Data protection statement

IOI Oleo GmbH

Herrengraben 31
20459 Hamburg
Germany

Phone: +49 (0) 40 280031 – 0

E-Mail: info@ioioleo.de
Web:  www.ioioleo.de

Data Privacy Information

This privacy statement informs you about how we treat your data. To make the processing of your data transparent, we would like to provide you with the following information to give you an overview of these processing operations. To keep things fair, we additionally want to inform you about your rights pursuant to the EU-General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

We will inform you in detail about

I. General Information
II. Data Processing on our Website
III. Data Processing on our Social Media
IV. Further Data Processing

IOI Oleo GmbH is the controller of the data processing (hereinafter referred to as ‘we’ or ‘us’).

Latest update: July 2020

1. Contact
If you have any questions or feedback concerning this information or wish to contact us to exercise your rights, please send your enquiry to

IOI Oleo GmbH
Herrengraben 31, 20459 Hamburg, Germany
Tel.: +49 (0) 40 28 00 31 – 0
Email: info@ioioleo.de

2. Legal Basis
The legal term ‘personal data’ refers to all information relating to an identified or identifiable natural person.

We process personal data in compliance with the data protection regulations, in particular the GDPR and the BDSG. We solely process data based on law. We process personal data

  • solely with your consent (Art. 6 section 1 letter a) GDPR),
  • to perform a contract to which you are a party or to take steps at your request prior to entering into a contract (Art. 6 section 1 letter b) GDPR),
  • to comply with a legal obligation (Art. 6 section 1 letter c) GDPR) or
  • where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 section 1 letter f) GDPR).
    If you apply for an open position in our company, we will, additionally, process your personal data to decide on whether to hire you (section 26 para. 1 sentence 1 BDSG).

3. Period of Storage
In absence of an alternative provision ensuing from the following statements, we will only store your data for as long as required to achieve the intended processing purpose or to fulfil our contractual or statutory obligations.
Such statutory retention requirements, in particular, result from commercial or tax law. From the end of the calendar year in which the data has been collected we will store personal data used for accounting for ten years. Personal data contained in commercial letters and contracts will be stored for six years.
Apart from that, we will store personal data collected for the purpose of the performance of a contract, in particular data on complaints and requests, for a maximum of four years from the end of the procedure. Data stored for marketing purposes will be deleted when you object to processing for this purpose.

4. Recipients of Data
Unless otherwise stated in the following, the data is processed on the servers of service providers. For this, we commission processors. Processing activities conducted by the processors include e.g. hosting, maintenance and support of IT systems, customer and order management, order handling, accounting, marketing or shredding of files and data carrier destruction. Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors process data not for their own purposes but solely for the controller and are contractually obliged to implement appropriate technical and organizational measures ensuring data protection.
Apart from that, we transfer your data to postal and delivery services, our bank, tax consultants/auditors or the fiscal authority if necessary.
Should your data be transferred to further recipients, we will inform you via the respective processing activity.

5. Processing in the Exercise of your Rights pursuant to Art. 15 to 22 GDPR
If you exercise your rights pursuant to Art. 15 to 22 GDPR, we process the personal data transferred in order for us to grant you your rights and to acquire proof thereof. For the purpose of providing information and preparing such information, we will process the stored data only for this purpose as well as for purposes of data protection control and otherwise restrict processing in accordance with Art. 18 GDPR. These processing operations are based on Art. 6 section 1 letter c) GDPR in combination with Art. 15 to 22 GDPR and section 34 para. 2 BDSG.

6. Your rights
As the data subject, you are entitled to exercise your rights against us. In particular, you have the following rights:

  • Pursuant to Art. 15 GDPR and section 34 BDSG, you have the right of access to information confirming whether and, if so, to what extent we are processing personal data concerning you.
  • Pursuant to Art. 16 GDPR, you have the right to rectification of your data.
  • Pursuant to Art. 17 GDPR and section 35 BDSG, you have the right to erasure of your personal data.
  • Pursuant to Art. 18 GDPR, you have the right to require us to restrict the processing of your personal data.
  • Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and the right to transfer such data to another controller.
  • Where you have granted us specific consent to a processing activity, you can withdraw such consent at any time pursuant to Art. 7 section 3 GDPR. Any such withdrawal of consent shall not affect the lawfulness of processing based on that consent prior to its withdrawal.
  • If you are of the view that the processing of your personal data infringes GDPR provisions, you have the right to lodge a complaint with a supervisory authority pursuant to Art.77 GDPR.

7. Right to object
Pursuant to Art. 21 section 1 GDPR, you have the right to object to processing activities based on Art. 6 section 1 letter e) or letter f) GDPR on grounds relating to your particular situation. If we process your personal data for the purpose of direct marketing, you may object to such processing pursuant to Art. 21 section 2 and section 3 GDPR.

8. Data protection officer
You can contact our data protection officer via the following address: datenschutz@ioioleo.de

During use of our website, we collect information that you provide yourself. We also automatically collect certain information about your use of the site during your visit to the site. In data protection law, the IP address is also considered personal data. An IP address is assigned to each device connected to the internet by the internet provider so that it can send and receive data.

1. Processing of Server-Log-Files
When using our website for informative purposes only, general information that your browser transfers to our server is initially stored automatically (not via registration). This includes by default: browser type/-version, operating system used, page called, the previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. This processing serves the technical administration and security of the website. The data collected will be deleted after fourteen days unless there is a justified suspicion of illegal use based on concrete indications and further examination and processing of the information is necessary for this reason. We are unable to identify you as a data subject based on the information collected. Art. 15 to 22 GDPR therefore do not apply pursuant to Art. 11 section 2 GDPR, unless you provide additional information to enable your identification in order to exercise the rights set out in these articles.

2. Data Transfer to third countries
Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries where the DSGVO is not applicable law. Such a transfer shall be authorised if the European Commission has decided that an adequate level of data protection is ensured in such third country.
In the absence of such an adequacy decision by the European Commission, personal data will only be transferred to a third country if appropriate safeguards are in place in accordance with Art. 46 DSGVO or if one of the conditions of Art. 49 DSGVO is met.
Unless otherwise stated below, we use as appropriate safeguards the EU standard contractual clauses for the transfer of personal data to processors in third countries: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087.

3. Contact and requests
When you send us a message via our contact email address, we will process the transferred data in order to process the request.
We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.

4. Registration
In order to use certain functions on our website, registration via the website is required. The required information can be found in the input mask. For registration, we process the name and email address entered as well as a password freely chosen. Providing the information marked as mandatory is required to complete the registration. The data provided is processed for the purpose of performance. The legal basis for this is Art. 6 section 1 letter b) GDPR.

5. Applications
When you apply for a position at our company, we process your application data exclusively for purposes related to your interest in current or future employment with us and handling your application. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you a position, we will retain the data you provided for up to six months for the purpose of answering potential questions relating to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of presenting evidence or if you have expressly consented to longer storage.
Legal basis for the data processing is section 26 para. 1 BDSG. If we keep your applicant data for a period of six months and you have expressly consented to this, we would like to point out that this consent can be freely withdrawn at any time in accordance with Art. 7 section 3 GDPR. Such a revocation does not affect the lawfulness of processing based on the consent prior to its withdrawal.

6. Newsletter
On our website we offer the possibility to register for our newsletter. After the registration we will inform you regularly about the latest news about our offers. A valid e-mail address is required to register for the newsletter. To verify the e-mail address, you will first receive a registration e-mail, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your e-mail address and your name on the basis of the consent you have given. The processing is based on the legal basis of Art. 6 section 1 letter a) GDPR.
You can withdraw the consent you have given at any time with effect for the future, for example by clicking on the “unsubscribe” link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation. When registering for the newsletter, we also save the IP address and the date and time of registration. The processing of this data is necessary to prove that you have given your consent. The legal basis results from our legal obligation to document your consent (Art. 6 section 1 letter c), Art. 7 section 1 GDPR).
We also analyse the reading behaviour and opening rates of our newsletter. For this purpose, we collect and process pseudonymised usage data, which we do not combine with your e-mail address or IP address. The legal basis for the analysis of our newsletter is Art. 6 section 1 letter f) GDPR and the processing serves our legitimate interest in the optimisation of our newsletter. You can object to this at any time by contacting one of the contact channels mentioned above.
For the administration of the subscribers, the sending of the newsletter and the analysis, we use the CleverReach service of CleverReach GmbH & Co. KG (Mühlenstr. 43, 26180 Rastede, Germany). The CleverReach GmbH & Co. KG processes personal data as a processor only with our express instruction and is contractually obligated to guarantee sufficient technical and organizational measures for data protection. The data processing by CleverReach GmbH & Co. KG only takes place in data centers in the European Union.

7. Cookies
We use cookies and similar technologies on our website. Cookies are small text files that are stored by your browser when you visit a website. This makes the browser identifiable so it can be recognised by our web server. We use so-called ‘session cookies’, which are deleted when the browser session is ended. Other cookies (‘persistent cookies’) are automatically deleted after a specific period, which may vary depending on the cookie.

In part, the use of cookies is necessary to maintain functionality and operation of our website. Apart from that, we use cookies and similar technologies to measure the coverage of our website and analyse the use of our website.

Cookies are stored on the computer of the user. Therefore, you as the user have full control over the use of cookies. You can delete cookies in the security settings of your browser at any time. You can object to the use of cookies entirely or for certain cases in your browser settings. Further information from the Federal Office for Information Security is available at https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html.

You can find information on how we use cookies and similar technologies in the description of the specific processing activity.

8. Consent Management System
This website uses a Consent Management Banner of the provider Borlaps to control cookies. The Borlabs content banner enables users of our website to give their consent to certain data processing procedures or to revoke any consent given. In addition, Borlabs supports us in being able to provide proof of consent. For this purpose, Borlabs processes information on the declaration of consent and further protocol data on this declaration. Cookies are also used to collect this data.
The processing of these data is necessary to prove that consent has been given. The legal basis results from our legal obligation to document your consent (Art. 6 section 1 letter c), Art. 7 section 1 GDPR).

9. Analysis of our website with Google Analytics
In order to evaluate visits to our website, we use Google Analytics, a service provided by Google Ireland Limited (Ireland/EU). Google will use cookies to analyse your use of our website. During this process, personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about your interaction with our website will be collected. The information, aggregated through the cookie, will normally be transferred to Google’s servers in the USA and stored there. Google will use this information on our behalf, to analyse the use of our website, create reports about the general activity on our website and to provide us with further services in relation to the use of our website. During this process, the data can be used to build pseudonymous user profiles for single users.
We only use Google Analytic with activated IP address anonymisation. With this setting the user’s IP address will be shortened within the EU or the European Economic Area. The user’s full IP address will only be sent to Google’s servers in the USA and shortened there in exceptional cases. The user’s IP address provided by the user’s web browser will not be merged with other data stored by Google.
We use a product variant called Google Universal Analytics. This service enables us to connect data from multiple sessions and multiple devices under a unique User-ID. By using it, we can put single user interactions in a broader context and are able to analyse long term relationships.
User interaction data will be stored for a duration of 14 months and will be deleted automatically afterwards. The deletion process of data for which the storage period has passed will be performed automatically, once per month.
The setting of cookies and the processing of personal data described here, are conducted with your consent. Legal basis for the processing of personal data through Google Analytics is therefore Art. 6 section 1 letter a) GDPR. You can object to the storage of cookies by Google Analytics through editing the respective settings of your web browser. Furthermore, you can prevent the collection of aforementioned information with a browser plugin available through the following link: https://tools.google.com/dlpage/gaoptout. If you are visiting our website with a mobile device, you can disable Google Analytics by clicking this link. Please be advised, that we will document your consent, as we are required to do so by Art. 7 section 1 GDPR. Because we are required to do so by law, the legal basis for the storage is Art. 6 section 1 letter c) GDPR.

10. Integrated services and third-party content
We use services and content (collectively, “Content”) provided on our Website by third parties. For such an integration a processing of your IP address is necessary, so that the contents can be sent to your browser. Your IP address will therefore be transmitted to the respective third party providers. This data processing is carried out in order to safeguard our legitimate interests in the optimisation and economic operation of our website and finds its legal basis in Art. 6 section 1 letter f) GDPR. You can object to this data processing at any time by changing the settings of your browser or by using certain browser extensions. One such extension is the uMatrix matrix-based firewall for the Firefox and Google Chrome browsers. Please note that this may result in functional restrictions on the website.
We have incorporated into our website content from the following third-party services:
Services provided by Google Ireland Limited (Ireland/EU):

  • „Google-Maps“ to display maps
  • „Google Web Fonts“ to display fonts

We operate company pages on multiple social media platforms via which we offer further opportunities to obtain information about our company and for exchange. We operate company pages on the following social media platforms:

  • Instagram
  • Pinterest
  • Flickr
  • Tumblr

Visiting a company page on social media can result in your personal data being processed. The information in your social media account constitutes personal data. This also encompasses messages and statements made with the account. Additionally, certain information about your visit to a company page is often collected automatically during your visit.

1. Data Processing during the Visit of a Social Media Page
a. Instagram Page
Certain information about you is processed relating to your visit to our Instagram page on which we present our company or individual products. Facebook Ireland Ltd (Ireland/EU – ‘Facebook’) is the sole controller of this processing. Further information about the processing of personal data by Facebook is available via https://www.facebook.com/privacy/explanation.
Facebook provides the opportunity to object to certain processing activities; corresponding information and opt-out-methods are available via https://www.facebook.com/settings?tab=ads.

Facebook provides us with anonymised statistics and insights for our Instagram page, which enable us to gain knowledge about the ways in which people interact with our page (so called ‘insights’). These insights are created based on certain information about persons who have visited our page. Facebook and we are joint controllers of this processing. The processing serves our legitimate interest in evaluating the ways in which people interact with our page and improving our page based on this. This finds its legal basis in Art. 6 section 1 letter f) GDPR. It is impossible to match the information obtained via insights to individual accounts which interact with our Facebook page. We have concluded an agreement with Facebook on joint controllership in which the data protection duties are allocated between Facebook and us. Details of the processing of personal data for the creation of insights and of the agreement we concluded with Facebook are available via https://www.facebook.com/legal/terms/information_about_page_insights_data. Regarding these processing activities, you may also exercise your rights (see above ‘Your Rights’) against Facebook directly. Further information is available in Facebook’s privacy statement via https://www.facebook.com/privacy/explanation.

Please note that user data is also processed in the USA and other third countries according to Facebook’s data protection guidelines. Facebook only transfers user data to countries for which the European Commission has made an adequacy decision pursuant to Art. 45 GDPR or based on appropriate safeguards pursuant to Art. 46 GDPR. Facebook Inc. is certified under the EU-US Privacy Shield and, thus, provides an adequate level of data protection pursuant to Art. 45 GDPR (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

b. Pinterest
Generally, Pinterest Europe Ltd. is the sole controller of the processing of your personal data relating to your visit to our Pinterest account. Further information on the processing of personal data by Pinterest Europe Ltd. is available via https://policy.pinterest.com/de/privacy-policy.

c. Flickr
Generally, the Flickr, Inc. is the sole controller of the processing of your personal data relating to your visit to our Flickr profile. Further information on the processing of personal data by New Work SE is available via https://www.flickr.com/help/privacy.

d. Tumblr
Generally, Tumblr, Inc. is the sole controller of the processing of your personal data relating to your visit to our Tumblr blog. Further information on the processing of personal data by Tumblr, Inc. is available via https://www.tumblr.com/privacy/de.

2. Processing of Data you Share with us via our Company Pages
Additionally, we process information which you provide us with via the respective social media platform. Such information can include the username, contact details or a message to us. Generally, we only process this personal data if we have expressly requested you to share this data with us like, for example, in connection with a survey. We are the sole controller of such processing activities.

We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.
Additionally, we might process such data shared with us for purposes of evaluation or marketing. Such processing is based on Art. 6 section 1 letter f) GDPR and serve our legitimate interest to develop our product range and inform you about our product range. Further data processing can take place if you have consented (Art. 6 section 1 letter a) GDPR) or if this serves to fulfil a legal obligation (Art. 6 section 1 letter c) GDPR).

We use a software to operate our company pages. When users ask certain questions on one of our company pages which are determined in the software, the software displays the text as well as the username of the user. In the course of this, this data is transferred to the provider of the software. The text and the username will be deleted as soon as the request has been processed.

1. Contact via Email
If you send us a message via our contact email address, we will process the transferred data in order to process the request. We process this data in pursuit of our legitimate interest to reach out to persons submitting requests. The legal basis for this is Art. 6 section 1 letter f) GDPR.

2. Contractual relationship
In order to establish and execute the contractual relationship with our customers, suppliers and business partners it is regularly necessary to process the master, contract and payment data provided to us. If we process personal data of our contact persons at commercial customers, suppliers and business partners in the course of this, this happens in pursuit of our legitimate interests and is based on Art. 6 section 1 letter f) GDPR. In addition, we process customer and potential customer data for evaluation and marketing purposes. This processing takes place on the legal basis of Art. 6 section 1 letter f) GDPR and serves our interest in further developing our product range and informing you specifically about products by IOI Oleo GmbH. Further data processing can take place if you have consented (Art. 6 section 1 letter a) GDPR) or if this serves to fulfil a legal obligation (Art. 6 section 1 letter c) GDPR).

3. Use of the business e-mail address and telephone number for marketing purposes
We may use your e-mail address or telephone number provided during registration or ordering to inform you about our own similar products and services offered by us. In doing so, we pursue our legitimate interest in direct advertising for our products and services.

a. Use of the e-mail address for marketing purposes
The legal basis for the use of e-mail addresses for marketing purposes is Article 6 section 1 letter f) GDPR, § 7 para. 3 UWG. You can object to this use of the e-mail address at any time without incurring any costs other than the transmission costs according to the basic tariffs. To do so, you can contact us by e-mail at info@ioioleo.de or via any other of our stated contact channels. You can also object to the receipt of such e-mails directly by clicking on the unsubscribe link contained in each mailing.
For sending such marketing emails, we use the CleverReach service of CleverReach GmbH & Co. KG (Mühlenstr. 43, 26180 Rastede, Germany). The CleverReach GmbH & Co. KG processes personal data as a processor only with our express instruction and is contractually obligated to guarantee sufficient technical and organizational measures for data protection. The data processing by CleverReach GmbH & Co. KG only takes place in data centers in the European Union.

b. Use of the telephone number for marketing purposes
The legal basis for the use of telephone numbers for marketing purposes is Art. 6 section 1 letter f) GDPR, §7 para. 2 no. 2 UWG. You can object to this use of your e-mail address at any time without incurring any costs other than the transmission costs according to the basic tariffs. For this purpose, you can contact us by e-mail at info@ioioleo.de or via any other of our stated contact channels.