Data protection statement

I. Basic information about data processing and legal bases

(1) This data protection statement clarifies the nature, scope and purpose of the processing of personal data as part of our online offering and the associated websites, functions and content (hereinafter collectively referred to as “online offering” or “website”). The data protection statement shall apply irrespective of the domains, systems, platforms and devices (e.g. PC or mobile) used to provide the online offering.

(2) The terms used in this data protection statement correspond to the wording of the General Data Protection Regulation (GDPR), in particular the definitions in Article 4 of the GDPR. For a better understanding, we have defined the terms relevant for this statement below:

a. Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural Person.

b. Data subject

The data subject is any identified or identifiable natural person whose personal data is processed by the controller.

c. Processing

Processing refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d. Restriction of processing

Restriction of processing refers to the marking of stored personal data with the aim of limiting its processing in the future.

e. Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

f. Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

g. Controller or person responsible for processing

The controller or person responsible for processing is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or member state law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.

h. Processor

A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

i. Recipient

A recipient is a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or member state law shall not be regarded as recipients.

j. Third Party

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

k. Consent

Consent means any specific, informed and unambiguous indication given freely by the data subject of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Users' personal data which is processed as part of this online offering includes user-related data (e.g. customer names and addresses), contract data (e.g. services provided, names of administrators, payment information), usage data (e.g. our websites visited, interest in our products) and content data (e.g. details in the contact form). 

(3) We also use the term “user” in this statement. This has the same meaning as the term “data subject” as defined in the GDPR. All of our online visitors are to be included here, regardless of whether we already have contractual associations with them or not.

(4) All terminology used in this statement, such as “user”, shall be neutral in gender.

(5) We abide by the pertinent data protection regulations within the scope of our business activities. We therefore only process users' personal data if legal permission has been granted. In accordance with statutory regulations, we are permitted specifically to process personal data if this processing is required to perform our contractual services (e.g. order processing) and online services, or the processing is based on the statutory obligations imposed on us. We are also permitted to process this data if the data subject has given consent and/or if we process the data in view of legitimate interests (e.g. for tracking (cyber) attacks on our (computer) system that could result in prosecution).

(6) Data processing Controller:

Maschinenfabrik GmbH

Ehinger Straße 34

88400 Biberach/Riss


Tel.: +49 (0) 7351 571 0

Fax: +49 (0) 7351 571 130



Registered office: Biberach


Ulm District Court, HRB 640007

VAT ID No.: DE 144889422

Tax no.: 54001/00142


Authorized representative CEO: Dr.-Ing. Stefan Brand

Chairman of the Supervisory Board: Martin Kapp


Our data protection officer can be contacted as follows:


Maschinenfabrik GmbH

Data protection officer

Ehinger Straße 34

88400 Biberach/Riss




(7) The legal basis for data processing in the context of consent from the data subject is Article 6 (1a) and Article 7 GDPR, for processing to perform our services and implement contractual measures Article 6 (1b) GDPR, for processing to fulfill our legal obligations Article 6 (1c) GDPR, and for the legal basis for processing to safeguard our legitimate interests Article 6 (1f) GDPR.

II. Security measures

(1) With regard to safeguarding the personal data of our users, we have implemented the very latest organizational, contractual and technical security measures.

(2) These security measures include in particular the encrypted transmission of data between the browser of the respective user and our Server.

(3) However, we would like to point out that e-mails can be saved and sent without encryption.

III. Disclosure of data to third parties and third-party providers

(1) Data shall only be disclosed to third parties in line with legal requirements. In general, we shall only disclose user data to (outside) third parties if required for contractual use, e.g. based on Article 6 (1b) GDPR, if we are legally required to do so or if it is in our legitimate interests in accordance with Article 6 (1f) GDPR.

(2) When we employ subcontractors to provide our services, we take the appropriate legal precautions and corresponding technical and organizational measures to ensure the protection of personal data in accordance with the pertinent legal regulations. We also require our subcontractors to comply with data protection regulations, in particular by taking the necessary technical and organizational measures.

(3) If our Internet offering includes content, tools or other material from other providers (hereinafter collectively referred to as “third-party providers”) and their headquarters are located in a country outside the scope of GDPR (in other words, outside the European Union, or European Economic Area), it should be assumed that a data transfer (also) takes place in this country. The transfer of data in such countries (“third countries”) will only take place if there is an adequate level of data protection in these countries, if the users have given their consent regarding this transfer or if legal permission has been granted.

(4) We currently use the following third-party provider applications on our Website:


a. Google Tag Manager

Our website uses Google Tag Manager. Using this service, website tags can be managed via one interface. Google Tag Manager only implements tags and this means that no cookies are used and no personal data is collected. Google Tag Manager triggers other tags which, in turn, may collect data. However, Google Tag Manager does not access this data. If deactivation is carried out at the domain or cookie level, it remains in place for all tracking tags, provided they are implemented with Google Tag Manager.

For more information on Google Tag Manager, see:



b. Google Maps

Our website has integrated Google Maps on its subpage: This tool is used to display the relevant selected VOLLMER location. Here, the user can choose between the different views, e.g. Terrain, Satellite, StreetView. Users can also move the map as well as zooming in/out.

For additional functions such as directions, which enable the user's location to be determined, the user must, however, switch to the official Google Maps website. The VOLLMER location is not transferred in this case.


c. SurveyMonkey

For individual surveys, the VOLLMER website uses the SurveyMonkey online service (SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland) to create and analyse online surveys. Participation is voluntary. The legal basis is by consent under Article 6(1a) GDPR. The surveys are integrated into our website via a frame.

Even if you participate in an anonymous survey, SurveyMonkey collects information about the device and application that you use to participate in the survey. This includes the IP address, the version of your operating system, the device type and information on the system and performance on the browser type. (Where the data will be stored, how long will it be stored for, when will it be erased?) If you participate in the survey using a mobile device, SurveyMonkey also records the UUID of the device. SurveyMonkey also uses tracking services of third party providers which, in turn, use cookies and page tags to collect usage data and user statistics. The scope of the data collected by SurveyMonkey is beyond the control of VOLLMER.

You can find more information on the cookies used by SurveyMonkey, data protection and the storage period via the following link:

Since the data collected by SurveyMonkey may also be transmitted to servers in the USA, Survey Monkey is certified in accordance with the Privacy Shield Framework. (This takes into account the standard contractual clauses. Note: The Privacy Shield Framework has been declared invalid).

As a participant in a survey, you can contact us at any time and request the survey data you have provided to be erased. This includes your personal data, if this has been collected (see also the notes on storage above). It is not possible to subsequently correct individual answers after submitting the survey.

VOLLMER has embedded Survey Monkey on its website in order to measure the satisfaction of (potential) customers in various areas. The feedback can be submitted anonymously by the survey participant by skipping the request for contact details and leaving the fields empty. Therefore not all points are specified as mandatory fields. If the participant wishes us to personally address their constructive criticism after the survey, we ask them to fill out the contact details section.

The questions are primarily formulated as analysis questions, which means that they do not allow any conclusions to be drawn about the participant. In every survey, there is, however, an open question where the participant can provide their own comments or suggestions for improvement. If the participant refers to a specific case here, then it is possible to draw conclusions.

VOLLMER does not use the surveys to process individual complaints, but simply to obtain a broad picture of the satisfaction level with regards to its products and services, so it can continually improve its processes and products in line with certification. The surveys are voluntary and can be aborted at any time, even during processing.


d. YouTube plugin

We also use a plugin from the provider YouTube. YouTube is run by YouTube LLC, which has its principal place of business at 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google Inc., which has its headquarters at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When you open web pages featuring this plugin from our websites or click on the YouTube logo, a link to the YouTube servers is established and the plugin is shown. The YouTube server will then receive information regarding which of our web pages you have visited. If you are logged on as a YouTube user, YouTube will assign this information to your personal user account. When you use the plugin, e.g. by clicking the start button on a video, this information will also be assigned to your user account. You can prevent this assignment by logging out of your YouTube user account, and any other user accounts run by the companies YouTube LLC or Google Inc., before using our web page and deleting the relevant company Cookies.

To learn more about the purpose and extent of data collection and the further processing and use of the data by YouTube, as well as your rights in this regard and the settings available to protect your privacy, please see the data protection information from YouTube:

IV. Contact and newsletter

(1) If personal data is sent to us via e-mail, we use it exclusively within the framework of the legal permissions, i.e. to process any inquiry or within the scope of the given consent (Article 6 (1a) GDPR) or – if the e-mail contact results in the conclusion of a contract – to fulfill our contractual obligations in accordance with Article 6 (1b) GDPR. During processing, users' personal data gained in this way is kept separately from other personal data gained in other business operations.

(2) If applications are sent to us electronically, we process the personal data included solely for the purpose of handling the application process (Article 6 (1a) GDPR). If we then go on to conclude an employment contract with the applicant, the data submitted is processed and stored for the purpose of handling the employment relationship while taking the legal requirements into account. If an employment contract does not materialize, the application documents are deleted if and so long as there are no legitimate interests against this on our part, such as a burden of proof in a procedure according to the General Act on Equal Treatment (AGG).

(3) With the following information, we would like to inform you about the content of our newsletter and the registration, shipping and statistical evaluation procedures as well as your rights to object:

a. By subscribing to our newsletter, the user agrees to receive the newsletter and to the procedure described below. This is therefore a matter of consent based on data protection regulations, which we log for verification purposes.

b. Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional material (hereinafter referred to as the “newsletter”) only with the recipient's consent or legal permission. If during subscription to the newsletter its content is specifically rewritten, this is significant as regards user consent. Our newsletter also contains information about our products, offers, activities and our Company.

c. Double opt-in and logging: Registration for our newsletter requires a double opt-in process. Users therefore receive an e-mail after registration, asking them to confirm their registration. This confirmation is required so as to prevent people from registering using e-mail addresses which are not their own. Newsletter registrations are logged in order to be able to verify the registration process in accordance with legal requirements. This includes saving the time of registration and confirmation, along with the IP address. Likewise, any changes to the data saved by the mailing provider are also logged.

d. Mailing provider: The newsletter is distributed using a software solution from Inxmail GmbH, Wentzinger Straße 17, 79106 Freiburg, Germany (“Inxmail”) subsequently referred to as the “mailing provider”. The data protection policy of the mailing provider can be viewed here.

Furthermore, the mailing provider can use this data pseudonymously, i.e. without assignment to a user, to optimize or improve its own services, e.g. for technical optimization of distribution and to display the newsletter or for statistical purposes to determine which countries the recipients come from. The mailing provider does not, however, use the data from our newsletter recipients to contact them or to pass on to third parties.

e. Registration data: To register for the newsletter, only the user's e-mail address is required. It is also possible to submit other optional personal data. The latter is used solely for a personal address in the actual Newsletter.

f. Statistical survey and analyses: Our newsletters contain a “web beacon”, i.e. a pixel-size file that is retrieved from the mailing provider server when the newsletter is opened. As part of this retrieval process, technical information, such as details about the browser and your system, your IP address and the time of retrieval are collected first. This information is used to make technical improvements to services using the technical data or the target groups and their reading behavior based on their places of retrieval (determined using the IP address) or the access times. The statistical surveys also determine whether the newsletters were opened, when they were opened and which links were clicked. For technical reasons, this information can be assigned to the individual newsletter recipients, however, it is not our intention, or that of the mailing provider, to monitor individual users. Instead, the evaluations help us by identifying the reading habits of our users so we can customize our content to suit them or send different content based on the interests of our users.

g. Use of the mailing provider, performance of the statistical surveys and analyses and logging the registration procedure are all based on our legitimate interests in accordance with Article 6 (1f) GDPR. We are particularly interested in deploying a user-friendly and secure newsletter system, which both protects our business interests and meets the expectations of the users.

h. Cancellation/withdrawal: Users can unsubscribe from our newsletter at any time, i.e. withdraw their consent. This withdraws their consent not only to receive the newsletter from the mailing provider but also to the statistical analyses. Unfortunately, it is not possible to withdraw consent separately for either being contacted by the mailing provider or for the statistical evaluation. A link to unsubscribe from the newsletter can be found at the end of each newsletter. If the user is subscribed to the newsletter only and then cancels their subscription, their personal data is erased. Please be aware that receiving and/or canceling the newsletter normally incurs only the transmission costs, charged at the basic rate.

i. User requirements: Each user has rights and claims, as described in more detail in section VI, which can be enforced against us at any time – also in view of consent as regards mailing of the newsletter.

V. Collection of access data and log files

(1) We collect data about each access to the server containing this service (server log files). The access data includes the name of the visited website, file, date and time of retrieval, transferred data volume, confirmation of successful retrieval, browser type and version, the user's operating system, referrer URL (previously visited page), IP address and the requesting Provider.

(2) For security reasons (e.g. to clarify any misuse or fraudulent behavior), log file information is stored for a maximum of seven days and then erased. If data has to be kept as evidence, it is excluded from erasure until the specific incident has been conclusively clarified.

(3) This data has to be collected for technical reasons in order to provide our Internet offering, so that data collection is based on our legitimate interests pursuant to Article 6 (1f) GDPR.

VI. Use of cookies

To operate our website, we strictly use the necessary cookies based on legitimate interest (Article 6(1f) GDPR). Our legitimate interest is in ensuring that our website works properly and can be used optimally. These types of cookies are also not transferred to third parties. Strictly necessary cookies simply ensure that the strictly necessary functions are operational when you visit our website. This involves, for example, the language selection by session cookies (which are deleted when the browser is closed).

We do not use marketing cookies, personalisation cookies or tracking technologies. We, therefore, do not analyse or pass on personal data.

VII. Rights of users

(1) Users have the right to receive information free of charge at any time about:

a. The purposes for which we process personal data;

b. The categories of personal data that we process;

c. The recipients or categories of recipients to whom the personal data was disclosed or is currently being disclosed;

d. The planned duration of storage of the personal data concerning them or, if accurate details are not possible, criteria used to determine the storage period;

e. All available information about the origin of the data, if the personal data is not collected from the data subject;

f. The existence of an automated decision-making process including profiling in accordance with Article 22 (1 and 4) GDPR and – in these cases at least – meaningful information about the involved logic as well as the scope and intended effects of such processing for the data subject.

(2) The users also have the following rights:

a. Right to rectification 

The users have a right to rectification and/or completion against us, in cases where the processed personal data that relates to them is inaccurate or incomplete. We will carry out the rectification immediately.

b. Right to the restriction of processing

Subject to the following conditions, the users can request to restrict the processing of the personal data that relates to them:

i. If they contest the accuracy of the personal data that relates to them for a period which allows us to verify the accuracy of the personal data;

ii. The processing is unlawful and they oppose erasure of the personal data but instead request to restrict the use of the personal data;

iii. We no longer require the personal data for processing purposes, but they require it to assert, exercise or defend legal claims, or

iv. If they have filed an objection to the processing in accordance with Article 21 (1) GDPR and it is not yet clear whether our legitimate reasons outweigh the reasons given by the users.

If processing of the users' personal data has been restricted, this data may only be processed – other than to save it – with the consent of the users or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest for the EU or a member state.

If the processing was restricted based on the conditions above, we will inform the users before the restriction is lifted.

c. Right to erasure

i. Obligation of erasure

The users can request us to erase the personal data relating to them immediately, and we are obligated to erase this data immediately, if one of the following reasons applies:

The relevant personal data is no longer required for the purposes for which it was collected or otherwise processed.

The users withdraw their consent which supported processing in accordance with Article 6 (1a) or Article 9 (2a) GDPR, and there is no other legal basis for processing. 

The users object to the processing in accordance with Article 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or they object to the processing in accordance with Article 21 (2) GDPR. 

The personal data relating to the users was unlawfully processed. 

The erasure of personal data relating to the users is required in order to meet a legal obligation under European Union law or the laws of member states with which the controller must comply. 

The personal data relating to the users was collected in relation to information society services offered in accordance with Article 8 (1) GDPR.

ii. Information to third parties

If we have made a user's personal data public and we are obliged to erase it in accordance with Article 17 (1) GDPR, then we will take appropriate measures (including those of a technical nature) in consideration of the available technology and the implementation costs, to inform other data processing controllers who are processing the personal data, that the user as the data subject has requested that all links to this personal data, or copies or replications of such data are erased.

iii. Exceptions

The right to erasure does not apply if the processing is required 

to exercise the right to freedom of expression and Information;

to fulfill a legal obligation which requires processing according to the laws of the EU or its member states, which the controller is subject to, or to perform a task which is in the public interest or in the exercise of public authority, which was passed on to the Controller;

for reasons of public interest in the area of public health in accordance with Article 9 (2h, i) as well as Article 9 (3) GDPR;

for archiving purposes, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Article 89 (1) GDPR, provided that the right mentioned in section a) will likely make implementing the objectives of this processing impossible or seriously disrupt it, or

to assert, exercise or defend legal Claims.

d. Right to information

i. If a user has asserted the right to rectify, erase or restrict the processing against us, we are obligated to inform all recipients to whom the user's personal data was made public about this rectification or erasure of data or restriction of processing, unless this proves to be impossible or it involves disproportionate effort.

ii. The user is entitled to be informed by us about these recipients.

e. Right to data portability

Users have the right to the personal data relating to them, which they have given us, in a structured, conventional and machine-readable format. They also have the right to communicate this data to another controller without obstruction from us, provided that

i. processing is based on consent in accordance with Article 6 (1a) GDPR or Article 9 (2a) GDPR or on a contract in accordance with Article 6 (1b) GDPR and

ii. processing takes place using an automated procedure.

In exercising this right, users also have the right to have the personal data related to them communicated directly from one controller to another controller, where technically possible. This must not restrict the liberties and rights of other People.

The right to data portability does not apply to the processing of personal data which is required to perform a task that is in the public interest or in the exercise of public authority, which was passed on to the Controller.

f. Right to object

i. For reasons relating to their particular situations, users have the right to object at any time to the processing of their personal data, in accordance with Article 6 (1e or f) GDPR; the same applies to profiling based on these provisions. 

ii. We will then cease processing the users' personal data, unless we can provide compelling legitimate reasons for doing so, which outweigh the users' interests, rights and freedoms, or unless the processing is used to assert, exercise or defend legal Claims.

iii. If the users' personal data is processed to pursue direct advertising, they have the right to object at any time to the processing of their personal data for such advertising purposes; the same applies to profiling insofar as it is linked to direct advertising. At the current time, we are not conducting any such processing.

iv. If the users object to data processing for direct advertising purposes, their personal data will cease to be processed for such purposes.

v. Users have the opportunity to exercise their right to object via automated procedures which use technical specifications, in connection with the use of information society services – irrespective of Directive 2002/58/EC.

vi. Users can also withdraw consent at any time, invariably with implications for the future, and refuse future use of their data, where permitted by the legal regulations.

g. Right to file a complaint with a supervisory authority

i. Disregarding any other administrative or judicial remedy, the users have the right to file a complaint with a supervisory authority, especially in the member state where they live, work or the location of the suspected contravention, if they believe that the processing of their personal data contravenes the GDPR.

ii. The supervisory authority where the complaint was filed informs the complainant about the status and results of the complaint, including the option of judicial remedy in accordance with Article 78 GDPR.

iii. The supervisory authority responsible for us is:

German State Commissioner for Data Protection and Freedom of Information


Postfach 10 29 32

70025 Stuttgart

Königstraße 10a

70173 Stuttgart


Tel.: +49 (0) 711 61 55 41 0

Fax: +49 (0) 711 61 55 41 15



VIII. Erasure of data

(1) The data stored with us will be erased as soon as it is no longer required for its intended purpose and the erasure does not oppose any legal retention requirements. If user data is not erased because it is required for other and legally authorized purposes, processing of such data is restricted. In other words, the data is locked and not processed for other purposes. This applies, e.g. for user data that has to be stored for commercial or fiscal reasons.

(2) According to legal requirements, data is stored e.g. for six years in accordance with Section 257, paragraph 1 of the German Commercial Code (HGB) (account books, inventories, opening balances, annual financial statements, business letters, accounting records, etc.) and for ten years in accordance with Section 147 paragraph 1 of the German Fiscal Code (AO) (accounts, records, management reports, accounting records, business and commercial letters, taxation-relevant documents, etc.).

IX. Changes to the data protection statement

(1) We reserve the right to amend the data protection statement in line with changed legal situations, or in the event of changes to services and to data processing. However, this only applies with regard to statements about data processing. Provided that user consent is required or parts of the data protection statement contain regulations for the contractual relationship with the users, the changes will only be made in agreement with the users.

(2) Users are requested to keep themselves up to date with the content of the data protection statement.




Data protection statement last updated May 25th, 2018


Your Contact

VOLLMER WERKE Maschinenfabrik GmbH
AddressEhinger Straße 34
88400 Biberach/Riß