Privacy policy

PHW Gruppe - Privacy Statement according to the General Data Protection Regulation

Privacy Statement

Thank you for visiting our website. Adhering to data protection regulations is of utmost importance to us. This data protection declaration, or privacy statement, aims to inform you, the website user, about the nature, extent, and purpose of personal data processing, as well as your rights, provided you are recognized as a data subject under Article 4 No. 1 of the General Data Protection Regulation (hereafter referred to as “GDPR”).


1. Responsible body

This website and the range of services are operated by:


Visbek-Rechterfeld branch
Paul-Wesjohann-Straße 45
D - 49429 Visbek

Telephone: 0 44 45 / 891 - 0
Fax: 0 44 45 / 891 - 250


VAT identification number DE 115168160

Represented by its management: Peter Wesjohann (Chairman), Doris Wesjohann
Board of Directors: Martin Grapentin (President)
Registered in the Commercial Register of the Oldenburg District Court under HRB 214838
Company’s Registered Office: Vaduz, Principality of Liechtenstein, registration number FL-0002.615.984-5, Office of Justice (Amt für Justiz - AJU), Principality of Liechtenstein.


2. Data protection officer

We have appointed a data protection officer.

Mr. Philipp Herold
Hafenstraße 1a
23568 Lübeck


3. General

We developed the website to collect as little data from you as possible. We always ensure that we only process your personal data in accordance with a legal basis or with your consent. We comply with the provisions of the GDPR, in force since 25 May 2018, and the applicable national regulations, such as the Federal Data Protection Act, the Telecommunications Telemedia Data Protection Act or other more specific data protection laws.


4. Purpose and legal basis for processing personal data

We always process your personal data for a specific purpose.
In summary, we process your personal data for the following purposes:
     a)    To be able to process your enquiry together with you when you contact us (e.g. email address, first name, last name);
     b)    To register for our service offerings;
     c)    For the technical implementation of our website and to be able to provide you with our information on this website (e.g. IP address, cookies, browser information);

Regarding the legal basis for processing your personal data, the following shall apply:
We process personal data that is necessary for the justification, implementation or processing of our service offer (contract processing) on the legal basis of Article 6 (1)(b) GDPR. If we obtain your consent for the processing of your personal data, the consent in accordance with Article 6(1)(a) GDPR forms the legal basis for the data processing. Data processing is also permitted if we process your data to protect our legitimate interests and your interests or fundamental rights and freedoms with regard to the processing of personal data do not outweigh this (Article 6(1)(f) GDPR). Insofar as we use external service providers as part of commissioned data processing, the processing is carried out on the legal basis of Article 28 GDPR.


5. Collection of personal data when you visit our website

If you use the website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you would like to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis is Article 6 (1) sentence 1 (f) GDPR):

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request originates
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

This website is hosted by an external service provider (host). The personal data collected on this website is stored on the host’s servers.


We use the following host:
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen


We have concluded an order processing contract (Vertrag über Auftragsverarbeitung - AVV) with the named provider. This is a contract required by data protection law, which ensures that we only process the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.
In addition to the data mentioned above, Cookies are stored on your computer when you use our website. Further information on this can be found under the “Cookies” section in this privacy statement and in the consent management tool used (


6. Integration of services from other providers

Our website uses content, services and benefits from other providers. These are, for example, services for statistical analysis of the use of and visits to our website. In order for this data to be accessed and displayed in the user's browser, the user's IP address must be transmitted to the third-party providers used.
Even if we try to only use third-party providers who only need the IP address to be able to deliver content or even work with anonymized IP addresses, we have no influence on whether the IP address may be stored. Information about the third-party providers used can be found below in this privacy statement.


Type and extent of processing
We have integrated on our website. is a consent solution from consentmanager AB, Håltegelvägen 1, B723 48 Västerås, Sweden, with which consent to the storage of Cookies can be obtained and documented. uses Cookies or other web technologies to recognize users and store consent that has been given or revoked.


Purpose and legal basis
The use of the service is based on obtaining the legally required consent to the use of Cookies in accordance with Article 6 (1) (c) GDPR.


Storage period
The specific storage period of the processed data cannot be influenced by us, but is determined by consentmanager AB. Further information can be found in the privacy statement for .



Type and extent of processing
We use the open source software tool Matomo (formerly PIWIK) on our website. The software sets a Cookie in your browser (see above for Cookies). If individual pages of our website are accessed, the following data is stored:

  • Two bytes of the IP address of the user’s accessing system (anonymized IP address)
  • The website accessed
  • The website from which the user accessed the website accessed (referrer)
  • The subpages that are accessed from the website being accessed
  • The time spent on the website
  • The frequency of accessing the website

The software runs exclusively on the servers of our website. Your personal data will only be stored there. The data will not be passed on to third parties.


Purpose and legal basis
We process your data using the analysis software Matomo for the purpose of evaluating the use of individual components and content of our website based on your consent in accordance with Article 6 (1) (a) GDPR and Section 25 (1) TTDSG. You give your consent by setting the use of Cookies (Cookie banner / consent manager), with which you can also declare your revocation at any time with future effect in accordance with Article 7 (3) GDPR. There is no legal or contractual obligation to provide your data. If you do not give us your consent, you can visit our website without restrictions, although not all functions may be fully available.


Storage period
The specific storage period for the cookies set is 13 months.


7. Cookies

Cookies are small text files that are stored on your data carrier and store certain settings and data for exchange with our system via your browser. A Cookie typically contains the name of the domain from which the cookie data was sent, information about the age of the Cookie, and an alphanumeric identifier.
Cookies enable our systems to recognize the user’s device and make any default settings immediately available. As soon as a user accesses the platform, a Cookie is transferred to the hard drive of the respective user’s computer. Cookies help us to improve our website and to offer you a better and more tailored service. They enable us to recognize your computer or your (mobile) device when you return to our website and thereby:

  • store information about your preferred activities on the website and thus tailor our website to your individual interests;
  • speed up the processing of your requests.

We work with third-party services that help us make the Internet offering and the website more interesting for you. Therefore, when you visit the website, Cookies from these partner companies (third-party providers) are also stored on your hard drive. These are Cookies that are automatically deleted after the specified time.
Further information about the individual third-party providers can be found in the Cookie Consent Tool and the data protection information contained therein.
If you do not wish to use browser Cookies, you can set your browser so that it does not accept the storage of cookies. Please note that in this case you may only be able to use our website to a limited extent or not at all. If you only want to accept our own Cookies and not the Cookies of our service providers and partners, you can select the “Block third-party cookies” setting in your browser. We do not assume any responsibility for the use of third-party Cookies.


8. Contact us

You can contact us by email or using our contact form. In this case, we store the personal data you provide in order to process your request and to contact you to process your request. If we request information via our contact form, we have marked the mandatory fields required to contact you accordingly (asterisk). The voluntary information serves us to specify your request and to improve the processing of your request. You will transmit the requested data to us on a solely voluntary basis.

Depending on the type of request, the legal basis for this processing is Article 6 (1) (b) GDPR for inquiries that you make yourself as part of a pre-contractual measure or Article 6 (1) sentence 1 (f) GDPR if your inquiry is of a different nature. The legitimate interest follows the purposes mentioned in Section 4. If personal data is requested that we do not need for the fulfilment of a contract or to protect legitimate interests, it will be transmitted to us on the basis of your consent in accordance with Article 6 (1) (a) GDPR.


9. Rights of the data subject

You have the right:

  • in accordance with Article 15 GDPR, to request information about your personal data processed by us. In particular, you can obtain information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, deletion, restriction of processing or objection, the existence of a right to complain, the origin of your data, if it was not collected by us, as well as the existence of automated decision-making including profiling and, if necessary, meaningful information about its details;
  • in accordance with Article 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
  • in accordance with Article 17 GDPR, to request the deletion of your personal data stored by us, unless the processing is required to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
  • in accordance with Article 18 GDPR, to request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful but you refuse its deletion, we no longer need the data but you need it to assert, exercise or defend legal claims, or you have objected to the processing in accordance with Article 21 GDPR;
  • in accordance with Article 20 GDPR, to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request its transmission to another person responsible (data portability);
  • in accordance with Article 7 (3) GDPR, to revoke your consent to us at any time. This means that we are no longer allowed to continue the data processing based on this consent in the future;
  • to complain to a supervisory authority in accordance with Article 77 GDPR. As a rule, you can contact the supervisory authority at your usual place of residence or work or at our company headquarters.
  • Right to object
    • If your personal data is processed on the basis of legitimate interests in accordance with Article 6 (1) sentence 1 (f) GDPR, you have the right to object to the processing of your personal data in accordance with Article 21 GDPR, provided that there are reasons for this which arise from your particular situation or provided that the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation.

If you would like to exercise your right of revocation or objection, simply send an email to


10. Sharing your personal information

Your personal data will be passed on as described below.
Data will also be passed on if we are entitled or obliged to pass on data due to legal regulations and/or official or court orders. This may in particular involve providing information for the purposes of criminal prosecution, to avert danger or to enforce intellectual property rights.
If your data is passed on to service providers to the extent necessary, they will only have access to your personal data to the extent necessary to fulfil their tasks. These service providers are obliged to treat your personal data in accordance with applicable data protection laws, in particular the GDPR. To the extent that your personal data is processed on our behalf on the basis of order processing contracts in accordance with Article 28 GDPR, we ensure that the processing of personal data takes place in accordance with the General Data Protection Regulation.
We believe it is important to process your data within the EU/EEA. However, it may happen that we use service providers who process data outside the EU/EEA. In these cases, we ensure that an adequate level of data protection comparable to standards within the EU is established at the recipient’s end before the transfer of your personal data. This can be achieved, for example, via EU standard contracts or binding corporate rules or special agreements to whose regulations the company can submit.


11. Data Security 

We protect our website through technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons.
In particular, your personal data is transmitted to us in encrypted form. We use the SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption protocol. Our security measures are continuously improved in line with technological developments.


12. Storage period for personal data

With regard to the storage period, we delete personal data as soon as their storage is no longer necessary to fulfil the original purpose and there are no longer any statutory retention periods. The statutory retention periods form the criterion for the final duration of storage of personal data. After the deadline has expired, the relevant data will be routinely deleted. If there are retention periods, processing is restricted in the form of blocking the data.


13. References and links

When you access websites that are referred to on our website, you may be asked again for information such as name, address, email address, browser properties, etc. This privacy statement does not regulate the collection, transfer or handling of personal data by third parties.
Third-party service providers may have their own, different regulations regarding the collection, processing and use of personal data. It is therefore advisable to find out about their practices for handling personal data on third-party websites before entering personal data.


14. Reporting Office

As part of our compliance management system, we have set up a whistle-blower hotline. You have the opportunity to provide information on matters that are subject to the Whistle-blower Protection Act (HinSchG) or that we otherwise have a legitimate interest in obtaining knowledge of.
To receive and examine such reports, we have commissioned the law firm HEUKING as an outsourced internal reporting office.
Reports can be sent to the outsourced internal reporting office via web form, by telephone, email, post or in person.
Reports to the outsourced internal reporting office can be made anonymously.
The use of the outsourced internal reporting office is voluntary.
If you submit a report to the outsourced internal reporting office, it records the information you provide. This includes your personal information, if you choose to disclose it, and typically the names and other personal information of the people you name in your report. Further information on how the outsourced internal reporting office handles your personal data can be found in the Privacy statement of the outsourced internal reporting office.


a) Categories of personal data we process

Once the outsourced internal reporting office has verified the report, we receive a report that may contain the following personal data:

  • Names and other personal data of the person providing the information only if the person providing the information does not wish to remain anonymous and agrees to the information being passed on to us;
  • Names and other personal data resulting from the report of the persons named in the report

In the course of further clarification of the reported matter and further processing, further personal data may be collected and processed by us. In principle, there is no obligation to provide the reporting office with personal data. However, the less data you provide to us, the more difficult it may be to resolve the violation you reported.


b) Purposes of data processing, legal basis

Processing the data transmitted to us by the outsourced internal reporting office serves to handle and manage reports of compliance violations, violations of legal regulations and violations in connection with our business operations by employees, customers, suppliers and other third parties.
The legal basis for the processing of your personal data as a reporting person is your consent, provided you disclose your identity and agree to the outsourced internal reporting office passing on your name to us (Article 6 (1) sentence 1 (a) GDPR).
As far as matters are concerned that are subject to the Whistle-blower Protection Act (HinSchG), Section 10 HinSchG is the legal basis for the processing of the personal data of you as the informant and of the person(s) affected by the whistle-blower.
Outside the scope of the HinSchG, the legal basis for processing your personal data and that of those affected by the report is our legitimate interest in detecting and preventing legal violations and misconduct (Article 6 (1) sentence 1 (f) GDPR). There is a legitimate interest in detecting and preventing legal violations and misconduct to the extent that we are legally obliged to do so in certain areas. In addition, such violations can not only cause significant economic damage, but also lead to a significant loss of reputation.
If the data subject is an employee of ours, the legal basis for processing in the course of processing or further investigation of the reported facts is Section 26 (1) sentence 1 BDSG (processing for the purposes of the employment relationship) or Section 26 (1) sentence 2 BDSG (processing to detect criminal offenses) and, if applicable, our legitimate interest described above (Article 6 (1) sentence 1 (f) GDPR).


c) Disclosure to third parties

The confidential treatment of all reports and data by the reporting office is ensured at all times and in every processing step. This applies in particular to the personal data of the person providing the information and the person(s) affected by the reported information. Only individual, pre-determined, authorized persons who are obliged to act in a trustworthy manner have access to incoming reports and information about the processing of the report or follow-up measures.
If the report concerns another company in our group of companies, we will pass on the contents of the report and the results of further clarification of the matter to this company in our group of companies.
We may pass on the contents of the report and the results of further clarification of the reported facts to courts, authorities and other public bodies. This may be the case if we are legally obliged to disclose the data or if this is necessary for the establishment, exercise or defence of legal claims.
As part of the clarification measures and when asserting, exercising or defending legal claims, we may also rely on the support of law firms or auditing firms.
In addition, when clarifying and processing the reported facts, we may involve (technical) service providers who work for us as processors within the meaning of Article 28 GDPR and on the basis of corresponding agreements. They can also become aware of the contents of the whistle-blower report, but are obliged to treat the data concerned confidentially.
Despite maintaining confidentiality, personal data of the informing persons and those affected may be disclosed to authorities, courts or third parties in exceptional situations. This is the case if it is obligatory for us to pass on this information, such as in the context of an official investigation (e.g. as part of an investigation) or if this is necessary for the assertion, exercise or defence of legal claims. In addition, under certain conditions, we must also disclose the reported information to the persons affected by the report.


d) Duration of data storage

The personal data will be stored for as long as is necessary to clarify the report and the subsequent measures, if necessary, or for as long as there is a legitimate interest on our part, or as long as this is required by law. The data will then be deleted in accordance with legal requirements. According to Section 11 (5) HinSchG, this usually takes place 3 years after the end of the procedure.


e) Transfer of data to third countries

As a rule, no personal data from reports are transferred to countries outside the European Union (EU) or the European Economic Area (EEA), unless the report concerns a company in our group of companies that is based in a country outside the EU or the EEA. Countries outside the European Union or European Economic Area may have different rules regarding the protection of personal data. If we share information in this way, we will comply with the relevant data protection regulations.


As of: 01/2024