Privacy protection (version 04.2023)

We are delighted that you have chosen to visit our website. The protection and security of your personal information when using our website is very important to us. We would therefore like to take this opportunity to inform you about the personal data concerning you that we collect when you visit our website and the purposes for which it is used.

This privacy policy applies to the website of PRESTO GmbH & Co. KG, which can be accessed via the domain www.presto.eu and the various subdomains (“our website”).

Who is the controller and how can you contact us?

Controller

PRESTO GmbH & Co. KG
Gewerbepark 4
49196 Bad Laer
Germany
 
Tel.: +49 5424 2927-0
Email: kontakt@presto.de
Website: www.presto.eu

 

The data protection officer of the controller is:

SaphirIT GmbH
Managing Director: Frank W. Stroot, Lawyer, Data Protection Officer (TÜV)
Sutthauser Straße 285
49080 Osnabrück, Germany
 
Email: datenschutz@saphirit.de

  

What is this policy about?

This privacy policy meets the legal requirements for transparency with respect to the processing of personal data. Personal data is any information relating to an identified or identifiable natural person. As an example, this includes information such as your name, age, address, telephone number, date of birth, email address, IP address and user behaviour when visiting a website. If there is information for which we cannot establish a link to you personally (or we can only do so with disproportionate effort), e.g. as a result of anonymisation, it is not deemed to be personal data. Processing of personal data (e.g. collection, retrieval, use, storage or transmission) always requires a legal basis and a defined purpose.

Stored personal data is erased as soon as the purpose of the processing has been achieved and there are no legitimate grounds for the data to be retained further. We inform you about specific storage periods and criteria for storage in the individual processing operations. Irrespective of this, we store your personal data in individual cases for the assertion, exercise or defence of legal claims and in the event of statutory retention obligations.

Who receives my data?

We only share your personal data that we process on our website with third parties if this is necessary to fulfil the purposes and it is covered by a legal basis in the individual case (e.g. consent or pursuit of legitimate interests). In addition, we disclose personal data to third parties in individual cases if this serves the purpose of assertion, exercise or defence of legal claims. Possible recipients may then include, for example, law enforcement agencies, lawyers, auditors, courts, etc.

Insofar as we use service providers to operate our website and they process personal data on our behalf within the framework of commissioned data processing pursuant to Art. 28 GDPR, such providers may be recipients of your personal data.

What rights do you have?

Under the conditions of the statutory provisions of the General Data Protection Regulation (GDPR), you have the following rights as a data subject:

  • Access to the data stored about you in the form of meaningful information about the details of the processing and a copy of your data, pursuant to Art. 15 GDPR;
  • Rectification of incorrect or incomplete data stored by us, pursuant to Art. 16 GDPR;
  • Erasure of data stored by us, insofar as the processing is not necessary for the exercise of the right to freedom of expression or information, for the fulfilment of a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims, pursuant to Art. 17 GDPR;
  • Restriction of processing pursuant to Art. 18 GDPR, insofar as the accuracy of the data is disputed, the processing is unlawful, we no longer need the data and you object to erasure because you need such data for the assertion, exercise or defence of legal claims or you have objected to the processing pursuant to Art. 21 GDPR;
  • Data portability pursuant to Art. 20 GDPR, insofar as you have provided us with personal data with your consent in accordance with Art. 6(1) point (a) GDPR or on the basis of a contract in accordance with Art. 6(1) point (b) GDPR, and this has been processed by us with the aid of automated procedures. You will receive your data in a structured, common and machine-readable format or we will transfer the data directly to another controller, insofar as this is technically feasible;
  • Objection to processing of your personal data pursuant to Art. 21 GDPR, insofar as this is carried out on the basis of Art. 6(1) points (e) and (f) GDPR and there are reasons for this which arise from your particular situation or the objection is against direct marketing. The right to object does not exist if overriding legitimate grounds for the processing are demonstrated or the processing is carried out for the assertion, exercise or defence of legal claims. If the right to object does not exist for individual processing operations, this is indicated there;
  • Withdrawal of your consent with effect for the future pursuant to Art. 7(3) GDPR; and
  • Lodging of a complaint with a supervisory authority pursuant to Art. 77 of the GDPR if you believe that the processing of your personal data is in breach of the GDPR. As a rule, you can lodge a complaint with the supervisory authority where you have your usual place of residence, your place of work or where our company headquarters are based.

How is my data processed?

Below we explain the individual processing operations, the scope and purpose of data processing, the legal basis, the obligation to provide your data and the storage period. We do not carry out any automated decision-making, including profiling, in individual cases.

Data transfer to bodies outside the European Union

We transfer personal data to organisations (henceforth: third-country organisation) that are located outside the European Union or at least we cannot exclude this as a possibility. Pursuant to Art. 44 of the General Data Protection Regulation (GDPR), we are obliged to guarantee that the level of protection provided by the GDPR is met in these cases. Please note that the third-country organisation can be both a controller and a processor.

Art. 45 GDPR relates to the transfer of data on the basis of an adequacy decision. Where we refer to this in this privacy policy, it means that the third-country organisation is located in a country, territory or specific sector where the EU Commission has decided that there is an adequate level of data protection comparable to the GDPR. 

Art. 46(1) and (5) GDPR stipulates that data transfer is also possible on the basis of so-called standard contractual clauses. If we make use of standard contractual clauses, it is ensured that the third-country organisation accepts these and has thus committed itself to compliance with a level of data protection comparable to the GDPR.

Finally, we may rely on your consent to transfer data to the third-country organisation pursuant to Art. 49(1) point (a) GDPR. This means that you have been informed of all existing possible risks regarding a data transfer where no adequacy decision or other safeguards are in place and have nevertheless consented to the data transfer.

We describe the corresponding risks to you at the appropriate points in this privacy policy.

Information: EU standard contractual clauses and third-country organisations based in the USA

In addition to the information under “Data transfer to bodies outside the European Union”, we would like to draw your attention to one particular set of circumstances.

In the case of data transfers to organisations based in the USA, the possibility of using EU standard contractual clauses is limited. To the extent that we intend to (or already) apply the EU standard contractual clauses in this context, we therefore draw your attention to the following:

We only base transfer of personal data on standard contractual clauses in the USA if we have thoroughly reviewed the facts beforehand. We first carry out a risk assessment. In doing so, we pay particular attention to the type and sensitivity of the data concerned, the scope and purpose of the data processing and its susceptibility to misuse.

We then check whether the organisation processing the personal data in question has taken sufficient technical and organisational measures (e.g. processing data exclusively in European data centres, encryption) to minimise the risks identified in advance to an adequate extent. Only if, after this comprehensive review, we come to the conclusion that the EU standard contractual clauses ensure a sufficient level of data protection as an exception, will we then apply them.

We are only pointing out this possibility as a precaution. There is also the possibility that we will not mention this elsewhere in this policy, as we do not make use of it.

Information: Consent to transfer to third-country organisations located in the USA, including risk information

In addition to the information under “Data transfer to bodies outside the European Union”, we would like to draw your attention to another special set of circumstances.

As already described, the option of using EU standard contractual clauses when transferring data to an organisation in the USA is only possible to a limited extent. In some cases, the only option is to obtain your consent for transfer of the data.

Before giving this consent, we ask you to take note of the following risks and consider them when deciding whether or not to give your consent.

We wish to emphasise clearly that data transfers to the USA without the protection of an adequacy decision may involve significant risks. Particular consideration should be given to the following risks:

  1. There is no uniform data protection law in the USA; in particular, none that is comparable to the GDPR in the EU. This means that both US companies and government agencies have more opportunities to process your personal data, especially for targeted marketing, profiling and conducting (criminal) investigations. Our options for taking action against this are severely limited.
  2. US legislation provides for numerous access rights to your personal data (see, for example, Section 702 of FISA or E.O. 12333 in conjunction with PPD-28 and Cloud Act 2018), which are not in line with our understanding of the law. In particular, there is no proportionality test before access, as is common in the EU.
  3. Citizens of the European Union cannot expect effective legal protection in the USA.
  4. We will generally only ask you for such consent if we have concluded that the US third party cannot use EU standard contractual clauses reliably.

Provision of the website

Type and scope of processing

When you access and use our website, we collect the personal data that your browser automatically transmits to our server. The following information is temporarily stored in a ‘log file’:

  • IP address of the requesting computer;
  • date and time of access;
  • name and URL of the retrieved file;
  • website from which access is made (referrer URL);
  • browser used and, if applicable, your computer’s operating system and the name of your access provider.

Our website is not hosted by us, but by a service provider who processes the aforementioned data on our behalf in accordance with Art. 28 GDPR.

Purpose and legal basis

The processing is carried out to pursue our overriding legitimate interest in displaying our website and ensuring its security and stability on the basis of Art. 6(1) point (f) GDPR. The collection of data and storage in log files is absolutely necessary to operate the website. There is no right to object to processing, based on the exception stipulated under Art. 21(1) GDPR. Insofar as further storage of log files is required by law, processing is carried out on the basis of Art. 6(1) point (c) GDPR. There is no legal or contractual obligation to provide the data; however, it is not technically possible to access our website without providing that data.

Storage period

The aforementioned data is stored for as long as the website is displayed, and for technical reasons beyond that, for a maximum of 7 days.

Enquiry form

Type and scope of processing

On our website, we give you the opportunity to contact us by means of a form we provide. The information collected in the mandatory fields of the form is required in order to process the enquiry. You can also provide any additional information that you consider necessary for us to process the enquiry on a voluntary basis.

Your personal data will not be shared with third parties when you use the contact form.

Purpose and legal basis

The processing of your data through the use of our contact form is carried out for the purpose of communication and dealing with your enquiry on the basis of your consent pursuant to Art. 6(1) point (a) GDPR. Insofar as your enquiry relates to an existing contractual relationship with us, processing is carried out for the purpose of fulfilling the contract on the basis of Art. 6(1) point (b) GDPR. There is no legal or contractual obligation to provide your data, but it is not possible to process your enquiry if you do not provide the information in the mandatory fields. If you do not want to provide this data, please contact us by other means.

Storage period

Insofar as you use the contact form on the basis of your consent, we store the data collected for each enquiry for a period of 8 weeks from completion of processing of your enquiry or until you withdraw your consent.

If you use the contact form as part of a contractual relationship, we store the data collected for each enquiry for a period of three years from the end of the contractual relationship.

User account registration

Type and scope of processing

You have the option to register a user account to use certain areas of our website. The information collected during registration via the mandatory fields is required to provide access to the user account. You can also provide additional information on a voluntary basis for further (convenience) features.

When you register for a user account, your personal data will only be shared in accordance with this privacy policy.

Purpose and legal basis

We process your data for the purpose of providing you with a user account to fulfil a contract with you pursuant to Art. 6(1) point (b) GDPR. There is a contractual obligation to provide your data, as this information is necessary to identify you and to fulfil the contract on our part. There is no legal obligation to provide the data. If you do not provide this information, it will not be possible to register a user account and thus conclude a contract.

Furthermore, the processing of additional information provided on a voluntary basis for the purpose of making additional (convenience) features available is based on your consent pursuant to Art. 6(1) point (a) GDPR. By disabling the features/erasing the voluntary information in the user account, you can withdraw your consent in accordance with Art. 7(3) GDPR at any time with effect for the future.

Storage period

We store your personal data for the duration of the contractual relationship within the context of providing the user account. At the end of the contract/when the user account has been erased, your data will only continue to be stored if there are legal retention obligations (e.g. under tax and commercial law).

Additional information that you provide to us on the basis of your consent will only be stored until you withdraw your consent by disabling the features/erasing the data, but no longer than the end of the contract on which provision of the user account is based.

Presence on social media platforms

We have fan pages, accounts and channels on the social networks mentioned below to provide you with information and offers within those networks and to offer you additional ways of contacting us and finding out about what we offer. Below we provide information about the data relating to you that we or the respective social network process in connection with accessing and using our fan pages/accounts.

Data that we process

If you want to contact us via messenger or direct message through the respective social network, we generally process the user name you use to contact us and, if applicable, store further data provided by you insofar as this is necessary to process/respond to your enquiry.

The legal basis is Art. 6(1) sentence 1 point (f) GDPR (processing is necessary to pursue the legitimate interests of the controller).

(Statistical) usage data we receive from social networks

We receive automated statistics regarding our accounts via Insights functions. Among other things, the statistics include the total number of page views, likes, details of page activities and post interactions, reach, video views and information about the proportion of men/women among our fans/followers.

The statistics only contain aggregated data that cannot be related to individuals. We cannot identify you in this way.

Data that the social networks process

To view the content of our fan pages and accounts, you do not have to be a member of the respective social network and, in this respect, a user account for the respective social network is not required.

Please note, however, that the social networks also collect and store data from website visitors who do not have a user account when the social network is accessed (e.g. technical data in order to be able to display the website to you) and use cookies and similar technologies, over which we have no control. For details, please refer to the privacy policy of the respective social network (see the corresponding links above).

Insofar as you wish to interact with the content on our fan pages/accounts, e.g. comment on, share or like our posts/articles and/or contact us via messenger features, prior registration with the social network and provision of personal data is required.

We have no control over processing by the social networks of data relating to how you use them. To our knowledge, your data is stored and processed in particular in connection with the provision of the respective social network’s services and to analyse user behaviour (using cookies, pixels/web beacons and similar technologies), on the basis of which advertising based on your interests is displayed both within and outside the respective social network. It cannot be ruled out that social networks will store your data outside the EU/EEA and share it with third parties.

Information concerning, among other things, the exact scope and purposes of personal data processing, the storage period/erasure and guidelines on the use of cookies and similar technologies in the context of registration and use of the social networks can be found in the privacy policy/cookie policy for the social network in question. You will also find information about your rights and opportunities to object there.

Facebook page

When you visit our Facebook page, Facebook collects, among other things, your IP address and other information that is on your PC in the form of cookies. This information is used to provide us, as the operator of the Facebook page, with statistical information about the use of that page. Facebook provides more information about this via the following link: https://facebook.com/help/pages/insights.

It is not possible for us to draw conclusions about individual users through the statistical information provided. We only use this information to respond to our users’ interests and to continuously improve and ensure the quality of our online presence.

We only collect your data through our fan page to allow communication and interaction with us. This collection usually includes your name, message content, comment content and the profile information you provide “publicly”.

The processing of your personal data for these purposes is based on our legitimate business and communication interest in offering an information and communication channel pursuant to Art. 6(1) point (f) GDPR. If you, as a user, have given your consent to data processing vis-à-vis the respective provider of the social network, the legal basis of the processing extends to Art. 6(1) point (a) and Art. 7 GDPR.

As actual data processing is carried out by the provider of the social network, our access to your data is limited. Only the provider of the social network is authorised to have full access to your data. As a result of this, only the provider can directly take and implement appropriate measures to fulfil your user rights (access request, erasure request, objection, etc.). The most effective way of asserting such rights is therefore directly with the provider in question.

We are jointly responsible with Facebook for the personal content of the fan page. Data subject rights can be asserted against Facebook Ireland and us.

In accordance with the GDPR, the primary responsibility for processing Insights data lies with Facebook, and Facebook meets all of its obligations under the GDPR in relation to the processing of Insights data; Facebook Ireland provides data subjects with key information regarding the Page Insights Addendum.

We do not make any decisions regarding the processing of Insights data or any other information resulting from Art. 13 GDPR, including the legal basis, the identity of the controller and the storage period for cookies on user devices.

Facebook itself provides further information (addendum agreement with Facebook): https://www.facebook.com/legal/terms/page_controller_addendum.

Instagram page

When you visit our Instagram page, Instagram collects, among other things, your IP address and other information on your PC in the form of cookies. This information is used to provide us, as the operator of the Instagram page, with statistical information about the use of that page. Instagram provides further information about this via the following link: https://www.facebook.com/help/instagram/788388387972460?helpref=related.

It is not possible for us to draw conclusions about individual users through the statistical information provided. We only use this information to respond to our users’ interests and to continuously improve and ensure the quality of our online presence.

We only collect your data through our fan page to allow communication and interaction with us. This collection usually includes your name, message content, comment content and the profile information you provide “publicly”.

The processing of your personal data for these purposes is based on our legitimate business and communication interest in offering an information and communication channel pursuant to Art. 6(1) point (f) GDPR. If you, as a user, have given your consent to data processing vis-à-vis the respective provider of the social network, the legal basis of the processing extends to Art. 6(1) point (a) and Art. 7 GDPR.

As actual data processing is carried out by the provider of the social network, our access to your data is limited. Only the provider of the social network is authorised to have full access to your data. As a result of this, only the provider can directly take and implement appropriate measures to fulfil your user rights (access request, erasure request, objection, etc.). The most effective way of asserting such rights is therefore directly with the provider in question.

We are jointly responsible with Instagram for the personal content of the fan page. Data subject rights can be asserted against Facebook Ireland and us.

In accordance with the GDPR, the primary responsibility for processing Insights data lies with Instagram, and Instagram meets all of its obligations under the GDPR in relation to the processing of Insights data; Facebook Ireland provides data subjects with key information regarding the Page Insights Addendum.

We do not make any decisions regarding the processing of Insights data or any other information resulting from Art. 13 GDPR, including the legal basis, the identity of the controller and the storage period for cookies on user devices.

Instagram itself provides further information: https://help.instagram.com/519522125107875.

LinkedIn page

LinkedIn is a social network of LinkedIn Inc. based in Sunnyvale, California, USA, which enables the creation of private and professional profiles. Users can cultivate their existing contacts and make new ones. Companies can create profiles where photos and other company information are uploaded. Other LinkedIn users have access to this information and can write their own articles and share this content with others.

The focus is on professional interaction on specialist topics with people who have the same career interests. In addition, LinkedIn is often used by companies and other organisations to recruit employees and present themselves as an attractive employer.

For more information on LinkedIn, please visit: https://about.linkedin.com/

You can find more information on data protection at LinkedIn at: https://www.linkedin.com/legal/privacy-policy

We do not collect or process any personal data via our LinkedIn company page.

YouTube page

YouTube is a video-on-demand service that allows users to upload, watch and share videos, including movie clips, music clips and amateur content. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

For more information on YouTube, see:
https://www.youtube.com/intl/de/about/
 
For more information on data protection at YouTube, please visit:
https://policies.google.com/privacy
 
Further questions about data protection are answered here:
https://policies.google.com/technologies/product-privacy

 

YouTube video

Type and scope of processing

We have integrated YouTube video into our website. YouTube video is a component of the video platform of YouTube, LLC, where users can upload content, share it over the internet and receive detailed statistics.

YouTube video allows us to integrate content from the platform into our website.

YouTube video uses cookies and other browser technologies to analyse user behaviour, recognise users and create user profiles. This information is used, among other things, to analyse the activity of the content watched and to create reports. If a user is registered with YouTube, LLC, YouTube video can associate the videos played with the profile.

When you access this content, you connect to servers of YouTube, LLC, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, where your IP address and, if applicable, browser data such as your user agent are transmitted.

Purpose and legal basis

The use of YouTube video is based on your consent in accordance with Art. 6(1) point (a) GDPR and Section 25(1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG).

The data processing operations are also not prevented by the fact that the data may be processed by the provider outside the European Union, possibly in cooperation with Google LLC. Your consent also includes a declaration pursuant to Art. 49(1) point (a) GDPR.

We ask you to read our guidance under “Information: Consent to transfer to third-country organisations located in the USA, including risk information” before giving your consent.

Storage period

We have no control over the specific storage period for the data processed; this is determined by YouTube, LLC. For more information, please see the privacy policy for YouTube video: https://policies.google.com/privacy.

jQuery CDN

Type and scope of processing

We use jQuery CDN for proper delivery of the content of our website. jQuery CDN is a service of jQuery, which acts as a content delivery network (CDN) on our website.

A CDN helps to make the content of our site, in particular files such as graphics or scripts, available more quickly with the help of regionally or internationally distributed servers. When you access this content, you are connecting to jQuery servers, in which process your IP address and possibly browser data such as your user agent are transmitted. This data is processed solely for the above purposes and to maintain the security and functionality of jQuery CDN.

Purpose and legal basis

The use of the content delivery network is based on our legitimate interests, i.e. interest in secure and efficient provision and optimisation of our website pursuant to Art. 6(1) point (f) GDPR.

Storage period

We have no control over the specific storage period for the data processed; this is determined by jQuery. For further information, see the privacy policy of jQuery CDN: https://www.stackpath.com/legal/privacy-statement/.