The European Pallet Association e.V. (EPAL) appreciates your interest in the Web site of EPAL.
We place great value on the protection of your personal data. To this end, we have implemented numerous technical and organisational measures to ensure end-to-end protection in accordance with the applicable EU General Data Protection Regulation (EU Regulation 2016/679, GDPR) and the German Federal Data Protection Act (BDSG).
I Data controller for data processing:
European Pallet Association e.V.
40472 Düsseldorf, Germany
Tel.: +49 (211) 98 480 48 – 0
Fax: +49 (211) 98 480 48 – 48
Dirk Hoferer, Jarek Maciążek (chair of the board)
II Data Protection Officer of the data controller responsible for data processing:
KMR IT-Innovations GmbH
47877 Willich, Germany
Tel.: +49 2154 93682-0
III General information on data processing
1 Scope of the processing of personal data
As a matter of principle, we only process personal data of our users to the extent that is necessary for the provision of a functioning Web site as well as for the provision of our content and services. The processing of personal data of our users is usually only done following the user’s consent. An exception applies in those cases in which it is not possible for practical reasons to obtain consent beforehand and the processing of the data is permitted by law.
2 Legal basis for the processing of personal data
Insofar as we obtain the consent of the person concerned for processing operations of personal data, Section 6 (1) lit. a of the EU Data Protection Regulation (GDPR) constitutes the legal basis.
Section 6 (1) lit. b GDPR forms the legal basis when we process personal data required for the execution of a contract of which the person concerned is a contractual party. This also applies to processing operations that are required for the execution of pre-contractual actions.
Insofar as the processing of personal data is required for compliance with a statutory obligation that our company must comply with, Section 6 (1) lit. c GDPR is the legal basis.
In the event that the vital interests of the person concerned or another natural person require the processing of personal data, Section 6 (1) lit. d GDPR serves as the legal basis.
If processing is required for the protection of a legitimate interest of our company or a third party and the interests, fundamental rights and basic liberties of the person concerned do not outweigh the aforementioned interest, the legal basis is Section 6 (1) lit. f GDPR.
3 Data deletion and storage period
The personal data of the person concerned is deleted or blocked as soon as the purpose of storage no longer applies. In addition, the data can be stored if the storage is provided for by European or German legislative bodies in regulations under EU law, laws or other provisions, with which the data controller must comply. The data is also blocked or deleted if a storage period specified by the aforementioned standards expires, unless there is a necessity to continue to store the data for the purpose of conclusion of a contract or execution of a contract.
4 Data transmission (SSL encryption)
The transmission of data over the Internet (e.g. when communicating by e-mail) may involve security gaps. As a provider, we cannot completely protect the transmission of data via the Internet since it might be outside the sphere of our control. For this reason, you have the option of transmitting your personal data to us through other communication channels (e.g. by phone or normal mail).
For security reasons and to protect the transmission of confidential content (“Contact” and “Become a Licensee” forms) that you send to us, the Web site uses SSL encryption. You can recognise an encrypted connection when the address line of your browser changes from http:// to https:// and a padlock appears in the address line.
When the SSL encryption is enabled, data you transmit to us cannot be read by third parties.
IV Provision of the Web site and creation of log files
1 Description of data processing
With each visit to our Web site, our system automatically registers data and information of the computer system of the visiting computer.
The following data is collected:
§ information about the browser (type and version) with which the Web site is visited.
§ the operating system of the user
§ the Internet service provider of the user
§ the IP address of the user
§ date and time of access
§ Web sites from which the user’s system gets to our Web site
§ Web sites that are visited by the user’s system via our Web site
2 Log files
The data specified in Item 1 is also stored in the log files of our system.
This data is never stored together with other personal data of the user.
3 Legal basis of data processing
Section 6 (1) lit. f GDPR constitutes the legal basis for the temporary storage of data and log files.
4 Purpose of the processing of personal data
The provision of the Web site has the purpose of providing information on the activities of EPAL and the EPAL Euro pallet pool. In the members area, Licensees of EPAL have the possibility of checking information on the licence agreement and entering contract data.
4.1 Use of the Web site for information
The temporary storage of the IP address by the system is necessary in order to enable the delivery of the Web site to the user’s computer. For this, the IP address of the user must be stored for the duration of the visit.
The log files are stored so as to ensure the functionality of the Web site.
We also use the data to optimise the Web site and for ensuring the security of our IT systems. An evaluation of the data for marketing purposes does not take place in this context.
Section 6 (1) lit. f GDPR forms the legal basis of the data processing.
4.2 Use of the Web site for contract review and the entry of contract data
We collect personal data for the initiation of a contract (application by a Licensee) as well as the execution of a contract.
Section 6 (1) lit. a, b and f GDPR forms the legal basis for this.
The contact data of a Licensee can be published on our portal on request. Personal data (e.g. name and contact data of a contact person) is only published here with the express consent of the person concerned.
Section 6 (1) lit. a GDPR is the legal basis for this.
5 Storage period
5.1 Use of the Web site for information
Personal data is only stored for the period necessary for the execution of the purpose of the processing (data minimisation).
The data is deleted as soon as it is no longer required for achieving the purpose of its collection. With respect to data collection for the provision of the Web site, this is the case when the respective visit is finished. With respect to the storage of data in log files, this is the case at the latest after seven days. Longer storage is possible. In this case, the IP addresses of the users are deleted or altered so that no assignment is possible to the visiting client any more.
5.2 Use of the Web site for contract review and the entry of contract data
Personal data is stored for the duration of the licence agreement to the extent necessary for the execution of the licence agreement. After the end of the licence agreement, the data is deleted unless statutory provisions require otherwise (e.g. storage for fiscal reasons). In this case, the data is stored for the duration of the prescribed retention period. Once the retention period has lapsed, the data is deleted.
6 Right of objection
6.1 Use of the Web site for information
The collection of data for provision of the Web site and the storage of data in log files is absolutely necessary for the operation of the Web site.
This means the user has no possibility to object.
6.2 Use of the Web site for contract review and the entry of contract data
In principle, the Web site can be used without giving personal data. If personal data is collected as described above, we assure you that your data will not be disclosed to third parties without your express consent (unless disclosure is required for purposes of law enforcement, the safeguarding of public order or the protection of our systems).
1 Purpose of data processing by means of cookies
Furthermore, cookies are used to improve the quality of our Web site and its content. By using cookies, we learn how the Web site is used; this allows us to optimise our range of offers constantly. The user data collected by cookies is not used for the creation of user profiles.
2 Object of data storage and data transmission by cookies
The following data is stored and transmitted in the cookies:
§ language settings
§ log-in information
§ frequency of site visits
§ use of Web site features
§ search terms entered
The data of users collected by means of cookies is pseudonymised by technical means. Therefore no assignment of the data to the visiting user is possible any more. The data is not stored together with other personal data of the users.
4 Disabling, restriction and deletion of cookies
If cookies for our Web site are disabled, you may no longer be able to use all the features of the Web site to their full extent.
6 Legal basis
Section 6 (1) lit. f GDPR constitutes the legal basis for the processing of personal data using cookies. Section 6 (1) lit. a GDPR constitutes the legal basis for the processing of personal data using cookies for purposes of analysis.
On our Web site, you have the possibility of subscribing to a free newsletter (BusinessNews). With the registration, the user declares his/her consent to the receipt of the newsletter.
1 Scope of data processing
With the registration, the user’s e-mail address, which must be entered for registration, is transmitted to us. In addition, the following data is collected with the registration:
§ the IP address of the user
§ date and time of registration
In the context of data processing for the sending of newsletters, no data is disclosed to third parties. The data is used solely for the sending of the newsletter.
2 Purpose of data processing
The collection of the user’s e-mail address serves for sending the newsletter.
The collection of other personal data as part of the registration process has the purpose of preventing a misuse of the services or the e-mail addresses used.
The subscription to the newsletter can be cancelled by the user at any time.
To this end, every newsletter contains an “Unsubscribe” link.
4 Storage period
The data is deleted as soon as it is no longer required for achieving the purpose of its collection. This is the case when the user has unsubscribed from the subscription of the newsletter (Item 3).
5 Legal basis
Section 6 (1) lit. a GDPR constitutes the legal basis for the processing of data after registration for the newsletter.
VII Contact form and e-mail contact
Our Web site contains a contact form that can be used for making contact electronically.
1 Scope of data processing
If the user makes use of the contact form, the data entered in the input mask is transmitted to us and stored. This concerns the following data:
§ name and surname (Mr./Mrs.)
§ company (and, if applicable, position)
§ e-mail address
§ phone number (optional)
§ request text (optional)
§ request for answer (phone or e-mail)
At the time of sending the message, the following data is also stored:
§ the IP address of the user
§ date and time of registration
As an alternative, contact can be made via the provided e-mail address. In this case, the user’s personal data transmitted with the e-mail is stored.
The data is not disclosed to third parties.
The data is used solely for processing the conversation.
2 Purpose of data processing
The processing of the personal data from the input mask is solely used to process the making of contact. If the contact is made by e-mail, this entails the required legitimate processing of the data.
The other personal data processed during the sending operation is used to prevent misuse of the contact form and to ensure the security of our IT systems.
The user can revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he/she can object to the storage of his/her personal data at any time. In such a case, the conversation cannot be continued. In this case, all personal data stored in the course of the contacting is deleted.
4 Storage period
The data is deleted as soon as it is no longer required for achieving the purpose of its collection. For the personal data from the input mask of the contact form and the data sent by e-mail, this is the case once the respective conversation with the user is finished. The conversation is finished when it is clear from the circumstances that the respective matter has been finally settled. The personal data that was additionally collected during the sending operation is deleted at the latest after a period of seven days.
5 Legal basis
Section 6 (1) lit. a GDPR constitutes the legal basis for the processing of the data.
Section 6 (1) lit. f GDPR constitutes the legal basis for the processing of data that is transmitted with the sending of an e-mail. If the e-mail contact aims at the conclusion of a contract, Section 6 (1) lit. b GDPR is an additional legal basis.
VIII Web analysis by Google Analytics
Our Web site uses Google Analytics.
IX Google Maps
Our Web site uses the Google Maps software from Google LLC in order to provide geographic information and directions.
X Rights of the person concerned
If your personal data is processed, you are a person concerned within the meaning of the GDPR. You have the following rights with respect to the data controller:
1 Right to information
You are entitled to request from the data controller a confirmation on whether personal data concerning you is processed by us. If such a processing exists, you are entitled to request the following information from the data controller:
1.1 the purposes for which the personal data is processed;
1.2 the categories of personal data that is being processed;
1.3 the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
1.4 the intended storage period for the personal data concerning you or, if specific details are not possible here, criteria for the determination of the storage period;
1.5 the existence of a right to correction or deletion of personal data concerning you; of the right to restriction of processing by the data controller; of a right to an objection to this processing;
1.6 the existence of a right to file a complaint with a supervisory authority;
1.7 all available information on the origin of the data, if the personal data is not collected from the person concerned;
1.8 the existence of an automated decision-making process, including profiling, according to Section 22 (1, 4) GDPR, and – at least in these cases – meaningful information on the logic involved as well as the scope and desired impact of such processing for the person concerned.
You are entitled to demand information on whether the personal data concerning you was transmitted to a third country or an international organisation. You can demand in this context that you be informed of suitable guarantees for the transmission pursuant to Section 46 GDPR.
2 Right to correction
You are entitled to request correction and/or completion from the data controller if the processed personal data concerning you is incorrect or incomplete. The data controller must carry out the correction/completion promptly.
3 Right to restriction of processing
You are entitled to request a restriction of the processing of personal data concerning you under the following circumstances:
3.1 if you dispute the accuracy of the personal data concerning you for a period of time that allows the data controller to check the accuracy of the personal data;
3.2 if the processing is unlawful and you reject the deletion of the personal data and, instead, demand a restriction of the use of the personal data;
3.3 if the data controller no longer needs the personal data for purposes of processing but you need it to assert, exercise or defend legal claims; or
3.4 if you object to the processing in accordance with Section 21 (1) GDPR and it is not yet clear whether the legitimate reasons of the data controller outweigh your reasons.
If the processing of the personal data concerning you was restricted, this data – apart from its storage – is allowed to be processed only with your consent or for the assertion, exercise or defence of legal claims; or for the protection of the rights of another natural or legal person; or for other reasons associated with an important interest of the Union or a Member State.
If the processing was restricted according to the aforementioned conditions, you will be informed by the data controller before the restriction is lifted.
4 Right to deletion
4.1 Obligation to delete
You can request from the data controller that the respective personal data be deleted immediately; then the data controller is obligated to delete this data immediately if one of the following reasons applies:
4.1.1 The personal data concerning you is no longer needed for the purposes for which it was collected or processed in any other way.
4.1.2 You revoke your consent on which the processing in accordance with Section 6 (1) lit. a or Section 9 (2) lit. a GDPR was based, and there is no other legal basis for the processing.
4.1.3 You object to the processing in accordance with Section 21 (1) GDPR, and there are no overriding legitimate reasons for the processing; or you object to the processing in accordance with Section 21 (2) GDPR.
4.1.4 The personal data concerning you was processed unlawfully.
4.1.5 The deletion of the personal data concerning you is required to meet a legal obligation under EU law or the law of the Member States with which the data controller must comply.
4.1.6 The personal data concerning you was collected in terms of offered information society services pursuant to Section 8 (1) GDPR.
4.2 Information to third parties
In the event that the data controller has made public the personal data concerning you and he is obligated under Section 17 (1) GDPR to delete it, the data controller shall take appropriate actions – taking in due consideration the available technology and the costs of implementation – including technical ones in order to inform the persons responsible for data processing, who process the personal data, that you as a person concerned have demanded the deletion of all links to this personal data or any copies and replications of this personal data.
The right to deletion does not apply if processing is required
4.3.1 for the exercise of the right to freedom of expression and information;
4.3.2 for compliance with a legal obligation that requires processing in accordance with the law of the Union or the Member States; or for the exercise of a task that is in the public interest or due to a public authority that was assigned to the data controller.
4.3.3 on grounds of public interest in the field of public health, pursuant to Section 9 (2) lit. h and i as well as Section 9 (3) GDPR;
4.3.4 for archiving purposes that are in the public interest; for purposes of scholarly or historical research; or for statistical purposes pursuant to Section 89 (1) GDPR to the extent that the right specified in Item a) would make the achievement of these goals impossible or would seriously impair it; or
4.3.5 for the assertion, exercise or defence of legal claims.
5 Right to information
If you have asserted your right to correction, deletion or restriction of processing to the data controller, the data controller is obligated to inform all recipients to whom the personal data concerning you was disclosed of this correction or deletion of the data or the restriction of processing, unless this is impossible or would involve disproportionate effort and expenditure.
With respect to the data controller, you have the right to be informed of these recipients.
6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the data controller, in a structured, common and machine-readable format. In addition, you are entitled to transmit this data to another data controller without interference from the original data controller to whom the data was provided if
6.1 the processing is based on consent in the meaning of Section 6 (1) lit. a GDPR or Section 9 (2) lit. a GDPR or on a contract in accordance with Section 6 (1) lit. b GDPR and
6.2 the processing uses automated procedures.
In exercising this right, you are also entitled to seek that the personal data concerning you is transmitted directly from one data controller to another data controller, insofar as this is technically feasible. Liberties and rights of other persons shall not be affected by this.
The right to data portability does not apply to the processing of personal data that is required for the exercise of a task that is in the public interest or is due to a public authority that was assigned to the data controller.
7 Right of objection
For reasons that arise from your specific situation, you have the right to object to the processing of the personal data concerning you that is carried out on the basis of Section 6 (1) lit. e or f GDPR; this also applies to any profiling based on these provisions.
The data controller shall no longer process the personal data concerning you unless he can give proof of reasons worthy of protection for the processing that outweigh your interests, rights and liberties; or if the processing serves for the assertion, exercise or defence of legal claims.
If the personal data concerning you is processed for direct advertising, you are entitled at any time to object to the processing of the personal data concerning you for such advertising purposes; this also applies to profiling insofar as it is connected to such direct advertising.
If you object to processing for purposes of direct advertising, the personal data concerning you will no longer be processed for these purposes.
Regardless of Directive 2002/58/EC, you have the possibility, in the context of the use of information society services, of exercising your right to objection by way of automated procedures for which technical specifications are used.
8 Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law. The revocation of consent does not affect the lawfulness of the processing carried out based on the consent until revocation.
9 Automated decision on a case-by-case basis, including profiling
You have the right not to be subject to a decision that is solely based on automated processing – including profiling – and is legally effective with respect to you or significantly affects you in a similar way. This does not apply if the decision
9.1 is required for the conclusion or execution of a contract between you and the data controller;
9.2 is permitted based on the statutory provisions of the Union or the Member States with which the data controller must comply, and these statutory provisions contain appropriate measures for the protection of your rights and liberties as well as your legitimate interests; or
9.3 is made with your express consent.
Such decisions are not allowed to be based on special categories of personal data as defined by Section 9 (1) GDPR, however, unless Section 9 (2) lit. a or g GDPR applies and appropriate measures for the protection of rights, liberties and your legitimate interests were taken.
With regard to the cases referred to in (1) and (3), the data controller shall take appropriate actions in order to protect the rights and liberties as well as your legitimate interests; this includes, at a minimum, the right to seek the intervention of a person on the part of the data controller; the right to present your own standpoint; and the right to dispute the decision.
10 Right to file a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or location of the alleged violation, if you are of the opinion that the processing of the personal data concerning you violates the GDPR.
The supervisory authority with which the complaint was filed shall inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy pursuant to Section 78 GDPR.