Privacy statement

1. General information

1.1 Personal data (Art. 4 (1) GDPR)

The subject for data protection is personal data (subsequently also referred to as data). This means any information relating to an identified or identifiable natural person. Examples of such information include details such as the name, address, profession, e-mail address, health, income, marital status, genetic characteristics, phone number and if applicable also user data such as IP address.

1.2 Controller (Art. 4 (7) GDPR)

The controller responsible for processing your personal data as part of the process of using this website www.progroup.ag (subsequently referred to as the website) is Progroup AG (subsequently referred to as the operator or controller). The contact details are:

Progroup AG
Horstring 12
76829 Landau in der Pfalz
Board: Mr Jürgen Heindl, Dr. Volker Metz, Mr Maximilian Heindl, Mr Philipp Kosloh
Phone: +49 (0) 6341 / 5576-0
Fax: +49 (0) 6341 / 5576-109
E-mail: info@progroup.ag

1.3 Data protection officer

The controller has appointed a data protection officer. This person can be reached by e-mailing datenschutz@progroup.ag.

1.4 Opportunity to object

If you want to object to the processing of your data by the operator in accordance with this privacy statement overall or for individual measures, you can do this by using the contact details which are specified above. Please note that, if you do object in this way, in some circumstances use of the website and access to the services which are offered on it may only be limited or may not be possible at all.

2. Scope and purposes of data processing

2.1 Accessing and using the website

Each time that the website and its subpages are accessed, use data is transferred by the respective internet browser and saved in server log files. The data records which are stored as part of this process contain the following data:

  • Date and time of access
  • Name of the subpage which is accessed
  • IP address
  • Referrer URL (original URL from which you have accessed the website)
  • Amount of data transferred
  • Product and version information for the browser used

The log files are evaluated by the operator in anonymised form in order to further improve the website and make it more user-friendly, find and rectify faults more quickly and manage server capacities. For example, this makes it possible to understand at which time use of the website is particularly popular and the operator can then make an appropriate volume of data available.

The admissibility of this processing is based on Art. 6 (1. (f)) GDPR, which states that the processing is lawful if it is necessary for the purpose of preserving the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest of the operator lies in providing a website containing information and offering services to its customers and optimising the operation of the website.

The data which is processed by the operator is required by it to enable you to access and make optimum use of the website. This data is data which necessarily needs to be processed while using any form of telemedia. You are not obliged to provide this data. However, the consequence of not providing it is that you will not be able to access the website or will not be able to access it in full.

Your IP address will be deleted or anonymised after you finish using the website. In the case of anonymisation, the IP addresses are amended in such a way that they can no longer be assigned to an identified or identifiable natural person or can only be assigned with a disproportionately large amount of time, costs and effort.

2.2 Contact form and e-mail at a click

If you wish to contact the operator, you can make use of a contact form to do so. As part of the process of completing this form, you need to specify the following details:

  • First name
  • Last name
  • E-mail address
  • Topic

In addition, you can voluntarily specify the following details:

  • Phone number
  • Message

In addition, at a number of places on the website you have the option with just one click to open an e-mail to be sent to the operator. The sender used here is automatically the e-mail address which is linked to your e-mail program. If you do not wish your e-mail address to be called up in this way, you can change this in the settings of your particular e-mail program.

The admissibility of this processing is based on Art. 6 (1. (b)) GDPR, which states that the processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. You are not obliged to provide this data. However, the consequence of not providing it is that you will not be able to send a message to the operator.

The personal data which is processed will be deleted after the expiry of the statutory retention obligations if the controller does not have a legitimate interest in continuing to retain this data. In any event, only the data which is really also absolutely needed for the purpose of achieving the corresponding purpose will continue to be stored. Where possible, the personal data will be anonymised.

2.3 Advertising

The operator uses your data for advertising purposes. The admissibility of this processing is based on Art. 6 (1. (f)) GDPR, which states that the processing is lawful if it is necessary for the purpose of preserving the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The use of data for advertising purposes represents a legitimate interest of the operator. The operator relies on actively presenting its services to new and existing customers.

As a customer of the operator, you will also regularly receive product recommendations by e-mail which are based on the products or services which you have already ordered. By doing this, the operator wishes to send you information about its services which you might be interested in, based on your last order or booking. If you no longer wish to receive such recommendations, you can object to this at any time without incurring any costs other than the transmission costs according to the basic rates. A notification in text form to the operator is sufficient for this. In addition, each e-mail contains a link to unsubscribe. The admissibility of this processing is based, beyond Art. 6 (1. (f)) GDPR, on Section 7 (3) of the German Unfair Competition Act.

The personal data which is stored for advertising purposes is saved by the operator and used in accordance with the statutory provisions unless you object to this. This data is deleted if the controller does not have a legitimate interest in continuing to retain it or statutory retention periods do not oppose such deletion. In any event, only the data which is really also absolutely needed for the purpose of achieving the corresponding purpose will continue to be stored.

2.4 Newsletter

To receive further information about the operator’s services, you can also subscribe to an e-mail newsletter. The newsletter is sent out using what is known as the double opt-in method, i.e. you will only receive a newsletter by e-mail if you have previously explicitly confirmed that the newsletter service should be activated. Once you have activated the newsletter, you will receive a notification e-mail containing a link for activation. You will only receive the newsletter once you click on this link.

You can deactivate the newsletter at any time. You can contact the operator to do this (contact details above) or use the unsubscribe link which is provided in each newsletter.

The admissibility of this processing is based on Art. 6 (1. (a)) GDPR, which states that the processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

The provision of your data is optional but is required to be able to receive the newsletter.

If you withdraw your consent or unsubscribe from the newsletter, your data will be deleted unless the controller has a legitimate interest in continuing to retain it. This may be the case if the operator needs to continue to store your data as a result of a contract with you. In addition, statutory retention periods may also oppose such deletion. In any event, only the data which is really also absolutely needed for the purpose of achieving the corresponding purpose will continue to be stored.

2.5 Customer magazine

The operator publishes the magazine PROfil at regular intervals and in it reports on the latest issues and topics in the paper, corrugated board and packaging industries. The customer magazine will be provided to you free of charge on request as part of a contractual relationship. Bot the current magazine and future magazines can be ordered by post. In addition, it is also possible to order the current magazine as a download link via e-mail. The magazine is produced with a great deal of effort that costs money, which is why the magazine can only be provided if you specify the following personal data:

  • Title
  • First name
  • Last name
  • Company
  • E-mail

In addition, the following optional details can be provided:

  • Sector
  • Street
  • Postcode
  • Town/city
  • Country
  • Phone

When you order the magazine, you give your consent pursuant to Art. 6 (1 (a)) GDPR to the sending of the magazine (form of advertising) and the processing of your data associated with this. This can be withdrawn from the operator at any time.

The operator also uses the data for advertising purposes. The admissibility of this processing is likewise based on Art. 6 (1. (a)) GDPR. When you order the customer magazine PROfil, you have accordingly consented to the processing of personal data for advertising purposes. This consent can also be withdrawn from the operator at any time.

The provision of your data is voluntary; but the mandatory details at least are required to be able to receive the customer magazine.

If you withdraw your consent, your data will be deleted, unless the controller has a legitimate interest in continuing to retain it or statutory retention periods oppose such deletion.

2.6 Investor relations

Under the menu item Investor Relations, interested investors can gain access to the protected investor section. The following details need to be provided to do this:

  • E-mail address
  • Password
  • Title
  • First name
  • Last name
  • Company
  • Street
  • Postcode
  • City
  • Country

Registration takes place using what is known as the double opt-in method, i.e. activation can only take place if you have previously explicitly confirmed this. For this purpose, you will receive an e-mail containing a confirmation link. Only once you click on this link can activation take place. After this, the registered investors are able to log in using their e-mail address and their password. This gives them access to the investor website, where the investors are provided with relevant information such as quarterly reports and annual management reports.

The admissibility of the data processing associated with this is based on Art. 6 (1. (b)) GDPR, which states that the processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The operator requires the data which you provide in order to complete the registration process and grant you access to the investor section. You are not obliged to provide this data. However, if you do not provide this data, it is not possible to access the investor section.

The data which is collected as part of investor relations will be deleted by the operator, unless there is a legitimate interest in continuing to store it or statutory retention periods oppose such deletion.

2.7 e-box

Customers who have already registered have the option to log in via the e-box using their user name and password. The log-in details are assigned by the respective sales manager. Customer master data such as name and address are stored in the customer section. In this section, customers can then submit orders and track the production dates and delivery dates for these orders. To make an order, the order details and possible delivery dates need to be entered. Existing orders can also be amended by entering the order details. The order status can be tracked using the existing order details. In addition, it is possible to view the route planning and keep a track on the precise delivery time. Delayed orders are likewise displayed to customers. Customers also have the opportunity to view the stock movements and the production planning.

The operator uses the data which you provide so that it can assign them to your customer profile and enable you to perform the abovementioned activities (such as placing an order). The admissibility of this processing is based on Art. 6 (1. (b)) GDPR, which states that the processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

The provision of your data is voluntary. However, without this data it is not possible to log into and use the e-box section of the website. The data which is collected as part of e-box will be deleted by the operator, unless there is a legitimate interest in continuing to store it or statutory retention periods oppose such deletion.

2.8 Use of cookies

The operator uses what are known as cookies. These are small data packages which normally consist of letters and numbers and are stored on a browser when you visit certain websites. The cookies enable the website to recognise your browser, track your activity as you browse various sections of the website and identify you when you return to the website. Cookies do not contain any data that identifies you personally, but the information about you which is stored by the operator may be assigned to the data which is obtained from the cookies and is stored in them.

Information which the operator obtains from you through the use of cookies may be used for the following purposes:

  • Recognising the user’s computer when visiting the website
  • Tracking the user’s browsing activities on the website
  • Improving the user-friendliness of the website
  • Evaluating the use of the website
  • Operating the website
  • Preventing fraud and improving the security of the website
  • Individual configuration of the website, taking account of the needs of users

Cookies do not cause any damage on a browser. They do not contain any viruses and also do not allow the operator to spy on you. Two types of cookies are used:

  • Temporary cookies are automatically deleted when your browser is closed (session cook-ies).
  • By contrast, persistent cookies have a longer lifespan. This type of cookie makes it pos-sible for you to be recognised the next time you visit a website after you have left it. The-se cookies are deleted after no more than 30 days.

The cookies enable the operator to understand your user behaviour for the abovementioned purposes and to an appropriate extent. They are also designed to enable you to enjoy optimised browsing of the operator’s website. The operator also only ever collects this data in anonymised form.

The admissibility of this processing is based on Art. 6 (1. (f)) GDPR, which states that the processing is lawful if it is necessary for the purpose of preserving the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The operator’s legitimate interest lies in presenting its website in an optimised way. You are not obliged to provide this data. However, the data needs to be provided to be able to access the operator’s website without any problems (technically necessary cookies). If you do not accept cookies or delete cookies that have already been set, this may result in restrictions to the way the website works.

2.9 Use of Google Analytics

The operator utilises the web analysis service Google Analytics from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This uses the cookies described above to record, for example, information about your operating system, your browser, your IP address, the website accessed previously and the date and time of your visit to the operator’s website. The information about the use of the website which is generated by the cookies is transferred to a Google server in Ireland and stored there. If necessary, the data may also be transferred to the USA. For cases of data transfer to the USA, Google has certification for the Privacy Shield Framework. You can obtain further information about this directly from Google https://policies.google.com/privacy/frameworks?gl=de.

Google will use this information to evaluate the way that the website is used, to compile reports about the activity on the website for the operator, and to provide further services associated with use of the website and use of the internet. If this is prescribed by law or third parties process this data on behalf of Google, Google will also pass this information on to these third parties. This use takes place anonymously or under a pseudonym. You can obtain more details about this directly from Google https://policies.google.com/privacy?hl=de.

When Google Analytics is used, no direct personal data is stored, but rather just the Internet Protocol address. This information is used to automatically recognise you the next time that you visit the operator’s website and make it easier for you to navigate the website.

The admissibility of this processing is based on Art. 6 (1. (a)) GDPR, which states that the processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. You can withdraw your consent at any time.

The personal data which is collected as part of the use of tracking tools will be deleted, unless the controller has a legitimate interest in continuing to retain it. In any event, only the data which is really also absolutely needed for the purpose of achieving the corresponding purpose will continue to be stored. Where possible, the personal data will be anonymised.

You are not obliged to provide this personal data. However, in some circumstances the consequence of not providing it is that you will not be able to use the website or will not be able to use it in full.

2.10 Fonts

On the website the operator utilises external fonts from the service Google Fonts. This is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. As a result of this use, information about the use of the website (for example the time of access, IP address etc.) is transferred to a Google server in Ireland and stored there. If necessary, the data may also be transferred to the USA. For cases of data transfer to the USA, Google has certification for the Privacy Shield Framework. You can obtain further information about this directly from Google https://policies.google.com/privacy/frameworks?gl=de.

The operator uses Google Fonts to enable you to use external fonts to make the website look better. The admissibility of this processing is based on Art. 6 (1. (f)) GDPR, which states that the processing is lawful if it is necessary for the purpose of preserving the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The use of data for purposes of improving the way that the website looks represents a legitimate interest of the operator within the meaning of Art. 6 (1 (f)) GDPR. The provision of data is neither prescribed by law nor required to enter into a contract. The consequence of failing to provide the data is that the font will be presented to you in another form.

The operator does not save any personal data by incorporating Google Fonts. The data is saved by Google in accordance with its own privacy policy. You can find further information about this in the privacy policy and terms of use of Google.

2.11 YouTube

The operator uses videos from YouTube on its website. YouTube is a service of
YouTube LLC (“YouTube”), 901 Cherry Ave., San Bruno, CA 94066, USA and is provided by it. YouTube LLC is a subsidiary of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

When you visit the website, YouTube receives the information that you have accessed the corresponding subpage of our website. In addition, further information about the use of the website (for example the date and time of access, IP address etc.) may be transferred to a Google server (possibly in a third country such as the USA) and stored there. This is done regardless of whether YouTube provides a user account via which you are logged in, or whether no user account exists. For cases of data transfer to the USA, Google has certification for the Privacy Shield Framework. You can obtain further information about this directly from Google https://policies.google.com/privacy/frameworks?gl=de.

The data will be used by Google for purposes of advertising, market research and/or customising the design of its website. There may also be a link to your user account here if you are logged in there. If you do not want this to happen, you must log out before using the website. The terms of use and privacy policy of Google apply (see above).

The operator uses YouTube videos to show you videos on various topics. The admissibility of this processing is based on Art. 6 (1. (f)) GDPR, which states that the processing is lawful if it is necessary for the purpose of preserving the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The use of data for purposes of providing videos to illustrate our services and products represents a legitimate interest within the meaning of Art. 6 (1. (f)) GDPR.

The provision of data is neither prescribed by law nor required to enter into a contract. The consequence of failing to provide the data is that you will not be able to use our website or will not be able to use it in full.

2.12 Web presence on social media (YouTube, Vimeo, Xing, LinkedIn)

As well as this website, we also maintain a presence on social networks (YouTube, Facebook, Vimeo, Xing; LinkedIn) which you can access via corresponding buttons on our website (link set up). As soon as you visit such a presence, these services store and process users’ personal data in accordance with the terms of use that apply in each case. We wish to point out that we do not have any influence over the way that the data is collected and used further by the social networks.

If while visiting our website you follow the links and are logged in via your personal user account, the information that you have visited our website will be passed on to the respective social network and stored there. The visit to this website can then be assigned to your user account. To prevent this, you must log out of your account before clicking on the link.

For details of the purpose and scope of data collection by the respective service and the further processing of your data which takes place there as well as your rights in this regard, please consult the respective privacy policies of these providers:

YouTube: https://policies.google.com/privacy?hl=de&gl=de

Vimeo: https://vimeo.com/de/features/video-privacy

Xing: https://privacy.xing.com/de/datenschutzerklaerung

LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=de_DE

2.13 Application

(1) Application via the website and by e-mail

 

On the website you have the opportunity to apply for our job vacancies. To do this, you need to specify a range of information. These mandatory details are highlighted. Other details that you may specify are voluntary, such as providing the link to your personal LinkedIn profile. We offer you the opportunity to import the curriculum vitae that is required for the application from your LinkedIn profile. In addition, you have the opportunity to apply to us via e-mail.

The controller processes your data for the purpose of conducting the application procedure. The admissibility of this processing is based on Section 26 of the German Data Protection Act (new), which states that personal data of employees may be processed for employment-related purposes where this is necessary for making a decision on hiring a person.

Sometimes it may be necessary for us to process your data for the purpose of enforcing, exercising or defending legal claims. This is based on Art. 6 (1 (f)) GDPR. The same legal basis applies to the use of this data for internal analyses for the purpose of optimising the work processes taking place.

If you do not provide the necessary details and documents to the controller, the controller will not be able to consider you in the application procedure. This means that this data must be provided to be able to enter into a contract.

(2) Future job advertisements

 

If you have given consent to your data being stored for a longer period of time, the controller will contact you when suitable vacancies arise.

 

The admissibility of this processing is based on Art. 6 (1 (a)) GDPR (consent).

 

Your data will be deleted after you withdraw your consent, unless the controller has a legitimate interest in continuing to retain it. This may be the case if the controller needs to continue to store your data as a result of a contract with you.

 

You can withdraw your consent to this processing at any time.

(3) Duration of storage

 

Your data is first stored when the application is received. The duration of this storage is determined primarily by the legal retention obligations and by our legitimate interest in continuing to retain it. If you are rejected for a job, your application documents and data will be retained for six months, unless you have given your consent to a longer period of retention.

A longer period of retention may arise in a specific case if we have a legitimate interest in this and your legitimate interests do not oppose it.

If an appointment is made, your data will be stored for the purpose of conducting an employment relationship and processed as employee data.

3. Right to information, rectification, erasure, restriction, objection and data portability

If your personal data is processed, you are a data subject within the meaning of the GDPR and you enjoy the following rights within the framework of the statutory regulations:

3.1 Right to information

On request, the operator will provide you with information on whether it processes data about you. The operator will endeavour to deal with requests for information swiftly.

3.2 Right to erasure

You have the right to demand that the operator erases personal data concerning you without undue delay, and the operator is obliged to erase personal data concerning you without undue delay if one of the grounds specified in Art. 17 (1 (a)-(f)) GDPR applies.

3.3 Right to restriction

You have the right to demand that the operator restricts the processing if one of the requirements of Art. 18 (1 (a)-(d)) GDPR is met.

3.4 Right to object

You have the right to object at any time, for reasons appertaining to your particular situation, to the processing of personal data concerning you which takes place on the basis of Art. 6 (1 (e)) GDPR; this also applies to profiling based on these provisions. The operator will no longer process your personal data, unless it can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or the processing is used for the purpose of enforcing, exercising or defending legal claims.

If your personal data is processed to engage in direct advertising, you have the right at any time to object to the processing of personal data concerning you for the purpose of such advertising; this also applies to the profiling if it is associated with such direct advertising.

Please use the contact address which is specified above for your notification.

3.5 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the operator, in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance from the operator to which the personal data was provided, where the processing is based on consent pursuant to Art. 6 (1 (a)) GDPR, Art. 9 (2 (a)) GDPR or on a contract pursuant to Art. 6 (1 (b)) GDPR and the processing is carried out by automated means.

4. Withdrawing your consent

If you have given your consent to the processing of your personal data and withdraw it, the processing which took place up to the withdrawal date remains unaffected by this.

5. Right to complain

You have the right to lodge a complaint with a supervisory authority at any time (Art. 77 GDPR).

6. Recipients

The data collected when you access and use the website and the details which you specify will be transferred to the operator’s server and stored there. Apart from this, your data may be passed on to the following categories of recipients:

  • People working for the controller who are engaged in the processing (e.g. marketing department, personnel management, customer service, secretariat)
  • Affiliated companies
  • Processors (e.g. computer centre, IT service provider, software support)
  • The operator’s contractual partners (e.g. shipping providers, banks, tax advisers, banks in the case of the reimbursement of travel expenses)

7. Links to third-party websites

When you visit the website, content which is linked to third-party websites may be displayed. The operator has no access to the cookies or other functions that are used by third-party websites, nor can the operator control them. Such third-party websites are not subject to the operator’s privacy policy.

8. Miscellaneous

To make it easier to understand, the operator also makes this privacy statement available to you in English, French, Czech, Polish and Italian. However, if there is any doubt, the provisions of the German privacy statement shall be authoritative.

 

Last updated: May 2019