Version 3.0 valid from 1.9.2022 until revoked
Please note that some of the terms used herein are taken from Regulation (EU) 679/2016 on the protection of natural persons regarding the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the so-called "General Data Protection Regulation", hereinafter abbreviated to "GDPR").
Most of the terms are defined in Section 4 GDPR.
A. Our contact details
Georg Utz Holding AG
Phone +41 56 648 7711
The Data Protection Officer can also be contacted under
B. Basic information on our data processing operations
This section provides basic information on how we handle your personal data. This information applies to all data processing operations carried out by us as the data controllers. Insofar as we are able to provide further details in the context of individually listed data processing operations in section C, we will specify our explanations in the relevant places.
We only process your personal data for our legitimate purposes. As a rule, we only process data for the provision and supply of our services, including our online offers (e.g., the maintenance of our website).
II. Legal grounds
We process your personal data only if and to the extent that at least one of the following applies:
1. Consent (Art. 6 para. 1 Sentence 1 lit. a GDPR)
In individual cases, we ask you to give your consent in order to process certain personal data for previously defined and communicated purposes in accordance with Art. 6 section 1 s. 1 lit. a GDPR. We always obtain consent electronically and record the content and granting consent. In this case, consent is given by way of an "opt-in" procedure (confirming action by placing a tick in the appropriate box) or, if this is necessary to identify the data subject, by way of a "double-opt-in" procedure (additional confirmation of identity by receipt of an e-mail with a confirmation link which you must click on). We only use a different requesting process when placing cookies on our website (Cookiebot).
If you give your consent, you can withdraw it. Please note the more detailed information on your right of revocation under point F.II.
2. Contract fulfilment (Art. 6 section 1 s. 1 lit. b GDPR)
When carrying out pre-contractual measures or executing a contract with you, we rely on the legal basis of Art. 6 section 1 s. 1 lit. b GDPR. This includes, for example, your contact details, which we need for contract processing and communication.
3. Compliance with a legal obligation (Art. 6 section 1 s. 1 lit. c GDPR)
If we process data in order to comply with a legal obligation (e.g., commercial law or tax obligations), this is legally based on Art. 6 section 1 s. 1 lit. c GDPR.
4. Protection of vital interests (Art. 6 section 1 s. 1 lit. d GDPR)
If vital interests of the data subject or another natural person make processing of personal data necessary, this is legally based on Art. 6 section 1 s. 1 lit. d GDPR.
5. Performance of a task carried out in the public interest or in the exercise of official authority (Art. 6 section 1 s. 1 lit. e GDPR)
For the processing of personal data in the performance of tasks carried out in the public interest or in the exercise of official authority, we rely on Art. 6 section 1 s. 1 lit. e GDPR.
6. Safeguarding legitimate interests (Art. 6 section 1 s. 1 lit. f GDPR)
In accordance with Art. 6 section 1 s. 1 lit. f GDPR, we process personal data if we protect our legitimate interests or those of a third party and these interests override your interests, fundamental rights and freedoms. In these cases, you may have a right to object to the processing. Please note the more detailed information on your right of revocation under point F.I.
III. Data erasure
We erase your personal data as soon as the purpose of processing has been achieved or otherwise ceases to apply, unless storage beyond this is provided for by law, for example pursuant to Art. 17 section 3 GDPR. In order to ensure timely erasure, if necessary, we follow a specially created erasure concept based on the erasure of personal data after the expiry of certain storage and erasure periods, which we divide in accordance with the following criteria:
IV. Disclosure of personal data to third parties
We only pass on personal data to third parties if we are legally obliged or entitled to do so. This includes the following groups of recipients:
If required, we can provide you with a list of the specific recipients of your personal data.
V. Processing of data in so-called third countries
As a matter of principle, your personal data will only be processed in countries within the EU or the European Economic Area that are subject to the scope of the GDPR. To all other, so-called "third countries", we only transfer your personal data if an adequate level of data protection is guaranteed in the respective third country or at the respective recipient in the third country in accordance with Art. 44 et seq. GDPR. This may be the case
If we cannot guarantee an adequate level of data protection when transferring data to a third country, we will only process your personal data if you give us your express consent to do so (Art. 49 section 1 s. 1 lit. a GDPR). In this case, we will inform you of the corresponding risks associated with the transfer to third countries.
C. Data processing when visiting our website
This section provides information about the personal data processing operations that take place when you visit our website.
I. Log files
When you visit our website, the browser you use on your end device automatically sends information to our website server. This information is temporarily stored in a so-called "log file".
1. Captured data
The following information is automatically captured when you visit our website and stored until it is automatically erased:
2. Purpose and legal basis
The capture and processing of these "log data" serve the following purposes founded on the following legal basis:
3. Duration of storage and erasure periods
The data are erased when the purpose for which they were captured no longer applies. In the context of providing our website’s content, the data are therefore generally erased when you leave our pages and the session is therefore ended.
Insofar as the purposes of system security and stability are pursued, log data are stored for a maximum of seven days beyond the end of the session. Beyond these seven days, data are only stored or otherwise processed as to ensure that the IP addresses of the users are erased after the expiry of the aforementioned storage period of seven days or are altered in such a way (e.g., by anonymisation or pseudonymisation) that any allocation of the log data to an IP address and therefore to the user is no longer possible.
4. Possibility of objection and removal
As will be explained under section F.I, you have a right of objection insofar as we rely on legitimate interests. However, as the data processing described above is imperative for the operation of our website, you can only assert your right of objection insofar as your particular situation does not permit processing to the extent described above. As a rule, however, we can prove the compelling necessity of the data processing just mentioned.
5. Data security
During your visit of our website, we use the widespread SSL procedure (Secure Socket Layer) in conjunction with the highest encryption level supported by your browser. As a rule, this is a 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can view whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.
We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments.
Cookies are small text files that your browser automatically creates and stores on your end device (PC, laptop, tablet, smartphone, etc.) while you visit our website. Cookies do not contain viruses, Trojans or other malware, but information that enables your browser to be uniquely identified when the same website is called up again. Although we do not obtain any direct knowledge of your identity through the placement of cookies, it may in principle be possible to establish a personal reference to the user, depending on the type of cookie and the possibility of assigning a cookie to an IP address.
We basically distinguish between two types of cookies:
1. Purpose and legal basis
The use of necessary cookies not only serves to enable the provision of our website and the full use of our offer, but also to make it more pleasant for you. Functions such as language settings, a shopping cart or similar would not be possible without the use of these cookies.
On the other hand, we use optional cookies to statistically record the use of our website and to conduct an analysis of the surfing behaviour of users on our website. This serves to optimise our offer and the quality of our website and its content. The analysis cookies help us to learn how the website is used and therefore to constantly optimise our offer. This enables us to adapt our offer to the wishes of our user group, for example through market research, and to design it in line with requirements. We take technical precautions to in order to pseudonymise the user data captured in this manner. Although we are then no longer able to allocate the data to the accessing user, it may be possible for the companies whose tools we use for the placement of cookies (such as Google) to allocate and identify the user more clearly.
The use of our cookies with regard to the provision of our website and the full use of our offer is legally based on Art. 6 para. 1 p. 1 lit. b GDPR, insofar as this use is mandatory in terms of the fulfilment of the contract or for the implementation of pre-contractual measures (such as a shopping cart function), and Art. 6 para. 1 p. 1 lit. f GDPR, insofar as we pursue functional purposes (appealing design and the like, security interests, etc.).
Insofar as we analyse the surfing behaviour of our users by means of optional cookies and, in doing so, make partial use of third-party software, we invoke your previously granted consent in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. Of course, we will refrain from this type of data processing if you have not previously given your consent.
2. Duration of storage and erasure periods
Session cookies are only stored by your browser for the duration of your browser session and are erased when you close the browser. Optional cookies remain stored on the terminal device you are using for a longer period of 1 day to 2 years. All validity periods can be viewed on the website under 'Cookie Settings' (https://www.utzgroup.com/en/cookie-settings/.
3. Right of objection and removal
As a user, you can also adjust technical settings to decide yourself whether and how your browser uses and stores cookies. You can configure your browser so as not to store cookies on your computer or to always send a message before a new cookie is created. You can delete cookies that have already been created or have them automatically deleted by your browser. However, the complete deactivation of cookies may mean that you cannot use all the functions of our website.
III. Google Tools - Analytics
a) Purpose and legal basis
This is only activated if you have given the appropriate consent when accessing our website in accordance with Art. 6 para. 1 p. 1 lit. a GDPR. Please note that you are entitled to withdrawal (Section F.II).
b) Data recipients
The information generated by the cookie (e.g., browser type, operating system, IP address, etc.) about your website use may be transmitted to and stored on a Google server in the USA. Your IP address will be shortened and anonymised by Google within the Member States of the European Union or in other contracting states to the Agreement on the European Economic Area before transmission (so-called "IP masking"). Only in exceptional cases will the full IP address be transmitted to and shortened on a Google server in the USA.
Google will use the aforementioned information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage for the purposes of market research and to tailor the website to your needs. If necessary, this information is transferred to third parties if this is required by law or if third parties process these data on our behalf. Google may also merge data from other sources of its own with your data, so that Google can identify you despite IP masking.
Please note, as we communicated when asking for consent, that
If you have nevertheless given your consent, your consent explicitly refers to the fact that you are aware of and accept these risks.
c) Right of objection and removal
We only activate the Google Analytics function if you have given your appropriate consent when accessing our website. As Google Analytics works with cookies, the explanations under the previous point C.II also apply. Please pay particular attention to your right of withdrawing your consent (see further details in Section F.II).
You can also prevent Google Analytics from capturing data by either downloading and installing a browser add-on or setting an opt-out cookie at the following Internet address: tools.google.com/dlpage/gaoptout. Setting an opt-out cookie will prevent the future capture of your data by Google Analytics when you visit this website. However, if you delete your cookies in the future, this will result in the opt-out cookie also being deleted and you may have to reactivate it.
We use Google Analytics to analyse data from AdWords and the DoubleClick cookie for statistical purposes. If undesired, this can be deactivated via the ad preferences manager (https://adssettings.google.de/authenticated).
d) Joint controllers
Finally, we would like to point out that we are jointly responsible with Google for overall data processing (Art. 26 GDPR). Data capture on the website is first carried out by us; the website then transmits the captured data to Google through the respective tool. Once the data have been transmitted, Google is again solely responsible for further processing.
We have entered into an agreement with Google under which you can exercise your data protection rights in accordance with this processing series both against us and against Google. If the assertion of your rights relates to a data processing operation that is within the area of responsibility of the other joint controller, we will forward your request accordingly so that your rights are safeguarded.
IV. Email contact
If you contact us via the email address provided on our website, we will store your email address and any other data you (voluntarily) provide. Data are only passed on to third parties if this is necessary to process your request (e.g., HubSpot).
1. Purpose and legal basis
We process the aforementioned data for the purpose of handling your request. Other data are only processed for technical or security reasons (for example, prevention of misuse and ensuring our system security). This is legally based on Art. 6 para. 1 p. 1 lit. b GDPR (fulfilment of a contract or pre-contractual measures) and with regard to the latter purpose, Art. 6 para. 1 p. 1 lit. f GDPR, as we have a legitimate interest in the integrity of our website.
2. Duration of storage and erasure periods
All of the aforementioned data will be erased as soon as we have processed your request and further clarification is no longer necessary. Erasure shall take place subject to any obligations and rights pursuant to Section B.III.
3. Possibility of objection and removal
Once you have contacted us, you can withdraw your request and object to further processing of your data at any time. In addition, you may have the right to object in accordance with Art. 21 GDPR (cf. Section F.I.1).
V. Social Media
1. Use of social media plugins
We currently refrain from using any social plugins, such as those from Facebook, Twitter, Pinterest, etc. On our website, we only offer you the option of establishing a direct connection with our social media channels. This means that no personal data are passed on.
2. Transfer and allocation
If you are already logged in to one of these services, the providers can allocate your click from our website to your profile on Facebook, Twitter or Instagram. If you do not want these services to be able to make this allocation, you must log out of the corresponding service before visiting our website or clicking on our social media icon.
3. Possibility of objection and removal
By expressly accepting these DPR as part of the electronic order process or by validly applying the DPR after delivery in paper form to you as the ordering party, you acknowledge the use, purpose and operation of these tools and expressly agree to the use of such tools.
VI. Links to other websites
1. Exclusion of liability
Insofar as we refer or link from our websites to the websites of third parties, we cannot assume any guarantee or liability for the correctness or completeness of the contents and the data security of these websites. As a rule, such references or links are displayed by framing to ensure you can immediately recognise that you are no longer on our B2B platform.
2. Separate provisions under data protection law
1. Use of our webshops
In order to use the ordering function of our webshop, we need data to carry out the ordering process. Mandatory data are marked as such, further information is voluntary. We process the data you provide to process your order. In addition, you can use the payment method of your choice, which also requires data entry. This is legally based on Art. 6 para. 1 s. 1 lit. b GDPR.
As already communicated above, we are obliged by commercial and tax law to store your address, payment and order data for a period of ten years. However, we will restrict processing after approximately three years, i.e., after the expiry of any warranty and other rights. Your data will then only be used to comply with legal obligations.
If you are our contractual partner, we have provided the essential information regarding our data processing of your personal data as a controller in our GTC. Please note that in this context we also apply our General Information under section B for data processing in contracts. The following information is therefore only provided as a supplement to our General Terms and Conditions and to our General Information under Section B. If you have any further questions, please contact us using the contact details provided in Section B.I.1 or B.I.2.
I. Purpose and legal basis
The purpose of capturing the personal data obtained in the course of concluding and executing the contract is to enable us to fulfil our obligations under the contract. For example, we need your contact details to provide you with our services. This is legally based on Art. 6 para. 1 s. 1 lit. b GDPR. Data will only be passed on to third parties under the conditions set out in Sections B.IV and B.V. Categories of recipients in our contracts include payment service providers and logistics service providers. Failure to provide the data on your part may result in the contract not being concluded and/or executed.
Furthermore, we use the data to serve you as a customer and for statistical market and opinion research purposes. This is necessary to continuously improve our products and services and to adapt them to the needs of our customers. We only engage in direct advertising with your prior consent or if there is another corresponding legality under the Union law of the Member States.
The aforementioned data processing in the case of consent given is legally based on Section 6 para. 1 s. 1 lit. a GDPR, insofar as this is necessary for the fulfilment of the contract and the implementation of pre-contractual measures, Section 6 para. 1 s. 1 lit. b GDPR, in all other aforementioned cases Section 6 para. 1 s. 1 lit. f GDPR (safeguarding of legitimate interests), whereby our legitimate interest is the marketing and continuous improvement of our products and services and their adaptation to the needs of our clients.
II. Duration of storage and erasure periods
As a matter of principle, we only store personal data as long as this serves a legitimate purpose. If the purpose of processing no longer applies, we have taken technical and organisational measures to ensure that personal data are deleted or made unidentifiable or that processing is restricted.
We will only store data after the purpose of processing has ceased to apply if this is provided for by the European or national legislator in Union regulations, laws or other provisions to which our company is subject. Such cases may include the existence of legitimate interests in storage, such as during the course of limitation periods for the purpose of legal defence against any claims or, for example, the fulfilment of statutory retention obligations. If any further storage described above is no longer covered by the aforementioned standards, we will immediately erase the data or restrict their processing, unless any further storage of the data is necessary for the conclusion of a contract or for other purposes.
III. Possibility of objection and removal
In particular, you have the right to revoke your consent against the collection and further processing of data on the basis of consent (cf. Section F.II). Data processing necessary for the performance of the contract or the implementation of pre-contractual measures is not subject to any right of objection; however, you may object to data processing on the grounds of legitimate interest under the conditions set out in Section F.I.1.
With regard to our direct advertising, we refer to your right of revocation (in the case of granted consent) pursuant to Section F.II and to your right of objection pursuant to Section F.I.2.
Apart from that, you are entitled to data subject rights already mentioned under Section F.
F. Your rights as a data subject
If you are affected by our processing of your personal data, you may have the following rights:
I. Right to object (Art. 21 GDPR)
Regarding data processing for specific purposes, you have the right to object in accordance with Section 21 GDPR. For any objection, please contact us or our data protection officer at the contact details provided. You will not incur any additional costs other than the transmission costs in accordance with the base rates of your telecommunications provider. A right of objection exists in the following cases:
1. Processing for legitimate interest (Art. 6 para. 1 s. 1 lit. f, 21 para. 1 GDPR):
If personal data are processed for the purpose of safeguarding legitimate interests (Section 6 para. 1 s. 1 lit. f GDPR), you may object to the processing of your personal data at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising or defending legal claims.
2. Processing for direct marketing purposes (Art. 21 para. 2 GDPR, Section 7 para. 3 UWG [Unfair Competition Act]):
To the extent that we process data for direct marketing and/or related profiling purposes, you may object at any time to the processing of your personal data for such marketing and/or profiling purposes. If you object, we will refrain from any further processing of your data for direct marketing and/or profiling purposes.
3. Processing for the performance of a task carried out in the public interest or in the exercise of official authority (Section 6 para. 1 s. 1 lit. e, 21 para. 1 GDPR):
If personal data are processed for the performance of tasks in the public interest or for the exercise of official authority (Section 6 para. 1 s. 1 lit. e GDPR), you may object to the processing of your personal data at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising or defending legal claims.
4. Processing for scientific or historical research purposes or for statistical purposes (Art. 21 para. 6 GDPR):
If personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Section 89 para. 1 GDPR, you have the right to object, on grounds relating to your particular situation, to the processing of your personal data, unless the processing is necessary for the performance of a task carried out in the public interest.
II. Right of withdrawal after consenting (Section 7 para. 3 GDPR)
You can withdraw your consent once given at any time with effect for the future – in full or in part – without incurring any costs by contacting us using our contact details. The lawfulness of the processing of the data covered by the consent on the basis of the consent until withdrawal remains unaffected by the withdrawal.
III. Right of access (Art. 15 GDPR)
You have the right to request information about your personal data processed by us. This right of access comprises
You have the right to request a copy of your personal data processed by us. In this case, you will not incur any costs for the first data copy, but we will charge a reasonable fee for further data copies. If you exercise this right, we will generally provide the data copy in electronic form, unless otherwise specified. This provision is subject to the rights and freedoms of other persons who may be affected by the transmission of the data copy.
IV. Right to rectification (Art. 16 GDPR)
You have the right to ask us for the immediate rectification of your inaccurate data. Likewise, you may request that we complete your incomplete personal data by means of supplementary declarations or notifications from you.
V. Right to erasure (Art. 17 GDPR)
You have the right to ask us for the immediate erasure of your personal data stored with us, to the extent that
If we have made personal data public, we will also inform other controllers of your request for erasure, including the deletion of links, copies and/or replications, to the extent technically possible and reasonable.
The aforementioned rights to erasure of your personal data do not exist insofar as the processing is required
VI. Right to restriction of processing (Art. 18 GDPR)
You have the right to request us to restrict the processing of your personal data (i.e., to limit the processing to mere storage) if one of the following cases applies:
If we have restricted the processing of your personal data at your request, we may and will only process such data – apart from their storage – with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.
f a processing restriction is lifted, you will be informed of this in advance.
VII. Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format and you have the right to transfer these data to another controller without hindrance from us, provided that
Where technically feasible, you may also request us to transfer your personal data directly to another controller.
The exercise of the right to data portability does not affect the right to data erasure (Section 17 GDPR). However, the right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
You cannot exercise the right to data portability if it affects the rights and freedoms of other individuals.
VIII. Right to lodge a complaint (Art. 77 GDPR)
We always process personal data in accordance with the law. If you nevertheless have reason to believe that we have violated applicable data protection law, you may at any time contact the competent supervisory authority of the Union or the Member States and lodge a complaint. Competence lies with the supervisory authority of your usual place of residence, your place of work or the place of the alleged infringement.
© Georg Utz Holding AG