Privacy policy GMH Gruppe

1. Foreword

GMH Gruppe (hereinafter also referred to as “company”, “we” or “us”) takes the protection of your personal data seriously. For this reason, we would like to inform you (hereinafter also referred to as “customer”, “user”, “you” or “data subject”) about data protection in our group of companies.
The GDPR obliges us to provide transparent information about the purposes and means of processing. The aim of this declaration is to provide you with information on how your data is processed by us.


2. General information

2.1 Definitions

Following the example of Art. 4 GDPR, this privacy policy is based on the following definitions:


  • “Personal data” (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability can also be achieved by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).
  • “Processing” (Art. 4 No. 2 GDPR) means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.
  • “Controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Processor” (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.
  • “Third party” (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data; this also includes other legal entities belonging to the group.
  • “Consent” (Art. 4 No. 11 GDPR) means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


2.2 Who is responsible?

The person responsible for the website is:

Georgsmarienhütte Holding GmbH
Neue Hüttenstraße 1
49124 Georgsmarienhütte

Phone: +49 (0) 5401 39-0
Fax: +49 (0) 40 284069-26


2.3 Data protection officer

You can reach our data protection officer at the postal address:

GMH Systems GmbH,
Neue Hüttenstraße 2,
49124 Georgsmarienhütte,



2.4 Legal bases

The processing of personal data requires a legal basis or another defined justification. If there is no legal basis or similar justification, processing is prohibited. The legal bases defined in the law include:


  • Consent (Art. 6 para. 1 lit. a) GDPR)
    If you have voluntarily, in an informed and unequivocal manner, by means of a statement or other clear affirmative act, indicated that you consent to the processing of your personal data for a specific purpose.
  • Contract fulfillment / initiation (Art. 6 para. 1 lit. b) GDPR)
    If the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 lit. c) GDPR)
    If the processing is necessary for compliance with a legal obligation to which we are subject (e.g. a legal obligation to retain data).
  • Protection of vital interests (Art. 6 para. 1 lit. d) GDPR)
    If the processing is necessary to protect your vital interests or those of another natural person.
  • Public interest (Art. 6 para. 1 lit. e) GDPR)
    If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
  • Legitimate interests (Art. 6 para. 1 lit. f) GDPR)
    If the processing is necessary for the purposes of the legitimate interests (in particular legal or economic interests) pursued by the controller or by a third party, except where such interests are overridden by your interests or rights (in particular where the data subject is a minor).


2.5 Deletion and storage duration

If no storage period is specified for our data processing, your data will generally be blocked or deleted as soon as the purpose no longer applies. Under certain circumstances, however, the data may be stored for longer because statutory retention periods (e.g. under tax law) prevent deletion.


2.6 Data security

We use suitable technical and organizational measures to ensure the security of your personal data. These measures help to protect your data against accidental or intentional manipulation, loss, destruction or unauthorized access by third parties. Technical and organizational measures are implemented taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.


2.7 Data processing by order

We sometimes use service providers to process our business transactions, but they only act on our instructions and are contractually obliged to comply with data protection regulations.


2.8 Profiling

We do not intend to use personal data collected from you for automated decision-making (including profiling).


2.9 What rights can you assert?

You have the following rights vis-à-vis us with regard to your personal data:


  • Right to information,
  • Right to rectification,
  • Right to erasure,
  • Right to restriction of processing,
  • Right to object to the processing,
  • Right to data portability,
  • Right of withdrawal,
  • Right to lodge a complaint with a supervisory authority


2.10 Rights in detail

Right to information in accordance with Art. 15 GDPR

You have the right to request confirmation from us as to whether personal data concerning you is being processed. If this is the case, you have the right to information about this personal data and to the following information:


  • For what purpose is the data processed?
  • What kind of data is processed?
  • Who has access to the data?
  • Is the data stored or transferred to third countries?
  • If a statement can be made, how long will the data be stored?
  • Information about other data subject rights, such as the right to rectification or erasure.


Right to rectification in accordance with Art. 16 GDPR

As the controller, we have a duty to ensure that the personal data processed is factually correct. If this is not the case, you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you.


Right to erasure in accordance with Art. 17 GDPR

You have the right to erasure of your personal data stored by us insofar as,


  • the purpose of the processing no longer applies,
  • you withdraw your consent,
  • you object to the processing,
  • the data processing was unlawful from the outset,
  • the deletion is necessary to fulfill a legal obligation under Union law or the law of the Member States
  • your data was collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.


Right to restriction of data processing in accordance with Art. 18 GDPR

You may request the restriction of data processing on the following grounds:


  • the accuracy of the data is disputed by you,
  • the processing is unlawful and you oppose the erasure of the data,
  • we no longer need your data, but you need the data to assert, exercise or defend legal claims or
  • you have lodged an objection to the processing pursuant to Art. 21 GDPR.


Right to data portability pursuant to Art. 20 GDPR


You can request that the data we have collected be handed over to you in a structured, commonly used and machine-readable format or that it be transferred to another controller.


Right to lodge a complaint pursuant to Art. 77 GDPR


You have the option of contacting a supervisory authority in the event of data protection complaints.


Right to withdraw consent, Art. 7 para. 3 GDPR


If you have given us your consent to process your data, you can withdraw this at any time. Such a revocation affects the permissibility of processing your personal data in the future. The permissibility of the data processing carried out up to that point remains unaffected by the revocation. All you need to do is send an email to:


Right to object Art. 21 GDPR


The right to object protects against processing that is not in accordance with your wishes – to assert this right, you must take action and make your claim clear to us. All you need to do is send a simple email to:
You may object if we base the processing of your personal data on the balancing of interests pursuant to Art. 6 (1) sentence 1 (f) GDPR and there are reasons arising from your particular situation. In the event of your justified objection, we will examine the situation and either discontinue or adapt the data processing or point out to you our compelling reasons worthy of protection on the basis of which we will continue the processing.


3. Website

3.1 Explanation

Information about our group of companies, competencies and services can be found at together with the associated subpages (hereinafter jointly referred to as “website”) of the respective group companies. When you visit our website, it is possible that your personal data will be processed.


3.2 Processed data and legal basis

When using the website for information purposes only, i.e. if you do not register (e.g. shopping portal) or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:


  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.


The aforementioned data is processed by us on the basis of Art. 6 para. 1 lit. f) GDPR. The data processing is necessary to ensure the presentation of the website and its security.


3.3 Contact and callback form

On our website, we offer you the opportunity to contact us via a contact or callback form. In order to answer your request, it is necessary to process your personal data. The data will be used exclusively for this purpose.


  • Name
  • E-mail address


The following data is processed when the callback form is used:


  • Name
  • E-mail address
  • Telephone no.


The legal basis in this context is Art. 6 para. 1 lit. f GDPR in order to be able to effectively process the inquiries addressed to us.
If your request is necessary for the fulfillment of a contract or for the implementation of pre-contractual measures, this data is processed on the basis of Art. 6 para. 1 lit. b GDPR.


3.4 Cookies

When you use our website, we use cookies that are stored on your computer. A cookie is a data record. Specifically, a cookie consists of data, a value and a key. Cookies are managed by the browser on your end device and stored there. They are used to make the website more user-friendly and effective overall, i.e. more pleasant for you.

You can generally prevent the setting of cookies via the settings in your browser or alternatively remove the unwanted cookies from the history of your browser after your session.

You can specify in your browser settings that you only allow the acceptance of cookies in certain cases or in general. You can configure your browser settings according to your wishes and, for example, refuse to accept third-party cookies or all cookies. Please note that if you deactivate the acceptance of cookies, you may not be able to use all the functions of this website.

Cookies can contain data that makes it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and persistent cookies, which are stored beyond the individual session.


a) Session cookies are only stored during your current visit to our website and are used to enable you to use our services without restriction and to make the use of our website as convenient as possible for the current visit to our website. If session cookies are deactivated, it cannot be guaranteed that you will be able to use all our services without restriction.

b) Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete the cookies at any time in the security settings of your browser.


3.5 Consent technology – consent

We use a service provider for the administration and data protection-compliant documentation of cookie consents. This is the consent technology of Borlabs Cookie, a consent management service of Borlabs GmbH, Rübenkamp 32, 22305 Hamburg.

When you visit our website, a cookie is stored in your browser in which the consents you have given or the revocation of these consents are stored.

Name: borlabs-cookie
Description: This cookie stores consent information for service groups and individual services.
Service life: 60 days
Purpose: Functional
Type: HTTP


The following information is stored in the borlabs-cookie:


  • Cookie runtime
  • Cookie version
  • Domain and path of the WordPress website
  • Consents
  • UID


The legal basis here is Art. 6 para. 1 lit. c) GDPR – the legally required consents for the use of cookies.


3.6 Website analysis – Matomo

We use the open source software Matomo to analyze and statistically evaluate the use of our website. Cookies are used for this purpose. The information obtained about website use is transmitted exclusively to the server of our service provider and summarized in pseudonymous user profiles. We use the data to analyze the use of the website. The data collected is not passed on to third parties.

Server location:
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 4-6
32339 Espelkamp

The IP addresses are anonymized (IP masking) so that they cannot be assigned to individual users.

The data is processed on the basis of Art. 6 para. 1 lit. f) GDPR. In doing so, we are pursuing our legitimate interest in optimizing our website for our external presentation.

You can revoke your consent at any time by deleting the cookies in your browser or changing your data protection settings.


You may choose to prevent this website from aggregating and analyzing the actions you take here. Doing so will protect your privacy, but will also prevent the owner from learning from your actions and creating a better experience for you and other users.


3.7 Social media

On our website it is possible to access the following social media by clicking on them: Facebook, Instagram, X (formerly Twitter), Xing, LinkedIn and YouTube. We use the so-called “two-click solution”. This means that when you visit our site, no personal data is initially passed on to the providers.

The legal basis for the use is Art. 6 para. 1 lit. f) GDPR.

Only if you click on the marked field of the social networks and thereby activate it will your personal data be transmitted to the respective provider and stored there (in some cases with US providers in the USA). This happens even if you do not have a profile on the respective social network. The data processing procedures and their scope differ depending on the respective social network. Further information on the purpose and scope of data collection and its processing by the provider of the social network can be found in the privacy policies of the respective provider. There you will also find further information on your rights in this regard and setting options to protect your privacy.


Addresses of the respective providers and URL with their data protection notices:


  1. Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland; Meta Privacy Center: Manage your privacy on Facebook, Instagram and Messenger
    Further information on data collection
  2. Xing AG, Dammtorstraße 30, 20354 Hamburg, DE
  3. LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
  4. X (formerly Twitter), Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland
  5. YouTube, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
    Certification according to the “EU-US Data Privacy Framework” data protection framework (


3.9 Google Maps

On our website, we direct you to the map service “Google Maps” to plan a site visit (“Plan journey”).

The provider is: Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.
Certification according to the “EU-US Data Privacy Framework (EU-US DPF)” data protection framework (


4. Business partner

4.1 Explanation

We are a GMH Gruppe company and operate mainly in the European Economic Area (EEA). However, we also have branches outside the European Economic Area. Together we process personal data of our contact persons, such as surname, first name, telephone numbers, etc., in order to be able to contact you.

A business relationship or business initiation is not possible without processing the personal data of the contact person. We use your data in the area of business to business (B2B).


4.2 Person responsible

With regard to the controller pursuant to Art. 4 No. 7 GDPR, we refer to the company named in the legal notice and its contact details.


4.4 Purpose, data categories, legal basis

We store the personal data provided by you in the context of our business relationship and / or a business initiation (interested party), in particular for the fulfillment of existing contracts and / or for the implementation of pre-contractual measures.


4.4.1 Inquiry, quotation and order

These are the company data provided to us for the purpose of an inquiry, offer preparation and order (clarification of queries / inquiries, appointment coordination, invoicing, customer advice / customer service and other legal obligations of the person responsible), including the contact details of the respective contact persons. We generally collect this data when contact is made by telephone, business cards received / provided (interested party or potential customer / service provider / supplier) and / or e-mail received.

The legal basis for data collection is the processing of personal data for the fulfillment of a contract or for the implementation of pre-contractual measures in accordance with Art. 6 para. 1 b) GDPR.


4.4.2 Statistics and optimization of our sales and shipping processes

In order to safeguard our legitimate interests in accordance with Art. 6 para. 1 lit. f) GDPR, the contact data is also used for statistical purposes and to optimize our sales and shipping processes. This personal data may be stored in a customer database (customer relationship management – CRM) to provide an overview of customer support, to improve our products and to maintain our contractual relationship.


4.4.3 Legal regulations

Due to various legal regulations, the companies of GMH Gruppe are subject to further obligations, such as those arising from the German Commercial Code or the German Tax Act. These are, in particular, the control and reporting obligations under tax law, the performance of compliance screenings (comparison of the “EU terror lists” (European anti-terror regulations 2580/2001 and 881/2002) and the prevention of fraud and money laundering) – the legal basis for data collection for the fulfillment of legal obligations is Art. 6 para. 1 lit. c) GDPR.


4.4.4 Information on events or trade fairs/ customer satisfaction survey

The contact details of the contact persons are also used to provide information about products, events or trade fairs and to conduct a customer satisfaction survey (on a voluntary basis). The use for these purposes is based on our legitimate interests in direct marketing measures in accordance with Art. 6 para. 1 lit. f) GDPR or, if consent is required, by means of a declaration of consent on the basis of Art. 6 para. 1 lit. a) GDPR. You have the right to withdraw your consent at any time with effect for the future without giving reasons.


4.5 Data transfer

Personal data may also be processed by affiliated companies of GMH Gruppe. Within the respective responsible body of GMH Gruppe, only those bodies receive your data that are entrusted with the fulfillment of existing contracts, the execution of pre-contractual business relationships and / or the protection of our legitimate interests. These are in particular the employees who are entrusted with the preparation and execution of the request for quotation, order processing (sales, dispatch, finance and accounting), purchasing and customer service.

Further access to the data is possible by service providers employed by us and acting on our behalf (so-called processors, Art. 28 GDPR) for the care and maintenance of our systems, for error analyses and corrections and to ensure IT security. These accesses are regulated by contracts for order processing in accordance with the GDPR.


4.6 Data transfer to third countries

Due to our business relationships and branches outside the European Economic Area, your personal data may be transferred to third countries. Such processing takes place exclusively to fulfill contractual and business obligations and to maintain your business relationship with us.


4.7 Storage

If there is no legal retention period and / or storage is no longer required, the data will be deleted. This is the case:

a) if you do not place an order and do not wish to receive any further offers, information or contacts and / or

b) after termination and full completion of the contract and no legal obligation to retain data prevents deletion.

The obligatory period for storage of personal data may extend from three (3) to thirty (30) years.


5. Applicants

5.1 Explanation

Personal data is processed when your application is received by a GMH Gruppe company.
The application procedure applies uniformly to all GMH Gruppe companies in order to ensure a Group-wide process that complies with data protection regulations. We attach great importance to the protection of your privacy and your personal data as well as the necessary data security for the processing of your data. Only personal data that is necessary for the application process and does not violate the EU General Data Protection Regulation is processed via the applicant portal provided.

Applicant data that reaches us outside of applicant management is also transferred to the system for further processing in compliance with the GDPR.


5.2 Processors

GMH Gruppe uses the following processors for applicant management:
d.vinci HR-Systems GmbH, Nagelsweg 37-39, 20097 Hamburg (hereinafter referred to as “d.vinci”)
A data processing agreement under data protection law has been concluded with d.vinci. Further information on data processing by d.vinci can be found at


5.3 Person responsible

The controller in terms of data protection is the respective company to which you wish to apply or have applied.

If you would like us to consider you for other vacancies in our company and/or keep your application for longer than the maximum retention period of 6 months, please let us know directly with your application.


5.3 What categories of data do we use?

We process the data that you have sent us in connection with your application in order to check your suitability for the position (or any other open positions in our company) and to carry out the application process (including contacting you).

The personal data processed includes, in particular, your master data (such as first name, surname, name affixes), contact data (such as private address, telephone number, e-mail address), all data resulting from your application documents (including health data, if included).

As a rule, this data is collected directly from you as part of the application process. We may also have received data from third parties (e.g. recruitment agencies).

We also process personal data that we have reliably obtained from publicly accessible sources (e.g. professional networks).


5.4 For what purposes and on what legal basis are data processed?

We store the personal data provided by you as part of the application process. This applies both to applications in response to specific job advertisements and to unsolicited applications.

The data processing is necessary for the decision on the establishment of an employment relationship. The primary legal basis is Art. 6 para. 1 lit. b) GDPR in conjunction with Article 88 GDPR and Section 26(1) BDSG.

In addition, your separate consent in accordance with Art. 6 para. 1 lit. a) GDPR in conjunction with Section 26 para. 2 BDSG may serve as the legal basis under data protection law. This applies in particular if you have given us your permission to store your personal data beyond the application procedure for a longer specified period of time or to use the data for similar recruitment procedures at companies of GMH Gruppe.


5.5 Who gets your data?

Within our company, access to the applicant data you submit will only be granted to those persons in the responsible department who must be involved in filling the position. Your applicant data will be reviewed by the relevant HR department after receipt of your application. Suitable applications are then released internally to the relevant departments for the respective open position for inspection. The works council may then be given access to the application documents (§ 99 BetrVG, co-determination in individual personnel measures).


5.7 How long will your data be stored?

If you are not hired and no legal retention period exists, the data will be deleted as soon as storage is no longer required or the legitimate interest in storage has ceased to exist. This is regularly the case six (6) months after the application procedure has been completed at the latest.

If you have given us your permission to store your personal data for a specified period of time beyond the application process, this storage period applies.

Further information on data protection and the processing of your data is provided within the applicant portal.


Status: May 2024
We reserve the right to make any adjustments to this privacy policy.