Data protection declaration

Holzmedia GmbH, Neue Str. 10, 71576 Burgstetten, as the operator of the website www.holzmedia.de is the controller within the meaning of the GDPR.

You can contact our data protection officer at any time with all data protection concerns at datenschutz@holzmedia.de.

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The scope and type of collection, processing and use of your data differs depending on whether you visit our website merely to retrieve generally available information or to make use of additional services. In principle, we process your personal data as part of our business activities for pre-contractual or contractual purposes. In addition, the exercise of our legitimate interest, your consent or compliance with legal requirements may also be the purpose of data processing by us. We will inform you about the specific purposes of data processing in the following sections.

We process your personal data in accordance with the following legal bases:

• for the fulfilment of pre-contractual or contractual obligations (Art. 6 para. 1 b) GDPR)
• on the basis of your consent (Art. 6 para. 1 a) GDPR)
• in the context of a balancing of interests (Art. 6 para. 1 f) GDPR)
• on the basis of legal requirements (Art. 6 para. 1 c) GDPR)

We will inform you about the specific legal basis for data processing in our respective processing operations.

If we process your personal data as part of a balancing of interests due to our overriding legitimate interest (legal basis for data processing is Art. 6 para. 1 f) GDPR), you have the right to object to this processing at any time for reasons arising from your particular situation. If you exercise your right to object, we will stop processing the data concerned. However, we reserve the right to continue processing (with the exception of direct advertising; here we will immediately observe your objection) if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defence of legal claims. Further rights of data subjects remain unaffected.

For purely informational use of our website, it is generally not necessary for you to provide personal data. Rather, when you visit our website, we only collect the data that your internet browser automatically transmits to us, such as:

• Referrer (previously visited website)
• Requested website or file
• Browser type and browser version
• Operating system used
• Type of device used
• Date and time of access
• IP address in anonymised form
• other similar data and information used for security purposes in the event of attacks on our information technology systems.

This is usually done through the use of log files. The purpose of the processing is to ensure the functionality and compatibility of our website for technically unproblematic use, including troubleshooting and protection against technical attacks and misuse. The legal basis for this processing is our legitimate interest in accordance with Art. 6 para. 1 f) GDPR. Our legitimate interest lies in the proper operation of our website. The log file data is deleted when it is no longer required for the purpose of processing.

If you make use of further services of our company via our website, it may be necessary for you to provide personal data for this purpose. Which personal data is required for the provision of services can be seen from the respective input screen or application. You can provide further information voluntarily. You can recognise which information is required and which is voluntary by the fact that the mandatory information is marked with an asterisk (*) or with the note "Mandatory field". Your data is processed solely for the purpose of providing the service you have requested. The legal basis for the processing of your personal data and the information about when your personal data will be deleted can be found in the description of the specific services.

We use an external service provider to host our website. The personal data collected on this website is stored on the hoster's servers. The host is used in the interest of secure, fast and efficient provision of our website (Art. 6 (I) (f) GDPR). Our hoster will only process your data to the extent necessary to fulfil its performance obligations within the scope of contractual obligations and instructions from us. We use IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany, as our hoster. We have concluded an order processing contract with the hoster in accordance

On our website we offer you the opportunity to contact us by e-mail. Please note that unencrypted communication by e-mail is insecure. It cannot be ruled out that data transmitted in this way may be read, copied, changed or deleted by unauthorised persons. The personal data that you provide when contacting us via an e-mail enquiry will only be processed for the purpose of handling your e-mail enquiry. It will only be passed on to third parties if this is necessary for the purpose of processing this contact. The legal basis for this processing is Art. 6 para. 1 b) GDPR. Your personal data will be deleted when it is no longer required to fulfil the purpose for which you contacted us. We would like to point out that your messages may have to be stored within the framework of statutory retention obligations. In this case, the legal basis is Art. 6 para. 1 c) GDPR

You can subscribe to our newsletter via our website. We use the CleverReach service to send newsletters and measure our marketing success. The provider is CleverReach GmbH & Co KG, CRASH Building, Schafjückenweg 2, 26180 Rasted. We have concluded a contract with CleverReach for order data processing and thus implement the data protection requirements. Further details can be found in CleverReach's privacy policy at www.cleverreach.com/de-de/datenschutz.

When you subscribe to our newsletter, your e-mail address and your e-mail address and your consent are collected. The purpose is to be able to send you the newsletter and to document our authorisation to do so. The legal basis for the processing is Art. 6 para. 1 a) GDPR. You can revoke this consent at any time with effect for the future by unsubscribing from the newsletter; we provide a corresponding link for this purpose in every newsletter message. The legality of the data processing operations that have already taken place remains unaffected by the cancellation.

The following data is also collected to log the registration process: Your IP address and the date and time of registration. The logging is based on our legitimate interests in accordance with Art. 6 para. 1 f) GDPR and serves as proof of consent to receive the newsletter.

Our newsletters also enable us to analyse your behaviour. Among other things, this allows us to analyse whether and when you have read our newsletter and whether you have followed any links contained in the newsletter.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the CleverReach servers after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail address) remain unaffected by this.

We have taken technical and organisational measures to protect our website and other systems against loss, destruction, access, modification or dissemination of your data by unauthorised persons. We use the TLS 1.2 (Transport Layer Security) coding system.

We use cookies or similar technologies for various purposes, e.g. to ensure the functionality, security and convenience of online offers and to create analyses of visitor flows.

Cookies are small text files that are stored on your computer when you visit our website. Comparable technologies are so-called web storage technologies (also called "local data" and "local storage"); data is stored locally in the memory of your browser ("cache"). In the following, we summarise cookies and comparable technologies under the term "cookie" for reasons of better readability.

We use cookies in accordance with the statutory provisions. We therefore obtain prior consent from users, unless this is not required by law.

If users consent, the legal basis for the processing of their data is the declared consent in accordance with Art. 6 para. 1 a) GDPR. The revocable consent is clearly communicated to the users and contains the information on the respective cookie use. Further information about the individual cookies or comparable technologies and their purpose can be found in our data protection settings.

Consent is not required in particular if the storage and reading of information, including cookies, is absolutely necessary in order to provide users with a telemedia service (i.e. our online offering) that they have expressly requested. In these cases, the legal basis for processing your data is the fulfilment of our contractual obligations in accordance with Art. 6 Para. 1 b) GDPR, compliance with legal obligations in accordance with Art. 6 Para. 1 c) GDPR or our legitimate interest (e.g. in the economic and secure use of our online offer and improvement of its usability) in accordance with Art. 6 Para. 1 f) GDPR. Further information on the individual cookies and their purpose can be found in our data protection settings.

If you wish, you can delete the cookies at any time. However, this may mean that individual functions are no longer available to you. To delete cookies, please refer to the help function of your browser or change your settings in the data protection settings.

Klaro

This website uses the cookie consent tool Klaro from the provider KIProtect GmbH, Bismarckstr. 10-12, 10625 Berlin, Germany. The purpose of the processing is to obtain and document consent to the storage of certain cookies on your end device or to the use of certain technologies and to technically enable the revocation of consent given. The service is hosted locally on our server. Data is not passed on to third parties. Klaro stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The legal basis for the processing of the data is Section 25 (2) No. 2 TDDDG and Art. 6 (1c) and (f) GDPR to fulfil our legal obligation to obtain consent to the processing of personal data in accordance with the provisions of the applicable data protection laws and to document this consent. The data collected in this way is stored until you ask us to delete it, delete the Klaro cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention obligations remain unaffected. Further information can be found in the privacy policy at klaro.org/resources/privacy

No web analysis takes place on our website.

We maintain publicly accessible profiles on social networks. The individual social networks we use are listed below.

Social networks such as Facebook etc. can generally analyse your user behaviour comprehensively when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations.

In detail: If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case, this data is collected, for example, via cookies that are stored on your end device or by recording your IP address, and the operators of the social media portals can use the data collected in this way to create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or were logged in. please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis

Our social media presence is intended to ensure an informative presence on the Internet. This is a legitimate interest within the meaning of Art. 6 para. 1 f) GDPR. In necessary cases, the legal basis is also Art. 6 para. 1 a) GDPR. The analysis processes initiated by the social networks themselves may be based on other legal bases that must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 para. 1 a) GDPR).

Controller and assertion of rights

If you visit one of our social media sites, we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, rectification, erasure, restriction of processing, data portability and complaint) both against us and against the operator of the respective social media portal. Please note that, despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing procedures of the social media portals. Our options are largely determined by the company policy of the respective provider.

Storage period

The data collected directly by us via the social media presence is deleted from our systems as soon as the purpose for its storage no longer applies, you ask us to delete it or revoke your consent to its storage. Stored cookies remain on your end device until you delete them. Mandatory statutory provisions - in particular retention periods - remain unaffected, and we have no influence on the storage period of your data that is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

Social networks in detail

Facebook

We have a profile on Facebook. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. We link to this profile on our website. If you follow a corresponding link by clicking on it, this provider stores and uses your data (IP address and other personal data) for the provision of the service and for its own business purposes. It cannot be ruled out that your personal data will also be transferred to Meta Platforms Inc. based in the USA. Meta has certified itself under the EU-US Data Privacy Framework for compliance with the level of data protection applicable in the EU. The certificate can be viewed at www.dataprivacyframework.gov/s/. Further information on data protection by Facebook can be found at www.facebook.com/about/privacy/

Instagram

We have a profile on Instagram. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. We link to this profile on our website. If you follow a corresponding link by clicking on it, this provider stores and uses your data (IP address and other personal data) for the provision of the service and for its own business purposes. It cannot be ruled out that your personal data will also be transferred to Meta Platforms Inc. based in the USA. Meta has certified itself under the EU-US Data Privacy Framework for compliance with the level of data protection applicable in the EU. The certificate can be viewed at www.dataprivacyframework.gov/s/. Further information on data protection by Instagram can be found at www.instagram.com/about/legal/privacy.

XING

We use XING. The provider is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. We link to this profile on our website. If you follow a corresponding link by clicking on it, this provider stores and uses your data (IP address and other personal data) for the provision of the service and for its own business purposes. Details on how they handle your personal data can be found in XING's privacy policy: privacy.xing.com/de/datenschutzerklaerung

If we use additional functions and content (e.g. map or font services) on our website by means of which we or the provider of the services process your personal data, we will inform you about this here.

Mapbox

This website uses Mapbox, a map service from Mapbox Inc, 740 15th Street NW, 5th Floor, 20005 Washington D.C., USA, to display an interactive map. Your browser also transfers personal data to Mapbox in the USA. Mapbox has certified itself within the framework of the EU-US Data Privacy Framework for compliance with the level of data protection applicable in the EU. The certificate can be viewed at www.dataprivacyframework.gov/s/. The legal basis for the use of Mapbox is your consent in accordance with Art. 6 (1) a) GDPR. You can revoke your consent at any time with effect for the future by removing the tick here. You can find more information about data processing by Mapbox at www.mapbox.com/legal/privacy.

Vimeo

Plugins from the Vimeo video portal of Vimeo Inc, 555 West 18th Street, New York, New York 10011, USA are integrated on our website. Each time you access a page that offers one or more Vimeo video clips, a direct connection is established between your browser and a Vimeo server in the USA. Information about your visit and your IP address is stored there; Vimeo also places cookies in your browser. Through interactions with the Vimeo plugins (e.g. clicking the start button), this information is also transmitted to Vimeo and stored there. Your personal data will also be transmitted to the service provider based in the USA. It also cannot be ruled out that the use of Vimeo may result in Google services being reloaded by Vimeo itself without us having any influence over this; the services reloaded by Vimeo are Google Static. Vimeo Inc. has certified itself under the EU-US Data Privacy Framework for compliance with the level of data protection applicable in the EU. The certificate can be viewed at www.dataprivacyframework.gov/s/. The legal basis for the use of Vimeo is your consent in accordance with Art. 6 (1) a) GDPR. You can revoke your consent at any time with effect for the future by removing the tick here. You can find more information about the service provider and the associated privacy policy at www.vimeo.com/privacy.

If we provide links to websites of other organisations, this privacy policy does not apply to the processing of personal data by that organisation. We therefore recommend that you read the data protection notices on the other websites you visit.

We have bundled certain data processing procedures in our company. These can be performed centrally by our individual divisions, e.g. for processing enquiries. External contractors and service providers (e.g. logistics companies or IT service providers) may also be used to ensure the fulfilment of our tasks and contracts. In addition, data may be passed on to recipients to whom we are obliged or authorised to pass on data on the basis of contractual or legal obligations or on the basis of your consent.

Data transfer to third countries

Data will only be transferred to third countries (countries outside the EU and the European Economic Area EEA) if this is necessary for the performance of a contract/order/business relationship, including the initiation thereof, or if this is permitted by our legitimate interest or on the basis of your consent and only in compliance with the data protection requirements prescribed for this purpose.

Note on data transfer to the USA

As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognised the level of data protection for certain companies from the USA as secure as part of the adequacy decision of 10.07.2023. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at www.dataprivacyframework.gov/. We will inform you which of the service providers we use are certified under the DPF in this privacy policy for the respective service.

We only process your personal data for as long as is necessary to fulfil the respective purpose or until there is no longer a legal basis for the processing (e.g. revocation of consent to data processing). We observe the existing statutory retention and storage periods.

You have the right to:

• to receive information free of charge about the personal data we have stored about you (right to information)
• to request confirmation as to whether we are processing personal data concerning you (right to confirmation)
• to demand that we erase the personal data concerning you without undue delay, provided that the processing is no longer necessary and the other requirements of the GDPR for erasure are also met (right to erasure)
• to demand the immediate rectification and completion of inaccurate personal data concerning you (right to rectification)
• to request the restriction of the processing of your personal data (right to restriction of processing)
• to receive the personal data concerning you in a structured, commonly used and machine-readable format (right to data portability)
• to object to the processing of your personal data (right to object)
• you have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you (right to individual decision-making)
• to withdraw your consent to the processing of your personal data at any time with effect for the future
• to lodge a complaint with the supervisory authority responsible for data protection if you believe that the processing of your personal data violates the GDPR (right to lodge a complaint).

For further information on your rights, please contact our data protection officer.

In order to ensure that our privacy policy always complies with the current legal requirements, we reserve the right to make changes at any time. This also applies in the event that the privacy policy has to be adapted due to new or revised services, for example new services.