Privacy Policy

NAF NEUNKIRCHENER ACHSENFABRIK AG
Weyhausenstrasse 2
91077 Neunkirchen am Brand
Germany
Email: info@nafaxles.com
Phone +49 (0)9134 702 0
Authorised representative: Dr Norbert Knorren, Bernhard Schnabel, Erwin Urban
Legal information:

Data protection officer contact details

By post:
NAF NEUNKIRCHENER ACHSENFABRIK AG
– Data protection –
Weyhausenstrasse 2
91077 Neunkirchen am Brand

By email: datenschutz@nafaxles.com

We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of data processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

In particular the measures include safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the respective access, input, transfer, safeguarding of availability and its separation. We have also set up procedures to ensure that the right of data subjects are exercised, data is deleted and we respond to any threats to the data. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software and processes in accordance with the principle of data protection, by means of technical design and data protection-friendly default settings.

Shortening of the IP address: If IP addresses are processed by us or by the service providers and technologies employed and processing of a full IP address is not required, the IP address is shortened (also known as “IP masking”). The last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. Shortening the IP address is intended to prevent or significantly complicate the identification of a person by means of their IP address.

TLS encryption (https): We use TLS encryption to protect your data transmitted through our website. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.

When we process personal data, some data may be transferred to other bodies, companies, legally independent organisational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the organisation: We may transfer personal data to other offices within our organisation or grant them access to this data. If the data is transferred for administrative purposes, transfer of the data is based on our legitimate business and commercial interests or takes place if it is necessary to fulfil our contractual obligations or if the consent of the data subjects or legal permission has been obtained.

Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or if processing takes place during use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this will only occur place in compliance with the legal requirements. If the level of data protection in the third country has been recognised by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for data transfer. Otherwise data will only be transferred if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c GDPR), express consent or in the case of contractual or legally required transfers (Art. 49 para. 1 GDPR).

In addition, we will inform you of the basis of the third country transfer with the individual providers from the third country, whereby the adequacy decisions take precedence as the basis.
Information on third country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognised the level of data protection for certain companies from the USA as secure within the framework of the adequacy decision of 10 July 2023. The list of certified companies as well as further information on the DPF is given on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). As part of the privacy policy we provide information about the service providers that we use which are certified under the provisions of the Data Privacy Framework.

You can use our careers portal to apply for vacancies or send us a speculative application. We process the personal data you submit through the applicant portal for the application process and to contact you (e.g. to arrange appointments, answer queries). Data processing is carried out for the purpose of initiating an employment contract (Art. 6 para. 1 lit. b GDPR contract initiation). If you provide us with data that is not mandatory, we process it on the basis of our legitimate interests in the use of the information provided to us (Art. 6 para. 1 lit. f GDPR). We will delete any obviously irrelevant data. If special categories of personal data (Art. 9 para. 1 GDPR) are voluntarily provided as part of the application process, processing is also carried out in compliance with Art. 9 para. 2 lit. b GDPR (e.g. health data, severely disabled status or ethnic origin). In addition, we process your personal data (first name, surname, date of birth if applicable) within the scope of our legitimate interest in order to carry out a sanctions list check (EU regulation on combating terrorism, BAFA requirements (Federal Office of Economics and Export Control)).

If an employment contract is concluded, we will continue to process the personal data we have already received from you if as this is necessary for the performance of the employment contract. We will delete any application data that is not required for this purpose.

If your application is not successful, your data will be deleted no later than six months after completion of the application process in order to fulfil our obligation to provide evidence under the Equal Treatment Act (AGG). In addition, your personal data may be processed if this is necessary for the defence of legal claims asserted against us in the application process (Art. 6 para. 1 lit. f GDPR).

Data and invoices for any travel expense reimbursements are archived in accordance with the provisions of tax law (Art. 6 para. 1 lit. c GDPR; generally 10 years). If you and we are interested in working together in the future and you have given us your consent (Art. 6 para. 1 lit. a GDPR), we will store your application documents in our applicant pool for a period of one year to be able to contact you in the event of suitable vacancies. You can withdraw your consent to this at any time with effect for the future.

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) in the context of contractual and comparable legal relationships and associated measures and within the framework of communication with the contractual partners (or pre-contractual), e.g. to answer enquiries.

We process this data in order to fulfil our contractual obligations. This includes in particular the obligations to provide the agreed services, any updating obligations and remedies in the event of warranty and other service problems. We also process the data to safeguard our rights and for the purpose of the administrative tasks associated with these obligations and the company organisation. Furthermore, we process the data on the basis of our legitimate interests in proper and efficient business management and in security measures to protect our contractual partners and our business operations from misuse, jeopardising their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisers, payment service providers or tax authorities).

Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfil legal obligations. The contractual partners are informed about other forms of processing, e.g. for marketing purposes, as part of this data protection information.

We inform the contractual partners about which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special labelling (e.g. colours) or symbols (e.g. asterisks or similar) or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after three (3) years, unless the data is stored in a customer account, e.g. for as long as it must be retained for legal archiving reasons.

The statutory retention period is ten (10) years for documents relevant under tax legislation as well as for trading books, inventories, opening balance sheets, annual financial statements, the work instructions required to understand these documents and other organisational documents and accounting records, and six years for commercial and business letters received and copies of commercial and business letters sent. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements or the management report was prepared, the commercial or business letter was received or sent or the accounting document was created, the record was made or the other documents were created.

With the following data protection information we would like to inform you about the purposes for which we process your personal data (hereinafter referred to as “data”) and to which extent.

Processing of your personal data
As part of occupational health and safety, visitors and guests must also be instructed on occupational safety, accident prevention and emergency procedures. To this purpose they are shown our visitor video, which you have already seen.
In order to be able to provide the required evidence, we record your first name, surname, email address and, for confirmation, your signature in addition to the company name. The data is only used to prove that you have seen the safety video showing our measures. We collect the email address so that we can subsequently send you confirmation that you watched our visitor film and the viewing validity. The data is used exclusively for documentation purposes and is only stored for one year for this purpose. If you visit us after this verification and storage period has expired, new instruction and confirmation is required.

Deletion of your data
We store your personal data collected during registration for one year and then delete it.
For hospitality purposes your first and surname and the name of your company will be noted on the hospitality receipt. The legal basis for this is Section 4 (5) No. 2 EStG (Income tax law). For commercial and tax law reasons we must retain this information (the standard storage period is 10 years).

Rights of data subjects
You have the following rights with regard to the personal data concerning you which you can assert against us:
– Right of access (Art. 15 GDPR),
– Right to rectification (Art. 16 GDPR) or erasure (Art. 17 GDPR)
– Right to restriction of processing (Art. 18 GDPR)
– Right to object to processing (Art. 21 GDPR)
– Right to withdraw your consent (Art. 7 para. 3 GDPR)
– Right to receive the data in a structured, commonly used and machine-readable format (“data portability”) and the right to transmit the data to another controller if the requirements of Art. 20 para. 1 lit. a, b GDPR are met (Art. 20 GDPR).
You can assert your rights by notifying us using the contact details provided in the “Controller” section or by contacting our designated data protection officer. You also have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data (Art. 77 GDPR).

Amendment and updating of the data protection information
We will occasionally amend and improve this privacy policy and data protection information, in particular if this is necessary due to changes in applicable law or our internal processes.

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to provide information about us.
We would like to point out that within this framework user data may be processed outside the European Union. This can result in risks for users because, for example, it could make it more difficult to enforce users’ rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behaviour and the resulting interests of users. The user profiles can in turn be used, for example, to place adverts inside and outside the networks that presumably correspond to the interests of the users.

For these purposes, cookies are usually stored on the user’s computer, in which the user’s usage behaviour and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective forms of processing and the opt-out options, please refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively against the providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly.

• Processed data types: Contact data (e.g. email, phone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status).
• Persons concerned: Users (e.g. website visitors, users of online services).
• Purposes of data processing: Contact enquiries and communication; feedback (e.g. collecting feedback using online forms); marketing.
• Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Facebook pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Ltd. for the collection (but not further processing) of data of visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content users view or interact with, or the actions they take (see “Things you and others do and provide” in the Facebook Privacy Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in the Facebook Privacy Policy: https://www.facebook.com/policy). As explained in the Facebook Privacy Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, known as “Page Insights”, for page operators to help them understand how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook (“Information on Page Insights”, https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). The rights of users (in particular to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, D04 X2K5, Ireland;
  Legal basis: Legitimate interests (Art. 6 para. 1 1 lit. f GDPR);
  Website: https://www.facebook.com;
  Privacy policy: https://www.facebook.com/about/privacy;
  Basis for third country transfer: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum);
  Further information: Agreement on joint responsibility: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Ltd., a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular concerns the transfer of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
• LinkedIn: Social network;
  Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland;
  Legal basis: Legitimate interests (Art. 6 para 1 lit. f GDPR)
  Website: https://www.linkedin.com;
  Privacy policy: https://www.linkedin.com/legal/privacy-policy;
  Data processing agreement: https://legal.linkedin.com/dpa;
  Basis third country transfer: Standard contractual clauses (https://legal.linkedin.com/dpa);
  Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
• X: Social network;
  Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland;
  Legal basis: Legitimate interests (Art. 6 para 1 lit. f GDPR)
  Privacy policy: https://twitter.com/privacy, (Settings: https://twitter.com/personalization).
• YouTube: Social network and video platform;
  Service provider: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland;
  Legal basis: Legitimate interests (Art. 6 para 1 lit. f GDPR);
  Privacy policy: https://policies.google.com/privacy;
  Basis for third country transfer: EU-US Data Privacy Framework (DPF);
  Opt-out option: https://adssettings.google.com/authenticated.

Cookies are small text files or other storage notes that store information on end devices and read information from the end devices, for example to store the login status of our customer account, the contents of a shopping basket in an e-shop, the content accessed or the functions of an online service used. Cookies can also be used for various purposes, e.g. to ensure the functionality, security and convenience of online content and to create analyses of visitor flows.

Notes on consent: We use cookies in accordance with the statutory provisions. We therefore obtain prior consent from users, unless this is not required by law. In particular, consent is not required if the storage and reading of information, including cookies, is absolutely necessary in order to provide the user with a telemedia service expressly requested by them (i.e. our online content). Essential cookies generally include cookies with functions that serve to display and enable operability of the online content, load balancing, security, storage of user preferences and selection options or similar purposes related to the provision of the main and secondary functions of the online content requested by the users. The revocable consent is clearly communicated to the users and contains the information on the respective use of cookies.

Information on the legal basis for data protection: The legal basis under data protection law on which we process users’ personal data with the help of cookies depends on whether we ask users for their consent. If users give their consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in the business-related operation of our online content and improvement of its usability) or, if this is carried out within the context of the fulfilment of our contractual obligations, if the use of cookies is necessary to fulfil our contractual obligations. We explain the purposes for which we process cookies in the course of this privacy policy or as part of our consent and processing procedures.

Storage duration: With regard to the storage period, a distinction is made between the following types of cookies:

• Temporary cookies (also referred to as session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content displayed directly when the user visits a website again. The user data collected with the help of cookies can also be used to measure reach. Unless we provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that they can be stored for up to two years.

General information on cancellation and objection (so-called “opt-out”): Users can withdraw the consent they have given at any time and object to processing in accordance with the legal requirements. To this purpose users can also restrict the use of cookies in their browser settings (although this may also restrict the functionality of our online services). You can also object to the use of cookies for online marketing purposes via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Cookie settings / opt-out option:
Consent manager description

• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures and services:

• Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which the user’s consent to the use of cookies or the processing and providers named in the cookie consent management procedure can be obtained, managed and revoked by the user. The declaration of consent is stored so that it does not have to be requested again and the consent can be proven in accordance with the legal obligations. The consent can be stored on the server side and/or in a cookie (so-called opt-in cookie, or with the help of comparable technologies) to be able to assign the consent to a user or their device. Subject to individual information on the providers of cookie management services, the following information applies: Consent may be stored for up to two years. A pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used; Legal basis: Consent (Art. 6 para. 1 lit. f GDPR);

This website uses the web analysis service Plausible Analytics for visitor statistics.

• Provider: OÜ Plausible Insights, Västriku tn 2, Tartu 50403, Estonia; (EU) (https://plausible.io/imprint)
• Privacy policy: plausible.io/privacy and plausible.io/data-policy.
• Purposes of data processing: Web analytics. This is based on anonymised data and does not use cookies. It is not possible to draw conclusions about your person.
• Processed data:
  When you visit the website, the following data is stored by Plausible Analytics:
  – URL of the page or file accessed,
  – URL of the page from which you came to our site (referrer),
  – URL of an outbound link that you clicked on our site,
  – Browser type and version, operating system of your device and the device type,
  – Information about your location (country, region and town) is determined approximately from your IP address; the IP address itself is not stored.
• Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR) in a statistical analysis of the use of the website.

We incorporate functional and content elements into our online content that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). This may include, for example, graphics, videos or city maps (hereinafter uniformly referred to as “content”).
The integration always requires that the third-party providers of this content process the IP address of the user, as they would not be able to send the content to their browser without the IP address. The IP address is therefore required to display this content or function. We endeavour to only use content from providers who only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymised information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, visiting time and other details about the use of our online content, as well as being linked to such information from other sources.

• Processed data types: Usage data (e.g. websites visited, interest in content, access times); meta, communication and process data (e.g. IP addresses, time data, identification numbers, consent status); inventory data (e.g. names, addresses); contact data (e.g. email, phone numbers); content data (e.g. entries in online forms); location data (information on the geographical location of a device or person).
• Persons concerned: Users (e.g. website visitors)
• Purposes of data processing: Provision of our online services and user-friendliness.
• Legal basis: Legitimate interests (Art. 6 para. 1 lit. f GDPR).

Further information on processing operations, procedures and services:

• Google Maps: We integrate the maps of the “Google Maps” service of the provider Google. The processed data may include, in particular, IP addresses and location data of users;
  Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland;
  Legal basis: Legitimate interests (Art. 6 para 1 lit. f GDPR)
  Website: https://mapsplatform.google.com/;
  Privacy policy: https://policies.google.com/privacy;
  Basis for third country transfer: EU-US Data Privacy Framework (DPF).
• YouTube videos: Video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
  Legal basis: Legitimate interests (Art. 6 para 1 lit. f GDPR);
  Website: https://www.youtube.com;
  Privacy policy: https://policies.google.com/privacy;
  Basis for third country transfer: EU-US Data Privacy Framework (DPF);
  Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=desettings , for the display of advertising: https://adssettings.google.com/authenticated.

The data processed by us is deleted in accordance with the legal requirements as soon as the consent given for processing is revoked or other authorisations cease to apply (e.g. if the purpose of processing this data no longer applies or it is not required for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, processing will be limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be stored for reasons of commercial or tax law (standard storage period 10 years) or the storage of which is necessary for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. Our data protection information may also contain further information on the retention and deletion of data, which apply primarily to the respective processing operations.

As a data subject you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

• Right of objection: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on sections (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing purposes; this includes profiling to the extent that it is related to such direct marketing.
• Right of objection: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you: You have the right to withdraw your consent at any time.
• Right to information: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data as well as further information and a copy of the data in accordance with the legal requirements.
• Right to rectification: In accordance with the legal requirements, you have the right to request the completion of data concerning you or the correction of any incorrect personal data.
• Right to deletion and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you is deleted immediately or, alternatively, to demand that processing of such data is restricted in accordance with the legal requirements.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with the legal requirements or to request its transmission to another controller.
• Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that processing of personal data relating to you infringes the provisions of the GDPR.
  Supervisory authority responsible for us: Bavarian State Office for Data Protection Supervision (BayLDA), P.O. Box 1349, 91504 Ansbach, Germany

Please inform yourself regularly about the content of our privacy policy. We amend the information it contains as soon as changes to our data processing procedures make this necessary. We will inform you as soon as the changes require an act of co-operation on your part (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organisations in this privacy policy, please note that the addresses may change over time and please check the information before making contact.

Valid as of: 2 October 2024