Privacy Policy

Thank you for visiting the GAF AG (“GAF”) website. We appreciate your interest in our company and your visit to our website.

GAF owns and operates this website: www.gaf.de. GAF has created this privacy policy to demonstrate our firm commitment to privacy and to establish certain guidelines for your use of this website.

Data protection constitutes a particularly high priority for GAF’s management. As a private company, GAF is subject to the provisions of the General Data Protection Regulation (“GDPR”) and the country-specific data protection regulations/laws applicable to GAF, in particular the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

Pursuant to Art. 13 of EU Regulation 679/2016, as amended and supplemented (GDPR), as well as German and the laws of the European Union (“EU”) that complement it (“Applicable Privacy Law”), as amended and supplemented, we would like to share the information below as it pertains to your personal data (“Data”).

1 – DATA CONTROLLER

Controller for the purposes of GDPR, other data protection laws applicable in Member States of the European Union and other provisions related to data protection is:

GAF AG
Arnulfstrasse 199
80634 Munich
Germany

Website: https://www.gaf.de
Email: info@gaf.de
Phone: +49 89 121528-0
Fax: +49 89 121528-79

 2 – DATA PROTECTION OFFICER

The Data Protection Officer of the controller can be contacted directly by email at data_protection@gaf.de . Any data subject may contact our Data Protection Officer directly at any time with questions or suggestions concerning data protection. Alternatively, written requests can be sent to:

GAF AG
Privacy Policy / Datenschutz
z.Hd. des Datenschutzbeauftragten
Arnulfstr. 199
80634 Munich
GERMANY

3 – PURPOSE OF DATA PROCESSING 

GAF’s website collects general data and information whenever a data subject or automated system accesses the website. This general data and information are stored in server log files and

(a) allows the Data Controller to carry out activities that are strictly connected to and/or necessary for pursuing statistical, commercial and promotional objectives, as well as updating all personal data of natural or legal persons and requests made by users from time to time through the website https://www.gaf.de/ (‘Requests’ and ‘Site’, respectively) and/or by e-mail;

(b) may also be related to the provision of commercial information, as well as the marketing services of the Data Controller and/or its affiliates; and

(c) it is also related to statutory requirements set out in applicable national or EU legislation or regulations, as well as instructions issued by the relevant supervisory and control bodies.

The following data may be collected:

• browser type and version used;
• Operating System used by the accessing system;
• website that the accessing system used to reach our website (so-called referrers);
• sub-websites visited;
• time and date of accessing the website;
• IP address;
• the internet service provider of the accessing system; and/or
• any other similar data and information that may be used in the event of attacks on/threats to our information technology systems.

GAF does not draw any conclusions about data subjects when using this general data and information. Rather, this information is needed to:

• deliver the content of our website correctly;
• optimize the content of our website and its advertisements;
• ensure the long-term viability of our IT and web technology systems; and/or
• provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack.

Therefore, GAF anonymously collects and statistically analyses data with the aim of increasing the data protection and security of our enterprise, and ensuring an optimal level of protection for the personal data we process. Anonymous server log file data is stored separately from all personal data provided by a data subject.

4 – LEGAL BASIS FOR PROCESSING

Article 6 (1) (a) of the GDPR provides the legal basis for processing operations for which we obtain consent for a specific purpose. If processing personal data is necessary for a contract that the data subject is party to, such as processing necessary for delivering goods or providing other services or considerations, the processing is based on Art. 6 (1) (b) GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example, in response to enquiries about our products or services. If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Art. 6 (1) (c) GDPR. In rare cases, processing personal data may be necessary to protect the vital interests of the data subject or another natural person. For instance, if a visitor to our premises were to be injured, it may be necessary to pass on their name, age, health insurance details, or other vital information to a doctor, hospital, or other third party. In this case, processing is based on Art. 6 (1) (d) GDPR.

Finally, processing may also be based on Art. 6 (1) (f) GDPR. This legal basis applies to processing not covered by any of the above if it is necessary to safeguard the legitimate interests of our company or a third party, unless the interests, fundamental rights and freedoms of the data subject prevail. Such processing is permitted in particular because it has been specifically mentioned by the European legislator. In this respect, the legislator took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (see Recital 47, second sentence, GDPR). Where the processing of personal data is based on Article 6 (1) (f) GDPR our legitimate interest is to carry out our business in favor of the well-being of all our employees and the shareholders.

5 – STORAGE PERIOD

GAF AG will only process and store the personal data of the data subject for as long as is necessary to fulfil the storage purpose, or for as long as is required by European directives or German legislation to which the controller is subject.

Once the storage purpose has been fulfilled or the prescribed storage period has expired, the personal data will be anonymized, blocked or deleted in accordance with legal requirements.

Storage periods and the criteria used to determine them are defined in our GAF AG Retention Policy, which is available upon request.

6 – DATA DISCLOSURE

Data may be disclosed to third parties who perform specific tasks on behalf of GAF AG, for administrative matters (e.g., management of information systems, certification of financial statements, …), commercial partners (e.g., for internet shopping functionalities) as well as to banks for the management of receipts and payments, to leasing, insurance and debt collection companies, professional firms (legal and commercial) and other external bodies. The consent of data subjects is always obtained in advance for all envisaged personal data transfer processes.

7 – INTERNATIONAL DATA TRANSFERS

Data may be transferred to countries outside the European Economic Area (EEA), including, but not limited to, the United States and India, for outsourcing activities and the use of external service providers. GAF AG confirms that international data transfers are carried out exclusively in compliance with the security measures set out in Articles 44-50 of the GDPR. These security measures include, among other things, EU Commission adequacy decisions, the US Data Privacy Framework list, EU standard contractual clauses (SCCs), transfer impact assessments (TIA), and documentation on data flow relating to the specific data transfer.

8 – DATA SUBJECT RIGHTS

8.1 – With regard to personal data in our possession, the data subject can exercise the rights foreseen by the Applicable Privacy Law. In particular, you may:

1. a) ask the Data Controller to confirm: existence of your personal data, origin of such data, logic and purpose of processing, categories of subjects to whom data may be disclosed, as well as identification details of Data Controller and Data Processors;
2. b) have the right to request access to personal data, as well as the data transformation into anonymous form, to exercise the right of objection, rectification, or eventually to erase and to have incomplete personal data completed or to obtain the restriction of processing;
3. c) oppose to the processing, in cases foreseen by the Applicable Privacy Law;
4. d) exercise the right to portability, within the limits established by Art. 20 of the GDPR;
5. e) revoke consent (if this is the legal basis necessary for processing) at any time without prejudice to the lawfulness of processing based on the consent given prior to revocation;
6. f) have the right to lodge a complaint to a data protection authority about our processing of your personal data (according to Art. 33 GDPR), following the procedures and the instructions published on the official website. The competent supervisory authority in Bavaria is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Postfach 1349, 91504 Ansbach, GERMANY

Phone: +49 (0) 981 180093-0

Website: https://www.lda.bayern.de/de/index.html

8.2 – Any amendment to, deletion of and limitation on processing carried out upon your request – unless this proves impossible or involves a disproportionate effort – will be notified by the Data Controller to each of the data subjects of whom personal data have been disclosed. Upon request of the data subject, the Data Controller may share the identity of the recipients.

8.3 – In order to exercise the rights as referred to in paragraph 9.1 above, as well as for any communication, request or notification regarding privacy data, you may send an email to GAF AG Data Protection Officer, at the following address: data_protection@gaf.de

9 – DATA PROTECTION IN THE APPLICATION PROCESS

GAF collects and processes applicants’ personal data in order to handle the application process. This processing may be carried out electronically. This is particularly the case, if an applicant submits their application documents electronically, for example by email or via a web form on the GAF website.

If GAF enters into an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with statutory provisions.

If GAF does not conclude an employment contract with an applicant, their application documents will be automatically deleted six (6) months after the rejection decision is communicated, unless other legitimate interests of the controller prevent deletion. One example of a legitimate interest in this context is providing evidence in proceedings under the General Equal Treatment Act (AGG).

10 – Denied Party Screening and other Compliance Checks

We are obliged by applicable laws and regulations to perform a Denied Party Screening (DPS) and/or similar compliance checks. This is done to ensure compliance with applicable export control regulations and to avoid entering into any contracts with entities listed on sanctioned and/or restricted party lists.

Within the scope of this contractual relationship, we transfer personal data collected in connection with the application for and implementation of this business relationship to CRIF GmbH, Victor-Gollancz-Str. 5, 76137 Karlsruhe, Germany. The legal basis for these transfers is Article 6 (1) (b) and (f) GDPR. CRIF GmbH processes the data received and uses it to provide its contractual partners in the European Economic Area, Switzerland, and, where applicable, other third countries (provided that an adequacy decision has been made by the European Commission) with information on, among other things, the status of functionaries, including beneficial owners. The transfer of personal data to third countries is carried out in accordance with Art. 44 ff. GDPR.

Information on the activities of CRIF GmbH can be found in its information sheet or online at www.crif.de/datenschutz .

Additionally, partners from whom we source assets may be required to perform such screening or compliance check. We will provide the necessary data for this purpose.

11 – AUTOMATED DECISION-MAKING AND PROFILING

As a responsible company, we do not currently use automated decision-making systems or profiling techniques when processing personal data. All decisions affecting a data subject are made by human operators who carefully consider all relevant factors.

12 – TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

GAF confirm the implementation of technical and organizational measures in accordance with Art. 32 GDPR to ensure a secure processing of personal data. Our Technical and Organizational Measures (“TOMs”) can be made available upon request.

13 – COOKIES 

Cookies are small text files that are stored on visitors’ hard drives when they visit websites. They reflect identifying information about each user and retain certain non-identifying information about how they use the websites.

In general, visitors can use the GAF website without cookies. Visitors are always free to decline cookies if their browser permits. However, some parts of the website may not function properly if cookies are disabled.

GAF uses cookies for website logins only. GAF does not collect personal information about visitors from cookies.

14 – LINKS TO OTHER WEBSITES 

GAF’s website contains electronic links (hyperlinks) to third-party websites. All links have been carefully checked for possible violations before activation. However, GAF has no influence over the content or updates of these websites. GAF is not responsible for the privacy practices or content of any linked website and assumes no liability for them. If any violations are detected on these websites, GAF distances itself from such content. Upon notification of any such violation, GAF will immediately remove the link from its website.

15 – CONTACT AND COMMUNICATION

If you use the contact option on the website, your personal data will be processed based on your consent (Art. 6 (1) (a), Art. 7 GDPR).

16 – CHANGES TO THIS POLICY

We reserve the right to amend this privacy policy on a regular basis. This policy was last amended and updated on February 02, 2026.