This privacy statement provides information on the type, scope and purpose of the processing of personal data (“data”) as part of our online offer and the associated websites, functions and contents as well as external online presences, such as our social media profiles (the “online offer”). With regard to the terms used, such as “processing” or “controller”, we refer to the definition in Art. 4 of the General Data Protection Regulation (GDPR).
Humbach GmbH & Co. KG
Im Brauke 13
57392 Schmallenberg, Germany
Phone: + 49 (0) 29 72 - 97 847 0
Fax: + 49 (0) 29 72 - 97 847 70
Legal form: Limited partnership
Registered office: Schmallenberg, Germany
Commercial register at the Arnsberg Local Court, HRA 7177
Personally liable partner: Humbach GmbH
Arnsberg Local Court, HRB 9710
Management: Peter Teppich, Dipl.-Ing. Stefan Cordes
- Stock data (e.g. name, addresses).
- Contact data (e.g. email, telephone numbers).
- Content data (e.g. text input, photographs, videos).
- Usage data (e.g. visited websites, interest in contents, access times).
- Metadata/communication data (e.g. device information, IP addresses).
Visitors and users of the online offer (in the following, the data subjects are also referred to as “users”).
- Provision of the online offer, its functions and contents.
- Response to contact enquiries and communication with users.
- Security measures.
- Reach measurement/marketing.
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is very general and includes practically any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
We are obliged to inform you of the legal basis of our data processing operations in accordance with Art. 13 GDPR. If the legal basis is not specified in the privacy statement, the following applies: The legal basis for obtaining consent is Art. 6 (1) lit. a and Art. 7 GDPR, the legal basis for processing to fulfil our services and perform contractual measures as well as to respond to enquiries is Art. 6 (1) lit. b GDPR, the legal basis for processing to comply with legal obligations is Art. 6 (1) lit. c GDPR and the legal basis for processing to safeguard our legitimate interests is Art. 6 (1) lit. f GDPR. In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Art. 6 (1) lit. d GDPR serves as the legal basis.
In accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the different probabilities of occurrence and severity of the risk for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The measures particularly include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as the associated access, input, transfer, assurance of availability and separation. We have also established procedures that ensure that the rights of third parties are taken into account, that data are erased and that threats to the data are responded to. Moreover, we already take the protection of personal data into account during the development and selection of hardware, software and processes based on the principle of data protection by design and by default (Art. 25 GDPR).
If we disclose data to other persons and companies as part of our data processing (processors or third parties), transfer data to them or otherwise allow them to access the data, this only takes place on the basis of a legal authorisation (e.g. if the transfer of the data to third parties, such as payment service providers, is necessary to perform the contract in accordance with Art. 6 (1) lit. b GDPR), you have provided your consent, this is permitted by law or based on our legitimate interests (e.g. when appointing representatives, web hosters, etc.).
If we assign third parties to process data based on a “processing contract”, this takes place based on Art. 28 GDPR.
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs as part of the use of third-party services or the disclosure or transfer of data to third parties, this only takes place if this is required to fulfil our (pre)contractual obligations, based on your consent, based on a legal obligation or based on our legitimate interests. Subject to statutory or contractual authorisations, we only process the data, or allow the data to be processed, in a third country if the specific requirements in Art. 44 et seq. GDPR are in place. That is to say, the processing, for example, takes place based on specific guarantees, such as the officially recognised confirmation of an EU-compliant data protection level (e.g. for the USA, the “Privacy Shield”) or in compliance with officially recognised special contractual obligations (“standard contract clauses”).
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed as well as the right to obtain information on this data as well as additional information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to request the completion of personal data concerning you or the correction of incorrect data concerning you.
In accordance with Art. 17 GDPR, you have the right to request the immediate erasure of the relevant data or, alternatively, in accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of the data.
In accordance with Art. 20 GDPR, you have the right to receive the data concerning you that you have provided to us and to request their transfer to other controllers.
Moreover, pursuant to Art. 77 GDPR, you have the right to submit a complaint to the responsible supervisory authority.
Pursuant to Art. 7 (3) GDPR, you have the right to withdraw consents that you have granted with effect for the future.
You can object to the future processing of data concerning you in accordance with Art. 21 GDPR. The objection may, in particular, take place for processing for direct marketing purposes.
“Cookies” are small files that are stored on users’ computers. Cookies may contain various information. A cookie is primarily used to save information on a user (or the device on which the cookie is saved) during or even after their visit to an online offer. Temporary cookies (“session cookies” or “transient cookies”) are cookies that are erased after a user exits the online offer and closes their browser. For example, this kind of cookie may save the contents of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are cookies that remain saved after the browser is closed. For example, this allows a login status to be saved, if users visit the online offer after several days. Likewise, this cookie may also save a user’s interests, which are used for reach measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the controller who operates the online offer (otherwise, controller cookies are referred to as “first-party cookies”).
We may use temporary and permanent cookies and therefore provide an associated clarification in our privacy statement.
If users do not want cookies to be saved on their computer, we ask that they disable the corresponding option in their browser’s system settings. Saved cookies can be erased in the browser’s system settings. The exclusion of cookies may restrict the function of this online offer.
The data that we process are erased, or their processing is restricted, in accordance with Art. 17 and Art. 18 GDPR. Unless expressly indicated in this privacy statement, the data that we save are deleted as soon as they are no longer required for their intended purpose and the erasure does not infringe upon any statutory retention obligations. If the data are not deleted because they are required for other lawful purposes, their processing is restricted, i.e. the data are blocked and not processed for other purposes. For example, this applies to data that need to be stored for business or tax reasons.
In accordance with the statutory requirements in Germany, storage is required, in particular, for 10 years pursuant to Sections 147 (1) AO (German Revenue Code), 257 (1) no. 1 and 4 and (4) HGB (German Commercial Code) (accounts, records, management reports, accounting documents, trading books, documents relevant for tax purposes, etc.) and for 6 years pursuant to Section 257 (1) no. 2 and 3 and (4) HGB (commercial papers).
In accordance with the statutory requirements in Austria, storage is required, in particular, for 7 years pursuant to Section 132 (1) BAO (Austrian Federal Revenue Code) (accounting documents, receipts/invoices, accounts, documents, business papers, statement of revenue and expenditure, etc.), for 22 years in connection with properties and for 10 years for documents in connection with electronic services, telecommunication, radio and television services, which are supplied to private individuals in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.
We also process
- contract data (e.g. subject matter of the contract, term, customer category),
- payment data (e.g. bank details, payment history)
of our customers, interested parties and business partners for the purpose of providing contractual services, customer support, marketing, advertising and market research.
We process the data of our contract partners and interested parties as well as other clients or customers (“contract partners”) in accordance with Art. 6 (1) lit. b GDPR in order to be able to provide our contractual or pre-contractual services to the contract partner. The data processed as a result, the nature, scope and purpose as well as the necessity of processing are determined by the underlying contractual relationship.
The processed data include the master data of our contract partners (e.g. name and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services utilised, contents of the contract, contractual communication, names of contact persons) and payment data (e.g. bank accounts, payment history).
We fundamentally do not process special categories of personal data, unless these are part of a commissioned or contractual processing.
We process data, which are required to establish and fulfil the contractual services, and indicate the necessity of providing these data, if this is not evident to the contract partner. The data are only disclosed to external persons or companies if this is necessary within the scope of the contract. When processing the data transferred to us as part of an order, we act in accordance with the client’s instructions as well as the statutory provisions.
As part of the use of our online services, we can save the IP address and time of the relevant user activity. This information is saved based on our legitimate interests as well as the interests of the user in the protection against misuse and other unauthorised use. These data are fundamentally not forwarded to third parties, unless this is required to pursue our claims pursuant to Art. 6 (1) lit. f GDPR or a statutory obligation pursuant to Art. 6 (1) lit. c GDPR exists.
The data are erased, if the data are no longer required to fulfil contractual or statutory duties of care as well as for dealing with any warranty and similar obligations, whereby the necessity of the storage of the data is reviewed every three years; the statutory storage obligations apply in all other respects.
We process data within the scope of administration tasks as well as the organisation of our operation, accounting and compliance with statutory obligations, such as archiving. In this case, we process the same data that we process within the scope of the provision of our contractual services. The processing is based on Art. 6 (1) lit. c GDPR and Art. 6 (1) lit. f GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose and our interest in the processing lies in administration, accounting, office organisation and the archiving of data, i.e. tasks that serve to maintain our business activities, perform our tasks and provide our services. The erasure of the data with regard to contractual services and the contractual communication corresponds to the information provided for these processing activities.
We disclose or transfer data to the tax office, consultants, such as accountants or auditors, as well as other billing offices and payment services providers.
Moreover, we save information on suppliers, event organisers and other business partners, e.g. for the purpose of subsequent contact, based on our business interests. This predominantly company-related data is essentially stored permanently.
When establishing contact with us (e.g. via contact form, email, telephone or social media), the user’s details are processed to respond to the contact request and its processing pursuant to Art. 6 (1) lit. b (within the scope of contractual/precontractual relationships) and Art. 6 (1) lit. f (other enquiries) GDPR. The user information may be saved in a customer relationship management system (“CRM system”) or similar enquiry system.
We erase enquiries provided that they are no longer necessary. We check the necessity every two years; the statutory archiving obligations also apply.
The hosting services that we use are intended to provide the following services: Infrastructure and platform services, computing capacity, memory and database services, email dispatch, security services as well as technical maintenance services, which we use to operate this online offer.
To provide these services, we or our hosting provider processes stock data, contact data, content data, contract data, usage data, metadata and communication data of customers, interested parties and visitors to this online offer based on our legitimate interests in the efficient and secure provision of this online offer pursuant to Art. 6 (1) lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a processing contract).
We or our hosting provider collects data on every access to the server on which this service is located (server log files) based on our legitimate interests within the meaning of Art. 6 (1) lit. f GDPR. The access data include the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited site), IP address and the requesting provider.
Log file information is stored for a maximum of 7 days for security reasons (e.g. to clarify misuse or fraud) and is subsequently erased. Data whose continued storage is necessary for evidentiary purposes are excepted from erasure until the final clarification of the specific incident.
We use the content or service offers of third parties within the scope of our online offer based on our legitimate interests (i.e. interest in the analysis, optimisation and efficient operation of our online offer within the meaning of Art. 6 (1) lit. f GDPR) in order to integrate their contents and services, such as videos or fonts (“contents”).
This always requires third-party providers of these contents to use the user’s IP address, as they could not send the contents to the browser without the IP address. The IP address is therefore necessary to present these contents. We endeavour to exclusively use contents whose relevant providers only use the IP address to deliver the contents. Moreover, third-party providers can use pixel tags (invisible graphics, also referred to as “web beacons”) for statistical marketing purposes. “Pixel tags” allow information, such as the visitor traffic on this website, to be evaluated. Moreover, the pseudonymous information can be saved in cookies on the user’s device and may also contain technical information on the browser and operating system, referrer websites, the time of visit and other information on the use of our online offer and may also be combined with such information from other sources.
We use the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
We use the maps provided by the “Google Maps” service of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may particularly include IP addresses and data on the user’s location; however, this cannot be collected without the user’s consent (generally as part of the settings on their mobile devices). The data may be processed in the USA. Privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.