Privacy policy

Controller

For data collection and processing within the meaning of the General Data Protection Regulation, the

ELBE PARTNERS Industries GmbH
Brandstwiete 4
20457 Hamburg
Phone: +49 (0)40-46 00 298-0
Internet: https://www.elbepartners.com
E-mail: info@elbepartners.com
is responsible.

Contact details of our data protection officer

BDO Legal Rechtsanwaltsgesellschaft mbH
Frank Metzler
Zielstattstrasse 40
81379 Munich
E-mail: elbepartners@dsb.bdolegal.de

Introduction and general information on data processing

The protection of your personal data is extremely important to us. We therefore treat your personal data confidentially and comply with the statutory provisions on data protection, in particular the European General Data Protection Regulation (hereinafter: "GDPR") and the German Federal Data Protection Act (hereinafter: "BDSG").

This privacy policy is intended to inform you about the type, scope and purpose of the collection and use of your personal data by us as the above-mentioned controller. In the following, you will first find definitions of the terms used (A.) and general information on the processing of your personal data (B.). We then go on to specifically address data processing when using our website and other data processing that we carry out as the controller under data protection law (C). Finally, we inform you about your rights as a data subject (D.).

A. Definitions

In accordance with the model of Art. 4 EU GDPR, this privacy policy is based on the following definitions:

1. Personal data

According to Art. 4 No. 1 GDPR, personal data means any information relating to an identified or identifiable natural person (data subject). A person is identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity.

Identifiability can also be provided by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).

2. Processing

According to Art. 4 No. 2 GDPR, processing means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.

3. Controller

According to Art. 4 No. 7 GDPR, the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

4. Processor

According to Art. 4 No. 8 GDPR, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller in accordance with the controller's instructions (e.g. IT service provider). In terms of data protection law, a processor is not a third party.

5. Third party

According to Art. 4 No. 10 GDPR, a third party is any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorized to process the personal data; this also includes other legal entities belonging to the group.

6. Consent

According to Art. 4 No. 11 GDPR, consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

B. General information on data processing

1. Scope of the processing of personal data

As a matter of principle, we only collect data whose processing is either required by law, which is necessary for the conclusion and execution of a contract, in whose processing we have an overriding legitimate interest or which is provided to us voluntarily on the basis of consent.

We collect, store and use personal data from you as a visitor to our website only insofar as this is necessary to provide a functional website and to present our content and services. In addition, the collection and use of your personal data only takes place regularly with your consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

2. Legal bases for the processing of personal data

a. Data processing for contract initiation and fulfillment

When processing personal data that is required to initiate or fulfill a contract with you, Art. 6 (1)(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

b. Data processing on the basis of consent

Insofar as we obtain your consent for the processing of personal data, Art. 6 (1)(a) GDPR serves as the legal basis. We only base the processing of your personal data on consent if this is not already permitted on other legal grounds.

We also ask for your consent if we wish to provide information about our own products and services and events, and it is not possible to process your data in order to protect legitimate interests or if we ask you to take part in a survey.

c. Data processing for the protection of legitimate interests

We only process your personal data in accordance with Art. 6 (1)(f) GDPR to safeguard legitimate interests if the further requirements of Art. 6 (1)(f) GDPR are met, i.e. if our interests in data processing or the interests of a third party outweigh your interests or fundamental rights and freedoms in the individual case.

Furthermore, we use your personal data if and insofar as this is necessary to protect our legitimate interests, e.g. for the defense and enforcement of claims. In this respect, too, data processing is based on Art. 6 (1)(f) GDPR.

d. Data processing for the fulfillment of legal obligations

If and to the extent necessary, we process your personal data in order to comply with any statutory documentation obligations, e.g. vis-à-vis tax offices and supervisory authorities. In this case, data processing is carried out on the basis of Art. 6 (1)(c) GDPR.

In addition, we process your personal data in accordance with Art. 6 (1)(c) GDPR for the purpose of a detailed examination as to whether an order may be accepted. The same applies to the statutory obligation imposed on us to identify our business partners and the other obligations under the provisions of the Money Laundering Act.

3. Data erasure and storage duration

Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which we are subject.

Your personal data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage for the conclusion or fulfillment of a contract.

4. Security through the use of TLS/SSL

If you transmit your personal data to us via our website, we use current, secure technologies, in particular the so-called "Transport Layer Security" (TLS) transmission (previously also known as "Secure Socket Layer" (SSL) transmission). All information and data transmitted using these secure methods is encrypted before it is sent to us. In addition, to protect you and us from misuse, the IP address of your device is transmitted to us. We would like to point out that encryption using these technical methods only works if the corresponding technical default settings have also been initiated on your side.

5. Data recipients

Your personal data may be passed on by us to third parties. We only transfer your personal data to third parties if we are authorized to do so under data protection law. The transfer of data to third parties is based either on the fulfillment of legal obligations, on legitimate interests, on the necessity of fulfilling a contract or on the basis of any consent given.

If external service providers act as processors, the data transfer takes place within the framework of an data processing agreement, which ensures that the data is only processed on and within our instructions and that the processor complies with the data protection regulations.

If it is necessary to transfer data to third parties or processors in countries outside the European Economic Area, this is done either on the basis of approved EU standard contractual clauses or on the basis of an adequacy decision issued by the EU Commission.

C. Information on individual data processing operations

1. Storage of cookies

We use so-called cookies to make visiting our website attractive and to enable the use of certain functions. Cookies are small text files that are automatically stored on your device.

Some of the cookies we use are deleted again at the end of the browser session, i.e. after closing the browser (so-called "session cookies"). Other cookies remain on your device and enable us to recognize your browser on your next visit (so-called "persistent cookies"). The duration of storage can be found in the overview in the cookie settings of the web browser.

Furthermore, only cookies that are technically necessary for the operation of the website are set. No cookies are stored for other purposes (e.g. analysis and statistics, marketing).

If personal data is processed by implemented cookies, which are technically necessary for the operation of our website, the processing is carried out in accordance with Art. 6 (1)(f) GDPR to protect our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the page visit.

2. Provision of the website and creation of log files

Each time our website is accessed, our system automatically collects data and information from the system of the accessing device.

The following data is collected:

• IP address
• Browser type and browser version
• Operating system
• Date and time of the visit to the website
• Access status / Http status code
• GMT time zone difference
• Amount of data transferred
• Website/source/reference from which the website was accessed

This data is not stored together with your other personal data.

Temporary storage of the IP address by the system is necessary to enable delivery of the website to your device. For this purpose, your IP address must remain stored for the duration of the session. The data is stored in log files to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. The data is not analyzed for any other purpose.

This is also our legitimate interest in data processing within the meaning of Art. 6 (1)(f) GDPR, which serves as the legal basis for the processing of your personal data in the context of the collection of log files.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. If the data is stored in log files, this is the case after 7 days at the latest. Storage beyond this period is possible. In this case, your IP address will be deleted or anonymized so that it is no longer possible to identify the accessing client.

3. Contact by e-mail, telephone or fax

If you contact us by e-mail, telephone or fax, your request, including the personal data resulting from it, will be processed for the purpose of processing your request.

The processing of your personal data is based on your consent in accordance with Art. 6 (1)(a) GDPR, which you give us by contacting us. If your request is aimed at concluding a contract with us, the data processing is based on Art. 6 (1)(b) GDPR.

Subject to statutory retention periods, your personal data will be deleted as soon as we have finally processed your request. If you do not receive a response from us within a period of 10 days, your personal data will also be deleted.

Your consent can be revoked at any time with effect for the future. To do so, please send us an e-mail to datenschutz@elbepartners.com. However, we would like to point out that your request cannot be processed any further if you withdraw your consent.

D. Your rights as a data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis us as the controller:

1. Right of access

You can request confirmation from us as to whether your personal data is being processed by us. If such processing is taking place, you can request the following information from us in accordance with Art. 15 GDPR:

• the purposes for which the personal data are processed
• the categories of personal data that are processed
• the recipients or categories of recipients to whom your personal data have been or will be disclosed
• the planned duration of the storage of your personal data or, if specific information on this is not possible, criteria for determining the storage period
• the existence of a right to rectification or erasure of your personal data, a right to restriction of processing by us or a right to object to such processing
• the existence of a right to lodge a complaint with a supervisory authority
• all available information about the origin of the data if the personal data is not collected from you
• the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended impact of such processing on you

Furthermore, you have the right to request information as to whether your personal data is transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

2. Right to rectification

In accordance with Art. 16 GDPR, you have a right to rectification and/or completion vis-à-vis us if your personal data is incorrect and/or incomplete. We must make the correction without delay.

3. Right to restriction of processing

Under the following conditions, you can request the restriction of the processing of your personal data in accordance with Art. 18 GDPR:

• if you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data
• the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
• we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
• if you have objected to the processing pursuant to Art. 21 (1) GDPR and it is not yet certain whether our legitimate reasons outweigh your reasons

If the processing of your personal data has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You will be informed by us before the restriction is lifted.

4. Right to erasure

a. Obligation to delete

In accordance with Art. 17 GDPR, you can demand that we delete your personal data immediately. We are obliged to delete this data immediately if one of the following reasons applies:

• your personal data is no longer necessary for the purposes for which it was collected or otherwise processed
• your consent, on which the processing was based pursuant to Art. 6 (1)(a) GDPR, is revoked by you and there is no other legal basis for the processing
• you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing
• you object to the processing in accordance with Art. 21 (2) GDPR
• your personal data has been processed unlawfully
• the deletion of your personal data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which we are subject
• your personal data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR

b. Information to third parties

If we have made your personal data public and we are obliged to delete it in accordance with Art. 17 (1) GDPR, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform controllers who process the personal data that you have requested them to delete all links to this personal data or copies or replications of this personal data.

c. Exceptions to the right to erasure

The right to erasure does not exist if the processing is necessary:

• to exercise the right to freedom of expression and information
• for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
• for reasons of public interest in the area of public health pursuant to Art. 9 (2)(h) and (i) GDPR and Art. 9 (3) GDPR
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to in Section 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing
• for the assertion, exercise or defense of legal claims

5. Right to notification

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged pursuant to Art. 19 GDPR to notify all recipients to whom your personal data have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed about these recipients.

6. Right to data portability

In accordance with Art. 20 GDPR, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller to whom the personal data has been provided without hindrance from us, provided that

• the processing is based on consent pursuant to Art. 6 (1)(a) GDPR or on a contract pursuant to Art. 6 (1)(b) GDPR and
• the processing is carried out using automated procedures

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

7. Right to object

Pursuant to Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1)(e) or (f) GDPR, including profiling based on those provisions. The objection must be justified.

If we receive an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

Notwithstanding Directive 2002/58/EC, you have the option of exercising your right to object in connection with the use of information society services by means of automated procedures using technical specifications.

8. Right to revoke the declaration of consent

In accordance with Art. 7 (3) GDPR, you have the right to revoke your declaration of consent under data protection law at any time - even before the GDPR came into force (May 25, 2018). The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The revocation of consent can be declared by e-mail to datenschutz@elbepartners.com or by letter or telephone to our contact details above.

9. Automated decision-making in individual cases including profiling

In accordance with Art. 22 GDPR, you have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

• is necessary for the conclusion or performance of a contract between you and us, or
• is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• with your express consent

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2)(a) or (g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.

We take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on our side, to express your own point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

The supervisory authority responsible for us is
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Strasse 22
20459 Hamburg
Phone: +49 (0)428 54-4040
E-mail: mailbox@datenschutz.hamburg.de

Nov 12th, 2025