Data protection information of the Wilo-Foundation

A. Name and address of the data controller

For the purposes of the General Data Protection Regulation (GDPR) and other national data protection laws the data controller is:

Wilo-Foundation
Wilopark 1  
44263 Dortmund 
Germany
info(at)wilo-foundation.de 
www.wilo-foundation.de

Since the criteria of section 38 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) do not apply to the Wilo-Foundation, the Foundation is not obliged to appoint a data protection officer. Should you have any questions relating to data protection issues, please contact:

info(at)wilo-foundation.de 

B. General information on data processing

1. Scope of the processing of personal data
We only collect and use our user’s personal data to the extent necessary to provide a functioning website, contents and services. We only collect and use our user’s personal data after having obtained the user’s consent. An exception applies in cases when the user’s consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

Article 6(1) point (a) GDPR serves as the legal basis if we obtain the data subject’s consent to the processing of personal data.

Article 6(1) point (b) GDPR serves as the legal basis for the processing of personal data required to perform a contract to which the data subject is a party. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Article 6(1) point (c) GDPR serves as the legal basis if the processing of personal data is required to perform statutory obligations owed by our company.

Article 6(1) point (d) GDPR serves as the legal basis in the event that vital interests of the data subject or another real person require the processing of personal data.

Article 6(1) point (f) GDPR serves as the legal basis if the data processing is necessary to safeguard a legitimate interest of our company or a third party that prevails over the data subject’s interests, fundamental rights and fundamental freedoms.

3. Data deletion and storage period
The personal data of the data subject is deleted or blocked as soon as the purpose of their storage has been achieved. Storage for a longer period is possible if provided for by the European or national legislator in relevant Union regulations, laws or other provisions governing the data controller. The data is also deleted or blocked once the statutory retention period lapses, unless there is a requirement to retain the data for entering into or performing a contract. The data we delete includes, inter alia

  • log data, which is deleted after 180 days, and anonymised after 7 days.

 

C. Provision of the website and generation of log files

1. Description and scope of data processing
Our system automatically collects data and information from the accessing computer on each occasion a user visits our website.

The following data is collected:

(1) The user’s IP address, but in partially anonymised form, so it cannot be traced back to the user

(2) Date and time of access

(3) Websites from which the user was referred to our website

(4) Sub-websites accessed by the user

(5) Websites accessed by the user’s system via our website

(6) Duration of the user’s visit

(7) Time of the user’s first visit and most recent visit

2. Legal basis for the data processing
The legal basis for the temporary storage of the data and log files is Article 6(1) point (f) GDPR.

3. Purpose of the data processing
The purpose of the data use is the evaluation of the use of websites so as to further improve the offer and user experience. Through the evaluation, information on how the website is used can be obtained, and in this way the content of the website continuously optimised. The user data collected in this way for the purpose of analysis is anonymised by technical measures. Therefore, the data can no longer be allocated to the user accessing the site. The data is not stored together with other personal data of the users.

4. Storage period
Our provider’s services store the data they process for an unlimited period. They do not use any cookies but only process the access log data. IP addresses are stored in the access log as partially anonymised information. Consequently, this information does not constitute personal data.

The actual website (Typo3) stores the data for a period of 180 days, with IP addresses being anonymised after 7 days.

5. Right to object and contest a decision
The collection of the data for the provision of the website and storage of the data in log files is absolutely essential for the operation of the website. This means that the users cannot object to this collection and storage of data.

D. Use of cookies

1. Description and scope of the data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the computer system of the data subject. If the data subject accesses a website, a cookie may be stored on the data subject's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change. The following data is stored and transmitted in the cookies:

  • Security mechanism for forms (XSRF)
  • Web analysis tool Matomo (formerly Piwik)
  • Universal Messenger data for target group-orientated website display

We also use cookies on our website that enable an analysis of the data subject's surfing behaviour.

The following data can be transmitted in this way:

  • Search terms entered
  • Frequency of page views
  • Utilisation of website functions

The data of the data subject collected in this way is pseudonymised by technical precautions. It is therefore no longer possible to assign the data to the data subject. The data is not stored together with other personal data of the data subject.

When accessing our website, the data subject is informed about the use of cookies by an information banner and referred to this privacy policy. In this context, the data subject has the option of allowing or blocking cookies. A distinction must be made between cookies that are technically necessary for the operation of our website and cookies that are not.

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies, which are absolutely necessary for the operation of our website, is Art. 6 para. 1 lit. f GDPR.

The legal basis for the processing of personal data using all other cookies that are not absolutely necessary is your effective consent in accordance with Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for the data subject. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognised even after a page change.

We need cookies for the following applications:

  • Tracking functionalities (e.g. country of origin)

This purpose also constitutes our legitimate interest in the processing of personal data in accordance with Art. 6 para. 1 lit. f GDPR.

The data collected by technically necessary cookies is not used to create user profiles.

The purpose of using analytics cookies is to improve the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can thus constantly optimise our offer.

4. Duration of storage

Cookies that have already been saved can be deleted by you at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

5. Possibility of objection and removal

Cookies are stored on the data subject's computer and transmitted from there to our website. As the data subject, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your internet browser.

In addition, you have the option of adjusting your settings in the cookie banner or cookie declaration at any time and revoking your consent with effect for the future. Processing that has already taken place in the past is not affected by this.

E. Newsletter

1. Description and scope of the data processing

On our website there is the possibility to subscribe to a free newsletter. When registering for the newsletter, the data from the input mask is transmitted to us.

In addition, the following data is collected during registration:

(1) IP address of the accessing computer

(2) Date and time of registration

Your consent will be obtained for the processing of the data as part of the registration process and reference will be made to this privacy policy.

If you purchase goods or services on our website and provide your e-mail address, this may subsequently be used by us to send you a newsletter. In such a case, the newsletter will only be used to send direct advertising for its own similar goods or services.

In connection with data processing for the sending of newsletters, the data will not be passed on to third parties. The data will be used exclusively for sending the newsletter.

Newsletter tracking takes place, so that pixel images, also known as web beacons or tracking pixels, are integrated into the emails sent, but are not directly contained (only the web address). These must be downloaded from the external server by the browser's mail program. Information is provided on the time of access, the IP address and the client used.

In the administration and dispatch of newsletters, we are supported by Sendinblue GmbH ("Brevo"), Köpenicker Straße 126, 10179 Berlin, with whom we have concluded a contract for commissioned data processing.

The hosting servers on which Brevo processes and stores its databases are all located within the European Union, on its own servers and in the Google Cloud. Brevo uses OVH exclusively in France and Germany as its primary hosting provider. The data is stored in the Google Cloud in Belgium.

2. Legal basis for the data processing

The legal basis for the processing of data after registration for the newsletter by the data subject is Art. 6 (1) (a) GDPR if consent has been given.

The legal basis for sending the newsletter as a result of the sale of goods or services is Art. 6 I lit. f GDPR, § 7 para. 3 UWG.

In addition, newsletter tracking is based on Art. 6 (1) (f) GDPR.

3. Purpose of the data processing

The collection of the e-mail address of the data subject serves to deliver the newsletter.

The tracking of the newsletter is used for statistical evaluation in order to recognize how many e-mails were read and when, and which links were frequently accessed. In this case, the use is not personal. The information is used to optimize the content of newsletters or to better tailor newsletters to the mail clients used by the recipients.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the e-mail address used.

4. Storage period

The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. The e-mail address of the data subject will therefore be stored as long as the subscription to the newsletter is active. 

You have the option of requesting the individual deletion of your data at Brevo at any time. Brevo undertakes to comply with such requests within 30 days. For all further information on the processing of data by BREVO, please refer to the BREVO Privacy Policy.

5. Right to object and contest a decision

The subscription to the newsletter can be cancelled by the data subject at any time. For this purpose, there is a corresponding link in every newsletter.

This also makes it possible to withdraw consent to the storage of personal data collected during the registration process.

6. Cloudflare Turnstile

We use “Cloudflare Turnstile” on this website. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Turnstile”).

Turnstile is used to check whether the data input on this website (e.g., in a contact form) is done by a human or by an automated program. For this purpose, Turnstile analyzes the behavior of the website visitor based on a number of characteristics.

This analysis starts automatically as soon as the website visitor enters a website that uses Turnstile. For the analysis, Turnstile evaluates various information (e.g., IP address, time spent on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Cloudflare.

The storage and analysis of the data is based on Art. 6 (1)(f) GDPR. The website operator has a legitimate interest in protecting his web offerings from abusive automated spying and from Spam. If such consent has been obtained, the data will be processed exclusively on the basis of Art. 6 (1)(a) GDPR and § 25 (1) TDDDG, if the consent comprises the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) as defined in the TDDDG (German Telecommunications Act). Such consent may be revoked at any time.

The processing of data is based on Standard Contract Clauses, which you can find here: https://www.cloudflare.com/cloudflare-customer-scc/.

For more information on Cloudflare Turnstile, please visit the privacy policy at: https://www.cloudflare.com/cloudflare-customer-dpa/.

The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please contact the provider under the following link: https://www.dataprivacyframework.gov/participant/5666.

F. Website analysis services

This website uses the software "Matomo" (www.matomo.org), a service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand. The software places a cookie (a text file) on your computer with which your browser can be recognised. If subpages of our website are accessed, the following data is stored:

  • The IP address of the data subject shortened by the last two bytes (anonymised)
  • The accessed subpage and time of access
  • Browser and operating system of the data subject
  • Source page of the data subject (referrer)
  • The time spent on the website
  • The pages that are accessed from the accessed subpage

The data collected with Matomo is stored on a server in Germany. It is not passed on to third parties.

2. Legal basis for data processing

The legal basis for the processing of personal data using Matomo is Article 6(1)(f) of the GDPR.

3. Purpose of data processing

We need the data in order to analyse the surfing behaviour of affected persons and to obtain information about the use of the individual components of the website. The purpose of data processing is to endeavour to sustainably improve the website and the user experience. This is our legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. By anonymising the IP address, we take account of the data subject's interest in the protection of their personal data. The data is never used to personally identify the data subject of the website and is not merged with other data.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

5. Possibility of objection and removal

You have the option to object to the recording of data in the manner described above in various ways at any time:

  • You can completely prevent the storage of cookies in your browser. However, this may mean that you will no longer be able to use some functions of our website that require identification (shopping basket, orders, personal settings, etc.)
  • You can activate the "Do-not-track" setting in your browser. Our Matomo system is configured to respect this setting.

G. Rights of the data subject

If your personal data is processed, you are a data subject in the meaning of the GDPR. You have the following rights against the data controller:

1. Access to information
You have the right to request the controller to confirm whether we process any of your personal data. If this is the case, you have the right to request the data controller to furnish you with the following information:

(1) The purposes for processing the personal data;

(2) The categories of personal data that is processed;

(3) The recipients or categories of recipients to whom your personal data was or will be disclosed to;

(4) The intended period for storing your personal data or, if no precise information is available, the criteria for determining the period of storage;

(5) The existence of a right to the deletion or correction of your personal data, a right to restrict the data processing by the data controller, and a right to revoke your declaration of consent for such data processing;

(6) The existence of a right to lodge a complaint with a supervisory authority;

(7) All available information on the source of any personal data that was not collected from the data subject;

(8) The existence of automated individual decisions, including profiling pursuant to Article 22(1) and (4) GDPR and, where this is the case, meaningful information regarding the logical reasoning involved and the magnitude and intended effects of such data processing for the data subject.

You also have the right to demand information on whether your personal data was transmitted to a third country or an international organisation. You may in this respect demand to be informed about the adequate safeguards pursuant to Article 46 GDPR in relation to the transmission.

2. Right to rectification
You have a right to request the data controller to correct or complete your data if your personal data is incorrect or incomplete. The data controller must correct the data without undue delay.

3. Right to restrict the data processing
You have the right to impose a restriction on the processing of your personal data under the following conditions:

(1) You contest the correctness of your personal data and allow the data controller sufficient time to verify the correctness of the personal data;

(2) The data processing is unlawful and you decline the deletion of your personal data relating and rather demand the processing of your personal data to be restricted;

(3) The data controller no longer requires the personal data for the purposes they were collected for, but you require the data for the purpose of asserting, exercising or defending legal interests, or

(4) You have objected against the data processing in accordance with Article 21(1) GDPR and a decision on whether the data controller’s legitimate interests prevail over yours has not been made.

If the processing of your personal data has been restricted, this data – except for their storage – may only be processed with your consent, for the purpose of asserting, exercising or defending legal interests, to protect rights of another person or legal entity or for reasons of important public interest of the European Union or a Member State.

If the restriction imposed on the processing of the data under the stated conditions is modified, you will be informed by the data controller before the restriction is lifted.

4. Right to erasure
a) Obligation to delete data

You may request the controller to promptly delete your personal data and the data controller is under an obligation to delete such data without undue delay, provided one of the following reasons apply:

(1) Your personal data is no longer required for the purposes for which they were collected or processed otherwise.

(2) You revoke your consent on which the data processing is based pursuant to Article 6(1) point (a) or Article 9(2) point (a) GDPR and there is no other legal basis for the data processing.

(3) You object to the data processing in accordance with Article 21(1) GDPR and there are no overriding legitimate interests in the data processing, or you object against the data processing in accordance with Article 21(2) GDPR

(4) Your personal data was processed unlawfully.

(5) The deletion of your personal data is required to perform a statutory obligation prescribed by EU law or the law of the Member States governing the data controller.

(6) Your personal data was collected in relation to services offered by the information society pursuant to Article 8(1) GDPR.

b) Notification of third parties

If the controller has made your personal data public and is under an obligation to delete such data pursuant to Article 17(1) GDPR, the data controller must, within the bounds of the available technology and implementation costs, take adequate measures, including those of a technical nature, to inform data controllers processing the personal data about the fact that you as the data subject have requested them to delete all links to this personal data, as well as copies or reproductions of this personal data.

c) Exceptions

You do not have a right to the deletion of your data to the extent the data processing is required

(1) to exercise the right to freedom of expression and freedom of information;

(2) to perform a statutory obligation that requires the data processing under EU law or the law of the Member States governing the data controller, or to perform a function in the public interest or to exercise a public authority conferred upon the data controller;

(3) or reasons of public interest in the area of public health pursuant to Article 9(2) points (h) and (i), as well as Article 9(3) GDPR;

(4) for archiving purposes that are in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) GDPR, to the extent the right stated in section a) is expected to render the achievement of the objectives of this data processing infeasible or to significantly impeded them, or

(5) for the purpose of asserting, exercising or defend legal interests.

5. Right to onward notification
If you have exercised your right to the correction or deletion of your data, or to impose a restriction on the data processing, against the data controller, the data controller is required to notify all recipients to whom your personal data was disclosed about such correction or deletion of your data, or the imposition of a restriction on the processing of your data, unless such action is infeasible or would entail unreasonable effort or expenses. You have the right to be informed about these recipients of your data by the data controller.

Ihnen steht gegenüber dem Verantwortlichen das Recht zu, über diese Empfänger unterrichtet zu werden. 

6. Recht auf Datenübertragbarkeit 
Sie haben das Recht, die Sie betreffenden personenbezogenen Daten, die Sie dem Verantwortlichen bereitgestellt haben, in einem strukturierten, gängigen und maschinenlesbaren Format zu erhalten. Außerdem haben Sie das Recht diese Daten einem anderen Verantwortlichen ohne Behinderung durch den Verantwortlichen, dem die personenbezogenen Daten bereitgestellt wurden, zu übermitteln, sofern 

(1) the data processing is based on consent pursuant to Article 6(1) point (a) or Article 9(2) point (a) GDPR, or based on a contract pursuant to Article 6(1) point (b) GDPR, and

(2) the processing is conducted with the help of automated processes.

When you exercise this right, you are also entitled to have the personal data transmitted directly from one data controller to another, subject to technical feasibility. This must not compromise the rights and freedoms of third parties. The right data portability does not apply to data processing necessary for the performance of a function in the public interest, or in the exercise of a public authority conferred upon the data controller

7. Right to object
You have the right to object against the processing of your personal data on the basis of Article 6(1) point (e) or (f) GDPR for reasons resulting from your personal circumstances at any time; this also applies to profiling based on the same provisions.

The data controller will then cease the processing of your personal data, unless the controller demonstrates compelling legitimate interests in the data processing which prevail over your interests, rights and freedoms, or unless the processing serves the purpose of asserting, exercising or defending legal interests. Where personal data is processed for direct advertising purposes, you have the right to object against the processing of your personal data for such direct advertising purposes at any time; this also applies to profiling associated with such direct advertising. Your personal data will no longer be processed for direct advertising purposes if you object against the data processing for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by via automated processes that use technical specifications.

8. Right to revoke your declaration of consent under data protection law
You have the right to revoke a previously granted declaration of consent under data protection law. A revocation of consent will be without prejudice to the lawfulness of the data processing conducted prior to the revocation.

9. Automated individual decisions, including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for entering into or performing a contract between you and a data controller,

(2) is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(3) is based on your explicit consent.

However, decisions must not be based on special categories of personal data pursuant to Article 9(1) GDPR, unless Article 9(2) point (a) or (g) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller must implement suitable measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.

If you wish to object against the collection, processing or use of your data by the Wilo-Foundation in accordance with this Privacy Statement, either categorically or for individual measures, you may send us your objection to the address:

Wilo-Foundation 
Wilopark 1 
44263 Dortmund 
Germany 

or via email to

info(at)wilo-foundation.de 

H. Security

The Foundation implements technical and organisational security measures to protect your data administered by us against accidental or deliberate manipulation, loss and destruction and/or access by unauthorised persons.

Our security measures are continuously improved as new technology becomes available.

As at March 2025

Please note that this statement may be supplemented or amended in the future due to legal or other requirements. Please inform yourself regularly about the current status.