Privacy Policy
Falke Metall Ltd.
ФАЛКЕ МЕТАЛ ЕООД
Zheleznik Str. Zagorka 24, Fl.7 App.46, 6000 Stara Zagora, Bulgaria
Phone: +359 877922392
E-Mail: info@falkemetall.com
**Status: December 12, 2025**
**Table of Contents (Short)**
* Controller & Data Protection Contact
* Scope of Application
* Overview — What Data We Process and for What Purposes
* Legal Bases for Processing (GDPR) & TTDSG
* Legal Basis & Specifics for Consumers (B2C) and Businesses (B2B)
* Detailed Processing Operations (Website, Contact, Uploads, Newsletter, etc.)
* External Services / Third Parties (Wix, Google Services, Meta, Microsoft/OneDrive, etc.) — Technical & Legal Details
* Cookies, Tracking, Consent Management (TTDSG compliant)
* Data Transfers to Third Countries (e.g., USA) — Risks & Technical/Organizational Measures
* Data Processing Agreements (DPA) & Standard Contractual Clauses (SCCs)
* Storage Periods / Deletion Criteria
* Your Data Subject Rights (Access, Rectification, Erasure, Restriction, Objection, Data Portability, Withdrawal of Consent)
* Right to Lodge a Complaint with a Supervisory Authority & Contact Details
* Security Measures (Technical-Organizational)
* Special Notes (Children, Profiling, Automated Decision-Making)
* Changes to this Privacy Policy
* Implementation Checklist for Falke Metall (What Still Needs to Be Done)
**1. Controller and Data Protection Contact**
The controller within the meaning of the GDPR is:
FALKE METALL Ltd.
ФАЛКЕ МЕТАЛ ЕООД
Zheleznik Str. Zagorka 24, Fl.7 App.46
6000 Stara Zagora, Bulgaria
Phone: +359 879 954 721
E-Mail: info@falkemetall.com
**Data Protection Officer (DPO)**
Currently, no external or internal data protection officer is publicly appointed. If Falke Metall has appointed a DPO, please add the name, email, and phone number here.
*(RECOMMENDATION: In case of regular, extensive processing of personal data — especially large-scale processing of special categories of data or systematic monitoring — consider appointing a DPO.)*
**Competent Supervisory Authority (for data subjects in Bulgaria):**
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Website: https://www.cpdp.bg/
For data subjects within the EU, the right to lodge a complaint with the respective national supervisory authority also applies.
**2. Scope of Application**
This privacy policy applies to all personal data that Falke Metall collects, processes, or uses in the context of the following business relationships:
* Visiting the company website (hosting, content, cookies, tracking)
* Contact inquiries (contact form, email, phone)
* Quotations, contracts, order fulfillment, orders (B2B and B2C)
* Use of the upload function (OneDrive)
* Newsletter subscription and distribution
* Use of online content (YouTube, Google Maps)
* Marketing and analysis purposes (Google Analytics, Google Ads, Facebook Pixel)
The statement differentiates, where relevant, between consumers (natural persons acting for private purposes) and businesses (legal entities / natural persons engaged in commercial/self-employed activities).
**3. Overview — What Data We Process and for What Purposes**
**Categories of Personal Data (Examples)**
* Contact data: Name, company, address, email, phone number
* Contract data: Order contents, quotations, order numbers, delivery data, payment data (only as necessary)
* Identification data: e.g., company IDs, tax IDs (B2B)
* Communication data: Message content from emails, contact forms, phone records
* Log and usage data: IP address, date/time, device/browser used, page views, referrer
* Upload data: Files, drawings, technical specifications, CAD/3D files (may contain business secrets)
* Newsletter data: Email address, subscription time, IP addresses at opt-in
* Marketing/Analysis data: Cookies, tracking IDs, usage profiles (if consented)
* Other: File metadata, information from public registers
**Purposes of Processing (Short)**
* Contract fulfillment and quotation processing
* Communication with customers / support / sales
* Fulfillment of legal obligations (commercial and tax law, compliance)
* Operation & security of the website (hosting, maintenance, defense against attacks)
* Marketing, statistics, reach analysis (only with consent)
* Provision of features (e.g., maps, videos)
* Data backup and retention obligations
**4. Legal Bases for Processing**
Processing is based on the legal grounds specified in the GDPR:
* **Art. 6 (1) lit. b GDPR:** Processing for the performance of a contract or to take steps prior to entering into a contract (e.g., preparing a quotation, processing an order).
* **Art. 6 (1) lit. a GDPR:** Consent of the data subject (e.g., for cookies, newsletter, tracking). Consent can be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.
* **Art. 6 (1) lit. c GDPR:** Compliance with a legal obligation (e.g., tax retention obligations).
* **Art. 6 (1) lit. f GDPR:** Legitimate interests (e.g., ensuring operation, defense against attacks, direct marketing to existing customers). Before applying this legal basis, we conduct a balancing of interests; if the interests of the data subject are overriding, this interest does not prevail.
* **§ 25 TTDSG:** Regulations on storing/accessing information on end devices (cookies, tracking) — non-essential cookies and tracking technologies only with consent.
**5. Specifics for B2C / B2B**
* **Consumers (B2C):** Legal information obligations are extended (right of withdrawal, contract information). For marketing/tracking, specific consents and understandable information are required.
* **Businesses (B2B):** For many processes, Art. 6 lit. b/f GDPR (contract fulfillment and legitimate interest) primarily applies. Nonetheless, assessments for the admissibility of marketing measures are conducted.
**6. Detailed Processing Operations**
**6.1 Visiting Our Website (Hosting, Log Files)**
* **Controller:** Falke Metall (as a customer of Wix)
* **Service Provider:** WIX (Wix.com Ltd. / Wix Europe), hosting provider.
* **Data Types:** IP address, browser, device data, referrer, access time.
* **Purpose:** Operation and stability of the website, security, error analysis.
* **Legal Basis:** legitimate interest (Art. 6 (1) lit. f) for security and operational purposes; for non-essential analysis/tracking: consent.
* **Storage Duration:** max. 30 days for log files (or according to provider rules; please adjust).
* **Special Note:** Data may be processed on servers outside the EU (e.g., USA, Israel) — see section on Third Countries.
*Note for website wording: "Our website is hosted by Wix. Wix may automatically store data in log files upon access (e.g., your IP address)."*
**6.2 Cookies, Tracking & Consent**
We distinguish cookie categories:
* **Necessary/Essential Cookies:** Absolutely required for basic functions (e.g., shopping cart, security, session). Activation is technically permissible without consent (Art. 6 (1) lit. f + § 25 (2) TTDSG). Example: Session-ID, Auth-Cookies.
* **Preference Cookies:** Store settings (e.g., language). Legal Basis: Consent (Art. 6 (1) lit. a GDPR).
* **Statistics/Analysis Cookies:** Google Analytics, Wix Analytics — collect usage data. Legal Basis: Consent (Art. 6 (1) lit. a GDPR).
* **Marketing/Tracking Cookies:** Facebook Pixel, Google Ads Remarketing, third-party ads. Legal Basis: Consent (Art. 6 (1) lit. a GDPR).
**Consent Management:** We use a consent tool (cookie banner) that:
* Obtains consent before setting non-essential cookies;
* Allows granular opt-in/opt-out;
* Enables withdrawal at any time;
* Logs consents (proof function).
*(Practical recommendation: Wix Consent Manager, Cookiebot, OneTrust, etc. — please specify if already in use.)*
**6.3 Contact Forms, Email, Phone**
* **Purpose:** Processing inquiries, preparing quotations, possibly pre-contractual measures.
* **Data Types:** Name, company, address, email, phone, message text, possibly files.
* **Legal Basis:** Art. 6 (1) lit. b (pre-contractual measures) or lit. f (for general contact with a general business context).
* **Storage Duration:** As long as necessary for processing + commercial/tax law retention periods, typically 3–10 years depending on document type.
**6.4 Upload Area / OneDrive**
* **Function:** Upload of construction data, drawings, samples (e.g., for quotation preparation).
* **Service Provider:** Microsoft OneDrive / Microsoft 365 (Microsoft Ireland Operations Ltd.).
* **Data Types:** Files, metadata, possibly name/email of uploader, IP address.
* **Purpose:** Order processing, data exchange, production.
* **Legal Basis:** Art. 6 (1) lit. b (contract fulfillment) or consent if particularly sensitive.
* **Data Processing Agreement (DPA):** A DPA exists with Microsoft (please confirm and insert here).
* **Storage Duration:** Files are stored until the purpose is fulfilled; thereafter deletion according to contractual agreement or upon request.
* **Note on Business Secrets:** If highly sensitive data (e.g., protected designs) are uploaded, we recommend encryption before upload (e.g., password-protected archives).
**6.5 Quotations, Orders, Contract Processing (B2B and B2C)**
* **Data Types:** Contact data, order data, product data, payment information (only as necessary), correspondence, delivery data.
* **Purpose:** Contract execution, delivery, warranty, billing.
* **Legal Basis:** Art. 6 (1) lit. b GDPR (contract).
* **Retention Obligations:** Commercial and tax law retention periods (typically 6 years § 257 HGB, 10 years § 147 AO – depending on national law); internal retention periods may differ but must comply with the law.
* **Deletion:** After expiration of legal obligations or after completion, provided no other legitimate interests oppose.
**6.6 Newsletter**
* **System:** Sending via a service provider (e.g., Mailchimp, Sendinblue, Microsoft/dedicated).
* **Data Types:** Email, possibly name, IP, subscription timestamp.
* **Purpose:** Information about products, service info, marketing (only with consent).
* **Legal Basis:** Art. 6 (1) lit. a GDPR (consent) or, in exceptional cases for existing customers, Art. 6 (1) lit. f (for direct marketing of similar products to existing customers — national assessments vary; in case of doubt: consent).
* **Double-Opt-In:** Mandatory for proof of consent.
* **Withdrawal:** Possible at any time via unsubscribe link in each newsletter or by email to info@falkemetall.com.
* **Storage Duration:** For the duration of the newsletter subscription, thereafter deletion or blocking (blacklist).
**6.7 YouTube (Videos on Website)**
* **Implementation:** Embedded videos in "extended data protection mode" (→ YouTube/Google).
* **Data Types:** Upon playback: IP address, cookie IDs, usage data.
* **Purpose:** Provision of multimedia content.
* **Legal Basis:** Consent according to § 25 TTDSG + Art. 6 (1) lit. a GDPR.
* **Special Note:** Even in extended mode, data may be transferred to Google/YouTube (USA) when starting the video.
**6.8 Google Maps**
* **Function:** Display of company location, route planning.
* **Data Types:** Upon loading: IP address, possibly location data (if user grants permission).
* **Legal Basis:** Consent (Art. 6 (1) lit. a).
* **Third Country:** USA/others; SCCs + consent.
**6.9 Google Analytics (GA4)**
* **Purpose:** Statistics, user behavior, website optimization.
* **Data Types:** Anonymized/partially pseudonymized IP, page views, dwell time, events.
* **Legal Basis:** Consent (recommended, as data may be transferred to third countries and tracking is invasive).
* **Data Protection Measures:** IP anonymization, shortened retention period, data processing agreement with Google (DPA), SCCs (if necessary) and additional technical/organizational measures.
* **Retention:** Adjustable in the tool; recommended: 14–26 months or 2 years or shorter.
**6.10 Google Ads / Remarketing**
* **Function:** Display of targeted ads, remarketing lists.
* **Data Types:** Cookie IDs, conversions, remarketing lists.
* **Legal Basis:** Consent.
* **Objection:** Possible via Google settings / browser opt-out / consent banner.
* **Third Country:** USA — SCCs & consent.
**6.11 Facebook / Meta Pixel**
* **Purpose:** Conversion tracking, audience creation, ad optimization.
* **Data Types:** Pixel events, cookie IDs, page views, possibly email hashes (Custom Audiences).
* **Legal Basis:** Consent (Art. 6 (1) lit. a).
* **Joint Controller Responsibility:** For the collection of Pixel data, there is, in particular for certain processing steps, a joint controller relationship between Falke Metall and Meta Ireland (Art. 26 GDPR) — which must be individually regulated depending on implementation. Please review/establish a Joint Controller Agreement (JCA).
* **Third Country:** USA — SCCs + consent.
* **Objection / Opt-out:** via settings in the consent manager or Meta tools.
**7. Data Transfers to Third Countries (e.g., USA, Israel)**
**General Principles**
With the service providers used, storage or processing may take place outside the EU/EEA (e.g., in the USA or Israel). The GDPR permits such transfers only under certain conditions (adequacy decision, Standard Contractual Clauses (SCCs), binding corporate rules, approved codes of conduct, or consent of the data subject — Art. 45–49 GDPR).
**Practical Measures by Falke Metall**
* Conclusion of Standard Contractual Clauses (SCCs) with providers, where possible. (↳ Please check/document; DPAs + SCCs must be in place with service providers.)
* Obtaining explicit consent of the data subject if SCCs/adequacy are not sufficient (e.g., in case of potential access rights of foreign security authorities).
* Implementing additional technical measures (encryption, minimization, pseudonymization) for particularly sensitive data.
* Documentation in the Record of Processing Activities (Art. 30 GDPR).
**Notes on Risk**
Even if SCCs exist, additional "Supplementary Measures" are required if the third-country recipient does not offer an equivalent level of legal protection (e.g., in the USA). Falke Metall transparently informs data subjects about these risks and the measures taken.
**8. Data Processing Agreements (DPA) & Standard Contractual Clauses (SCCs)**
**Data Processing Agreement (DPA)**
For service providers that process data on behalf of Falke Metall (e.g., hosting, newsletter provider, cloud storage), Falke Metall has concluded DPAs with them. These DPAs regulate, among other things:
* Subject matter and duration of processing
* Type of data / categories of data subjects
* Duties and rights of the controller
* Instruction authority
* Technical and organizational measures (TOMs)
* Rights of data subjects / audit rights
*Please check and confirm: DPA with Microsoft (OneDrive), DPA/data protection agreement with Wix, Google (if applicable), Facebook/Meta (if Pixel and tools are used), newsletter provider.*
**Standard Contractual Clauses (SCCs)**
For data transfers to services outside the EEA (e.g., USA), Falke Metall relies on EU Standard Contractual Clauses (SCCs) and has implemented them where possible. Where SCCs are not available, data subjects are informed according to the GDPR and asked for consent.
**9. Storage Period / Deletion**
Falke Metall stores personal data only as long as necessary to fulfill the respective purpose or as long as legal retention obligations exist.
**Guidelines (please define internally):**
* Contact inquiries: 2–7 years depending on business context
* Order data / invoices: 6–10 years (legal obligations)
* Log files: 7–90 days (depending on security requirements)
* Newsletter data: until withdrawal + possibly 3 years archive for proof
* Tracking data: as short as possible (e.g., 14–26 months)
* Uploads (construction data): until fulfillment + contractual agreements; sensitive material to be deleted immediately if not needed
**Deletion Concept:** Falke Metall implements a process-oriented deletion concept including deletion periods, responsibilities, and documentation.
**10. Data Subject Rights (Practical)**
Data subjects can assert the following rights:
* **Access (Art. 15 GDPR):** What data we process, for what purposes, storage period, recipients.
* **Rectification (Art. 16):** Correct inaccurate data.
* **Erasure (Art. 17):** "Right to be forgotten" — provided no legal retention obligations oppose.
* **Restriction (Art. 18):** Restrict processing.
* **Data Portability (Art. 20):** Receive personal data in a machine-readable format.
* **Withdrawal of Consent (Art. 7 (3)):** Withdrawal without consequences for past processing.
* **Objection (Art. 21):** Object to processing based on legitimate interests — Falke Metall conducts a balancing of interests.
* **Right to Lodge a Complaint:** With a supervisory authority (e.g., CPDP in Bulgaria or respective national authority).
**Request Procedure:** Rights can be asserted by email to info@falkemetall.com. We verify identity and provide information in writing/electronically within one month (extendable by two months for complex cases).
**11. Data Breaches**
Falke Metall has implemented internal processes for detecting, reporting, and investigating data breaches:
* Detection and internal reporting to responsible persons / DPO
* Assessment of risk for data subjects
* Notification to the competent supervisory authority within 72 hours (Art. 33 GDPR), if reportable
* Notification of affected data subjects if a high risk to their rights and freedoms exists (Art. 34 GDPR)
* Documentation of the incident and measures taken
**12. Technical and Organizational Measures (TOMs)**
Falke Metall implements appropriate measures, including at least:
* Encryption (in transit TLS/HTTPS; for sensitive files additional end-to-end encryption recommended)
* Access restrictions / role and permission concepts
* Access logging
* Regular security updates and patches
* Virus/malware protection and firewalls
* Backup concept & recovery plans
* Employee awareness and data protection training
* Confidentiality agreements with employees and service providers
**13. Special Notes**
**13.1 Children**
Our services are not intended for children under 16 years. If we become aware that we have knowingly processed data of a child without parental consent, we delete this data.
**13.2 Automated Decision-Making / Profiling**
Currently, we do not make decisions based solely on automated processing with legal or similarly significant effects (Art. 22 GDPR). Marketing analytics may contain profiling elements; this only occurs with consent and transparency.
**13.3 Transfer to Other Recipients**
Data may be transferred to suppliers, payment service providers, shipping partners, tax and legal advisors — each only as necessary and regulated contractually.
**14. Changes to this Privacy Policy**
This privacy policy may be updated. For significant changes, we may inform customers/data subjects separately (e.g., email or notice on the website). The date of the last change is indicated above.
**15. Contact for Data Protection Inquiries**
Please direct all inquiries regarding data protection, access requests, or withdrawals to:
info@falkemetall.com
*(Optional: Add name & contact details of DPO here, if available.)*
**16. Implementation Checklist (Concrete Steps Falke Metall Must Now Implement / Confirm)**
Many sections contain notes that you must implement or finally confirm. I have formulated this checklist as a pragmatic guide — check off the points, adapt formulations, and document everything.
* [ ] Set up Consent Tool
  * Implement a TTDSG-compliant consent banner (e.g., Wix Consent Manager, Cookiebot, OneTrust).
  * Ensure: granular opt-in, opt-out, logging, withdrawal function.
  * Suggested wording for cookie banner:
    * *"We use cookies for functionality, analysis, and personalization. Non-essential cookies are set only with your consent. Adjust cookie settings / Accept all / Reject."*
* [ ] Check & Document DPAs
  * Is a DPA with Microsoft (OneDrive) in place? (✓/✗)
  * Is a DPA/data protection agreement with Wix in place? (✓/✗)
  * Is a DPA with the newsletter provider in place? (✓/✗)
  * Are DPAs with other service providers (hosting, payment service provider) in place? (✓/✗)
* [ ] SCCs / Third-Country Safeguards
  * Check/conclude SCCs with Google, Meta, Microsoft, Wix, if processing takes place in third countries.
  * Documentation of Supplementary Measures (e.g., encryption, data minimization).
* [ ] DPIA (Data Protection Impact Assessment)
  * Conduct a DPIA if profiling/targeting/mass tracking is operated (Google Analytics + Facebook Pixel).
  * Document results and derive measures if necessary.
* [ ] Newsletter Process
  * Implement Double-Opt-In
  * Unsubscribe link in every newsletter
  * Document procedure for blacklist (opt-out)
* [ ] Upload Process (OneDrive)
  * Note on encryption of sensitive files (recommendation)
  * Procedure for deletion/archiving after project completion
* [ ] Data Protection Information Obligations Internally
  * Prepare standard responses/forms for access requests
  * Set up templates for erasure/rectification requests
* [ ] Data Security Measures
  * Enforce TLS/HTTPS on the website
  * Regular backups + access protection
  * Access control (MFA for admin access)
* [ ] Contractual & Legal Additions
  * Check Joint Controller Agreement if Facebook/Meta establishes joint responsibility
  * Include precisely named deletion periods in internal policies
* [ ] Documentation & Register
  * Maintain an updated Record of Processing Activities (Art. 30 GDPR).
  * Log security incidents (Incident Response Plan).
**17. Template Texts (for Direct Adoption)**
**A) Template Consent Text Cookie Banner (short)**
*"We use cookies and similar technologies to operate our website, personalize content, and analyze usage. Non-essential cookies (analysis, marketing) are set only with your consent. Details & settings: [Cookie Settings]."*
**B) Template Information Clause for Quotations/Upload Form (short)**
*"By uploading, you declare that you are authorized to transmit the submitted files and documents to Falke Metall. The data is processed for quotation preparation/production (Legal basis: Art. 6 (1) lit. b GDPR). For storage, we use Microsoft OneDrive (Microsoft Ireland)."*
**C) Template Withdrawal Notice (Newsletter)**
*"You can withdraw your consent to receive the newsletter at any time. To do so, click the unsubscribe link in every email or send an email to info@falkemetall.com."*