REBO Lighting & Electronics GmbH
§ 1 Introduction and Scope
(1) The following information provides you, as a data subject, with an overview of how we process your personal data and of your rights under the applicable data protection laws.
(2) This Privacy Notice applies to the processing of personal data in connection with accessing and using our website at www.rebo-group.de (including its subpages and the English-language version at www.rebo-group.de/en). Separate information pursuant to Articles 13 and 14 GDPR is available upon request for the processing of personal data outside the website (e.g., in connection with business relationships, procurement, sales, or human resources administration).
(3) The processing of personal data is always carried out in compliance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG), and any other applicable statutory provisions.
(4) As a general rule, our website may be used without providing personal data. To the extent we collect personal data in order to provide specific functions or services, such collection is always based on a legal basis identified in this Privacy Notice.
§ 2 Controller
The controller within the meaning of Article 4(7) GDPR is:
REBO Lighting & Electronics GmbH
Vor dem Melmen 8-10
99817 Eisenach
Germany
Managing Director authorized to represent the company:
Jiawei Huang
Telephone: +49 (0) 36920 87-0
Fax: +49 (0) 36920 87-102
Email: service@rebo-group.de
Website: www.rebo-group.de
§ 3 Data Protection Officer
Our appointed Data Protection Officer can be contacted as follows:
REBO Lighting & Electronics GmbH
-- Data Protection Officer --
Vor dem Melmen 8-10
99817 Eisenach
Germany
Telephone: +49 173 49 27 525
Email: datenschutz@rebo-group.de
You may contact our Data Protection Officer directly at any time, in particular to exercise your data subject rights (Section 18) or to submit suggestions relating to data protection.
§ 4 Definitions
This Privacy Notice is based on the definitions set out in Article 4 GDPR. In particular, the following terms are relevant:
- personal data (Article 4(1) GDPR)
- processing (Article 4(2) GDPR)
- restriction of processing (Article 4(3) GDPR)
- profiling (Article 4(4) GDPR)
- pseudonymization (Article 4(5) GDPR)
- controller (Article 4(7) GDPR)
- processor (Article 4(8) GDPR)
- recipient (Article 4(9) GDPR)
- third party (Article 4(10) GDPR)
- consent (Article 4(11) GDPR)
- data subject – any identified or identifiable natural person whose personal data is processed by the controller
For readability, the full statutory definitions are not reproduced here. The definitions are available at https://eur-lex.europa.eu/eli/reg/2016/679.
§ 5 Legal Bases for Processing
Where we obtain the data subject’s consent for processing operations involving personal data, Article 6(1), first subparagraph, lit. a GDPR (and, where applicable, Article 9(2)(a) GDPR) serves as the legal basis.
Where the processing of personal data is necessary for the performance of a contract or for the implementation of pre-contractual measures, Article 6(1), first subparagraph, lit. b GDPR serves as the legal basis.
Where the processing of personal data is necessary to comply with a legal obligation to which our company is subject (e.g., retention obligations under tax and commercial law pursuant to Section 147 of the German Fiscal Code (AO) and Section 257 of the German Commercial Code (HGB)), Article 6(1), first subparagraph, lit. c GDPR serves as the legal basis.
Where processing of personal data is necessary in order to protect the vital interests of the data subject or of another natural person, Article 6(1), first subparagraph, lit. d GDPR serves as the legal basis.
Where processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1), first subparagraph, lit. f GDPR serves as the legal basis.
For processing in the employment context and in connection with job applications, Section 26 BDSG also applies. For reports submitted under the German Whistleblower Protection Act (HinSchG), Sections 8 et seq. HinSchG also apply.
In addition, Section 25 TDDDG applies to the storage of information on the end user’s terminal equipment or access to information already stored on such terminal equipment.
§ 6 Hosting and Provision of the Website
(1) Our website is hosted on the platform of Wix.com Ltd.
Wix Online Platform Limited
1 Grant's Row, Dublin 2 D02HX96
Ireland
(2) Wix provides the technical infrastructure through which our website is delivered. This includes, in particular, the processing of IP addresses and technical connection data for the purpose of delivering the website content.
(3) We have entered into a data processing agreement with Wix in accordance with Article 28 GDPR.
(4) The legal basis for the use of Wix is Article 6(1), first subparagraph, lit. f GDPR. Our legitimate interest lies in the secure, stable, and economically reasonable provision of the website.
(5) For Israel, the European Commission has adopted an adequacy decision pursuant to Article 45 GDPR (Decision 2011/61/EU). To the extent that data is transferred to the United States in the course of services provided by Wix, such transfer is based on the Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR or, where the U.S. recipient is certified under the EU-U.S. Data Privacy Framework, on the European Commission’s adequacy decision of July 10, 2023 (Implementing Decision (EU) 2023/1795, Article 45 GDPR). Further information is provided in Section 15.
(6) Further information on data protection at Wix is available at https://www.wix.com/about/privacy.
§ 7 Data Collection When Visiting the Website
(1) Each time our website is accessed, our hosting service provider automatically collects information transmitted by your browser to the server. This information is temporarily stored in so-called server log files. In particular, the following data is collected without any action on your part and stored until it is automatically deleted:
- IP address of the requesting end device (shortened/anonymized)
- date and time of access
- name and URL of the retrieved file
- website from which access is made (referrer URL)
- browser used and, where applicable, the operating system of your end device
- name of your internet service provider
(2) This data is processed for the following purposes:
- ensuring a smooth connection to the website,
- ensuring convenient use of our website,
- evaluating system security and stability,
- defending against attacks and supporting criminal prosecution in the event of cyberattacks.
(3) The legal basis is Article 6(1), first subparagraph, lit. f GDPR. Our legitimate interest follows from the purposes listed in paragraph 2.
(4) Server log file data is automatically deleted no later than 30 days after collection, unless it must be retained for a longer period due to compelling security or evidentiary reasons until a security incident has been fully resolved.
(5) The log data is not combined with other data sources. We do not use this data to draw conclusions about your identity.
§ 8 Cookies and Comparable Technologies on End Devices
§ 8.1 Current Configuration of Our Website
(1) At present, our website stores on your end device, or accesses from your end device, only information that is strictly technically necessary for providing the digital service you have expressly requested (Section 25(2) no. 2 TDDDG). No consent is required for this.
(2) This technically necessary information includes, in particular, session information required to maintain your session during your visit, as well as information that is strictly necessary for the functionality of our hosting service provider’s platform.
(3) Analytics, marketing, or tracking cookies, as well as comparable technologies (e.g., pixels, fingerprinting, third-party SDKs), are currently NOT used.
(4) Third-party services (e.g., web analytics services, social media plug-ins, embedded videos, external fonts, chatbots) are currently NOT integrated.
§ 8.2 Notice Regarding Future Use
If, in the future, we use cookies, comparable technologies, or third-party services beyond the current configuration, we will, before activating them:
a) update and supplement this Privacy Notice accordingly,
b) integrate a consent management system (CMP) through which you can provide, manage, and withdraw your consent at any time with effect for the future, and
c) begin the relevant processing only after obtaining your express consent within the meaning of Section 25(1) TDDDG in conjunction with Article 6(1), first subparagraph, lit. a GDPR.
§ 9 Contacting Us and Contact Form
(1) Our website provides the option to contact us by email or through the contact channels made available on the "Contact" subpage.
(2) If you contact us, we process at least the following data:
a. name,
b. email address,
c. company affiliation (if provided),
d. subject matter and content of your message,
e. date and time of the contact request,
f. any other information you choose to provide voluntarily.
(3) Processing is carried out solely for the purpose of handling your inquiry and the related technical administration. The legal basis is:
a) Article 6(1), first subparagraph, lit. b GDPR, to the extent your inquiry is aimed at entering into or performing a contract,
b) otherwise, Article 6(1), first subparagraph, lit. f GDPR. Our legitimate interest lies in the timely and substantively accurate handling of your request.
(4) Depending on the content of your inquiry, it will be forwarded internally to the responsible department (including, among others, Sales, Purchasing, Quality, Human Resources, and Integrated Management). Your data will not be disclosed to third parties outside our company unless this is strictly necessary to respond to your inquiry.
(5) Your data will be deleted as soon as it is no longer necessary for achieving the purpose of the processing. This is generally the case when the circumstances indicate that the matter in question has been conclusively resolved. Where statutory retention obligations apply (in particular under Section 147 AO and Section 257 HGB; generally six or ten years, respectively), the data will be retained for the duration of those obligations and deleted thereafter.
§ 10 Applications and Applicant Management
(1) If you apply to us for an advertised position, an apprenticeship position, or on an unsolicited basis, we process the personal data you submit in connection with your application.
(2) Categories of data processed:
a. master data (name, address, contact details, date of birth),
b. qualification and background data (cover letter, résumé/CV, references, certificates, records of education and training),
c. photograph, if voluntarily provided by you,
d. any other information you choose to provide voluntarily.
(3) Purposes of processing:
a. conducting and administering the application process,
b. communicating with you during the application process,
c. establishing the employment relationship if you receive and accept an offer,
d. complying with legal obligations, in particular under the German General Equal Treatment Act (AGG),
e. protecting our legitimate interests, in particular in connection with legal defense.
(4) The legal bases are Section 26(1) BDSG in conjunction with Article 88 GDPR (for the establishment, performance, and termination of an employment relationship), Article 6(1), first subparagraph, lit. b GDPR (taking steps prior to entering into and performing a contractual relationship), Article 6(1), first subparagraph, lit. c GDPR in conjunction with the AGG, and Article 6(1), first subparagraph, lit. f GDPR for the protection of our legitimate interests. To the extent you voluntarily provide us with health data or other special categories of personal data within the meaning of Article 9(1) GDPR, the legal basis is Article 9(2)(b) GDPR in conjunction with Section 26(3) BDSG.
(5) Retention period:
a. If you are not hired, we will delete your application documents no later than six months after completion of the application process. This period is based on the two-month period for asserting claims under Section 15(4) AGG, plus an appropriate buffer for postal delivery and potential legal disputes.
b. If you are hired, your application documents will be added to your personnel file and further processed in accordance with the rules applicable thereto; you will receive separate information pursuant to Article 13 GDPR.
c. You may, however, expressly consent to a longer retention period (e.g., for inclusion in an applicant pool). You may withdraw your consent at any time with effect for the future.
§ 11 Whistleblowing System
(1) Our company operates an internal reporting system (whistleblowing system) in accordance with Sections 12 et seq. of the German Whistleblower Protection Act (HinSchG). This system may be used to report violations within the meaning of Section 2 HinSchG.
(2) Data processed:
a. the content of the report, including any attachments,
b. if provided by you: name, contact details, function, employment relationship; anonymous reports are possible,
c. data relating to affected persons and third parties, to the extent such data must necessarily be processed in connection with the report or the investigation,
d. log data for documentation and follow-up purposes in relation to the report.
(3) Purposes of processing:
a. receiving and handling the report,
b. conducting internal investigations,
c. taking follow-up measures pursuant to Section 18 HinSchG,
d. documentation pursuant to Section 11 HinSchG,
e. protecting the whistleblower, including protection against retaliation pursuant to Section 36 HinSchG.
(4) The legal basis is Article 6(1), first subparagraph, lit. c GDPR in conjunction with Sections 10 and 11 HinSchG (legal obligation to establish and operate an internal reporting office), supplemented by Article 6(1), first subparagraph, lit. f GDPR (legitimate interest in investigating and remedying violations).
(5) Confidentiality: The identity of the whistleblower, as well as the identity of affected persons and other persons named in the report, will be treated in strict confidence (Section 8 HinSchG). Access to the reports is restricted exclusively to the persons entrusted with handling them within the internal reporting office.
(6) Retention period: Reports and related documentation will be deleted three years after the conclusion of the procedure, unless a longer retention period is required in order to comply with legal obligations or to defend against legal claims (Section 11(5) HinSchG).
(7) The whistleblowing system is technically operated by an external service provider, Inproma Internet Software und Projektmanagement GmbH, located at Am Hofe 10, 42349 Wuppertal. Commercial Register: HRB 10244, register court: Local Court of Wuppertal. Further information is available at https://inproma.de/.
§ 12 Social Media Presence
(1) We maintain profiles or pages on social networks in order to communicate with persons registered there and to provide information about our services.
(2) Please note that personal data may therefore also be processed outside the European Economic Area. This may result in risks for users because enforcement of users’ rights may be more difficult. With regard to U.S. providers certified under the EU-U.S. Data Privacy Framework, these risks are reduced to a certain extent.
(3) The processing activities carried out by the platform operators are largely beyond our control. In particular, the operators create usage profiles regardless of whether a user has an account. We recommend reviewing the privacy notices of the respective providers before using those platforms. With regard to processing activities on the platforms for which we and the operators are jointly responsible, joint controller arrangements pursuant to Article 26 GDPR are in place.
§ 13 Recipients of Personal Data
(1) Your personal data will not be transferred to third parties for purposes other than those stated in this Privacy Notice.
(2) We disclose your personal data to third parties only if:
- you have given your express consent pursuant to Article 6(1), first subparagraph, lit. a GDPR,
- the disclosure is necessary for the performance of contractual relationships with you pursuant to Article 6(1), first subparagraph, lit. b GDPR,
- there is a legal obligation to disclose the data pursuant to Article 6(1), first subparagraph, lit. c GDPR (e.g., to tax authorities, customs authorities, or law enforcement authorities), or
- the disclosure is permitted pursuant to Article 6(1), first subparagraph, lit. f GDPR for the establishment, exercise, or defense of legal claims.
(3) Categories of recipients may include, in particular:
- IT service providers (hosting, email, applicant management, ticketing),
- licensed professionals and advisors (attorneys, tax advisors, auditors, data protection consultants),
- affiliated companies within the BoAo group of companies,
- customers, suppliers, and other business partners, to the extent necessary for the performance of the business relationship,
- banks and payment service providers,
- authorities, courts, and other public bodies.
(4) Processors within the meaning of Article 28 GDPR are contractually obligated to process your data solely on our instructions and in compliance with the GDPR.
§ 14 Transfers to Third Countries
(1) Personal data is transferred to a country outside the European Economic Area (EEA) only where there is a valid legal basis for doing so under Chapter V GDPR.
(2) In particular, we rely on the following transfer mechanisms:
- adequacy decisions of the European Commission pursuant to Article 45 GDPR (including, among others, for the United States under the EU-U.S. Data Privacy Framework – Implementing Decision (EU) 2023/1795, as well as for the United Kingdom, Switzerland, and Israel),
- Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR (Implementing Decision (EU) 2021/914), supplemented by a Transfer Impact Assessment (TIA) and, where necessary, additional technical, organizational, or contractual safeguards within the meaning of EDPB Recommendations 01/2020,
- binding corporate rules pursuant to Article 47 GDPR, where applicable,
- derogations for specific situations pursuant to Article 49 GDPR (on an exceptional basis only).
(3) Upon request, you may obtain a copy of the relevant safeguards from our Data Protection Officer (Section 3).
§ 15 Retention and Deletion
(1) We store your personal data only for as long as necessary for the respective processing purposes or as long as statutory retention obligations apply.
(2) Once the purpose no longer applies, your personal data will be routinely restricted or deleted in accordance with the applicable legal requirements.
(3) The following statutory retention periods are particularly relevant:
- 10 years for accounting records pursuant to Section 147(3) in conjunction with Section 147(1) AO, and Section 257(4) in conjunction with Section 257(1) nos. 1, 4, and 4a HGB,
- 8 years for commercial or business correspondence pursuant to Section 257(4) in conjunction with Section 257(1) nos. 2 and 3 HGB, and Section 147(3) AO (subject to the reduction to six years where such records originated before January 1, 2025).
(4) Information on the specific retention periods applicable in each case can be found in the individual processing activities (Sections 7, 9, 10, and 11).
§ 16 Rights of Data Subjects
You have the following rights in accordance with the applicable statutory provisions. To exercise your rights, please use the contact channels listed in Section 2 or contact our Data Protection Officer directly (Section 3).
§ 16.1 Right to Confirmation
You have the right to request confirmation from us as to whether personal data concerning you is being processed.
§ 16.2 Right of Access (Article 15 GDPR)
You have the right to obtain from us, free of charge, information about the personal data stored about you and a copy of such data.
§ 16.3 Right to Rectification (Article 16 GDPR)
You have the right to request the rectification of inaccurate personal data concerning you and the completion of incomplete data.
§ 16.4 Right to Erasure (Article 17 GDPR)
You have the right to request that we erase personal data concerning you without undue delay, provided that one of the grounds set out in Article 17(1) GDPR applies and the processing is not necessary.
§ 16.5 Right to Restriction of Processing (Article 18 GDPR)
You have the right to request restriction of processing where one of the conditions set out in Article 18(1) GDPR is met.
§ 16.6 Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and, where technically feasible, to request that it be transmitted to another controller, provided that the processing is based on consent (Article 6(1), first subparagraph, lit. a GDPR or Article 9(2)(a) GDPR) or on a contract (Article 6(1), first subparagraph, lit. b GDPR) and is carried out by automated means.
§ 16.7 Right to Object (Article 21 GDPR)
You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you where such processing is based on Article 6(1), first subparagraph, lit. e or lit. f GDPR. This also applies to profiling based on those provisions. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defense of legal claims.
§ 16.8 Withdrawal of Data Protection Consent
You have the right to withdraw any consent given for the processing of personal data at any time with effect for the future. The lawfulness of the processing carried out on the basis of the consent before its withdrawal remains unaffected.
§ 17 Right to Lodge a Complaint with a Supervisory Authority
(1) Pursuant to Article 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority concerning our processing of your personal data.
(2) The supervisory authority competent for us is:
Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI)
Häßlerstraße 8
99096 Erfurt
Germany
Telephone: +49 (0) 361 57 3112900
Fax: +49 (0) 361 57 3112904
Email: poststelle@datenschutz.thueringen.de
Website: https://www.tlfdi.de
(3) Irrespective of the above, you may also contact another data protection supervisory authority, for example in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
§ 18 No Automated Individual Decision-Making
No decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you is made in connection with this website (Article 22 GDPR).
§ 19 Protection of Minors
Our website is not directed at children or adolescents under the age of 16. We do not knowingly collect personal data from children or adolescents under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it without undue delay.
§ 20 Data Security
(1) We implement appropriate technical and organizational measures within the meaning of Article 32 GDPR to ensure a level of security appropriate to the risk. These measures include, in particular:
a. encryption of data transmission using TLS/SSL,
b. a role-based and need-based authorization concept,
c. training for our employees and confidentiality obligations imposed on them,
d. regular review, assessment, and updating of security measures.
(2) Despite these measures, data transmissions over the Internet (e.g., communication by email) may have security vulnerabilities. Complete protection of data against access by third parties is not possible. You are therefore free to transmit personal data to us by alternative means, such as by telephone or post.
§ 21 Currency and Amendments to this Privacy Notice
(1) This Privacy Notice reflects the version status stated above.
(2) Changes to this Privacy Notice may become necessary as a result of the further development of our website and the services offered through it, or due to changes in legal or regulatory requirements.
(3) The current version of this Privacy Notice can be accessed and printed at any time on our website at https://www.rebo-group.de/datenschutzhinweise (German) and https://www.rebo-group.de/en/datenschutzhinweise (English).
