Data privacy

PRIVACY NOTICE

A. General

Scope

This privacy notice applies to the processing of personal data by RM Components GmbH in connection with the following websites:

•       rm-components.de (corporate website including the multilingual sub-pages /en and /it)

•       shop.rm-components.de (B2B web shop)

To the extent deviating rules apply within individual functions, we expressly indicate this at the relevant place. The B2B web shop is exclusively directed at entrepreneurs within the meaning of sec. 14 of the German Civil Code (Bürgerliches Gesetzbuch – BGB).

Information on the Collection of Personal Data

(1) Below we provide information on the collection of personal data when using our websites. Personal data is any data that can be related to you personally, e.g. name, address, email address, user behaviour. By doing so, we wish to inform you about our processing operations and at the same time comply with our statutory obligations, in particular under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

(2) The controller within the meaning of Article 4 (7) GDPR is RM Components GmbH, O’Brien-Straße 5, 91126 Schwabach, Germany, email: info@rm-components.de. Our Data Protection Officer can be reached at dsb@advizzr.netor at our postal address with the addition “the Data Protection Officer” (der Datenschutzbeauftragte).

(3) When you contact us by email or via a contact form, the data you provide (your email address and, where applicable, your name and telephone number) are stored by us in order to respond to your enquiries. We delete the data accruing in this context, where the enquiry is attributable to a contract, in accordance with the storage periods relating to the contract term. Otherwise, we delete it once storage is no longer necessary, or we restrict the processing if statutory retention obligations apply.

(4) Where we draw on commissioned service providers for individual functions of our service, or wish to use your data for advertising purposes, we will always carefully select and supervise such service providers, and we provide detailed information below on the respective operations. In this context, we also state the defined criteria for the storage period.

Your Rights

(1) You have the following rights vis-à-vis us with regard to the personal data concerning you:

•       Right of access (Article 15 GDPR)

•       Right to rectification or erasure (Articles 16, 17 GDPR)

•       Right to restriction of processing (Article 18 GDPR)

•       Right to object to processing (Article 21 GDPR)

•       Right to data portability (Article 20 GDPR)

(2) You also have the right to lodge a complaint with a data protection supervisory authority concerning the processing of your personal data by us (Article 77 GDPR).

B. Collection of Personal Data when Visiting Our Websites

Server Logs

(1) When using the websites for merely informational purposes – that is, where you do not otherwise transmit information to us – we only collect the personal data that your browser transmits to our server. If you wish to view our websites, we collect the following data, which is technically required for us to display our websites to you and to ensure stability and security (legal basis is Article 6 (1) lit. f GDPR):

•       IP address

•       Date and time of the request

•       Time zone difference from Greenwich Mean Time (GMT)

•       Content of the request (specific page)

•       Access status / HTTP status code

•       Volume of data transferred in each case

•       Website from which the request originates

•       Browser

•       Operating system and its interface

•       Language and version of the browser software

Cookies and Local Storage

(1) When you access our websites, cookies as well as data in your browser’s local or session storage may be stored – either already today or in the future. Cookies are small text files stored on your end device and assigned to the browser you use. Local and session storage are functionally comparable storage techniques within the browser cache. These techniques may serve to recognise the browser, to store user settings and to provide and ensure the requested function.

(2) The legal basis for the storage of information and the access to information already stored on the end device is sec. 25 (1) of the German Telecommunications and Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TDDDG) in conjunction with Article 6 (1) lit. a GDPR (consent), unless, pursuant to sec. 25 (2) no. 2 TDDDG, the storage or access is strictly necessary in order to provide a telemedia service expressly requested by the user (technically necessary cookies). For the further processing of the personal data thus collected, Article 6 (1) lit. f GDPR (legitimate interest) applies, or, where consent is required, Article 6 (1) lit. a GDPR.

(3) You can configure your browser settings according to your wishes and, for example, refuse to accept third-party cookies or all cookies. We point out that in this case you may not be able to use all functions of this website. Any consent given may be withdrawn at any time with effect for the future.

(4) Types of cookies:

•       Transient cookies: automatically deleted when you close the browser. These include in particular session cookies. They store a so-called session ID, which allows different requests from your browser to be assigned to the joint session.

•       Persistent cookies: automatically deleted after a predefined period, which may differ depending on the cookie. You may delete cookies at any time in the security settings of your browser.

Consent Management with Usercentrics

(1) For the collection, management and documentation of your consents to the use of cookies and comparable storage techniques, we use the consent management platform of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany (hereinafter: “Usercentrics”), on our websites. Through the consent banner provided by Usercentrics, you can give, refuse, adjust or withdraw your choice per category (technically necessary, function, marketing, analytics).

(2) Within the operation of the banner, Usercentrics processes the server log files collected upon access (in particular IP address, date and time, browser information) as well as the consent decisions taken by you through the banner, the associated timestamps and a pseudonymous consent ID. For this purpose, Usercentrics sets a separate cookie or local storage entry that stores your choice on the end device.

(3) The storage of this information in, or the access to, your end device is permissible pursuant to sec. 25 (2) no. 2 TDDDG, as it is strictly necessary in order to provide you with the telemedia service “cookie consent management” expressly requested by you and to document the consents given in a verifiable manner. The legal basis for the subsequent processing of the personal data is Article 6 (1) lit. c GDPR in conjunction with Article 7 (1) GDPR (duty to demonstrate consent given) as well as Article 6 (1) lit. f GDPR (legitimate interest in fulfilling the accountability obligation under Article 5 (2) GDPR and in legally compliant, user-friendly consent management).

(4) We have concluded a data processing agreement (DPA) with Usercentrics pursuant to Article 28 GDPR. Data processing generally takes place within the European Union; in individual cases, a transfer to third countries (in particular the USA) may occur. The legal basis is the EU-US adequacy decision of 10 July 2023 (Data Privacy Framework, Article 45 GDPR) and, additionally, the EU Standard Contractual Clauses pursuant to Article 46 (2) lit. c GDPR.

(5) You can withdraw or adjust your consent at any time with effect for the future by re-opening the consent banner via the dedicated trigger provided on our websites. Further information on data processing by Usercentrics is available at https://usercentrics.com/privacy-policy/.

C. Specific Functions of Our Websites

Newsletter

(1) With your consent, you can subscribe to our newsletter, with which we inform you of our current offers. The goods and services advertised are identified in the consent declaration.

(2) For the registration to our newsletter, we use the so-called double opt-in procedure. This means that, after your registration, we send you an email to the email address provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information is blocked and automatically deleted after one month. In addition, we store your IP addresses used and the times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, where appropriate, to clarify any potential misuse of your personal data.

(3) The only mandatory information for sending the newsletter is your email address. Providing further, separately marked data is voluntary and is used in order to be able to address you personally. If you voluntarily provide a WhatsApp number, you also consent to the dispatch of advertising, product recommendations and marketing campaigns via WhatsApp. Following your confirmation, we store your email address and, where applicable, your WhatsApp number for the purpose of sending the newsletter. The legal basis is Article 6 (1) lit. a GDPR.

(4) You may withdraw your consent to receive the newsletter at any time and unsubscribe from the newsletter. The withdrawal may be declared by clicking the link provided in every newsletter email, by a WhatsApp reply containing the keyword “STOP” (if you receive the newsletter via WhatsApp), by email to info@rm-components.de or by a message to the contact details set out in the legal notice.

Newsletter Dispatch via Brevo

(5) For sending our newsletter – by email and, where requested by you, additionally by WhatsApp – we use the service “Brevo” of Sendinblue SAS, 17 rue Salneuve, 75017 Paris, France (hereinafter: “Brevo”). Brevo processes on our behalf, in particular, the data collected upon registration (email address, where applicable first and last name and/or WhatsApp number, IP address and time of registration as well as of confirmation) and the dispatch and interaction data (delivery, open and click rates for performance measurement). For dispatch via WhatsApp, Brevo uses the WhatsApp Business API of WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms, Inc., USA).

(6) We have concluded a data processing agreement with Brevo pursuant to Article 28 GDPR. Brevo processes the data within the European Union. For dispatch via WhatsApp, a transfer to third countries (in particular the USA) may occur; the legal basis for this is the EU-US adequacy decision of 10 July 2023 (Data Privacy Framework, Article 45 GDPR; Meta Platforms, Inc. is certified under the Framework) and, additionally, the EU Standard Contractual Clauses pursuant to Article 46 (2) lit. c GDPR. The legal basis for the use of the service provider is Article 6 (1) lit. f GDPR (legitimate interest in reliable and secure newsletter delivery); the legal basis for the newsletter dispatch itself and for the statistical performance measurement is your consent pursuant to Article 6 (1) lit. a GDPR. Further information on data processing by Brevo is available at https://www.brevo.com/legal/privacypolicy/.

Contact Form

On our websites, we offer the possibility to contact us via a contact form or by email. Within the contact form, the data provided by you (your email address and, where applicable, your name and telephone number, as well as the content of your enquiry) is processed in order to handle your request. The legal basis is Article 6 (1) lit. b GDPR for contract-related enquiries, and, otherwise, Article 6 (1) lit. f GDPR (legitimate interest in responding). The data is deleted as soon as it is no longer required for the achievement of the purpose for which it was collected, or the processing is restricted if statutory retention obligations apply.

Order Processing in the Web Shop (shop.rm-components.de)

(1) Within our B2B web shop, we process the personal data required for the initiation, performance and execution of the purchase contracts (company name, address, contact person, email address, telephone number, VAT ID, order and contract data, payment data). The legal basis is Article 6 (1) lit. b GDPR (performance of contract and pre-contractual measures) as well as Article 6 (1) lit. c GDPR (compliance with legal obligations, in particular commercial and tax retention obligations under sec. 257 of the German Commercial Code (HGB) and sec. 147 of the German Fiscal Code (AO)). The web shop is exclusively directed at entrepreneurs within the meaning of sec. 14 BGB; no processing of consumer data takes place within the web shop.

(2) Where you create a customer account, we process the data required for this purpose (login data, master data, order history) in order to manage the account and to facilitate future orders. The legal basis is Article 6 (1) lit. b GDPR. You can have your customer account deleted at any time; statutory retention obligations remain unaffected.

(3) For the processing of the payment and shipping process, we transfer your data to the respective service providers commissioned with the performance of the contract.

Payment Processing via Novalnet

For the processing of the payment methods offered in the web shop (in particular SEPA direct debit, bank transfer, credit card payment and purchase on invoice), we use the payment service provider Novalnet AG, Gutenbergstraße 2, 85737 Ismaning, Germany. Novalnet AG is a payment institution authorised by the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) under the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG). For the processing of the selected payment transaction, we transfer to Novalnet AG, in particular, the master and contact data collected upon order, the order and invoice data as well as the payment data required for the payment method (e.g. IBAN, card or account data). Novalnet AG processes the transferred data under its own data protection responsibility for payment processing, risk and fraud prevention and the fulfilment of its supervisory and anti-money-laundering obligations. The legal bases for the transfer are Article 6 (1) lit. b GDPR (performance of contract) and Article 6 (1) lit. c GDPR (legal obligation); for any risk and credit assessment, additionally Article 6 (1) lit. f GDPR (legitimate interest in avoiding payment defaults). Further information on data processing by Novalnet is available at https://www.novalnet.de/datenschutzerklarung.

Shipping via GLS and DHL

For the delivery of the ordered goods, we transfer the address and contact data required for shipment (recipient company, contact person, delivery address, email address and/or telephone number for delivery notifications) to the following shipping service providers:

•       General Logistics Systems Germany GmbH & Co. OHG (GLS), GLS Germany-Straße 1–7, 36286 Neuenstein, Germany – data protection notice: https://gls-group.com/DE/de/datenschutz/.

•       DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany – data protection notice: https://www.dhl.de/de/privatkunden/footer/datenschutz.html.

Which shipping service provider is used in each individual case depends on shipment size, destination and logistical availability. The legal basis for the transfer is Article 6 (1) lit. b GDPR (performance of contract). Where an email address or telephone number is transferred for shipment notification, the legal basis is additionally your consent pursuant to Article 6 (1) lit. a GDPR.

(4) In order to avoid payment defaults, we conduct credit assessments for orders in the web shop via the credit reference agencies set out in Section D. The legal basis is Article 6 (1) lit. b GDPR (for the performance of pre-contractual measures) and Article 6 (1) lit. f GDPR (legitimate interest in avoiding payment defaults).

D. External Services and Third-Party Providers

Hosting and Content Delivery Network (Web Shop)

(1) The web shop shop.rm-components.de is delivered via the content delivery network Amazon CloudFront of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg (hereinafter: AWS). Within the delivery, AWS processes connection and usage data (in particular IP address, date/time of the request, request content, user agent). The use of the service serves the secure and performant provision of content; the legal basis is Article 6 (1) lit. f GDPR. We have concluded a data processing agreement with AWS pursuant to Article 28 GDPR.

(2) In individual cases, a transfer to third countries (in particular the USA) may occur. The legal basis is the EU-US adequacy decision of 10 July 2023 (Data Privacy Framework, Article 45 GDPR) and, additionally, the EU Standard Contractual Clauses (Article 46 (2) lit. c GDPR). Amazon is certified under the EU-US Data Privacy Framework.

Web Shop Platform

(1) The web shop accessible at shop.rm-components.de is developed and technically maintained on our behalf by GraphApi.io GmbH, Friedrichstr. 114a, 10117 Berlin, Germany (registered in the commercial register of the Local Court of Charlottenburg under HRB 207097 B, VAT ID DE 324792772). Within the provision, maintenance and further development of the web shop platform, GraphApi.io GmbH acts as a processor pursuant to Article 28 GDPR in respect of the processing of personal data of our customers and prospects. A corresponding data processing agreement is in place with GraphApi.io GmbH.

(2) The legal basis is Article 6 (1) lit. b GDPR (performance of contract and pre-contractual measures) as well as Article 6 (1) lit. f GDPR (legitimate interest in the provision and secure availability of the web shop platform).

Cloud Office Platform: Microsoft 365

(1) We use Microsoft 365 for email hosting and communication, file storage and sharing, joint document editing, calendars, video conferencing and collaboration. The provider (EU) is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland. The data processed includes, among other things, communication and master data (e.g. email content, sender/recipient, timestamps), calendar/meeting data (including, where applicable, meeting metadata), file/document content and the associated log and usage data.

(2) The purposes are contract performance and initiation, internal and external communication, collaboration, scheduling and project organisation, documentation, IT operation and security. The legal bases are Article 6 (1) lit. b GDPR (contract / initiation) and Article 6 (1) lit. f GDPR (legitimate interest in efficient, secure collaboration); where required, additionally Article 6 (1) lit. a GDPR (consent).

(3) Microsoft acts as a processor (Article 28 GDPR) and may engage sub-processors. Data is, as a rule, processed in EU data centres; in individual cases, transfers to third countries (in particular the USA) may occur. The legal bases are, among other things, the EU-US adequacy decision (Data Privacy Framework, Article 45 GDPR) and, additionally, the EU Standard Contractual Clauses (Article 46 GDPR).

(4) We implement measures pursuant to Article 32 GDPR (including role and authorisation concepts, multi-factor authentication, audit logs, encryption). On the administrative side, we configure, among other things, sharing policies (SharePoint/OneDrive), external sharing settings, policies for third-party app access and Teams apps, retention and archiving settings, and DLP where available. AI and Copilot functions are – where activated – configured in a data-protection-compliant manner or deactivated.

(5) Storage period: this is governed by statutory and contractual requirements (e.g. commercial and tax retention obligations). Where retention or archiving functions are activated, the rules stored therein apply; otherwise, we delete or anonymise personal data once the purpose has ceased to apply.

Conferencing Tool: Microsoft Teams

(1) We use Microsoft Teams for video conferences, online meetings, webinars and screen sharing. The service provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

(2) When using the service, name, email address, profile picture, IP address, device/hardware information and the communication content (video, audio and text data) are processed. Processing in the USA and other third countries cannot be excluded. We have concluded the Standard Contractual Clauses made available by Microsoft to its customers. Microsoft is also certified under the EU-US Data Privacy Framework.

(3) The legal basis for the use is Article 6 (1) lit. f GDPR; our legitimate interest consists in efficient and secure communication. Where consent is required, the legal basis is Article 6 (1) lit. a GDPR. Consents given may be withdrawn at any time with effect for the future.

Web Analytics

Google Analytics 4

(1) We use the web analytics service Google Analytics 4 (GA4) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: “Google”). The parent company is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

(2) Google Analytics 4 uses cookies and comparable technologies as well as unique identifiers that enable an analysis of the use of our websites. The data processed includes, in particular: shortened IP address (“Anonymize IP” is activated by default in GA4), date and time of access, pages accessed and click paths, time on site, device and browser information, approximate location based on the IP address (not at city or address level), pseudonymous user identifiers and event-based interaction data.

(3) The purpose of the processing is the statistical evaluation of user behaviour for reach measurement and optimisation of our online service.

(4) The legal basis for the storage of information and the access to information already stored on your end device is sec. 25 (1) TDDDG in conjunction with Article 6 (1) lit. a GDPR (consent). The integration of Google Analytics 4 takes place only after your consent has been given via the consent management platform of Usercentrics GmbH used on our websites (see Section B). You can withdraw your consent at any time with effect for the future by re-opening the consent banner via the dedicated trigger provided on our websites.

(5) We have concluded a data processing agreement with Google pursuant to Article 28 GDPR (Google Ads Data Processing Terms / Google Measurement Controller-Controller Data Protection Terms, in their respective current versions). A transfer to third countries (in particular the USA) cannot be excluded. The legal basis is the EU-US adequacy decision of 10 July 2023 (Data Privacy Framework, Article 45 GDPR; Google LLC is certified under the Framework) and, additionally, the EU Standard Contractual Clauses pursuant to Article 46 (2) lit. c GDPR.

(6) The storage period of event-based user data in Google Analytics is set to 2 months; aggregated, non-personal report data is retained beyond that.

(7) For further information on data processing by Google, please refer to the provider’s privacy policy at https://policies.google.com/privacy. Specific information on Google Analytics is available at https://support.google.com/analytics/answer/6004245.

Credit Assessments

(1) A credit assessment is an evaluation of the creditworthiness of a person or company, which is obtained in order to assess the risk of payment default. It contains information on payment behaviour and the financial situation of the data subject, such as existing loans, payment defaults and any judicial dunning proceedings.

(2) The legal basis for the obtaining and processing of credit assessments is Article 6 (1) lit. b GDPR, where the processing is necessary for the performance of a contract or for the implementation of pre-contractual measures. In addition, Article 6 (1) lit. f GDPR serves as a basis where the processing is necessary for safeguarding the legitimate interests of the controller or a third party. The legitimate interest consists in avoiding payment defaults by business partners.

(3) Credit data is stored by us only for as long as it is necessary for the purpose for which it was collected. The purpose ceases to apply, as a rule, where all claims arising from existing contractual relationships have been satisfied and no further contractual relationships follow within three years from conclusion of the contract. We use the following providers for the carrying out of credit assessments:

SCHUFA Holding AG

Our company regularly carries out, upon the conclusion of contracts and in certain cases involving a legitimate interest, also for existing customers, an assessment of your creditworthiness. For this purpose, we cooperate with SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany, from which we obtain the data required for this purpose. To this end, we transfer your name and contact details to SCHUFA Holding AG. The legal basis is Article 6 (1) lit. b and lit. f GDPR. The information pursuant to Article 14 GDPR on the data processing taking place at SCHUFA Holding AG is available at https://www.schufa.de/datenschutz.

Creditreform Boniversum GmbH

We also cooperate with Creditreform Boniversum GmbH, Hammfelddamm 13, 41460 Neuss, Germany, from which we obtain the data required for this purpose. To this end, we transfer your name and contact details to Creditreform Boniversum GmbH. The legal basis is Article 6 (1) lit. b and lit. f GDPR. The information pursuant to Article 14 GDPR on the data processing taking place at Creditreform Boniversum GmbH is available at https://www.boniversum.de/eu-dsgvo/informationen-nach-eu-dsgvo-fuer-verbraucher/.

CRIF GmbH

In addition, we cooperate with CRIF GmbH, Leopoldstraße 244, 80807 Munich, Germany, from which we obtain the data required for this purpose. To this end, we transfer your name and contact details to CRIF GmbH. The legal basis is Article 6 (1) lit. b and lit. f GDPR. The information pursuant to Article 14 GDPR on the data processing taking place at CRIF GmbH is available at https://crif.de/datenschutz/.

Social Media (Links)

(1) On our websites, we link to the following social media platforms, without integrating active plug-ins that would transfer data to the providers already upon access to our pages:

•       Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) – data protection notice: https://www.facebook.com/policy.php

•       Instagram (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland) – data protection notice: https://help.instagram.com/155833707900388

•       LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; parent company: LinkedIn Corporation, USA) – data protection notice: https://www.linkedin.com/legal/privacy-policy

•       YouTube channel of RM Components (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – data protection notice: https://policies.google.com/privacy

(2) Only by clicking the respective link, data (in particular IP address, date/time, page accessed, referrer information) is transferred to the platform provider. No further data collection on our websites by these providers takes place. The legal basis for the linking is Article 6 (1) lit. f GDPR.

(3) Meta Platforms, Inc. and LinkedIn Corporation have submitted to the EU-US Data Privacy Framework (https://www.dataprivacyframework.gov/list). In addition, Meta Platforms Ireland Limited and LinkedIn Ireland Unlimited Company have concluded Standard Contractual Clauses pursuant to Article 46 (2) lit. c GDPR with their US group affiliates.

Review Portal

kununu

We link to our profile on kununu. The provider is New Work SE, Am Strandkai 1, 20457 Hamburg, Germany. Data is transferred to the provider only by clicking the respective link. Further information on data processing by the provider is available at https://privacy.new-work.se/datenschutzerklaerung as well as at https://www.kununu.com/de/info/impressum. The legal basis for the linking is Article 6 (1) lit. f GDPR.

E. Data Processing Outside the Website

Apart from that, personal data is collected from the data subject itself. The further collection, storage, processing and use of this and other personal data is necessary for the fulfilment of statutory tasks and legal obligations and for safeguarding our legitimate interests, in particular with regard to a long-term customer relationship and direct marketing. The legal bases for the aforementioned data processing operations are Article 6 (1) lit. b and lit. f GDPR; the legal basis for processing based on consent is Article 6 (1) lit. a GDPR. There is no obligation to grant any consent that may be required; consents given may be withdrawn at any time – individually or in total – for the future. Any such withdrawal is to be addressed to RM Components GmbH, O’Brien-Straße 5, 91126 Schwabach, Germany, email: info@rm-components.de.

Recipients of personal data may include: tax advisors, accounting offices, databases within the scope of our CRM system, operators of our website and email servers and administrators, IT service providers (including, where applicable, remote maintenance), payment service providers and financial service providers (banks). Beyond that, your data is transferred only on the basis of statutory obligations to public authorities, or otherwise only where express consent has been given or where the safeguarding of legitimate interests within the meaning of Article 6 (1) lit. f GDPR so requires.

Privacy Notice for Applicants

(1) We process personal data of applicants exclusively for the purpose of conducting the application procedure. The collection, storage and use of personal application data is necessary for the implementation of pre-contractual measures and for safeguarding our legitimate interests (in particular for the efficient handling of application procedures). The legal basis is Article 6 (1) lit. b and lit. f GDPR. Where applicants have given their consent, Article 6 (1) lit. a GDPR also serves as a legal basis; consents may be withdrawn at any time with effect for the future.

(2) The data of applicants is, as a rule, deleted once the purpose of its processing ceases to apply – at the latest, however, six months after completion of the application procedure. Storage for a longer period only takes place where statutory retention obligations apply or where consent for inclusion in an applicant pool has been given.

Video Surveillance of Our Company Premises

The surveillance of our company premises and warehouse facilities is necessary for the exercise of our right of domicile, for the protection of the life, health or freedom of persons present there (cf. sec. 4 BDSG) and for protection against burglary and theft. The legal basis is Article 6 (1) lit. f GDPR.

F. Objection or Withdrawal of Processing

(1) If you have given consent to the processing of your data, you may withdraw it at any time. Such withdrawal affects the lawfulness of the processing of your personal data after you have declared it to us.

(2) Where we base the processing of your personal data on a balancing of interests, you may object to the processing. When exercising such an objection, we ask you to state the reasons why we should not process your personal data as carried out by us. In the event of your justified objection, we will review the matter and either cease or adjust the data processing or set out our compelling legitimate grounds on the basis of which we will continue the processing.

(3) You may, of course, object to the processing of your personal data for advertising and data analysis purposes at any time. You may inform us of your advertising objection at the following contact details: RM Components GmbH, O’Brien-Straße 5, 91126 Schwabach, Germany, email: info@rm-components.de.

G. Storage Period of Personal Data

We store personal data in accordance with the statutory retention periods (in particular sec. 257 HGB, sec. 147 AO). After the expiry of these periods, the data is deleted, unless it is still required for the performance of a contract or there is a legitimate interest in its further storage. Storage of your data takes place, as a rule, only on servers within the European Economic Area, subject to the expressly mentioned transfers to third countries.

H. Amendments to This Privacy Notice

We reserve the right to amend this privacy notice to ensure that it always complies with current legal requirements, or to implement changes to our services in the privacy notice, for example upon the introduction of new services. The respective new privacy notice will apply to your next visit.

Governing Language

This privacy notice has been issued in German and English. In the event of any discrepancy, inconsistency or conflict between the two language versions, the German version shall prevail.