Privacy Policy

With this privacy policy, we would like to inform you about the scope, nature and purpose of the processing of personal data (hereinafter referred to as "data") on this website and the associated content of us and third parties. A precise definition of the terms, such as "personal data" or "processing", can be found in Art. 4 of the General Data Protection Regulation (DSGVO).


Company: RISTO GmbH & Co.KG
Address: Kreuzbreite 43, 31675 Bückeburg, Germany
Phone: +49-5722 888970
Managing Directors: Günter Wortmann, Matthias Wortmann

Types of data processed

  • Contact details (e.g., email, phone numbers)
  • Usage data (e.g., web pages visited, access times)
  • Meta/communication data (e.g., device information, IP addresses)

Processing of special categories of data (Art. 9 (1) DSGVO)

As a matter of principle, no special categories of data are processed unless they are supplied for processing by the users, e.g. entered in online forms or emails.

Categories of persons concerned by the processing

  • Customers, prospects and suppliers
  • Visitors and users of the online offer

Status: 11.04.2022

1. Legal basis according to Art. 13 DSGVO

If the legal basis for data processing is not stated in this privacy policy, the following applies: The legal basis for processing for the performance of our services and implementation of contractual measures as well as answering inquiries is Art. 6 (1) lit. b DSGVO, the legal basis for obtaining consent is Art. 6 (1) lit. a and Art. 7 DSGVO, the legal basis for processing to protect our legitimate interests is Art. 6 (1) lit. f DSGVO and the legal basis for processing to comply with our legal obligations is Art. 6 (1) lit. c DSGVO. If vital interests of a data subject or another natural person make processing of personal data necessary, the legal basis is Art. 6 (1) lit. d DSGVO.

2. Changes and updates to the privacy policy

Please inform yourself regularly about the content of our privacy policy. This will be adapted as soon as changes to the data processing carried out by us make this necessary. If a change requires your cooperation (e.g. consent), we will inform you proactively.

3. Security measures according to Art. 32 DGGVO

a) In order to ensure an adequate level of protection, we take appropriate technical and organizational measures, taking into account the implementation costs, the state of the art and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. These include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, entry into, disclosure of, assurance of availability of and segregation of the data. We have established procedures to ensure the exercise of data subjects' rights, deletion of data and response to data compromise. We also take the protection of personal data into account when selecting hardware, software and processes, as well as through data protection-friendly default settings (Article 25 of the GDPR).

b) These security measures include the encrypted transmission of data between your browser and our server (https/SSL encryption).

4. Cooperation with processors and third parties

a) If we grant third parties access to data, this will only be done on the basis of a legal permission, for example if you have consented, a legal obligation exists or on the basis of our legitimate interest.

b) If we commission third parties with the processing of data on the basis of a "contract processing agreement", Art. 28 DSGVO is the basis for this.

5. Transfer to third countries

Subject to legal or contractual permissions, we allow data to be processed in a third country outside the European Union (EU) or the European Economic Area (EEA) only if special conditions are met in accordance with Art. 44 et seq. DSGVO, e.g. on the basis of officially recognized guarantees that a level of data protection similar to that in the EU is maintained.

Furthermore, processing or disclosure or transfer to third parties will only take place if it is necessary for the fulfillment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interest.

6. Rights of the data subjects

a) Pursuant to Art. 15 of the GDPR, you have the right to request information as to whether data relating to you is being processed, information about this data and a copy of the data.

b) Pursuant to Art. 16 DSGVO, you also have the right to request that the data concerning you be completed or that incorrect data concerning you be corrected.

c) In accordance with Art. 17 of the GDPR, you also have the right to demand that your data be deleted immediately or, alternatively, that processing be restricted in accordance with Art. 18 of the GDPR.

d) Pursuant to Art. 20 of the GDPR, you may also request that data which you have provided to us be received in a structured, commonly used and machine-readable format, and you have the right to transfer this data to another controller without hindrance from us, provided that the processing is based on consent or on a contract and is carried out with the aid of automated processes.

In exercising the right to data portability, you may obtain that the personal data be transferred directly from us to another controller, where this is technically feasible. The exercise of the right to data portability does not affect the right to erasure ("right to be forgotten"). This right does not apply to processing which is necessary for the performance of a task assigned to us, which is in the public interest or which is carried out in the exercise of official authority.

e) You also have the right to lodge a complaint with the competent supervisory authority pursuant to Art. 77 DSGVO.

7. Right of withdrawal

You have the right to revoke given consents according to Art. 7 para. 3 DSGVO with effect for the future.

8. Right of objection

In accordance with Art. 21 DSGVO, you may object to the future processing of data relating to you at any time. This objection can be made in particular against the processing for purposes of direct marketing.

9. Data deletion

a) Unless expressly stated otherwise within the scope of this data protection declaration, data processed by us will be deleted or restricted in its processing in accordance with Art. 17 and 18 DSGVO as soon as the data is no longer required for its intended purpose and the deletion is not contradicted by any statutory retention obligations. Data restricted in processing will be blocked and not processed for other purposes. This concerns data that must be retained for tax or commercial law reasons.

b) In accordance with legal requirements, data is retained for 6 years pursuant to Section 257 (1) of the German Commercial Code (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for 10 years pursuant to Section 147 (1) of the German Fiscal Code (AO) (books, records, management reports, accounting vouchers, commercial and business letters, documents relevant for taxation, etc.).

10. Provision of contractual services

a) We process inventory data (e.g. names and addresses as well as contact data of visitors), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 para. 1 lit b. DSGVO. The entries marked as mandatory in online forms are required for the conclusion of the contract.

11. Contact

a) When contacting us (e.g. by email or contact form), the user's details will be processed for the purpose of handling the request pursuant to Art. 6 para. 1 lit. b) DSGVO.

b) The information provided may be stored in a customer relationship management system (CRM system) or comparable organizational tools.

c) We delete the requests when they are no longer necessary. We regularly review the necessity every two years. If customers have a customer account, we store the conversation permanently until the customer account is deleted. In the case of legal archiving obligations, for example when a contract is concluded in the course of the conversation, the deletion takes place after its expiry.

12. Collection of access data and log files

a) We collect on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f. DSGVO data about accesses to the server on which this website is located. The following data is stored: Name of the page accessed, file, date and time of access, amount of data transferred, notification of successful access, browser used and version, the user's operating system, if applicable the page that led to the visit, IP address and the provider to which the data was sent back.

b) Log file information is stored primarily for security reasons (e.g. for the clarification of abuse or fraud) for a maximum of seven days. Excluded from this is data whose further storage is necessary for evidentiary purposes.

c) Our Internet presence is hosted by the hosting service provider

Service provider: Mittwald CM Service GmbH & Co. KG
Privacy Policy: ,

which provides us with platform services, computing capacity, storage space and database services, security services and technical maintenance services. We have concluded an order processing agreement with this provider. For the proper presentation of our website, the user establishes connections to the provider's web servers, which also transmit your IP address. The data processing is carried out for the purpose of ensuring the operational readiness of our Internet presence, in which we have a legitimate interest pursuant to Art. 6 Para. 1 lit. f DSGVO.

13. Online presence in social media

a) We maintain online presences in social networks in order to communicate with the customers, interested parties and users active there and to inform them about our services. When calling up the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply.

b) Unless otherwise stated below, we only process the data of users when they communicate with us within the social networks and platforms, e.g. write posts on our online presences or send messages to us.

14. Integration of third-party services and content

a) Within our online offer, we use content or service offers of third party providers on the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO) to use content or services offered by third-party providers in order to offer their content and services, such as videos or fonts on our website (hereinafter uniformly referred to as "content"). This requires that the providers of this content become aware of the IP address of the user, as without the IP address they would not be able to send the content to their browser. This is necessary for the presentation of the content. We endeavor to use only such content whose respective provider uses the IP address only for the delivery of the content and does not store it for other purposes. Content from these providers may use so-called pixel tags (invisible graphics known as "web beacons") for statistical or marketing purposes. This allows information such as the volume of visitors to this website to be evaluated. This pseudonymous information may be stored in cookies on the user's device and may contain, among other things, technical information about the browser used, the user's operating system, referring websites, time of visit and other information about the use of our online offer. It is also possible for the provider to combine the data with information from other sources.

This privacy statement was created using the data protection generator of the Institute for Data Protection and Compliance (ifduc) at