Data Protection Policy

This data protection policy explains to you the nature, scope and purpose of the processing of personal data ("Data") within our website and the associated webpages, functions and content, along with our external online presence such as e.g. our social media profile (further together referred to as "Website"). In regard to the terms used such as "processing" or "controller" we refer to the definitions in Article 4 General Data Protection Regulation (GDPR).


Preh GmbH
Schweinfurter Str. 5-9
D-97616 Bad Neustadt a. d. Saale
Tel.: +49 (9771) 92-0
Fax: +49 (9771) 92-105

Types of Data processed:

- Inventory Data (e.g. names, addresses).
- Contact details (e.g. e-mails, telephone numbers).
- Content Data (e.g. text input, photographs, videos).
- Usage Data (e.g. webpages visited, interest in content, access times).
- Meta/communication Data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the Website (we further refer to data subjects together as "Users").

Purpose of the processing

- the provision of the Website, its functions and content.
- the answering of contact requests and for communication with Users.
- security precautions.
- audience measurement/marketing

Terms used

'Personal data' is any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Processing" means any operation or set of operations which is performed in connection with personal data, whether or not by automated means; the term is extensive and encompasses virtually any handling of Data.

'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal bases

Further to Article 13 GDPR we provide you with the legal basis for the processing. Where the legal basis is not specified in the Data Protection Policy, the following applies: the legal basis for the collection of consents is Article 6(1)(a) and Article 7 GDPR; the legal basis for processing in the performance of our services and in the implementation of steps under a contract along with the response to requests is Article 6(1)(b) GDPR; the legal basis of processing for compliance with our legal obligations is Article 6(1)(c), and the legal basis of processing for the protection of our legitimate interests is Article 6(1)(f) GDPR. Where processing is necessary in order to protect the vital interests of the data subject or of another natural person, Article 6(1)(d) GDPR serves as the legal basis.

Security precautions

In compliance with Article 32 GDPR, we take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures include in particular the safeguarding of confidentiality, integrity and availability of Data through the control of physical access to the Data as well as any sharing in relation to it, input, transfer, safeguarding of availability and its segregation. Furthermore, we have put procedures in place that ensure the rights of data subjects are observed, Data is erased and any threats to the Data are addressed. In addition, we factor in the protection of personal data in our development and/or selection of hardware, software and processes in line with the principle of data protection by design and by default (Article 25 GDPR).

Collaboration with processors and third parties

To the extent we disclose Data to other persons and organisations (processors or third parties) in the course of processing, transfer it to the latter or otherwise allow them access to the Data, this shall be done only on the basis of a legal authorisation (e.g. if a transfer of the Data is required to third parties, such as payment service providers, under Article 6(1)(b) GDPR for performance of a contract), you have given consent, a legal obligation envisages this or [this is done] on the basis of our legitimate interests (e.g. where subcontractors, web hosting providers etc. are used).

Where we engage third parties to process Data on the basis of a "processing contract", this occurs on the basis of Article 28 GDPR.

Transfers to third countries

To the extent we process Data in a third country (i.e. one outside the European Union (EU) and the European Economic Area (EEA)) or this is done within the framework of our use of third-party services or there is disclosure or transfer of Data to third parties, this occurs only in performance of our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process Data or have it processed in a third country only where the particular requirements of Articles 44 et seq. GDPR are in place. This means processing is done, for example, on the basis of special guarantees such as the officially recognised identification of a level of data protection matching that of the EU (e.g. for the USA, through the "privacy shield") or compliance with particular contractual obligations that have been officially recognised ("standard contractual clauses").

Rights of the data subjects

You have the right to obtain confirmation as to whether personal data concerning you is being processed, and information about such Data as well as further information and a copy of the Data under Article 15 GDPR.

Under Article 16 GDPR you have the right to have incomplete Data about you completed or inaccurate Data relating to you rectified.

Under Article 17 GDPR you have the right to request the erasure of personal data without undue delay or, alternatively, under Article 18 GDPR, to request a restriction of processing of the Data.

You have the right under Article 20 GDPR to receive the personal data concerning you, which you have provided to us, and have the right to request its transmission to another controller.

Furthermore, under Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority.

Right of revocation

Under Article 7(3) GDPR you have the right to withdraw consents given, with future effect.

Right to object

You may, under Article 21 GDPR, object at any time to the future processing of personal data concerning you. The objection may, in particular, be made against processing for direct marketing purposes.

Cookies and the right to object in the case of direct marketing

"Cookies" are small data files that are stored on Users' computers. A variety of information can be stored inside cookies. A cookie primarily serves to store information relating to a User (or to the device on which the cookie is stored) during or even following that User's visit to a website. Temporary, "session" or "transient" cookies are cookies that are erased once the user leaves the website and closes his or her browser. The content of a shopping basket in an online shop or a login status can, for example, be stored in these types of cookies. "Permanent" or "persistent" cookies are those which remain stored even after the browser has been closed. Hence, for example, the login status can be stored if Users look for this several days later. Similarly, the User's interests can be stored on a cookie of this type which are used to measure audience or for marketing purposes. "Third-party cookies" are cookies that are offered by providers other than the controller who operates the website (otherwise, where the cookies are only the latter's, we talk about "first-party cookies").

We are able to use temporary and permanent cookies and explain this within the framework of our data protection policy.

Where Users do not want cookies to be stored on their browsers they are asked to deactivate the relevant option in the system settings of their browser. Stored cookies can be erased in the browser's system settings. The exclusion of cookies may lead to reduced functionality for this Website.

It is possible to make a general objection to the use of cookies for online marketing purposes in the case of multiple services, primarily in the case of tracking, via the US American page or the EU page Furthermore, you can store cookies by turning them off in your browser settings. Please note that in some circumstances it will not be possible to use all of this Website's functions.

Erasure of Data

The Data processed by us is erased or restricted in terms of its processing under Articles 17 and 18 GDPR. Unless expressly indicated in this data protection policy, the Data stored with us will be erased as soon as it is no longer needed for its purpose and its erasure does not contravene any statutory retention obligations. Where Data is not erased because it is required for other, legally permitted purposes, its processing shall be restricted. This means the Data is made unavailable to users and not used for other purposes. That applies to Data that has to be retained on commercial or tax law grounds, for example.

Under legal regulations in Germany, records are retained specifically for ten years under Article 147(1) German Fiscal Code, Section 257(1) Nos. 1 and 4, and (4) German Commercial Code (books, records, management reports, vouchers, trading books, tax-relevant documentation, etc.) and six years under Section 257(1) Nos. 2 and 3, and (4) German Commercial Code (business letters).

Transaction-related processing

In addition, we process
- Contractual data (e.g. the subject matter of the contract, term, customer category).
- Payment details (e.g. bank details, payment history)
of our customers, potential buyers and business partners for the purpose of performing our contractual services, customer service and support, marketing, advertising and market research.

Administration, financial accounting, office administration, contact administration

We process Data as part of our administrative responsibilities and the organisation of our business, financial accounting and compliance with legal obligations such as archiving, for example. In so doing, we process the same Data as we process in the context of performing our contractual obligations. The processing bases are Article 6(1)(c) GDPR and Article 6(1)(f) GDPR. Customers, potential buyers, business partners and visitors to our webpage are affected by the processing. The purpose of and our interest in processing the Data lies in the administration, financial accounting, office administration and archiving of Data, i.e. tasks for the purpose of maintaining our business activities, fulfilling our responsibilities and performing our services. The erasure of Data in relation to contractual services and the contractual communications is in line with the information given in relation to this processing activity.

In this way, we publish or transfer Data to the financial management department, advisers such as tax advisers or auditors in addition to other charges offices and payment services providers.

Moreover, we store information based on our business interests relating to suppliers, operators and other business partners, for example, in order to contact them later. We generally store such - largely organisation-related - information long-term.

Data protection in application procedures

The applicant portal is used jointly by Preh GmbH and its subsidiaries, described here as the "Preh Group"
The following companies are included in the Preh Group:

  • Preh GmbH (operator of the applicant portal)
  • Preh Thüringen GmbH
  • Preh Romania S.R.L.
  • Preh Portugal, LDA
  • Preh Sweden AB
  • Preh, Inc
  • Preh de México S.A. DE C.V.
  • Ningbo Preh Joyson, Automotive Electronics Co., Ltd.

We process applicant data solely for the purpose and as part of the application process in compliance with the legal regulations. Applicant data is processed in performance of our (pre-)contractual obligations as part of the application process within the meaning of Article 6(1)(b) GDPR, Article 6(1)(f) GDPR where the data processing is necessary for us e.g. as part of the legal procedure (Section 26 Federal Data Protection Act also applies within Germany).

The application process requires applicants to share applicant data with us. The necessary applicant data is marked (where we provide an online form) and is otherwise made clear from the job descriptions, and essentially includes information about the person, his or her postal address and contact details and the documents relating to the application such as cover letter, CV and education certificates. Aside from this, applicants may share additional information with us voluntarily.

By sending us their applications, applicants declare their consent to the processing of their Data for the purposes of the application process in the manner and scope set out in this data protection policy.

Where particular categories of personal data under Article 9(1) GDPR are shared voluntarily as part of the application process, they are additionally processed in line with Article 9(2)(a) GDPR (e.g. health information such as a severe disability or ethnic background). Where particular categories of personal data under Article 9(1) GDPR are requested from applicants as part of the application process, they are additionally processed in line with Article 9(2)(b) GDPR (e.g. health information where this is required for the exercise of the profession).

Applicants are able to send us their applications using an online form on our webpage. The Data is sent to us using state-of-the-art encryption. In a further step the Data is stored by a service provider as part of the latter's contractual performance under Article 28 GDPR. Both the Preh Group and the processor shall take technical and organisational precautions to protect the Data collected against manipulation, loss, destruction or access by unauthorised persons.

In addition, applicants may send us their applications by e-mail. Here, we ask them to note that e-mails are not generally sent in encrypted form and the applicants must take care of encryption themselves. We are therefore unable to accept responsibility for the route via which the application is transferred from the sender and its receipt on our server and therefore sooner recommend the use of an online form or of sending the application by post. This is because, instead of applying via the online form or e-mail, applicants have the further option of sending us their application by post.

The Data provided by applicants may be further processed by us (in case of a successful application) for employment-related purposes. Otherwise, where the application for a position is not successful, the applicants' Data are erased. Applicants' Data are similarly erased if an application is withdrawn, which the applicants are entitled to do at any time.

Subject to a legitimate withdrawal by the applicant, the Data are erased once a period of six months has elapsed so that we are able to respond to any follow-up questions in relation to the application and are able to satisfy our evidential obligations under Germany's General Act on Equal Treatment. Invoices in relation to any reimbursement of travel costs are archived in line with tax law regulations.

Talent Pool

As part of the application process we offer applicants the option of being accepted into our "talent pool" for a period of two years on the basis of a consent under Article 6(1)(a) and Article 7 GDPR.

The application documents in the talent pool are processed solely in the context of future job advertisements and recruitment and are destroyed no later than at the end of the period. Applicants are notified that their consent to inclusion in the talent pool is voluntary, has no effect on the current application process and may be withdrawn at any time in the future or objected to under Article 21 GDPR.


Users may set up a user account. As part of the registration, the necessary mandatory information is notified to the Users and processed on the basis of Article 6(1)(b) GDPR for the purposes of the provision of a user account. The processed Data includes in particular login information (name, password and e-mail address). The data entered as part of the registration process is used in order to use the user account.

Users may be informed by e-mail about information that is relevant to their user account, such as technical alterations, for example. Where Users have given notice to terminate their user account, their Data in relation to the user account is erased, subject to any retention obligation. Where notice of termination has been given, it is a matter for the Users to protect their data before the contract ends. We are obliged to erase all Data of the User stored during the term of the contract such that the Data cannot be recovered.

In the context of the use of our registration and log-in functions and the use of the user account, we store the IP address and the time of the relevant user operation. The Data is stored on the basis of our legitimate interests and the Users' interests in being protected against misuse and other unauthorised use. In principle, no transfer of this Data to third parties is permitted unless it is required in pursuit of our rights or there is a legal obligation to do so under Article 6(1)(c) GDPR. IP addresses shall be rendered anonymous or erased after seven days.

Comments and contributions

Where Users leave comments or other contributions, their IP addresses may be stored for seven days based on our legitimate interests within the meaning of Article 6(1)(f) GDPR. This is done for our protection in case anyone leaves illegal content in comments and contributions (libellous comments, prohibited political propaganda etc.). In this case, we cannot be prosecuted for the comment or contribution ourselves and therefore have an interest in the author's identity.

Moreover, we reserve the right to process the User's information for the purpose of spam recognition based on our legitimate interests under Article 6(1)(f) GDPR.

The Data provided in the context of the comments and contributions, is stored by us long-term pending an objection by the User.

Comment subscriptions

Users can sign up to below-the-line comments by giving consent under Article 6(1)(a) GDPR. Users receive a confirmation e-mail to verify that they are the owners of the e-mail address provided. Users may unsubscribe from ongoing comment subscriptions at any time. The confirmation e-mail will contain advice about the cancellation options. For the purposes of providing evidence of the User's consent, we store the log-in time along with the User's IP address and erase this information when Users unsubscribe.

You may give notice to terminate receipt of our subscription at any time, meaning you withdraw your consents. We can store the signed-out e-mail addresses for up to three years on the basis of our legitimate interests before we erase them, in order to be able to provide evidence of any consent given previously. The processing of this data is limited to the purpose of defending against potential claims. An individual request for erasure is possible at any time provided the former existence of consent is confirmed at the same time.

Contacting us

When a User contacts us (e.g. via a contact form, e-mail, telephone or via social media) that person's information is processed for the purpose of dealing with the contact request and processing it under Article 6(1)(b) GDPR. User information can be stored in a Customer Relationship Management System ("CRM System") or equivalent system for organising requests.

We delete the requests as soon as they are no longer needed. We verify the need for them every two years; the statutory archiving obligations also apply.


The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage and database services, security services and technical maintenance services that we use in order to operate the Website.

In the course of the same, we process (or our hosting provider processes) inventory data, contact details, content data, contractual data, usage data, meta and communications data of customers, potential buyers and visitors to the website based on our legitimate interests in the efficient and secure provision of this Website under Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (entry into a processing contract).

Collection of access data and log files

We collect (or our hosting provider collects) data about every occasion when the server on which this service is located is accessed ("server logfiles") within the meaning of Article 6(1)(f) GDPR on the basis of our legitimate interests. Access data includes the name of the webpage accessed, the file, date and time of access, the amount of data transferred, confirmation of the successful retrieval of data, browser type and version, the User's operating system, the referrer URL (the page visited before), IP address and the requesting provider.

Logfile information is, on security grounds (e.g. to clarify instances of misuse or fraudulent operations), stored for a maximum of seven days and then erased. Data that is required to be retained for evidence purposes is exempt from being erased until final clarification of the relevant case.

Google Analytics

Based on our legitimate interests (meaning our interest in analysing, optimising and the commercial operation of our Website within the meaning of Article 6(1)(f) GDPR), we use Google Analytics, a web analysis service of Google LLC ("Google"). Google uses cookies. The information generated by the cookie on the use of the Website by the User is generally transferred to a Google server in the USA and stored there.

Google is certified under the Privacy Shield Framework and as a result offers a guarantee of compliance with European data protection law (

Google will use this information on our behalf to evaluate the use of our Website by the Users, to compile reports on activities within the Website and to perform other services for us associated with the use of the Website and internet. In so doing, Google may create pseudonymous user profiles from the data processed.

We use Google Analytics only with activated IP anonymisation. This means Users' IP addresses are abbreviated by Google within European Union member states or in another country that is a signatory to the European Economic Area Agreement. Only in exceptional cases is the full IP address transferred to a Google server in the USA and abbreviated there.

The IP address sent by the User's browser is not combined with other Google data. Users are able to prevent the storage of cookies by changing the settings in their browser software to that effect; in addition, Users are able to prevent the Data generated by the cookie on their use of the Website from being gathered, and the processing of such Data by Google, by downloading and installing the browser plugin available under the following link:

Further information on data use by Google, options for settings and for making an objection is available in Google's data protection policy ( and in the settings for pop-ups by Google (

After 14 months Users' personal data is either erased or rendered anonymous.

Google Universal Analytics

We use Google Analytics in its configuration as "Universal-Analytics". "Universal Analytics" describes a process of Google Analytics, in which user analysis is done on the basis of a pseudonymous user ID, and a pseudonymous profile of the user is created using information from the use of different devices ("Cross Device Tracking").

Online social media presence

We maintain an online presence on social networks and platforms in order to communicate with customers, potential buyers and users who are active on them and to be able to tell them about our services. When accessing the relevant networks and platforms, the relevant operator's commercial terms and data processing guidelines apply.

Unless otherwise indicated under our data protection policy, we process Users' data where they communicate with us on social networks and platforms, for example, by making contributions on our websites or sending us updates.

Incorporation of third-party services and content

Within our Website and based on our legitimate interests (meaning our interest in analysing, optimising and the commercial operation of our Website within the meaning of Article 6(1)(f) GDPR), we use content or service packages of third-party providers for the purpose of incorporating their content and services such as, for example, videos or fonts (together referred to as "Content").

This is always conditional upon the third-party providers of such content recognising the users' IP address, as without the IP address they would be unable to send the content to the Users' browser. Hence the IP address is required in order to show such content. We endeavour to use only content in respect of which the relevant providers use the IP address solely for the purpose of delivering the content. Third-party providers may furthermore use "pixel tags" (invisible graphics also referred to as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as user traffic on the pages of this Website. Pseudonymous information can further be stored in cookies on the User's device and may contain, among other things, technical information about the browser and operating system, linked webpages, length of the visit as well as other information on the use of our Website, and may also be linked to such information from other sources.

Google ReCaptcha

We incorporate the "ReCaptcha" bot-recognition function, in the case of information entered into online forms for example, of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection policy:, opt-out:

Google Maps

We incorporate the "Google Maps" map function of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed may in particular include Users' IP addresses and session data which cannot be collected without the Users' consent, however (usually through the settings on their mobile devices). The data may be processed in the USA. Data protection policy:, opt-out:

Use of Facebook Social Plugins

Based on our legitimate interests (meaning our interest in analysing, optimising and the commercial operation of our Website within the meaning of Article 6(1)(f) GDPR), we use social plugins ("Plugins") of the social network, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins may be interaction elements or content (e.g. videos, graphics or text contributions) and are recognisable from one of the Facebook logos (white "f" on a blue tile, the terms "like" or a "thumbs-up" sign) or marked with the phrase "Facebook Social Plugin". The list and the appearance of Facebook Social Plugins can be seen here:

Facebook is certified under the Privacy Shield Framework and as a result offers a guarantee of compliance with European data protection law (

If a user views a function of this Website containing such a plugin, his or her device builds a direct link to Facebook's servers. The content of the plugin is sent by Facebook direct to the User's device and incorporated by the latter into the Website. This allows the creation of User profiles from the data processed. We therefore have no influence on the scope of the data that Facebook collects with the help of this plugin and have therefore informed the User according to the extent of our knowledge.

By incorporating the plugin Facebook receives the information that a User has viewed the corresponding page of the Website. If the User is logged into Facebook, Facebook is able to attribute the visit to his or her Facebook account. If Users interact with plugins, by activating the "Like" button for example or leaving a comment, the corresponding information is sent direct from your device to Facebook and stored there. If a User is not a member of Facebook, the possibility still exists that Facebook will find out and store his or her IP address. According to Facebook, only an anonymised IP address is stored in Germany.

Facebook's data protection policy ( provides Users with more information on the purpose and scope of data collection and the further processing and use of Data by Facebook, along with the related rights and settings options for the protection of Users' privacy.

Where users are Facebook members and do not want Facebook to collect data about them from this Website or connect it to their membership data stored with Facebook, they need to log out of Facebook before using our Website and delete their cookies. Other settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: or via the US-American page or the EU page The settings do not depend on the platform i.e. they are applied to all devices, whether desktop computers or mobile devices.