(* e.g. those interested in our products)

The following information is intended to inform you about how we process your personal data and what rights you have under data protection law.

1. Who is responsible for data processing and who can you contact?

The Hettich company with which you enter into a business relationship or with which you contact as a (potential) customer or interested party is generally responsible for data processing.

A list of the companies in the Hettich Group and the respective data protection officers, including contact details, can be found in Appendix 1.

2. What sources and data do we use?

We process personal data of employees or contact persons of customers that we receive in the course of initiating, establishing and conducting a business relationship. This includes, in particular, title, name, business contact details (e.g. email address, telephone number) and other data that is provided to us by the customer or arises from the respective context (e.g. position and function at the customer, power of representation).

If the customer is a natural person - sole trader or self-employed, we also collect personal data related to the customer's business activities, such as bank details, VAT identification number and creditworthiness data.

In addition, we process personal data that we obtain from public sources (e.g. commercial registers) in a permissible manner or that is legitimately transmitted to us by third parties (e.g. credit agencies, distribution partners).

3. Why do we process your data (purpose of processing) and on what legal basis?

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection regulations.

3.1 To fulfil contractual obligations (Art. 6 (1) (b) GDPR)
We process your personal data for the purpose of performing our contracts with you, in particular in the context of our order processing. Furthermore, your personal data is processed for the purpose of carrying out measures and activities in the context of pre-contractual relationships.

3.2 To fulfil legal obligations (Art. 6 (1) (c) GDPR)
We process your personal data if this is necessary to fulfil legal obligations, in particular commercial and tax law retention and documentation obligations.

3.3 To pursueour legitimate interests (Art. 6 (1) (f) GDPR)
Where necessary, we process your data beyond the actual fulfilment of the contract in order to pursue our legitimate interests, which consist of managing, maintaining and optimising our supply relationships in an efficient, transparent and documented manner. We process your data for the following purposes in particular:

• Checking the creditworthiness of customers,
• Including the customer in our trade credit insurance,
• Advertising and marketing measures,
• Statistical evaluations and market analyses,
• Asserting claims and defending them in court and out-of-court disputes,
• Exercising domiciliary rights (including visitor management and access control),
• Holding events (trade fairs, events, training courses, etc.),
• Developing and training AI models,
• Restricted storage of your data if deletion is not possible or only possible with disproportionate effort due to the special nature of the storage.  

Note on AI training: The development and training of AI models takes place in secure environments.

3.4 Based on your consent (Art. 6 (1) (a) GDPR) 
If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent.

Consent that has been given can be withdrawn at any time. The withdrawal of consent only has effect for the future and does not affect the lawfulness of the data processed until the withdrawal. 

4. Who receives your data?

We only pass on your personal data to companies within the Hettich Group if this is necessary to fulfil the purposes specified in section 3.

For these purposes, recipients outside the Hettich Group may also receive your data, in particular

• service providers used by us, e.g. logistics service providers, IT service providers, telecommunications companies, service providers for business information, consulting firms (including solicitors, tax consultants and auditors), 

• insurance companies, in particular trade credit insurance companies,

• distribution partners,

• public authorities and institutions in the event of a legal or official obligation.

In this context, your data may be transferred to recipients in countries outside the EU and the EEC (so-called ‘third countries’). However, data will only be transferred to recipients in third countries if the EU Commission has confirmed that the third country has an adequate level of data protection or if other appropriate data protection guarantees (e.g. binding internal company data protection regulations or EU standard contractual clauses) are in place.

5. How long do we store your data?

We process and store your personal data to the extent and for as long as this is necessary to fulfil contractual or legal obligations. For example, we store your data to comply with commercial or tax law retention and documentation obligations. Furthermore, longer storage may be necessary to preserve evidence within the national limitation period regulations.

Your personal data will only be stored in AI models to the extent and for as long as this is necessary for the development and training of the AI model in question. Once development or training has been completed, the data will be deleted from the AI model.

6. To what extent do we use automated decision-making (including profiling)?

We use automated processing methods (including AI) to optimise and support our internal processes. However, we do not use fully automated decision-making in accordance with Art. 22 GDPR. Should we use these procedures in individual cases, we will inform you separately if this is required by law.

7. What data protection rights do you have?

The applicable data protection law grants you comprehensive rights as a data subject vis-à-vis the controller (see section 1 above) with regard to the processing of your personal data. Every data subject has 

• the right to information about the data we have stored about them, 

• the right to rectification, erasure or restriction of the processing of their personal data,

• the right to object to processing (see section 9 below), 

• the right to data portability, 

• the right to lodge a complaint with a data protection supervisory authority.

8. Are you obliged to provide data?

Within the scope of our business relationship, you are required to provide the personal data necessary for the establishment, execution and termination of a business relationship and for the fulfilment of the associated contractual obligations, or which we are legally obliged to collect. Without this data, we will generally not be able to conclude, execute or terminate a contract with you. 

9. Information about your right to object (Art. 21 GDPR)

9.1 Right to object on grounds relating to your particular situation
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data carried out on the basis of Article 6 (1) (f) GDPR (data processing based on a balancing of interests). This also applies to profiling based on this provision within the meaning of Article 4 (4) GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

9.2 Right to object to direct marketing
If we process your personal data for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

9.3 Recipient of the objection 
You can exercise your right to object using the contact details provided in Appendix 1.

Status: January 2026