Overview

Hailo Colours GmbH processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). This page summarises our GDPR compliance position and explains how to exercise your rights as a data subject.

Data controller

Hailo Colours GmbH
Schillerstraße 14, 80336 Munich, Germany
Email: [email protected]
Telephone: +49 89 412 087 600

For data protection enquiries specifically, you may also write to: [email protected]

Data Protection Officer

Given the scale of our data processing activities, we are not required under Article 37 GDPR to appoint a Data Protection Officer. Data protection queries are handled by our legal and compliance team, reachable at [email protected].

Categories of personal data we process

  • Website usage data (IP address, browser type, pages visited, duration) — collected automatically via server logs
  • Contact and enquiry data (name, email address, message content) — provided voluntarily
  • Customer and order data (name, address, order details, payment records) — provided by customers
  • Cookie and analytics data — collected with consent

Legal bases for processing

  • Article 6(1)(a) — Consent: analytics cookies, marketing communications (where opted in)
  • Article 6(1)(b) — Contractual necessity: order processing, customer account management, service delivery
  • Article 6(1)(c) — Legal obligation: accounting records, tax compliance, legal proceedings
  • Article 6(1)(f) — Legitimate interests: website security, server log collection, fraud prevention, business analytics

Data transfers outside the EU/EEA

We do not transfer personal data to countries outside the EU/EEA as part of our standard operations. If a transfer were required, it would be protected by appropriate safeguards as required by Chapter V GDPR (such as Standard Contractual Clauses).

Google Fonts is served from Google's CDN infrastructure, which may involve processing in the United States. Google operates under the EU–US Data Privacy Framework (DPF) for these transfers.

Your rights under GDPR

As a data subject, you have the following rights under the GDPR:

  • Right of access (Article 15) — You may request confirmation of whether we process your personal data and receive a copy of it.
  • Right to rectification (Article 16) — You may request correction of inaccurate personal data we hold about you.
  • Right to erasure (Article 17) — You may request deletion of your personal data where no legal ground for continued processing exists.
  • Right to restriction of processing (Article 18) — You may request that we restrict processing in certain circumstances.
  • Right to data portability (Article 20) — Where processing is based on consent or contract and is automated, you may request your data in a structured, commonly used format.
  • Right to object (Article 21) — You may object to processing based on legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Article 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, send a request to [email protected]. We will respond within one month; for complex requests this period may be extended to three months, and we will notify you of the extension.

Right to lodge a complaint

If you believe our processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority for our registered office:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

Automated decision-making and profiling

We do not use automated decision-making or profiling as defined by Article 22 GDPR in any of our data processing activities.

Data breach notification

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will notify the BayLDA within 72 hours in accordance with Article 33 GDPR. Where the breach poses a high risk, affected data subjects will be notified directly without undue delay.