If you wish to make use of special services of our company via our website or the apps or if you order something via our eShop, the processing of personal data may become necessary. If the processing of personal data is necessary and there is no legal basis for such processing (for example, the implementation of a contractual agreement), we will ask for your consent.
This Privacy Statement (as of March 2020) contains information about the data we collect from you, how we use it and how you can object to the use of this data.
Who is responsible for data collection and processing?
Heidelberger Druckmaschinen AG welcomes your visit to our web pages and app and your interest in our products. Please note that this Privacy Statement no longer applies if you follow links to third-party sites or register in areas controlled by other data controllers.
The data controller with respect to this website or app is:
Heidelberger Druckmaschinen AG
Tel.: +49 (0)6221 92 00
Our data protection officer can be contacted at:
Heidelberger Druckmaschinen AG
Data Protection Officer
Why do we process your data (processing purpose) and what is the legal basis for this?
In the following, we will give you a general overview of the processing purposes and legal bases in the context of our web pages and app. We have collected more detailed information for you below, sorted by the tools used.
For technical reasons, certain data must be collected and stored when you visit our web pages, such as the date and duration of your visit, the web pages used, the identification data of the type of browser and operating system used and the website from which you are visiting us.
In order to fulfill a contract, we require certain personal data from you. This data is required to make bookings in the eShop, process payments, carry out credit checks, deliver to the specified address (if items are to be shipped) and, where appropriate, to process cancellations or refunds.
In this case, the contract is the legal basis for the processing of your personal data in accordance with Art. 6 para. 1 lit. b of the General Data Protection Regulation (GDPR). Art. 6 para. 1 lit. b GDPR also applies in respect of processing operations that are necessary for carrying out pre-contractual measures, for example in the event of inquiries regarding our products or services.
If we obtain your consent for the processing of personal data (for example, if you sign up for the newsletter or use the “stay signed in” option), this serves as the legal basis in accordance with Art. 6 para. 1 lit. a GDPR.
If our company is subject to a legal obligation rendering the processing of personal data necessary, for example in order to meet tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR.
In order to constantly improve the services we offer you, we store and analyze usage data from the online area on a pseudonymized basis. The legal basis for this is our legitimate interest in the optimization of our web pages and apps, and in the effective design of our advertising in accordance with Art. 6 para. 1 lit. f GDPR.
Only applies to existing customers: We are also interested in maintaining our customer relationship with you and in providing you with information and offerings that we believe match your interests. We therefore process your data on the basis of Art. 6 para. 1 lit. f GDPR (also with the help of service providers) in order to send you information and offerings. We use your contact data (name and e-mail address that we have received from our business relationship with you) for advertising by post and for market research, unless you object to such use.
On what legal grounds are cookies used and are there options for opting out?
The cookies can be categorized as follows:
- Essential cookies: These technologies are required to activate the core functionality of the website and to achieve the objective of the website. These cookies are necessary for technical reasons so that you can visit our website and use the respective functions. The legal basis of the processing for the above-mentioned purposes is your and our legitimate interest in providing you with a functioning website and relevant content in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
- Functional cookies: Functional cookies are used to operate the site and enable convenient handling as part of the user experience. The legal basis of the processing for the above-mentioned purposes is your and our legitimate interest in facilitating a convenient user experience in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR.
- Marketing cookies: Marketing, analysis and targeting cookies are typically used to improve the service on our web pages or to show you advertisements that match your interests. The legal basis for this is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
If additional legal bases exist, these are indicated under the respective service.
Cookies are small text files that are automatically created by your browser and stored on your terminal device (laptop, tablet, smartphone, etc.) when you visit our website. Information in connection with the specific terminal device used is stored in the cookie; however, this does not mean that we can obtain direct knowledge of your identity as a result.
To whom will your data be passed on?
Internal transfer of personal data:
Heidelberg’s internal IT departments and the selected service providers engaged by them can access user data insofar as this is necessary in the course of fulfilling their tasks.
Orders for information material via the app or our contact form are handed over to Heidelberg’s marketing team or sales team as part of lead management.
Transfers to third parties:
Personal data is usually transferred to third parties in the context of our web pages and apps if their services are deliberately used or accessed by the user.
More detailed, additional or different information, such as further recipients or the transfer to third countries, can be found below under the details of the respective service.
How long will your data be stored?
Personal data that we process on the basis of consent will be processed by us for as long as the wording of the consent allows or until the consent of the data subject is revoked. We store tax-relevant personal data for ten years, pursuant to the first sentence of Section 147 para. 3 of the German Fiscal Code (AO), the first half sentence of Section 257 para. 4 of the German Commercial Code (HGB) in conjunction with Section 257 para. 1 nos. 1 and 4 HGB, and sentences 1 and 2 of Section 14b para. 1 of the German VAT Act (UStG). We store personal data on user accounts/master data, for push notifications, and for the allocation of performance data on the basis of our legitimate interest in defending or asserting legal claims up to their limitation period for three years from the end of the year in which the processing was carried out, pursuant to Art. 6 para. 1 lit. f GDPR and Sections 280 para. 1, 195, and 199 para. 1 of the German Civil Code (BGB).
Due to our legitimate interest in security and troubleshooting, we store personal communication data and protocols for a maximum of seven days from the end of processing, pursuant to Art. 6 para. 1 lit. f GDPR.
We store personal analysis and statistical data, such as Google Analytics data relating to user behavior, only for as long as this is necessary in order to create the anonymized data records. This corresponds to a deletion within a very short time.
We may also store your data for a longer period of time if necessary, for example to assert or defend legal claims, solve technical problems, or analyze security incidents.
What rights do data subjects have?
We do not carry out profiling or automated decision making in the normal course of business. We expressly refer to exceptions under the respective headings below.
You have various rights under the GDPR as a user of our app: In accordance with Art. 15 GDPR, you can request information about the personal data relating to you that we process. When requesting this information, you should outline your concern more precisely in order to make it easier for us to compile the necessary data.
If the legal requirements of Art. 15 para. 3 or Art. 20 GDPR are met, you have the right to receive a copy of your data or to have your data transferred to you.
If the information concerning you is not (or no longer) correct, you can request a correction in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed. You can request the deletion of your personal data under the provisions of Art. 17 GDPR.
Within the framework of the provisions of Art. 18 GDPR, you have the right to request that the processing of data concerning you be restricted.
Where data is processed on the basis of legitimate interests, you have the right under Art. 21 GDPR to object at any time to the processing of data concerning you for reasons arising from your particular situation. You may object to the processing of your personal data on the basis of legitimate interests for direct marketing purposes at any time without giving reasons.
You can revoke your consent at any time with future effect.
You may assert these rights against Heidelberger Druckmaschinen AG free of charge via the e-mail address or postal address stated above.
Please feel free to contact us first before you make use of your right to lodge a complaint with the data protection supervisory authorities. Our competent data protection supervisory authority is: “The State Commissioner for Data Protection and Freedom of Information” in Baden-Württemberg.
Further information on data processing when using various services can be found here:
Event and product information
The Heidelberg Group may make the following personal data available to you on web pages or in the app:
- Personal data about speakers, presenters at trade fairs and events (e.g. date of the event, duration of the speech, content of the speech, name of the speaker, brief profile of the speaker). Speakers can be external persons or employees of the Heidelberg Group.
- Personal data on contact persons and experts at trade fairs and events (such as people’s names, their position at Heidelberg, information on special expertise, business contact details, etc.).
We receive this data on a voluntary basis directly from the people concerned and use it for advertising or information purposes only after express consent and approval has been given. The legal basis for processing this data (information on speakers and contacts) is the consent of the data subjects pursuant to Art. 6 para. 1 lit. a GDPR.
Use of the Heidelberg Assistant and the app
If you register to use the Heidelberg Assistant, you will be asked to provide the following information: last name, first name, e-mail address, country, and customer affiliation. Providing the information is voluntary. If you provide us with this information, we will use it to identify users and to make personal and individual content of the app visible.
If users receive a voucher from us, these vouchers will be assigned to user e-mail addresses and displayed within the app, provided that the user logs into the app with this e-mail address. We receive the e-mail address via the registration; the vouchers are allocated by HDM AG and its Sales and Service Center.
When you set up the app, you will be asked if the app is allowed to send you notifications. If you agree, we will use push notifications to send you alerts about the app, as well as marketing messages. The service then sends the registration ID (Android) or the token (iOS) to the registered device. The app sends the ID or token to the server, where it is stored in a database. If a push notification is to be sent, the server sends the desired message with registration ID/token to the platform’s push service, which forwards the push notification to the respective devices.
You can suspend receipt of push notifications when not using the app by explicitly logging out of the app.
You can revoke your consent to receive push notifications via the operating system as follows:
- Android/Settings/Applications/Applications Manager//Notifications
When you use our app, the data that is sent by your browser during usage and that is required to use our services is automatically recorded. This data includes the IP address, installation ID, operating system, platform (iOS, Android, Windows), and the date and time of use of our services. Every time our app is used or a file stored in the app is retrieved, this action is logged.
The following is logged: name of the retrieved file, date and time of retrieval, amount of data transferred, notification of successful retrieval, app ID and requesting domain. The IP addresses of the requesting devices are also logged. Access is registered for reasons of data security, to ensure the stability and operational reliability of our system and to protect against possible external attacks. In addition, the data is statistically evaluated to optimize the services we offer. It is not possible to trace which contents you have accessed or which files you have retrieved on the basis of the logged data. The temporary collection of the data is necessary in order to enable the delivery of the content to the terminal devices and to guarantee its reproduction. This data is not merged with other data sources.
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. For the storage of data in log files, this is the case after seven days at the latest. It is possible that the data may additionally be stored with our technical service providers for statistical purposes, inter alia. In this case, the IP address will be deleted or masked so that the calling device can no longer be assigned.
The collection of data for the provision of the app and its storage is absolutely necessary for the operation of the service, so that there is no option for the user to object. The legal basis for the processing of user account/master data and the assignment of performance data and communication data is the fulfillment of our contract with you for the provision of the Heidelberg Assistant and your content in accordance with Art. 6 para. 1 lit. b GDPR.
The legal basis for the processing of push notifications, and for information and marketing purposes, is our legitimate interest in providing users with relevant information about the Heidelberg Group in accordance with Art. 6 para. 1 lit. f GDPR.
In addition, we use the Google Firebase service for our app to analyze and categorize user groups, and to send push notifications. You can find more information here, at Google, or directly in our app.
If you contact us via a contact form, Heidelberger Druckmaschinen AG will process your first name, last name, job title, company and number of employees, and your contact details (telephone number and e-mail address), the content of the message and, on a voluntary basis, the customer number provided. The processing of the data is carried out to deal with your request and is necessary in order to handle the request. Contact details are processed in order to respond to queries and communicate on the matter. If you are assigned to an advisor, the data will be passed on to the advisor (acting as a self-employed commercial agent) and the advisor’s employees for processing.
Processing for the purpose of initiating and implementing contracts is based on Art. 6 para. 1 lit. b GDPR. The legal basis for the processing otherwise depends on your specific request.
You will find more detailed information on data protection in the context of the respective communication objectives and partners.
Further information on data protection is provided in the context of the application procedure.
Social Media and Facebook
This website uses social plug-ins from Facebook, LinkedIn, Xing, Google and YouTube. These are offerings from the US companies Facebook and Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”)).
We are responsible for the transmitted data together with Facebook under data protection law, but this is limited to the transmission of your communication data from our web pages to Facebook.
When you visit a page containing a plug-in of this type, your browser will connect to Facebook or Google and the content will be loaded from these pages. Your visit to this website may be tracked by Facebook and Google, even if you do not actively use the social plug-in function. If you have an account with Facebook or Google, you can use a social plug-in of this type and share information with your friends. Heidelberger Druckmaschinen AG has no influence on the content of the plug-ins and the transmission of information.
Facebook and Google provide detailed information on the scope, type, purpose and further processing of your data on their websites, where you will also find further information on your rights and setting options to protect your privacy.
Our website contains links to our Facebook fan page. If you follow these links, you will leave the website or app of the Heidelberg Group, where the Heidelberg Group is the sole data controller, and switch to a Facebook fan page where the Heidelberg Group shares the role of data controller with Facebook.
The legal basis for this processing by Heidelberg is our legitimate interest in advertising our company and its services in accordance with Art. 6 para. 1 lit. f GDPR.
This website also includes plug-ins from the social network Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA (“Instagram”). You can recognize the Instagram plug-in by the Instagram button on our site.
Our website uses features of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.
Every time you access one of our pages containing LinkedIn features, a connection to LinkedIn’s servers is established. LinkedIn is informed that you have visited our web pages with your IP address. When you click on the LinkedIn button and are logged into your LinkedIn account, LinkedIn is able to associate your visit to our site with you and your account. Please note that, as provider of the web pages, we have no knowledge of the content of the data transmitted or of its use by LinkedIn.
The LinkedIn plug-in is used on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in achieving the widest possible degree of visibility on social media.
Our website uses features of the XING network. The provider is XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany.
Every time you access one of our pages containing XING features, a connection to XING’s servers is established. No personal data is stored in the process, to our knowledge. In particular, no IP addresses are stored or usage behavior evaluated.
The XING plug-in is used on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in achieving the widest possible degree of visibility on social media.
The following services fall under the category “essential cookies”:
Consent management platform
We use a consent management platform. The service lets you decide which of the various services available on our web pages (associated with personal data processing) you wish to use only on the basis of consent. It also allows us to document your consent to the data processing and to provide the legally required proof of this. Your declaration applies to all our web pages and apps.
The following data is processed:
- Date and time of your visit
- Device information
- Browser information
- Anonymized IP address
- Opt-in and opt-out data
The legal basis of the processing is Art. 6 para. 1 lit. f GDPR in conjunction with Art. 7 para. 1 GDPR.
Regarding data retention: All information is stored for three years from the end of processing. The legal basis for this is our obligation to document the fulfillment of the data protection requirements according to Art. 6 para. 1 lit. c GDPR in conjunction with Art. 5 para. 2 and Art. 24 GDPR, combined with our legitimate interest in proving compliance under Art. 6 para. 1 lit. f GDPR in conjunction with Section 41 of the German Federal Data Protection Act (BDSG), and with Section 41 para. 2 no. 1 of the German Administrative Offenses Act (OWiG). The platform is operated by our commissioned processor, Usercentrics GmbH, Sonnenstrasse 23, 80331 Munich, Germany.
You can find more information about data protection at Usercentrics here.
ClickDimensions and newsletters
If you download images or click on a link in a Heidelberger Druckmaschinen AG newsletter or in one of our other marketing e-mails, this is automatically logged by ClickDimensions via an e-mail tracking service. The usage information generated will be stored on our server in Germany and used for statistical usage analysis. The results help us to measure the success and reach of our newsletters, as well as to continuously improve the content of our newsletters and make the information offered on our web pages more interesting for you.
ClickDimensions never stores information in the LSO section of your computer, i.e. we never use ‘flash cookies’ (local shared objects, LSO for short). ClickDimensions does not use any visitor identification technology that involves sharing information that you provide with other websites.
- IP address
- Browser information
- Usage data
- Date and time of your visit
- Pages viewed
- Device information
- Demographic information
The legal basis for the processing of users’ personal data is Art. 6 para. 1 lit. f GDPR: our legitimate interest in measuring the reach of our newsletters and their target group-specific optimization, as well as the target group-specific optimization of our website content.
If you do not agree with the storage and analysis of this data, you can unsubscribe from the respective newsletter or, by clicking on the following link, from the marketing e-mails: click here.
Google Tag Manager
We use Google Tag Manager. The provider of the Google Tag Manager component is Alphabet Inc. This service enables website tags to be managed via an API. Google Tag Manager only implements tags. This means that cookies are not used and no personal data is collected. Google Tag Manager triggers other tags that can be used to collect data; however, Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this will remain in place for all tracking tags implemented with Google Tag Manager.
Zoovu (only in Pantone Manager)
This is a conversation search platform and a configurator. We use Zoovu for our PANTONE® Manager, where customers can search for a color that meets their requirements.
The following data is processed by Zoovu:
- Clicked answer (selected color)
- Customer ID
- User identification
- Time stamp
- IP address
- Usage and behavioral data (such as retrieving a color or using the search function)
- Events (like buying or retrieving a color)
To opt out of the data processing, click here. We would like to point out that the functions of our eShop may be limited as a result.
The information required for the selected action is transmitted on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR for the purpose of advertising products and offers from Heidelberger Druckmaschinen AG.
Podigee (only for podcasts)
To provide you with podcasts, we use the podcast hosting service of our commissioned processor Podigee UG, Am Walde 2, 56249 Herschbach, Germany. The podcasts are loaded by Podigee or transmitted via Podigee, so when you access a podcast integrated in our web pages, data is transmitted to our service provider.
The use is based on our legitimate interests, i.e. our interest in the secure and efficient provision, analysis and optimization of our range of podcasts in accordance with Art. 6 para. 1 lit. f GDPR.
Podigee processes IP addresses and device information to enable podcasts to be downloaded/played and to determine statistical data, such as download numbers. This data is anonymized or pseudonymized before being stored in Podigee’s database unless it is required for the provision of the podcasts. Data that is required for provision of the podcasts will be deleted no later than seven days after this provision if it is not required for billing purposes (see above under “How long will your data be stored?”).
Investis (display of share prices)
We have integrated Quartal Flife components on this website. Quartal Flife is a plug-in that enables share prices to be displayed on our website. Quartal Flife’s operating company is Investis Limited, 24 Fashion Street, London E1 6PX, England (“Investis”). The purpose of integrating this tool is our legitimate interest in being able to present our company’s stock market data on our website.
Each time you access an individual page with an integrated Quartal Flife component, the Internet browser on your computer is automatically prompted to download a depiction of the corresponding component from Investis. As part of this technical procedure, Investis obtains knowledge about which specific page of our website you are visiting.
- Website visitor
This service (e.g. for contact forms, and newsletter registrations) is used for purposes of identification and to prevent the services provided from being misused by machines. “Captchas” are generated and verified on application servers from Heidelberger Druckmaschinen AG. No data is transmitted to third parties in the process.
- IP address
- Click path
- Time spent on the site
- Website visitor behavior
- Browser language
- User input
- Browser plug-ins
Click here to opt out on all the processing company’s domains.
To optimize the loading times of our website and our online eShop application, we use a so-called content delivery network (CDN) offered by Akamai Technologies, Inc., 150 Broadway, Cambridge, MA 02142, USA.
Akamai is a content delivery and cloud infrastructure service provider that coordinates and optimizes the load balancing of web content for online applications. We use Akamai services to speed up our websites so that they can provide an acceptable response time worldwide.
The legal basis for the processing of users’ personal data is our legitimate interest in providing an online presence that can be used worldwide without restriction in accordance with Art. 6 para. 1 lit. f GDPR.
- IP address
- Browser information
- Operating system
- Pages visited
- Date and time of your visit
The following service falls under the category “functional cookies”:
We use a plug-in from the New Relic web analysis service on this website. It enables us to record statistical evaluations of the speed of the website, to determine whether the website can be accessed, and how quickly the respective page is displayed when accessed. This service is operated by New Relic Inc. (188 Spear Street, Suite 1200, San Francisco, CA 94105, USA; “New Relic”).
Through the integration of the plug-in, New Relic is informed that a user has accessed the corresponding page of our website. If the user is logged in at New Relic, New Relic can assign the visit to the user’s New Relic account. If a user is not a member of New Relic, New Relic nevertheless saves the user’s IP address.
The legal basis for the processing of personal data is our legitimate interest in the evaluation of the availability and speed of our website in accordance with Art. 6 para. 1 lit. f GDPR. Heidelberg does not receive any personal data from New Relic, but only anonymous, statistical evaluations.
If you are a member of New Relic and do not want New Relic to collect data about you through this website and link it with your membership data stored at New Relic, you should log out of New Relic before visiting the website.
The following services fall under the category “marketing cookies”:
The purpose of using Matomo is to improve the quality of our website and its contents. It tells us how the website is used and in this way enables us to constantly optimize the service that we offer.
- Time of users’ previous visit
- Screen resolution
- Files clicked or downloaded
- Links clicked leading outside the domain
- IP address
- Page speed
- Page URL
- Browser information
- Device information
You can opt out of this data processing via the following link: Opt-out.
You will also find the e-mail address of the processing company’s data protection officer below. E-mail: Privacy@matomo.org
- Browser type/version
- Operating system used
- Referrer URL (the web page that directed you to our website)
- Host name of the accessing terminal device (IP address, advertising ID)
- Time of the server request
Google Analytics is only used by us in conjunction with activated IP anonymization (IP masking). This means that users’ IP addresses are truncated by Google for users within member states of the European Union or other states party to the agreement on the European Economic Area. Only in exceptional cases (e.g. in the event of a technical defect in the European Union) is the IP address sent to a US server and truncated there.
The IP address anonymization method used by Google does not write IP addresses to a disk, as anonymization takes place in the main memory immediately after the request is received. We do not receive any personal data from Google, only anonymized statistics.
Transfer to third countries (outside the EU and the EEA): Google receives personal data in the course of analyzing user behavior on the basis of your consent and processes this data worldwide if necessary for the provision of the services:
Google Ireland Limited
Gordon House, Barrow Street
Tel: +353 1 543 1000
Fax: +353 1 686 5660
We store the data on pseudonymized profiles that cannot be associated with any individual person for a period of 26 months to prevent cases of abuse and to optimize our web pages. This data is automatically deleted after 26 months. Move your mouse over here to opt out on all domains of the processing company or to download the browser add-on to deactivate Google Analytics.
Google Analytics Advertising Feature
With your consent under Art. 6 para. 1 lit. a GDPR, we use Google Analytics advertising features on our web pages. This enables us to display personal offers to you, including outside the websites hosted by Heidelberger Druckmaschinen AG.
- Pages visited
- IP address
- Duration of the visit
- Other information on the use of websites
- Content in which users are interested
By linking your anonymous usage data collected through Google’s DoubleClick Advertising Network, we can analyze the demographic composition of our website visitors and impact on our users’ interests. This helps us to present you with better and above all more relevant advertising.
You can revoke your consent at any time with future effect: More information and opt-out.