Privacy Policy

1. Preamble

We are very pleased that you are interested in our company. Data protection is a particularly high priority for the management of Behälter K.G. Bremen GmbH. You can use our website without disclosing any personal data to us. However, if you wish to use special services via our website, we may need to process your personal data. Where we wish to process data about you and cannot rely on any other legal basis, we will always ask for your consent first (e.g. via our cookie banner).

When handling your personal data (such as name, address, email or telephone number), we always comply with the applicable data protection laws. With this privacy policy, we inform you about what data we process, for what purposes and on what legal basis. You will also learn about your rights as a data subject.

We have taken technical and organisational measures to protect your data as effectively as possible. Nevertheless, there are always residual risks on the internet, and complete protection is not possible. You may therefore also transmit your personal data to us by other means, for example by telephone.

This privacy policy serves to fulfil our obligations under the Datenschutz-Grundverordnung (DSGVO) / General Data Protection Regulation (GDPR), the Bundesdatenschutzgesetz (BDSG) / Federal Data Protection Act, and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG) / Telecommunications Digital Services Data Protection Act.

2. Data Controller

The data controller within the meaning of the Datenschutz-Grundverordnung (DSGVO) / General Data Protection Regulation (GDPR) is:

Behälter K.G. Bremen GmbH
Theodor-Barth-Str. 25
28307 Bremen

Managing Director: Julian Beckh
Court of Registration: Amtsgericht Bremen, HRB 6939
VAT ID: DE286605374

Telephone: +49 421 34 85 10
Email: mail@behaelter-kg.de
Website: www.behaelter-kg.de

A Data Protection Officer has not been appointed pursuant to Art. 37(4) GDPR in conjunction with § 38 BDSG, as fewer than 20 persons are constantly engaged in the automated processing of personal data.

3. Definitions

In this privacy policy, we use the following terms as defined by the GDPR. For the complete list of definitions, we refer to Art. 4 GDPR.

a) Personal data — Any information relating to an identified or identifiable natural person (data subject). A person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier (Art. 4(1) GDPR).

b) Processing — Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, storage, alteration, retrieval, consultation, transmission, erasure or destruction (Art. 4(2) GDPR).

c) Controller — The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7) GDPR).

d) Processor — A natural or legal person which processes personal data on behalf of the controller (Art. 4(8) GDPR).

e) Consent — Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they signify agreement to the processing of personal data relating to them (Art. 4(11) GDPR).

f) Profiling — Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour or location (Art. 4(4) GDPR).

4. Legal Bases for Processing

We process personal data on the basis of the following legal grounds:

a) Consent — Art. 6(1)(a) GDPR
Where you grant us explicit consent, e.g. by agreeing via the cookie banner or when subscribing to a newsletter. You may withdraw your consent at any time with effect for the future.

b) Performance of a contract — Art. 6(1)(b) GDPR
Where processing is necessary for the performance of a contract with you, e.g. for orders, customer account creation or pre-contractual enquiries about our products.

c) Legal obligation — Art. 6(1)(c) GDPR
Where we are subject to a legal obligation, e.g. tax retention requirements (§ 147 AO, § 257 HGB) or the obligation to obtain cookie consent (§ 25 TDDDG).

d) Vital interests — Art. 6(1)(d) GDPR
In rare cases, e.g. if a visitor is injured at our premises and data must be passed on to a doctor or hospital.

e) Public interest — Art. 6(1)(e) GDPR
Where processing is necessary for the performance of a task carried out in the public interest.

f) Legitimate interest — Art. 6(1)(f) GDPR
Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests, fundamental rights and freedoms. Examples: IT security, website usage analysis, efficient customer communication, direct marketing.

5. Legitimate Interests

Where processing is based on Art. 6(1)(f) GDPR and no more specific legitimate interests are stated, our legitimate interest is the conduct of our business activities for the benefit of the well-being of our staff and our shareholders.

We may send you direct marketing about our own goods or services that are similar to those you have enquired about or purchased (Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG (Gesetz gegen den unlauteren Wettbewerb / Unfair Competition Act)). You may object to direct marketing at any time, e.g. by email to mail@behaelter-kg.de. No costs other than the standard transmission costs at basic rates will be incurred.

6. General Purpose of Processing

The general purpose of processing personal data is to handle all transactions concerning us as the data controller, our customers, prospects, business partners or other contractual or pre-contractual relationships, as well as to fulfil our legal obligations. This general purpose applies where no more specific purposes are stated for a particular processing activity.

Categories of data processed: Customer data, prospect data, employee data (including applicant data) and supplier data.

Categories of recipients: Public authorities (e.g. tax authorities), IT service providers, shipping service providers, analytics and marketing services, CRM systems and processors pursuant to Art. 28 GDPR.

7. Retention Period

We store personal data only for as long as is necessary for the respective processing purpose or as required by statutory retention obligations:

Data category	Retention period	Legal basis
Books, annual financial statements, inventories	10 years	§ 147(1) No. 1 AO
Booking documents / invoices	8 years	§ 147(3) AO (since 01.01.2025)
Business correspondence	6 years	§ 257 HGB
Application documents (rejection)	6 months	AGG
Server log files	14 days	IT security
Newsletter data	Until withdrawal	Art. 6(1)(a) GDPR
Customer account	Until deletion	Art. 6(1)(b) GDPR
Cookie consent	12 months	§ 25 TDDDG

After the expiry of the retention periods, data is routinely deleted unless it is still required for the performance or initiation of a contract.

8. Obligation to Provide Data

The provision of personal data is partly required by law (e.g. tax regulations) or may arise from contractual provisions (e.g. details of the contracting party). In some cases, it may be necessary for the conclusion of a contract that you provide us with personal data. Failure to provide such data would mean that the contract could not be concluded.

Unless otherwise stated in this privacy policy, the provision of personal data is neither legally nor contractually required. You are not obliged to provide it. Failure to do so will have no consequences, unless otherwise indicated in the processing activities described below.

9. Automated Decision-Making

As a responsible company, we generally do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

Should we, in exceptional cases, carry out automated decision-making including profiling, this is only permissible where the decision (1) is necessary for entering into or the performance of a contract between you and us, (2) is authorised by Union or Member State law which also lays down suitable measures to safeguard your rights, or (3) is based on your explicit consent.

In such cases, you have the right to obtain human intervention, to express your own point of view and to contest the decision.

10. Transfers to Third Countries

Some of the service providers we use process data in countries outside the EU/EEA, in particular in the USA. We ensure the protection of your data through the following safeguards:

a) EU-U.S. Data Privacy Framework (DPF)
The European Commission, by Implementing Decision (EU) 2023/1795 of 10 July 2023, has determined that the USA ensures an adequate level of protection for recipients certified under the EU-U.S. Data Privacy Framework. You can verify the certification status at https://www.dataprivacyframework.gov/list.

b) EU Standard Contractual Clauses (SCCs)
With all other recipients in third countries that do not operate under an adequacy decision or the DPF, we have concluded EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

c) Adequacy decisions (Art. 45 GDPR)
Where an adequacy decision of the European Commission exists for the respective country, we rely on that decision for the transfer.

You may request a copy of the agreed safeguards from us: mail@behaelter-kg.de

Note on consent: For services requiring consent (e.g. analytics and marketing tools), we obtain your explicit consent pursuant to Art. 6(1)(a) GDPR via our cookie banner. By giving your consent, you also consent to the transfer of your data to the companies named in this privacy policy in third countries (Art. 49(1)(a) GDPR), including countries for which no adequacy decision exists and in which data protection safeguards comparable to EU law may not be available. You may withdraw your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

11. Server Log Files

Each time our website is accessed, our server automatically records:

Browser type and version
Operating system
Referrer URL (previously visited page)
Page accessed on our website
Date and time of access
IP address
Internet service provider

This data serves to ensure the trouble-free operation of the website, IT security and threat prevention. No merging with other data sources takes place. The data is stored separately from any personal data you provide.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security).
Retention period: The log files are deleted after 14 days, unless a security incident requires longer retention.

12. Contact

12a) Contact form, email and telephone

When you contact us by email, contact form or telephone, your details (name, email address, message content, and telephone number where applicable) are stored for the purpose of processing your enquiry.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in processing enquiries).
Retention period: Your data will be deleted once the enquiry has been fully processed and no statutory retention obligations apply.

12b) Wishlist

Our website offers a wishlist where you can save products. Your selection and, where applicable, your email address are stored.

Legal basis: Art. 6(1)(a) GDPR (consent).

13. Customer Account and Registration

When registering a customer account, we collect: name, company, address, email address, telephone number and password (encrypted). This data is processed for account management and order processing.

Upon registration, the IP address assigned by your internet service provider (ISP) as well as the date and time of registration are also stored. This data is stored because it is the only way to prevent misuse of our services and to investigate criminal offences where necessary.

You are free to modify the data provided during registration at any time or to have it completely deleted from our database.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) for account management; Art. 6(1)(f) GDPR (legitimate interest in IT security and fraud prevention) for IP address storage.
Retention period: Account data is stored until the customer account is deleted, unless statutory retention obligations apply.

14. Orders and Contract Data

14a) Orders

In the course of processing orders, we process: order and contract data, payment data, delivery and billing addresses. For order fulfilment, we share data with the following categories of recipients:

Shipping service providers: Freight forwarders, DHL and other parcel services (for spare parts and small items)
IT service providers: Technical service providers for the operation of the online shop

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention period: Order data is retained for the duration of the warranty period, and subsequently in accordance with statutory retention periods (6 years pursuant to § 257 HGB, 8 years for booking documents or 10 years for books and financial statements pursuant to § 147 AO).

14b) Payment processing

We offer the following payment methods: invoice and advance payment. The payment data collected is used exclusively for payment processing and fraud prevention.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

15. Cookies and Cookie Consent

15a) General information about cookies

Our website uses cookies. Cookies are small text files that are stored on your device. Some cookies are technically necessary (e.g. shopping cart, login session), while others serve analytical and optimisation purposes.

Technically necessary cookies: Art. 6(1)(f) GDPR (legitimate interest) in conjunction with § 25(2) TDDDG.
Analytics/marketing cookies: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TDDDG.

15b) Cookie consent tool

For managing your cookie preferences, we use a custom-developed cookie consent tool (in-house development). This tool allows you to select which cookies you wish to allow when you first visit the website. Your preference is stored in a cookie on your device.

Legal basis: Art. 6(1)(c) GDPR (legal obligation to obtain consent pursuant to § 25(1) TDDDG).

15c) Managing cookies in your browser

You can delete or block cookies at any time via your browser settings:

Google Chrome: Settings > Privacy and security > Cookies and other site data
Mozilla Firefox: Settings > Privacy & Security > Cookies and site data
Microsoft Edge: Settings > Privacy, search and services > Cookies
Safari: Settings > Privacy > Manage website data

Please note that without certain cookies, not all functions of our website may be available.

16. Google Analytics (GA4)

We use Google Analytics 4 (GA4) to analyse website usage. GA4 records, among other things: pages visited, time spent on page, device information, source of visit and interactions.

Operating company: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

In GA4, IP addresses are not stored in full by default. IP addresses are truncated before storage. No merging of the IP address with other Google data takes place.

Opt-out: You can prevent data collection by Google Analytics by installing the Google browser add-on: https://tools.google.com/dlpage/gaoptout

Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (see Section 10).
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner) in conjunction with § 25(1) TDDDG.
Cookie lifetime: The cookies set by GA4 (e.g. _ga) may remain stored on your device for up to 24 months.
Data retention: The usage data stored in Google Analytics is automatically deleted after 14 months.
Further information: https://policies.google.com/privacy

17. Google Ads — Advertising and Remarketing

We use various Google Ads services for serving and displaying advertisements:

Google Ads Conversion Tracking: Records whether users perform an action on our website after clicking on an advertisement (e.g. enquiry, purchase).
Google Ads Remarketing: Displays targeted advertisements in the Google advertising network to users who have visited our website.
Google Dynamic Remarketing: Displays personalised product recommendations based on items viewed and abandoned shopping carts.
Remarketing with Google Analytics: Uses GA4 data to target website visitors with advertisements on partner sites.

In this process, cookies, IP addresses, click data, pages visited, products viewed and user behaviour are processed. When the website is visited, a remarketing tag is embedded that records data about user interactions and associates it with a cookie. This data enables the delivery of relevant advertisements on partner sites within the Google advertising network.

Operating company: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA).
Opt-out: You can deactivate personalised advertising at: https://adssettings.google.com
Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (see Section 10).
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner) in conjunction with § 25(1) TDDDG.
Further information: https://policies.google.com/privacy

18. Google Ads — Conversion Optimisation

In addition to the advertising features described in Section 17, we use the following Google Ads services to optimise our advertising campaigns:

Google Ads Enhanced Conversions: Improves conversion measurement through additional data points. Contact data entered by the user on our website (e.g. email address, telephone number) is cryptographically hashed (SHA-256) before being transmitted to Google. Google matches this hashed data against existing Google accounts to attribute conversions more accurately. Important: Only hashed (encrypted) values are transmitted, never plaintext data.
Google Ads Smart Bidding: An automated bidding strategy that uses machine learning to optimise bids in real time based on conversion data and target specifications.
Google Ads Optimized Targeting: Automated audience optimisation that uses algorithms to determine the best audience for advertisements.

The data processed includes IP addresses, device information, information about past interactions with advertisements, and hashed contact data (Enhanced Conversions only).

Operating company: Google Ireland Limited, Dublin, Ireland (parent company: Google LLC, USA).
Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (see Section 10).
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner) in conjunction with § 25(1) TDDDG.
Further information: https://policies.google.com/privacy

19. Google Tag Manager

We use Google Tag Manager to manage analytics and marketing tags on our website. The Tag Manager itself does not set cookies of its own and does not collect personal data. However, it enables the integration of other services (e.g. Google Analytics, Google Ads) that may process data in their own right. When the Tag Manager is loaded, your IP address is transmitted to Google.

Operating company: Google Ireland Limited, Dublin, Ireland.
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner) in conjunction with § 25(1) TDDDG. The Tag Manager enables the integration of other services that may set cookies and process data, which is why consent is obtained via our cookie banner.
Further information: https://policies.google.com/privacy

20. Microsoft Clarity

We use Microsoft Clarity to analyse user behaviour on our website. Clarity creates session recordings and heatmaps that visualise click, scroll and session behaviour. IP addresses, browser and device information are processed in this context.

21. Newsletter and Direct Marketing (Mailchimp)

21a) Newsletter

When you subscribe to our newsletter, we process your email address and, where applicable, your name for the purpose of sending the newsletter. The newsletter is sent via Mailchimp.

Operating company: Intuit Inc. (Mailchimp), The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.

Mailchimp processes your data in the USA. With each newsletter dispatch, open rates and click behaviour are statistically recorded in order to improve the newsletter.

Third-country transfer: Mailchimp/Intuit is certified under the EU-U.S. Data Privacy Framework. In addition, EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) are in place. Verification at: https://www.dataprivacyframework.gov/list
Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time, e.g. via the unsubscribe link in every newsletter or by email to mail@behaelter-kg.de.
Retention period: Your email address is stored until withdrawal of consent.
Further information: https://mailchimp.com/legal/privacy/

21b) Direct marketing to existing customers

We may send you direct marketing about our own goods or services that are similar to those you have enquired about or purchased (Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG (Gesetz gegen den unlauteren Wettbewerb / Unfair Competition Act)). This is subject to the condition that we obtained your electronic contact details in the context of the sale of a good or service, that we advertise similar products through the direct marketing, and that you have not objected to such use.

You may object to direct marketing at any time without giving reasons, e.g. by email to mail@behaelter-kg.de. No costs other than the standard transmission costs will be incurred.

22. LiveChat

We use LiveChat for direct communication with visitors to our website. In this process, personal data is processed, in particular: name, email address, IP address, browser information, language settings, geographic location data, chat histories, device types, visit times, referrer URLs and usage data.

Operating company: Text SA (formerly LiveChat Software SA), ul. Zwycieska 47, 53-033 Wroclaw, Poland (parent company: Text, Inc. (formerly LiveChat, Inc.), 1 International Pl, STE 1400, Boston, MA 02110-2619, USA).
Third-country transfer: Text, Inc. is certified under the EU-U.S. Data Privacy Framework. In addition, EU Standard Contractual Clauses are in place (see Section 10).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient customer communication).
Retention period: In accordance with our contract with the service provider and statutory retention periods.
Further information: https://www.livechatinc.com/legal/privacy-policy/

23. Pipedrive (CRM)

We use Pipedrive as a Customer Relationship Management (CRM) system to manage customer relationships and sales processes. Personal data such as name, email address, telephone number and business relationships are processed in this context.

Operating company: Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia (Pipedrive Inc. in the USA as parent company).
Third-country transfer: Pipedrive is certified under the EU-U.S. Data Privacy Framework. In addition, EU Standard Contractual Clauses are in place (see Section 10).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient management of customer relationships).
Retention period: In accordance with statutory retention periods.
Further information: https://www.pipedrive.com/en/privacy

24. WhatsApp Business

We use WhatsApp Business for customer communication. Personal data such as telephone numbers, profile names, message content and location data are processed in this context. WhatsApp uses end-to-end encryption for message content.

Operating company: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (parent company: Meta Platforms, Inc., USA).
Third-country transfer: Meta is certified under the EU-U.S. Data Privacy Framework. In addition, EU Standard Contractual Clauses are in place (see Section 10).
Legal basis: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in efficient communication).
Further information: https://www.whatsapp.com/legal/privacy-policy

25. Microsoft 365 (OneDrive, Teams, Outlook, SharePoint, Defender)

We use Microsoft 365 as a central platform for communication, file storage and collaboration. The following services are used in this context:

OneDrive / SharePoint: Storage and sharing of business documents (quotations, orders, correspondence)
Outlook: Email communication with customers, suppliers and business partners
Microsoft Teams: Internal and external communication (chat, video conferencing, file sharing)
Microsoft Defender for Office 365: Protection against phishing, malware and cyber threats in emails and documents. Defender uses artificial intelligence and machine learning to detect threats early and respond automatically.

The following personal data may be processed in this context: name, email address, communication content (emails, chat messages), files, IP addresses, usage data, device information, login histories and timestamps.

Operating company: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA).
Third-country transfer: Microsoft is certified under the EU-U.S. Data Privacy Framework. EU Standard Contractual Clauses are in place. Information on data protection at Microsoft: https://www.microsoft.com/en-us/trust-center
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in secure communication, IT infrastructure and protection against cyber threats).
Retention period: In accordance with statutory retention periods and our contract with Microsoft.
Further information: https://privacy.microsoft.com

26. Hosting (Hetzner)

Our website is hosted by Hetzner. When you access our website, data (IP address, browser information, time of access) is automatically transmitted to Hetzner's server.

Operating company: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.

Hetzner operates data centres exclusively in Germany and acts as a processor on our behalf. A data processing agreement (DPA) pursuant to Art. 28 GDPR has been concluded. No third-country transfer takes place.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure provision of our website).
Further information: https://www.hetzner.com/de/legal/privacy-policy

27. IT Security (Fortinet)

We use Fortinet products (e.g. firewall, intrusion prevention) to protect our IT infrastructure and networks. The security systems are predominantly operated on-premise. In the course of security analysis, connection data (IP addresses, timestamps, device information) may be processed. For certain security functions (e.g. FortiGuard Cloud), data is transmitted to Fortinet servers.

Operating company: Fortinet GmbH, Feldbergstr. 35, 60323 Frankfurt am Main, Germany (parent company: Fortinet, Inc., 899 Kifer Road, Sunnyvale, CA 94086, USA).
Third-country transfer: Fortinet is certified under the EU-U.S. Data Privacy Framework (see Section 10).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the security of our IT systems and the prevention of cyber threats).
Further information: https://www.fortinet.com/corporate/about-us/privacy

28. YouTube (enhanced privacy mode)

We embed videos via YouTube in enhanced privacy mode (domain: youtube-nocookie.com). In this mode, no cookies are set and no data is transmitted to YouTube until you actively play a video. Only when the video is played are your IP address and usage data transmitted to YouTube.

Operating company: Google Ireland Limited, Dublin, Ireland (YouTube is a service of Google LLC).
Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (see Section 10).
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner) in conjunction with § 25(1) TDDDG; subsidiarily Art. 6(1)(f) GDPR (legitimate interest in the presentation of video content).
Further information: https://policies.google.com/privacy

29. Google Maps

Google Maps is embedded on our website to display our location. When the map is accessed, data (IP address, location data, browser information) is transmitted to Google.

Operating company: Google Ireland Limited, Dublin, Ireland.
Third-country transfer: Google is certified under the EU-U.S. Data Privacy Framework (see Section 10).
Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interest in displaying the location).
Further information: https://policies.google.com/privacy

30. LinkedIn

On our website, we link to our LinkedIn company profile. No LinkedIn tracking pixels or social plugins are integrated on our website. When you click on the link, you are redirected to the LinkedIn platform, where LinkedIn's privacy policy applies.

Operating company: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (parent company: LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in presenting our company).
Further information: https://www.linkedin.com/legal/privacy-policy

31. Credit Check (Creditreform)

In justified cases, we carry out credit checks via Creditreform. In this process, name, address and, where applicable, date of birth are transmitted to the local Creditreform association (Creditreform Bremen). Creditreform provides us with information on creditworthiness, including a score value representing a statistical assessment of default risk.

No third-country transfer: Data is processed exclusively within Germany.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in securing financial transactions and efficient receivables management).
Retention period: In accordance with statutory retention periods.
Further information: https://www.creditreform.de

32. AI-Assisted Text Processing (Anthropic, OpenAI)

We use AI-assisted systems to support the creation and editing of texts. In individual cases, personal data (e.g. names, enquiry content) may be transmitted to the providers.

Anthropic (Claude)

Operating company: Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA.
EU representative: Anthropic Ireland, Ltd., 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland.
Third-country transfer: Transfer to the USA on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). Anthropic is currently not certified under the EU-U.S. Data Privacy Framework.
Further information: https://www.anthropic.com/privacy

OpenAI (ChatGPT)

Operating company: OpenAI OpCo, LLC, 3180 18th Street, San Francisco, CA 94110, USA.
EU representative: OpenAI Ireland Limited, 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.
Third-country transfer: Transfer to the USA on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). OpenAI is currently not certified under the EU-U.S. Data Privacy Framework.
Further information: https://openai.com/policies/privacy-policy

Legal basis (both): Art. 6(1)(f) GDPR (legitimate interest in the efficient handling of business processes).

33. Data Processing Agreements

We have concluded data processing agreements (DPAs) pursuant to Art. 28 GDPR with all relevant service providers. These agreements ensure that our service providers process personal data only on our instructions and in compliance with the GDPR.

You may request a current list of our processors free of charge: mail@behaelter-kg.de

34. Rights of the Data Subject

You have the following rights under the GDPR. To exercise your rights, please contact: mail@behaelter-kg.de

a) Right to confirmation

You have the right to obtain confirmation from us as to whether personal data concerning you is being processed (Art. 15 GDPR).

b) Right of access (Art. 15 GDPR)

You have the right to obtain, free of charge and at any time, information about the personal data stored about you and a copy of that data. Furthermore, you are entitled to information about the following:

the purposes of the processing,
the categories of personal data being processed,
the recipients or categories of recipients to whom the data has been or will be disclosed, in particular recipients in third countries,
where possible, the envisaged period for which the data will be stored, or, if this is not possible, the criteria used to determine that period,
the existence of the right to request rectification or erasure of data or restriction of processing, or the right to object,
the existence of the right to lodge a complaint with a supervisory authority,
where the data has not been collected from you: all available information as to the source of the data,
the existence of automated decision-making, including profiling, pursuant to Art. 22(1) and (4) GDPR and — at least in those cases — meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

Furthermore, you have the right to be informed as to whether personal data has been transferred to a third country or to an international organisation. Where this is the case, you have the right to be informed of the appropriate safeguards relating to the transfer.

c) Right to rectification (Art. 16 GDPR)

You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Furthermore, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking into account the purposes of the processing.

d) Right to erasure / right to be forgotten (Art. 17 GDPR)

You have the right to obtain from us the erasure of personal data concerning you without undue delay, provided that one of the following grounds applies and insofar as processing is not required:

The personal data was collected or processed for purposes for which it is no longer necessary.
You withdraw your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds, or you object to the processing for direct marketing purposes pursuant to Art. 21(2) GDPR.
The personal data has been unlawfully processed.
The erasure is required for compliance with a legal obligation under Union or Member State law.
The personal data has been collected in relation to information society services offered pursuant to Art. 8(1) GDPR.

Where we have made the personal data public and are obliged to erase it, we shall, taking account of available technology and the cost of implementation, take reasonable steps to inform other controllers processing the data that you have requested the erasure of all links to, or copies of, that personal data.

e) Right to restriction of processing (Art. 18 GDPR)

You have the right to obtain the restriction of processing where one of the following conditions is met:

The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy.
The processing is unlawful, you oppose erasure and request the restriction of use instead.
We no longer need the data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims.
You have objected to processing pursuant to Art. 21(1) GDPR, pending the verification whether our legitimate grounds override yours.

f) Right to data portability (Art. 20 GDPR)

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller without hindrance from us, provided that the processing is based on consent or a contract and is carried out by automated means.

Furthermore, you have the right to have personal data transmitted directly from us to another controller, where technically feasible and provided that the rights and freedoms of other persons are not adversely affected.

g) Right to object (Art. 21 GDPR)

General objection: You have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR. This also applies to profiling based on those provisions. We will then no longer process the data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Objection to direct marketing: Where personal data is processed for direct marketing purposes, you have the right to object at any time and without giving reasons to the processing for the purpose of such advertising. This also applies to profiling insofar as it is related to such direct marketing. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.

Objection to scientific/statistical processing: You also have the right to object, on grounds relating to your particular situation, to processing for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, unless the processing is necessary for the performance of a task carried out in the public interest.

h) Automated individual decision-making / profiling (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning you or similarly significantly affects you, provided that the decision is not (1) necessary for entering into or the performance of a contract, (2) authorised by law, or (3) based on your explicit consent.

In cases (1) and (3), you have the right to obtain human intervention, to express your own point of view and to contest the decision.

i) Right to withdraw consent (Art. 7(3) GDPR)

You have the right to withdraw consent to the processing of personal data at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

35. Right to Lodge a Complaint and Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for us is:

Der Landesbeauftragte für Datenschutz und Informationsfreiheit der Freien Hansestadt Bremen
(State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen)
Georgstraße 122-124
27570 Bremerhaven

Telephone: +49 421 361-2010
Email: office@datenschutz.bremen.de
Website: www.datenschutz.bremen.de

You may also contact the supervisory authority of your place of residence or workplace.

36. Contact for Data Protection Enquiries

For all questions regarding data protection and to exercise your data subject rights, please contact:

Behälter K.G. Bremen GmbH
Theodor-Barth-Str. 25
28307 Bremen

Email: mail@behaelter-kg.de
Telephone: +49 421 34 85 10

Last updated: March 2026