Ninkaplast GmbH regarding the issue of Data Protection

Ninkaplast GmbH (hereafter, “operator”) is pleased that you are interested in our company and our products and/or services and would like you to feel secure with regards to our protection of your personal data. The protection of the private sphere is of critical importance–particularly for the future of Internet-based business models and for the development of Internet-based business. Thus, through this Data Protection Declaration, we wish to underscore our commitment to the protection of your private sphere. We have obligated our employees as well as the service companies that we commission to maintain confidentiality and follow the provisions of the General Data Protection Regulation and other relevant data protection guidelines.

The processing of personal data, e.g. the name, postal address, e-mail address or telephone number of a data subject, shall always be undertaken in accordance with the General Data Protection Regulation and in accordance with the country-specific data protection guidelines that are valid for the operator. By means of this Data Protection Declaration, we would like to inform the public of the type, scope and purpose of the personal data which we collect, use and process. Moreover, the data subjects are supposed to be informed of their rights via this Data Protection Declaration.

The operator, as the controller for the processing, has implemented numerous technical and organizational measures in order to guarantee the most seamless protection possible of the personal data processed via this Internet site. Nonetheless, in principle, Internet-based data transmissions can have security gaps so that absolute protection cannot be guaranteed. For this reason, each data subject shall be at liberty to provide personal data to us by alternative means, e.g. by telephone or post. We take the protection of your personal data very seriously and strictly follow the provisions of the data protection laws.

Definitions of Terms

The operator’s Data Protection Declaration is based upon the terms which have been used by the European regulatory authorities when establishing the General Data Protection Regulation (GDPR). Our Data Protection Declaration is supposed to be easily readable and understandable both for the public as well as for our guests and business partners. In order to guarantee this, we would like to first discuss in detail the terms used.

In this Data Protection Declaration, we shall use, among others, the following terms:

Personal Data
Personal data shall be considered to be all information which refers to an identified or identifiable natural person (hereafter, “data subject”). An identifiable person shall be considered to be a natural person who can be identified, directly or indirectly–particularly via categorization by an identifier such as a name, an ID number, locational data, an online name or one or more special characteristics which are the expression of the physical, physiological, genetic, psychological, business, cultural or social identity of this natural person.

Data Subject
The data subject shall be considered to be each identified or identifiable natural person whose personal data are processed by the controller responsible for the processing.

Processing
Processing shall be considered to be each process, or each such series of processes, implemented with or without the assistance of automated procedures in conjunction with personal data such as the collection, recording, organization, filing, storage, adaptation or alteration, reading-out, querying, usage, disclosure via transmission, dissemination or any other form of supplying, alignment or linking, restriction, deletion or destruction. Restriction of the Processing The restriction of the processing shall be considered to be the flagging of stored personal data with the goal of restricting their future processing. Profiling Profiling shall be considered to be each type of automated processing of personal data which encompasses these personal data being used in order to assess certain personal aspects that refer to a natural person–particularly in order to analyze or predict aspects regarding the work performance, financial situation, health, personal preferences, interests, reliability, behavior, place of residence or relocation of this natural person.

Pseudonymization
Pseudonymization shall be considered to be the processing of personal data in such a manner that the personal data can no longer be categorized to a specific data subject without being provided additional information insofar as this additional information is stored separately and subjected to technical and organizational measures which guarantee that the personal data cannot be categorized to an identified or identifiable natural person.

Controller or Party Responsible for the Processing
The controller or the party responsible for the processing shall be considered to be the natural or juridical person, government agency, institution or any other party who, solely or collectively, makes decisions regarding the purposes and methods of processing of personal data. If the purposes and methods of this processing have been prescribed by the law of the European Union or the law of the member countries, then the controller and/or the specific criteria for his or her appointment may be prescribed in accordance with the law of the European Union or the law of the member countries.

Processor
The processor shall be considered to be any natural or juridical person, authority, institution or any other party who processes the personal data by mandate from the controller.

Recipient
The recipient shall be considered to be any natural or juridical person, government agency, institution or any other party to whom personal data are disclosed regardless of whether he or she is a third party or not. Public authorities, which may possibly receive personal data within the parameters of a specific investigation mandate in accordance with the law of the European Union or the law of the member countries, shall nonetheless not be considered to be recipients.

Third Party
A third party shall be considered to be any natural or juridical person, government agency, institution or any other party with the exception of the data subject, the controller, the contracted data processor and the persons who are authorized to process the personal data who are under the direct responsibility of the controller or of the processor.

Consent
Consent shall be each declaration of intention that is voluntarily rendered by the data subject for the specific case in an informed and transparent manner in the form of a declaration or any other transparent confirming action, by means of which the data subject announces that he or she is in agreement with the processing of his or her personal data (e.g. when making contact via a form).

Legal Basis of the Processing

Art. 6 I lit. a GDPR shall serve as the legal basis for the processing procedures for which we shall obtain consent for a specific processing purpose. If the processing of personal data is required for the fulfillment of a contractual agreement whose contractual party is the data subject such as is the case, for example, during processing procedures which are required for a supplying of goods or the rendering of any other service or counter-performance, then the processing shall be based upon Art. 6 I lit. b GDPR. The same shall be valid for such processing procedures which are required for the implementation of pre-contractual measures, e.g. in cases of inquiries regarding our products or services. If our company is subject to a legal obligation whereby processing of personal data shall be required, e.g. in order to fulfill tax obligations, then the processing shall be based upon Art. 6 I lit. c GDPR. In rare cases, the processing of personal data could become required in order to protect vital interests of the data subject or of another natural person. If the processing is required owing to a rightful interest, then the processing shall be based upon Art. 7 I lit. f.

Rights of the Data Subject

If the data subject would like to assert one or more of the rights described below, he or she may, at any time, contact our Data Protection Officer or any other employee of the party responsible for the processing.

Right to Confirmation
Each data subject shall have the right, which has been granted by the European regulatory authorities, to demand that the controller confirm whether his or her personal data are being processed. If a data subject would like to exercise this right of confirmation, he or she may, at any time, contact our data protection officer or any other employee of the controller.

Right to Information
Each data subject shall have the right, which has been granted by the European regulatory authorities, to, at any time, receive free-of-charge information from the controller regarding the personal data which have been stored regarding his or her person as well as a copy of this information. Moreover, the European regulatory authorities have also granted the data subject the right to request the following information:

Furthermore, the data subject shall have a right to information regarding whether personal data have been transmitted to a third country or to an international organization. Insofar as this is the case, the data subject shall also be entitled to receive information regarding the suitable guarantees provided in conjunction with the transmission.

Right to Correction
Each data subject shall have the right, which has been granted by the European regulatory authorities, to demand the prompt correction of his incorrect personal data. Moreover, subject to the consideration of the purposes of the processing, the data subject shall also have the right to demand the completion of incomplete personal data–including via a supplemental declaration.

Right to Deletion (Right to be Forgotten)
Each data subject shall have the right, which has been granted by the European regulatory authorities, to demand that the controller promptly delete his or her personal data insofar as one of the following reasons is valid and insofar as the processing is not required:

Right to Restriction of the Processing
Each data subject shall have the right, which has been granted by the European regulatory authorities, to demand that the controller restrict the processing if one of the following requirements has been fulfilled:

Right to Data Portability
Each data subject shall have the right, which has been issued by the European regulatory authorities, to receive his or her personal data, which have been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. Moreover, he or she shall also have the right to transmit these data to another controller–without any objections upon the part of the controller–to whom the personal data have been provided insofar as the processing is based upon the consent granted in accordance with Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or upon a contractual agreement in accordance with Art. 6 (1) lit. b GDPR and the processing is undertaken via an automated procedure insofar as the processing is not required for the fulfillment of a task which lies in the public interest or in the exercising of public authority which has been issued to the controller. Furthermore, the data subject shall have the right, with regards to the exercising of his or her right to data portability in accordance with Art. 20 (1) GDPR, to request that the personal data be transmitted directly by one controller to another controller insofar as this is technically feasible and insofar as the rights and freedoms of other persons are not restricted by so doing.

Right to Object
Each data subject shall have the right, which has been granted by the European regulatory authorities, to lodge an objection, at any time for reasons related to his or her special situation, to the processing of his or her personal data which is undertaken in accordance with Art. 6 (1) lit. e or f GDPR. This shall also be valid for a profiling in accordance with these provisions. In the case that an objection is lodged, the operator shall no longer process the personal data unless we can document mandatory reasons worthy of protection for the processing which outweigh the interests, rights and freedoms of the data subject or the processing serves the purpose of the assertion, exercise or defense of legal claims. If the operator processes personal data in order to conduct direct marketing, then the data subject shall have the right, at any time, to lodge an objection to the processing of the personal data for the purpose of such marketing. This shall also be valid for the profiling insofar as it is conjunction with such direct marketing. If the data subject submits an objection to the operator regarding the processing for the purposes of direct marketing, then the operator shall no longer process the personal data for these purposes. In addition, the data subject shall have the right, for reasons related to his or her special situation, to lodge an objection to the processing of his or her personal data which is undertaken by the operator for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR unless such processing is required for the fulfillment of a task which is in the public’s interest. Furthermore, the data subject shall be at liberty, in conjunction with the usage of services from the information society and notwithstanding directive 2002/58/EC, to exercise his or her right of objection via an automated procedure in which technical specifications are used.

Automated Decision-Making in Individual Cases including Profiling
Each data subject shall have the right, which has been granted by the European regulatory authorities, to not be subjected to decision-making which is exclusively based upon automated processing–including profiling –which creates legal ramifications for him or her or substantially restricts him or her in a similar fashion insofar as the decision-making (1) is not required for the conclusion or the fulfillment of a contractual agreement between the data subject and the controller, or (2) owing to legal regulations of the European Union or of the member countries to which the controller is subject, is permissible and these legal regulations contain appropriate measures for the safeguarding of the rights and freedoms as well as the rightful interests of the data subject or (3) is undertaken with the express consent of the data subject. If the decision-making (1) is required for the conclusion or the fulfillment of a contractual agreement between the data subject and the controller or (2) it is undertaken with the express consent of the data subject, the operator shall undertake appropriate measures in order to safeguard the rights and freedoms as well as the rightful interests of the data subject whereby this includes at least the right to affect the intervention of a person on the part of the controller in order to express his or her own viewpoint and contest the decision.

Right to Revocation of Consent Granted under Data Protection Law
Each data subject shall have the right, which has been granted by the European regulatory authorities, to–at any time–revoke the consent for the processing of personal data.

Usage and Dissemination of Personal Data

Personal data, which you transmit to us via our website or in some other manner, shall be collected, processed and stored for correspondence with you and for the purposes for which you provided us with the data. Moreover, as required, we shall use these data for sending occasional offers to you and in order to inform you of new products or services and other services which may be of interest to you. You may, at any time, lodge an objection to this usage of your data by sending a suitable notification, e.g. by sending an e-mail to: info@ninka.com. With regards to the dissemination of personal data to third parties, we restrict this to that information which is required for rendering our respective services. The respective third-party provider may use these personal data exclusively for rendering the required service or the implementation of the required transaction which is undertaken by our mandate. In this regard, we shall obligate the service providers to follow the data protection laws. We shall never pass on your personal data for external marketing purposes to third parties, sell them or otherwise make them available to third parties. The operator may be compelled to disclose your data and any related information based upon court or official authority decrees. Likewise, we reserve the right to use your data in order to assert or ward off legal claims. In accordance with applicable law, we also reserve the right to undertake event-based storage and dissemination of personal and other data in order to detect and combat illegal acts, attempts to defraud or any violations of the operator’s Usage Terms and Conditions.

Contacting Us via the Internet Site

In accordance with the statutory provisions, our Internet site contains data which enables fast electronic contacting as well as direct communication with us which also encompasses a general address for so-called electronic post (e-mail address). Insofar as a data subject contacts the controller via e-mail or via a contact form, the personal data transmitted by the data subject shall be automatically stored. Any such personal data provided upon a voluntary basis by a data subject to the controller shall be stored for the purpose of the processing or the contacting of the. These personal data shall not be disseminated to third parties.

Secure Communication on the Internet

We shall endeavor to transmit and store your personal data in such a manner, by means of technical and organizational measures, in such a manner that they are not accessible to third parties. However, in general, the Internet is considered to be an insecure medium. In contract to, for example, a telephone line, the transmission of data on the Internet can more easily be intercepted, recorded or even altered by unauthorized third parties. During unencrypted communication via e-mail, total data security cannot be guaranteed so that we recommend that you send us confidential information via post.

Data Processing on This Internet Site

For security and technical reasons, the operator shall automatically process information in your system logs which your browser transmits to us. They are essentially the following:

We shall not undertake a commingling of these data with other data sources or undertake statistical evaluations upon the basis of these data. Some observations regarding IP addresses: IP addresses shall be mandatorily required for sending the webpages and data from our servers to your browser. They are the “addresses” for the information which you request from our web servers. However, in accordance with the prevailing legal opinion, IP addresses are considered to be personal data and we shall thus use them exclusively in the technically-required scope.

Cookies

Our Internet pages use so-called cookies in multiple sections. Cookies are small text files which are stored on your computer and which your browser stores. They serve to make our website user-friendlier, more effective and more secure. We use the following cookies:

PHPSESSID
Function and content: Required for the creation of the user session. Contains a 32-digit alphanumerical character string. Duration: Is deleted by closing the browser.

_pk_id.,_pk_ses.
Function and content: These are 1st-party cookies which are generated by the Matomo statistical software. These "persistent" cookies shall be stored on the computer and shall only then lose their effectiveness when their assigned expiration date lapses. By using these cookies, we can recognize whether a visitor was already on our website and what types of content are of interest to this person. Contains a 51-digit alphanumerical character string. Duration:
13 months: (_pk_id.)
30 minutes: (_pk_ses.)

Most of the cookies that we use are so-called “session cookies” (cookie “PHPSESSID”) for your user session. They shall be automatically deleted after your visit ends (after the browser is closed). All cookies on our webpages shall contain purely technical information in pseudonymized or anonymized form. They shall contain no personal data. If you would like to prevent the storage of cookies, you must select “accept no cookies” in your browser’s settings. If no cookies are accepted by the browser, however, the functional scope of our Internet site may be very greatly restricted. Some functions shall then no longer be available.

Job Application Data

Job application data shall be stored and processed by us and then also forwarded to the competent contact person at. Your data shall be used exclusively for correspondence with you and in order to process your application during our personnel selection procedure. In order to protect your job application documents, we recommend that you transmit them as a password-protected ZIP file. You can notify us of the password by telephone. Solely the personnel division and the management personnel shall be granted access to your job application data. After six months, we shall delete your transmitted data for the application process unless you have expressly approved a longer retention period.

Web Analysis with Matomo (formerly Piwik)

The user’s actions on the website shall be recorded and evaluated via the tracking software from Matomo (www.matomo.org). In this regard, the storage of the IP address shall be undertaken anonymously, i.e. the last two octets of the IP address shall be set to 0. By so doing, the collected data cannot be attributed to a specific person.

The tracking software shall be used merely in order to adapt the website to the current technical framework conditions and in order to optimize the Internet site for the users. Any dissemination to third parties shall be excluded.

The tracking software shall be operated via a partner company located in Germany on its own encrypted server. Statistical data and any personal data (e.g. via registration or contact forms) shall thus be stored separately from each other on different servers. Any linking between personal data and statistical data shall be absolutely excluded.

Objection to the Web Analysis

You shall have the right to lodge an objection to the collection of anonymized data by Matomo.

The objection shall be stored in the form of an opt-out cookie so that, for example, after deleting all browser cookies, the opt-out must be declared once again.

Routine Deletion and Blocking of Personal Data

The controller shall process and store the personal data of the data subject only for the period which is required for the attainment of the storage purpose or insofar as this has been prescribed by the European regulatory authorities or any other lawmakers in laws or regulations to which the controller is subject.

If the storage purpose ceases to be valid or a storage period prescribed by the European regulatory authorities or any other competent lawmakers, the personal data shall be blocked or deleted routinely and in accordance with the statutory provisions.

Period for which the Personal Data are Stored

The criterion for the period for the storage of personal data shall be the respective statutory retention period. After the period has elapsed, the corresponding data shall be routinely deleted insofar as they are no longer required for the fulfillment or negotiation of a contractual agreement.

Updating this Data Protection Declaration

Insofar as the operator introduces new products or services, alters Internet procedures or the Internet and EDP security technology continues to develop, the Data Protection Declaration shall be updated. Thus, we reserve the right to amend or supplement the declaration as required. We shall publish any such changes here. Status of this Data Protection Declaration: May 2019.