Privacy policy

We, HERMES Einrichtungs Service GmbH & Co. KG (“Hermes”), take the protection of your privacy and personal data very seriously. We therefore attach great importance to ensuring that your data is secure and that data processing complies with the applicable data protection regulations, in particular the EU General Data Protection Regulation (GDPR). Furthermore, we use technical and organizational measures to ensure that your data is optimally protected against unauthorized access by third parties.

1 Personal data

Personal data – the law also speaks of personal data – is personal information that allows conclusions to be drawn about your identity as a natural person. This includes, for example, information such as name, address, telephone number or e-mail address, but also information about surfing behaviour, provided that this information can be directly or indirectly assigned to you. Data relating to legal entities is not personal data and does not fall within the scope of this Privacy Notice.

When you access the Hermes website, certain data is automatically collected and temporarily stored. This is mainly technical data (e.g. internet browser, operating system or time of page access). (For details, see section 2)

In principle, you can use the Hermes website without disclosing your personal data. However, if you log in with your Hermes user account, we can identify you based on the data provided there. If you also contact us via the Hermes website, we will collect and process your personal data for the purpose of contacting you.

2 Collection of log data

2.1 Type of data and purposes of processing

Each time the Hermes website is accessed, certain data from the accessing device is automatically recorded and temporarily stored by our web servers. The following data is collected:

  • IP address of the accessing device
  • Browser and operating system type
  • Endpoint Type
  • Date and time of visit (timestamp)
  • User’s Internet Service Provider
  • Technical Request
  • Session-ID
  • The subpages of our website accessed by the user
  • The website from which the respective user visits us (referrer URL)
  • Web pages accessed by the user’s system through our website

This data is collected to ensure the functionality of the website. Furthermore, the data is used to ensure the security of our information technology systems. In this context, the data is not evaluated for marketing purposes or profiling.

2.2 Legal basis

The legal basis for the collection and temporary storage of the data is Art. 6 (1) (f) GDPR. Our legitimate interest in data processing lies in ensuring the functionality of the website and the security of the information technology systems. 

2.3 Duration of storage

The data will be anonymised as soon as they are no longer necessary to achieve the purpose for which they were collected.

3 Use of cookies and other technologies

3.1 Cookies

Our website uses cookies. Cookies are small text files that can be stored in the Internet browser or by the Internet browser on the user’s end device. Cookies usually contain a characteristic string of characters that allows the browser or terminal device to be uniquely identified when the website is called up again. Cookies do not cause any damage to your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure.

Cookies that are necessary to carry out the electronic communication process or to provide certain functions desired by you (e.g. shopping cart function) are stored on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in storing cookies for the technically error-free and optimized provision of its services.

Different types of cookies are used on this website. A distinction must be made between:

  • Temporary session cookies, which are periodically deleted after closing your internet browser
  • Functional cookies, which are stored on your device by the Hermes website

The functional cookies used by this Hermes website (first-party cookies) include temporary session cookies and persistent cookies. In the persistent cookies, the website stores information in order to store your personal user preferences and to improve your user experience on your next visit (e.g. the language settings you have selected). In the temporary session cookies, the website stores technical information that is necessary for the website to function. The storage period of these cookies depends on the periods specified in this section.

In general, you can use the cookie banner as well as your web browser to make settings that prevent the storage of cookies or the execution of analysis technologies. In addition, all cookies can be manually deleted at any time. You can also use the cookie icon or the button below to access the settings menu at a later date and change your settings.


3.2 User-friendliness of the website

We use cookies to make the Hermes website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change. The cookies can be used to store settings related to the account.

The legal basis for data collection and processing is Art. 6 (1) (a) GDPR, provided that you have consented to the use of cookies on the Hermes website.

The collection and processing of data for the purposes specified in this section is absolutely necessary for the operation of the Hermes website. Consequently, there is no possibility of objection on your part. 

3.3 Statistics Cookies and Google Analytics

Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.

Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; “Google”). The usage includes the “Universal Analytics” operating mode. This makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyze a user’s activities across devices. Google Analytics uses so-called “cookies”, which are text files that are stored on your computer and enable an analysis of your use of the website.

The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, if IP anonymization is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data held by Google. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide the website operator with other services related to website activity and internet usage.

Sessions and campaigns end after a certain amount of time has elapsed. By default, sessions end after 30 minutes of inactivity, and campaigns end after six months. The time limit for campaigns can be a maximum of two years.

The legal basis for the use of Google Analytics is your consent (Article 6 (1) sentence 1 (a) GDPR). This means that you can voluntarily decide for yourself whether you want to allow this cookie or not. You can also prevent the data generated by the cookie and related to your use of the website (including your IP address) from being collected by Google, as well as the processing of this data by Google, by downloading and installing the browser add-on. Opt-out cookies prevent the future collection of your data when you visit this website. To prevent Universal Analytics from collecting data across devices, you must opt out on all systems you use.

For more information on terms of use and data protection, please see and

3.4 SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

We would like to point out that data transmission on the Internet (e.g. when communicating by e-mail) may have security gaps. It is not possible to completely protect the data from access by third parties.

On the basis of our legitimate interests (interests in the optimisation, analysis and economic operation of our online offering within the meaning of Art. 6 (1) (f) GDPR), we use content and services from third-party providers within our online offering in order to integrate their content and services. These are, for example, videos or fonts.

4 Integration of third-party services for credit checking purposes

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), we use content or services offered by third-party providers within our online offering in order to integrate their content and services, such as videos or fonts (hereinafter referred to as “content”).

The following content will be integrated:

The provider’s video platform: Vimeo Inc.,
Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA
Privacy Policy:

The provider’s video platform: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Privacy Policy:

Maps are integrated into the “OpenStreetMap” service, which are offered by the OpenStreetMap Foundation (OSMF) on the basis of the Open Data Commons Open Database License (ODbL).
Privacy Policy: 

Social network of the provider XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany.
Privacy Policy: 

Social network of the provider Ireland Unlimited Company Wilton Place, Dublin 2, Ireland
Privacy Policy:

Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
Privacy Policy:

5 Comparison with sanctions lists

Furthermore, we are obliged to compare your data with person-related sanctions lists / embargoes (esp. financial sanctions against listed persons) in order to ensure that no economic resources or financial means are provided to listed persons and to ensure compliance with foreign trade law (Article 6 (1) (c) GDPR).

6 Your rights

With regard to your personal data, you have the following rights vis-à-vis Hermes:

Right of access (according to Article 15 GDPR)

You have the right to request information as to whether or not we are processing personal data about you. When we process your personal data, you have the right to know:

  • why we process your data
  • what types of data we process about you
  • what kind of recipients receive or are expected to receive data from you
  • how long we will keep your data; if it is not possible to specify the storage period, we must inform you how the storage period is determined (e.g. after expiry of statutory retention periods)
  • that you have the right to rectification and deletion of data concerning you, including the right to restriction of processing and/or the right to object
  • that you have the right to lodge a complaint with a supervisory authority
  • where your data comes from, if we have not collected it directly from you
  • whether your data will be used for an automated decision and, if so, to know the logic behind the decision and the impact and scope of the automated decision for you
  • that if data about you is transferred to a country outside the European Union, you have the right to know whether and, if so, on the basis of which safeguards an adequate level of protection is ensured for the data recipient
  • that you have the right to request a copy of your personal data. Copies of data are generally provided in electronic form. The first copy is free of charge, but a reasonable fee may be charged for further copies. A copy can only be provided if it does not affect the rights of other persons.

Right to rectification or erasure (pursuant to Articles 16 and 17 GDPR)

You have the right to ask us to correct your data if it is inaccurate and/or incomplete. This right also includes the right to have your data completed by means of supplementary declarations or communications. A correction and/or addition must be made without undue delay.

You also have the right to ask us to erase your personal data if:

  • the personal data are no longer necessary for the purposes for which they were collected and processed
  • the data processing is carried out on the basis of your consent and you have withdrawn your consent.
    (However, this does not apply if:
    • there is another legal permission for data processing
    • you have objected to data processing whose legal permission is based on the so-called “legitimate interest” (referred to in Article 6(1)(e) or (f))
    • There are overriding, legitimate grounds for further processing.)
  • you have objected to data processing for the purpose of direct marketing
  • your personal data has been unlawfully processed
  • it is data of a child that has been collected for information society services (= electronic service) on the basis of consent (pursuant to Art. 8 para. 1 GDPR).

There is no right to erasure of personal data if:

  • the right to freedom of expression and information precludes the request for erasure
  • the processing of personal data is necessary for compliance with a legal obligation (e.g. statutory retention obligations), for the performance of public tasks and interests under applicable law (including “public health”) or for archiving and/or research purposes
  • the personal data is necessary for the establishment, exercise or defence of legal

The deletion must take place immediately (without undue delay). If personal data has been made public by us (e.g. on the Internet), we must ensure, within the scope of what is technically possible and reasonable, that other data processors are also informed about the deletion request, including the deletion of links, copies and/or replications.

Right to restriction of processing (pursuant to Article 18 GDPR)

You have the right to have the processing of your personal data restricted in the following cases:

  • If you have disputed the accuracy of your personal data, you can ask us not to use your data for any other purpose for the duration of the verification of accuracy and thus to restrict its processing.
  • In the event of unlawful data processing, you can request the restriction of data use instead of data deletion.

If you need your personal data to assert, exercise or defend legal claims, but we no longer need your personal data, you can request that we restrict the processing to the purposes of legal prosecution.

If you have objected to data processing (Art. 21 para. 1 GDPR) and it is not yet clear whether our interests in processing outweigh your interests, you can request that your data not be used for other purposes for the duration of the review and thus that their processing be restricted.

Personal data, the processing of which has been restricted at your request, may, apart from being stored, only be processed:

  • with your consent,
  • to assert, exercise or defend legal claims,
  • to protect the rights of another person or entity, or
  • for reasons of important public interest.

If a processing restriction is lifted, you will be informed in advance.

Right to data portability (according to Art. 20 GDPR)

You have the right to request from us the data you have provided to us in a commonly used electronic format (e.g. as a PDF or Excel document). You can also ask us to transmit this data directly to another company (designated by you), if this is technically possible for us. The prerequisite for you to have this right is that the processing is carried out on the basis of consent or for the performance of a contract and is carried out with the help of automated processes. Exercising the right to data portability must not adversely affect the rights and freedoms of other persons. If you exercise the right to data portability, you still have the right to data deletion in accordance with Article 17 GDPR.

Right to object to certain data processing operations (pursuant to Art. 21 GDPR)

If your data is processed for the performance of tasks carried out in the public interest or for the pursuit of legitimate interests, you may object to such processing. To do this, you must explain to us the reasons for your objection that arise from your particular situation. These can be, for example, special family circumstances or confidentiality interests worthy of protection.

In the event of an objection, we must refrain from any further processing of your data for the aforementioned purposes, unless

  • there are compelling legitimate grounds for processing which outweigh your interests, rights and freedoms, or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

You can object to the use of your data for the purpose of direct marketing at any time; this also applies to profiling insofar as it is related to direct marketing. In the event of an objection, we may no longer use your data for direct marketing purposes.

Prohibition of automated decision-making/profiling (Art. 22 GDPR)

Decisions by us that have a legal effect on you or significantly affect you may not be based solely on automated processing of personal data. This also includes profiling.

This prohibition does not apply to the extent that the automated decision-making

  • is necessary for the conclusion or performance of a contract with you,
  • is permitted by law where that legislation contains appropriate measures to protect your rights and freedoms and legitimate interests, or
  • takes place with your explicit consent.

Decisions based solely on automated processing of special categories of personal data (= sensitive data) are only permissible if they are made on the basis of your explicit consent or if there is a significant public interest in the processing and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests.

6.1 Exercising the rights of data subjects

To exercise your rights as a data subject, please contact the authorities listed under 6.2. Requests submitted electronically are usually answered electronically. The information, communications and measures to be made available under the GDPR, including “the exercise of the rights of data subjects”, are generally provided free of charge. Only in the case of manifestly unfounded or excessive requests are we entitled to charge an appropriate fee for the processing or to refrain from taking action (Art. 12 (5) GDPR).

If there are reasonable doubts about your identity, we may request additional information from you for the purpose of identification. If we are unable to identify you, we are entitled to refuse to process your request. We will notify you separately if there is no possibility of identification (see Art. 12 para. 6 and Art. 11 GDPR).

Requests for information are usually processed immediately (within one month of receipt of the request). The deadline may be extended by a further two months if necessary, taking into account the complexity and/or number of requests; in the event of an extension of the deadline, we will inform you of the reasons for the delay within one month of receipt of your request. If we fail to act on a request, we will inform you of the reasons for this without undue delay within one month of receipt of the request and inform you of the possibility of lodging a complaint with a supervisory authority or seeking judicial remedy (Art. 12 para. 3; 4 GDPR).

Please note that you can only exercise your rights as a data subject within the limits and limitations provided for by the Union or the Member States. (Art. 23 GDPR)

6.2 Contact

If you have any questions regarding the collection, processing or use of your personal data, or if you would like to request information, correction, deletion, restriction of processing, objection or the transfer of your data, please contact:

HERMES Einrichtungs Service GmbH & Co. KG
Data Protection Coordination
Albert-Schweitzer-Straße 33
D-32584 Löhne

When making your request, please make sure to provide us with your full contact details (first name, surname and address); this is the only way we can clearly identify you and respond to your request quickly.

The data protection officer of our company is Mr. Georg Möller. The Data Protection Officer can be contacted as follows:

SK-Consulting Group GmbH
Osterweg 2; 32549 Bad Oeynhausen

6.3 Right to lodge a complaint

You have the right to complain to a data protection supervisory authority about the processing of your personal data by Hermes.

A list of supervisory authorities and their contact details can be found at the following link:

In case of complaints, you can contact the competent supervisory authority at any time. You have the right to an effective judicial remedy against a supervisory authority (Art. 78 GDPR), as well as against our company (Art. 79 GDPR).

7 Responsible body

According to Art. 4 para. 7 GDPR, the following is responsible:

HERMES Einrichtungs Service GmbH & Co. KG
Albert-Schweitzer-Straße 33
32584 Löhne

Headquarters: Löhne
Registry court: Amtsgericht Bad Oeynhausen
Registration number: HRA 10039

Managing Director: Carsten Meinders, Michael Dildey, Viviane Reichert-Brown
VAT identification number according to § 27a UStG: DE 813 973 991
Personally liable: Verwaltungsgesellschaft HERMES Einrichtungs Service mbH, AG Hamburg HRB 79507

Contact details:
HERMES Einrichtungs Service GmbH & Co. KG

Albert-Schweitzer-Straße 33
D-32584 Löhne

Phone +49 (0)5732 103-0 (no shipment information possible)
E-mail (no shipment information possible)
