Data privacy statement

By the data privacy statement at hand, we inform you about type, scope and processing of personal data within our website and associated websites, functions and content as well as external websites such as our profiles on social media networks and platforms. “AFI” and/or “we” refers to AFI Solutions GmbH as the responsible party providing this website. “Newsletter” means newsletters, e-mails and other electronic notifications containing advertising information.

“Personal data” or “data” within the meaning of this data privacy statement refers to personal data in accordance with Art. 4(1) of the GDPR. “You” refers to the visitor or user of the websites. “Websites” refer to AFI’s homepages and landing pages which are accessible under the following domains:

afi-solutions.com
redpapercenter.com
copilot-im-einkauf.com

Other than that, the definitions in Art. 4 of the GDPR apply to the terms used in this data privacy statement (e.g. “processing”, “person responsible” etc.).

AFI collects, processes and uses your personal data in compliance with the applicable data protection law. As far as AFI collects, processes and/or uses personal data, this is always for a specific purpose.

1. Person responsible

AFI Solutions GmbH
Sigmaringer Straße 109
70567 Stuttgart
Germany

2. Purposes and legal basis of data processing

2.1 We process the following types of data

inventory data (e.g. first and last names, addresses)
contact data (e.g. e-mail, phone numbers)
content data (e.g. text input)
usage data (e.g. visited websites, access times)
meta/communication data (e.g. device information, IP addresses).

2.2 Purposes of processing personal data

provision of our website, its functions and content,
processing of inquiries via our contact form,
safety measures,
marketing (also in the form of IAM).

2.3 Contact via the contact form

When contacting us (e.g. via the contact form, e-mail, phone or social media), the user’s details are used for the processing of the contact request and its handling in line with Art. 6(1b) of the GDPR. User information can be stored in a customer relationship management system (“CRM”) or the like.

We delete the requests if they are no longer required. We review their requirement every two years. Furthermore, the statutory duty to preserve records applies.

2.4 Hosting

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services as well as technical maintenance services that we use for the purpose of operating this online service.

On doing so, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors of this online service on the basis of our legitimate interests in an efficient and secure provision of this online service in line with Art. 6(1f) of the GDPR in conjunction with Art. 28 of the GDPR (conclusion of order processing contract).

2.5 Collection of access data and log files

Based on our legitimate interests within the meaning of Art. 6(1f) of the GDPR, we or our hosting provider collect data on each access to the server on which this service is located (so-called server log files). Access data includes the name of the accessed website, file, data and time of access, transferred data volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (the website visited previously), IP address and the requesting provider. Servers in this sense are our web, content, application and database servers which we use for the operation of the website.

We automatically collect the IP address (from which you access), files (accessed by you), date and time of your access in order to detect and subsequently correct any technical and functional errors on the website.

We store server log files for security reasons (e.g. to investigate misuse or fraud) for a maximum of 31 days and delete them afterwards. Data, of which further storage is necessary for evidentiary purposes, will only be deleted after final clarification of the respective incident.

2.6 WiredMinds Analysis

The tracking pixel technology of WiredMinds AG (www.wiredminds.de) is used to evaluate the visitor behavior on our website. It collects, processes and stores data in order to create user profiles under an alias. As far as possible and useful, these user profiles are rendered anonymous. Cookies are used for this purpose. Cookies are text files that are stored on the computer of the visitor and serve to recognize internet browsers. The collected data, general or personal, will be sent to WiredMinds or stored directly by WiredMinds. WiredMinds may store the data generated during visits to the website in anonymous user profiles. This data is not used to identify visitors to websites unless the visitor has given his consent. Furthermore, it is not linked to personal information about the person behind a pseudonym. IP addresses are directly rendered anonymous by deleting the last numerical sequence.

Please click here for: deactivating website tracking with WiredMinds

2.7 Google Analytics

Based on our legitimate interest (i.e. interest in the analysis, optimization and economic operation of our online services within the meaning of Art. 6(1) of the GDPR), Google Analytics, a web analysis service of Google Ireland Limited (“Google”) is applied. Google uses cookies. The information generated by the cookie regarding the use of the online service by users is generally transferred to a Google server in the USA and stored there.

Google is certified under the Privacy Shield Framework and thereby offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google will use this information on our behalf to evaluate the use of our online service by users, to compile reports on the activities within this online service and to provide us with further services associated with the use of this online service and the use of the internet. In the course of this, pseudonymous user profiles can be created from the processed data.

We apply Google Analytics only with activated IP anonymization. This means that Google will shorten the IP address of users within EU member states or other contracting member states of the EEA. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

The IP address transferred by the user’s browser is not associated with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly. They can also prevent Google from collecting data, which was generated by the cookie and relates to their use of the online service, and from processing this data by downloading and installing the browser plugin available under the following link:http://tools.google.com/dlpage/gaoptout?hl=de.

For further information on data use by Google, setting and objection options, please refer to Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Personal data of users will be deleted or made anonymous after 14 months.

2.8 Newsletter

We only send newsletters with the consent of the recipient or within the scope of legal permission. If the content of a newsletter is specifically described within the scope of a subscription, this is decisive for the consent of the recipients. In addition, our newsletters contain information about our services and/or us.

The subscription to our newsletter takes place in a so-called double opt-in procedure, i.e. after subscription you will receive an e-mail in which we ask you to confirm your subscription. This confirmation is necessary to ensure that no one can subscribe to the newsletter with other e-mail addresses. Subscriptions to our newsletter are logged in order to be able to prove the subscription process in conformity with the law. This includes the storage of the time of subscription and confirmation and the IP address. Changes to your data stored with the dispatch service provider are also logged. Simply enter your e-mail address to subscribe to our newsletter. Optionally, you can enter a name in the subscription process, e.g. for a personal address in the newsletter.

The dispatch of our newsletter and the associated performance measurement is based on the recipients’ consent in line with Art. 6 (1a), Art. 7 of the GDPR in conjunction with Section 7, Subsection 2, No. 3 of the German Unfair Competition Act (UC) or on the basis of legal permission in line with Section 7, Subsection 3 of the UC. Logging of the subscription process is based on our legitimate interest in line with Art. 6 (1f) of the GDPR. We are interested in using a user-friendly and secure newsletter system that serves our commercial interests, meets the expectations of users and allows for proof of granted consent. You are entitled at any time to cancel your subscription. For this purpose, just click the “unsubscribe” or “cancellation” button available at the bottom of each newsletter you receive. We are entitled to store e-mail addresses after cancellation of the subscription for up to three years on the basis of our legitimate interests before finally deleting them. This storage allows for proof of previously granted consent. Further processing of this data takes place exclusively for the purpose of warding off possible claims based on a consent granted allegedly insufficient or in an insufficient scope or in an inadequate manner. An immediate deletion is possible if the previously granted consent is confirmed at the same time as the corresponding application.

Newsletter - dispatch service provider

The newsletter is sent using Pardot, a service of SFDC Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Salesforce"), a subsidiary of Salesforce.com, inc., SalesforceTower, 415 Mission Street, 3rd Floor, San Francisco, California, 94105, USA. The sending service provider is appointed on the basis of our legitimate interests in pursuance of Art. 6, Section 1 lit. f of the GDPR. For this purpose, we have concluded an order processing agreement incl. EU standard contractual clauses and "Binding Corporate Rules" (https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/Salesforce-Processor-BCR.pdf) as laid down in Art. 28, Section 3, S. 1 of the GDPR with the service provider appointed. This enables us to link your data with your other customer data stored with us and with information from third-party providers in order to address you individually, i.e. based on your interests and usage. For details on Pardot and the provider Salesforce, please refer to the item "Pardot".

Newsletters sent with Pardot MAS contain so-called web beacons. These are tiny graphics that allow us to analyze user behavior, such as opening and reading emails and clicking on links. This helps us to make our provided contents more relevant and interesting for you.

Newsletter - performance measurement

The newsletters contain a so-called “web beacon” (tracking pixel), i.e. a pixel-sized file which is downloaded from our server when the newsletter is opened. If we use a dispatch service provider, it will be downloaded from his server. Within the scope of this retrieval, technical information, such as information about your browser and your system, as well as your IP address and time of retrieval, are initially collected. This information is used to technically improve the services by means of technical data or the target groups and their reading behavior based on their retrieval location (which can be determined using the IP address) or the access time. The statistical surveys also include determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients, but it is neither our object in view nor that of the dispatch service provider (if deployed) to observe individual users. The main objective of the evaluations is to understand the reading habits of our users and to adapt our content correspondingly or to send different content according to the interests of our users.

2.9 Cookies, pixels and right of objection in direct advertising

“Cookies” are small files that are stored on the users’ computers. Different data can be stored within the cookies. A cookie is primarily used to store user information (or information on the device on which the cookie is stored) during or after his visit to an online service. Temporary cookies or “session cookies” or “transient cookies” are cookies which are deleted after a user leaves an online service and shuts down his browser. In such a cookie, the contents of a shopping cart in an online shop or a login status can be stored for example. “Permanent” or “persistent” cookies are those which remain stored after the browser is shut down. The login status can be stored when the users revisit these after several days. Furthermore, the user information which is used for reach measurement or marketing purposes can be stored in such a cookie. “Third party cookies” are cookies that are offered by providers other than the person responsible for operating the online service (if they are only his cookies, they are referred to as “first party cookies”).

We may apply temporary or permanent cookies and provide the necessary information regarding these within the framework of our data privacy statement.

If users do not want cookies to be stored on their computer, they are asked to deactivate the respective option in the system settings of their browser. Stored cookies may be deleted in the system settings of the browser. Exclusion of cookies can lead to functional restrictions of this online service.

A general objection against the use of cookies for online marketing purposes can be declared at numerous services and - particularly in the case of tracking - via the US website www.aboutads.info/choices/ or the EU website www.youronlinechoices.com. Furthermore, the storage of cookies can be carried out by shutting them down in the browser settings. However, please note that by doing so, you might not be able to use this website to its full extent.

We use so-called pixels, web beacons (tracking pixels), Clear GIFs or similar mechanisms (hereinafter referred to as “pixel”). A pixel is an image file or a link to an image file that is injected in the website code but is not located on your device (e.g. computer, smartphone etc.). We mostly use pixels for the same reasons as cookies. They allow us to count the number of users that are visiting our website for example or - if the e-mail program of the user permits HTML - to determine if and when an e-mail has been opened. Pixels help us to check and optimize the efficiency of our website and our advertising measures. A direct reference to a person is not made when using pixels. Personal tracking does not take place. Commonly, pixels work in conjunction with cookies. If you have deactivated cookies, pixels will then determine only an anonymous visit to a website.

2.10 Data transfer to third parties

Unless otherwise stated, data will not be transferred to third parties.

2.11 Pardot

We are using the Pardot Marketing Automation System ("Pardot MAS") of Pardot LLC, 950 East Paces Ferry Rd. Suite 3300 Atlanta, GA 30326, USA ("Pardot"). Pardot is a software for capturing and evaluating the use of a website by website visitors. Further information on the handling of personal data by Pardot/Salesforce is provided here: https://www.salesforce.com/company/privacy/.

When visiting our website, Pardot MAS records your click path and uses it to create an individual usage profile via a pseudonym. For this purpose, cookies are set that permit the recognition of your browser. By agreeing to the use of cookies when visiting our website for the first time by confirming the so-called cookie acceptance banner or by continuing to browse our website, you also agree to the use of cookies by Pardot. Documentation of the cookies set by Pardot/Salesforce can be found here: https://help.salesforce.com/articleView?id=pardot_basics_cookies.htm&type=0

You can withdraw your consent at any time with effect for the future. Please contact the responsible party mentioned above for this purpose. In addition, you can deactivate the creation of pseudonymized usage profiles at any time by configuring your Internet browser so that cookies from the domain "pardot.com" are not accepted or by deselecting the cookies set by Pardot/Salesforce in our consent dialog (category "Marketing"). However, this may lead to certain restrictions in the functions and user-friendliness of our website.

3. Legal bases of data processing

Legal basis for obtaining consents is Art. 6(1a) and Art. 7 of the GDPR, legal basis for processing to perform our service and performance of contractual measures as well as for responding to inquiries is Art. 6(1b) of the GDPR, legal basis for processing to perform our legal duties is Art. 6(1c) of the GDPR and legal basis for processing to preserve our legitimate interests is Art. 6(1f) of the GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1d) serves as the legal basis.

On a supplementary basis, the other legal bases explicitly mentioned in this data privacy statement shall apply.

Provided that we disclose data to other persons and companies (contract processors or third parties) within the context of our processing, transmit it to them or otherwise grant them access to the data, this shall only take place on the basis of legal permission (e.g. if a transmission of data to third parties, such as payment service providers, in line with Art. 6(1b) of the GDPR, is necessary for contractual performance), if you have consented, if a legal obligation provides for this or on the basis of our legitimate interest (e.g. when using contractors, web hosts etc.). If we commission third parties with the processing of data on the basis of a so-called order processing contract, this takes place in line with Art. 28 of the GDPR.

4. Online presence in social media networks and platforms, integration of third-party services and content

We maintain online presence within social networks and platforms to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing policies of their respective hosts apply. Unless otherwise stated in our data privacy statement, we only process the data of users if they are communicating with us within social networks and platforms, e.g. when they leave posts on our online presence or send us messages.

We apply content or service packages of third-party suppliers to involve their content and services, such as videos or fonts (hereinafter uniformly referred to as “content”) within our online service based on our legitimate interest (i.e. interest in the analysis, optimization and commercial operation of our online service in line with Art. 6(1f) of the GDPR).

This always presupposes that third-party providers of this content perceive the IP address of the users because they could not send the content to their browsers without the IP address. Therefore, the IP address is required for the display of this content. We make every effort to only use content whose respective provider uses the IP address merely for the delivery of the content. Furthermore, third-party providers can also use so-called pixel tags (invisible graphics also referred to as “web beacons” or “tracking pixels”) for statistical or marketing purposes. By means of these “pixel tags”, information such as the traffic of visitors on the pages of this website may be analyzed. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referential websites, visiting time and other information about the use of our online service as well as be linked to such information from other sources.

4.1 YouTube

We integrate videos of the platform “YouTube” provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

4.2 Use of Facebook Social Plugins

On the basis of our legitimate interests (i.e. interest in the analysis, optimization and commercial operation of our online service within the meaning of Art. 6(1f) of the GDPR), we use social plugins (“plugins”) of the social network facebook.com which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). These plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are recognizable by one of the Facebook logos (a white letter “f” on a blue tile and the terms “like”, “I like” or a “thumbs up” symbol) or are characterized with the add-on “Facebook social plugin”. List and appearance of the Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/.

Facebook is certified under the Privacy Shield Framework and thereby offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

When a user accesses a function of this online service that contains such a plugin, his device sets up a direct connection to Facebook’s servers. The content of the plugin is transmitted directly to the user’s device and integrated into the online service. Thereby, user profiles can be created from the processed data. We therefore have no influence on the amount of data Facebook collects with the help of this plugin and inform users according to present knowledge as a result.

By integration of the plugins, Facebook receives information that a user has accessed the corresponding web page of the online service. If the user is logged in to Facebook, Facebook can assign the access to the web page to his Facebook account. When users interact with the plugins, e.g. when they press the “like”-button or leave a comment, the respective information is directly transferred to Facebook from your device and stored with Facebook. If a user is not a Facebook member, it is still possible for Facebook to find out and store his IP address. According to Facebook, only an anonymized IP address is stored in Germany.

Purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the corresponding rights and setting options for the privacy protection of users, can be found in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.

If a user is a Facebook member and does not want Facebook to collect data about him via this online service and link it to his membership data stored with Facebook, he must log out of Facebook before using our online service and delete his cookies. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings https://www.facebook.com/settings?tab=ads or via the US-American website http://www.aboutads.info/choices/ or via the EU website http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices such as desktop computers or mobile devices.

4.3 Twitter

We integrate functions and content of the Twitter service provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA into our online service. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content or subscribe to the authors of the content or our contributions. If the users are members of the Twitter platform, Twitter can assign their access to the above-mentioned content and functions to the user profiles on Twitter. Twitter is certified under the Privacy Shield Framework and thereby offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active).

4.4 Instagram

We integrate functions and content of the Instagram service provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA into our online service. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content or subscribe to the authors of the content or our contributions. If the users are members of the Instagram platform, Instagram can assign their access to the above-mentioned content and functions to the user profiles on Instagram. Privacy policy: http://www.instagram.com/about/legal/privacy/.

4.5 XING

We integrate functions and content of the XING service provided by XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany into our online service. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content or subscribe to the authors of the content or our contributions. If the users are members of the XING platform, XING can assign their access to the above-mentioned content and functions to the user profiles on XING. Privacy policy:https://privacy.xing.com/de/datenschutzerklaerung.

4.6 LinkedIn

We integrate functions and content of the LinkedIn service provided by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland, into our online service. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content or subscribe to the authors of the content or our contributions. If the users are members of the LinkedIn platform, LinkedIn can assign their access to the above-mentioned content and functions to the user profiles on LinkedIn. Privacy policy: www.linkedin.com/legal/privacy-policy.

LinkedIn is certified under the Privacy Shield Framework and thereby offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active).

Privacy policy: https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

5. Deletion of personal data

We delete or limit the processing of data handled by us in line with Art. 17 and 18 of the GDPR. Unless otherwise regulated in this data privacy statement, we delete the data stored by us as soon as it is no longer required for the purpose of processing and there are no legal duties to preserve records preventing deletion. If the data is not deleted because it is required for other and legally permissible purposes, their processing is limited, i.e. the data is blocked and not processed for other purposes. This applies particularly to data subject to retention under commercial or tax law.

German law currently provides for the following retention periods: 6 years in line with section 257(1) of the German Commercial Code (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, posting documents etc.) and 10 years in line with section 147(1) of the German Revenue Code (books, records, management records, posting documents, commercial and business letters, documents relevant for taxation etc.).

6. Your rights

In line with Art. 7(3) of the GDPR, you have the right to revoke consent granted in line with Art. 7(3) of the GDPR with effect for the future.
In line with Art. 15 of the GDPR, you have the right to request confirmation as to whether the data concerned is being processed and to request information and copies of the data.
In line with Art. 16 of the GDPR, you have the right to request the completion of data or the correction of incorrect data concerning you.
In line with Art. 17 of the GDPR, you have the right to request that relevant data is promptly deleted or, alternatively, to demand a restriction on the processing of data in line with Art. 18 of the GDPR.
In line with Art. 20 of the GDPR, you have the right to request receipt of data concerning you, which you have provided to us, and to demand its transmission to other persons responsible.
In line with Art. 21 of the GDPR, you can object to the future processing of data concerning you at any time. The objection may take place particularly against processing for direct advertising purposes.
In line with Art. 77 of the GDPR, you have the right to file a complaint with the appropriate supervisory authority.

7. Data protection official of the person responsible

Contact details of our data protection official:

AFI Solutions GmbH
Data Protection Official
Sigmaringer Straße 109
70567 Stuttgart
eMail: datenschutz@afi-solutions.com

AFI Solutions GmbH as of 1 May 2018