Data Privacy Statement

This Data Privacy Statement informs you of the type, scope and purpose of the processing of personal data (hereinafter “data” for short) within our online platform and the websites, features and content relating thereto as well as our external online presence, e.g. our social media profiles (hereinafter collectively referred to as “online platform”). With regard to the terminology used, e.g. “processing” or “controller”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

HÄHL GmbH
Eutinger Strasse 29
75249 Kieselbronn, Germany
Managing Director with power of representation: Dr. Thomas Hähl

Types of data processed:

  • inventory data (e.g. names, addresses)
  • contact details (e.g. email, telephone numbers)
  • content data (e.g. text entries, photographs, videos)
  • usage data (e.g. websites visited, interest in content, access times)
  • meta/communication data (e.g. device information, IP addresses).

Categories of data subjects

visitors to, and users of, the online platform (the data subjects are hereinafter also collectively referred to as “users”).

Purpose of the processing

  • provision of the online platform, its features and its content
  • answering contact requests and communicating with users
  • security measures
  • range measurement/marketing

Terminology used

“Personal data” is any information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable if he/she can be identified directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more particular characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. “Processing” means any process carried out with or without the aid of automated procedures, or any series of such processes, in connection with personal data. The term has a broad meaning and encompasses practically any handling of data. “Controller” is any natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Applicable legal bases

In accordance with Article 13 GDPR, we hereby inform you of the legal bases for our data processing. Insofar as the legal basis is not specified in this Data Privacy Statement, the following applies: The legal basis for obtaining consent is Article 6 (1) a) and Article 7 GDPR; the legal basis for processing data for performing our services and implementing contractual measures, as well as for answering enquiries is Article 6 (1) b) GDPR; the legal basis for processing data for fulfilling our legal obligations is Article 6 (1) c) GDPR, and the legal basis for processing data for protecting our legitimate interests is Article 6 (1) f) GDPR. Article 6 (1) d) GDPR serves as the legal basis if it is necessary to process personal data in order to protect vital interests of the data subject or any other natural person.

Collaboration with processors and third parties

Insofar as we disclose data to other persons and companies (processors or third parties) in the course of our processing or transfer data to these or grant these access to data in some other way, this takes place only on the basis of statutory permission (e.g. where it is necessary under Article 6 (1) b) GDPR to transfer data to third parties, such as payment service providers, for the purpose of performing a contract) or on the basis of consent, a legal obligation or our legitimate interests (e.g. when appointing agents, web hosts, etc.). 

Insofar as we appoint third parties to process data on the basis of a so-called “agreement on commissioned processing”, this occurs on the basis of Article 28 GDPR.

Transfers to third countries

Insofar as we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)), or this occurs when using third-party services or disclosing or transferring data to third parties, this takes place only for the purpose of fulfilling our (pre)contractual duties or on the basis of your consent, a legal obligation or our legitimate interests. Subject to statutory or contractual permission, we process the data, or have the data processed, in a third country only if the particular prerequisites referred to in Articles 44 et seqq. GDPR are met. This means that the processing takes place, for example, on the basis of particular safeguards, such as the officially recognised determination of a data protection level corresponding to the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

Rights of the data subject

You have the right to demand confirmation of whether data concerning you is being processed, and the right to access this data and to obtain further information and a copy of the data in accordance with Article 15 GDPR. You have, under Article 16 GDPR, the right to demand that incomplete data concerning you be completed, or that inaccurate data concerning you be rectified. You have, under Article 17 GDPR, the right to demand that data concerning you be erased without delay, or alternatively, under Article 18 GDPR, the right to demand that the processing of your data be restricted. You have the right to demand under Article 20 GDPR to receive the data concerning you that you have provided to us, and to demand that this data be transferred to other controllers. Furthermore, you have the right under Article 77 GDPR to lodge a complaint with the competent supervisory authority.

Right to revoke

Under Article 7 (3) GDPR, you have the right to revoke, with effect for the future, any consent given.

Right to object

You may at any time, subject to Article 21 GDPR, opt out of future processing of the data concerning you. In particular, you may object to processing for the purposes of direct marketing.

Cookies and the right to object in the case of direct marketing

“Cookies” are small data files stored on the users’ computers. Various details may be stored within the cookies. A cookie primarily serves to store a user’s details (or details relating to the device on which the cookie is stored) during, or also after, the user’s visit to an online platform. “Temporary cookies” or “session cookies” or “transient cookies” are cookies that are deleted after a user has left an online platform and closed his/her browser. For example, the content of a shopping basket in an online shop, or a log-in status, may be stored in such a cookie. “Permanent cookies” or “persistent cookies” are cookies that remain stored even after the browser has been closed. For example, the log-in status may be saved in case of a user visit after several days. Likewise, the users’ interests used for the purpose of range measurement or marketing may be stored in such a cookie. “Third-party cookies” are cookies offered by providers other than the controller operating the online platform (cookies only from this controller are referred to as “first-party cookies”). We may use temporary and permanent cookies and provide information on these within our Data Privacy Statement. Users who do not wish to have cookies stored on their computer are requested to deactivate the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies may lead to reduced functionality of this online platform. In the case of many of the services, particularly in the case of tracking, a general objection to the use of cookies for online marketing purposes may be declared via the US-American website or the EU website. Furthermore, the storage of cookies can be prevented by disabling them in the browser settings. Please bear in mind that it is possible that some features of this online platform will then not be usable.

Erasure of data

The data processed by us is erased, or its processing is restricted, in accordance with Articles 17 and 18 GDPR. Unless otherwise expressly stated in this Data Privacy Statement, the data stored with us is erased as soon as it is no longer needed for its specific purpose, and no statutory retention duties conflict with its erasure. Insofar as the data is not erased because it is needed for other and legally permissible purposes, its processing is restricted. This means that the data is blocked and is not processed for other purposes. For example, this applies to data retained for reasons under commercial or fiscal law. Under statutory provisions in Germany, the data is, in particular, stored for 6 years under Section 257 (1) HGB [German Commercial Code] (account books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting records, etc.), and for 10 years under Section 147 (1) AO [Tax Code] (books of account, records, management reports, accounting records, commercial and business letters, documents relevant to taxation, etc.). Under statutory provisions in Austria, the data is, in particular, stored for 7 years in accordance with Section 132 (1) BAO [Austrian Federal Tax Code] (accounting documents, records/invoices, bank accounts, receipts, business documents, statements of income and expenses, etc.), 22 years in connection with real estate and for 10 years in the case of documents in connection with electronically supplied services, telecommunication services, broadcasting services and television services supplied to non-entrepreneurs in EU Member States and for which the Mini One Stop Shop (MOSS) is used.

Business-related processing

Additionally, we process

  • contract data (e.g. subject-matter of the contract, term, customer category)
  • payment data (e.g. bank account details, payment history)

from our customers, potential customers and business associates for the purpose of providing contractual services, support and customer care, marketing, advertising and market research.


The hosting services that we make use of serve to make available the following services: infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services that we use for the purpose of operating this online platform. In this respect, we, or our hosting provider, process inventory data, contact details, content data, contract data, usage data, meta data and communication data of customers, potential customers and visitors to this online platform on the basis of our legitimate interest in efficient and secure provision of this online platform in accordance with Article 6 (1) f) GDPR in conjunction with Article 28 GDPR (conclusion of an agreement on commissioned processing).

Collection of access data and log files

On the basis of our legitimate interests within the meaning of Article 6 (1) f) GDPR, we, or our hosting provider, collect data concerning all access to the server on which this service is located (so-called server log files). Access data includes the name of the website accessed, the file, the date and time of access, the data volume transferred, the notification of successful access, the browser type and version, the user’s operating system, the referrer URL (the website visited beforehand), the IP address and the provider requesting access. For security reasons (e.g. for clearing up acts of misuse or fraud), log-file information is stored for a period of 7 days at most and then erased. Data that needs to be further retained for purposes of proof is excluded from erasure until the respective incident has been finally cleared up.

Administration, financial accounting, office organisation, contact management

We process data for the purposes of performing administrative tasks, organising our business, financial accounting and compliance with our statutory duties, e.g. archiving. In this respect, we process the same data as the data processed by us in the course of rendering our contractual services. This processing is based on Article 6 (1) c) GDPR and Article 6 (1) f) GDPR. The processing relates to customers, potential customers, business associates and website visitors. The purpose, and our interest in the processing, lie in administration, financial accounting, office organisation and data archiving, i.e. tasks that serve to preserve our business activities, perform our tasks and render our services. The erasure of the data regarding contractual services and contractual communication corresponds to the information provided in the course of these processing activities. In this respect, we disclose or transfer data to the fiscal authority and to advisers, e.g. tax advisers or chartered accountants, as well as to other billing centres and payment service providers. Furthermore, we store, on the basis of our business management interests, details relating to suppliers, event organisers and other business associates, e.g. for the purpose of making contact at a later date. Generally, we permanently store this data, which is mainly company-related data.

Business analysis and market research

In order to operate our business economically and to be able to recognise market trends, customer wishes and user wishes, we analyse the data in our possession concerning business transactions, contracts, enquiries etc. In this respect, we process inventory data, communication data, contract data, payment data, usage data and meta data on the basis of Article 6 (1) f) GDPR. The data subjects in this respect include customers, potential customers, business associates, visitors and users of the online platform. The analyses are carried out for the purpose of business evaluations and for marketing and market research purposes. In the process, we may take into account the profiles of the registered users, including information on, for example, their purchase transactions. The analyses help us to enhance user-friendliness, optimise our platform and increase our business efficiency. The analyses serve solely us and are not disclosed externally, except in the case of anonymous analyses with aggregated values. Insofar as these analyses or profiles are person-related, they are deleted or anonymised upon termination of the users, otherwise two years after the conclusion of the contract. In all other respects, the overall business analyses and general trend determinations are created anonymously if possible.

Data privacy notice regarding the application procedure

In line with the statutory provisions, we process applicant data only for the purpose of, and within the framework of, the application procedure. The processing of applicant data takes place for the fulfilment of our (pre)contractual obligations under the application procedure, within the meaning of Article 6 (1) b) GDPR and Article 6 (1) f) GDPR, insofar as it is necessary for us to process the data, e.g. within the framework of legal proceedings (in Germany, Section 26 BDSG [German Federal Data Protection Act] applies additionally). The application procedure requires that applicants provide us with applicant data. The applicant data that needs to be provided is marked insofar as we provide an online form or, otherwise, ensues from the job descriptions. Generally, this data includes personal details, postal and contact addresses and the documents forming part of the application, such as covering letter, CV and references. Moreover, applicants may provide us with additional information voluntarily. By sending their application to us, the applicants agree to having their data processed for the purposes of the application procedure in the manner, and to the extent, set out in this Data Privacy Statement.

Insofar as data belonging to particular categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data such as severely handicapped status or ethnic origin) is voluntarily provided in the course of the application procedure, this data is additionally processed in accordance with Article 9 (2) b) GDPR. Insofar as data belonging to particular categories of personal data within the meaning of Article 9 (1) GDPR (e.g. health data, if this is necessary for the exercise of the profession concerned) is requested from applicants in the course of the application procedure, this data is additionally processed in accordance with Article 9 (2) a) GDPR. Applicants can send their applications to us via an online form on our website, insofar as such form is made available. The data is transferred to us in encrypted form in accordance with the state of the technological art. Furthermore, applicants may send their applications to us by email. In this respect, however, please bear in mind that emails are generally not sent in encrypted form, and the applicants themselves have to take care of encryption. Therefore, we cannot take on any responsibility for the transmission path of the application between the sender and receipt on our server. For this reason, we recommend that applicants send their application to us via the online form or by post instead. The data provided by the applicants may, if the application is successful, be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job vacancy is unsuccessful, the applicant data is erased. The applicant data is likewise erased if the applicant withdraws his/her application, which he/she is entitled to do at any time. Except in the case of legitimate revocation by the applicant, the applicant data is erased after six months. 
This period enables us to answer any follow-up questions relating to the application and satisfy our duties to provide proof under the Gleichbehandlungsgesetz [Equal Treatment Act]. Invoices concerning any reimbursement of travel expenses are archived in accordance with the provisions of fiscal law.


When a user contacts us (e.g. via the contact form, by email or by telephone or via social media), the user’s details are, in accordance with Article 6 (1) b) GDPR, processed for processing and handling the contact request. The users’ details may be stored in a customer relationship management system (“CRM system”) or a comparable query organisation system. We erase queries when, and insofar as, they are no longer needed. We review the need for this every two years. Furthermore, the statutory archiving duties apply.

Google Analytics

We use Google Analytics, a web analysis service from Google LLC (“Google”), on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and economic operation of our online platform within the meaning of Article 6 (1), f) GDPR). Google uses cookies. Normally, the information generated by such cookies concerning the users’ usage of the online platform is transmitted to a Google server in the USA and stored there. Google is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law. Google uses this information on our behalf in order to evaluate the use of our online platform by the users, compile reports on the activities carried out within this online platform and provide us with other services in connection with the use of this online platform and the Internet. In this respect, the data processed may be used to create pseudonymous usage profiles of the users. We use Google Analytics only with activated IP anonymisation. This means that the users’ IP address is truncated by Google within Member States of the European Union or the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there. The IP address transmitted by the user’s browser is not combined with other Google data. By downloading and installing the browser plugin available at the following link, users can prevent the storage of cookies by setting their browser software accordingly. Furthermore, users can prevent data generated by such cookies relating to their use of the online platform from being collected and transmitted to Google and being processed by Google. Further information on data usage by Google and on setting and opt-out options can be found in Google’s Data Privacy Statement and in the settings for the displaying of ad impressions by Google. The users’ personal data is erased or anonymised after 14 months.

Integration of third-party services and content

Within our online platform, we use content or service offerings from third-party providers (hereinafter uniformly referred to as “content”) on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and economic operation of our online platform within the meaning of Article 6 (1), f) GDPR) in order to integrate their content and services, e.g. videos or typefaces. This always presupposes that the third-party providers of this content are aware of the IP address of the users, as they would otherwise be unable to send the content to their browser. Therefore, the IP address is essential for showing this content. We endeavour to only use such content from providers who use the IP address merely for the purpose of delivering their respective content. Furthermore, third-party providers may use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Pixel tags enable information, such as visitor traffic on the pages of this website, to be evaluated. Furthermore, the pseudonymous information may be stored in cookies on the user’s device. This information may include, among other data, technical information about the browser and operating system, referring web pages, the time of the visit as well as other information regarding the use of our online platform, and may be combined with such information from other sources.

Google Maps

We integrate the maps from the service “Google Maps” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In particular, the data processed may include the users’ IP addresses and location data, which will however not be collected without the users’ consent (which is generally given through the settings of their mobile devices). The data may be processed in the USA.