ZUFF Fire GmbH Data Protection & GDPR Policy
Introduction
ZUFF Fire GmbH (“we”, “us”, “our”) is committed to protecting the personal data of our employees, contractors, customers, suppliers, and other data subjects (“you”, “your”). This policy outlines how we collect, use, store, share, and safeguard personal data, as well as how we comply with the General Data Protection Regulation (“GDPR”) and applicable EU/Swiss data protection laws.
Scope
This policy applies to all employees, contractors, consultants, temporary staff, and third-party service providers of ZUFF Fire GmbH, regardless of their location. It covers all personal data processed by us, in any form (paper, electronic, etc.).
Definitions
- Personal data: Any information relating to an identifiable natural person.
- Processing: Any operation involving personal data, e.g., collection, storage, use, disclosure, erasure.
- Controller: The entity that determines the purpose and means of processing personal data.
- Processor: The entity that processes personal data on behalf of a controller.
- Data subject: The natural person whose personal data is processed.
- GDPR: The EU Regulation on data protection (and any applicable Swiss counterpart).
- Data Protection Officer (DPO): The person responsible for overseeing data protection compliance (if applicable).
- High-risk processing: Processing likely to result in high risk to individuals’ rights and freedoms.
Principles of Data Processing
We abide by the core data protection principles of the GDPR:
- Lawfulness, fairness, and transparency: Personal data will be processed lawfully, fairly, and transparently.
- Purpose limitation: Data is collected only for specified, explicit, and legitimate purposes and is not further processed in ways incompatible with those purposes.
- Data minimisation: Data collected is adequate, relevant, and limited to what is necessary for the stated purposes.
- Accuracy: Data is accurate and kept up to date; reasonable steps are taken to rectify or erase inaccurate data.
- Storage limitation: Personal data is retained no longer than necessary for the purposes for which it is processed.
- Integrity and confidentiality (security): Appropriate technical and organisational measures are in place to ensure the security of personal data.
- Accountability: We are responsible for, and must be able to demonstrate, compliance with these principles.
Legal Bases for Processing
We will only process personal data where one or more of the following applies:
- You have given consent for one or more specific purposes;
- Processing is necessary for the performance of a contract to which you are a party;
- Processing is necessary for compliance with a legal obligation;
- Processing is necessary to protect your vital interests or those of another natural person;
- Processing is necessary for the purposes of our legitimate interests (except where overridden by your interests or fundamental rights), in which case we will document a Legitimate Interest Assessment.
Data Subject Rights
Data subjects have the following rights (subject to applicable law):
- The right to access their personal data and certain supplementary information;
- The right to rectify inaccurate data;
- The right to erasure (“right to be forgotten”) in certain circumstances;
- The right to restrict processing;
- The right to data portability (to receive their personal data in a structured, commonly used format and transmit it to another controller), where applicable;
- The right to object to processing (including profiling and direct marketing), where applicable;
- The right to withdraw consent at any time (where processing is based on consent) without affecting the lawfulness of processing prior to consent withdrawal;
- The right to lodge a complaint with a supervisory authority.
Requests to exercise any of the above rights should be directed to info@firezuff.com. We will respond without undue delay and within the timeframe required by law.
Data Protection by Design and by Default
We incorporate data protection into the development of our business processes for products and services (“data protection by design”) and ensure that, by default, only personal data necessary for each specific purpose is processed (“data protection by default”).
Data Inventory, Processing Activities, and Records
We maintain records of processing activities for which we are responsible (including data categories, purposes, recipients, transfers, retention periods, security measures, etc.). We regularly map the personal data we collect and process.
Data Retention and Disposal
We specify retention periods for each category of personal data, ensuring data is not kept longer than necessary. At the end of the retention period, data is securely deleted, anonymised, or otherwise disposed of in accordance with our retention and disposal policy.
International Transfers
Where personal data is transferred outside the European Economic Area (EEA) or to a country not deemed adequate, we implement appropriate safeguards (such as standard contractual clauses, binding corporate rules, or explicit consent) in line with GDPR requirements.
Security of Processing
We use appropriate technical and organisational measures to ensure a level of security appropriate to the risk (including encryption, pseudonymisation, access controls, audit trails, incident detection, etc.). Our systems and processes are regularly reviewed and tested to maintain security.
Data Breaches
In the event of a personal data breach, we will, where required by law, notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals’ rights and freedoms, we will also notify the affected data subjects without undue delay.
Processor and Third-Party Contracts
When engaging third-party processors to handle personal data on our behalf, we ensure there is a contract in place specifying obligations, including: action only on our instructions, implementation of appropriate security measures, assistance with data subject rights, return or deletion of personal data at the end of the contract, and provision of audit rights.
Training, Awareness, and Staff Responsibilities
All employees and relevant contractors receive data protection and GDPR compliance training. Everyone is responsible for safeguarding personal data and must adhere to this policy. Line managers are accountable for ensuring compliance within their departments. We designate a person (or team) responsible for data protection compliance.
Monitoring, Review, and Audit
We regularly review our data protection practices, conduct audits as appropriate, and update this policy and related procedures to reflect changes in business practices, technology, legal/regulatory developments, or the risk environment.
Role of Data Protection Officer (DPO)
If required by law or the nature of our processing activities, we will appoint a DPO. The DPO’s contact details are: info@firezuff.com. The DPO serves as a point of contact for data subjects, offers internal guidance, and monitors compliance.
Contact Information
If you have questions about this policy, wish to exercise your data subject rights, or wish to report a data breach, you can contact:
Zuff Fire GmbH
Stollestr. 22
01159 Dresden
Germany
Email: info@firezuff.com
Amendments
We may update this policy from time to time. The effective date will be updated, and all employees and contractors will be notified of any material changes.
