Privacy Policy and Data Protection Notice for Customers, Suppliers and other Business Partners

1. Automatic data collection and processing on Geberit websites

Our websites use certain technologies and tools, which are outlined below. If there are any that you do not want us to use, provided these are optional, we have provided various options and settings for each one that will prevent it from being used.

2. Collection and processing of voluntarily provided data

We collect and process personal data that has been shared with us voluntarily during the course of interacting with customers, suppliers and other business partners (for example, via email, telephone or our websites). The following overview provides you with information on the legal basis and purposes of the individual data processing activities.

3. Further data processing besides our website

In addition to our website, further data processing by third-party providers takes place in individual cases and depending on your settings, about which you can find out here.

4. Further data processing, data transfer to third countries, data erasure

In individual cases, we need your data for specific, non-standard data processing, which you can find out about here.

5. Your rights

As regards your personal data processed by us, you are entitled to the rights outlined below. In order to exercise any of these rights, please send us a written request using the contact details specified above or send an email to the following address: dataprotection@geberit.com.

6 Further data processing besides our website

6.1.1 Facebook Insights (Facebook fan page):

We operate our Facebook fan page together with Meta Platforms Inc. 1 Hacker Way, Menlo Park, California 94025, USA (hereafter ‘Facebook’). For this purpose, we have concluded an agreement with Facebook regarding which party has which obligations concerning the GDPR. You can view the essential content of this agreement at https://www.facebook.com/legal/terms/page_controller_addendum. Information about how Facebook processes your personal data can be found at https://www.facebook.com/legal/terms/information_about_page_insights_data. The legal basis for processing your personal data is established in point (f) of Article 6(1) of the GDPR. By processing your personal data using Facebook Insights, we can analyse your user behaviour. We evaluate the captured data and use it to collate information about our Facebook fan page activity. This helps us to design our Facebook fan page in a more user-friendly way that meets the needs of our target audience. The personal data that is collected from our Facebook fan page is provided to us by Facebook. Your personal data is deleted as soon as it is no longer necessary for the aforementioned purposes. If you do not want your data to be collected by Facebook Insights, you can object to the processing of your personal data by Facebook Insights at any time and with future effect. If you do so, we refer your objection to Facebook.

6.1.2 Instagram

Instagram is a product belonging to Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (hereafter ‘Meta’). We run our Instagram page together with Meta. For this purpose, we have concluded an agreement with Meta regarding which party has which obligations concerning the GDPR. You can find the detailed information on the processing of your personal data by the Instagram service at: https://help.instagram.com/519522125107875. Information about how Meta processes your personal data can be found at https://help.instagram.com/519522125107875. The legal basis for processing your personal data is established in point (f) of Article 6(1) of the GDPR. The processing of your personal data by Meta via the Instagram service helps us analyse your user behaviour. We evaluate the captured data and use it to collate information about activity on our Instagram page. This helps us to design our Instagram page in a more user-friendly way that appeals to our target audience. The personal data that is collected from our Instagram page is provided to us by Meta. Your personal data is deleted as soon as it is no longer necessary for the aforementioned purposes. If you do not want your data to be collected by Meta, you can object to the processing of your personal data by Instagram/Meta at any time and with future effect. If you do so, we refer your objection to Meta.

6.1.3 YouTube channel

To ensure we design our social media offering to meet customers’ needs, we use a YouTube channel which is operated by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereafter ‘Google’). YouTube is a video platform that enables users to upload and publish their videos for public viewing. You can find more information on how Google processes your personal data at https://policies.google.com/privacy?hl=en&gl=en#infocollect. If you wish to use our YouTube channel, we remind you that you use this service at your own risk. This applies especially to the features offered within the YouTube platform, such as the comment, like and share features under each video. We have no influence over the type and scope of the data processed by Google in relation to the YouTube channel. By using the YouTube channel, your personal data is processed by Google and, in doing so, will be transferred to the United States, Ireland and any other country in which Google does business, regardless of your place of residence, and may be further processed there. The legal basis for processing your personal data is established in point (f) of Article 6(1) of the GDPR. Your personal data is processed for the purposes of designing an appealing and user-friendly YouTube channel that meets the needs of our viewers. In this context, we only process your personal data within the YouTube channel insofar as it is necessary for providing information on our offers and services. We also process personal data in relation to this YouTube channel for the purposes of communicating with users and potential interested parties. The personal data that is collected from our YouTube channel is provided to us by Google. Your personal data is deleted as soon as it is no longer necessary for the aforementioned purposes. If you do not want your data to be collected by Google, you can object to the processing of your personal data in relation to this YouTube channel at any time. If you do so, we refer your objection to Google.

6.2 Twitter

Twitter is a product of Twitter International Company, One Cumberland Place, Fe-nian Street, Dublin 2, D02 AX07, Ireland (hereinafter “Twitter“). We operate our Twitter site together with Twitter. For this purpose, we have concluded an agreement with Twitter on which of us fulfils which obligation in accordance with the GDPR. You can view the main content of the processing of your personal data by Twitter at https://twitter.com/de/privacy. The legal basis for the processing of your personal data is point (f) of Article 6(1) of the GDPR. The processing of your personal data by Twitter enables us to analyse your usage behaviour. By evaluating the data obtained, we are able to compile information about the attractiveness of our Twitter page. This helps us to make our Twitter page more user-friendly and tailored to your needs. Your personal data collected in the course of operating our Twitter page is made available to us by Twitter. Your personal data will be deleted as soon as it is no longer required for our aforementioned purposes. If you do not wish your data to be collected by Twitter, you have the option at any time to object to the processing of your personal data within the framework of Twitter for the future. In this case, we will forward your request for objection to Twitter.

7 Data subject information in accordance with Article 12 ff. of the GDPR

The legal basis for processing your personal data as part of processing your data protection enquiries (data-subject information) is established in point (c) of Article 6(1) of the GDPR in connection with Article 12 ff. of the GDPR. The legal basis for the subsequent documentation of the legally compliant processing of the data-subject information is established in point (f) of Article 6(1) of the GDPR. The purpose of processing your personal data for processing the data-subject information is to answer your data protection enquiry. The legally compliant processing of the relevant data-subject information is subsequently documented to fulfil legal obligations regarding accountability according to Article 5(2) of the GDPR. Your personal data is deleted as soon as it is no longer required for the purpose for which it was processed. In the case of processing data-subject information, this is three years after the end of the process. You can object to the processing of your personal data with regard to processing data-subject information at any time with future effect. However, if you do so, we cannot continue to process your data-protection enquiry. It is strictly necessary to document the legally compliant processing of the affected data-subject information. It is therefore not possible for you to object to this.

9 Sharing your data with third parties

Personal data is provided within our company to the appropriate positions and departments which require it for fulfilling the previously mentioned purposes. We also some-times use various service providers and transfer your personal data to other trustworthy recipients. These may include:

  • other Geberit companies for the purpose of centralised customer administration and order processing
  • other Geberit companies for the purpose of providing centralised IT and other services
  • logistics providers
  • banks and other payment service providers for the purpose of processing any payments
  • service providers for the purpose of organising, carrying out and handling of possible installation work and after-sales services
  • scanning services
  • printers
  • IT service providers
  • lawyers and courts

10 Transfer to third countries

10.1.1 In the course of processing your personal data, we may transfer your personal data to trusted service providers in third countries. Third countries are countries that are outside the European Union (EU) or the European Economic Area (EEA). We only work with service providers who can provide us with suitable guarantees for the security of your personal data and who can guarantee that your personal data will be processed in accordance with strict European data protection standards. A copy of these suitable guarantees can be inspected at our premises.

10.1.2 If we transfer personal data to third countries, this will be done on the basis of a so-called adequacy decision of the European Commission, or, in the absence of such a decision, on the basis of so-called standard contractual clauses, which have also been issued by the European Commission, and if required further measures.

11 Your rights

11.1 As regards your personal data processed by us, you are entitled to the rights outlined below. In order to exercise any of these rights, please send us a written request using the contact details specified above or send an email to the following address: dataprotection@geberit.com.

11.2 Right to access

You have the right to request that we provide access to the personal data concerning you that we have processed. You may exercise this right within the scope outlined in Article 15 of the GDPR.

11.3 Right to rectification

In accordance with Article 16 of the GDPR, you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

11.4 Right to erasure

Subject to the prerequisites specified in Article 17 of the GDPR, you have the right to request from us the erasure of personal data concerning you. The prerequisites provide for a right to erasure in particular where the personal data is no longer necessary for the purposes for which it was collected or otherwise processed. The ability to exercise this right is restricted in accordance with Article 17(3) of the GDPR, particularly in cases where we require your data in order to meet a legal obligation or to process legal claims.

11.5 Right to restriction of processing

You have the right to request from us restriction of processing under the terms specified in Article 18 of the GDPR. This right exists in particular (a) where the accuracy of personal data is contested by you, for a period enabling us to verify the accuracy of the personal data, (b) where you oppose the erasure of the personal data (in cases where the right to erasure applies) and request the restriction of its use instead, (c) where we no longer need the personal data for the purposes for which it was being processing, but it is required by you for the establishment, exercise or defence of legal claims, and (d) where the successful exercise of an objection is still contested between you and us. If the processing of your data has been restricted on any of these bases, such data may only be processed in exceptional cases; for example, where you have given your consent to this or where such processing is necessary for the enforcement of legal claims.

11.6 Right to object to processing

In accordance with Article 21 of the GDPR, you have the right to object, on grounds relating to your particular situation and at any time, to the processing of personal data concerning you on the basis of point (e) or (f) of Article 6(1) of the GDPR. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing that override your interests, rights and freedoms, or unless the circumstances

11.7 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format under the terms specified in Article 20 of the GDPR. This requires that the data processing has been based on you having given your consent and has been carried out by automated means.

11.8 Right to lodge a complaint with the relevant data protection supervisory authority.

You have the right to lodge a complaint with a supervisory authority – in particular, within the EU member state of your habitual residence, your place of work or the location of the alleged infringement – if you believe that the processing of personal data relating to you infringes the applicable data protection legislation.

regards your personal data processed by us, you are entitled to the rights outlined below. In order to exercise any of these rights, please send us a written request using the contact details specified above or send an email to the following address: dataprotection@geberit.com.

12 Erasure of your data

Generally speaking, we erase or anonymise your personal data as soon as it is no longer needed for the purposes for which we collected or used it in accordance with the sections above. If data needs to be retained for legal reasons, it will be blocked. This means that it will no longer be available for further processing. If you require further information regarding our erasure and retention periods, please contact the controller specified in Section 2 using the relevant contact data.

13 Changes of purpose

Your personal data will only be processed for purposes other than those described if a legal provision requires this course of action or if you have given your consent to the changed purpose of the data processing. In cases of further processing for purposes other than those for which we originally collected the data, we will notify you of these other purposes prior to the data being processed further, and will provide you with all other information that relates to this.

14 Automated individual decision-making or profiling

We do not use any automated processing systems for coming to specific decisions – including profiling.

The privacy of your personal data is very important to us. The purpose of this privacy policy is to inform users of the Geberit Internet services, particularly the Geberit website(s) (“website”) – as well as customers, suppliers and other business partners – about how the Geberit companies within the EU, the EEA, Switzerland and the United Kingdom process personal data. With this in mind, not all aspects of this information may apply to you.

Personal data within the scope of this privacy policy refers to any data that relates or can be related to you, such as your name, address or email address. The controller responsible for processing your personal data is

Geberit Sales Ltd, Geberit House, Edgehill Drive, Warwick, CV34 6NH

Our data protection department, including the data protection officer can be reached at dataprotection@geberit.com or at our postal address with the added information “data protection”. To arrange a confidential appointment with only our data protection officer, please use the following contact details: KREMER Rechtsanwälte, Disch-Haus, Brückenstraße 21, 60667 Köln, E-Mail: dpo@geberit.com.

Version: April 2023