Data Protection


This privacy policy explains to you the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online offer and the associated websites, functions, and contents as well as external online presences, such as our social media profile (hereinafter jointly referred to as "online offer"). With regard to the terms used, such as "processing" or "controller", we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).


Torbau Schwaben GmbH
Enzianstraße 14
D-88436 Oberessendorf

Telephone: 07355/9310-0

Types of processed data:


  • User data (e.g. names, addresses).
  • Contact data (e.g. email, telephone numbers).
  • Content data (e.g. text input, photographs, videos).
  • Usage data (e.g. visited websites, interest in content, access times).
  • Metadata/communication data (e.g. device information, IP addresses).


Categories of data subjects

Visitors and users of the online offer (hereinafter referred to together as "users").

Purpose of processing


  • Provision of the online offer, its functions, and contents.
  • Response to contact inquiries and communication with users.
  • Security measures
  • Assessing reach/marketing


Terms used

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookies), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is very broad and covers practically every instance of handling data.

"Pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Applicable legal basis

In accordance with Article 13 GDPR, we hereby inform you of the legal basis of our data processing. If the legal basis is not mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR; the legal basis for processing for the performance of our services and performance of contractual measures as well as for responding to inquiries is Article 6(1)(b) GDPR; the legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR; and the legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

Security measures

We take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons, in accordance with Article 32 GDPR.

Such measures shall in particular include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, safeguarding of availability, and its separation. Moreover, we have established procedures to ensure the exercise of rights of data subjects, deletion of data, and reaction to endangerment of data. Furthermore, we take account of the protection of personal data during the development or selection of hardware, software, and processes, in accordance with the principle of data protection through technology design and data protection by default (Article 25 GDPR).

Cooperation with processors and third parties

If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transmit it to them, or otherwise grant them access to the data, this shall only take place on the basis of legal permission (e.g. if a transmission of the data to third parties, such as payment service providers, is necessary in accordance with Article 6(1)(b) GDPR for performance of the contract), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
If we commission third parties with the processing of data on the basis of an "order processing contract", this is done on the basis of Article 28 GDPR.

Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this only takes place if it occurs for the performance of our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Article 44 ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to the EU (e.g. for the USA by the "Privacy Shield") or compliance with officially recognized special contractual obligations ("standard contractual clauses").

Rights of data subjects

You have the right to request confirmation as to whether the data is being processed and to request information about this data as well as further information and a copy of the data in accordance with Article 15 GDPR.
In accordance with Article 16 GDPR, you have the right to request the completion of your personal data or the correction of inaccurate personal data.
In accordance with Article 17 GDPR, you have the right to demand that relevant data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with Article 18 GDPR.
You have the right to request that your personal data that you have provided to us be received in accordance with Article 20 GDPR and to request its transmission to other controllers.
In accordance with Article 77 GDPR, you also have the right to file a complaint with the competent supervisory authority.

Right to withdraw

You have the right to withdraw consents granted pursuant to Article 7(3) GDPR with future effect

Right to object

You can object to the future processing of your personal data in accordance with Article 21 GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.

Cookies and right of objection in direct advertising

"Cookies" are small files stored on the user's computer. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offer. Temporary cookies, or "session cookies" or "transient cookies", are cookies that are deleted after a user leaves an online offer and closes their browser. Such a cookie can be used, for example, to store the content of a shopping basket in an online shop or a login status. Cookies referred to as "permanent" or "persistent" remain stored on the user's computer even after the browser is closed. For example, the login status can be saved when users visit again after several days. Likewise, the interests of users used for assessing reach or for marketing purposes may be stored in such a cookie. "Third-party cookies" are cookies which are offered by providers other than the controller that operates the online offer (they are otherwise referred to as "first-party cookies").
We may use temporary and permanent cookies and clarify this within the framework of our privacy policy.
If users do not want cookies to be stored on their computer, they are asked to disable the corresponding option in their browser's settings. Stored cookies can be deleted in the browser's settings. The exclusion of cookies can restrict the functionality of this online offer.
A general objection to the use of cookies for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site or the EU site Furthermore, the storage of cookies can be achieved by disabling them in the browser settings. Please note that in this case, not all functions of this online offer can be used.

Deletion of data

The data processed by us will be deleted, or its processing restricted, in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this privacy statement, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory storage obligations. If the data is not deleted because it is necessary for other and legally permissible purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
According to legal requirements in Germany, retention is carried out in particular for 10 years in accordance with Section 147 (1) of the Tax Code [AO], Section 257 (1)(1) and (4) and Section 257 (4) of the Commercial Code [HGB] (books, records, management reports, accounting documents, trading books, documents relevant for taxation, etc.) and 6 years in accordance with Section 257 (1)(2) and (3) Section 257 (4) HGB (commercial correspondence).
In accordance with legal requirements in Austria, retention is carried out in particular for 7 years in accordance with Section 132 (1) of the Federal Tax Code [BAO] (accounting documents, receipts/invoices, accounts, receipts, business papers, statement of income and expenses, etc.), for 22 years in connection with real estate, and for 10 years for documents in connection with electronically provided services, telecommunications, radio, and television services which are provided to non-entrepreneurs in EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.


When contacting us (e.g. via contact form, email, telephone, or social media), the user's details are processed in order to handle the contact inquiry pursuant to Article 6(1)(b) (in the context of contractual/pre-contractual relationships), Article 6(1)(f) (other inquiries) GDPR. The user's details can be stored in a Customer Relationship Management system ("CRM system") or comparable inquiry organization.
We delete inquiries if they are no longer required. We review this requirement every two years; the statutory archiving obligations also apply.

Hosting and sending emails

We use hosting services to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, sending emails, security services, and technical maintenance services that we use for the purpose of operating this online offer.
We or our hosting provider process user data, contact data, content data, contract data, usage data, metadata, and communication data of customers, interested parties, and visitors to this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer according to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of order processing contract).

Content Delivery Network from Cloudflare

We use a Content Delivery Network (CDN), offered by Cloudflare, Inc. 101 Townsend St, San Francisco, CA 94107, USA. Cloudflare is certified under the Privacy Shield agreement and thus offers a guarantee to comply with European data protection law (
A CDN is a service for the rapid delivery of the contents of our online offer; large media files in particular, such as graphics or scripts, are delivered faster with the help of regionally distributed servers connected via the Internet. User data is processed solely for the aforementioned purposes and to maintain the security and functionality of the CDN.
Usage is based on our legitimate interests, i.e. interest in a secure and efficient provision, analysis, and optimization of our online offer in accordance with Article 6(1)(f) GDPR.
For more information, see Cloudflare's privacy policy:

Google Analytics

We use Google Analytics, a web analysis service of Google LLC ("Google"), on the basis of our legitimate interests (i.e. interest in the analysis, optimization, and economic operation of our online offer within the meaning of Article 6(1)(f) GDPR). Google uses cookies. The information generated by the cookies on the user's use of the online offer is generally transferred to a server operated by Google in the USA and stored there.
Google is certified under the Privacy Shield agreement and thus offers a guarantee to comply with European data protection law (
Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer, and to provide us with further services associated with the use of this online offer and the use of the Internet. Pseudonymous user profiles can be created from the processed data.
We use Google Analytics only with IP anonymization enabled. This means that Google will shorten the IP address of users within Member States of the European Union or in other states, party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA and truncated there.
The IP address transmitted by the user's browser is not merged with other Google data. Users may refuse the use of cookies by selecting the appropriate settings in their browser software; users may also prevent Google from collecting data generated by the cookie and relating to their use of the website, and from processing this data, by downloading and installing the browser plug-in available at the following link:
Further information on data use by Google, possible settings and opportunities to object can be found in Google's privacy policy ( and in the settings for displaying advertisements by Google (
Users' personal data will be deleted or made anonymous after 14 months.

Google Tag Manager

We use the Google Tag Manager on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The Google Tag Manager is a tool that we can use to integrate tracking or statistical tools and other technologies on our website. Google does not store any cookies for the Google Tag Manager and does not collect any personal data. However, Google Tag Manager can trigger other tags that may collect personally identifiable information. You will find a corresponding note in this data protection declaration for the respective providers. The Google Tag Manager itself does not access this data. If a deactivation has been made at domain level or cookie level, this will remain in place for all tracking tags implemented with Google Tag Manager.
The legal basis for the processing of personal data is Art. 6 I lit. a GDPR if we ask for your consent to the use of third-party providers. Otherwise, the legal basis is Art. 6 I lit. f GDPR. We have a legitimate interest in analyzing website visitor behavior in order to create statistics and thereby make our website attractive and user-friendly. The consent can be revoked at any time.
Further information on the use of data for advertising purposes by Google, setting and objection options can be found on the Google websites:

Google AdWords and conversion measurement

We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google"), on the basis of our legitimate interests (i.e. interest in the analysis, optimization, and economic operation of our online offer within the meaning of Article 6(1)(f) GDPR).
Google is certified under the Privacy Shield agreement and thus offers a guarantee to comply with European data protection law (
We use the Google "AdWords" online marketing process to place ads in the Google Advertising Network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads. This allows us to display ads for and within our online offer in a more targeted manner in order to only present users with ads that potentially match their interests. For example, if a user is shown ads for products in which they are interested in other online offers, this is known as "remarketing". For these purposes, when our and other websites on which the Google Advertising Network is active are accessed, Google directly executes a code from Google, and (re-)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With the aid of this, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). This file notes which websites the user visits, which content they are interested in and which offers the user has clicked on, technical information on the browser and operating system, referring websites, visiting time, and further information on the use of the online offer. We also receive an individual "conversion cookie". The information collected through cookies is used by Google to generate conversion statistics for us. However, we only see the total number of anonymous users who have clicked on our ad and were redirected to a page with a conversion tracking tag. We do not receive any information that personally identifies users. User data is processed pseudonymously within the Google advertising network. This means that Google does not store and process, for example, the names or email addresses of users, but processes the relevant data based on cookies within pseudonymous user profiles. From Google's point of view, this means the ads are not managed and displayed for a specifically identified person, but for the owner of the cookie, regardless of who this individual is. This does not apply if a user has expressly permitted Google to process data without this pseudonymization. The information collected about users is transmitted to Google and stored on Google's servers in the USA. Further information on data use by Google, possible settings and opportunities to object can be found in Google's privacy policy ( and in the settings for displaying advertisements by Google (

Online presences in social media

We maintain online presences within social networks and platforms in order to communicate with active customers, potential customers, and users and to inform them about our services.
We would like to point out that user data may be processed outside the European Union. This can pose risks for users because, for example, the enforcement of users' rights could be made more difficult. With regard to US providers certified under the Privacy Shield, we would like to point out that they commit themselves to comply with EU data protection standards.
Furthermore, user data is usually processed for market research and advertising purposes. This means, for example, user profiles can be created from the users' behavior and their resulting interests. On the other hand, the user profiles can be used, for example, to place advertisements inside and outside the platforms that presumably correspond to the users' interests. Cookies are usually stored on the user's computer for these purposes, in which the user's usage behavior and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to these).
The processing of users' personal data is carried out on the basis of our legitimate interests in effective user information and communication with users pursuant to Article 6(1)(f) GDPR. If the users are asked by the respective providers for consent to data processing (i.e. to give their consent by ticking a checkbox or pressing a button), the legal basis of processing is Article 6(1)(a) and Article 7 GDPR.
For a detailed description of the respective processing and the possibilities of objection (opt-out), we refer to the information provided by the providers linked below.
Also in the case of requests for information and the assertion of user rights, we point out that these can be asserted most effectively with the providers themselves. Only the providers have access to users' data and can directly take appropriate measures and provide information. If you still need help, please contact us.


Integration of third-party services and content

We use content or service offerings from third parties to incorporate their content and services, such as videos or fonts (hereinafter referred to as "content"), within our online offer based on our legitimate interests (i.e. interest in the analysis, optimization, and economic operation of our online offer within the meaning of Article 6(1)(f) GDPR).
This always presupposes that the third-party providers of this content receive the users' IP addresses, since without the IP address, they could not send the content to their browser. The IP address is therefore required for displaying this content. We make every effort to only use content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" can be used to assess information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visiting time, and other information about the use of our online offer, as well as be linked to such information from other sources.


We integrate videos from the "YouTube" platform by the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy:, Opt-Out:

Google Fonts

We integrate fonts ("Google Fonts") from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy:, Opt-Out:

Created by by Dr. Thomas Schwenke.

