A. Name and address of the data controller
For the purposes of the General Data Protection Regulation (GDPR) and other national data protection laws the data controller is:
Since the criteria of section 38 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) do not apply to the Wilo-Foundation, the Foundation is not obliged to appoint a data protection officer. Should you have any questions relating to data protection issues, please contact:
B. General information on data processing
1. Scope of the processing of personal data
We only collect and use our user’s personal data to the extent necessary to provide a functioning website, contents and services. We only collect and use our user’s personal data after having obtained the user’s consent. An exception applies in cases when the user’s consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
2. Legal basis for the processing of personal data
Article 6(1) point (a) GDPR serves as the legal basis if we obtain the data subject’s consent to the processing of personal data.
Article 6(1) point (b) GDPR serves as the legal basis for the processing of personal data required to perform a contract to which the data subject is a party. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
Article 6(1) point (c) GDPR serves as the legal basis if the processing of personal data is required to perform statutory obligations owed by our company.
Article 6(1) point (d) GDPR serves as the legal basis in the event that vital interests of the data subject or another real person require the processing of personal data.
Article 6(1) point (f) GDPR serves as the legal basis if the data processing is necessary to safeguard a legitimate interest of our company or a third party that prevails over the data subject’s interests, fundamental rights and fundamental freedoms.
3. Data deletion and storage period
The personal data of the data subject is deleted or blocked as soon as the purpose of their storage has been achieved. Storage for a longer period is possible if provided for by the European or national legislator in relevant Union regulations, laws or other provisions governing the data controller. The data is also deleted or blocked once the statutory retention period lapses, unless there is a requirement to retain the data for entering into or performing a contract. The data we delete includes, inter alia
- log data, which is deleted after 180 days, and anonymised after 7 days.
C. Provision of the website and generation of log files
1. Description and scope of data processing
Our system automatically collects data and information from the accessing computer on each occasion a user visits our website.
The following data is collected:
(1) The user’s IP address, but in partially anonymised form, so it cannot be traced back to the user
(2) Date and time of access
(3) Websites from which the user was referred to our website
(4) Sub-websites accessed by the user
(5) Websites accessed by the user’s system via our website
(6) Duration of the user’s visit
(7) Time of the user’s first visit and most recent visit
2. Legal basis for the data processing
The legal basis for the temporary storage of the data and log files is Article 6(1) point (f) GDPR.
3. Purpose of the data processing
The purpose of the data use is the evaluation of the use of websites so as to further improve the offer and user experience. Through the evaluation, information on how the website is used can be obtained, and in this way the content of the website continuously optimised. The user data collected in this way for the purpose of analysis is anonymised by technical measures. Therefore, the data can no longer be allocated to the user accessing the site. The data is not stored together with other personal data of the users.
4. Storage period
Our provider’s services store the data they process for an unlimited period. They do not use any cookies but only process the access log data. IP addresses are stored in the access log as partially anonymised information. Consequently, this information does not constitute personal data.
The actual website (Typo3) stores the data for a period of 180 days, with IP addresses being anonymised after 7 days.
5. Right to object and contest a decision
The collection of the data for the provision of the website and storage of the data in log files is absolutely essential for the operation of the website. This means that the users cannot object to this collection and storage of data.
1. Description and scope of the data processing
Our website or its services use no cookies.
E. Contact by e-mail and contact form
1. Description and scope of the data processing
Our website offers a contact page providing an e-mail address and a contact form. Both can be used to send electronic correspondence to us. In this case, the user’s personal data transmitted in the e-mail or the contact form will be stored.
The data is not disclosed to any third parties in this context. The data is used exclusively for processing the correspondence unless we use contractors for the performance of our services, in which case we will forward the request to them with your consent.
2. Legal basis for the data processing
The legal basis for the processing of data submitted in an e-mail or via the contact form is Article 6(1) point (f) GDPR. If the objective of the e-mail contact is to enter into a contract, e.g. a funding contract, the data processing is also based on Article 6(1) point (b) GDPR
3. Purpose of the data processing
We exclusively process the personal data submitted via an online form for processing the user’s inquiry. In the case of contact via e-mail or using the contact form, this also includes the required legitimate interest in the processing of the data.
4. Storage period
The data is deleted as soon as the purpose of collecting them has been achieved. Personal data entered into the online form is not stored on our servers. The data sent via e-mail is deleted once the respective correspondence with the user has been concluded. The correspondence is deemed concluded if the circumstances indicate that the respective inquiry has been resolved in final.
If the user’s getting in contact with us leads to ongoing business relations, we will retain the data for 10 years.
5. Right to object and contest a decision
The user may revoke their declaration of consent to the processing of personal data at any time. Users who contact us by e-mail may revoke their consent to the storage of their personal data at any time. If a consent is revoked, the correspondence with the user will be terminated.
In this case, all personal data stored during the course of making contact will be deleted
F. Website analysis services
No website analysis tools are used by the website or its services.
G. Rights of the data subject
If your personal data is processed, you are a data subject in the meaning of the GDPR. You have the following rights against the data controller:
1. Access to information
You have the right to request the controller to confirm whether we process any of your personal data. If this is the case, you have the right to request the data controller to furnish you with the following information:
(1) The purposes for processing the personal data;
(2) The categories of personal data that is processed;
(3) The recipients or categories of recipients to whom your personal data was or will be disclosed to;
(4) The intended period for storing your personal data or, if no precise information is available, the criteria for determining the period of storage;
(5) The existence of a right to the deletion or correction of your personal data, a right to restrict the data processing by the data controller, and a right to revoke your declaration of consent for such data processing;
(6) The existence of a right to lodge a complaint with a supervisory authority;
(7) All available information on the source of any personal data that was not collected from the data subject;
(8) The existence of automated individual decisions, including profiling pursuant to Article 22(1) and (4) GDPR and, where this is the case, meaningful information regarding the logical reasoning involved and the magnitude and intended effects of such data processing for the data subject.
You also have the right to demand information on whether your personal data was transmitted to a third country or an international organisation. You may in this respect demand to be informed about the adequate safeguards pursuant to Article 46 GDPR in relation to the transmission.
2. Right to rectification
You have a right to request the data controller to correct or complete your data if your personal data is incorrect or incomplete. The data controller must correct the data without undue delay.
3. Right to restrict the data processing
You have the right to impose a restriction on the processing of your personal data under the following conditions:
(1) You contest the correctness of your personal data and allow the data controller sufficient time to verify the correctness of the personal data;
(2) The data processing is unlawful and you decline the deletion of your personal data relating and rather demand the processing of your personal data to be restricted;
(3) The data controller no longer requires the personal data for the purposes they were collected for, but you require the data for the purpose of asserting, exercising or defending legal interests, or
(4) You have objected against the data processing in accordance with Article 21(1) GDPR and a decision on whether the data controller’s legitimate interests prevail over yours has not been made.
If the processing of your personal data has been restricted, this data – except for their storage – may only be processed with your consent, for the purpose of asserting, exercising or defending legal interests, to protect rights of another person or legal entity or for reasons of important public interest of the European Union or a Member State.
If the restriction imposed on the processing of the data under the stated conditions is modified, you will be informed by the data controller before the restriction is lifted.
4. Right to erasure
a) Obligation to delete data
You may request the controller to promptly delete your personal data and the data controller is under an obligation to delete such data without undue delay, provided one of the following reasons apply:
(1) Your personal data is no longer required for the purposes for which they were collected or processed otherwise.
(2) You revoke your consent on which the data processing is based pursuant to Article 6(1) point (a) or Article 9(2) point (a) GDPR and there is no other legal basis for the data processing.
(3) You object to the data processing in accordance with Article 21(1) GDPR and there are no overriding legitimate interests in the data processing, or you object against the data processing in accordance with Article 21(2) GDPR
(4) Your personal data was processed unlawfully.
(5) The deletion of your personal data is required to perform a statutory obligation prescribed by EU law or the law of the Member States governing the data controller.
(6) Your personal data was collected in relation to services offered by the information society pursuant to Article 8(1) GDPR.
b) Notification of third parties
If the controller has made your personal data public and is under an obligation to delete such data pursuant to Article 17(1) GDPR, the data controller must, within the bounds of the available technology and implementation costs, take adequate measures, including those of a technical nature, to inform data controllers processing the personal data about the fact that you as the data subject have requested them to delete all links to this personal data, as well as copies or reproductions of this personal data.
You do not have a right to the deletion of your data to the extent the data processing is required
(1) to exercise the right to freedom of expression and freedom of information;
(2) to perform a statutory obligation that requires the data processing under EU law or the law of the Member States governing the data controller, or to perform a function in the public interest or to exercise a public authority conferred upon the data controller;
(3) or reasons of public interest in the area of public health pursuant to Article 9(2) points (h) and (i), as well as Article 9(3) GDPR;
(4) for archiving purposes that are in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) GDPR, to the extent the right stated in section a) is expected to render the achievement of the objectives of this data processing infeasible or to significantly impeded them, or
(5) for the purpose of asserting, exercising or defend legal interests.
5. Right to onward notification
If you have exercised your right to the correction or deletion of your data, or to impose a restriction on the data processing, against the data controller, the data controller is required to notify all recipients to whom your personal data was disclosed about such correction or deletion of your data, or the imposition of a restriction on the processing of your data, unless such action is infeasible or would entail unreasonable effort or expenses. You have the right to be informed about these recipients of your data by the data controller.
Ihnen steht gegenüber dem Verantwortlichen das Recht zu, über diese Empfänger unterrichtet zu werden.
6. Recht auf Datenübertragbarkeit
Sie haben das Recht, die Sie betreffenden personenbezogenen Daten, die Sie dem Verantwortlichen bereitgestellt haben, in einem strukturierten, gängigen und maschinenlesbaren Format zu erhalten. Außerdem haben Sie das Recht diese Daten einem anderen Verantwortlichen ohne Behinderung durch den Verantwortlichen, dem die personenbezogenen Daten bereitgestellt wurden, zu übermitteln, sofern
(1) the data processing is based on consent pursuant to Article 6(1) point (a) or Article 9(2) point (a) GDPR, or based on a contract pursuant to Article 6(1) point (b) GDPR, and
(2) the processing is conducted with the help of automated processes.
When you exercise this right, you are also entitled to have the personal data transmitted directly from one data controller to another, subject to technical feasibility. This must not compromise the rights and freedoms of third parties. The right data portability does not apply to data processing necessary for the performance of a function in the public interest, or in the exercise of a public authority conferred upon the data controller
7. Right to object
You have the right to object against the processing of your personal data on the basis of Article 6(1) point (e) or (f) GDPR for reasons resulting from your personal circumstances at any time; this also applies to profiling based on the same provisions.
The data controller will then cease the processing of your personal data, unless the controller demonstrates compelling legitimate interests in the data processing which prevail over your interests, rights and freedoms, or unless the processing serves the purpose of asserting, exercising or defending legal interests. Where personal data is processed for direct advertising purposes, you have the right to object against the processing of your personal data for such direct advertising purposes at any time; this also applies to profiling associated with such direct advertising. Your personal data will no longer be processed for direct advertising purposes if you object against the data processing for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by via automated processes that use technical specifications.
8. Right to revoke your declaration of consent under data protection law
You have the right to revoke a previously granted declaration of consent under data protection law. A revocation of consent will be without prejudice to the lawfulness of the data processing conducted prior to the revocation.
9. Automated individual decisions, including profiling
You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1) is necessary for entering into or performing a contract between you and a data controller,
(2) is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, decisions must not be based on special categories of personal data pursuant to Article 9(1) GDPR, unless Article 9(2) point (a) or (g) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3), the data controller must implement suitable measures to safeguard your rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.
If you wish to object against the collection, processing or use of your data by the Wilo-Foundation in accordance with this Privacy Statement, either categorically or for individual measures, you may send us your objection to the address:
or via email to
The Foundation implements technical and organisational security measures to protect your data administered by us against accidental or deliberate manipulation, loss and destruction and/or access by unauthorised persons.
Our security measures are continuously improved as new technology becomes available.
As at June 2019
Please note that this statement may be supplemented or amended in the future due to legal or other requirements. Please inform yourself regularly about the current status.