Data Security Declaration

Information with regard to the processing of Personal Data in accordance with Art. 13 of the General Data Protection Regulation (GDPR) of the European Union.

1. Scope

This Data Security Declaration applies for the Website of 3A Composites GmbH. In particular it refers to personal information that are processed while utilizing our websites. It does not apply for external websites or other services. Here, the respective data security declarations are to be considered. 

References to the legal framework refer to the General Data Protection Regulation (GDPR) of the European Union in the version of May 25th 2018. Additionally, the respective German national legislation (Bundesdatenschutzgesetz/BDSG) in the version of November 26th 2019 applies.

Personal Information ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 GDPR). Furthermore this declaration contains all relevant information with regard to the provision of our services.

2. Controller

The responsible authority/controller for the processing of data is

3A Composites GmbH
Alusingenplatz 1
78224 Singen
Phone: +4977319410
Represented by: Dr. Joachim Werner

3. Data Protection Officer

We have appointed an external Data Protection Officer:

Pfeil Concepts GmbH
Daniel Jahn
Alte Gärtnerei 2
04425 Taucha
Phone: +49 173 998 3928

4. Information regarding the processing of data on our Website

4.1 Web-Hosting:

The web servers for the websites;;;;; are operated by Mittwald CM Service GmbH & Co. KG.

Their contact information are:

Mittwald CM Service GmbH & Co. KG
Königsberger Straße 4-6
32339 Espelkamp
Phone: +49 5772293100

Mittwald CM Service GmbH & Co. KG is a processor on behalf of our service provider com-a-tec GmbH. We appeal on our contract regulating the processing on behalf with com-a-tec GmbH according to Art. 28 GDPR.

The adminsitrative support of the websites;;;;; is ensured by com-a-tec GmbH.

Their contact information are:

com-a-tec GmbH
Am Krebsgraben 15
78048 Villingen-Schwenningen
Phone: +49772198300

We concluded a contract regulating the processing on behalf with com-a-tec GmbH according to Art. 28 GDPR.

4.2 SSL-/TLS-Encryption

This website utilizes SSL- and/or TLS-encryption for securing personal data. A secure connection is established if the address-line in your Browser changes from “http://” to “https://” and indicates a lock-symbol. A third party is not able to read data that is transferred to our website if SSL- or TLS-encryption is enabled. 

4.3 Processing of personal data when visiting our website

When visiting our website, selected personal data is automatically processed by our IT-systems. Predominantly these data is technical data (e.g. Information about your Internet browser, operating system or Time of your visit). These data are processed to ensure the functionality of our website. Furthermore, this data can be used to analyze your user behaviour and to improve our services and products.

4.4 Cookies

Our websites utilize cookies. Cookies are not causing any damage on your system and do not contain viruses. Cookies are used, to improve our services, to make it more effective and to improve security. Cookies are small Text files, that are stored in your browser.

Mostly, “Session-Cookies” are used. They are deleted after every session. Other cookies remain stored on your device until you delete them manually. These cookies enable us, to recognize your browser during your next visit.

You can change your browser settings, in order to be informed about the inclusion of cookies. When deactivating cookies, the functionality can be limited.

Cookies used when exercising the communication process or for the provision of certain functions are processed on the basis of Art. 6(1)f GDPR. We have a vital interest in the storage of cookies in order to provide functional, error-free and optimized services.

4.5 Server-Log-Files

The provider of our websites gathers and stores data automatically in so called Server-Log-Files. Your browser automatically gathers the following data:

  • Visited website
  • Time of the server-request 
  • Quantity of exchanged data
  • Referrer URL
  • Browser type and Browser version
  • Operating system
  • IP-address

The data is used für analytic purposes and to improve our services. The Website-operator reserves the right to check the server log files retrospectively if there are specific indications of illegal use. This data is not aggregated with data from other sources.

The acquisition of this data is conducted on the basis of Art. 6(1)f GDPR. We have a vital interest in the functional, error-free and optimized services on our website. Therefore, Server-Log-Files must be collected. After 7 days the data is anonymized by shortening of the IP-address on the domain-level. Backtracking of the user is no longer possible.

4.6 Content Management Systeme (CMS)

The websites;;;;; utilize the CMS „Typo3“ operated by Agentejo.

Their contact information are:

TYPO3 Association
Sihlbruggstrasse 105
CH 6340 Baar
Phone: +41415110035

TYPO3 is a processor of our service provider com-a-tec GmbH. We appeal on our contract regulating the processing on behalf with com-a-tec GmbH according to Art. 28 GDPR.

4.7 Google Analytics

Our websites utilize the services of the web-analytic-service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses so called "Cookies". These are small text-files that are stored on your device and enable an analysis of your user behavior on our website. 

The following information are processed:

  • Browser-Typ/-Version,
  • operating system,
  • Referrer-URL (previously visited website),
  • Hostname (IP-Address),
  • Time of server-request

The information on your user behaviour, generated by cookies, is regularly transmitted to and stored on a Google-operated server in the USA.

The storage of Google-Analytics-Cookies and the use of analytic tools is conducted on the basis of Art. 6(1)f GDPR. We have a vital interest in the analysis of user behaviour in order to improve our services and our marketing efforts.

To protect your personal data, we have enabled IP-anonymization. Thereby your IP is shortened by Google within the member states of the EU as well as other signatories in the European Economic Area and when transferred in the U.S. Full IPs are transferred to Google servers in the U.S. and shortened there, only in exceptional cases. 

On our order Google evaluates the data in order to create reports on website activities and fulfil other related services.  Data gathered by Google Analytics is not merged with other data from Google.

You can prevent the storage of cookies by implementing special browser settings. Please be advised that some services may not function properly in this case. Furthermore, you can deny the acquisition of data, generated by the cookie and data regarding your use of our website (including your IP-address) as well as the transmission and procession to and by Google, by downloading and installing the following browser-plugin:

Additional information regarding the use of personal data by Google Analytics can be found in the Data Security Declaration of Google:

User and event related data, that is connected to cookies, user recognition data or promotion-IDs are anonymized /deleted after 14 months. More details can be found under the following link:

Google inc. Is certified in accordance with the „EU-Privacy-Shield“, which ensures the fulfilment of GDPR Data processing- standards.

4.8 Google reCAPTCHA

This website utilizes the service reCAPTCHA of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) in order to differentiate between personal or automated conduct on our websites. This includes the transmission of the utilzed device, as well as the website you are visiting that uses reCAPTCHA, the date, the duration of your visit, your log-in information (in case you are a registered Google-user, mouse-movements on the reCAPTCHA content as well as tasks you have to fulfil. These are provided by Google. This Google Fonts are installed locally. A connection to Google servers is not taking place. The Information can be transmitted to and stored on a Google-operated server in the USA. Google inc. Is certified in accordance with the „EU-Privacy-Shield“, which ensures the fulfilment of GDPR Data processing- standards.

The data und the use of reCAPTCHA is conducted on the basis of Art. 6(1)a GDPR on the basis of given consent or on the basis of Art. 6(1)f GDPR, on our vital interest to avoid misuse and spam of our webiste-services.

Additional information regarding the use of personal data by Google reCAPTCHA can be found in the Data Security Declaration of Google:

4.9 Social Media

Youtube Plugin
Our websites utilizes social plugins of the service Youtube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland, Mutterunternehmen: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). ). If you contact one of our websites that contains such a plugin, your browser establishes a direct connection with Youtube servers. The plugin transmits protocoll-information to the Instagram servers in the USA.  These protocoll-information might contain your IP-address, the addresses of the visited websites, that contain Instagram-functions as well, type and setting of your browser, date and time of your request, your user-history as well as cookies. The use of the Youtube-plugin is conducted on the basis of Art. 6(1)f GDPR and on our vital interest on a comprehensive visibility of our services on social media.

Further information are to be found in the data-security of Youtube:

Users have the possibilty to dissent (Opt-Out):

Furthermore useres have the possibility to adapt the settings with regard advertising banners:

4.10 Newsletter-distribution

We distribute newsletters, E-Mails and other electronic messages („newsletter“) only with expicit consent of the recipients. Our newsletters contain information with regard to our services and us.

The registration to our newsletters is only possible with a Double-Opt-In-procedure. This means, after the registration you receive an E-Mail that ask to confirm your registration.

Registrations are stored, in order to retrace the registration process according to the valid legal restrictions. Hereby, the time of registration and confirmation as well as the IP-address is processed. Also, all changes to your personal information are stored by the originator of the newsletter. Deleted E-Mail-addresses can be stored up to 3 years because of our vital interest in the previously given consent. The procession of these information is limited to encounter possible claims by former subscribers. An individual request of deletion is possible at all times insofar consent previously has been given. In case of standing obligations of dissents, we reserve the right to store the E-Mail-address for the purpose of a blocking list (so-called „Blacklist“).

The recording of the registration process  is conducted on the basis of Art. 6(1)f GDPR and our vital interest on direct-marketing activities, insofar it is lawful.

In case we task a service provider to distribute E-Mails, it is conducted according to our vital interest as well.

The distribution of our newsletters is conducted for direct-marketing activities, on the basis of given consent as well as on  our vital interest according to Art. 6(1)f GDPR.

You can terminate the newsletter receiving at any time. A link to terminate the newsletter is to be found on the bottom of each mailing. Other than that, you can use any other given contact possibilty, preferably via E-Mail.

5. Information regarding the processing of personal data within our service provision

Insofar the Internet services of 3A Composites GmbH provide the option to enter personal or business data, this data is entered by the user on a voluntary basis. To process your enquiry (to send brochures, samples or to respond to price enquiries), we sometimes work with partners/distributors to whom we forward your data to enable the timely completion of your enquiry. All information is treated confidentially in accordance with the provisions of the applicable data protection legislation.

5.1 Processing purposes

Completion of orders, information regarding orders and delivery data, execution of logistic services, completion of tasks and projects, registration of contract and contact information in fulfilment of tasks or in preparation of tasks, accountancy, accounting, dunning, organization and execution of purchase and procurement, sales and marketing, maintain customer and supplier relationship.

5.2 Legal foundations

  • Fulfillment of contract and pre-contract measures (Article 6 (1)b GDPR),
  • Legal obligations (Article 6 (1)c GDPR), 
  • Public interest (Article 6 (1)e GDPR), 
  • Consent (Article 6 (1)a GDPR iccw (Article 6 (1-4) GDPR)
  • Safeguarding our vital interests (Article 6 (1)f GDPR),

5.3 Categories of affected data subjects

Interested parties, customers and/or employees of customers, suppliers, partners, mediators, ext. service-providers and freelancers.

5.4 Categories of personal data

We process personal data, which we receive from data subjects in their function as representatives or Plenipotentiaries of the respective entities (Interested parties, customers and/or employees of customers, suppliers, partners, mediators, ext. service-providers and freelancers).

In particular:

  • Contact information (name, title, surname, phone, fax, Mobil phone, internet-address, E-Mail, position, company, company address, number of employees, branch, customer-type, contact-history und correspondence, Information with regard to Quotations and und initiation of business),
  • Account data (order information, payment information, account information, bank, IBAN, BIC, name of  the account holder, Information to fulfil contractual duties),
  • Personal data from quotations, orders, contracts address, contact-data, contract components.

5.5 Categories of recipients

Internal entities that are involved in the fulfilment of business processes (e.g. purchase, sales, marketing, administration, order execution, accounting).

Public authorities such as social insurance agencies and fiscal authorities in case of prioritized legislations External contractors (processing on behalf Art. 4 & Art. 28 GDPR for the processing purposes mentioned above).

Further distribution of personal data is only happening with explicit consent according to Art. 6(1)a GDPR or a legal obligation according to Art. 6 (1)c GDPR is in place.

5.6 Legal retention/deletion

If the legal retention period is over, we delete the respective personal data- as long as personal data is no longer needed for preparation of a contract or performance of a contract or a legitimate interest for the storage is no longer given.

Storage period of personal data:

  • 10 years according to § 14 UStG.
  • 10 years according to § 147 AO for all tax-relevant information.
  • 10 years according to § 257 1 Nr. 1 + 4 HGB. 

Data transmission to non EU-countries

A transmission to third states is not conducted and not planned. However, when using internet-based technologies it cannot be ruled out, that at some point a transmission to third states occurs.

6. Processing personal data in applications

We offer to apply digitally (e.g. via E-Mail). Processing of applicant data proceeds in accordance with data security legislation. Furthermore, applicant data is handled as restricted data.

If you transmit your application, we process the related personal data (e.g. contact- and communication, application documents, notes taken during interviews) insofar they are necessary to justify the decision for or against an employment relationship. The legal foundation is § 26 BDSG-new/ German national legislation (initiation of an employment relationship), Art. 6 (1) b GDPR (general initiation of a contract) and in case you consented – Art. 6(1) a GDPR. The consent can be revoked at any time. Internally, your personal data is only transmitted to recipients, involved in the application process. 

If an application is successful, the transmitted personal data is stored in our computer systems on the basis of § 26 BDSG-new und Art. 6(1)b GDPR with the purpose to initiate an employment relationship.

If we cannot offer you a position, you decline a job offer, withdraw your consent or request deletion of your data, we keep your personal information no longer than 6 months after the end of the application process in order to retrace particularities of the application process (Art. 6 (1)f GDPR).

You have the right to veto against the procession of your data at any time. We will keep your data as long as our significant interest is not interfering with your personal interests.

7. Data subject rights

You can obtain information about your personal data at any time free of charge on the basis of data protection regulations or demand their correction, completion, deletion or blocking, if this is not contrary to statutory regulations. You may also request that the processing of your personal data be restricted. 

7.1 Withdrawal of consent (Art. 7 GDPR)

You have the right to withdraw your consent at any time. The withdrawal of consent is not affecting the lawfulness of processing based on consent before the withdrawal. 

7.2 Right to object (Art. 21 GDPR)

You have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. 

7.3 Right to lodge a complaint at the responsible supervisory authority (Art. 13 GDPR)

You have the right to lodge a complaint with a supervisory authority. Equally, you can complain or submit a request about the data processing to the data protection officer. The data subject can address the complaint to the supervisory authority in his or her federal state or to the supervisory authority in the federal state of the responsible company. The supervisory authority in Germany is mostly the Landesbeauftragte für Datenschutz und Informationsfreiheit.

7.4 Right to data portability (Art. 20 GDPR)

It is the right of the data subject to receive the personal data, which he provided the responsible, if the processing is based on a consent (Article 6(1)a or Article 9 (2 ) GDPR or a contract (Article 6 (1) GDPR. The responsible has to provide the data in a structured, common and machine-readable format for the data subject.

7.5 Right to access, immediate rectification, correction and immediate erasure (Art. 15,16,17 GDPR)

You can request the confirmation of the responsible that his or her data are processed. If personal data of the data subject are processed by the responsible you have the right to access, immediate rectification, correction and immediate erasure of your personal data.  

7.6 Right to restriction of processing (Art. 18 GDPR)

You have the right to demand the limitation of the processing from the responsible.

Therefore you can contact us any time under the given contact information

The right to restrict processing your data is possible in the following scenarios.

If you doubt the correctness of your processed information, we need some time in order to verify your claim. In this case you can demand the restriction of processing for the time given.

If your personal information were obtained unlawful, you can request restriction instead of deletion.

If we no longer need your information the personal data would be deleted by the responsible authority, but the data subject would be required to claim, exercise or defend against legal claims. You also have the right to object against the process, however, it is not determined yet, whether the legitimate reasons of the responsible outweigh those of the data subject. Any recipient of the personal data has to be informed accordingly by the responsible authority.

As at 15th January 2020