Data Privacy

Data Privacy Statement

Information about handling your data on our website

Version: 2020-01-13


Preliminary note

We appreciate you choosing to visit our website and showing interest in our company.

Data protection is very important to us. We have taken technical and organizational measures to ensure that we and external service providers comply with legal requirements concerning your data.

In the following, we will inform you about what data we collect from you while you visit our website, how it is processed and used, what you can do to obtain information about your data we have stored, how you may prevent the collection and use of your data, and who to contact if you have any questions about data privacy.

Personal data handling, see point 1, is largely governed in the framework of the General Data Protection Regulation (GDPR), see in particular Articles 12 to 22 and 34 GDPR.

The text of the General Data Protection Regulation can be found at, also please see our note regarding links to other websites under point 5.


1 Explanation: Personal data

Personal data are all information that relates to an identified or identifiable person. A person is identifiable if he/she can be identified directly or indirectly. This can be done, for example, by association with an identifier, e.g. a name, an identification number, location data, an online identifier or one or more special features.


2 Responsible party, authority and data protection officer


2.1 Responsible party for data processing

The responsible party for data processing belongs to

b+m surface systems GmbH
Meininger Weg 10, 36132 Eiterfeld, Germany
Telephone: +49 6672 92920

Authorized Managing Director: Sebastian Merz
Registry court and registration number: Fulda district court, HRB 3358


2.2 Responsible authority

The responsible data protection supervisory authority for the control and compliance with data protection law is

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (The Hessian Commissioner for Data Protection and Freedom of Information)
Postfach 3163, 65021 Wiesbaden, Germany
Telephone: +49 611 14080


2.3 Data protection officer

The data protection officer for our company is

Thorsten Bock
Ludwig-Erhard-Strasse 2, 36088 Huenfeld, Germany
Telephone: +49 6652 96976100


3 Data collection and processing as well as legal basis

When you access and use our website, you provide data directly and/or indirectly to us that we process in different ways in order to:

  • provide you with our website content,
    legal basis: Art. 6 para. 1 S. 1 GDPR, contract initiation;
  • optimize our website,
    legal basis: Art. 6 para. 1 S. 1 lit. f GDPR, legitimate interest;
  • be able to get in touch with you (e.g. contact form, callback form),
    legal basis: Art. 6 para. 1 S. 1 lit. a GDPR, consent.

As part of the processing, your data may be transmitted to:

  • people within our company who are directly involved in data processing,
  • service providers who are contractually bound and are required to maintain secrecy and undertake some of the data processing tasks, or
  • other external companies where necessary, e.g. postal service.


3.1 Saving and storage periods

We store your data for however long we need it to accomplish the purposes outlined under point 3. However, there are legal provisions, e.g. tax code § 147, that require us to keep certain documents for six to ten years. After expiration of the retention period, we delete data that are no longer needed.


3.2 Technically necessary data

Your browser provides the following data to make it technically possible for you to visit our website:

  • IP address
  • Date and time of request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Requested website or file
  • Access status/status code
  • Amount of transmitted data
  • Referrer (URL of the referring website)
  • Identification data of the browser used
  • Identification data of the operating system used


3.3 Cookies


3.3.1 General

Cookies are data records that transmit to the website operator or to third parties certain information, which, for example, makes it possible to identify the website visitor during subsequent visits or to make the website more effective and user-friendly overall.

Depending on the browser used, you can adjust settings to allow or restrict cookies, or to delete cookies that have already been set. The help menu or support website of each browser will describe how to change these settings.


3.3.2 Usage on our website

We only use the following technically necessary cookie on our website:

Name: bm_mobile_view
Type: Persistent cookie, i.e. temporary use
Duration: 1 day from setting/updating


3.4 JavaScript/jQuery

To ensure full functionality and optimal performance on our website, we use JavaScript technology (jQuery), which is stored locally on our web server and downloaded from there. Since this technology is widely used by many websites, it is very likely that you have already downloaded jQuery when visiting other websites. In this case, your browser uses the copy stored in the browser cache and does not need to download the data again.

You can disable JavaScript in your browser and/or use a script blocker, such as


3.5 Contact details

If you contact us, e.g. via contact form or e-mail, your information in the message, including the contact details you provided for us to process your requests and follow up with you, are stored with us. We will not share this information without your consent.

The data entered in the message are thus processed exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke this consent at any time. An informal message via e-mail to us is sufficient to do this. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

The data you enter in the message will remain with us until you ask us to delete it, revoke your consent to storage, or the purpose for the data storage no longer applies, e.g. after completing your request. This does not affect mandatory legal provisions, e.g. retention periods.

Depending on the background/purpose of contacting, further legal bases for data processing can include, among others, our legitimate interest in answering your request (Art. 6 para. 1 lit. f) and/or concluding or fulfilling a contract (Art. 6 para. 1 lit. b GDPR).


3.6 Transferring data to countries outside the European Union

We do not plan this.


3.7 Need to provide the data

In order to achieve the reasons described in point 3, it is necessary that you provide us with your personal data.


3.8 Automated decision-making/profiling

Automated decision-making or profiling does not occur.


4 Rights

As the person concerned by the data processing, you have, among others, the following rights under the GDPR (hereafter "Concerned Party’s Rights"):


4.1 Disclosure rights (according to Art. 15 GDPR)

You have the right to request information about whether we process personal information about you or not. When we process personal information about you, you are entitled to find out

  • why we are processing your data,
  • what types of data we are processing from you,
  • what types of recipients receive or should receive data from you,
  • how long we will save your data; if  we cannot specify the duration of storage, we must inform you how the storage duration is determined (e.g. after legal retention period expiration),
  • that you have a right to correct and delete the data concerning you, including the right to limit the processing and/or the option to object,
  • that you have a right to appeal to a supervisory authority,
  • where your data comes from, if we did not collect it directly from you,
  • whether your data are being used for automated decision-making/profiling and, if so, to find out what the logic behind the decision-making is and what impact and scope the automatic decision-making can have on you,
  • that, if data about you are transmitted to a country outside the European Union, you are entitled to information as to whether and if so, what guarantees an adequate level of protection for the data receiver,
  • that you have the right to request a copy of your personal data. Data copies are always provided in electronic form. The first copy is free; a reasonable fee may be required for additional copies. A copy can only be provided if the rights of other persons are not affected.


4.2 Right to correct data (according to Art. 16 GDPR)

You have the right to ask us to correct your data if it is incorrect and/or incomplete. This also includes the right to completion through supplementary statements or communications. A correction and/or supplementation must be made immediately, meaning without undue delay.


4.3 Right to delete personal data (according to Art. 17 GDPR)

You have the right to request deletion of your personal data from us if

  • the personal data are no longer required for the purposes for which they were collected and processed,
  • the data has been processed based on your consent and you have revoked your consent; however, this does not apply if there is another legal permission for data processing,
  • you have filed an objection to data processing, the legal authorization of which is in "legitimate interest" (according to Article 6 paragraph 1 letters e or f); however deletion may not be done if there are legitimate reasons for additional processing,
  • you have filed an objection to data processing for direct marketing purposes,
  • your personal data have been processed unlawfully,
  • it concerns the data of a minor, which were collected for information society services (electronic service) based on the consent (according to Art. 8 para. 1 GDPR).

The right to delete personal data does not exist if

  • the right to freedom of expression and information conflicts with the request for deletion,
  • the processing of personal data is required
    • to fulfill a legal obligation (e.g. statutory retention requirements),
    • to perform public duties and interests under applicable law (including "public welfare"), or
    • for archiving and/or research purposes,
  • the personal data are required to establish, exercise, or defend legal claims.

The deletion must be done immediately, meaning without undue delay. If personal data have been made public by us (e.g. on the internet), we must ensure as far as is technically possible and reasonable that other data processors are also informed about the deletion request, including the deletion of links, copies, and/or replications.


4.4 Right to restrict data processing (according to Art. 18 GDPR)

You have the right to have processing of your personal data restricted in the following cases:

  • If you have denied the accuracy of your personal data, you may request that your data not be used for the duration of the verification of accuracy and thus the processing is limited.
  • For unlawful data processing, you may request data use restrictions instead of data deletion.
  • If you need your personal data to establish, exercise, or defend legal claims and we no longer need your personal data, you may request us to restrict processing for legal purposes.
  • If you have filed an objection (according to Art. 21 para. 1 GDPR) and it is not yet clear whether our interests in processing outweigh your interests, you can request that your data not be used for the duration of the test for other purposes and thus the processing is limited.

Personal data, of which processing has been restricted by your request, may only be processed subject to storage

  • with your consent,
  • to establish, exercise, or defend legal claims,
  • to protect the rights of other natural or legal persons, or
  • for reasons of important public interest.

If a processing restriction is lifted, you will be notified in advance.


4.5 Right to data transferability (according to Art. 20 GDPR)

Subject to the following provisions, you have the right to request the publication of your data in a standard electronic, machine-readable data format.

You may also request us to transfer this information directly to another person named by you or to be named responsible if this is technically possible for us.

The right to transfer data exists only for data provided by you, and requires that the processing is done based on consent or to carry out a contract and performed via automated processes.

The right to transfer data according to Art. 20 GDPR leaves the right to data deletion unaffected according to Art. 17 GDPR. Data transfer is subject to the rights and freedoms of other persons whose rights may be affected by the data transfer.


4.6 Revocation right (according to Art. 7 Abs. 3 GDPR)

You have the right to revoke your initially given consent to the processing of your data at any time effective going forward. We will delete the revoked data concerned immediately, as long as further processing cannot be based on the legal basis for unapproved processing. Revocation of consent does not affect the legality of processing done based on the consent until the revocation.


4.7 Right to object to certain data processing (according to Art. 21 GDPR)

In case of processing personal data in order to perform public interest duties (Art. 6 para. 1 lit. e GDPR) or to exercise legitimate interests (Art. 6 para. 1 lit. f GDPR) you may object to processing personal data concerning you at any time effective going forward.

In case of objection, we shall refrain from any further processing of your data for the abovementioned purposes, unless

  • there are compelling, legitimate grounds for processing that outweigh your interests, rights, and freedoms, or
  • the processing is necessary to establish, exercise, or defend legal claims.

You may object at any time to use of your data for direct marketing purposes effective going forward; this also applies to profiling insofar as it is connected with direct advertising. In case of objection, we may no longer use your data for direct marketing purposes.


4.8 Prohibition of automated decisions/profiling (according to Art. 22 GDPR)

Decisions by us that have legal effects or that significantly affect you must not be based solely on automated processing of personal data. This includes profiling. This prohibition does not apply if the automated decision

  • is required for the conclusion or fulfillment of a contract with you,
  • is permitted by law, if such legislation contains reasonable measures to protect your rights and freedoms as well as your legitimate interests, or
  • is done with your express consent.

Decisions based solely on automated processing of special categories of personal data (sensitive data), are only permitted if they 

  • are made on the basis of your expressed consent, or
  • are based on relevant public interest for processing, and
  • reasonable measures have been taken to protect your rights and freedoms as well as your legitimate interests.


4.9 Handling a data breach

We will inform you immediately of any data breaches that could result in high risk for your personal rights and freedoms; the information can be omitted in cases of Art. 34 para. 3 GDPR. As part of the information, we will in particular provide you with the following information:

  • Description of the data breach,
  • Name and contact details of the data protection officer or another contact point for further information,
  • Description of the likely consequences of the data breach,
  • Description of any actions we have taken or suggested to resolve the data breach including measures to mitigate adverse effects.


4.10 Exercising rights of persons concerned

To exercise the rights of persons concerned, please contact the authorities mentioned above in point 2. Requests that are submitted electronically are usually answered electronically. Any information, communications, and measures made available by GDPR are generally provided free of charge. Only in cases of clearly unfounded or excessive requests are we entitled to charge a reasonable fee for processing or refrain from action (according to Article 12 paragraph 5 GDPR).

If there are reasonable doubts about your identity, we may request additional information from you for identification purposes. If identification is not possible for us, we are entitled to refuse to process your request. We will – as far as possible – notify you separately about any inability for identification (see Article 12 paragraph 6 and Article 11 GDPR).

Disclosure and information requests are usually processed immediately, but no later than one month after receipt of the request. The deadline may be extended by an additional two months if necessary, taking into account the complexity and/or the number of requests; in case of an extension, we will inform you of the reasons for the delay within one month of receipt of your request.

If we fail to respond to a request we will notify you immediately, but no later than one month after receipt of the request, notifying you of  the reasons for this and  inform you of the possibility to file a complaint with a regulatory authority or to seek judicial remedy (see Article 12 paragraph 3 and paragraph 4 GDPR).

Please note that you can only exercise your rights in the context of limitations and restrictions provided by the European Union or member states (Article 23 GDPR).


4.11 Obligation to share information with third parties

If we have disclosed personal information to other parties or recipients, we are required, to the extent technically possible and reasonable, to communicate any correction, deletion, and/or restriction of processing to the data recipients.

We will inform you about the respective data recipients upon request.


5 Links to other websites

Our website contains links to other websites that are not under our control. Please note that we are not responsible for the privacy practices of other websites, including the privacy practices of websites we link to on our website.

Therefore, when you click/open a link that directs you to another website, we ask that you always read the privacy policy of the website you visit.

This privacy policy applies only to information collected through our website.


6 Changes and updates to this privacy policy

We may revise this privacy policy if necessary. The current version of this privacy policy will determine our use of the information about you and is available on our website at the following link:

If significant changes are made to this privacy policy, we will inform you of the changes, if necessary, via e-mail or a notice/message on our website. By continuing to access and/or use our website after the changes have come into effect, you agree to the revised privacy policy.


7 Legal remedies

In case of grievances, you may always contact the responsible supervisory authority of the European Union or the member states. The contact details of the responsible authority for our company can be found under point 2.2.