Data privacy statement

HWA AG is pleased about your visit to our website and your interest in our company.

With this data privacy statement, we inform you about the personal data that is processed when you visit our website and about what rights you have. We would therefore request you to read the following explanations carefully.

Personal data is all information relating to an identified or identifiable natural person. This, for example, includes your name, your address and communication data or your e-mail address.

Processing means any operation or series of operations carried out with or without the aid of automated procedures using personal data, such as the collection, recording, organization, structuring, storage, adaptation or alteration, reading out, querying, use, disclosure by transmission, dissemination or any other form of provision, adjustment or linking, restriction, deletion or destruction.

The person affected is any identified or identifiable natural person whose personal data is processed by the person responsible for processing.

The person responsible or ‘person responsible for processing’ is the natural or legal person, authority, institution or other body which either by themselves or jointly with others decides on the purposes for and means of processing personal data.

Users include all categories of persons affected by data processing. Such persons include our business partners and other visitors to our website.

We would also like to refer you to the definitions set out in Art. 4 of the General Data Protection Regulation – GDPR in regard to the terms used. The terms used, such as ‘user’, are to be understood as gender-neutral.

1. Name and address of the person responsible
Benzstraße 8
DE-71563 Affalterbach, Germany
Phone +49 (0) 71 44/87 17-0
Fax +49 (0) 71 44/87 17-100

The representative of the person responsible is Mr. Ulrich Fritz, Chief Executive Officer.

2. Data protection officer
Udo Noller
stratego IT management GmbH
Hofäckerstr. 32
74374 Zaberfeld

You can reach our data protection officer by e-mail at or by mail addressed to the ‘The Data Protection Officer’ at our postal address.

3. The processing of personal data
3.1. Visiting our website
3.1.1. Scope of data processing
Your browser will transfer certain types of data to our web server also for technical reasons when you visit our website. This is the following data (so-called server log files):
* IP address
* Date and time of the request
* Difference in time zones based on Greenwich Mean Time (GMT)
* Content of the request (concrete page)
* Operating system and its access status/ HTTP status code
* The amount of data transmitted
* Website from which the request is being made (‘referrer URL’)
* Browser, language and version of the browser software

3.1.2. Purpose of data processing
It is necessary to store this data in log files in order to ensure that the website is able to function. It helps us to optimize our website and safeguard the security of our information-technology systems.

3.1.3. Legal basis of processing
We collect this data on the basis of our legitimate interest within the meaning of Art. 6 (1) (f) of the GDPR for the purposes of being able to display our website and to guarantee its security.

3.1.4. Duration of storage
Information in the log files is stored for security reasons for a maximum of seven days (e.g. to investigate misuse or fraud), and then deleted after that. Data that needs to be stored for longer for the purposes of later evidence is excluded from deletion until the respective incident has been finally clarified.

3.1.5. Options for objecting and removing data
The collection of data for providing the website and the storage of this data in log files is absolutely necessary for technical reasons for the operation of the site. That is why consequently no options exist for the user to object in this regard.

3.2. Contact form and e-mail contact
3.2.1. Scope of data processing
You can get into contact with us via the contact forms on our website. In this context, we process the data from the entry mask: company, first name, last name, street, house number, ZIP code, town, e-mail, phone number, message.

As an alternative, you can also contact us via our e-mail address. The sender's personal data that is transferred with the e-mail will then be processed in such cases.

3.2.2. Recipients of the data
The data transmitted to us is processed by internal staff that is responsible for the according business process.

3.2.3. Purpose of data processing
The personal data provided via the entry mask helps us to process your request. The additional personal data that is processed during the process of sending (e.g. IP address, date, time) serves to prevent a misuse of the contact form to ensure the security of our information-technology systems.

3.2.4. Legal basis of processing
The details of users who get in touch with us (using the contact form or by e-mail) are processed in accordance with Art. 6 (1) (b) GDPR to enable us to process and deal with the contact request.

3.2.5. Duration of storage
We delete personal data when it is no longer required for achieving the purposes for which it was collected. This is the case for personal data received through the contact form's entry mask and data sent by e-mail when the respective conversation with the user has been concluded. The conversation will have been concluded when the circumstances indicate that the matter in question or the request for information has been ultimately clarified.

3.2.6. Options for objecting and removing data
You have at all times the option to revoke your consent to personal data being processed.

If you contact us by e-mail, you can object at any time to your personal data being stored. This will, of course, mean that it will no longer be possible to continue our conversation. Please direct such a revocation to All personal data stored within the scope of your efforts to get in touch with us is then deleted.

3.3. Job applications
3.3.1. Scope of data processing
If you are interested in working for our company, you can send an application online. Under the ‘Careers‘ menu item, you can find open positions in our company. You can also send unsolicited applications.

We collect the following data in our applicant form. The fields marked with * are mandatory.
Personal data: Form of address*, Title, First name*, Last name*, Street*, Postcode*, Town*, Country*, Date of birth*, Phone*, E-mail*;
Framework data: How you found us*, Notice period
School, job training, profession: School degree, Professional experience, Job training
Others: Earliest possible date to join the company*, Desired salary
General skills: Other skills, MS Office

Attachments: Here you can attach either the whole application document or single documents such as e.g. photo, cover letter, resume, testimonials, school report cards, university certificates, or other attachments.

3.3.2. Recipients of the data
The personal data provided by you can be seen by the HR department and the specialist department in charge of filling the position.

In the framework of the order processing in line with data regulations in compliance with Art. 28 GDPR, we use the applicant system rexx recruitment by the manufacturer rexx systems GmbH, Süderstraße 77, DE-20097 Hamburg, The data processing takes place in the Federal Republic of Germany.

3.3.3. Purpose of data processing
We process personal data for taking a decision on the establishment of an employment relationship, in particular for the selection process of suitable candidates and the administrative execution of the application process.

3.3.4. Legal basis of processing
The legal basis is § 26 (1) BDSG-neu [German Federal Data Protection Act -new]

3.3.5. Duration of storage
In case the application leads to an employment relationship, we process this data for the execution of the employment relationship. This will then be included into our HR administration system.

In case the application does not lead to an employment relationship, this data will be deleted within 3 months after the ending of the application procedures, taking into account the deadline for taking legal action according to AGG [German Equal Treatment Act] unless the applicant has given their consent for a longer-term retention of their personal data in accordance with Art. 6 (1) (a) GDPR and Art. 7 GDPR to be possibly considered in case of new open positions.

3.3.6. Options for objecting and removing data
You can have the information sent to us renewed or deleted at any time upon request. For this, please send an e-mail to This is not effective when you have applied for a concrete position in an ongoing application process. In this case we save the information you provided for this position until the expiration of the legal deadlines for filing a law suit (in particular § 15 AGG [German Equal Treatment Act]).

3.4. Newsletter
3.4.1. Nature and purpose of the processing:
Your data will only be used to send you the subscribed newsletter by e-mail. Your name is entered in order to address you personally in the newsletter and, if necessary, to identify you if you wish to exercise your rights as a person affected.
To receive the newsletter, it is sufficient to enter your e-mail address. If you register to receive our newsletter, the data you provide will be used exclusively for this purpose. Subscribers can also be informed by e-mail about circumstances relevant to the service or registration (e.g. changes to the newsletter offer or technical conditions).
For an effective registration we need a valid e-mail address. In order to verify that a registration is actually made by the owner of an e-mail address, we use the "double-opt-in" procedure. For this purpose, we log the ordering of the newsletter, the sending of a confirmation e-mail and the receipt of the answer requested hereby. Further data is not collected. The data is used exclusively for the newsletter dispatch and will not be passed on to third parties.
3.4.2. Legal basis:
On the basis of your expressly given consent (Art. 6 para. 1 lit. a GDPR), we will send you our newsletter or comparable information regularly by e-mail to your specified e-mail address.
You can revoke your consent to the storage of your personal data and its use for the newsletter dispatch at any time with effect for the future. You will find a corresponding link in every newsletter. You can also unsubscribe at any time directly on this website or inform us of your revocation via the contact option given at the end of this data protection information.
3.4.3. Recipient:
Recipients of the data may be order processors.
3.4.4. Storage period:
The data will only be processed in this context as long as the corresponding consent has been given. Afterwards they will be deleted.
3.4.5. Provision prescribed or necessary:
The provision of your personal data is voluntary, based solely on your consent. Without existing consent, we unfortunately cannot send you our newsletter.

3.5. Cookies
3.5.1. Scope of data processing
Our website uses cookies. Cookies are small text files that are stored on your computer when you visit our website. Cookies cause no damage on your computer and do not contain any malware, e.g. viruses. Cookies contain a characteristic sequence of characters that enables the browser to be uniquely identified when the website is revisited. Some elements of our website require that the browser making the request can be identified even after a page change.

This is done by assigning an identification number to the cookie (‘cookie ID’) and not by assigning it to you personally. The cookie ID is not combined with your name, your IP address or similar data that would enable the cookie to be assigned to you.

This website uses transient and persistent cookies.

a) Transient cookies are automatically deleted when you close your browser. These include in particular so-called session cookies. These store so-called session IDs, which allow different requests from your browser to be assigned to the joint session. It is possible to recognize your computer when you return to our website. The session cookies will be deleted when you log out or close the browser.

b) Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. Cookies may be deleted at any time with the help of your browser's security settings.

3.5.2. Purpose of data processing
We use cookies to make our website attractive and user-friendly, to improve it and to speed up inquiries.

Some of our website's elements, such as for example our applicant management system, require the ability to identify the browser making the request even after changing the page. It is necessary for these to be able to also recognize the browser even after a page change.

3.5.3. Legal basis for data processing
The legal basis for the processing of personal data using the technically necessary cookies is Art. 6 (1) (f) GDPR.

3.5.4. Duration of storage
Session cookies are deleted as soon as the browser is closed.

Persistent cookies are automatically deleted after a specified period.

3.5.5. Options for objecting and removing data
As a user, you have full control over the use of cookies. By changing the settings in your Internet browser, it is possible to set it so that cookies are not stored at all or are automatically deleted at the end of your Internet session. Please select ‘do not accept cookies’ in your browser's settings to this end. In Microsoft Internet Explorer, select ‘Tools > Internet Options > Privacy > Settings’; in Firefox select ‘Tools > Settings > Privacy > Cookies’); please refer to the browser's help function for instructions on how to block and delete cookies if you are using a different Internet browser.

Please note, however, that in this case you may not be able to use all our website's functions.

4. Data security
We take technical, contractual and organizational measures to ensure the security of data processing in accordance with best available technology. It is in this way that we ensure that the regulations set out in the data protection laws, in particular the General Data Protection Regulation, are observed and that the data we process is protected against destruction, loss, modification and unauthorized access. These security measures also include the encrypted transmission of data between your browser and our servers. Please note that SSL encryption is only activated for transmissions made over the Internet if the key symbol appears in the lower menu bar of your browser window and the address starts with https://. SSL (Secure Socket Layer) uses encryption technology to protect data transmission against illegal data access by third parties. You may also choose not to send certain data over the Internet if this option is not available.

All information that you transmit to us is stored and processed on our servers in the Federal Republic of Germany.

5. Forwarding of data to third parties and third-party providers
Data will only be forwarded to third parties within the framework of legal requirements. We will only forward user data to third parties if, for example, it is necessary to do so for contractual purposes on the basis of Art. 6 (1) (b) GDPR or on the basis of legitimate interests in the economic and effective operation of our business activities pursuant to Art. 6 (1) (f) GDPR.

We use subcontractors to help us provide our services, in particular for the operation, maintenance and hosting of the website within the scope of order processing in accordance with Art. 28 DSGVO. We have taken appropriate legal precautions and corresponding technical and organizational measures to ensure the protection of personal data in compliance with the relevant statutory provisions. The data processing takes place in Germany.

6. External services and content on our website
We integrate external services or content on our website. This is done on the basis of our legitimate interests in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR.

When such services are used or third-party content is displayed, communication data such as the date, time and IP address are exchanged between you and the respective provider for technical reasons. This, in particular, includes your IP address, which is required to display content in your browser.

The provider of the respective services or contents may process your data for own additional purposes. Due to the fact that we are unable to influence the data collected by third parties and how it is processed by such third parties, we are, however, also unable to make any binding statements about why and the extent to which your data is processed.

6.1. Use of script libraries (Google Webfonts)
6.1.1. Nature and purpose of the processing:
In order to display our content correctly and in a graphically appealing manner across browsers, we use "Google Web Fonts" from Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google") on this website to display fonts.
The privacy policy of the library operator Google can be found here:
6.1.2. Legal basis:
The legal basis for the integration of Google Webfonts and the associated data transfer to Google is your consent (Art. 6 para. 1 lit. a GDPR).
6.1.3. Recipient:
Calling up script libraries or font libraries automatically triggers a connection to the operator of the library. It is theoretically possible - although it is currently unclear whether and for what purposes - that the operator collects data from Google in this case.
6.1.4.Storage period:
We do not collect any personal data through the integration of Google Webfonts.
For more information about Google Web Fonts, please visit and Google's privacy policy:
6.1.5. Third Country Transfer:
Google processes your data in the USA and has submitted to the EU_US Privacy Shield
6.1.6.Provision required or necessary:
The provision of personal information is not required by law or contract. However, it cannot be provided without the correct display of the contents of standard fonts.
6.1.7. Revocation of consent:
The programming language JavaScript is regularly used to display the contents. You can therefore object to the data processing by deactivating the execution of JavaScript in your browser or by installing an integration JavaScript blocker. Please note that this may result in functional restrictions on the website.
For further information on the purpose and scope of the collection and processing of your data, please refer to the data protection information of the respective providers of the services or contents integrated by us.
Google Maps
Maps for route planning are provided by the third-party provider Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: Opt-out:
Social Media
HWA AG links on these pages of the web presence to the corporate appearances of HWA AG of the social networks mentioned below. The criteria according to the EU data protection basic regulation apply there, which can be reached under the respectively named link:
Provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
The data processing is based on an agreement on the joint processing of personal data in accordance with Art. 26 GDPR.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA
Provider: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
Provider: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland
Provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany)

7. Your rights
When we process your personal data, you are the person concerned in the meaning of the General Data Protection Regulation – GDPR and therefore possess the following rights concerning the personal data relating to you in regard to us:

Right of access by the data subject (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR),
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR)

With regard to the right of information and the right of deletion, the restrictions according to §§ 34 and 35 BDSG [German Federal Data Protection Act] apply.
Right to appeal to a supervisory authority
In addition, there is a right of appeal to a data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG [German Federal Data Protection Act]).
The supervisory authority responsible for us is:
The State Commissioner for Data Protection and Freedom of Information oft he State of Baden-Württemberg
PO Box 10 29 32
70025 Stuttgart
Phone: 0711/615541-0
fax: 0711/615541-15

8. Changes to this data privacy statement
We reserve the right to change the data privacy statement in order to adapt it to changed legal situations or in the event of changes to the service and to the data processing. This only applies, however, in regard to declarations about data processing. The changes will only be made with the user’s consent if user’s consent is required or if components of the data privacy statement contain provisions of the contractual relationship with the users.

Please keep yourself regularly informed about the contents of the data privacy statement.

Last update: April 2020