Privacy Policy
Information on Data Protection for the Gerolsteiner Website
We are glad that you are interested in using our web service. The protection of personal data is our first priority. Below you find information about the processing of your personal data and your rights within the use of our web service.
1. Controller
The controller responsible for the data processing is:
Gerolsteiner Brunnen GmbH & Co KG
Vulkanring
54567 Gerolstein
E-Mail: datenschutz@gerolsteiner.com
Tel.: + 49 (0) 6591 14-0
2. Data protection officer
You can contact our data protection officer as follows:
Dr. Gregor Scheja
Scheja und Partner Rechtsanwälte mbB
Adenauerallee 136
D-53113 Bonn
Telephone: 0228/2272260
Contact: https://www.scheja-partner.de/kontakt/kontakt.html
3. Rights of the data subject
As data subject you have the following rights in accordance to the General Data Protection Regulation (GDPR) as far as the respective legal requirements are met:
Access: You have the right to obtain information about your personal data processed by us.
Rectification: You can obtain the rectification of inaccurate personal data concerning you. Furthermore you can obtain the completion of incomplete personal data.
Erasure: In specific cases you can obtain the erasure of your personal data.
Restriction of processing: In specific cases you can obtain restriction of processing of your personal data.
Data portability: If you provided data to us based on a contract or your consent you can demand that you receive the provided data in a structured, commonly used and machine-readable format or that we transmit the data directly to another controller.
Right to Object
Individual right to objectYou have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6 sec. 1, including profiling based on those provisions. We will then no longer process the personal data for those purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims. Right to object to processing for direct marketing purposesIn some cases we process your data for direct marketing. You have the right to object to the processing of your personal data for those purposes at any time. This applies to profiling as far as it is associated with such direct marketing. If you object to the processing for direct marketing purposes, your personal data will not be processed for those purposes any longer.
Withdrawal of consent: If you gave your consent to the processing of your personal data you can withdraw your consent at any time with future effect. The lawfulness of the processing of your personal data until your withdrawal will not be affected. In addition to the options stated under ‘enforcement of your rights’ you can explain your withdrawal according to the respective information concerning ‘exercising the right to object’ in the section ‘Services & Cookies’.
Enforcements of your rights: To exercise the aforementioned rights please contact via e-Mail datenschutz@gerolsteiner.com or by post to the address stated under number 1. When doing so please make sure an unambiguous identification of yourself is possible.
Right of appeal: You have the right to lodge a complaint with a data protection supervisory authority, particularly one in the member state of your habitual residence, work place or the place of the suspected violation, if you are of the view that the processing of your personal data is unlawful.
4. Automated individual decision-making, including profiling
Automated individual decision-making, including profiling within the meaning of Art. 22 GDPR does not take place within the use of our Service.
5. Details on services, cookies & co.
5.1 Our own services
Data categories:
Date and time of access, duration of visit, type of device, used operation system, used functions, amount of sent data, type of event, IP-address, domain name
Purpose(s):
Providing service
Legal Basis:
Article 6 section 1 b) and f) GDPR
Pursued legitimate interests:
Technical functionality
Recipients or categories of recipients:
Hosting provider, internal departments, external service provider for technical support
Third country transfer: Adequacy decision (yes/no)
no
Storage periods or criteria for their Determination:
Directly after delivery by the web server
Duty to provide personal data and possible consequences of failure to provide:
No duty to provide, automatic collection by accessing the service
Data Sources:
Direct collection when accessing website/service
Data categories:
First and Last Name Address, Phone Number, email-Address
Purpose(s):
Finalizing a Contract and processing of the order
Legal Basis:
Article 6 section 1 b) GDPR
Pursued legitimate interests:
See purposes
Recipients or categories of recipients:
Hosting provider, internal departments, external service provider for technical support, sales partner
Third country transfer: Adequacy decision (yes/no)
no
Duty to provide personal data and possible consequences of failure to provide:
No duty to provide, without providing the personal data, the finalizing of a contract is impossible.
Data Sources:
Direct collection when accessing website/service
Data categories:
Accessed URL, IP address, date and time of access, amount of transferred data, website where the user came from (‘referrer’), websites accessed by the user’s system from our website, http-status, information about the browser type and the used version, operating system, internet service provider
Purpose(s):
Statistical evaluations, optimizing the website, system security (fraud prevention), error diagnosis
Legal basis:
Article 6 section 1 b) and f) GDPR
Pursued legitimate interests:
See purposes
Recipients or categories of recipients:
Hosting provider, internal departments, external service provider for technical support government agencies on demand
Third country transfer: Adequacy decision (yes/no)
no
Duty to provide personal data and possible consequences of failure to provide:
No duty to provide, automatic collection by accessing the service
Data sources:
Direct collection when accessing website/service
Data categories:
Name of the contacting person, postal address, phone number, e-Mail address, content of the message
Purpose(s):
Receipt and handling of requests, complaints and other feedback
Legal basis:
Article 6 section 1 b) and f) GDPR
Pursued legitimate interests:
See purposes
Recipients or categories of recipients:
Hosting provider, internal departments, government agencies on demand
Duty to provide personal data and possible consequences of failure to provide:
Mandatory details in the contact form marked with ‘*’, other information is not mandatory but serves faster handling of the request
Data sources:
Direct collection in the contact form
Data categories:
Name of recipient, title, E-Mail address, date and time of registration
Purpose(s):
Sending out newsletters for customers
Legal basis:
Article 6 section 1 a) GDPR
Recipients or categories of recipients:
Internal departments especially marketing, hosting provider, processor for sending out newsletters, government agencies on demand
Duty to provide personal data and possible consequences of failure to provide:
No duty to provide
Exercising the right to object:
Cancellation link in every newsletter
Data sources:
Direct collection in the newsletter registration form
Data categories:
Name of pseudonym, content of comment
Purpose(s):
Allowing commenting on website content
Legal basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
See purposes
Recipients or categories of recipients:
Hosting provider, internal departments especially customer service
Duty to provide personal data and possible consequences of failure to provide:
No duty to provide
Data sources:
Direct collection in commenting form
If you take part in one of our competitions, you can find information on how your data will be handled detailed in the conditions of entry.
Data categories:
First and last name, date for booking an appointment
Purpose(s):
Enabling appointment booking
Legal Basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
internal departments, contract processors for providing the calendar function
Third country transfer: Adequacy decision (yes/no)
USA; no
Guarantees for third country transfers and possibility of access to them:
Standard contractual clauses in accordance with article 46 section 2 GDPR, copies can be requested from the contact in number 1
Duty to provide personal data and possible consequences of failure to provide:
No duty to provide. No appointment booking is possible without providing the data.
Data Sources:
Direct collection in calendar function
5.2. Integration of third party services
We use third party services to enable you to use their functions, services and features. These integrated services are designed and provided by the respective third party. Therefore we have no influence on the design, contents and function of those services or the processing of personal data by the provider. Please obtain further information directly from the providers of those integrated services.
Provider/recipient:
Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA
Purpose(s):
Communication with Facebook profile
Legal basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
Allowing communication via Facebook profile
The provider’s data protection notice:
Further information:
We use the Shariff-solution, the browser only establishes a direct connection to Faceboo after clicking on the Facebook button
Provider/recipient:
Twitter, Inc. Attn: Privacy Policy Inquiry 1355 Market Street, Suite 900 San Francisco, CA 94103
Purpose(s):
Communication with Twitter profile
Legal basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
Allowing communication via twitter profile
The provider’s data protection notice:
Further information:
We use the Shariff-solution, the browser only establishes a direct connection to twitter after clicking on the twitter button
Provider/recipient:
Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, USA.
Purpose(s):
Communication with Pinterest profile
Legal basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
Allowing communication via Pinterest profile
The provider’s data protection notice:
policy.pinterest.com/en/privacy-policy
Further information:
We use the Shariff-solution, the browser only establishes a direct connection to Pinterest after clicking on the Pinterest button
Provider/recipient:
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Purpose(s):
Communication with the LinkedIn profile
Legal basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
Enabling communication via the LinkedIn profile
The provider’s data protection notice:
www.linkedin.com/legal/privacy-policy
Further information:
We use the Shariff-solution, the browser only establishes a direct connection to Pinterest after clicking on the Pinterest button
Provider/recipient:
New Work SE, Am Strandkai 1, 20457 Hamburg
Purpose(s):
Communication with the XING-profile
Legal basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
Enabling communication via the LinkedIn profile
The provider’s data protection notice:
privacy.xing.com/en/privacy-policy
Further information:
We use the Shariff-solution, the browser only establishes a direct connection to Pinterest after clicking on the Pinterest button
5.3. Cookies, pixels and other similar technology
On our website we use cookies to provide an extensive range of functions, make the usage more comfortable and optimize our offers. Cookies are small text files generated by a web server und stored on your computer during the online visit by your web browser.
We use so-called ‚session cookies‘ which are automatically deleted after upon completion of your browser session.
Furthermore we use persistent cookies which are mostly used to provide permanently recurring settings to you as a website visitor. This enables us to modify our website individually in accordance to your preferences. Persistent cookies also enable us to analyze our visitor’s usage behavior though only within the scope of validity.
In addition to that, further cookies might be used in connection with the integration of specific services by the providers of those services (so-called ‘Third-Party cookies’).
Usage-based online advertising (see above) can also be facilitated through the use of tracking pixels. Tracking pixels are small graphics on websites which permit log data capture and analysis, which can be used for statistical evaluation. When the user visits the website, the tracking pixels inscribe information onto the cookie data on the user’s browser.
If you do not want cookies to be used you can prevent the storage of cookies on your device with respective configurations of your internet browser. Please bear in mind that the functionality and the range und functions could be restricted by that. Furthermore we will only use specific cookies with your previous consent. Also you can make use of your right to object when it comes to specific cookies. Detailed information about type, scope, purposes, legal bases and options to object to the processing in the context of those cookies you can find in the following tables.
5.4. Services jointly controlled with third-party providers
In some cases, we are jointly responsible with a third-party provider. This may be the case both for the integration of their services on our website and for our presence in the third party's offer. For detailed information on the type, scope, purposes, legal basis and enforcement of your data subject rights in connection with these services, please refer to the information in the tables below. Information on the data processing of the respective third-party provider can be found in their data protection notices. You can also exercise your rights as a data subject both vis-à-vis us and directly vis-à-vis the respective service provider. The service provider will be able to react more quickly with regard to the processes for which it is responsible, which is why we recommend direct contact with the service provider.
5.4.1 Facebook Fanpage
We use the Facebook-service Page Insights and are Joint Controllers with Facebook Ireland Limited, 4 Grand Canal Square Dublin 2, Ireland (contact the Data Protection Officer). We have entered into a contract with Facebook Ireland Limited (hereinafter “Facebook”) which covers the responsibilities regarding this jointly controlled service, which, however, only provides us with statistical data on usage.
The privacy policies of the other joint controllers responsible for the Facebook Fanpage, can be found under the link Data Policy.
Functionality in our sole responsibility:
Interaction by/with users
Data categories:
Date and time of the interaction, type of the device, used operation system, type and content of the interaction (e.g. likes, direct messages), profile name and – picture.
Purpose(s):
Interacting with users, improving of usability, receiving and processing inquiries, complaints or other feedback.
Legal basis:
Article 6 section 1 f) GDPR
Pursued legitimate interests:
further development of our services and products,control and improvement of our business processes, business analysis, public communication, branding.
Recipients or categories of recipients:
Internal departments, especially marketing. Regarding the recipients of Facebook, we refer to their data policy.
Third country transfer; adequacy decision:
We do not transfer your data to a third country. Regarding the data transfer to a third country by Facebook we refer to their data policy.
Storage periods or criteria for their determination:
If there are no legal obligations: after termination of the user relationship, after complete answer of the direct message, after the removal of the commented article, if applicable deletion of illegal content. Regarding the retention by Facebook we refer to their data policy.
Duty to provide personal data and possible consequences of failure to provide:
No duty to provide.
Data sources:
Direct collection when interacting with the user.
6. Links to Other Websites
Our website contains so-called hyperlinks to the websites of other suppliers. Clicking on these links will take you directly from our website to the other suppliers’ websites. You can notice this by, among other things, the change to the URL.
7. Changes to these Data Protection Guidelines
We reserve the right to change these data protection guidelines to reflect changes in the law or to our internal company procedures. We therefore request that you review these data protection guidelines every time you view this website.
Last updated:
April 2024