This data privacy statement informs you about the type, scope and purpose of processing personal data (hereinafter referred to as "data" for short) within our online offering and the websites associated with it, about functions and contents and also about external online presences, such as our social media profile (hereinafter referred to collectively as "online offering"). In respect of the terms used, such as "processing" or "controller", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).


STEINEL Vertrieb GmbH
Dieselstraße 80-84
33442 Herzebrock-Clarholz
Managing Director: Dipl.-Kfm. Ingo Steinel, Dipl.-Oec. Martin Frechen
Link to publication details:
Contact details for Data Protection Officer:

Types of data processed:
- User-related data (e.g. names, addresses).
- Contact data (e.g. e-mail, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. websites visited, interest in contents, access times).
- Meta/communication data (e.g. device information, IP addresses).

Data-Subject Categories
Visitors and users of the online offering (we refer to data subjects collectively below as "users").

Purpose of Processing

- Reach measurement/marketing
- Replying to contact enquiries and communication with users
- Security measures
- Provision of the online offering, its functions and contents

Terms Used

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is far-reaching and covers virtually any handling of data.

"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Applicable Legal Bases

Pursuant to Art. 13 of the GDPR we inform you of the legal bases on which we process data. Unless the legal basis is specified in the data privacy statement, the following shall apply: the legal basis for obtaining consents is Art. 6 (1) and Art. 7 of the GDPR, the legal basis for the processing for providing our services and carrying out contractual measures as well as replying to enquiries is Art. 6 (1) b of the GDPR, the legal basis for the processing for meeting our legal obligations is Art. 6 (1) c of the GDPR, and the legal basis for the processing for safeguarding our legitimate interests is Art. 6 (1) f of the GDPR. In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) d of the GDPR provides the legal basis.

Security Measures

Pursuant to Art. 32 of the GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the varying likelihood and severity of the risk for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security commensurate to the risk.

In particular, these measures include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as that of any digital access concerning them, input, transmission, assured availability and their segregation. We have furthermore set up procedures to ensure that data subjects can exercise their rights, data can be erased and action is taken to protect data at risk. We furthermore take account of protecting personal data as early as the time of developing or selecting hardware, software and procedures in accordance with the principle of data protection by the way in which technology is configured and by privacy-enhancing default settings (Art. 25 of the GDPR).

Cooperation with Processors and Third Parties

Insofar as we disclose data to other persons and enterprises (processors or third parties), transfer these to them or grant them access to the data in any other way within the course our processing activity, such shall only be done on the basis a legal permission (e.g. if it is necessary to transfer data to third parties, such as payment service providers, under Art. 6 (1) b of the GDPR in respect of performing a contract), if you have given your consent, if a legal obligation provides for such or on the basis of our legitimate interests (e.g. when using agents, web hosters etc.). insofar as we engage a "processor" to process on the basis of a "processing contract", this shall be done on the basis of Art. 28 of the GDPR.

Transfers to Third Countries
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this happens within the scope of engaging services of third parties or within the scope of disclosing or transferring data to third parties, this shall only be take place if it is done to meet (pre-) contractual duties, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we only process or have data processed in a third country if the particular conditions laid down in Art. 44 ff. GDPR are met. This means that processing will only take place, for example, on the basis of specific particular safeguards, such as the officially acknowledged ascertainment of a level of data protection required in the EU (e.g. for the USA by the "Privacy Shield") or compliance with specific officially acknowledged contractual obligations ("standard contractual clauses").

Rights of Data Subjects

You have the right to obtain confirmation as to whether data concerning you are being processed and to obtain information about these data as well as further information and a copy of the data in accordance with Art. 15 of the GDPR.
Under Art. 16 of the GDPR, you have the right demand the completion of data concerning you or the rectification of inaccurate data concerning you.
Pursuant to Art. 17 of the GDPR, you have the right to demand that data concerning you are erased without due delay or, alternatively, pursuant to Art. 18 GDPR to demand a restriction to the processing of your data.
You have the right to demand to receive the data concerning you which you have made available to us in accordance with Art. 20 of the GDPR and demand that they be transmitted to other controllers.
In accordance with Art. 77 of the GDPR, you furthermore have the right to lodge a complaint with the responsible supervisory authority.

Right of Cancellation

You have the right to withdraw consents given in accordance with Art. 7 (3) of the GDPR with effect for the future.

Right to Object
In accordance with Art. 21 of the GDPR, you have the right at any time to object to any future processing of data concerning you. In particular, you may object to processing for purposes of direct marketing.

Cookies and Right to Object in Connection with Direct Marketing

"Cookies" are small files that are stored on users' computers. Various details can be stored within cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after a user's visit to an online offering. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are erased after a user leaves an online offering and closes his or her browser In such a cookie, for example, it is possible store the contents of a shopping cart in an online store or a login status. The term "permanent" or "persistent" refers to cookies that remain stored even after the browser has been closed. This way, for example, the login status will be saved if users visit this website after several days. The interests of users can also be stored in a cookie of this type and used for measuring reach or marketing purposes. A "third-party cookie" refers to cookies that are offered by providers other than the controller operating this online offering (otherwise, if it is only the controller's cookies, the term "first-party cookies" is used).

We can use temporary and permanent cookies and provide information on the use of such within our data privacy statement.

If users do not want cookies to be stored on their computer, we ask them to deactivate the relevant option in their browser's system settings. Stored cookies can be erased in the browser's system settings. The exclusion of cookies may result in function-related restrictions in this online offering.

General objection to the use of cookies employed for purposes of online marketing can be declared for a large number of services, particularly in the case of tracking, via the US site or the EU site Furthermore, the storage of cookies can be prevented by deactivating them in the browser's settings. Please note that it may then not be possible to use all of the functions provided by this online offering.

Erasure of Data

The data we process are erased in accordance with Art. 17 and their processing restricted in accordance with 18 of the GDPR. Unless otherwise explicitly stated within this data privacy statement, the data we store will be erased as soon as they are no longer needed for their intended purpose and their erasure does not conflict with any statutory retention obligations. If the data are not erased because they are required for other and legally permissible purposes, their processing will be restricted. This means that the data is locked and not processed for other purposes. This applies to data, for example, which must be retained for commercial reasons or for reasons in taxation law.

Under the statutory requirements in Germany, data must be retained in particular for 10 years in accordance with Sections 147 (1) of the German Fiscal Code (Abgabenordnung - AO), Section 257 (1) 1 and 4, (4) of the German Commercial Code (Handelsgesetzbuch - HGB) (ledgers, records, situation reports, accounting records, trading books, documents relevant to taxation etc.) and for 6 years in accordance with Section 257 (1) 2 and 3, (4) of the German Commercial Code (trade letters).

Under the statutory requirements in Austria, data must be retained in particular for 7 years in accordance with Section 132 (1) of the Austrian Federal Fiscal Code (Bundesabgabenordnung - BAO) (accounting documents, receipts/invoices, accounts, receipts, business paperwork, list of income and expenses etc.), for 22 years in connection with properties and for 10 years for documents in connection with services provided by electronic means, telecommunications, radio and television services provided for non-business persons in EU member states and for which use is made of the Mini-One-Stop-Shop (MOSS).