Contact us

Data protection

1. Foreword

We, EMPAC GmbH (hereinafter: “EMPAC,” “we”), take the protection of your personal data very seriously. Below, we inform you about which personal data we collect from you, how we process it, and what rights you are entitled to under applicable data protection law (in particular the GDPR).

1.1 Who is responsible for data processing?

Responsible person within the meaning of the GDPR:
EMPAC GmbH
Hollefeldstraße 22
48282 Emsdetten
Phone: 02572 93 64 – 0
Fax: 02572 93 64 – 222
Email: info@empac.de
Web: www.empac.de
Represented by the managing directors: Richard Sievers, Michael Hans, Sebastian Sievers, Sebastian Hans
Register court: Steinfurt District Court, HRB 9527
VAT ID: DE 815 346 952

Data Protection Officer:
microPLAN IT-Systemhaus GmbH
Spatzenweg 2
48282 Emsdetten
Email: datenschutz@microplan.de
Phone: +49 (2572) 9365-77

1.2 Scope of this privacy policy

This privacy policy applies to the processing of personal data of customers, interested parties, applicants and visitors to our website www.empac.de as well as when using our services.
Legal basis: Art. 13 GDPR.

2. Categories of personal data, purposes and legal bases of processing

We process personal data only to the extent necessary to provide our services, to establish contact, to initiate/execute contracts, to process applications, to comply with legal obligations or to protect legitimate interests.

2.1 Categories of data processed:

  • Identification data: name, address, email, telephone number
  • Company data: company, department, function
  • Contract and order data: customer number, order number, invoice data
  • Usage data: IP address, pages visited, date/time, device type, browser information
  • Communication data: Contents of contact forms, emails, telephone calls
  • Applicant data: master data, cover letter, CV, certificates, qualifications, professional career
  • Analytics and marketing data: Data collected via cookies/tools such as Google Analytics, Tag Manager, Microsoft Clarity

2.2 Purposes of processing and related legal bases:

  • For the provision and security of the website: Art. 6 (1) (f) GDPR (legitimate interest)
  • To process inquiries/contact: Art. 6 (1) (b) and (f) GDPR (pre-contractual measure/legitimate interest)
  • For the execution and processing of contracts: Art. 6 (1) (b) GDPR (performance of contract)
  • For processing applications: Art. 6 (1) (b) GDPR, Section 26 BDSG
  • For marketing/analysis/optimization: Art. 6 (1) (a) GDPR (consent), Section 25 (1) TDDDG
  • To fulfill legal obligations: Art. 6 (1) (c) GDPR
  • For protection against misuse and IT security: Art. 6 (1) (f) GDPR

We do not collect or process special categories of personal data pursuant to Art. 9 GDPR (e.g. health data, religion).

3. Cookies, tracking technologies and external services

3.1 Consent management with Borlabs Cookie
We use Borlabs Cookie (Borlabs GmbH) to obtain and manage your consent for the use of cookies and external services.
Legal basis: Art. 6 (1) (c) GDPR (legal obligation to document), Art. 7 GDPR.

3.2 Google Analytics
Directly integrated, used to analyze website usage. IP anonymization is enabled. Data transfer to the USA is possible.
Legal basis: Art. 6 (1) (a) GDPR (consent), Section 25 (1) TDDDG
More information: Google Analytics Privacy Policy

3.3 Google Tag Manager
Used to manage website tags and integrate additional services. No personal data is stored.
Legal basis: Art. 6 (1) (a) GDPR (consent)

3.4 Microsoft Clarity
Integrated via the Tag Manager, it is used to analyze mouse movements, clicks, and scrolling behavior. Data may be transferred to the USA.
Legal basis: Art. 6 (1) (a) GDPR (consent), Section 25 (1) TDDDG
More information: Microsoft Privacy Policy

3.5 Google Fonts
We only use locally embedded fonts. When you visit our pages, no personal data is transferred to Google.
Legal basis: Art. 6 (1) (f) GDPR (legitimate interest)

Recipients of your data for these services are in particular:
– Google Ireland Limited or Google LLC (USA)
– Microsoft Corporation (USA)
– Our hosting provider (e.g. Mittwald CM Service GmbH & Co. KG, Germany)
– Other IT service providers as processors (Art. 28 GDPR)

Data transfer to third countries:
Google and Microsoft may transfer personal data to countries outside the EU, particularly to the USA. This is based on the EU standard contractual clauses pursuant to Art. 46 GDPR.

Note: We will be happy to provide you with a complete list of the tools and service providers we use upon request.

4. Recipients and categories of recipients

4.1 Internal recipients:
Within EMPAC GmbH, only those people who need your data to perform their duties (e.g. sales, customer service, accounting, IT, human resources) will have access to your data.

4.2 External recipients:
We only share data if permitted by law, if you have consented, or if it is necessary to fulfill a contract. Possible recipients are:
– IT service providers/hosting providers
– Shipping/logistics companies
– Banks/payment service providers
– Tax consultants/auditors/lawyers
– Authorities and public bodies (if legally required)
– Marketing, analytics and tracking providers (see section 3)
– Other processors according to Art. 28 GDPR

4.3 Transfer to third countries:
Transfer to third countries (e.g. USA) takes place exclusively in accordance with Art. 44 et seq. GDPR (e.g. EU standard contractual clauses).

4.4 No disclosure for advertising purposes:
Your data will not be passed on for advertising purposes (sale of your data).

4.5 Information on specific recipients:
We will be happy to provide you with a detailed overview of all recipients and processors upon request.

5. Storage and deletion periods

We generally only store personal data for as long as it is necessary for the respective purposes or to fulfill legal obligations.

  • Contract/business documents: up to ten years (commercial/tax law, Section 257 HGB, Section 147 AO)
  • Contact requests: until final processing, unless there are retention obligations
  • Application documents: at the latest six months after completion of the application process, unless longer storage is necessary to defend against legal claims or you have consented (Section 26 of the Federal Data Protection Act)
  • Analysis/tracking data: according to tool settings, at the latest after 14 months

As soon as the purpose no longer applies and there are no legal retention obligations, your data will be deleted or anonymized.

6. Data protection in the application process

When you apply for a position, we process your data (name, contact details, CV, certificates, etc.) exclusively for the purpose of conducting the application process and deciding on a hiring decision.

Legal basis:
Art. 6 (1) (b) GDPR, Section 26 BDSG (justification of employment relationship). If special categories of personal data (e.g., health data) are processed, this is done in accordance with Art. 9 (2) GDPR.

Recipient:
Only those people in our company involved in the selection process. Data will only be shared with third parties with your consent or as required by law.

Storage periods:
Deletion at the latest six months after completion of the application process, unless longer storage is necessary to defend against legal claims or you have consented.

Note on your rights:
You have the right to information, rectification, erasure, restriction of processing, objection, data portability, and revocation of consent. If you withdraw your consent/objection during the application process, your application can no longer be considered.

7. Your rights

You have the following rights under Articles 15 to 21 GDPR:

  • Information: Art. 15 GDPR
  • Correction: Art. 16 GDPR
  • Deletion: Art. 17 GDPR
  • Restriction: Art. 18 GDPR
  • Objection: Art. 21 GDPR
  • Data portability: Art. 20 GDPR
  • Revocation of consent: Art. 7 para. 3 GDPR (at any time for the future)
  • Right to lodge a complaint: Art. 77 GDPR
    Competent supervisory authority:
    State Commissioner for Data Protection and Freedom of Information NRW
    PO Box 20 04 44, 40102 Düsseldorf
    Email: poststelle@ldi.nrw.de

To exercise your rights, please contact our data protection officer.

8. Obligation to provide data and consequences of non-provision

Within the scope of contracts, business initiations, or applications, you are obligated to provide the personal data necessary for the initiation, implementation, and termination of the respective legal relationship, as well as for the fulfillment of legal obligations. Without this data, a contract cannot be concluded or your application processed.
There is no obligation to provide personal data simply by visiting the website.

9. Updating this Privacy Policy

We reserve the right to update this privacy policy at any time to reflect changes in legal requirements or changes to our services. The version published on our website at the time of your visit applies.

As of July 2025