The owner and operator of the Heckler & Koch Group website (the “Website”) is Heckler & Koch GmbH. Detailed information about the operator and its contact information can be found in the legal notice.

Hereinafter, the Heckler & Koch Group will be referred to as “we“ or “Heckler & Koch”. “You” or “your“ refers to the user of the Website.

In this data protection notice, we would like to inform you of the extent to which we, as the data controller, collect, process and save personal data, and advise you of your rights as data subject.


This data protection notice contains an explanation of what personal data are, what the reasons, purposes and types of personal data collection and processing are, how long we save them and which third parties we transfer them to. Furthermore, we will inform you the legal basis upon which we are allowed to do so and your resulting rights, as well as the point of contact for questions, concerns or notification of violations at our company. You can find information about the cookies used on this Website in a separate cookie guideline.


Data subject or subject Any identified or identifiable natural person whose personal data are processed by the data controller. A natural person is deemed to be identifiable if he or she can be identified (directly or indirectly), in particular by allocating an identifier such as a name to a code number, to location information, to online identification data or to one or more special features which express the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
Third party A natural person or legal entity, authority, insti-tution or other body, other than the data subject, the data controller, third-party processor and persons/entities who are explicitly authorised to process the personal data by the data controller or third-party processor in the scope of order processing.
Personal data All information relating to an identified or identi-fiable natural person. The below-mentioned personal data can enable conclusions to be drawn about the physical, physiological, genetic, mental, financial, cultural or social identity of the natural person.
Data controller or party responsible for the processing A natural person or legal entity, authority, insti-tution or other body which decides on the pur-poses and means of the processing of personal data, either on its own or in cooperation with others. If the purposes and means of processing are defined by Union law or the law of the member states, the data controller may define the specific criteria of its appointment under Union law or the law of the member states.
Processing Any procedure conducted with or without the help of automated methods or any such series of procedures in connection with personal data, such as the recording, collection, organisation, ordering, saving, adaptation, modification, read-ing out, disclosure, retrieval, transmission, dis-semination or provision, comparison, linking, restriction, deletion or destruction.
Provider Describes a provider of internet services, such as E-mail, web service or websites.
Recipient A natural person or legal entity, authority, insti-tution or other body to whom personal data is disclosed, regardless of whether or not it is a third party. However, authorities which may receive personal data in the scope of a particular investigation mandate pursuant to Union law or the law of the member states are not considered to be recipients.
Cookie A cookie is text information about a visited web-site (web server, server) which can be saved in the browser on the viewer’s computer. The cookie is either sent from the web server to the browser or generated by a script in the browser. The web server can read out this cookie information directly from the server upon subsequent repeat visits, or transfer the cookie information to the server via a script of the website.
IP address An IP address is an address in computer net-works which – like the internet – is based on the internet protocol (IP). It is assigned to devices which are connected to the network so that the devices can be addressed and are thus available.
Consent Consent is any declaration of intent which the data subject has voluntarily and unambiguously made in an informed manner for the specific case in the form of a statement or other clear confirmatory action with which the data subject makes it clear that he/she agrees to the pro-cessing of the personal data concerning him/her.



The types of personal data which we can collect from you when you visit and use our website include the following:

  • your name,
  • your E-mail address,
  • your (private and business) address,
  • your (private and business) telephone number and mobile phone number,
  • all other data which you enter on the contact or application forms which you are provided with on our website,
  • your IP address, your login information for our web shop, as well as technical data which provide us with information about your use of our website,
  • your location,
  • your function, job title or information about your employer,
  • the industry you work in,
  • other information transmitted during the application process, such as cover letter, CV, references from previous employers, etc. 



Whenever you visit our website, we process the data which your browser transmits to us during your visit so that we can display you the requested website. In order to ensure the stability and security of our website, we process your IP address, the date and time of your request, time zone difference to GMT, the page actually visited, the http status code, the date volume actually transferred, the referrer, the browser type, operating system and interface, monitor resolution as well as the language and version of your browser software and your language setting. “Cookies” are used for this processing in some cases [see point 4]. This way, we can also ensure the constant further development and improvement of the website. The legal basis for processing is provided by Art. 6(1)(b) and (f) GDPR.


Contact can be made via telephone, fax or E-mail address. If you decide to make contact, we will process your master data which you transmit to us when you contact us. Aside from your first and last name, these include such information as your private or business landline or mobile phone number, your E-mail address, address or fax number. 


Regardless of whether you send us your application by post, E-mail or using the application form on our website, we will in any case process the personal data given us here for the purposes of carrying out the application process. The data processed here not only includes the personal data which you enter in the application form or obviously transfer to us by E-mail or post, but also the documents you provide, such as cover letter, CV, references from previous employers, certificates on apprenticeships/advanced training courses/qualifications and the data they contain.

The personal data from the application process will be saved for 6 months after the process is completed and subsequently deleted. If you want the data to be stored longer (e.g. to be taken into consideration for other positions at a later time), then you must let us know this on your own, otherwise the data will be deleted.


Your personal data will be processed by the data controller during ordinary business cooperation or at the time of contract initiation as well as subsequent performance. This includes the communication with you, handling of company transactions, recordkeeping for internal reporting as well as the processing of technical content transferred to us if based on an already concluded contract or the initiation of a contractual relationship. 

In any case, the data controllers are responsible for the data processed in the scope of the contract initiation and/or performance.

In order to use the website, the data subject has the opportunity to register on our website by entering personal data. Which personal data will be transmitted depends on the entry mask which is used for the registration. The personal data which the data subject enters are collected and saved exclusively for internal use and internal purposes with the data controller. The data controller can initiate transfer to one or more third-party processor, such as a package service provider, who will also use the personal data exclusively for internal purposes, for which the data controller is also responsible.

Furthermore, upon registration to the website, the IP address allocated to the data subject by the internet service provider (ISP) as well as the date and time of registration will be saved. The reason for saving these data is that it is the only way to prevent our services from being misused, and these data may aid in investigating any potential violations of the law, if necessary. As such, these data need to be saved as a safeguard for the data controller. As a rule, these data will not be transferred to third parties unless there is a legal obligation to do so, or the transfer is necessary for the purpose of criminal prosecution.

The registration of the data subject with voluntary entry of personal data enables the data controller to provide the data subject with content or services which, due to the nature of the matter in question, can only be offered to registered users. Registered persons have the option of changing the personal data entered upon registration at any time or of having it completely deleted from the data controller’s database.


Should you decide to apply for our HK Academy or attend an event, we will process your first and last name, private or business address, private or business telephone or mobile phone number, E-mail address, information obtained from your hunting licence or firearm permit, as well as information on your preferred shooting hand (right or left-handed shooter). 


If you use the website, we will process the personal data collected using cookies. For detailed information, please see our cookie guideline.


We will transfer your personal data in the scope of using the website if doing so is necessary for the use of the website and to enable the use of the website (Art. 6 (1) (b) and (f) GDPR). Furthermore, we will transfer your personal data to the following third parties if it is required or we are obligated to do so:

  • accountants and external auditors, lawyers and similar advisors, if commissioned by us to provide specialist counselling, and/or
  • if we are obliged ex officio to disclose or transfer your personal data, and/or
  • if we are required to do so at the order of a court, tribunal, supervisory or other authority, on the basis of a search warrant or court ruling, or in the scope of state information security pursuant to the Security Clearance Check Act (SÜG).

If a transmission to third parties outside of the EU is required, we will make sure that the transmission is only made if the recipient demonstrates an adequate level of protection, suitable guarantees are made, you have explicitly granted your consent to do so, or the transmission is allowed for other (in particular, legal) reasons.



We use Google Analytics to operate our website. Google Analytics is a web analysis service from Google Inc. () (1600 Amphitheatre Parkway, Mountain View, CA 94043 USA; hereinafter “Google”). Google uses cookies to save information on your use of the website. Examples of this include the browser type/version, the operating system used, the IP address or the time of server access. The information transferred will be transmitted to a Google server in the USA and stored there. Anonymization is conducted within the EU/European Economic Area and is thus activated automatically.

Google is certified under the EU-US Privacy Shield Agreement, among others, and thus pro-vides certainty that European data protection standards will be upheld. 

The IP address transferred by your browser in the scope of Google Analytics will not be collated with other data from Google. 

If you do not consent to your personal data being saved by Google Analytics cookies, you can make the necessary setting in your browser software. However, if the settings are changed, it is possible that you will no longer be able to access parts of the website. 

In addition, you can prevent Google from recording your personal data by downloading and installing the browser plug-in available here:

Further information about Google’s data protection can be found under  

The legal basis for the use of Google Analytics is Art. 6 (1) (a) GDPR.


We also use Google’s proprietary tag management system on our website. Google Tag Man-ager is a solution from Google Inc. with which companies can manage website tags via an in-terface and control which tags (scripts) we wish to run on our website and at which time. The tag management system encodes the tags for our website. It manages the tags and handles the integration and activation of JavaScript code on our website. Google Tag Manager is a cookie-free domain which does not record any personal data. Google Tag Manager eliminates other tags which may record data on their own. Google Tag Manager does not access these data.

 The most common applications of Google Tag Manager include:

  • Tracking page views on the website,
  • Tracking button clicks,
  • Tracking external links/outgoing clicks,
  • Tracking conversions, e.g. in Google Ads,
  • Tracking user behaviour and “scrolling behaviour” analysis,
  • Recording user data such as geolocalisation, device type and screen width, etc.

Furthermore, we can use the tag management system to configure and update Google Analytics tracking codes. This enables us to determine what kinds of analysis data are to be recorded by the use of Google Analytics. Our goal is not to investigate the behaviour of individual users. Instead, we undertake to continuously improve our website by analysing user behaviour as a whole.


Google reCaptcha enables us to prevent program-controlled and/or undesired access to our website. Google assumes sole responsibility under data protection law for the processing of your personal data in connection with the use of Google reCaptcha. Google’s data protection statement can be found under the following link: We process these data in order to ensure trouble-free operation of our website.


We also advertise presences on social networks on our website (see below). The social networks are exclusively integrated on our website as graphic linking or in the form of a text link. As soon as you select the relevant link, you will be forwarded to the site of the provider in question. Once forwarded, your data will be processed by the social network in question. Please note that the data collected may also be processed by the network operator in the USA.

In particular, data such as IP address, date, time and sites visited, are recorded and processed. If you are logged into your user account of the network in question, the network operator may be able to allocate the information collected on the specific visit to the personal account. If you would like to prevent this, you will have to log out before clicking on the graphic or text link. You can configure further settings in your user account of the network in question.

Please check the relevant data protection conditions of the providers you use to find out the extent to which the websites in question handle your personal data. In the process, we receive information from these networks about your social login and likes for our pages on these social networks. 

Information on the social networks we use: 

1. Facebook
You can find further information on interest-based advertising on Facebook as well as on Facebook’s data protection here: and and

In addition to the aforementioned options, you can also deactivate the interest-based advertising on Facebook under the following link:

2. Instagram
Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland (hereinafter “Facebook”).

You can find further information on interest-based advertising on Instagram as well as on data protection here:[0]=Instagram-Hilfebe-reich&bc[1]=Instagram%20f%C3%BCr%20Unternehmen und

In addition to the options to deactivate interest-based advertising on Instagram already described under Point 3.2.3, you can manage your data protection settings for advertising on Instagram (if you have linked your Instagram account to your Facebook account) here:

3. Youtube
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”).

You can find further information on interest-based advertising on YouTube as well as on data protection here: and

In addition to the options to deactivate interest-based advertising on YouTube already described, you can manage your data protection settings for advertising on YouTube here:

4. Twitter
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (hereinafter “Twitter”).

You can find further information on interest-based advertising as well as on data protection at Twitter here: and

Further information on the deactivation of interest based advertising on Twitter, in addition to the options already described under Point 3.2.3, can be found under the following link:


As a general rule, your personal data will only be saved as long as is necessary for the specific purpose of use. Should any circumstances emerge which require a longer storage period, such as any potential legal disputes, observance of limitation periods according to applicable law or other legal obligations, we will meet the need for longer storage. 

Furthermore, we will only save your personal data in accordance with the statutory retention periods and delete them once they are no longer needed.

If you have any more detailed questions as to how long we save your personal data, you can contact the company’s data protection officers at any time.


Since the Heckler & Koch Group has locations outside of the EU/European Economic Area, it is generally possible that your personal data will be transmitted to places which do not provided the same protection level as that at the place where you initially made your personal data available. 

However, your data will only be transmitted to such places if the European Commission believes that they provide an adequate level of protection for your personal data or if we have taken the necessary precautionary measures to protect your data ourselves. 

You can find out about our other locations in greater detail on our internet site. 


Art. 6 (1) (a) GDPR serves our company as a legal basis for processing procedures in which we obtain consent for a particular purpose for processing. If the processing of personal data is necessary to fulfil an agreement to which the data subject is party, as is the case with processing procedures which are necessary to delivery goods or provide other services or services in return, then the processing is based on Art. 6 (1) (b) GDPR. The same applies to processing procedures which are necessary for conducting pre-contractual measures, such as in cases of enquiries about our products or services.

If our company is subject to a legal obligation which requires it to process personal data, such as for the fulfilment of fiscal obligations, then the processing is based on Art. 6 (1) (c) GDPR. In rare cases, it may be necessary to process personal data to protect vital interests of the data subject or other natural person. For instance, this would be the case if a visitor were to be injured on our company premises and his/her name, age, health insurance data or other vital information would have to be sent to a physician, hospital or other third party. In such case, the processing would be based on Art. 6 (1) (d) GDPR.

Finally, the processing procedures could be based on Art. 6 (1) (f) GDPR. Processing proce-dures which are not covered by any of the previous legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, as long as the interests do not outweigh the basic rights and basic freedoms of the data subject. We are allowed to conduct such processing procedures in particular because they were specifically mentioned by the EU legislative authorities. These authorities are of the view that a legitimate interest could be assumed if the data subject is a customer of the data controller (Recital 47 Sentence 2 GDPR). 

Beyond the actual fulfilment of the purpose, we also process your data to protect legitimate interests of us and third parties (Art. 6 (1) (f) GDPR). Examples of this include:

  • Assertion of legal claims and defence in case of legal claims,
  • Prevention and investigation of criminal acts,
  • Video surveillance to protect property security, collect evidence in the event of robberies and fraud,
  • Measures for building and facility security (such as access controls), measures to ensure property security,  
  • Measures for business management and further development of services and products,
  • Measures for advising and assisting customers,
  • Testing and optimisation of procedures for analysing the need for direct customer contact.

If you have granted us your consent to the processing of personal data for certain purposes, then the processing is lawful on the basis of your consent. Consent can be revoked entirely or in part at any time. This holds particularly true for consent which had already been granted to us before the EU-GDPR entered into effect (on 25 May 2018). The revocation does not affect the data processed prior to the time of revocation. The processing of personal data remains lawful if it is permitted on the basis of statutory regulations (Art. 6 (1) (c) GDPR) or is in the public interest (Art. 6 (1) (e) GDPR).


We protect your personal data from unauthorised access, unlawful processing or transfer, as well as from loss, corruption or destruction. Because of this, we at the company have implemented technical and organisational measures to fulfil our duties – the protection of your data. Our IT infrastructure as well as our website is hosted on servers in the European Economic Area (EEA). Our website provider has established an ISMS (Information Security Management System) and secures its infrastructure accordingly. The provider demonstrates this with a valid ISO 27001 certificate. The certificate demonstrates adequate security management, data security, confidentiality of information and availability of the IT systems. It furthermore confirms that the security standards are continuously improved and sustainably verified.


Personal data are subject to data confidentiality. We are conscious of the confidentiality of the personal data you provide and are glad to assure you that we will not sell, lease, distribute or otherwise make commercial use of your data. The purposes specified in this data protection notice which justify transfer to third parties or service providers are exempt for this. 

We also ensure that our employees are prohibited from collecting, processing our using your data without authorisation. We consider authorised collection, processing or use of your data to mean collection, processing or use carried out by employees in the fulfilment of their tasks. 


As the data subject, you naturally have rights which you can assert at any time. We would like to inform you of your rights in detail:

  1. You have the right to be informed
    As a user of our website, we endeavour to inform you of how we handle your personal data in a transparent and comprehensible manner. The data protection notice should be useful for this purpose.
  2. You have a right to disclosure
    You may request at any time disclosure as to which personal data, or which origin and in particular for which purpose we process and save your data. You may request a duplicate of your personal data at any time.
    Furthermore, you as data subject have the right to receive disclosure as to whether your personal data are transferred to a non-member state or to an international organisation.
    Art. 15 GDPR, Section 34 Federal Data Protection Act (BDSG)
  3. You have the right to correction
    Should your personal data prove to be inaccurate or incomplete, you, as the data subject, may request us to correct or complete your data. Art. 16 GDPR
  4. You have the right to deletion
    Furthermore, you, as data subject, may demand your personal data to be deleted if there is no (or is no longer any) legal basis for processing. This also applies to cases in which the purpose of the data processing has ceased to exist over the course of time or for other reasons. However, please note that way may not be able to fulfil your deletion request in certain situations, for instance if we need to defend ourselves legally or if there is another urgent reason to process your personal data. Art. 17 GDPR, Section 35 BDSG
  5. You have the right to restrict processing
    Should one of the above-mentioned exceptions be at hand and we are unable to fulfil your deletion request, you will be entitled to restrict the processing of your personal data. This way, you prevent us from using your data further or even from being able to access them. They will remain saved, but anything beyond that will be prohibited. Art. 18 GDPR, Section 35 BDSG
  6. You have the right to data portability
    If you would like to assert your right to data portability, we will be glad to provide you with your personal data in a structured and machine-readable format. You also have the right to request us to effect that the personal data are transferred directly from us to another data controller, as long as doing so is technically feasible and as long as the rights and freedoms of other persons are not jeopardised, impaired or infringed upon by doing so. Art. 20 GDPR
  7. You have the right of objection
    As data subject, you also have the right at any time to raise an objection to the processing of your personal data which takes place on the basis of Art. 6 (1) (e) or (f) GDPR for reasons resulting from your particular situation. In the event of an objection, we will no longer process your personal data as long as it can be demonstrated that there are no compelling legitimate grounds for doing so that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. Art. 21 GDPR, Section 36 BDSG


You can reach the data controller’s data protection officer as follows:

Florian Dörfler
c/o Hopp + Flaig PartG mbB
Beratende Ingenieure
Neue Weinsteige 69/71
70180 Stuttgart
Telefon  0711 320 657 – 0

Contact | Informations

Your questions and concerns about privacy are welcome and very important to us. Please address them to: 

Florian Dörfler
c/o Hopp + Flaig PartG mbB
Beratende Ingenieure
Neue Weinsteige 69/71 
70180 Stuttgart
Telefon  0711 320 657 – 0

This website uses cookies more info