Privacy Notice
These Privacy Notices apply to the website of the Büschl Unternehmensgruppe at www.bueschl-gruppe.de.
Büschl Unternehmensgruppe has summarized in these Privacy Notices—prepared in accordance with the requirements of the General Data Protection Regulation (GDPR)—the conditions under which personal data is processed on this website.
As a general rule, the website www.bueschl-gruppe.de can be used without providing personal data. This may require disabling certain services described in these Privacy Notices. If certain services offered on this website are used, the transmission of personal data may become necessary. Details can be found in the following sections.
1. Definitions Used in These Privacy Notices
Controller
Büschl Unternehmensgruppe Holding GmbH & Co. KG, represented by Büschl Unternehmensgruppe Holding Verwaltungsgesellschaft mbH, for this website.
Personal Data
All information relating to an identified or identifiable individual (cf. Art. 4 GDPR).
Processing
Any operation performed with or without automated means such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, provision, alignment, combination, erasure, or destruction of personal data.
Consent
A clear statement by which the data subject indicates agreement to the processing of personal data.
Erasure
Complete deletion of data, without the possibility of recovery.
Restriction of Processing
Limitation of processing activities due to legal retention obligations or potential legal claims that prevent deletion.
Recipient
The entity (person or company), if applicable, to whom personal data is disclosed.
2. Name and Address of the Controller
Büschl Unternehmensgruppe Holding GmbH & Co. KG
Represented by:
Büschl Unternehmensgruppe Holding Verwaltungsgesellschaft mbH
Managing Directors:
Dirk Otto, Christoph Helfrich, Nadine Dilg
Address:
Tölzer Straße 30a
82031 Grünwald
Germany
Phone: +49 89 74 28 75 257
Fax: +49 89 74 28 75 56
Email: info@bueschl-gruppe.de
3. Contact Details of the Data Protection Officer
Email: datenschutz@bueschl-gruppe.de
4. General Information on Data Processing
4.1 Scope of Processing
We process personal data of users only to the extent necessary for providing a functional website and our content and services. Processing generally takes place only with user consent, except where consent cannot be obtained for factual reasons and where processing is permitted by law.
4.2 Legal Basis
- Art. 6(1)(a) GDPR – consent
- Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures
- Art. 6(1)(c) GDPR – compliance with a legal obligation
- Art. 6(1)(d) GDPR – protection of vital interests
- Art. 6(1)(f) GDPR – legitimate interests pursued by us or a third party
4.3 Cooperation with Third Parties
Personal data may be transferred to third parties, including service providers (processors). Transfers occur only with a legal basis, user consent, legal obligation, or legitimate interest under Art. 6(1)(f) GDPR. Processor contracts follow Art. 28 GDPR.
4.4 Processing in Third Countries (Including the United States)
We use tools provided by companies that may transfer and store your data in the United States. U.S. data protection laws do not offer the same level of protection as the GDPR.
U.S. authorities may access data for security or surveillance purposes without legal remedies available to you. We have no control over such processing activities.
4.5 Storage and Deletion
Personal data is deleted or restricted as soon as the purpose no longer applies. Further storage may occur if required by EU or national law. Data is also deleted when legally mandated retention periods expire unless continued storage is needed to fulfill a contract or legal obligation.
5. Provision of the Website and Creation of Log Files
5.1 Description and Scope
Upon each visit, our system automatically collects the following data:
- Browser type and version
- User’s operating system
- User’s internet service provider
- IP address and referring website
- Date and time of access
- Websites from which the user’s system accesses our site
- Websites accessed from our site
This data is stored in log files; it is not combined with other personal data.
5.2 Legal Basis
Art. 6(1)(f) GDPR (legitimate interest).
5.3 Purpose
- Delivery of the website to the user’s device
- System security
- Optimization of the website
No marketing-related evaluation occurs.
5.4 Storage Duration
- Deleted when no longer required
- Log files: deleted after seven days; anonymization of IPs may occur
5.5 Objection
Collecting log files is essential for operating the website; no opt-out is available.
6. Processing of Account Data – Non‑Public Investor Relations Area
6.1 Description
When contacting us via the registration form, we process the data you provide, including:
- Address data
- Title, first name, last name
- Email address
- Proof of legitimate interest
- Bank deposit certificate containing:
  - First name, last name
  - Address
  - Nominal amount
  - Date of issue
  - Issuing bank
6.2 Legal Basis
Art. 6(1)(b) and Art. 6(1)(f) GDPR.
6.3 Purpose
To verify your investor status and provide access to the non-public IR area.
6.4 Storage Duration
Data remains stored until you request deletion or the purpose no longer applies.
7. Processing of Applicant Data
7.1 Controller
The contact person for your application is the individual listed in the job posting.
7.2 Categories of Data Processed
Includes:
- Personal details
- Documents (CVs, certificates, etc.)
- Education history
- Billing data (e.g., bank details for reimbursement)
- Internal organizational data
- Communication data
- Log data from IT systems
May include special categories of data (Art. 9 GDPR).
7.3 Purpose and Legal Basis
Processing takes place for the purpose of initiating an employment relationship.
Legal bases include:
- Art. 6(1)(b) GDPR + §26 BDSG
- Art. 6(1)(a) GDPR (consent)
- Art. 6(1)(f) GDPR (legitimate interest)
- Art. 9(2)(b) & (h) GDPR for special categories
8. Hosting Services
We use third‑party hosting providers to operate this website. Personal data processed includes log files, cookies, and communications data. Legal basis: Art. 6(1)(f) GDPR. Deletion occurs once data is no longer needed. A processor agreement under Art. 28 GDPR is in place.
9. Use of Cookies
9.1(a) Description
We use cookies to provide essential website functions and, where consented, for analytics purposes. Data such as language settings, session identifiers, and search terms may be processed.
A cookie consent tool (“Real Cookie Banner”) is used.
Legal basis: Art. 6(1)(c) and 6(1)(f) GDPR.
9.1(b) Legal Basis
- Necessary cookies: Art. 6(1)(f) GDPR
- Analytics cookies: Art. 6(1)(a) GDPR
9.1(c) Purpose
Necessary cookies ensure the operation of the website.
Analytics cookies improve website quality.
9.1(e) Duration / Opt‑Out
Users can disable cookies in the browser; full functionality may not be available afterward.
10. Google Analytics
Provider: Google Ireland Limited.
Data may be transferred to the US under Standard Contractual Clauses.
IP anonymization is active.
Legal basis: Art. 6(1)(f) GDPR.
Purpose: website improvement and usage analysis.
11. Google Tag Manager
Tags are managed without storing personal data.
12. Google Fonts
Fonts loaded from Google servers; data may be transferred to the US.
13. Google Maps
Maps are embedded; personal data may be transferred.
14. Adobe Fonts (Typekit)
Fonts are loaded from Adobe servers in the US; IP addresses may be stored.
15. Rights of the Data Subject
15.1 Right of Access
You have the right to obtain confirmation from the Controller as to whether personal data concerning you is being processed.
If such processing is taking place, you have the right to request access to the following information:
- the purposes for which the personal data is being processed;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data concerning you has been disclosed or will be disclosed;
- the planned duration of the storage of your personal data or, if specific details cannot be provided, the criteria used to determine the storage period;
- the existence of a right to rectification or erasure of your personal data, a right to restrict processing by the Controller, or a right to object to such processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- any available information about the source of the data if the personal data was not collected directly from you;
- the existence of automated decision‑making, including profiling, as referred to in Art. 22(1) and (4) GDPR, and—at least in those cases—meaningful information about the logic involved as well as the significance and the intended consequences of such processing for you.
You also have the right to request information about whether your personal data is transferred to a third country or an international organization. In this context, you may request to be informed about the applicable safeguards pursuant to Art. 46 GDPR relating to such transfers.
15.2 Right to Rectification
You have the right to request that the Controller correct or complete personal data concerning you if it is inaccurate or incomplete. The Controller must make the correction without undue delay.
15.3 Right to Restriction of Processing
You may request the restriction of processing of your personal data under the following circumstances:
- You contest the accuracy of your personal data for a period enabling the Controller to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- The Controller no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise, or defense of legal claims;
- You have objected to processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the Controller override your interests.
Where processing of your personal data has been restricted, such data may—apart from storage—only be processed with your consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or a Member State.
You will be informed by the Controller before any restriction is lifted.
15.4 Right to Erasure (“Right to be Forgotten”)
a) Obligation to Erase
You may request that the Controller erase personal data concerning you without undue delay, and the Controller is obligated to do so if one of the following reasons applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- You withdraw your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and no other legal ground for the processing exists;
- You object to processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for processing, or you object pursuant to Art. 21(2) GDPR;
- The personal data has been unlawfully processed;
- Erasure is required to comply with a legal obligation under EU law or the law of a Member State to which the Controller is subject;
- The personal data was collected in relation to the offer of information society services pursuant to Art. 8(1) GDPR.
b) Notification to Third Parties
If the Controller has made personal data public and is obliged pursuant to Art. 17(1) GDPR to erase such data, the Controller shall take reasonable steps, taking into account available technology and implementation costs, to inform other controllers processing the personal data that you have requested the erasure of all links to, or copies or replications of, such personal data.
c) Exceptions
The right to erasure does not apply where processing is necessary:
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation under EU or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Art. 89(1) GDPR, insofar as the right referred to in section (a) would likely render impossible or seriously impair the achievement of the objectives of such processing;
- for the establishment, exercise, or defense of legal claims.
15.5 Right to Notification
If you have asserted your right to rectification, erasure, or restriction of processing, the Controller is obliged to notify all recipients to whom your personal data has been disclosed, unless such notification proves impossible or involves disproportionate effort.
You have the right to request information about these recipients.
15.6 Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to the Controller in a structured, commonly used, and machine‑readable format. You also have the right to transmit this data to another controller without hindrance from the Controller to whom the data was provided, where:
- the processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR, or on a contract pursuant to Art. 6(1)(b) GDPR; and
- the processing is carried out by automated means.
You also have the right to have your personal data transmitted directly from one controller to another, where technically feasible, provided that this does not adversely affect the rights and freedoms of others.
This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
15.7 Right to Object
You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.
The Controller will no longer process your personal data unless compelling legitimate grounds override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Where your personal data is processed for direct marketing purposes, you may object at any time to such processing, including profiling related to direct marketing.
If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.
You may exercise your right to object by automated means using technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.
15.8 Right to Withdraw Consent
You have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
15.9 Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for entering into, or performance of, a contract between you and the Controller;
- is authorized by EU or Member State law that applies to the Controller and that also lays down suitable measures to safeguard your rights, freedoms, and legitimate interests; or
- is based on your explicit consent.
Such decisions may not be based on special categories of personal data under Art. 9(1) GDPR unless Art. 9(2)(a) or (g) applies and suitable safeguards have been implemented.
In the first and third cases listed above, the Controller must implement suitable measures to safeguard your rights, freedoms, and legitimate interests, including at least the right to human intervention, to express your point of view, and to contest the decision.
15.10 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority—particularly in the Member State of your residence, place of work, or place of the alleged infringement—if you believe that the processing of your personal data violates the GDPR.
The supervisory authority with which the complaint is lodged shall inform you of the progress and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.