1. data protection at a glance
General information
We, PONGS GROUP GmbH & CO. KG (hereinafter “PONGS®” or “we”), take the protection of your personal data very seriously and strictly adhere to the rules of the currently applicable data protection laws, especially the General Data Protection Regulation (hereinafter: “GDPR”, Regulation (EU) 2016/679) of the European Parliament and Council.
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data are all data with which you can be personally identified. Personal data is collected and processed on our websites and when using our services only to the extent necessary and for specific purposes. Detailed information on the subject of data protection can be found in our privacy policy listed below this text.
Scope of the data protection declaration
The following statement provides an overview of how we ensure data protection, what type of data is collected for what purpose, and on what legal basis it is collected and processed. It applies to all websites operated by PONGS® and when you contact us through other communication channels. If PONGS® websites deviate from these data processing principles or supplement them with their own, this will be made clear on the respective websites in an appropriate manner.
Data collection on this website
Who is responsible for data collection on this website?
The data processing on this website is carried out by the website operator. You can find their contact details in the “Note on the Responsible Party” section of this privacy policy.
How do we collect your data?
Your data is collected on the one hand by you providing it to us. This can be data that you enter in a contact form, for example. Other data is automatically collected or with your consent when you visit the website by our IT systems. This is mainly technical data (e.g., internet browser, operating system, or time of page access). The collection of this data occurs automatically as soon as you enter this website.
What do we use your data for?
Part of the data is collected to ensure the error-free provision of the website. Other data may be used to analyze your user behavior.
What rights do you have regarding your data?
You have the right at any time to receive free information about the origin, recipient, and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances. Furthermore, you have the right to lodge a complaint with the competent supervisory authority. More detailed information on this can be found in section 3.11, “Data Protection Rights.” For this and any other questions on the subject of data protection, you can contact us at any time.
Analysis tools and third-party tools
When visiting this website, your browsing behavior can be statistically evaluated. This is mainly done with so-called analysis programs. Detailed information about these analysis programs can be found in the following privacy policy.
2. Hosting
External hosting
This website is hosted externally. The personal data collected on this website is stored on the servers of the host(s). This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated via a website.
External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast, and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR).
If appropriate consent has been requested, the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.
Our host(s) will only process your data to the extent necessary to fulfill their performance obligations and follow our instructions regarding this data.
3 General notes and mandatory information
3.1 Data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data are collected.
Personal data is data with which you can be personally identified. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this happens.
We point out that data transmission on the internet (e.g., when communicating by email) can have security gaps. A complete protection of the data from access by third parties is not possible.
3.2 Note on the responsible entity
The responsible party for data processing on this website is:
PONGS GROUP GmbH & CO. KG
Villa Lantz, Lohauser Dorfstraße 51 – Lantz’scher Park, 40474 Düsseldorf
Germany
Phone: +49 211 54230-800
Email: info@pongs.de
Website: www.pongs.com
The responsible party is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g., names, email addresses, etc.).
3.3 Contact details of the data protection officer
PONGS GROUP GmbH & CO. KG
Villa Lantz, Lohauser Dorfstraße 51 – Lantz’scher Park, 40474 Düsseldorf
Germany
Phone: +49 211 54230-811
Email: datenschutz@pongs.de
Website: www.pongs.com
3.4 Data processing by calling up our internet pages
PONGS® automatically collects and stores information in its server log files that your browser or app transmits to us. These data cannot be assigned to specific individuals by PONGS®. A combination of these data with other data sources is not carried out.
These are:
Browser type/version
Operating system used
Referrer URL (the previously visited page)
Hostname of the accessing computer (IP address v4 and v6)
Time of the server request
The IP address is the worldwide valid, at the time of allocation by your internet provider unique identification of your computer and consists, in its most common form (IPv4), of four blocks of digits separated by dots, or extended by additional digits (IPv6). Usually, as a private user, you will not use a constant IP address, as you are assigned a temporary IP address by your provider (so-called “dynamic IP address”). In the case of a permanently assigned IP address (so-called “static IP address”), it is technically easy to assign user data via this feature.
3.5 The aforementioned data is processed by us mainly for the following purposes:
- Ensuring a smooth connection setup of the website
- Ensuring a comfortable use of the aforementioned website
- Evaluation of system security and stability
The personal data of the server log files are processed based on Art. 6 para. 1 lit. f GDPR. This legal basis allows the processing of personal data within the framework of the “legitimate interest” of the controller, provided that your fundamental rights, freedoms, or interests do not outweigh them. Our legitimate interest lies in easier administration and the ability to detect and track hacking. You can object to this data processing at any time if there are reasons arising from your particular situation that speak against the data processing. A simple email to the data protection officer is sufficient for this. Our legitimate interest follows from the above-listed purposes for data collection. In no case do we use the collected data for the purpose of drawing conclusions about your person.
The server log files with the aforementioned data are automatically deleted after 30 days or anonymized in the case of use for statistics. We reserve the right to store the server log files longer if facts exist that suggest the assumption of an unauthorized access (such as the attempt of hacking or a so-called DDOS attack).
3.6 Linking to external websites
This privacy policy applies exclusively to the PONGS® websites. These may contain links to third-party web offerings. This privacy policy does not extend to these. If you leave the PONGS® websites to visit a third-party offering, we recommend that you carefully read the privacy policy of the respective provider.
3.7 Storage period
Unless a specific storage period has been specified within this privacy policy, your personal data will remain with us until the purpose for data processing ceases to apply. If you assert a legitimate request for deletion or revoke consent for data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods (HGB or AO)); in the latter case, the deletion will take place after these reasons no longer apply.
3.8 Information about cookies and the use of analysis tools
General:
PONGS® uses so-called cookies on its websites and in its apps in several places. They serve to make our offer more user-friendly, effective, and secure. Cookies are small text files that are stored on your computer and saved by your browser. Most of the cookies we use are so-called “session cookies.” They are automatically deleted after your visit. Cookies do not harm your computer and do not contain viruses.
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our internet site cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page change. The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f GDPR.
If appropriate consent has been requested, the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information on the user’s device within the meaning of the TTDSG. Consent can be revoked at any time. The legal basis for the processing of personal data using cookies for analysis purposes and for controlling and evaluating advertisements is Art. 6 para. 1 lit. a GDPR.
If cookies from third-party companies or for analysis purposes are used, we will inform you about this separately within this privacy policy and, if necessary, request your consent.
3.9 Note on data transfer to the USA and other third countries
We use tools from companies based in the USA or other third countries whose data protection level may not meet EU standards. These tools are activated only with your active consent, which is obtained via the Cookie Consent Banner. This consent can be revoked at any time. When these tools are active, your personal data can be transferred to these third countries and processed there. We point out that in these countries, it may not be possible to guarantee a data protection level comparable to that in the EU.
The transfer of personal data to these third countries generally takes place within the framework of order processing based on an EU adequacy decision and the signing of standard data protection clauses, taking into account contractual, technical, and organizational measures to comply with the data protection level of the EU. If data transfer to a third country that does not meet these criteria occurs, it happens in exceptional cases based on a legal obligation or your active consent.
EU-US Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level for certain companies from the USA within the framework of the adequacy decision of 10.07.2023 as safe. You can find the list of certified companies and more information about the DPF on the US Department of Commerce website at Data Privacy Framework (in English). We inform you within the privacy notices which service providers we use are certified under the Data Privacy Framework.
3.10 Recipients or categories of recipients of the personal data
Within the company, only those departments that need the data to fulfill contractual and legal obligations or to implement our legitimate interest (e.g., sales) have access to it. Processors we use in accordance with Art. 28 GDPR can also process data for these purposes, such as IT service providers, cloud providers, and disposers in the area of data destruction. All service providers are contractually obligated to treat your data confidentially.
A transfer of data to recipients outside the company only takes place in compliance with applicable data protection regulations. Recipients of personal data can be companies in the logistics sector, service providers, suppliers, subcontractors, tax consultants, auditors, credit and financial service providers, credit agencies, debt collection companies, lawyers, and authorities. In such cases, information is passed on to these companies or individuals to enable further processing.
3.11 In addition to the above information, an overview of your other data protection rights follows below:
Right to confirmation (Article 15(1) of the GDPR).
Every data subject has the right granted by the European directives and regulations to obtain confirmation from the controller as to whether personal data concerning them is being processed. If a data subject wishes to exercise this right of confirmation, they can contact an employee of the controller at any time.
Right of access to the personal data concerned (Art. 15 DS-GVO)
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations to obtain at any time from the controller free information about the personal data stored about them and a copy of this information. The European directives and regulations also grant the data subject information about the following:
- The purposes of the processing
- The categories of personal data processed
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly in recipients in third countries or international organizations
- Where possible, the planned duration for which the personal data will be stored, or if this is not possible, the criteria used to determine that period
- The existence of a right to rectification or erasure of personal data concerning them, or to restriction of processing by the controller, or to object to such processing
- The existence of a right to lodge a complaint with a supervisory authority
- If the personal data is not collected from the data subject: Any available information about the source of the data
The existence of automated decision-making, including profiling, referred to in Article 22 paras.1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Furthermore, the data subject has the right to be informed whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to exercise this right to information, they can contact an employee of the controller at any time.
Right to rectification (Art. 16 DS-GVO)
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, they can contact an employee of the controller at any time.
Right to erasure (Art. 17 DS-GVO)
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations to obtain from the controller the erasure of personal data concerning them without undue delay, where one of the following grounds applies and insofar as the processing is not necessary:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Art. 21 para. 1 GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21 para. 2 GDPR.
- The personal data has been unlawfully processed.
- The erasure of the personal data is required to fulfill a legal obligation under Union or Member State law to which the controller is subject.
- The personal data has been collected in relation to the offer of information society services referred to in Art. 8 para. 1 GDPR.
If one of the above reasons applies and a data subject wishes to arrange for the deletion of personal data stored by PONGS GROUP GmbH & CO. KG, they can contact an employee of the controller at any time. The employee of PONGS GROUP GmbH & CO. KG will ensure that the deletion request is complied with without delay.
If the personal data has been made public by PONGS GROUP GmbH & CO. KG and our company is responsible under Art. 17 para. 1 GDPR for the deletion of the personal data, PONGS GROUP GmbH & CO. KG, taking into account the available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to or copies or replications of the personal data, insofar as the processing is not necessary. The employee of PONGS GROUP GmbH & CO. KG will arrange the necessary measures in individual cases.
Right to restriction of processing (Art. 18 DS-GVO)
You have the right to request the restriction of the processing of your personal data. To do this, you can contact us at any time. The right to restriction of processing exists in the following cases:
- If you contest the accuracy of your personal data stored with us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of the processing of your personal data.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it to establish, exercise, or defend legal claims, you have the right to request the restriction of the processing of your personal data instead of erasure.
- If you have objected to processing pursuant to Art. 21 para. 1 GDPR, a balancing of your and our interests must be carried out. As long as it has not been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
- If you have restricted the processing of your personal data, this data may – apart from its storage – only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Right to data portability (Art. 20 DS-GVO)
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, insofar as the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR, and the processing is carried out by automated means, provided the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, when exercising their right to data portability pursuant to Art. 20 para. 1 GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.
To assert the right to data portability, the data subject can contact an employee of PONGS GROUP GmbH & CO. KG at any time.
Right to object to processing (Art. 21 DS-GVO)
Many data processing operations are only possible with your explicit consent. You can revoke any consent you have given at any time. The legality of the data processing carried out before the revocation remains unaffected by the revocation.
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on Art. 6 para. 1 lit. e or f GDPR. This also applies to profiling based on these provisions.
PONGS GROUP GmbH & CO. KG will no longer process the personal data in the event of an objection unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defense of legal claims.
If PONGS GROUP GmbH & CO. KG processes personal data to carry out direct marketing, the data subject has the right to object at any time to the processing of personal data for such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to PONGS GROUP GmbH & CO. KG processing for direct marketing purposes, PONGS GROUP GmbH & CO. KG will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to their particular situation, to object to the processing of personal data concerning them for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.
To exercise the right to object, the data subject can contact any employee of PONGS GROUP GmbH & CO. KG directly. A simple message in text form is sufficient. The data subject can write to us or contact us by email. The data subject is also free to exercise their right to object in the context of the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.
Right to automated decisions in individual cases, including profiling (Art. 22 DS-GVO).
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, provided that the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is based on the data subject’s explicit consent.
If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a controller, or (2) it is based on the data subject’s explicit consent, PONGS GROUP GmbH & CO. KG will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, which include at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.
If the data subject wishes to exercise rights concerning automated decisions, they can contact an employee of the controller at any time.
For the establishment, performance, or termination of the business relationship and for pre-contractual measures, we do not generally use fully automated decision-making pursuant to Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you separately or obtain your consent, if legally required.
Right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal (Art. 7(3) DS-GVO).
Every data subject affected by the processing of personal data has the right granted by the European directives and regulations to withdraw consent to the processing of personal data at any time without affecting the lawfulness of the processing based on consent before its withdrawal.
If the data subject wishes to exercise their right to withdraw consent, they can contact an employee of the controller at any time.
Right of appeal to a supervisory authority (Art. 77 DS-GVO)
If there are violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or the place of the alleged violation. The right to lodge a complaint is without prejudice to other administrative or judicial remedies.
Is there an obligation to provide data?
As part of the contractual relationship or pre-contractual measures, you must provide the personal data that is required for the initiation, performance, and termination, as well as the fulfillment of the associated contractual obligations or for which we are legally obliged to collect. Without this data, we will generally not be able to carry out the necessary pre-contractual measures or the contractual relationship with you.
3.12 SSL or TLS encryption
For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this site uses SSL or TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.
If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
3.13 Contact form
If you send us inquiries via the contact form, your details from the inquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent.
The processing of these data is based on Art. 6 para. 1 lit. b GDPR, provided that your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.
The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions – especially retention periods – remain unaffected.
3.14 Inquiry by e-mail, telephone or fax
If you contact us by email, phone, or fax, your inquiry, including all resulting personal data (name, inquiry), will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.
The processing of these data is based on Art. 6 para. 1 lit. b GDPR, provided that your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested; the consent can be revoked at any time.
The data you send to us via contact inquiries will remain with us until you request us to delete it, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after your request has been processed). Mandatory legal provisions – especially statutory retention periods – remain unaffected.
3.15 Objection to advertising e-mails
We hereby object to the use of contact data published within the scope of the imprint obligation for sending unsolicited advertising and information materials. The operators of the pages expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as spam emails.
4. analysis tools and other cookies
4.1 Matomo
This website uses Matomo, an open-source web analysis tool, to collect anonymous usage data for this website. The software creates detailed statistics, including search engines used, search terms, browsers, and user origin.
The provider of this service is InnoCraft Ltd., 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand.
Matomo sets a cookie in your browser for data collection.
To activate Matomo, we obtain your active consent via our Cookie Consent Banner. Thus, the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.
The storage period of the cookie is 30 minutes.
The data about your behavior when visiting the website is collected to identify potential problems such as not found pages, search engine problems, or unpopular pages. Once the data (number of website visitors seeing error pages or only one page, etc.) is processed, Matomo generates reports for the website operator so that they can respond technically or content-wise.
Matomo processes the following data:
- Cookies
- Anonymized IP addresses by removing the last 2 bytes (e.g., 198.51.0.0 instead of 198.51.100.54)
- Pseudonymized location (based on the anonymized IP address)
- Date and time
- Title of the accessed page
- URL of the accessed page
- URL of the previous page (if this allows)
- Screen resolution
- Local time
- Information on files clicked and downloaded
- External links
- Duration of page load
- Country, region, city (with low accuracy due to the reference to the IP address)
- Main language of the browser
- agent of the browser
- Interactions with forms, but not storing their content
More about the data processed by Matomo can be found in Matomo’s privacy policy: Matomo Privacy Policy
4.2 Borlabs Cookie
This website uses Borlabs Cookie, which sets a technically necessary cookie (borlabs-cookie) to store your cookie consents in your browser and document them in a data protection-compliant manner. The provider of this technology is Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg, Germany (hereinafter Borlabs).
When you enter our website, a Borlabs cookie is stored in your browser, in which the consents you have given or the revocation of these consents are stored. These data are not passed on to the provider of Borlabs Cookie.
Among other things, the following data is stored:
- Cookie duration
- Cookie version
- Domain and path of the WordPress website
- Consents chosen by the user
- UID (a randomly generated ID for the user)
The collected data will be stored until you request us to delete it, the Borlabs cookie itself is deleted, or the purpose for data storage no longer applies. The Borlabs cookie has a storage duration of 1 week. Mandatory legal retention periods remain unaffected. Details on the data processing of Borlabs Cookie can be found at Borlabs Cookie Data Processing
The use of the Borlabs Cookie Consent technology takes place to obtain the legally required consents for the use of cookies. The legal basis for this is Art. 6 para. 1 S. 1 lit. c GDPR.
5. matterport (virtual 3D tour)
For this website, PONGS® uses the Matterport service platform to provide the virtual 3D tour. The provider is Matterport, Inc., 352 E. Java Dr. Sunnyvale, CA 94089, USA. To ensure data protection on this website, the virtual tour is deactivated when you first visit our website. A direct connection to the servers of Matterport is only established if you activate the virtual tour yourself.
This requires your active consent according to Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. This consent is obtained via the Cookie Consent Banner. By consenting to the activation of Matterport, you also consent to the aforementioned transfer of the data collected to the USA and other third countries.
As part of the so-called EU-US Data Privacy Framework (DPF), the EU Commission has also recognized the data protection level for certain companies from the USA within the framework of the adequacy decision of 10.07.2023 as safe. However, the provider Matterport has not yet been certified under the DPF.
Thus, the aforementioned transfer of the data collected to the USA occurs to a provider that cannot guarantee a data protection level comparable to that in the EU, as the adequacy decision of the European Commission for the USA under Art. 45 para. 3 GDPR in the form of the DPF does not apply here. Moreover, appropriate safeguards according to Art. 46 para. 1 GDPR are missing. Therefore, the legal basis for the data transfer is your above-mentioned consent according to Art. 49 para. 1 lit. a GDPR.
This consent can be revoked at any time.
The consent is obtained on our website via the so-called “two-click solution”: Access to the virtual tour is thus only possible after consent (1st click); only then can the virtual tour be started with another, 2nd click, and a data connection to Matterport is established.
Your consent is given voluntarily; not giving consent has no disadvantages. As stated, the virtual tour is merely an additional offer.
If you start the virtual tour on our website, a connection to the Matterport server in the USA is established. The Matterport server is informed which of our pages you are visiting. Matterport also obtains your IP address, the type and version of your internet browser, the operating system model, and the identifier of your computer or mobile device as well as your usage patterns associated with the services. This applies even if you are not logged in to Matterport or do not have an account with Matterport. The information collected by Matterport is transmitted to the Matterport server in the USA. If you have a Matterport account and are logged in, you enable Matterport to assign your browsing behavior directly to your personal profile. You can prevent this by logging out of your Matterport account.
When you leave or refresh our website, the connection to the Matterport server is automatically disconnected again. If you visit our website again later, you must consent again to the processing of your personal data.
According to its statement, Matterport uses the information mentioned to manage and improve its services, diagnose problems with its services, and better assess the use of the services. The Ministry of Economics has no influence on the type and scope of the data processed by Matterport, the way it is processed and used, or the transfer of this data to third parties. Therefore, we explicitly point out that you use the Matterport service platform at your own risk.
You can find Matterport’s privacy policy at Matterport Privacy Policy.
6. newsletter
Newsletter data
If you want to receive the newsletter offered on the website, we need your valid email address and information that allows us to verify that you are the owner of the email address provided and agree to receive the newsletter. Further data is not collected or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.
The processing of the data entered in the newsletter registration form is based solely on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to the storage of data, the email address, and its use for sending the newsletter at any time, for example, via the “unsubscribe” link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.
With the newsletter, we inform you at regular intervals about our offers. During the registration process for the newsletter, your consent will be obtained and this privacy policy referred to. The registration for our newsletter takes place in a so-called double-opt-in procedure. This means: After the actual registration, you will receive an email in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with third-party email addresses. The registrations for the newsletter are logged to prove the registration process according to legal requirements. This includes storing the registration and confirmation times as well as the IP address. Changes to your data stored by the newsletter service provider are also logged.
No comparison of the data collected with data that may be collected by other components of our site is carried out.
The data you provide to us for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe. We reserve the right to delete or block email addresses from our newsletter distribution list at our discretion within the framework of our legitimate interest according to Art. 6 para. 1 lit. f GDPR.
Data that has been stored by us for other purposes remains unaffected by this.
After you unsubscribe from the newsletter distribution list, your email address will be stored by us or the newsletter service provider in a blacklist if necessary, to prevent future mailings. The data from the blacklist will only be used for this purpose and not combined with other data. This serves both your interest and our interest in complying with the legal requirements for sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). Storage in the blacklist is not time-limited. You can object to the storage if your interests outweigh our legitimate interest.
7. plugins and tools
7.1 YouTube
This website integrates videos from the YouTube website. The operator of the site is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
When you visit one of our web pages that has YouTube embedded, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited.
Your data may be transferred to the USA. There is an adequacy decision by the EU Commission for the USA, the EU-US Privacy Framework (DPF). Google, as the parent company of YouTube, has certified itself under the DPF and is thereby committed to complying with European data protection principles.
The activation of YouTube on this page requires your active consent according to Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. This consent is obtained via the Cookie Consent Banner. By consenting to the activation of YouTube, you also consent to the aforementioned transfer of the data collected to the USA.
This consent can be revoked at any time.
If you accept only essential cookies (technically necessary), the aforementioned transfer will not occur.
Furthermore, YouTube may store various cookies on your device or use similar technologies for recognition (e.g., device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to collect video statistics, improve user-friendliness, and prevent fraud attempts.
The storage duration is 6 months.
If you are logged into your YouTube account, you enable YouTube to assign your browsing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.
For more information on how user data is handled, please refer to YouTube’s privacy policy at: Google Privacy Policy.
7.2 Google Maps
This page uses the Google Maps mapping service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transmitted to a Google server in the USA and stored there. An adequacy decision of the EU Commission, the EU-US Privacy Framework (DPF), exists for the USA. Google has certified itself under the DPF and thus committed to complying with European data protection principles.
PONGS has no influence on this data transmission. By integrating Google Maps, we can provide you with the most important information about various locations. You see the company locations depicted there and, if needed, the way to the respective location. For this purpose, Google Maps stores certain data to be able to offer the service. Your consent is required for this.
The data collected and stored includes, among other things, the search terms entered, your IP address, and any entered latitude and longitude coordinates. If you use the route planner function, the entered start address is also stored. Since we have integrated Google Maps into our website, Google sets at least one cookie (name: NID) in your browser. This cookie stores data about your user behavior. Google uses this data to optimize its own services and to provide you with individual, personalized advertising.
The storage period is 6 months.
Activating Google Maps on this page requires your active consent according to Art. 6 para. 1 lit. a GDPR and § 25 TTDSG. This consent is given via the cookie consent banner. By consenting to activate Google Maps, you also consent to the aforementioned transmission of the data collected in this process to the USA.
This consent can be revoked at any time.
More information on the handling of user data can be found in Google’s privacy policy:
7.3 LinkedIn
Privacy Policy for Using the LinkedIn Page of PONGS
PONGS uses the technical platform and services of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, for its information service.
Usage Notice.
Please be aware that you use the LinkedIn page of PONGS and its features at your own responsibility. This is especially true for interactive features provided by LinkedIn, such as commenting or rating. For information on the data processed by LinkedIn and the purposes for which it is used, please refer to LinkedIn’s Privacy Policy: LinkedIn Privacy Policy.
When visiting our PONGS company page on LinkedIn (https://www.linkedin.com/company/pongs-gruppe), your IP address and other information stored in cookies on your device are collected. This information is used to provide PONGS, as the operator of the LinkedIn company page, with statistical information about the usage of the page.
The data collected about you in this context is processed by LinkedIn Ireland Unlimited Company and may be transferred to countries outside the European Union (https://www.linkedin.com/help/linkedin/answer/62533).
Regarding data transfers to the USA: On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, recognizing the United States as a country that ensures an adequate level of protection for personal data transferred from the EU/EEA. LinkedIn Corporation and its controlled US subsidiaries adhere to the EU-US Data Privacy Framework (EU-U.S. DPF).
The information LinkedIn receives from processing the aforementioned data and how it is used is generally described in LinkedIn’s privacy policy. There you will also find information about contact options.
PONGS, as the operator of a LinkedIn company page, does not collect or process any data from your use of the offered service beyond the information provided by LinkedIn.
7.4 Instagram
PONGS uses the technical platform and services of Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, for its information service.
Please be aware that you use the Instagram page of PONGS and its features at your own responsibility. This is especially true for interactive features provided by Instagram, such as commenting or rating. Instagram is also classified as an audiovisual platform, enabling its users to share photos and videos and further disseminate such data on other social networks.
When you visit any of the individual pages of this website that includes an Instagram component (Insta-button), the Internet browser on your device is automatically prompted by the respective Instagram component to download a display of the corresponding Instagram functionality. This allows Instagram to know which specific subpage of the PONGS website you have visited.
When you visit our Instagram page at https://www.instagram.com/pongsgroup/, Instagram collects, among other things, your IP address and additional information stored in cookies on your device. This information is used to provide us, as the operators of the Instagram page, with statistical information about the use of the Instagram page.
The data collected from you in this context is processed by Instagram Inc. and may be transferred to countries outside the European Union. The information Instagram receives and how it is used is described in general terms in Instagram’s privacy policies. You can find information on how to contact Instagram and about ad settings in these policies. The privacy policies are available at https://help.instagram.com/155833707900388 or www.instagram.com/about/legal/privacy/.
Please note that Instagram uses data from visits to Instagram pages for its own purposes. However, Instagram does not clearly and conclusively state, and we do not know, to what extent activities on the Instagram page are attributed to individual users, how long Instagram stores this data, and whether data from a visit to the Instagram page is passed on to third parties.
When you access an Instagram page, the IP address assigned to your device is transmitted to Instagram. According to Instagram, this IP address is anonymized (for “German” IP addresses) and deleted after 90 days. Instagram also stores information about users’ devices (for example, as part of the “login notification” function); this may allow Instagram to assign IP addresses to individual users.
If you are simultaneously logged into Instagram with a user account, a cookie with your Instagram ID is stored on your device. This allows Instagram to recognize which specific subpage you visit on our website each time you access it and throughout the duration of your visit. This happens regardless of whether you click on the Instagram component on our website or not. If you do not want this information to be transmitted to Instagram, you can prevent this transmission by logging out of your Instagram account before accessing our website.
The information collected via the Instagram component about your use of our website is assigned to your respective Instagram account. If you press one of the Instagram buttons integrated into our website, the transmitted data and information will be assigned to your personal Instagram user account and processed by Instagram.
Based on this data, content or advertisements tailored to you can be offered.
7.5 Pinterest
PONGS uses the technical platform and services of the social network Pinterest, which is operated by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, for its information service. When you access a page that contains such an element, your browser establishes a direct connection to the servers of Pinterest. This social media element transmits log data to the server of Pinterest in the USA. This log data may include your IP address, the address of the websites visited that also contain Pinterest features, type and settings of the browser, date and time of the request, your usage of Pinterest, and cookies.
We would like to point out that you use this Pinterest page and its functions at your own responsibility. This applies especially to the use of the provider’s interactive features, such as commenting or rating. The Pinterest privacy policy provides information on what data Pinterest processes and for what purposes it is used, as well as your rights and options for protecting your privacy:
8. Separate information obligations of PONGS GROUP GmbH & Co. KG for business partners
8.1 Purposes for which the personal data are processed and the legal basis for the processing
We process personal data if it is necessary for the establishment, execution, and fulfillment of a contract and to carry out pre-contractual measures (Art. 6 para. 1 lit. b GDPR, e.g., in connection with the initiation, execution, and management of orders), to fulfill a legal obligation (Art. 6 para. 1 lit. c GDPR, e.g., compliance with commercial and tax retention obligations according to § 257 HGB and § 147 AO), to safeguard the legitimate interests of the controller or a third party (Art. 6 para. 1 lit. f GDPR, e.g., storing data for a reasonable period for acquisition efforts or to assert legal claims and defense in legal disputes).
If you have given your consent to data processing, we process your personal data based on Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR if special categories of data according to Art. 9 para. 1 GDPR are processed (e.g., disclosure of data to third parties, evaluation for marketing purposes, or advertising communication via email).
In the case of explicit consent to the transfer of personal data to third countries, data processing also takes place based on Art. 49 para. 1 lit. a GDPR. If you have consented to the storage of cookies or access to information on your device (e.g., via device fingerprinting), data processing also takes place based on § 25 para. 1 TTDSG. Consent can be revoked at any time.
8.2 Sources and categories of personal data processed
We process personal data that we receive from you or from public sources such as commercial registers, the internet, and directories, or from third parties such as credit agencies or business partners in the course of contact and our business relationship, e.g., to process an inquiry or an order.
Relevant personal data includes personal data (such as name, first name, address, bank details, billing address, tax number, or VAT ID number) and other contact details (such as phone number, email address). This can also include contract or order data (e.g., sales data, order volume), information about your financial situation (e.g., creditworthiness data), and data about your person (e.g., profession, position, tasks, and powers) as well as other data comparable to the mentioned categories.
8.3 Duration for which the personal data are stored and the criteria for determining this duration.
The required personal data is stored for the duration of the existence of warranty and guarantee claims. In addition, personal data is stored in accordance with statutory retention periods. Corresponding proof and retention obligations result from the Commercial Code (HGB) and the Fiscal Code (AO). The specified retention or documentation periods are up to ten years. If the data is no longer required for the fulfillment of contractual or legal obligations, it will be regularly deleted.
9. Separate information obligations of PONGS GROUP GmbH & CO. KG for applicants
We are pleased that you are applying or have applied for a position in our company. Below we inform you in accordance with Art. 13, 14 of the EU General Data Protection Regulation (EU GDPR) for what purposes we process the application documents (data) you provide on a voluntary basis and what rights you have in this regard.
9.1 Purposes for which your personal data are processed and the legal basis for the processing
We process the data you send us in connection with your application to check your suitability for the position (or possibly other open positions in our company) and to conduct the application process.
The legal basis for processing your personal data in this application process is primarily § 26 BDSG. Thereafter, the processing of the data is permissible if it is necessary in connection with the decision on establishing an employment relationship.
Furthermore, we may process personal data about you as far as this is necessary to fulfill legal obligations (Art. 6 para. 1 lit. c GDPR, e.g., reimbursement of travel expenses) and to defend against asserted legal claims from the application process against us. The legal basis is then Art. 6 para. 1 lit. f GDPR; the legitimate interest is, for example, a duty to provide evidence in a procedure under the General Equal Treatment Act (AGG). Should there be a need for longer-term storage (e.g., for further vacant or vacant positions), this will be done on the basis of your consent in written form (in accordance with Art. 6 para. 1 lit. a GDPR).
If special categories of personal data within the meaning of Art. 9 para. 1 GDPR are voluntarily communicated during the application process, their processing is also carried out according to Art. 9 para. 2 lit. b GDPR in conjunction with § 26 para. 3 BDSG (e.g., disability status). If special categories of personal data within the meaning of Art. 9 para. 1 GDPR are requested from applicants in the course of the application process, their processing is also carried out according to Art. 9 para. 2 lit. a GDPR in conjunction with § 26 para. 2 as well as para. 3 sentence 2 BDSG (e.g., health data if required for the exercise of the profession).
9.2 Sources and categories of personal data processed
We process personal data that we receive from you or from personnel service providers in the course of the application process, such as personal data (name, address, and other contact details, date and place of birth, nationality), bank details (for the purpose of travel expense reimbursement), qualification certificates (e.g., references, evaluations, and other training certificates), IP addresses, and photographs.
9.3 Recipients or categories of recipients of the personal data
Applicants can send us their documents by email. However, please note that emails are generally not sent encrypted, and applicants are responsible for encryption themselves. Therefore, we cannot assume responsibility for the transmission path of the application between the sender and the receipt on our server and therefore recommend using postal mail.
Your data will be reviewed by the HR department after receiving your application. Suitable applications will then be forwarded internally to the person responsible for the respective open position, and possibly also to the works council. In the company, only those persons have access to your data who need it for the proper conduct of the application process.
Otherwise, personal data is processed on our behalf on the basis of contracts under Art. 28 GDPR (order processing), especially for providers of cloud solutions and applicant management systems. Personnel service providers may also be engaged as part of the application process. All service providers are contractually obligated to treat your data confidentially.
Otherwise, data is only passed on to recipients outside the company if statutory provisions allow or require this, the transfer is necessary for the fulfillment of legal obligations, or we have your consent.
9.4 Transfer to a third country (outside the EU / EEA) or to an international organization.
The data is processed exclusively in data centers in the Federal Republic of Germany. A transfer to a third country does not take place and is not planned.
9.5 Duration for which the personal data is stored and the criteria for determining this duration:
If an employment relationship does not come about following an application, we store applicant data for a maximum of six months from the date of the rejection decision, so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the General Equal Treatment Act (AGG). This does not apply if legal provisions prevent deletion (e.g., archiving of travel expense reimbursements according to tax regulations for up to 10 years), further storage is necessary for evidence purposes, or you have expressly consented to longer storage. If the data subject has given consent to longer storage of their personal data, we will include this data in our applicant pool. There, the data will be deleted after one year.
If the data subject receives a job offer as part of the application process, the relevant and necessary data from the applicant data will be transferred to our personnel data system.
10. separate data protection information for online meetings of PONGS GROUP GmbH & CO. KG with “MS Teams“
Below we inform you based on the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) about the processing of personal data in connection with the implementation of online meetings using the video conferencing tool “Microsoft Teams.”
Name and Contact Details of the Controller
The controller for data processing that is directly related to the implementation of “online meetings” is:
PONGS Group GmbH & Co. KG
Lohauser Dorfstraße 51, 40474 Düsseldorf
Phone: +49 211 54230800
Email: info@pongs.de
Note: If you access the “Microsoft Teams” website, the provider of “Microsoft Teams” is responsible for data processing. Accessing the website is only necessary to download the software for use.
If you do not want or cannot use the “Microsoft Teams” app, you can also use “Microsoft Teams” via your browser. The service is then provided to that extent via the “Microsoft Teams” website.
Contact Details of the Data Protection Officer
We have appointed a data protection officer. You can reach this officer as follows:
PONGS Group GmbH & Co. KG
Lohauser Dorfstraße 51, 40474 Düsseldorf
Phone: +49 211 54230811
Email: datenschutz@pongs.de
10.1 Purpose of the processing
We use the “Microsoft Teams” tool to conduct telephone conferences, video conferences, and webinars (hereinafter: “online meetings”). “Microsoft Teams” is a service provided by Microsoft Corporation.
10.2 Legal basis of data processing
Insofar as personal data of employees of PONGS Group GmbH & Co. KG is processed, § 26 BDSG is the legal basis for data processing. If personal data is not required for the establishment, performance, or termination of the employment relationship but is nevertheless an elementary component in the use of “Microsoft Teams,” Art. 6 para. 1 lit. f GDPR is the legal basis for data processing. In these cases, our interest lies in the effective conduct of “online meetings.”
If the processing of personal data within the scope of online meetings is necessary for the fulfillment of a contract to which you are a party or for the implementation of pre-contractual measures that take place upon your request, Art. 6 para. 1 lit. b GDPR serves as the legal basis for data processing.
If there is no contractual relationship, the legal basis is Art. 6 para. 1 lit. f GDPR. Here, too, our interest lies in the effective conduct of “online meetings.”
If video and audio recordings are exceptionally necessary, this is done exclusively based on the consent you have given according to Art. 6 para. 1 lit. a GDPR.
10.3 Type and scope of data processing
We use “Microsoft Teams” to conduct “online meetings.” If we want to record “online meetings,” we will inform you transparently in advance and ask for your consent. If it is necessary for the purposes of recording the results of an online meeting, we will record the chat content. However, this will generally not be the case.
Automated decision-making within the meaning of Art. 22 GDPR is not used.
The following personal data is processed when using “Microsoft Teams,” whereby the scope of the data also depends on the information you provide before or during the participation in an “online meeting”:
- User information (registration information): e.g., username, activation and conference codes, email address, first and last name, company, organization ID, participant IP, profile picture (optional)
- Configuration and communication data: e.g., device name, IP address, geodata, time zone, activity logs, hardware type
- Conference information: e.g., date, time, duration, number of participants, connection method, diagnostic information
- Text, audio, and video data: You may have the opportunity to use the chat function in an “online meeting.” In this case, the text inputs you make are processed to display them in the “online meeting.” To enable the display of video and playback of audio, the data from the microphone of your device and any video camera of the device is processed during the meeting. You can switch off or mute the camera or microphone yourself at any time via the “MS Teams” applications.
10.4 Recipients / passing on of data
Personal data processed in connection with participation in “online meetings” is not generally disclosed to third parties unless it is intended for disclosure. Please note that the content of “online meetings,” like in the case of personal meetings, often serves to communicate information with customers, interested parties, or third parties and is therefore intended for disclosure.
Another recipient is the provider of “Microsoft Teams,” Microsoft Corporation.
10.5 Data processing outside the EU / EEA
Data processing in third countries generally does not take place because we or the service provider have restricted the storage location to data centers in the EU or EEA.
However, we cannot exclude that the service provider also uses servers outside the EU or EEA or that data routing takes place via internet servers located outside the EU or EEA. An adequate level of data protection is guaranteed in this case on the one hand by the adequacy decision of the EU Commission for the EU-US Data Privacy Framework (DPF). Microsoft Corporation and thus MS Teams are certified here. Additionally, the data is generally secured against unauthorized access by third parties through encryption during transport over the internet.
10.6 Storage period
Your personal data, which we process in connection with your use of “Microsoft Teams,” is generally deleted as soon as it is no longer required for the purposes for which it was collected. A necessity for storage can exist, especially if the data is still needed to fulfill contractual services, check, grant, or defend warranty or guarantee claims. In the case of statutory retention obligations of 6 years or 10 years under commercial and tax law, deletion is only considered after the respective retention obligation has expired. If and insofar as the processing is based on your consent, the data will only be stored until you revoke your consent unless there is also another legal basis for processing.
10.7 Your Rights as Data Subjects
As a data subject, you can exercise the rights granted to you by the GDPR at any time, provided they are applicable to the processing:
- The right to information whether and which data is processed about you (Art. 15 GDPR);
- The right to request the rectification or completion of data concerning you (Art. 16 GDPR);
- The right to erasure of data concerning you in accordance with Art. 17 GDPR;
- The right to request the restriction of the processing of data in accordance with Art. 18 GDPR;
- The right to data portability in accordance with Art. 20 GDPR;
- The right to object to future processing of data concerning you in accordance with Art. 21 GDPR
Revocability of Your Consent
If processing is based on the legal basis of consent, it can be revoked at any time. The legality of the processing carried out based on the consent until revocation remains unaffected (Art. 7 para. 3 GDPR).
Right to Lodge a Complaint with a Supervisory Authority
You have the right to complain about the processing of personal data by us to a data protection supervisory authority.
11. Google reCAPTCHA
We use Google reCAPTCHA (hereinafter “reCAPTCHA”) on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland (“Google”).
reCAPTCHA is used to check whether the data entered on our website (e.g., in a contact form) is done by a human or an automated program. This serves the purpose of protecting us as the website operator from a flood of spam by bots. It is intended to prevent the misuse of the contact functions on our website, for example, by fake users, click fraud, and DDoS attacks, etc.
For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. To analyze, reCAPTCHA evaluates various information (e.g., IP address, the time the website visitor spends on the website, or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
To ensure that Google reCAPTCHA functions on our website, a JavaScript element is embedded in the source code. The Google Captcha service then runs in the background and can track and analyze the website visitor’s user behavior. The following personal data is collected and analyzed by Google.
11.1. What Data Does Google reCAPTCHA Process?
During the verification process by reCAPTCHA, we as the website operator and thus Google collect a range of data from the website visitor. Google reCAPTCHA collects information including, but not limited to:
•Page that embeds reCAPTCHA
•Referrer URL (page from which the user comes)
•User’s IP address
•Device settings (language, browser, location)
•Duration of visit
•Mouse movements and keystrokes
•Screen and window resolution
•Time zone
•Installation of browser plugins
Furthermore, Google reCAPTCHA checks whether a cookie has already been placed in the user’s browser. If not, Google sets a cookie. In practice, this means that Google creates a fingerprint of the visitor for reCAPTCHA, which can be recognized on other pages. This allows Google to track users across different sites.
With the version used here, invisible reCAPTCHA (reCAPTCHA v3), it is no longer necessary for the user to solve text or image puzzles or to check a box.
11.2. Legal Basis for Data Processing
The data processing is based on Article 6(1)(a) of the GDPR. We therefore require your active consent via the Cookie Consent Banner for reCAPTCHA to be used. A corresponding query is included in the banner.
The service provider for reCAPTCHA is Google Ireland Limited. However, personal data may also be transferred to the parent company, Google LLC. This company is based in the USA. There is an adequacy decision by the EU for data transfer to the USA, the EU-US Data Privacy Framework. Google LLC. is certified as a data recipient under this framework.
11.3. Storage Duration of Processed Data
Data from website visitors is transmitted to Google’s servers through reCAPTCHA. Google does not clearly specify where exactly this data is stored, even after repeated inquiries. In the absence of confirmation from Google, it is assumed that data such as mouse movements, time spent on the website, or language settings are stored on European or American Google servers. The IP address that your browser transmits to Google is generally not combined with other Google data from other Google services. However, if website visitors are logged into their Google account while using the reCAPTCHA plug-in, the data will be combined. The different privacy policies of Google apply in this case.
For more information on Google reCAPTCHA and Google’s privacy policy, please refer to the following links: Google Privacy Policy and Google reCAPTCHA Introduction.