internet browser.

By using cookies, STEP-G can provide visitors to the website with more user-friendly services that would otherwise not be possible. By using cookies, STEP-G is able to optimise its websites for the benefit of the visitors, since the cookies make it possible to identify repeat visitors to the website, which in turn allows us to make the website easier for them to use. For example, when using cookies, visitors are not required to enter their login data each time they visit the website. The login is instead performed automatically by the website via the cookie that was previously stored on the visitor’s computer. In addition, cookies enable online shops to “remember” the items that customers have placed in their virtual shopping carts.

Some cookies are set by third-party providers, e.g. Google, Facebook or other advertising networks, which have their own privacy policies. These cookies are mainly used to analyse and personalise advertising and can track your activities on various websites. You can find out more about this in this data protection declaration under the data protection provisions of the respective services.

In order to offer you more transparency and control, we have implemented a detailed cookie consent management system. This system allows you to:

distinguish between necessary and optional cookies
make granular choices for different cookie categories
change or reset your preferences at any time

The following types of cookies exist:

Necessary cookies: These cookies are required for the basic website functions to work, such as user login or the shopping basket function in an online shop.
Functional cookies: These cookies enable the website to remember your preferences, such as your language settings or login data, in order to improve the user experience.
Performance and analysis cookies: These cookies help to analyse the use of the website so that we can improve its performance. An example of this is Google Analytics.
Marketing cookies: these cookies are used to show you personalised advertising based on your interests, even if you visit other websites. They enable us to carry out targeted advertising measures (e.g. through Google Ads and other advertising networks).

As the data subject, the user can prevent the use of cookies by the STEP-G website by configuring the corresponding setting in their internet browser. In this way, they can permanently block the use of cookies. In addition, the visitor to the website can delete cookies that have already been stored at any time via their internet browser settings or other software programs. This feature is available in all popular internet browsers. Users (i.e. data subjects) who disable the saving of cookies in their internet browser may no longer be able to make full use of all the features of the STEP-G website.

The storage period of cookies can vary. The storage period for “permanent cookies” can be up to two years. You can adjust your cookie settings at any time via the ‘Cookie settings’ link at the bottom of the page.

The legal basis for our use of cookies may vary depending on the circumstances. The legal basis on which we process your personal data always depends on the specific individual case. If we ask for your consent and you agree to the use of cookies, this consent provides the legal basis for the processing of your data (Art. 6 (1) (a) GDPR). Should the use of cookies become necessary in order to fulfil our (pre-)contractual obligations towards you, the data processing by STEP-G is based on Art. 6 (1) (b) GDPR. In all other cases, we base the processing of your data by means of cookies on our legitimate interest pursuant to Art. 6 (1) (f) GDPR (e.g. operation of the website and its improvement).

13. Collection of general data and information

Whenever a data subject or automated system accesses the STEP-G website, general information about the nature of the access is periodically stored in our server’s log files. This information may include the browser type and version, the operating system, as well as the website via which the data subject or automated system accessed our website. Other recorded information may include the subpages accessed on our website, the date and time of access, the visitor’s IP address, the internet service provider of the accessing system and any other security-related data we need in the context of preventing attacks against our IT systems.

STEP-G does not use this data to draw conclusions about the data subject. Instead, this data is necessary to ensure that the contents of our website are properly transmitted, as well as to optimise our website, to ensure its functionality, and to provide information required by law enforcement agencies in the event of a cyberattack. We therefore evaluate this data solely for statistical purposes and also to improve data protection and data security within our company. The goal here is to ensure that the personal data we process is safeguarded to the maximum extent possible. The personal data which data subjects submit to us is stored separately from the anonymous data that our server collects via its log files.

14. Registration on our website

You have the opportunity to register on our website by submitting personal data. For details about which personal data is transmitted to the data controller, please refer to the input screen that STEP-G makes available to you during registration. The personal data you provide is collected and stored by STEP-G solely for internal use and for statistical purposes. STEP-G may also transfer your personal data to one or more data processors, e.g. postal operators, which also use personal data exclusively for internal order processing.

If you register on our website, the data saved there is also transmitted by the respective internet service providers (ISP). This includes the IP address as well as the date and time of registration. We store this data as a necessary means to prevent misuse of our services and, if necessary, this information can be used at a later time to investigate previous criminal activity. The storage of the data is therefore necessary to safeguard the data controller’s systems. As a matter of principle, STEP-G will not pass this data on to third parties unless it is legally obliged to do so, or unless disclosure is required for the purposes of criminal prosecution.

STEP-G requires users to register – and in so doing to submit personal data – in order to offer them content and services which, due to their nature, can only be offered to registered users. At any time, registered users are entitled to modify the personal data that they submitted during registration, or to have such data removed from STEP-G’s database entirely.

They also have the right, at any time, to ask STEP-G which personal data has been stored. STEP-G will respond to such requests as soon as possible. To the extent that we are not prevented from doing so due to statutory retention periods, STEP-G will comply with any requests from data subjects for the rectification or deletion of their personal data. In this context, all employees of STEP-G as well as any data protection officers named in this Privacy Policy are available as a point of contact.

15. Contact via the website

Due to statutory regulations, the websites of STEP-G contains features and information which enable fast electronic contact with our company as well as direct communication with us. This also includes our e-mail address.

When you contact STEP-G via e-mail or our contact form, your personal data is automatically stored. This data, which you voluntarily submit to STEP-G, is stored for the purpose of processing or contacting you (as the data subject).

16. Data protection provisions about the application and use of Pimcore

STEP-G uses the Product Information Management (PIM) system Pimcore from Pimcore GmbH, Söllheimer Straße 16, 5020 Salzburg, Austria, to manage and process product information.

The following data is processed when using Pimcore:
Product master data (e.g. article numbers, designations)
Product descriptions and technical specifications
Product images and videos
Classifications and categorisations

This data is processed for the following purposes:

Centralised management and maintenance of product information
Provision of consistent product data for various output channels
Quality assurance of product information
Optimisation of internal processes in product management

The processing is carried out on the basis of Art. 6 (1) (f) GDPR. Our legitimate interest lies in efficiently managing and utilising product information.

The Pimcore framework provides restricted access to data via its comprehensive authorisation system. This means that access to user data can be effectively restricted based on the respective user and role levels. In this way, information can be changed or deleted as required, guaranteeing secure and precise data management. Further information about Pimcore can be found on the website: pimcore.com/en/

To comply with the new guidelines, Pimcore has also developed the GDPR Data Extractor Tool. This tool ensures that the right of access to data is safeguarded by enabling a targeted search and export of personal data. All relevant data is displayed in a clearly organised list, from which personal data can be easily deleted or exported in JSON format.

The data is stored for the duration of product availability and beyond in accordance with statutory retention periods. After these periods have expired, the data will be deleted.

The data stored in Pimcore is only passed on to internal departments and to technical service providers commissioned with the maintenance and hosting of the system.

STEP-G uses technical and organisational security measures to protect your data against accidental or intentional manipulation, loss, destruction or access by unauthorised persons.

17. Data protection provisions for applications and the application process

In connection with the career portal, STEP-G collects and processes applicants’ personal data for the purpose of processing their applications. Such processing may be carried out by electronic means. In particular, this applies in cases where applicants submit their application documents to STEP-G by e-mail, via a web form on our website, or by other electronic means.

STEP-G uses the applicant management tool “BITE”, developed and provided by BITE GmbH (Magirus-Deutz-Straße 12, 89077 Ulm, Germany), to organise the application process efficiently and transparently. STEP-G uses the tool to record, manage and process the personal data you provide as part of your application. Further information about BITE can be found on the website at: www.b-ite.de/

Your data will be processed exclusively for the purpose of carrying out the application process, including checking your suitability for the advertised position and communicating with you.

Your personal data is processed on the basis of Art. 6 (1) (b) GDPR, as it is necessary for the implementation of pre-contractual measures, as well as in accordance with § 26 BDSG, insofar as it concerns data in connection with your application for employment.

In the application process, STEP-G processes the following personal data:

Your contact details (e.g. name, address, telephone number, e-mail address),
Information about your qualifications (e.g. CV, certificates, cover letter),
Other information that you voluntarily provide to us as part of your application.
Data storage period

Your data will be stored for the duration of the application process. After completion of the process, your data will be stored for a period of six months in order to be able to answer any queries or defend against legal claims. Should STEP-G wish to store your data for longer (e.g. for future job offers), STEP-G will ask you for your express consent beforehand.

The applicant management tool “BITE” is operated by BITE GmbH, which acts as STEP-G’s processor in accordance with Art. 28 GDPR. Your data will only be processed within the European Union. Your data will not be passed on to third parties beyond this.

If an application is successful and the applicant is hired, STEP-G stores the data submitted by the applicant for the purpose of facilitating the employment relationship. The statutory regulations are observed in this regard.

If an application is unsuccessful, i.e. if no employment contract is concluded, STEP-G automatically deletes the submitted documents two months from the date on which the respective applicants were notified of their unsuccessful application. The data is only kept beyond this time if its deletion conflicts with other justified interests of STEP-G – for example, in the event that STEP-G is required to give evidence in proceedings under the German General Equal Treatment Act (AGG).

18. Data protection provisions about the application and use of Google Maps

On this website STEP-G uses the product Google Maps service provided by the company Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google Inc. (hereinafter: ‘Google’), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA to display a map and to allow you to calculate and display the route to our company’s locations.

When you use Google Maps on our website, the following data is processed:

IP address
Geographical data
Browser information
Usage data

By connecting your internet browser to Google’s servers, the company can determine which website your request was sent from and to which IP address the directions should be sent. If you do not agree to this processing, you can prevent cookies from being installed by Google by changing the corresponding settings in your browser. You can find out more about this in the “Cookies” section of this Privacy Policy.

The legal basis for the collection and processing of the aforementioned data is Art. 6 (1) (f) GDPR. We have a legitimate interest in optimising the features of our website in order to offer you the best possible service.

Google processes your data in the USA, among other places. Google is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

In addition, Google uses so-called standard contractual clauses (= Art. 46. (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the resolution and the corresponding standard contractual clauses here, among others: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.

The Google Ads Data Processing Terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/de/adsprocessorterms/.

You can find out more about the Google Maps Terms of Use at https://www.google.com/intl/de_de/help/terms_maps.html and https://policies.google.com/terms?gl=DE&hl=de.

19. Data protection provisions about the application and use of HubSpot

STEP-G uses the HubSpot marketing automation system from HubSpot Inc. for the purposes of statistics, marketing, content management, web analysis and search engine optimisation. (25 First Street, 2nd Floor, Cambridge, MA 02141, USA). HubSpot operates offices in Ireland (One Dockland Central, Dublin 1, Ireland) and Germany (Am Postbahnhof 17, 10243 Berlin). The software uses cookies (see Sec. 4).

The following data is collected:

First name
Surname
E-mail address (primary, membership)
Telephone number (primary, mobile, fax)
Job title
Preferred language
Password (only hashed and stored securely)
User IDs (creator and last updater)
Place of residence and billing location (city, country/region, postcode)
IP-based location data (geographic position, city location, time zone)
Company name (for small companies/self-employed persons)
Industry, number of employees, company divisions
Timestamp (first interaction, last activity, last change, next activity)
Communication history (last contact, messages, surveys, meetings)
Usage behaviour (navigation information, referral URL, visit duration, events, access times)
Engagement metrics (contacts, sales activities, target group and service interactions)
Device details (browser type, operating system, model, version, device identifier, advertising IDs)
Network data (IP address, domain, internet provider)
Mobile apps and download information
Payment history (completed/anticipated payments, total amount collected/remaining)
Bank details
Deal and sales data (amounts, closing date, assigned deals, probability of closing)

You can find out more about the data processed through the use of HubSpot in the Privacy Policy at https://legal.hubspot.com/de/privacy-policy?tid=331733495288 and https://knowledge.hubspot.com/de/properties/hubspots-default-contact-properties#analytics.

Hubspot is also used to send the STEP-G newsletter. Subscription to the newsletter is always optional, requiring active user action. No newsletter will be sent without explicit registration. STEP-G uses a double opt-in procedure for its newsletter registration. After registering on the website, the user receives a confirmation e-mail with a corresponding link. Only after clicking on this link is the registration completed and the newsletter will be sent by e-mail in future. This procedure ensures that users can only register themselves for the newsletter and serves as proof of registration.

When you register, your e-mail address and, if you choose to provide it, other personal data will be stored in HubSpot. This data is used exclusively for sending the newsletter and the associated personalisation. Each newsletter contains an unsubscribe link that you can use to unsubscribe from the newsletter at any time.

The legal basis for the use of the software is the consent of the user according to. Art. 6 (1) (a) GDPR. Consent to cookies is given via a banner that informs the visitor that cookies are used on the first visit or after deleting the cookies. The visitor can either agree to the use or reject it. If consent is given, the corresponding cookies are set in the visitor’s browser, while no HubSpot cookies are activated if consent is refused. For certain functions, such as the HubSpot chat tool or advertising cookies, explicit consent is also requested. If the visitor changes their mind, they can withdraw their consent via the banner. In this case, cookies that have already been set will be removed and functions that rely on cookies, such as the chat history or personalised advertising, may no longer be available. You can find out more about this in the “Cookies” section of this Privacy Policy.

It is possible that HubSpot may pass on or transfer the data collected to another country (e.g. Ireland, the USA or other countries in which HubSpot partners operate), or countries outside the European Union and the European Economic Area which do not have an appropriate data protection level. As HubSpot acts as our processor, data is processed on behalf of STEP-G. It should be noted that the GDPR applies not only to companies based in the EU, but to all organisations that process the data of EU citizens, regardless of their location. To ensure GDPR compliance, HubSpot offers functions such as cookie banners for obtaining consent, the option of recording the legal basis for data processing and functions for GDPR-compliant deletion of data.

HubSpot also processes your data in the USA, among other places. HubSpot is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

In addition, HubSpot uses so-called standard contractual clauses (= Art. 46. (2) and (3) GDPR). Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, HubSpot undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the resolution and the corresponding standard contractual clauses here, among others: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.

The Data Processing Agreement, which corresponds to the standard contractual clauses, can be found at: https://legal.hubspot.com/dpa.

20. Data protection provisions about the application and use of Google Analytics (with anonymisation function)

STEP-G has integrated the component Google Analytics (with anonymisation feature) into this website. The operating company of the Google Analytics component is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics is a web analytics service. Web analysis is the collection, collation and evaluation of data about the behaviour of visitors to websites.

Google Analytics collects data about:

The origin of the visitors (referrer)
The subpages visited and the time spent on them
The frequency of visits
The technical device (e.g. IP address, browser and device type)

The purpose of data processing by Google Analytics is:

The analysis of visitor behaviour on our website
The creation of reports on activities on our website
To offer further services in connection with the use of our website

To protect your privacy, STEP-G uses the addition “_gat._anonymiseIp” for web analysis via Google Analytics. This parameter allows the IP address of the data subject’s internet connection to be shortened and anonymised by Google if the data subject accesses our website from a Member State of the European Union or from another contracting state to the Agreement on the European Economic Area.

Google Analytics places a cookie on the information technology system of you as the data subject. Each time you visit a page on the website operated by STEP-G with an integrated Google Analytics component, data is automatically transmitted to Google for online analysis. Among other things, personal data such as the IP address is recorded in order to trace the origin of visitors and clicks. Cookies are used to store information such as access time, origin and frequency of visits and transfer it to Google in the USA.

The use of Google Analytics requires your consent, which STEP-G has obtained with its cookie pop-up. According to Art. 6 (1) (a) GDPR, this consent constitutes the legal basis for the processing of personal data, as may occur when collected by web analytics tools.

STEP-G uses a consent management tool that gives you the option of consenting to or rejecting the use of cookies and tracking technologies when you first visit our website. You can revoke or adjust your consent at any time via the settings in the consent banner. You can find out more about this in the “Cookies” section of this Privacy Policy.

The cookies set by Google Analytics are usually deleted after 30 days. Further data will be stored for as long as is necessary for the above-mentioned purposes or as required by statutory retention obligations.

In addition to consent, we have a legitimate interest in analysing the behaviour of website visitors in order to improve our offer technically and economically. With the help of Google Analytics, STEP-G recognises website errors, can identify attacks and improve efficiency. The legal basis for this is Art. 6 (1) (f) GDPR (legitimate interests). Nevertheless, STEP-G only uses Google Analytics if you have given your consent.

The Google Ads Data Processing Terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/de/adsprocessorterms/.

As previously mentioned, the data subject can prevent the use of cookies by our website at any time by configuring the relevant settings in their internet browser, and can thus permanently disable the storage of cookies. Configuring an internet browser in this way would also prevent Google from storing a cookie in the data subject’s IT system. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programmes.
Furthermore, the data subject has the option of objecting to – and preventing the collection of – the data generated by Google Analytics regarding their use of this website, as well as the processing of this data by Google. To do so, the data subject must download and install a browser add-on via this link: https://tools.google.com/dlpage/gaoptout https://tools.google.com/dlpage/gaoptout. This browser add-on informs Google Analytics via JavaScript that no data and information about visits to the website may be transmitted to Google Analytics. If the data subject installs the browser add-on, Google acknowledges their objection to its use of their web analytics data. If the data subject’s IT system is later deleted, formatted or reinstalled, they must reinstall the browser add-on in order to disable Google Analytics. If the browser add-on is uninstalled or disabled by the data subject or another person within their sphere of control, it remains possible to reinstall or reactivate the browser add-on.

If you would like to find out more about data processing, see the Google Privacy Policy at https://policies.google.com/privacy?hl=de.

21. Data protection provisions about the application and use of Google Ads

STEP-G uses Google Ads, a service provided by Google Ireland Limited (‘Google’), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads is an online advertising service from Google that allows companies to place paid adverts in Google search results and in the Google advertising network.
The following data is processed by Google Ads:

IP address

User interactions on the website (e.g. clicks, dwell time)
Device and browser information
Origin of visitors (e.g. which advert brought you to our site)
Location data

Data processing is carried out for the following purposes:

Measuring and analysing the effectiveness of advertising measures (conversion tracking)
Optimisation of our online offering and our advertising measures
Personalisation of advertising
Economic success and improvement of our services

STEP-G uses the remarketing function within the Google Ads service to address visitors to its own website with targeted advertising even after their visit. This function enables interest-based adverts to be placed throughout the Google advertising network, for example in Google Search results, on YouTube, or on other websites. This is based on the analysis of user behaviour on the website, such as which offers users were interested in. This means that personalised adverts can be displayed on other websites, too. The remarketing cookies used for this service collect information about users’ behaviour on the website (e.g. which pages or products were visited) in order to display personalised adverts based on users’ interests.

The processing of your personal data takes place exclusively on the basis of your express consent in accordance with Art. 6 (1) (a) GDPR. This consent is obtained via a cookie consent tool (consent banner) before Google Ads is activated. No data processing by Google Ads takes place without your consent.

The cookies set by Google Ads are usually deleted after 30 days. Further data will be stored for as long as is necessary for the above-mentioned purposes or as required by statutory retention obligations.

The Google Ads Data Processing Terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/de/adsprocessorterms/.

If you would like to find out more about data processing, see the Google Privacy Policy at https://policies.google.com/privacy?hl=de.

22. Social media networks

STEP-G has a company presence on the social media networks YouTube, Instagram, Facebook and LinkedIn.

A social network is an online service that allows users to communicate with each other and interact in a virtual space. This online social meeting point (online community) can be used to exchange views and experiences and provide personal or business information to other users within the online community. Among other things, Facebook users can create personal profiles, upload photos and network with other users via friend requests.

Static hyperlinks to the respective profiles are provided on the website for this purpose. As a rule, no personal data of the users is transmitted to the respective platforms through this mere linking.

Only when such a link is actively clicked on or a social media plugin or a specific embedding (e.g. of videos or feeds) is used on the website can data processing by the respective platform operators take place. In these cases, the IP address or other technical information may be transmitted to the respective provider. Further information on this can be found below in the explanations of the individual social media platforms.

a. Data protection provisions about the use of Facebook links

STEP-G provides a hyperlink on the website that leads to the Facebook profile of the BUG Aluminium-Systeme brand. The operator of the Facebook social network is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is responsible for the processing of personal data of users residing outside the USA and Canada.

By clicking on this link, you will leave the STEP-G website and be redirected directly to the Facebook platform.
By clicking on the Facebook link, Facebook processes personal data such as your IP address, browser information and possibly other data in accordance with its own data protection guidelines. The data processing takes place outside the sphere of influence of STEP-G.

STEP-G does not transmit any personal data to Facebook in connection with the setting of the link. Data is only transferred to Facebook when you actively click on the link.

The sole purpose of the link is to give you access to further information about STEP-G on Facebook.

Information on your rights in connection with data processing on Facebook and the contact details of Facebook’s data protection officer can be found in Facebook’s Privacy Policy mentioned above.

Further information on data processing by Facebook can be found in Facebook’s Privacy Policy: https://www.facebook.com/about/privacy.

Since STEP-G only provides a link to the Instagram profile and does not embed any content directly on its website, there is no joint responsibility with Meta Platforms Ireland Limited within the meaning of Art. 26 GDPR.

b. Data protection provisions about the use of Instagram links

STEP-G provides a hyperlink on the website that leads to the Instagram profile of the BUG Aluminium-Systeme brand. The operator of the social network Instagram Instagram is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is responsible for the processing of personal data of users residing outside the USA and Canada.

By clicking on the link, you leave our website and access the Instagram platform.
By simply clicking on the link, no personal data will be transmitted to Instagram. Your data will only be processed when you use the Instagram platform. Instagram’s data processing is governed by Meta’s Privacy Policy, which you can view at https://privacycenter.instagram.com/policy/.

Please note that you use Instagram and its functions under your own responsibility.

Instagram processes personal data such as IP address, device and browser information as well as content that users share or interact with on the platform.

You can manage your data protection settings and rights to data management, correction, deletion and objection directly in your Instagram account or at https://privacycenter.instagram.com/policy/.

Since STEP-G only provides a link to the Instagram profile and does not embed content directly on its website, there is no joint responsibility with Meta Platforms Ireland Limited within the meaning of Art. 26 GDPR.

c. Data protection provisions about the use of LinkedIn links

STEP-G provides a hyperlink on the website that leads to the LinkedIn profile of the BUG Aluminium-Systeme brand. LinkedIn’s operating company is LinkedIn Corporation, 2029 Stierlin Court Mountain View, CA 94043, USA. Outside the United States, issues relating to the company’s Privacy Policy are handled by LinkedIn Ireland, Privacy Policy Issues, Wilton Plaza, Wilton Place, Dublin 2, Ireland.

Please note that clicking on this link will take you away from our website and to the LinkedIn platform. LinkedIn is an independent service over whose data processing STEP-G has no influence.

As soon as you follow the link, LinkedIn may process personal data such as your IP address, browser information and possibly other data in accordance with LinkedIn’s own Terms of Use and Privacy Policy.

STEP-G does not transmit any personal data to LinkedIn in connection with the setting of the link. Data is only transferred to LinkedIn when you actively click on the link.

The link serves exclusively to provide you with further information about our company on LinkedIn and to make our social media presence accessible.

You can obtain information about the processing of your personal data by LinkedIn directly from LinkedIn and assert your rights as a data subject there.

Information on data processing by LinkedIn can be found in LinkedIn’s Privacy Policy at: https://www.linkedin.com/legal/privacy-policy.

LinkedIn’s cookie policy can be found at https://www.linkedin.com/legal/cookie-policy.

Since STEP-G only provides a link to the LinkedIn profile and does not embed any content directly on its website, there is no joint responsibility with LinkedIn within the meaning of Art. 26 GDPR.

d. Data protection provisions about the application and use of YouTube

Videos from the YouTube platform are embedded on the STEP-G website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When a page with an embedded YouTube video is accessed, a connection to the YouTube servers is established. Personal data such as your IP address may be transmitted to YouTube and Google. Even if YouTube’s “extended data protection mode” is used, data may be transmitted as soon as the page is loaded. Further data (e.g. through cookies) is only collected when the video is played in order to record video statistics, improve user-friendliness and prevent abusive behaviour.
Your personal data is processed exclusively on the basis of your express consent in accordance with Art. 6 (1) (a) GDPR. This consent is obtained via a cookie consent tool (consent banner) before a connection to the YouTube servers is established and content is loaded. No data processing by YouTube takes place without your consent.

Further information on data processing by YouTube and Google can be found in Google’s Privacy Policy: https://policies.google.com/privacy.