Privacy information for our website www.werbeschwamm.com

We take data protection seriously and hereby inform you about how we process your data and what claims and rights you have under data protection regulations. 1. Data controller and contact details 1.1 Data controller within the meaning of data protection law MAPA GmbH
Industriestraße 21-25
27404 Zeven

Tel. 04281-73-0
Fax 04281-73-269
Email info@mapa.de

1.2 Contact details of our company data protection officer:

HEC Harald Eul Consulting GmbH

Data protection officer of MAPA GmbH Auf der Höhe 34
50321 Brühl

Email: Datenschutz-MAPA@he-c.de

2. Purposes and legal basis on which we process your data

We process personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other applicable data protection regulations.

The specific data that is processed and how it is used depends largely on the content of the requested or agreed cooperation.

Further details or additions to the purposes of data processing can be found below or can be found in the respective contract documents, forms, a declaration of consent, and/or other information provided to you (e.g., in the context of using our website or our terms and conditions). 2.1 Purposes for the performance of a contract or pre-contractual measures
(Art. 6 (1) (b) GDPR)

Personal data is processed for the purpose of executing our contracts with you and fulfilling your orders, as well as for carrying out measures and activities within the framework of pre-contractual relationships, e.g. with interested parties. In particular, processing serves to deliver goods in accordance with your orders and wishes and includes the services, measures, and activities necessary for this purpose. This essentially includes contract-related communication with you, the verifiability of transactions, orders, and other agreements, as well as quality control through appropriate documentation, goodwill procedures, measures for the management and optimization of business processes, and the fulfillment of general duties of care, management, and control by affiliated companies (including our parent company Newell Brands Inc.); statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, billing and tax assessment of operational services, risk management, assertion of legal claims and defense in legal disputes; Ensuring IT security (including system and plausibility tests) and general security, including building and facility security, securing and exercising domiciliary rights (e.g., through access controls); Ensuring the integrity, authenticity, and availability of data, preventing and investigating criminal offenses; Control by supervisory bodies or control authorities (e.g., auditing).

2.2 Purposes within the scope of a legitimate interest of us or third parties
(Art. 6 (1) f GDPR)

Beyond the actual fulfillment of the contract or preliminary contract, we may process your data if it is necessary to protect our legitimate interests or those of third parties, in particular for the following purposes:

• Customer service, advertising, or market and opinion research, provided you have not objected to the use of your data;
• Obtaining information and exchanging data with credit agencies, insofar as this goes beyond our economic risk;
• reviewing and optimizing procedures for needs analysis;
• further developing services and products as well as existing systems and processes;
• disclosing personal data as part of due diligence in company sale negotiations;
• for comparison with European and international anti-terrorism lists, insofar as this goes beyond the legal obligations;
• the enrichment of our data, including through the use or research of publicly available data;
• statistical evaluations or market analysis;
• benchmarking;
• asserting legal claims and defending against legal disputes that are not directly related to the contractual relationship;
• restricted storage of data if deletion is not possible or only possible with disproportionate effort due to the special nature of the storage;
• the development of scoring systems or automated decision-making processes;
• the prevention and investigation of criminal offenses, unless exclusively for the fulfillment of legal requirements;
• building and facility security (e.g., through access controls and video surveillance), insofar as this goes beyond general duties of care;
• internal and external investigations, security checks;
• the possible monitoring or recording of telephone calls for quality control and training purposes;
• the obtaining and maintaining of certifications of a private or official nature;
• ensuring and exercising domiciliary rights through appropriate measures such as video surveillance to protect our customers and employees and to secure evidence in the event of criminal offenses and to prevent them.

2.3 Purposes within the scope of your consent
(Art. 6 (1) a GDPR)

Your personal data may also be processed for specific purposes (e.g., use of your email address for marketing purposes) based on your consent. As a rule, you can revoke this consent at any time. This also applies to the revocation of declarations of consent that were given to us before the GDPR came into force, i.e., before May 25, 2018. You will be informed separately in the corresponding consent text about the purposes and consequences of revoking or not giving consent. As a general rule, the revocation of consent only has effect for the future. Processing that took place before the revocation is not affected and remains lawful. 2.4 Purposes for fulfilling legal requirements (Art. 6 (1) c GDPR) or in the public interest (Art. 6 (1) e GDPR)

We are subject to a variety of legal obligations. These are primarily legal requirements (e.g., commercial and tax laws), but also, where applicable, regulatory or other official requirements (e.g., sanctions lists) . The purposes of processing may include identity and age verification, fraud and money laundering prevention, the prevention, combating, and investigation of terrorist financing and crimes that endanger assets, comparisons with European and international anti-terrorism lists, the fulfillment of tax control and reporting obligations, and the archiving of data for the purposes of data protection and data security, as well as audits by tax and other authorities. In addition, the disclosure of personal data may be necessary in the context of official/judicial measures for the purposes of gathering evidence, prosecuting crimes, or enforcing civil law claims.

3. The categories of data we process, insofar as we do not receive data directly from you, and their origin

To the extent necessary for the conduct of our business, we also process personal data that we have lawfully obtained from other companies or other third parties (e.g., credit agencies, address publishers). In addition, we process personal data that we have lawfully obtained, received, or acquired from publicly accessible sources (such as telephone directories, commercial and association registers, registration registers, debtor registers, land registers, the press, the Internet, and other media) and are permitted to process. Relevant categories of personal data may include, in particular:

• Personal data (name, date of birth, place of birth, nationality, marital status, occupation/industry, and similar data)
• Contact details (address, email address, telephone number, and similar data)
• Address data (registration data and comparable data)
• Payment/coverage confirmation for bank and credit cards
• Information about your financial situation (creditworthiness data including scoring, i.e., data for assessing economic risk)
• Your customer history
• Data about your use of the telemedia we offer (e.g., time of access to our websites, apps, or newsletters, pages/links clicked on our site, entries, and similar data)
• Video data

4. Recipients or categories of recipients of your data

Within our company, your data will be received by those internal departments or organizational units that need it to fulfill our contractual and legal obligations or in the context of processing and implementing our legitimate interests. Your data will only be passed on to external parties

• in connection with contract processing;
• for the purpose of complying with legal requirements according to which we are obliged to provide information, report or pass on data, or where the transfer of data is in the public interest (see section 2.4);
• if external service providers process data on our behalf as processors or function providers (e.g., external data centers, support/maintenance of EDP/IT applications, archiving, document processing, call center services, compliance services, controlling, data screening for anti-money laundering purposes, data validation or plausibility checks, data destruction, purchasing/procurement, customer management, letter shops, marketing, media technology, research, risk controlling, billing, telephony, website management, auditing services, credit institutions, printing companies or data disposal companies, courier services, logistics);
• based on our legitimate interest or the legitimate interest of the third party for the purposes specified in section 2.2 (e.g., to authorities, credit agencies, debt collection agencies, lawyers, courts, experts, group companies, committees, and supervisory bodies);
• if you have given us your consent to transfer your data to third parties.

We will not pass on your data to third parties beyond this. If we commission service providers within the scope of order processing, your data will be subject to the same security standards as ours. In all other cases, the recipients may only use the data for the purposes for which it was transmitted to them.

5. Duration of storage of your data

We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.

In addition, we are subject to various storage and documentation obligations, which arise from the German Commercial Code (HGB) and the German Fiscal Code (AO), among others. The periods specified there for storage and documentation are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship. Furthermore, special legal provisions may require a longer retention period, such as the preservation of evidence within the framework of the statutory limitation provisions. According to §§ 195 ff. of the German Civil Code (BGB), the regular limitation period is three years; however, limitation periods of up to 30 years may also apply.

If the data is no longer required for the fulfillment of contractual or legal obligations and rights, it will be deleted on a regular basis, unless its further processing for a limited period of time is necessary to fulfill the purposes listed in section 2.2 due to an overriding legitimate interest. Such an overriding legitimate interest interest also exists, for example, if deletion is not possible or only possible with disproportionate effort due to the special nature of the storage, and processing for other purposes is excluded by appropriate technical and organizational measures. 6. Processing of your data in a third country or by an international organization

Data is transferred to locations in countries outside the European Union (EU) or the European Economic Area (EEA) (so-called third countries) if this is necessary for the execution of an order/contract from or with you, it is required by law (e.g., tax reporting obligations), it is in the legitimate interest of us or a third party, or you have given us your consent.

In this context, your data may also be processed in a third country in connection with the involvement of service providers within the scope of order processing. If there is no decision by the EU Commission on an adequate level of data protection in the country concerned, we ensure that your rights and freedoms are adequately protected and guaranteed in accordance with EU data protection regulations by means of appropriate contracts. We will provide you with detailed information on request. Information on the appropriate or adequate safeguards and on the possibility of obtaining a copy of them can be requested from the company data protection officer. 7. Your data protection rights Under certain conditions, you can assert your data protection rights against us:

• You have the right to obtain information from us about your data stored by us in accordance with the provisions of Art. 15 GDPR (with restrictions under § 34 BDSG, if applicable).
• Upon your request, we will correct the data stored about you in accordance with Art. 16 GDPR if it is inaccurate or incorrect.
• If you wish, we will delete your data in accordance with the principles of Art. 17 GDPR, provided that other legal regulations (e.g., statutory retention obligations or the restrictions under § 35 BDSG) or an overriding interest on our part (e.g., to defend our rights and claims) do not prevent this.
• Taking into account the requirements of Art. 18 GDPR, you can request that we restrict the processing of your data.
• Furthermore, you can object to the processing of your data in accordance with Art. 21 GDPR, on the basis of which we must stop processing your data. However, this right of objection only applies in very special circumstances relating to your personal situation, whereby the rights of our company may conflict with your right of objection.
• You also have the right to receive your data in a structured, commonly used, and machine-readable format or to transfer it to a third party under the conditions of Art. 20 GDPR.
• In addition, you have the right to revoke your consent to the processing of personal data at any time with future effect (see section 2.3).
• You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). However, we recommend that you always address any complaints to our data protection officer first. Your requests to exercise your rights should, if possible, be sent in writing to the above address or directly to our company data protection officer.

8. Scope of your obligations to provide us with your data

You only need to provide us with data that is necessary for the establishment and execution of a business relationship or for a pre-contractual relationship with us, or that we are legally obliged to collect. Without this data, we will generally not be able to conclude or execute the contract. This may also apply to data required later in the course of the business relationship. If we request additional data from you, you will be informed separately that the provision of this data is voluntary.

9. Existence of automated decision-making in individual cases (including profiling)

We do not use purely automated decision-making procedures in accordance with Article 22 of the GDPR. If we do use such a procedure in individual cases in the future, we will inform you separately, provided this is required by law.

Under certain circumstances, we may process your data in part with the aim of evaluating certain personal aspects (profiling).

In order to provide you with targeted information and advice on products, we may use evaluation tools. These enable us to design products, communicate and advertise in line with your needs, including market and opinion research.

Such procedures may also be used to assess your creditworthiness and credit rating, as well as to combat money laundering and fraud. So-called “score values” may be used to assess your creditworthiness and credit rating. Scoring uses mathematical methods to calculate the probability that a customer will meet their payment obligations in accordance with the contract. Such score values thus support us, for example, in assessing creditworthiness and making decisions in the context of product sales, and are incorporated into our risk management. The calculation is based on mathematically and statistically recognized and proven methods and is based on your data, in particular your income, expenses, existing liabilities, occupation, employer, length of employment, experience from previous business relationships, contractual repayment of previous loans, and information from credit agencies. Information on nationality and special categories of personal data pursuant to Art. 9 GDPR are not processed in this context. Information about your right to object Art. 21 GDPR

1. You have the right to object at any time to the processing of your data on the basis of Art. 6 (1) f GDPR (data processing based on a balancing of interests) or Art. 6 (1) e GDPR (data processing in the public interest) if there are reasons for this arising from your particular situation. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims.
   
   
2. We may also process your personal data for direct marketing purposes. If you do not wish to receive advertising, you have the right to object to this at any time; this also applies to profiling insofar as it is related to such direct marketing. We will take this objection into account for the future.
   
   We will no longer process your data for direct marketing purposes if you object to processing for these purposes. The objection can be made informally and should be addressed to
   
   

MAPA GmbH
Data Protection Officer
Industriestraße 21-25
27404 Zeven

Our privacy policy and the information on data protection regarding our data processing in accordance with Articles (Art.) 13, 14, and 21 of the GDPR may change from time to time. We will publish all changes on the Internet at www.mapa.de