Thank you for your interest in our company. Data protection is of a particularly high priority for the management of XPOLI GmbH. For this reason, we provide information here not only about the handling of personal data on this website, but also generally in our company.
The use of the Internet pages of the XPOLI GmbH is possible without any indication of personal data. However, if a data subject wants to use special services of our enterprise via our website, processing of personal data could become necessary. If processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain the consent of the data subject.
In the following, we inform you about.
We would like to point out that data transmission on the Internet (e.g., communication by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.
The responsible party within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
Untere Seelach 8 a
hereinafter referred to as "XPOLI GmbH"
T: +49 911 954 232-0
The data protection officer of the responsible party is:
Personal data is information that can be used to identify a person, i.e., information that can be traced back to a person. This includes the name, email address or telephone number. But also, data about preferences, hobbies, memberships, or which websites were viewed by someone count as personal data.
As a matter of principle, we collect and use personal data of our customers only to the extent that this is necessary within the scope of our activities. The collection and use of our customers' personal data is only carried out based on a legal authorisation, contracts or after the customer's consent.
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 (1) lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) c GDPR serves as the legal basis. If vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) (d) GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) f GDPR serves as the legal basis for the processing.
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires unless there is a need to continue storing the data for the conclusion or performance of a contract.
In addition, personal data may be stored for the time during which claims can be asserted against us (statutory limitation period of three or up to thirty years).
We use commissioned service providers for individual processing operations. This includes, for example, hosting, maintenance and support of IT systems, marketing measures or file and data carrier destruction. These service providers only process the data according to explicit instructions and are contractually obliged to guarantee appropriate technical and organisational measures for data protection. In addition, we may transmit personal data of our customers to bodies such as postal and delivery services, house bank, tax advisor/auditor or the tax authorities.
If you exercise your rights in accordance with Articles 15 to 22 of the GDPR, we process the personal data provided for the purpose of implementing these rights by us and to be able to provide evidence of this. For the purpose of providing information and its preparation, we will process stored data only for this purpose and for data protection control purposes and otherwise restrict processing in accordance with Art. 18 GDPR.
These processing operations are based on the legal basis of Art. 6 (1) c) GDPR in conjunction with Art. 15 to 22 GDPR. Art. 15 to 22 GDPR and § 34 para. 2 BDSG. We inform you in detail about your rights at the end of this data protection declaration.
To establish or implement the contractual relationship with our customers, it is regularly necessary to process the personal master, contract and payment data provided to us. The legal basis for this processing is Art. 6 para. 1 lit. b) GDPR. We also process customer and prospect data for evaluation and marketing purposes. This processing is carried out on the legal basis of Art. 6 para. 1 lit. f) GDPR and serves our interest in further developing our offer and informing you specifically about offers of XPOLI GmbH. Further data processing may take place if you have consented (Art. 6 para. 1 lit. a) GDPR) or if this serves the fulfilment of a legal obligation (Art. 6 para. 1 lit. c) GDPR).
If you apply to our company, we will process your application data exclusively for purposes that are related to your interest in a current or future employment with us and the processing of your application. Your application will only be processed and noted by the relevant contacts at our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you employment, we will retain the data you have provided for up to four months after any rejection for the purpose of answering questions relating to your application and rejection. This does not apply if legal provisions prevent deletion if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage. The legal basis for data processing is 26 para. 1 p. 1 BDSG. If we store your applicant data for longer than four months and you have expressly consented to this, we would like to point out that this consent can be freely revoked at any time in accordance with Art. 7 Para. 3 GDPR. Such a revocation does not affect the lawfulness of the processing that was carried out on the basis of the consent until the revocation.
During our activities as a company, we also rely on external assistance such as IT service providers for the provision and maintenance of our hardware and software or other service personnel. During this involvement, our external service providers may also become aware of personal data, which is why we oblige our external service providers to maintain confidentiality and data secrecy and limit their access to personal data to a minimum. Supervisory authorities also regularly inspect companies and have access to personal data in the process.
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
(1) Information about the type of browser and the version used.
(2) The user's operating system
(3) The user's Internet service provider
(4) The user's IP address (shortened)
(5) Date and time of access
(6) Websites from which the user's system accesses our website
(7) Success or error during loading
This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR.
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. They also serve security. For this purpose, the user's IP address must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes are also our legitimate interest in data processing according to Art. 6 Para. 1 lit. f GDPR.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
In the case of storage of data in log files, this is the case after 14 days at the latest. Back-up files are deleted after four weeks. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
The collection of data for the provision of the website and the storage of the data in log files is necessary for the operation of the website. Consequently, there is no possibility for the user to object.
We do not have a cookie banner - and we don't need one! In accordance with our company strategy, we not only take data protection seriously, but also minimise data collection as far as possible. Therefore, we only use functional cookies that are necessary for the technical support of the website. Nevertheless, we are happy to inform you.
Some of the web pages use so-called cookies. Cookies do not cause any damage to your computer and do not contain viruses. Cookies are generally used to make offers more user-friendly, effective, and secure.
A cookie is a piece of information (data record or information snippet) that is stored on your end device (smartphone, notebook, tablet, desktop PC, etc.). More precisely, a cookie consists of a pair of data, a key, and a value. It contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. A cookie is managed by the browser in the user's terminal device and is thus stored there. In the process, a cookie is not necessarily located in a file, but is often even stored together with other cookies via several files (often not text files!) are stored in a distributed manner.
Each browser decides for itself how cookies are stored. Both the Firefox browser from Mozilla and Google Chrome store cookies in a database under Windows. Only in the past was it common to store each individual cookie in a separate text file.
Every website uses so-called "session cookies". They are automatically deleted at the end of your visit. Other cookies remain stored on your terminal device until you delete them. These cookies enable the website provider to recognise your browser the next time you visit. The user data collected in this way is usually pseudonymised by technical precautions. Therefore, it is no longer possible to assign the data to the calling user.
Generally, a distinction is made between two types:
Web browser cookies
A web browser cookie is a small text file that is sent from a website to your computer or mobile device, where it is stored by your web browser. Web browser cookies can store information such as your IP address or other identifier, your browser type and information about the content you view and interact with on the Digital Services. By storing such information, web browser cookies can store your preferences and settings for online services and analyse how you use online services. This would be like abandoning anonymisation in our tracking technology and, for example, pairing credit card information with a visitor to a supermarket to link the receipt with tracking data. However, it is precisely these Big Data analyses that cannot be carried out with our software.
Tracking technologies: Web beacons/gifs, pixels, page tags, script.
Emails and mobile apps may contain small, transparent image files or lines of code to record how you interact with them. This information is used to help website and app publishers better analyse and improve their services.
Further information on this is available from the German Federal Office for Information Security.
We do not need the legal basis because we do not collect any data. If we did, however, the processing of personal data using technically necessary cookies would be our legitimate interest under Art. 6 (1) lit. f GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 para. 1 lit. a GDPR if the user has given his or her consent in this regard.
The user data collected through technically necessary cookies are not used to create user profiles. There is also no use of so-called analysis cookies.
Since we do not evaluate your visit data and do not store any data, we make it easier for you to visit our website. There is no opting out of cookies.
In general, however, you can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general, and activate the automatic deletion of cookies when closing the browser.
When you subscribe to a newsletter, there are two options.
Once you have confirmed your registration for the newsletter, you will receive interesting information at irregular intervals at the e-mail address you have entered, which is relevant to this website. You can unsubscribe from the newsletter by sending us an informal e-mail, for example to the e-mail address given in the imprint or to the address where you asked to receive a newsletter, or by clicking on an unsubscribe link in the newsletter (you will then be taken to a page where you can confirm your subscription cancellation).
We will not share your email address or any other information you provide with any third party without your permission, unless there is another legal basis for doing so.
Alternatively, you can contact us via the e-mail address provided on the contact page in the "Imprint" section. In this case, the user's personal data provided with the e-mail and in the attachments will be stored. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the respective enquiry.
The legal basis for the processing of the data is, in the event of the existence of a consent of the user Art. 6 para. 1 lit. a GDPR.
The legal basis for the processing of data transmitted while sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. 3.
The processing of the personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We will not pass on this data without your consent.
The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. All personal data stored while contacting us will be deleted in this case.
Social media or a social network is a social meeting place operated on the Internet, an online community that generally enables users to communicate with each other and interact in virtual space. A social network can serve as a platform for exchanging opinions and experiences or enables the internet community to provide personal or company-related information. Facebook, for example, allows social network users to, among other things, create private profiles, upload photos and network via friend requests.
Through this, we would like to offer further opportunities for information about the respective activities of XPOLI and for exchange. We are currently present on the following social media platforms:
When you visit or interact with a profile on a social media platform, personal data about you may be processed. Information associated with a social media profile used also regularly constitutes personal data. This also covers messages and statements made while using the profile. In addition, during your visit to a social media profile often automatically collects certain information about it, which may also constitute personal data.
We would like to explain this process in a little more detail here.
We use social media plug-ins on our platform to connect users via social media as well. If the data subject is logged in to a social media service while using the platform, the service usually recognises which specific sub-page the data subject is visiting each time the platform is called up and for the entire duration of the stay on it. This information is collected by the corresponding plug-in and assigned to the personal account of the data subject by the respective social network. If the data subject activates a button of a social network (Twitter, Facebook, Instagram, etc.) integrated on the platform, the data and information thus transmitted will be assigned to the data subject's personal user account with the respective social network and stored and processed there.
A data subject who does not wish this to happen can log out of his or her social networks before visiting the platform. However, most plug-ins also transmit data to their social network in this case, but this data is then not directly assigned to a user profile.
When you visit our Facebook or Instagram page, through which we present our company or individual products from our range, certain information about you is processed.
The sole controller of this processing of personal data is Meta Platforms Ireland Limited (Ireland/EU - "Meta"). For more information about Meta's processing of personal data, please visit https://www.facebook.com/privacy/explanation.
Meta offers the possibility to object to certain data processing; information and opt-out options in this regard can be found at https://www.facebook.com/settings?tab=ads.
Meta provides us with anonymised statistics and insights for our Facebook and Instagram page, which help us gain knowledge about the types of actions people take on our page (so-called "page insights"). These page insights are created based on certain information about individuals who have visited our page. This processing of personal data is carried out by Meta and us as joint controllers. The processing serves our legitimate interest to evaluate the types of actions taken on our site and to improve our site based on these insights. The legal basis for this processing is Art. 6 (1) (f) GDPR. We cannot attribute the information obtained via Page Insights to individual Facebook profiles that interact with our Facebook page. We have entered into a joint controller agreement with Meta which sets out the allocation of data protection obligations between us and Meta. Details of the
You can find out more about the processing of personal data for the creation of site insights and the agreement concluded between us and Meta at https://www.facebook.com/legal/terms/information_about_page_insights_data.
Please note that according to the Meta data protection regulations, user data is also processed in the USA or other third countries. Meta only transfers user data to countries for which an adequacy decision has been issued by the European Commission in accordance with Art. 45 GDPR or based on appropriate guarantees in accordance with Art. 46 GDPR.
Data processing and data protection in the USA do not meet the standard of the GDPR. The services are subject to US law and may therefore be obliged to hand over data to US authorities or intelligence services if legal requirements are met. Risks for you exist due to the more difficult enforcement of the law, the lack of control when processing or passing on the data and the aforementioned access by state authorities.
We also process information that you have provided to us via our company page on the respective social media platform. Such information may be the username used, contact details or a message to us. We regularly process this personal data only if we have previously expressly requested you to provide us with this data. These processing operations are carried out by us as the sole data controller. We process this data based on our legitimate interest in contacting persons making enquiries. The legal basis for the data processing is Art. 6 (1) (f) GDPR.
In addition, we may process such data for evaluation and marketing purposes. This processing is carried out on the legal basis of Art. 6 Para. 1 Letter f) GDPR and serves our interest in further developing our range of products and informing you specifically about XPOLI. Further data processing may take place if you have consented (Art. 6 Para. 1 Letter a) GDPR) or if this serves the fulfilment of a legal obligation (Art. 6 Para. 1 Letter c) GDPR).
This site uses SSL encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.
If SSL encryption is activated, the data you transmit to us cannot be read by third parties.
We use technical and organisational security measures in order to protect the data that is you provide to our company from accidental or intentional manipulation, loss, destruction or access by unauthorised persons. Our security measures are continuously improved in line with technological developments. If you have any further questions about the processing of your personal data or about data protection, please contact the above-mentioned data protection officer.
If your personal data is processed, you are a data subject within the meaning of the Data Protection Regulation and you have the following rights vis-à-vis the data controller:
You may request confirmation from the controller as to whether personal data concerning you is being processed by us.
If there is such processing, you may request information from the controller about the following:
(1) the purposes for which the personal data are processed.
(2) the categories of personal data which are processed.
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed.
(4) the envisaged duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period.
(5) the existence of a right to rectify or erase personal data concerning you, a right to have processing restricted by the controller or a right to object to such processing.
(6) the existence of a right of appeal to a supervisory authority.
(7) any available information on the origin of the data, if the personal data are not collected from the data subject.
(8) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information on whether personal data concerning you are transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.
You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller must make the rectification without undue delay.
You may request the restriction of the processing of personal data concerning you under the following conditions:
(1) if you object to the accuracy of the personal data concerning you for a period of
the processing is unlawful, and you object to the erasure of the personal data and request instead the restriction of the use of the personal data.
(2) the processing is unlawful, and you object to the erasure of the personal data and request instead the restriction of the use of the personal data.
(3) the controller no longer needs the personal data for the purposes of the processing, but you need it for the establishment, practice, or defence of legal claims; or
(4) if you have objected to the processing in accordance with Article 21(1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller outweigh your grounds.
Where the processing of personal data relating to you has been restricted, such data may - apart from being stored - only be processed with your consent or for the establishment, practice, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
You may request the controller to erase the personal data concerning you without undue delay and the controller is obliged to erase such data without undue delay if one of the following reasons applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing was based pursuant to Art. 6 (1)a or Art. 9 (2) a GDPR and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) The personal data concerning you have been processed unlawfully.
(5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
(6) The personal data concerning you have been collected in relation to information society services offered pursuant to Article 8(1) GDPR.
If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to, or copies or replications of, that personal data.
The right to erasure does not apply insofar as the processing is necessary for
(1) for the exercise of the right to freedom of expression and information.
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(3) for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
(5) to assert, practice or defend legal claims.
(6) Right to information
If you have asserted the right to rectification, erasure, or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common, and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that.
(1) the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR and
(2) the processing is carried out with the help of automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data relating to you unless it can demonstrate compelling legitimate grounds for the processing which are
Your interests, rights and freedoms are overridden, or the processing serves the assertion, practice, or defence of legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling, insofar as it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the lawfulness of the processing carried out based on the consent until the revocation.
You have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects vis-à-vis you or similarly significantly affects you. This does not apply if the decision.
(1) is necessary for the conclusion or performance of a contract between you and the controller,
(2) is permissible on the basis of legal provisions of the Union or the Member States to which the controller is subject, and these legal provisions contain appropriate measures to safeguard your rights and freedoms as well as your legitimate interests; or
(3) is made with your express consent.
However, these decisions may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
Regarding the cases referred to in (1) and (3), the controller shall take reasonable steps to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.
Last modifications: 16.02.2023