1 Privacy statement
This privacy statement explains how we process your personal data (hereinafter referred to as “data”).
1.1 Data controller
In accordance with the provisions in the General Data Protection Regulation (GDPR), the data controller is:
Sto SE & Co. KGaA
79780 Stühlingen, Germany
Tel.: +49 77 44 57-0
1.2 Contact details for our data protection officer
1.3 General information on data processing
We process data as part of our business and website activities.
This includes disclosing data by transferring it to third parties and, where applicable, to non-member countries outside the European Union (hereinafter referred to as the “EU”) and the European Economic Area (hereinafter referred to as the “EEA”). In cases where we transfer data to parties or locations outside the EU or EEA, we identify this as outlined below.
2 Data processing
The specific items of data affected, purposes of processing, legal bases, recipients, and, where applicable, transfers to non-member countries are listed below.
2.1 Log file from website visit
We log your visit to our website. As part of this, we process:
• The name(s) of the page(s) on our website that you visited
• The date and time of your visit
• The quantity of data transferred
• The browser type you used and its version
• The operating system you used
• The referrer URL (the website you visited before ours)
• Your IP address
• The requesting provider
The legal basis for this data processing is our overriding legitimate interest in the ongoing provision and security of our website, in accordance with Article 6(1) f) of the GDPR.
The log file is deleted after a period of seven days unless it is required to provide evidence of or verify actual legal infringements that become known during this period.
To maintain our online presence, we use the services of web hosting providers, which process all the aforementioned data associated with the operation of this website (log file of website visit) on our behalf.
The legal basis for this data processing is our overriding legitimate interest in the provision of our website, in accordance with Article 6(1) f) of the GDPR.
2.3 Establishing contact
If you establish contact with us, we will process the following data for the purposes of dealing with your request: your name, your contact details (if you provide them), and your message.
The legal basis for this data processing is our obligation to perform a contract and/or fulfil the obligations that apply to us prior to entering into a contract, in accordance with Article 6(1) b) of the GDPR, and/or our overriding legitimate interest in processing your request, in accordance with Article 6(1) f) of the GDPR.
2.4 Establishing contact in the case of job applications
If you establish contact with us in order to submit an application for employment with us – by e-mail or using a contact form, for example – the data that you have submitted (such as your name, e-mail address, and requested employment location), your message, and the application documents you have submitted will be processed exclusively for the purpose of dealing with your application.
The primary legal basis for this data processing is Section 26 of the BDSG (German Federal Data Protection Act), which states that data that is required in order to make a decision about entering into an employment relationship may be processed.
Should this be necessary on completion of the application process (as part of legal proceedings, for example), data processing to safeguard our legitimate interests is permitted according to Article 6(1) f) of the GDPR, specifically to pursue and/or defend a claim.
2.5 Contract performance and data management as part of our service provision
We process various items of data when providing our services and for the purposes of initiating and processing contractual relationships between you and us.
If you have assigned us to provide a service, we will process your data (name, contact details, and address, where provided) and all the information required to perform this assignment exclusively for the purpose of handling the contractual relationship.
In particular, this includes appropriate consulting services and support, correspondence with you, delivery and invoicing, and fulfilling our accounting and tax-related obligations.
Accordingly, the data will be processed on the basis of Article 6(1) b) of the GDPR and for the purpose of complying with our legal obligations in accordance with Article 6(1) c) of the GDPR.
Your data may be passed on to third parties where necessary for the purposes of processing the assignment.
We will pass on your address information to the company entrusted with making delivery. Where necessary to execute the contract, we will also pass on your e-mail address or your telephone number to the company entrusted with making delivery in order to arrange a delivery date (dispatch notification).
We will pass on your transaction data (name, date of order, payment method, date of dispatch and/or receipt, amount and payee, and where applicable, bank details or credit card details) to the payment provider commissioned with handling the payment.
This may also include passing data on to supervisory authorities for correspondence purposes and in order to assert and defend your rights.
In doing so, we will put all suitable measures in place to ensure that personal data is only transferred to the extent necessary for the underlying purpose.
2.6 Credit Check
If this is provided for the payment method you have selected, we will carry out a credit check. In this process, we transmit your name and address to a credit agency, which compares this data with its own database in order to check your creditworthiness. The credit agency then transmits the corresponding creditworthiness information to us.
The legal basis for data processing in the case of purchase on account is our legitimate interest in accordance with Art. 6 (1) f) GDPR, as we make advance payments for the dispatch of goods and bear the risk of default. In all other cases, data processing in the context of a credit check is carried out exclusively on the basis of your prior consent pursuant to Art. 6 (1) a) GDPR.
2.7 Customer account
You must register before you can use our online shop. In addition to information about your company, personal data (contact person, e-mail address, name of the business owner) may also be processed in this case. We will also process your usage data (user name, password). This enables you to manage your orders and assignments and us to identify you as a customer. The legal basis for this data processing is your consent in accordance with Article 6(1) a) of the GDPR.
2.8 Tradesmen list
Via our website, we offer specialist tradesmen the opportunity to enter their company in the STO list via their customer account. In addition to the information about your company, personal data (contact person, e-mail address, name of the company owner, telephone number) may also be processed and displayed in the list.
The data processing is based on your consent in accordance with Art. 6 (1) a) GDPR.
We offer you the option of receiving an e-mail newsletter so that we can share regular information about our company and our offers with you. If you subscribe to our newsletter, we will process the data you provide when doing so (e-mail address and other information shared voluntarily). To prevent abuse, once you have subscribed, we will send you an e-mail asking you to confirm your subscription (double opt-in procedure). Your subscription is logged so that we can verify that the subscription process complies with legal requirements. The data that is logged as part of this is the point in time at which you subscribed and confirmed, and your IP address.
The legal basis for sending the newsletter is your consent in accordance with Article 6(1) a) of the GDPR. The legal basis for processing the data connected with sending the confirmation e-mail for your subscription and for the related data logging process is our legitimate interest in verifying that your subscription is correct, in accordance with Article 6(1) f) of the GDPR.
In order to send the newsletter, we use service providers to which we transfer the data referred to above.
2.10 Personalised newsletter
Provided you consent to this in advance, you will receive a newsletter featuring personalised content from us.
By using the newsletter, we receive information regarding when an e-mail was opened. In addition, we analyse your user activity by determining which links you clicked on in the newsletter. We use this information to further tailor the content of our newsletter to your personal interests.
The legal basis for sending the newsletter is your consent in accordance with Article 6(1) a) of the GDPR.
2.11 Direct email advertising for existing customers
In order to offer you similar goods and services in connection with the goods and services you have purchased, we will send you direct mail to the email address you used in connection with the purchase.
The legal basis for sending this direct mail is Section 7 (3) UWG in conjunction with Art. 95 GDPR.
To send the newsletter, we use service providers to whom we transmit the data mentioned above. They process the data on our behalf and in accordance with our instructions.
2.12 Shop system, data management, and newsletter via Salesforce
In order to provide our shop system, manage our customer data, and send our personalised newsletter, we use systems from Salesforce.com Germany GmbH, Erika-Mann-Str. 63, 80636 Munich (“Salesforce”). The data that we process in the context of providing your customer account, purchase transactions, and personalised newsletter, including the analysis of your user activity, is therefore processed by us in Salesforce systems.
We do not process your data using Salesforce systems for any additional purposes. The legal basis for this processing therefore corresponds to the legal bases described under sections 2.5, 2.6, and 2.8 above.
Salesforce is a group of companies with branches worldwide. The group’s parent company is salesforce.com Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA.
It is therefore possible that data may be transferred to the USA in the context of data processing undertaken by Salesforce. The EU Commission has not agreed a framework regarding the adequacy of the level of protection when data is transferred to the USA. However, Salesforce ensures an adequate level of data protection by means of binding corporate rules (BCR). These are binding internal regulations which have been approved by a European supervisory authority. You can access a copy of the BCR at the following link: https://compliance.salesforce.com/en/salesforce-bcrs
In addition, Salesforce ensures an adequate level of data protection by means of the EU standard contractual clauses. You can access a copy of the clauses at the following link: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf
2.13 Requests for marketing support
Via our website, we offer trade/specialized companies the opportunity to receive offers for the conception of individual advertising material from our partner agencies. We will forward your inquiries via our contact form to our respective partner agency for further coordination with you. In addition to the information about your company, the selected motifs and products, personal data (contact person, email address, name of the company owner, telephone number) may also be processed.
The data is processed in order to carry out pre-contractual measures at your request. The legal basis for data processing is Art. 6 (1) b) GDPR.
Our website uses what are known as cookies. These are small text files that are stored on your device (PC, smartphone, tablet, etc.) by your web browser.
Information about the specific cookies we use, their providers and purposes can be found in our Consent banner. There you can give your consent to the respective services, revoke it or subsequently adjust your settings.
2.15 Consent banner from Cookie Information
So that we can document your selections relating to certain data processing procedures and communicate this information to third-party providers, our website uses the Cookie Information service (hereinafter referred to as “Cookie Information”) provided by Cookie Information A/S, Kristen Bernikows Gade 4, 1105 Copenhagen K, Denmark. Cookie Information uses the data processing procedures you select and communicates this information to third-party providers as appropriate.
This data processing is carried out in order to fulfil our legal obligation to process data in a way that is compliant with data protection requirements, in accordance with Article 6(1) c) of the GDPR.
You can find more information about how Cookie Information processes data at:
(a) Google services
Our website uses various services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “Google”). As part of this, there is the potential for data to be transferred to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043 in the USA.
There is no EU Commission adequacy decision for data transfers to the USA. Google ensures an adequate level of data protection via the EU standard contractual clauses. You can access a copy of the contractual clauses here:
Please also note the information on the use of data by Google in the Google Partner Network at:
(b) Google Analytics
Our website uses the tracking tool Google Analytics in order to analyse your use of the website. This makes it possible to compile reports about activity on our web presence, provide further services associated with use of the website, and improve user-friendliness as a result.
The use of Google Analytics primarily involves using cookies to collect data about and systematically evaluate interactions by users of our website.
You can find details of the cookies we use in our cookie settings. You can change or withdraw your consent at any time by clicking on the appropriate icon at the bottom left-hand corner of the website.
We use Google Analytics with the “anonymizeIp()” extension. This truncates IP addresses within member states of the EU or EEA. If data is transferred to Google servers in the USA, the complete IP address is only transferred and truncated there in exceptional cases. In most cases, this prevents the possibility of the data being used to directly identify an individual person. In particular, it makes it impossible to link the data to the computer or other device that the visitor to the website used.
Google Analytics processes the following data:
• Bytes from the IP address of the system used by the website visitor (anonymised IP address)
• The website visited
• The website from which users access our website (referrer)
• The individual pages visited on our website
• The duration for which users remain on the website
• The frequency with which the website is visited
Google has itself stated that it will never unite your IP address with other Google data.
The legal basis for this data processing is your prior consent in accordance with Article 6(1) a) of the GDPR.
(c) Google Remarketing/Retargeting
We use so-called tracking cookies from Google on our website. When you visit our site, information is stored in permanent cookies about which products you have viewed on our site and through which third-party advertisements and pages users reach our website. If you subsequently visit a partner website, we can display personalised advertising for you based on the items you have viewed on our site.
(d) Legal basis and revocation
The legal basis for data processing within the scope of the aforementioned Google services is your prior consent pursuant to Art. 6 (1) a) GDPR.
You can revoke your consent at any time with effect for the future by adjusting your preferences in our Consent Banner.
2.17 Facebook custom audiences (pixel/cookies)
Our website uses what is known as a tracking pixel from Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a subsidiary of Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. We use the Facebook pixel to track the success of our Facebook advertising campaigns and to optimise how Facebook advertising campaigns are displayed to interested target groups.
When you click on a Facebook advertisement or visit our website, the pixel on our website is used to store a cookie on your device. The cookie processes data relating to whether you have accessed our website via a Facebook advertisement and enables your activity up to the point that you make a purchase to be analysed. This allows us to track the success rate of our Facebook advertising campaigns. In addition, the pixel processes data relating to the fact that you have visited our website, enabling the advertising shown to you on Facebook to be adapted to your interests.
Via the Facebook pixel integrated on our website, a direct connection to the Facebook servers is established when you visit our website. The information generated by the cookie about your use of this website (including your IP address) is transmitted to Facebook in the USA.
There is no adequacy decision of the EU Commission for data transfers to the USA. Facebook ensures an adequate level of data protection via the EU standard contractual clauses. You can access a copy of the contractual clauses here:
The data collected is anonymous for us and does not allow us to draw any conclusions about the user. If you are registered with Facebook, Facebook can assign the collected information to your account. Even if you do not have a Facebook account or are not logged in when you visit our website, it is possible for Facebook to process and store your IP address and other identification data.
You can revoke your consent for data processing by Facebook Pixel for our web domain at any time with future effect by adjusting your preferences in our Consent banner.
The legal basis for this data processing is your consent in accordance with Article 6(1) a) of the GDPR.
2.18 External content
We use dynamic content (hereinafter referred to as “content”) from third parties to optimise the appearance and content of our website. When you visit our website, a request is sent automatically to the corresponding content provider’s server via an interface. Certain log data (e.g. the user’s IP address) is transferred in this request. The dynamic content is then transferred to our website, where it is displayed.
We use external content from Google/YouTube in connection with the following functionalities [2.18 (a) to (c)]. Data transfer to the USA is not excluded. There is no EU Commission adequacy decision for data transfers to the USA. Google/YouTube ensures an adequate level of data protection via the EU standard contractual clauses. You can access a copy of the contractual clauses here: https://policies.google.com/privacy/frameworks?hl=en&gl=en
Further information on data protection can be found at:
(a) Integration of YouTube videos
We have included videos from the YouTube portal of YouTube LLC, 901 Cherry Ave. San Bruno, CA 94066, USA ("YouTube"). When the videos are played, log data is transmitted to YouTube's servers in the USA.
The legal basis for the data processing is our overriding legitimate interest in the optimal marketing of our online offer in accordance with Art. 6 (1) f) GDPR.
(b) Google Maps
We use the map service "Google Maps" from Google on our website to provide you with an interactive map. When displaying the map, data including your IP address and your location are transmitted to Google servers in the USA and stored there. This processing is carried out on the basis of our overriding legitimate interest in optimal marketing of our offer in accordance with Art. 6 (1) f) GDPR.
In order to protect the input forms of our websites from spam and misuse, we use the external service reCAPTCHA. This is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter Google). reCAPTCHA enables a distinction to be made between entries of human origin and those made improperly by automated software (also known as bots).
The following data relating to you is processed: referrer URL, IP address of the user, input behaviour of the user as well as mouse movements in the area of the "reCAPTCHA" checkboxes, recognition and assignment to the Google account if the user logs in to his Google account at the same time, information about the browser used, browser size, browser resolution, browser plug-ins, language settings, date, scripts and display instructions of the website.
The processing is based on our overriding legitimate interest in the security of our website in accordance with Art. 6 (1) f) GDPR.
3 Data retention
3.1 Data retention duration
We retain personal data only for as long as is necessary for the purposes for which it is being processed or until you withdraw your consent. Insofar as statutory retention requirements need to be complied with, the retention period for certain data can be up to 10 years, regardless of the purposes for which the data is being processed.
4 Your rights as a data subject
4.1 Information and access
You can request information about/access to all personal data we are holding for you, free of charge and at any time.
4.2 Rectification, erasure, restriction of processing, objection
If you no longer agree to your personal data being stored or if your personal data is no longer correct, on receipt of a corresponding instruction from you, we will have your data erased or blocked or make the necessary corrections (insofar as this is possible under applicable law). The same applies if we are to restrict the processing of your data in the future. In particular, you have the right to object in cases where your data is necessary for the performance of a task in the public interest or our legitimate interest, including any profiling that is based on this. You also have the right to object in cases where data is processed for direct marketing purposes.
4.3 Your right to withdraw consent with effect for the future
You can withdraw consent with effect for the future at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
4.4 Data portability
If data is being processed on the basis of a contract or negotiations prior to entering into a contract, on the basis of consent, or using automated methods, you have the right to data portability. On request we will provide your data to you in a commonly used, structured, and machine-readable format so that you can transfer this data to another controller should you wish to do so.
4.5 Right to lodge a complaint
You also have the option to lodge a complaint with a supervisory authority in relation to your rights as a data subject.
The above rights do not apply to data where we are not able to identify the data subject (if the data has been anonymised for analysis purposes, for example). It may be possible for you to exercise your right to access/be informed, right to erasure, right to block, right to rectification, or transfer to another organisation in relation to this data if you provide us with additional information that will enable us to identify you.
5 Exercising your rights as a data subject
5.1 Exercising your rights as a data subject
If you have any questions about the processing of your personal data or if you wish to exercise your right to access/be informed, right to rectification, right to block, right to object, or right to erasure, or should you wish to submit a request for your data to be transferred to another organisation, please contact firstname.lastname@example.org.