Privacy Statement

Data protection statement of the Heckler & Koch Group

As at: December 1th, 2023

We are glad you’ve visited our online presences! In the following, we would like to in-form you about the processing of your personal data that we collect on the Heckler & Koch website, in the HKWebshop, on our social media channels or through other ser-vices and refer to this data protection statement. 

I. Data controller and data protection officer

The owner and operator of the website at (the "Website") for the Heckler & Koch Group is Heckler & Koch GmbH.

The data controller as defined by the General Data Protection Regulation (GDPR) is Heckler & Koch GmbH, Heckler & Koch-Straße 1, 78727 Oberndorf, Tel: +49 (0)7423 79-0, Fax: +49 (0)7423 79-2350,,

Hereinafter, the Heckler & Koch Group will be referred to as "we", "us" or "Heckler & Koch". "You" or "your" refer to the person who is the subject of the data processing.

If necessary, our officially appointed data protection officer can be reached under the following contact information:

Marc Stolz, Hopp + Flaig PartG mbB, Beratende Ingenieure, Neue Weinsteige 69/71, 70180 Stuttgart, e-Mail:, Tel.: +49 (0)711 320 657-0

II. Purpose and types of personal data processing

The protection of your personal data is a matter of great importance to us. For that reason, we exclusively process your personal data for clearly defined purposes to prevent any needless processing of your personal data. We may process your personal data for the following purposes:

1. Benutzung der Website

Whenever you visit our website, we process the data which your browser transmits to us during your visit so that we can display you the requested website. In order to en-sure the stability and security of our website, we process your IP address, the date and time of your request, time zone difference to GMT, the page actually visited, the http status code, the date volume actually transferred, the referrer, the browser type, operating system and interface, monitor resolution as well as the language and version of your browser software and your language setting (hereinafter referred to as "server log files"). The server log files are saved for seven (7) days after collection when the website is used and for fourteen (14) days when the webshop is used. After that, the data will be deleted; see also information on storage period. In some cases, technically necessary Cookies are used for this processing. The processing of these data also serves to prevent fraud.

2. Contact

You can contact us by telephone, post, fax or E-mail. If you decide to contact us, we will process your master data which you transmit to us when you contact us so that we can contact you and process your request. Aside from your first and last name, these master data include such information as your private or business landline or mobile phone number, your E-mail address, fax number, address and/or date of birth.

3. HKWebshop

You can purchase merchandise from Heckler & Koch through the HKWebshop. You can order the selected items using a "guest account" or you can create a customer account in order to access the HKWebshop again at any time and view the status of your orders. If you order as a "guest" in the HKWebshop, your first and last name, address and contact details such as E-mail and/or telephone number will be collected in order to process the order.

If you create a customer account, we also require your first and last name, address and contact details, such as E-mail address and/or telephone number, which you can provide voluntarily. This data is required to process the order placed.

4. Applications/Application form

You can send us your application by post, E-mail or using the application form on our website, we will in any case process the personal data given us here for the purposes of carrying out the application process. The data processed here not only includes the personal data that you enter in the application form or obviously transfer to us by E-mail or post, but also the documents you provide, such as cover letter, CV, references from previous employers, certificates on apprenticeships/advanced training courses/qualifications and the data they contain. 
We use the analysis tool BITE-Recruiting to evaluate and process your application. BITE-Recruiting provides us with an online tool you can use to provide us with your application data and CV. This data is stored at BITE-Recruiting first. This includes ap-plication data, contact information, your CV and the access information you enter (first name, last name, E-mail address, mobile phone number [if applicable]). We have entered into an order processing agreement with BITE-Recruiting to ensure that your personal data in a secure manner.

You can also automatically import your application into our application portal via external providers such as XING or LINKEDIN, if we have advertised a vacancy on these platforms. If you save your application and personal data in your profile on XING or LINKEDIN, these providers’ data protection provisions will apply. For the processing of personal data by "XING" or "LINKEDIN", we refer to the respective data protection statements of these service providers. Further information can be found on our "Social Media data protection statement". 

If you find out about us through advertising on our social media channels on Facebook or Instagram and use them to apply to us, your personal data will initially be collected and processed with the service provider SocialNatives. SocialNatives is a service provider for job placement and employee recruitment. SocialNatives make a preliminary selection for us and then send your application to our HR department. For SocialNatives' data protection statement, please refer to the application portal or the company's website. All of the necessary data protection agreements (especially the order processing agreement) have been concluded with SocialNatives.

The personal data from the application process will be stored for another 6 months after the end of the application process and will then be deleted, unless you provide us with a voluntary declaration of consent to longer storage.

5. Business relationships - contract initiation/performance

In order to implement these contractual relationships, Heckler & Koch will process your personal data such as name, E-mail address, (business) telephone number, date of birth and/or address in the scope of the usual business cooperation or during contract initiation and subsequent implementation. This includes the communication with you, handling of company transactions, recordkeeping for internal reporting as well as the processing of technical content transferred to us if based on an already concluded contract or the initiation of a contractual relationship.
If you are an authorised dealer for Heckler & Koch, we ask request you to complete a questionnaire on a regular basis. It is necessary to fill out the questionnaire in order to become an authorised dealer for Heckler & Koch. Due to various national and international regulations, Heckler & Koch is required to clearly identify the contracting parties before contracts can be concluded.

We also reserve the right to collect necessary information to provide security against defaults on payment by collecting information on creditworthiness from credit agencies.

6. HK Academy

Should you decide to apply for our HK Academy or attend an event, we will process your first and last name, private or business address, private or business telephone or mobile phone number, E-mail address, information obtained from your hunting licence or firearm permit, as well as information on your preferred shooting hand (right or left-handed shooter). The purpose of processing is to operate the HK Academy with suitable participants. The relevant data protection statement for the HK Academy can be found at HK Academy data protection statement.

7. National Weapons Register (NWR) form

If you want to buy or sell a weapon or send in your weapons for repair, you will first have to provide the information required by the National Weapons Register Act. The data provided is needed to process the request and to provide the necessary information to the competent authorities. The information you provide will be stored in the customer account to expedite further processes.

8. Newsletter

If you register for the newsletter offered on our website, the personal data (name and E-mail address) you provide when you register for the newsletter will only be processed for sending the newsletter, unless you consent to further use. We use the double opt-in procedure when you register for the newsletter. After you register, we will send an E-mail to the E-mail address provided. In this E-mail, we ask you to confirm that you want to receive the newsletter. The purpose of this process is to prove verify that you have registered and, if necessary, to be able to prevent or clear up potential misuse of your personal data. You can unsubscribe from the newsletter at any time using the unsubscribe option provided in each newsletter. If you consent to the processing of your personal data for the purpose of receiving the newsletter, you may revoke your consent freely at any time and Heckler & Koch will stop processing your personal data for this purpose.

9. Use of social media channels

Heckler & Koch is on Facebook, Instagram, YouTube, X and XING. Further information can be found on our "Social Media data protection statement". 

III. Legal Bases

Any processing of personal data we carry out is based on a legal authorisation which depends on the purpose of the data processing in question. We process your data based on the following legal bases:

To the extent that you have granted us your voluntary consent, this consent constitutes the legal basis for the processing of your personal data, Art. 6(1)(a) GDPR. For instance, voluntary consent is the legal basis when you register for the newsletter or provide additional voluntary data in your customer account for the HKWebshop. You can revoke your consent at any time with immediate effect from that point on. We will no longer process your data for this purpose after that.

The processing of personal data is based on Art. 6(1)(b) GDPR if the processing is necessary for the fulfilment of a contract to which you are party, or for pre-contractual measures. Your personal data is necessary for such purposes as accepting and processing orders, delivering ordered products and processing payments.

In cases in which processing is necessary to fulfil with a legal obligation to which Heckler & Koch is subject, the relevant legal basis is Art. 6(1)(c) GDPR. For example, we are subject to the obligation to report the handling of weapons and major components thereof to the authority competent for weapons. Furthermore, Heckler & Koch is obliged to verify the identity of potential business partners, e.g. according to the Act on Tracing Profits from Serious Criminal Activities (the "Money Laundering Act" [Geldwäschegesetz]) or the Weapons Act [Waffengesetz].

Processing may also be carried out to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject take precedence, Art. 6(1)(f) GDPR. Legitimate interests of Heckler & Koch include maintaining the functioning and security of the IT systems, building and system security, improving service and customer management (for contact through social media channels, for instance), (anonymous) evaluating user behaviour of visitors to our social media channels, product distribution and customer consulting and support. Security against payment failures by collecting credit reports from credit bureaus constitutes another legitimate interest of Heckler & Koch.

For applicants and employees in an employment relationship, the processing can be based on § 26 Federal Data Protection Act (BDSG) (new) in conjunction with Article 88 GDPR.

IV. Personal data recipients

We do not transfer your personal data to third parties as a general rule. However, it is necessary to transfer such data to internal and external recipients in some cases.  But selling on personal data does not come into consideration. There always have to be a legal basis for any transfer of personal data in compliance with the basic principles of data protection law.

1. Internal and external recipients

Internal transfer of your personal data is done to fulfil the purpose for which the data was collected and takes place exclusively in the scope of the purposes defined under III. of this data protection statement according to the principle of data economy and other data protection principles.

We will transfer your personal data to third parties if it is required or we are obligated to do so: An obligation to disclose data may be imposed by law or at the request of law enforcement authorities, or we may require third parties to conduct business processes (such as accounting and/or annual audits) or make use of third parties under a contract processing agreement.

For instance, we work with external service providers (e.g. advertising and content agencies) to ensure the availability of Heckler & Koch's social media pages/profiles and keep them updated. If such service providers process personal data on our behalf, we will have concluded a contract processing agreement with the relevant service providers in accordance with Art. 28 GDPR and have agreed upon on suitable means of guaranteeing that personal data will be protected.

On our Website, we offer "social plug-ins" which you can use to establish a direct connection with a social network such as Facebook, Twitter or Instagram. The social plug-in are deactivated by default. As such, no data is transmitted to the operators of these networks. To use the social networks, you must click on the corresponding button to establish a direct connection with the network in question. 

If you are logged into a social network while using our website and then activate the social plug-in, the social network will be able to allocate your visit to our website to you. To prevent this connection from being made, please log out of the social network in question before using our website or do not activate the respective social plug-in. 

If the social plug-in is activated, data may be transmitted to the social network and controlled from there. For your connection to a social network, the transmissions of data between the social network and your end device, as well as your interactions on the respective social network, are governed exclusively by the data protection provisions of the social network in question.1. Cookies

We sometimes make use of technically necessary "cookies" on our websites. Cookies are tiny data files that are stored on your end device by a website that you visit. They enable us to manage such things as your selection in our webshop or your shopping cart. Most internet browsers are generally set to accept cookies automatically. You can change this setting in your browser at any time. Please see your browser provider's instructions for information on how this works. If you reject the use of cookies disabled them, you may not be able to use all features of the website. We use the following technically necessary cookies to operate the website and webshop: 

a) fe_typo_user
This cookie is used to retain your browser’s status for all page requests and thus make your visit to our page as convenient as possible. This cookie is only saved for the duration of your visit to the website.

b) CookieConsent
 This cookie will save your consent status for the cookies during the ongoing session. This data is saved for one year.

V. Datenübertragung an ein Drittland oder eine internationale Organisation

As a rule, we do not transfer your personal data to countries outside the scope of the GDPR (including organisations operating internationally). Should data be transferred nonetheless (e.g. in the case of software applications or other IT services whose manufacturers are based in a country outside the scope of the GDPR), this would only take place if a suitable EU adequacy decision or other appropriate safeguards (e.g. EU standard contractual clauses) are in place. You have the right to receive detailed information on this. You can request the desired information under the contact details of the data protection officer (see I. Data controller and data protection officer).
If you contact us through our social media channels, it cannot be ruled out that the operator of the social media platform in question (Facebook, Instagram, YouTube, Xing, Twitter) will process the data collected there in a third country. The relevant social media platforms base this processing on the standard contractual clauses of the European Commission.

If your personal data is transmitted to a subsidiary of the data controller that is outside the scope of the GDPR, binding internal company regulations and standard EU contractual clauses will ensure that your personal data will be protected in accordance with statutory requirements.

VI. Duration of personal data storage

As a general rule, your personal data will only be saved as long as is necessary for the specific purpose of use. Should any circumstances emerge such as any potential legal disputes, observance of limitation periods according to applicable law or other legal obligations, we will meet the need for longer storage.

Furthermore, we will only save your personal data in accordance with the statutory retention periods and delete them once they are no longer needed, in accordance with regulations for tax and accounting purposes, for instance.

VII. Rights of data subjects

Right to access, erasure, rectification, objection and restriction of processing of your personal data

You have the right to demand confirmation from us as to whether personal data con-cerning you will be processed. If this is the case, you will have the right to access this personal data and to the following information: 

  • the purposes of processing
  • the categories of personal data which are processed
  • the recipients or categories of recipients to whom your personal data has been or will be disclosed, in particular in the case of recipients in non-EU member states or international organisations
  • if possible, the planned duration for which your personal data will be saved or, if this is not possible, the criteria for the determination of this duration
  • the existence of a right to the correction or deletion of the personal data concern-ing you or to the restriction of processing by us or the existence of a right to object to this processing
  • the existence of the right to file a complaint with a supervisory authority
  • if the personal data are not collected from the data subject, all available infor-mation about the origin of the data
  • if automated decision-making is carried out, including profiling (significant infor-mation about the logic involved and the scope and intended effects of such pro-cessing for your person).

If your personal data is transferred to a non-member state or to an international organisation, you have the right to be informed of suitable "guarantees" to ensure an adequate level of data protection in connection with the transfer.

We will provide you with a free copy of the personal data which is the subject of the processing. We may charge a reasonable fee based on administrative costs for any additional copies you request. If you place the request in electronic form, you will receive the information in a conventional electronic format, unless you specify otherwise.

The right to receive a copy may be restricted if this compromises the rights and freedoms of other persons. You have the right to demand us to rectify any incorrect personal data concerning you. You are entitled to demand the completion of incomplete personal data – also by way of a supplementary declaration – in observance of the purpose of processing. You are welcome to contact our data protection officer to exercise this right.

You are entitled to request the deletion of your personal data stored by us if one of the following criteria is met:

  • The personal data is no longer necessary to fulfil the purpose agreed upon.
  • You withdraw a voluntary declaration of consent you have given (however, this has no effect on the lawfulness of the processing carried out on the basis of the consent up to the time of revocation).
  • Your personal data was previously being processed unlawfully.
  • There is a legal obligation for deletion.
  • The personal data was collected in relation to information society services offered (persons under 16 years of age).

You furthermore have the right to demand us to restrict processing if one of the following prerequisites applies: 

  • You dispute the correctness of the personal data for a duration which makes it possible for us to check the correctness of the personal data.
  • The processing is unlawful and you reject the deletion of your personal data and demand the restricted use of your personal data instead.
  • If we no longer require the personal data for the purposes of processing, but you require it to assert, exercise or defend legal claims.
  • If you have objected to the processing, as long as it has not yet been determined whether our legitimate reasons outweigh yours.

Right to data portability
You have the right to receive the personal data we store about you, if said data is processed in an automated procedure, in a structured, conventional and machine-readable format.

You furthermore have the right to transfer this data to another data controller to whom the personal data has been provided without being hindered by us.

In exercising your right to data portability, you have the right to effect that the personal data is transferred directly from us to another data controller, as long as doing so is technically feasible.

The right to data portability can be restricted if exercising this right would compromise the rights or freedoms of other persons.

Right of revocation for consents and continuation of consents granted
If we process personal data about you on the basis of a declaration of consent, you have the right to revoke the consent granted. However, this has no effect on the lawfulness of the processing carried out on the basis of the consent up to the time of revocation. Chapter VI of this data protection statement must also be observed with regard to compliance with storage periods. You can also direct your revocation to the contact addresses specified under  I. Data controller and data protection officer.

Right to complain to the supervisory authority
If you see the need to file a complaint with the competent supervisory authority, you have the right to do so at any time. 

The contact details of the competent supervisory authority are as follows:

Der Landesbeauftragte
für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Lautenschlagerstraße 20
70173 Stuttgart

Telephone: 0711/615541-0
Fax: 0711/615541-15

Mandatory relinquishment of your personal data and possible consequences of refusal to do so
As a general rule, the provision of personal data neither required by law nor by contract. However, it is possible that the complete functioning of the website or the provision of other services depend on the availability of certain personal data, or certain personal data must be relinquished in order to be able to conclude a contract. If you do not provide this data, it may result in you not being able to use the functions of the website or other services from us, or only being able to use them to a limited extent.

Automatic decision-making and profiling
Automated decision-making in relation to your person is not conducted. No "profiling" (significant information about the logic involved and the scope and intended effects of such processing for your person) is carried out using the personal data collected from you.

Change of purpose
If we intend to change the purpose for which your personal data was originally collected, then we will inform you in advance in a detailed and transparent manner. In this case, we will provide you with all the information required by law as a matter of course. If the change of purpose is to process personal data due to the legal basis of a voluntary declaration of consent, we will inform you accordingly and request your formal consent.

VIII. Open questions, complaints or suggestions

You are welcome to contact us with any questions, complaints or suggestions regarding data protection you may have. You are welcome to contact our data protection officer (see I. Data controller and data protection officer) on this matter if necessary.

IX. Security

We protect your personal data from unauthorised access, unlawful processing or transfer, as well as from loss, corruption or destruction. Because of this, we at the company have implemented technical and organisational measures to fulfil our duties – the protection of your data. Our IT infrastructure and our website are hosted on servers in the European Economic Area (EEA) and are continuously adapted to the latest advancements in technology.