Privacy Policy

  1. General
    1. Scope

This privacy policy relates to the following processing activities:

  • Use of our website(s)

    1. Controller

We take the protection of your personal data and the legal obligations to ensure data protection very seriously. The law requires full transparency regarding the processing of personal data. As a data subject you can only fully understand the specifics of the processing if you are duly informed about the purpose, nature and scope of the processing.

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

HAVI Logistics Business Services GmbH

Geitlingstraße 20
47228 Duisburg
Germany

hereinafter referred to as ‘controller’ or ‘we’.

You may contact our data protection officer at:
 havi@hewardmills.com

    1. Definitions

The terms used in this privacy policy (e.g. data categories, purposes and legitimate interests, as well as terms from the GDPR) are explained in the section ‘Definitions’ below.

    1. General information on data processing

We only process personal data to the extent permitted by law. We only disclose or transfer personal data to third parties in the cases described below. The personal data are protected by appropriate technical and organizational measures (e.g. pseudonymization, encryption).

Except where we are obliged by law to store the data or disclose or transfer them to third parties (including but not limited to prosecuting authorities), the decision which personal data we process and for how long and to which extent we may disclose or transfer them to third parties depends on the specific website features you use from time to time.

    1. How long we retain personal data

Any personal data will be deleted as soon as the purpose of the processing is no longer applicable or another reason for deletion pursuant to Art. 17 (1) GDPR applies (e.g. you have revoked your consent given to us). In exceptional cases, we may nevertheless continue to process your personal data if an exception to the deletion obligation applies, in particular pursuant to Art. 17 (3) GDPR or another applicable law (e.g. there is a statutory storage obligation).

    1. Automated individual decision-making, including profiling

Automated individual decision-making including profiling does not take place.

    1. Your rights

You have the right of access/right to information under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR and the right to data portability under Art. 20 GDPR.

You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

The supervisory authority responsible for us is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2-4
40213 Düsseldorf

However, you are free to lodge a complaint with another data protection supervisory authority.

    1. Our notification obligations

We will notify all recipients to whom your personal data has been disclosed of any rectification or erasure of your personal data or restriction of processing in accordance with Art. 16, Art. 17 (1) and Art. 18 GDPR, unless this notification is impossible or involves a disproportionate effort. We will inform you about the recipients if you request this.

    1. Your obligation to provide or disclose data

Unless otherwise stated in the information on the legal basis below, you are not obliged to provide personal data. If we base the processing on Art. 6 (1) (b) GDPR, your personal data is required for the fulfilment or conclusion of a contract. If you do not provide the personal data, it will not be possible to fulfil the contract or conclude the contract. If you do not provide the data in the cases of Art. 6 (1) (a) and/or Art. 6 (1) (f) GDPR, it will not be possible to use the offers concerned.

    1. Transfer of data to third countries

Data transfers to third countries outside the European Union (EU) and the European Economic Area (EEA) are only permitted in compliance with the special provisions of Art. 44 et seq. GDPR. If such a third country transfer occurs when processing your personal data, we will inform you below about the third country transfer and the basis for the transfer.

General information on the basis of the transfer:

If the transfer is based on an exception pursuant to Art. 49 GDPR, you will find the details in the appropriate place.

If the transfer is based on an adequacy decision within the meaning of Art. 45 GDPR, you will find an overview of the adequacy decisions here:

If the transfer is based on so-called standard contractual clauses of the EU Commission within the meaning of Art. 46 (2) (c) GDPR, you can find the implementing decision 2021/914 of the EU Commission, which contains the standard contractual clauses, here:

If the transfer is based on binding corporate rules (BCR) within the meaning of Art. 46 (2) (b) GDPR, you can find an overview of the published BCR here:

    1. Right to object

Pursuant to Art. 21 (1) GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (f) GDPR. If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes in accordance with Art. 21 (2) GDPR. The objection can be made without observing any form requirements and should be addressed to the contact details given above.

    1. Revocation of consent

In accordance with Art. 7 (1) GDPR, you have the right to withdraw your consent by mail or email at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. After you have withdrawn your consent, we will delete the personal data we have processed based on your consent unless there is another legal basis for the processing of these data.

The withdrawal is not subject to formal requirements and should be sent to the contact data stated above.

  1. Interrelation between the Privacy Notice and the Cookie Policy and Consent Tool

This privacy policy informs you about data processing based on the provisions of the GDPR and, if applicable, the German Federal Data Protection Act (BDSG). If the provisions of the German Telecommunications Digital Services Data Protection Act (TDDDG) are relevant for individual circumstances, you will find the information in the consent tool [LINK] and in the cookie policy. This also applies to information on storing or reading data on your end device.

  1. Use of our website(s)

The use of our website(s) and their functions regularly requires the processing of personal data. The following statements, unless otherwise indicated, refer to all websites that we operate and that link to this data protection information.

Please note that links on our website may take you to other websites that are not operated by us but by third parties. We either clearly mark such links or they can be recognized by a change in the address line of your browser. We are not responsible for compliance with data protection regulations and the secure handling of your personal data on these websites operated by third parties.

Provision of the website(s)
Purpose of processing: Advertising and personalized marketing activities; Information security
Legal basis: Art. 6 (1) (f) GDPR
Legitimate interests: Design, operation and availability of digital products; Customer acquisition, retention, and win-back; Promotion of sales activities; Operation, integrity and security of digital products
Categories of personal data: Connection data; Usage data
Data recipients: IT service providers
Intended transfer to third countries: None

Sign up to our personalized newsletter
Purpose of processing: Advertising and personalized marketing activities; User, prospect and/or customer support; Analysis and performance measurement as well as optimization of products and/or services
Legal basis: Art. 6 (1) (a), (f) GDPR
Legitimate interests: Customer acquisition, retention, and win-back; Promotion of sales activities; Promotion of economic interests; Advertising and image improvement, market and opinion research
Categories of personal data: Master data; Contact data; Usage data; Connection data
Data recipients: IT service providers
Intended transfer to third countries: None

Request for quotes
Purpose of processing: Advertising and personalized marketing activities; User, prospect and/or customer support
Legal basis: Art. 6 (1) (f) GDPR
Legitimate interests: Customer acquisition, retention, and win-back; Promotion of sales activities; Promotion of economic interests; Advertising and image improvement, market and opinion research; Promotion of legitimate interests within a group of undertakings
Categories of personal data: Master data; Contact data
Data recipients: IT service providers; HAVI firms in relevant markets
Intended transfer to third countries: Third countries on a case by case basis (adequacy decisions and standard data protection clauses)

Contacting us
Purposes: User, prospect and/or customer support
Legal basis: Art. 6 (1) (f) GDPR
Legitimate interest: Integration of desired or required functionalities; Promotion of sales activities; Analysis and optimization of our own offers, services and advertising measures; Customer acquisition, retention, and win-back; Promotion of legitimate interests within a group of undertakings
Categories of personal data: Connection data; Content data; if applicable, Master data and/or Contact data
Data recipients: IT service providers; HAVI firms in relevant markets
Intended transfer to third countries: Third countries on a case by case basis (adequacy decisions and standard data protection clauses)

Consent management
Purposes: Legal affairs and compliance
Legal basis: Art. 6 (1) (c), (f) GDPR
Categories of personal data: Usage data; Connection data; if applicable, Master data and/or Contact data
Legitimate interest: Prevention of criminal offenses, administrative offenses and other detrimental actions; Integration of desired or required functionalities
Data recipients: IT service providers
Intended transfer to third countries: Third countries on a case by case basis (adequacy decisions and standard data protection clauses)

Analytics and performance measurement
Purposes: Analysis and Performance measurement as well as optimization of products and/or services; Advertising and personalized marketing activities
Legal basis: Art. 6 (1) (f) GDPR
Legitimate interests: Analysis and optimization of our own offers, services and advertising measures; Promotion of sales activities; Advertising and image improvement, market and opinion research
Categories of personal data: Usage data; Connection data; if applicable, Content data
Data recipients: IT service providers
Intended transfer to third countries: Depending on the services used, for details see Cookie Policy or Consent Tool.

  1. Definitions

From the GDPR
This privacy policy uses the terms of the legal text of the GDPR. For example, the definitions (Art. 4 GDPR) can be found at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679. The definition of health data can be found in Art. 4 No. 15 GDPR. If other special categories of personal data are processed, you will find the definition in Art. 4, 9 (1) GDPR. If the data processed are personal data relating to criminal convictions and offences, you will find the definition in Art. 10 GDPR.

Further definitions

Data categories
When we specify the categories of data processed, this refers in particular to the following data:

  • Master Data (e.g. name, address, date of birth)
  • Contact Data (e.g. e-mail address, phone number, handles for messenger services)
  • Content Data (e.g. text input, photographs, videos, contents of documents/files)
  • Contract Data (e.g. subject of contract, terms, employee category)
  • Payment Data (e.g. bank details, payroll history, use of other payment service providers)
  • Usage Data (e.g. history on websites, use of certain content, access times, contact or order history)
  • Connection Data (e.g. device information, IP addresses, URL referrers)
  • Location Data (e.g. GPS data, IP geolocation, access points)
  • Diagnostic Data (e.g. crash logs, performance data of the website/app, other technical data for the analysis of faults and errors)
  • Job candidate and employee data (e.g. employment history, working hours, vacation periods, periods of incapacity for work, appraisals, training and further education, bank details, social security number, health insurance/health insurance number, salary expectations and salary data as well as the tax identification number, proofs and documents, working hours, public offices held, social security data, data on occupational integration management)

Purposes of data processing
In the following sections we have categorised the purposes pursued to improve comprehensibility and readability. In some instances, there may be overlaps with our “legitimate interests” (see definitions below) – this cannot be avoided.

Unless otherwise indicated, the following definitions apply:

  • Advertising and personalized marketing activities: This includes, for instance, launching public and, where applicable, access-restricted websites, apps and/or external pages for general information about our products/services (e.g., general website about our company, press pages, social media pages), personalized communication with users, prospects and/or customers (e.g., newsletters), display of (personalized) recommendations and advertising (e.g., personalized newsletters, display of advertising on other websites, search engines, social media pages and/or apps and generally in advertising networks), aggregation and linking of data (possibly involving third parties such as publishers in ad networks) to ensure commission entitlements on advertising material.
  • Safety and emergency management: This includes all processes which, in the relevant context, serve to ensure the relevant safety specifications and the prevention and/or handling of accidents and emergencies, such as access controls, video surveillance, logging, evacuation, personal rescue and damage limitation.
  • Analysis and performance measurement as well as optimization of products and/or services: This includes, for instance, opinion polls and voting, comparison tests (so-called A/B testing), analysis and (usually aggregated) evaluation of user, prospect and/or customer behavior in the online and/or offline area (e.g. through click paths, mouse movements and heat maps), analysis and evaluation of the success of general and, if applicable, personalized marketing measures, needs-based design of our (digital) products and services based on the analyzed demand and/or usage behavior.
  • Purchase order execution and contract management: This includes all processing operations required for the fulfilment of the relevant purchase orders/contracts, such as the processing of master and contact data for the execution and fulfilment of a customer’s purchase orders, payment processing including any necessary transfer of data to payment service providers, processing of returns, license verification.
  • Operations and development of internal IT systems: This includes, among other things, user management, authentication and technical logging, as well as IT support and the further development and adaptation of systems and the associated processing of personal data. This applies regardless of whether the IT systems are operated by the controller itself or by a service provider acting on the controller’s behalf (processor).
  • Job candidate management: This includes recruitment marketing and processes relating to the initiation of employment, such as processing applications (digital and analogue), communicating with job candidates, conducting job interviews, assessment center procedures and trial work, setting up talent pools and documenting the outcome of applications.
  • Business partner management: This includes all processes which serve to analyze and select suitable business partners and to maintain existing business relationships.
  • Warranty, guarantee, goodwill and general service: This includes, without limitation, the handling of warranty, guarantee and goodwill cases, as well as any information on updates, improvements and recalls.
  • Identity and/or creditworthiness check: The aim of the processing is to check the identity of the data subject, insofar as this is necessary for the relevant process, and/or to check the creditworthiness and/or solvency of a prospect or contractual partner.
  • Information security: This includes processing operations which serve to protect against hazards and to secure IT systems, as well as to achieve the protection goals of confidentiality, availability and integrity of data, systems and processes (e.g., distinguishing between human access and bot access, detecting and warding off abusive access, security-relevant analysis of the use of digital products and services).
  • Logistics and fleet management: This includes, among other things, the planning, management and control of our logistics, including external logistics service providers, and the management of our vehicle fleet, including compliance with legal obligations.
  • User, prospect and/or customer support: This includes, for instance, contact forms, chat systems including chat bots and callback options, and generally the handling of various inquiries (e.g., advice, service, complaints).
  • Human resources and HR management: This includes all processes relating to the performance of employment or processes that are closely related to employment, such as onboarding, HR administration, the fulfilment of employer obligations, personnel development including training and further education, voluntary employer benefits, HR planning and controlling, company health management, company social counselling, company co-determination, measures to terminate employment, investigative and disciplinary measures and offboarding.
  • Project management including project collaboration: Coordination and implementation of projects, project planning, project schedule management, exchange of information within projects, collaboration within projects.
  • Legal affairs and compliance: This includes, for instance, the assertion, exercise, and enforcement of legal claims and processes to ensure compliance with legal requirements (e.g., as part of data privacy consent management) and to prevent and/or detect and prosecute legal violations.
  • Event management: This includes all processes required for the implementation of offline and online events and meetings (e.g. registration, participant management, implementation of the event, processing of personal preferences and needs, data processing in the context of video conferencing and/or instant messaging services), photo, audio and/or video documentation of events, issuing of certificates of participation.
  • Administration: This includes processes that comprise, without limitation, basic business functions such as communication, accounting, invoicing and reporting, documentation and archiving, know-how and contact management.

Legitimate interests
In the following, we will outline our legitimate interests within the meaning of Art. 6 (1) (f) GDPR as categories to improve comprehensibility and readability. In some cases, there may be overlaps with our “purposes” (see the definitions above) – this cannot be avoided.

Unless otherwise stated, the following legitimate interests are to be understood as follows:

  • Promotion of sales activities: e.g. promoting our sales by evaluating the demand of our customers, analyzing the interests and purchasing and demand behavior of our prospects, users and/or customers.
  • Promotion of economic interests: e.g. measures to reduce and cut costs, avoidance/reduction of significant additional costs, general increase in earnings (especially through outsourcing to service providers) and avoidance of competitive disadvantages.
  • Advertising and image improvement, market and opinion research: e.g. opinion polls, voting, product and/or service ratings and other reviews, and the integration of these results.
  • Analysis and optimization of our own offers, services and advertising measures: e.g. analyzing user, prospective customer and/or customer behavior for the optimization of processes, services and products, needs-based design of our products, services and marketing measures and direct customer contact.
  • Design, operation and availability of digital products: e.g. incorporation of general functions of websites, apps and other digital products.
  • Operation, integrity and security of digital products: e.g. defense against requests overloading our digital services (denial of service attacks) or excessive use of bots to destabilize a platform, IT security measures such as storing log files and IP addresses over a longer period of time to detect and prevent misuse, including beyond the legally required level.
  • Direct marketing (personalized marketing): e.g., direct contact with interested parties and customers that is not based on consent, such as product recommendations based on interests expressed in the past, including the processing of data in preparation for direct marketing (e.g., customer segmentation, affinity ratings).
  • Integration of desired or required functionalities: Integration of functionalities that are in the interest of the customer, are displayed at the request of the customer and/or are necessary for the provision of the service (e.g., the integration of contact options on websites or in apps or, for instance, the possibility of saving configurations by the user (e.g., preferred language)).
  • Assert, exercise or defend against legal claims: e.g. preservation of evidence, to clarify the facts in the event of a foreseeable legal dispute.
  • Customer acquisition, retention, and win-back: e.g. operation of a customer relationship management (CRM) for prospect and customer care.
  • Freedom of expression, press, and broadcasting: e.g. processing operations previously covered by the so-called media privilege.
  • Protection of the body and health of the data subject: in particular, processing operations which are in the interest of the data subject and in the public interest (e.g. pastoral care).
  • Promotion of legitimate interests within a group of undertakings: Performance of organizational, procedural or entrepreneurial tasks within the cooperation of several affiliated companies (see the explanations in Recital 48 GDPR).
  • Prevention of criminal offenses, administrative offenses and other detrimental actions: e.g. fraud prevention, preventive measures within the framework of an internal control system, measures for the clarification of risks following corresponding suspicious cases or other indications of possible actions to the detriment of the controller or other persons.
  • Reducing risk of failure: Identification of economic, technical, procedural, or organizational risks to the company that could lead to a complete or partial failure of the company, parts of the company or products or services of the company.
  • Employee support: Integration or implementation of services and activities that are in the interests of employees, such as satisfaction surveys, voluntary events and activities, birthday lists, sending greeting cards, etc.
  • Employee retention: Integration or implementation of services and activities to achieve long-term employee loyalty to the employer, e.g. promotion of personal development, birthday lists, sending birthday gifts.
  • Other legitimate interests: Where relevant, these interests are explained separately at the respective points.

Categories of recipients
In the following section, we list the categories of recipients that we use in our privacy policy:

  • Associations, organizations and interest groups
  • Banks and other financial service providers
  • Contractual partners (without customers)
  • Customers and interested parties
  • Group companies and other affiliated companies
  • HR service providers
  • Insurances
  • IT service providers
  • Landlords
  • Opponents in legal disputes
  • Platform operators and media
  • Persons bound by the obligation of professional secrecy and their respective companies/entities (e.g. lawyers, tax advisors)
  • Public authorities and other public bodies
  • Suppliers