1. INTRODUCTION
We process personal data for the operation of our website www.rpp-group.com (hereinafter referred to as “Website”). We keep such data in confidence and process them in accordance with the applicable laws – in particular, the General Data Protection Regulation (GDPR) and the new version of the German Federal Data Protection Act (BDSG-new). In this Privacy Policy, we wish to inform you about which personal data we collect from you, for which purposes and on which legal basis they are used and to whom we disclose them, if appropriate. Furthermore, we will explain which rights you have to protect and enforce your rights for data protection.

2. DEFINITON OF TERMS
Our Privacy Policy contains technical terms which are defined in the GDPR and the BDSG-new. For your better understanding, we will explain these terms in a more simplified way:

2.1 Personal data
“Personal data” means any information relating to an identified or identifiable natural person (Art. 4(1) of the GDPR). Data of an identified person might be, for instance, their name or email address. Data, however, might also be personal if the identity is not directly recognisable but could be determined by combining own or external information in order to identify that person. A person is identifiable, if information is available about, e.g. their address or bank details, their date of birth or user name, their IP address and/or location data. This means that here any information is relevant which allows for any type of conclusion to be drawn on a person.

2.2 Processing
Art. 4(2) of the GDPR provides that “processing” means any operation which is performed on personal data. That means, in particular, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Controller and Data Protection Officer

3. CONTROLLER
The following company is responsible for data processing and thus the controller:

4. DATA PROTECTION OFFICER
We appointed an external data protection officer for our company. You may contact him at:

Framework of processing

5. FRAMEWORK OF PROCESSING: WEBSITE
We will process the personal data listed in detail under Art. 6-13 below, when you use the Website with the URL www.rpp-group.com. In this process, we will only process data from you that you actively enter on our Website (e.g. by completing forms) or that you provide automatically when using our offer.

Your data will exclusively be processed by us and these data will, as a matter of principle, not be sold, leased or provided to any third parties. Insofar as we use external service providers for the processing of your personal data, that will be done in the context of a cooperation with a so-called data processor, where we act as principal and are authorised to give instructions to our contractors. For the operation of our Website, we use external service providers for hosting, and for the maintenance, update and further development. Insofar as other external service providers will be used for individual processing activities that are listed in Art. 6-13, they will be specified there.

We do, in general, not transfer any data to any third countries and this is not planned for the future either. Any exemptions from this principle will be explained in the types of processing activities listed below.

The processing activities in detail

6. PROVISION OF THE WEBSITE AND LOG FILES

6.1 Description of processing
Whenever anybody visits our Website, we automatically collect information that their browser transfers to our server. These data will also be stored in the so-called log files of our system. This concerns the following data:

• Your anonymized IP address: the last two digits of the visitor IP will be truncated, from IP 11.22.33.44 will be 11.22.0.0

The temporary storage of your IP address by the system is necessary to be able to deliver our Website to the device of any user. To this end, the IP address of the user must be stored for the duration of the session. Your IP address, however, will not be recorded in our log files.

6.2 Purpose
The processing is done to allow for the Website to be called and to ensure its stability and security. In addition, the processing serves for statistical analyses and the improvement of our online offer.

6.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point (f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 6.2.

6.4 Storage duration
The data will be erased once they are no longer required to achieve the purpose of their collection. If data are collected to provide the Website, they will be erased once the respective session has been terminated. The log files will be erased after 30 days.

7. CONTACT FORM AND CONTACT BY EMAIL

7.1 Description of processing
We provide you with a contact form on our Website which you can use to contact us. In this form, you will be asked to enter your email address, your name and a message. When clicking the “Send” button, the data will be transferred to us by using SSL encryption (see Art. 14). The contact form can only be transferred if you accept our Privacy Policy by clicking the check box provided. You may also contact us by using the email address specified on our Website. In this case, we will process the personal data of the user that were transferred with the email.

7.2 Purpose
The contact form provided on our Website should offer you a convenient option to contact us. The data transferred with and in the contact form or your email will exclusively be used for the purpose of handling and answering your request.

7.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 7.2. Insofar as the contact by email is aimed at concluding or performing a contract, the data will be processed to perform a contract (Art. 6(1) point b) of the GDPR).

7.4 Storage duration
We will erase the data, as soon as such are no longer required to achieve the purpose of their collection. That is usually the case when the relevant communication with you has been terminated. The communication is deemed terminated as soon as the circumstances reveal that the relevant issue has been conclusively resolved. Insofar as any statutory retention period conflicts with the erasure, the data will be erased immediately after the expiry of the statutory retention period.

8. COOKIES

8.1 Description of processing
Our Website uses cookies. Cookies are small text files which are stored in the user’s end device when they visit a website. Cookies contain information which allow for the recognition of a device or enable certain functions of a website. We mostly only use so-called “session cookies”. These will automatically be erased when you end your internet session and close the browser. Other cookies will remain on your device for a longer period of time. We use the cookies set out below on our Website:

Cookie name: fe_typo_user (provider: rpp-group.com)
Purpose / Function: Maintains the status of the user for all page requests.
Storage period: This cookie expires at the end of the browser session.

Cookie name: _ga (provider: rpp-group.com)
Purpose / Function: Registers unique ID that is used to generate statistical data on how the visitor uses the website.
Storage period: 2 years

Cookie name: _gat (provider: rpp-group.com)
Purpose / Function: Used by Google Analytics to limit the request rate.
Storage period: This cookie expires at the end of the browser session.

Cookie name: _gid (provider: rpp-group.com)
Purpose / Function: Registers unique ID that is used to generate statistical data on how the visitor uses the website
Storage period: This cookie expires at the end of the browser session.

8.2 Purpose
We use cookies to make our Website more user-friendly and to offer the functions described in Art. 8.1.

8.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 8.2.

8.4 Storage duration
Cookies will automatically be deleted at the end of a session and upon expiry of the storage duration specified. Since cookies are stored on your device, you as user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transfer of cookies. Cookies already stored can be deleted at any time. This can also occur automatically. If you deactivate cookies for our Website, you may be unable to use individual functions of our Website or such might be used in a restricted way only.

9. GOOGLE WEBFONTS

9.1 Description of processing
Our Website uses “Google Webfonts“, a font replacement service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”). Google Webfonts replaces the standard fonts of your device with fonts from the catalogue of Google when our Website is displayed on your device. If your browser prohibits the integration of Google Webfonts, the texts of our Website will be displayed in the standard fonts of your device. Google fonts will be loaded directly from a Google server. In order to do this, your browser will send a request to a Google server. Your IP address might also be transferred to Google together with the address of our Website. Google Webfonts will not store any cookies on your device. Google states that data which are processed in the context of the Google Webfonts service will be transferred to resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. They will not be associated with data that are connected with the use of other Google services such as e.g. the search machine of the same name or Gmail. For more information on data privacy at Google Webfonts, please refer to https://developers.google.com/fonts/faq?hl=de-DE&csw=1. For general information on data privacy at Google, please visit http://www.google.com/intl/de-DE/policies/privacy/.

9.2 Purpose
The processing is done to be able to provide you with the text of our Website in a clearly legible and aesthetically pleasing manner.

9.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 13.2.

9.4 Recipients and transfer to third countries
Personal data might be transferred to Google by using Google Webfonts. Google processes your personal data also in the U.S. and has agreed to comply with the EU-US Privacy Shield. For more information on the EU-US Privacy Shield, please refer to https://www.privacyshield.gov/EU-US-Framework.

10. ADOBE TYPEKIT

10.1 Description of processing
Our Website uses “Adobe Typekit”, a font replacement service provided by the company Adobe Systems Software Ireland Ltd., 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland (hereinafter referred to as “Adobe“). Adobe Typekit replaces the standard fonts of your device with fonts from the catalogue of Adobe when our Website is displayed on your device. If your browser prohibits the integration of Adobe Typekit, the texts of our Website will be displayed in the standard fonts of your device. The Adobe Typekit fonts will be loaded directly from the Adobe servers. In order to do this, your browser will send a request to an Adobe server. Your IP address might be transferred to Adobe together with the address of our Website. Adobe Typekit will not store any cookies on your device. For more information on data privacy at Adobe Typekit, please visit www.adobe.com/privacy/typekit.html. For general information on the subject of data privacy at Adobe, please read the company’s Data Privacy Policy at https://www.adobe.com/de/privacy/policy.html.

10.2 Purpose
The processing is done to be able to provide you with the text of our Website in a clearly legible and aesthetically pleasing manner.

10.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 14.2.

10.4 Recipients and transfer to third countries
Personal data might be transferred to Adobe when Adobe Typekit is used. Adobe will process your personal data also in the U.S., possibly through the group company Adobe Systems Incorporated, San Francisco, 345 Park Avenue, San Jose, California 95110, USA, which agreed to comply with the EU‑US Privacy Shield. For more information on the EU-US Privacy Shield, please refer to https://www.privacyshield.gov/EU-US-Framework.

11. GOOGLE MAPS

11.1 Description of processing
Our Website uses “Google Maps,“ a service for displaying maps provided by the company Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google“). We use Google Maps for embedding a map that displays our business address in our Website. The map will be loaded directly from a Google server. In order to do this, your browser will send a request to a Google server. Your IP address might also be transferred to Google together with the address of our Website. Google Maps will, however, not store any cookies on your device. If you are logged in to Google when you visit our Website, Google Maps will associate this information to your Google user account. Google will store your data as user profiles and will use them for marketing purposes, for market research and/or the customised configuration of the Google websites. You have a right to object against the creation of user profiles; please directly contact Google to exercise such right. For more information on data privacy at Google, please refer to http://www.google.com/intl/de-DE/policies/privacy/.

11.2 Purpose
The processing is done to be able to display an interactive map on our Website.

11.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 19.2.

11.4 Recipients and transfer to third countries
Google processes your personal data also in the U.S. and has agreed to comply with the EU-US Privacy Shield. For more information on the EU-US Privacy Shield, please refer to https://www.privacyshield.gov/EU-US-Framework.

12. GOOGLE ANALYTICS

12.1 Description of processing
Our Website uses “Google Analytics”, a web analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as “Google”). Google Analytics uses cookies (see Art. 8), which allow for an analysis of your use of our offer. We use Google Analytics in the version offered as “Universal Analytics” which allows for this analysis across devices by allocating the data to a pseudonymised user ID. The information created by the cookie are generally transferred to a Google server in the U.S. and stored there. But, we use Google Analytics exclusively with IP anonymisation. This means that your IP address will be shortened by Google within the European Union member states or other states which are part of the European Economic Area before it is transmitted. Only in exceptional cases will the full IP address be transmitted to a Google server in the U.S. and shortened there. The IP address transferred by your browser in the context of Google Analytics will not be combined with any other data from Google. The statistics created by Google Analytics record, in particular, how may users visit our Website, from which country or place they access the Website, which sub-pages they visit and through which links or search terms visitors come to our Website. For the terms of use for Google Analytics please visit http://www.google.com/analytics/terms/de.html. An overview of the data privacy at Google Analytics can be retrieved from http://www.google.com/intl/de/analytics/learn/privacy.html. You can see Google’s data privacy policy at http://www.google.de/intl/de/policies/privacy.

12.2 Purpose
The processing is done to be able to evaluate the use of our Website. The information gained in the process serve to improve our online presentation and to design it according to demand.

12.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 20.2.

12.4 Storage period and right to object
For information on the storage period and an explanation of your control and setting options for cookies, please refer to Art. 8. You may object to the data processing by Google Analytics, at any time, by downloading and installing the browser add-on offered by Google at https://tools.google.com/dlpage/gaoptout?hl=de. Alternatively, you have the option to click on the following link. This will place an opt-out cookie on your device which prevents the future collection of your data when visiting this Website.

12.5 Recipients and transfer to third countries
Google Analytics is active for us as service provider in the capacity of a processor. Google processes your personal data also in the U.S. and has agreed to comply with the EU-US Privacy Shield. For more information on the EU-US Privacy Shield, please refer to https://www.privacyshield.gov/EU-US-Framework.

13. GOOGLE RECAPTCHA

13.1 Description of processing
Our Website uses “reCAPTCHA”, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA (hereinafter referred to as “Google“). reCAPTCHA allows us to verify in forms whether the entry was made by a human or by an automated software – in particular, so-called bots. This enables us to protect our Website against spam and abuse. In this process, your IP address, the time you visited our Website, the mouse movements you made and other data required for the reCAPTCHA services might be transferred to Google. For more information on data privacy at Google, please refer to http://www.google.com/intl/de-DE/policies/privacy/.

13.2 Purpose
The processing is done to protect forms on our Website against abuse and spam.

13.3 Legal basis
The processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1) point f) of the GDPR). Our legitimate interest is the purpose mentioned in Art. 26.2.

13.4 Recipients and transfer to third countries
Google processes your personal data also in the U.S. and has agreed to comply with the EU-US Privacy Shield. For more information on the EU-US Privacy Shield, please refer to https://www.privacyshield.gov/EU-US-Framework.

Security Measures

14. SECURITY MEASURES

We integrated a SSL or TLS certificate in our Website to protect your personal data against unauthorised access. SSL means “Secure Sockets Layer” and TLS means “Transport Layer Security” and encrypts the communication of data between a website and the user’s computer. You recognise active SSL and TLS encryption by the small lock logo displayed on the left side of your browser’s address line.

Your Rights

15. RIGHTS OF DATA SUBJECTS

You, as data subject, have the following rights in view of the data processing performed by our company as described above:

15.1 Right of access (Art. 15 of the GDPR)
You have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed by us. Where that is the case, you have a right of access to the personal data under the conditions set out in Art. 15 of the GDPR and the other information specified in detail in Art. 15 of the GDPR.

15.2 Right to rectification (Art. 16 of the GDPR)
You have the right to obtain from us, without undue delay, the rectification of inaccurate personal data concerning your person and, if necessary, the right to have incomplete personal data completed.

15.3 Right to erasure (Art. 17 of the GDPR)
You also have the right to obtain from us the erasure of personal data concerning you without undue delay, insofar as one of the grounds listed in Art. 17 of the GDPR applies, e.g. if the data is no longer required in relation to the intended purpose.

15.4 Right to restriction of processing (Art. 18 of the GDPR)
You have the right to obtain from us restriction of processing where one of the conditions listed in Art. 18 of the GDPR applies, e.g. if the accuracy of the personal data is contested by you, the data processing will be restricted for a period enabling us to verify the accuracy of the personal data.

15.5 Right to data portability (Art. 20 of the GDPR)
You have the right to receive the personal data concerning you under the preconditions set out in Art. 20 of the GDPR in a structured, commonly used and machine-readable format.

15.6 Right to withdrawal of consent (Art 7(3) of the GDPR)
You shall have the right to withdraw your consent, at any time, for processing which is based on your consent. The withdrawal of your consent will apply from the time it is made. In other words, it will apply for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

15.7 Right to lodge a complaint (Art. 77 of the GDPR)
If you consider that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with a supervising authority. You may exercise this right with a supervisory authority in the EU Member State of your habitual residence, place of work or place of the alleged infringement.

15.8 Prohibition of automated decision-making / profiling (Art. 22 of the GDPR)
Decisions which produce legal effects concerning you or similarly significantly affect you must not be subject to a decision based solely on automated processing – including profiling. We hereby inform you that we use no automated decision-making, including profiling, in view of your personal data.

Version: September 2018