1. Basic information on data processing and legal bases
A
This privacy policy provides information on the nature, scope and purpose of personal data processing within our online presence and the websites, functions and content associated with the same (hereinafter referred to collectively as the ‘online presence’ or ‘website’). The privacy policy applies regardless of the domains, systems, platforms and devices (e.g. desktop computer or mobile device) the online presence is operated on.
B
For definitions of the terms used, such as ‘personal data’ or ‘personal data processing’, see Article 4 of the General Data Protection Regulation (GDPR).
C
Users’ personal data processed in the context of this online presence includes: general data (names, addresses), contact details (email addresses, phone numbers, fax numbers), usage data (interests, websites visited, access times) and meta/communication data (device IDs, IP addresses).
D
The term ‘user’ encompasses all categories of data subjects affected by data processing. They include: clients, prospective clients, users, website visitors and recipients of marketing campaigns. The terms used (e.g. ‘user’) apply to people of all genders and none.
E
We process users’ personal data exclusively in compliance with the relevant data protection regulations. This means users’ data is only processed if we are legally permitted to do so. This applies, in particular, if data processing is necessary or legally required for the provision of our contractual services (e.g. order processing) and our online services, if the user has given their consent to this effect and due to our legitimate interests (i.e. our interest in analysing, optimising and economically operating and securing our online presence under Article 6 (1) (f) of the GDPR), which is the case, notably, in the event of reach measurements, creating profiles for advertising and marketing purposes, collecting access credentials and using third-party services. Where a user is below the age of 16 years, consent to data processing must be given or authorised for the child by the holder of parental responsibility over the child.
F
We would like to point out that the legal basis for consent is Article 6 (1) (a) and Article 7 of the GDPR and for consent in the case of minors is Article 8 of the GDPR, the legal basis for processing for the performance of our services and the implementation of contractual activities is Article 6 (1) (a) (1) (c) of the GDPR and the legal basis for processing to uphold our legitimate interest is Article 6 (1) (f) of the GDPR. The legal basis for processing for the fulfilment of our legal obligations is Article 6 of the GDPR.
2. Users’ rights
Your rights:
A
Under Article 15 of the GDPR, you have a right of access to the personal data about you that we process. In particular, you can access information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned duration of storage, the existence of a right to rectification, a right to erasure, a right to restriction of processing or a right to object, the existence of the right to lodge a complaint, the origin of your data, provided we did not collect it, the existence of automated decision-making, including profiling, and if applicable, meaningful information on these details.
B
Under Article 16 of the GDPR, you have the right to obtain, without undue delay, the rectification of inaccurate or incomplete personal data about you that we store.
C
Under Article 17 of the GDPR, you have the right to request the erasure of personal data about you that we store, provided that processing is not required for exercising the right to freedom of expression and information, for compliance with a legal obligation, on grounds of public interest or for the establishment, exercise or defence of legal claims.
D
Under Article 18 of the GDPR, you have the right to request the restriction of processing of your personal data, provided you contest the accuracy of the data, processing is unlawful but you oppose the erasure of the personal data and we no longer need the data for the purposes of processing and you nonetheless need it for the establishment, exercise or defence of legal claims or you have objected to processing pursuant to Article 21 of the GDPR.
E
Under Article 20 of the GDPR, you have the right to receive your personal data, which you provided to us, in a structured, commonly used and machine-readable format or to request it be transmitted to another controller.
F
Under Article 7 (3) of the GDPR, you have the right, at any time, to revoke the consent you gave us. This means we will not be permitted to continue with data processing based on this consent in the future.
G
Under Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority. In general, you may contact the supervisory authority in your habitual place of residence or place of work, or our company’s registered office.
3. Right to object
If your personal data is being processed based on legitimate interests pursuant to the first sentence of Article 6 (1) (f) of the GDPR, you have the right under Article 21 GDPR to object to the processing of your personal data on grounds relating to your particular situation or to object to processing of your personal data for direct marketing purposes. In the latter case, you have a general right to object; we will apply this without a specific situation being stated.
4. Security measures
A
We take state-of-the-art organisational, contractual and technical security measures to ensure that the regulations set out in data protection law are complied with and to protect the data we process from accidental or intentional manipulation, loss, destruction or access by unauthorised individuals.
B
In particular, these security measures include encrypted data transfer between your browser and our server.
5. Disclosure of data to third parties and third-party providers
A
Data is only disclosed to third parties as permitted by law. In this case, we only disclose users’ data to third parties if doing so is required for contractual purposes based on Article 6 (1) (a) of the GDPR, for instance, or based on our legitimate interests in economically Article 6 (1) (a) of the GDPR.
B
If we engage subcontractors to provide our services, we take suitable legal precautions and appropriate technical and organisational measures to protect personal data in line with the relevant legal requirements.
C
If, in the context of this privacy policy, content, tools or other resources made available by other providers (hereinafter referred to collectively as ‘third-party providers’) are used and their registered office is located in a third country, it is to be assumed that data is transferred to the countries in which the third-party providers’ registered offices are located. Third countries are nations in which the GDPR does not apply directly (i.e. countries outside of the EU and the European Economic Area, in principle). Data is transferred to third countries either if there is an adequate level of data protection, the user has granted their consent to this effect or there is otherwise legal permission to do so.
6. Provision of contractual services
A
We process general data (e.g. users’ names, addresses and contact details) and contract data (e.g. services used, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Article 6 (1) (b) of the GDPR.
B
As part of registration and repeated login, and the utilisation of our online services, we store the IP address and the time of the user’s action in question. Such storage is undertaken based on both our and the user’s legitimate interests in preventing abuse and other unauthorised access. In principle, this data is not disclosed to third parties unless doing so is required for pursuing our claims or there is a legal obligation in this respect pursuant to Article 6 (1) (a) of the GDPR.
7. Contact
A
When users contact us (using the contact form or by email), their details are processed for handling and processing the contact request pursuant to Article 6 (1) (a) of the GDPR or based on your voluntary consent under Article 6 (1) (a) of the GDPR. The personal data we collect for use of the contact form and the personal data you transfer by email is erased as soon as it is no longer required for its purpose.
B
User details can be stored in our customer relationship management (CRM) system or a similar system for organising enquiries.
8. Collection of access data and log files
A
We collect data on every instance of access to the server that our services are located on (known as ‘server log files’); we do so based on our legitimate interests under Article 6 (1) (a) of the GDPR. This access data includes the name of the website accessed, the file, the date and time of access, the quantity of data transferred, notification of successful access, the browser type and version, the user’s operating system, the referrer URL (the page visited previously), the IP address and the provider making the request.
B
Log file information is stored on security grounds (e.g. to clarify abusive or fraudulent actions) for a maximum of 14 days, after which it is erased. Data that needs to be retained for a longer period of time for evidence purposes is excluded from such erasure until the case in question has been definitively clarified.
9. Cookies and reach measurement
A
Cookies are pieces of information that are transferred from our web server or third-party web servers to users’ web browsers, where they are stored and can be subsequently accessed. Cookies may be small files or other forms of information storage.
B
We use what are known as ‘session cookies’, which are only stored for the duration of your current visit to our online presence (e.g. to save your login status or the shopping basket feature, which thus enable our online presence to be used in the first place). A session cookie stores a randomly generated, unique identification number, known as a ‘session ID’. A cookie also contains information about its origin and the storage period. These cookies cannot store any other information. Session cookies are deleted when you have finished using our online presence and either log out or close the browser.
C
This privacy policy provides users with information on the use of cookies during pseudonymised reach measurement.
D
If users object to the storage of cookies on their computer, they are requested to disable the relevant option in their browser’s system settings. Stored cookies can be erased using the browser’s system settings. Excluding cookies can limit the functionality of this online presence.
E
You can object to the use of cookies to measure reach and for advertising purposes using the NAI opt-out page (http://optout.networkadvertising.org/). You can also do this using the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
10. Google Analytics
A
We use Google Analytics, a web analytics service provided by Google, Inc. (‘Google’), based on our legitimate interests (i.e. our interest in analysing, optimising and economically operating our online presence under Article 6 (1) (f) of the GDPR). Google uses cookies. The information that the cookie generates on how users use the online presence is generally transferred to and stored on a Google server in the USA.
B
Google is certified under the EU-US Privacy Shield and therefore guarantees it will comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
C
Google will use this information on our behalf to evaluate how users use our online presence, to compile reports on activities within this online presence and to provide us with further services associated with the use of this online presence and the internet. Pseudonymised user profiles may be created from the data processed for this purpose.
D
We only use Google Analytics with IP anonymisation activated. This means that Google truncates users’ IP addresses within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to and truncated on a Google server in the USA.
E
The IP address transferred by the user’s browser is not merged with any other data that Google holds. Users can prevent the setting of cookies by changing their browser settings accordingly. Additionally, users can also prevent Google’s collection and processing of the information the cookie generates about their use of the online presence by downloading and installing the browser plugin available at: http://tools.google.com/dlpage/gaoptout?hl=en.
As an alternative to the browser add-on or for browsers on mobile devices, please click on the hyperlink below to prevent Google Analytics from collecting data within this website in future: Google Analytics opt-out (the opt-out only works within the browser and only for this domain).
F
Please refer to Google’s websites – https://policies.google.com/technologies/partner-sites?hl=en (‘How Google uses information from our partners’ websites or apps’), http://www.google.com/policies/technologies/ads (‘Using data for advertising purposes’), http://www.google.en/settings/ads (‘Managing information that Google uses to show you advertising’) – for further information on how Google uses data, settings and opting out.
11. Integrating third-party services and content
A
Within our online presence, we use content or services offered by third-party providers to integrate their content and services (e.g. videos or fonts) (hereinafter referred to collectively as ‘content’). We do so based on our legitimate interests (i.e. our interest in analysing, optimising and economically operating our online presence under Article 6 (1) (f) of the GDPR). This always requires the third-party providers of this content to know users’ IP addresses, as they cannot send the content to their browsers without the IP addresses. As a result, an IP address is required for this content to be displayed. We strive only to use content from providers that use the IP address to exclusively deliver this content. Furthermore, third-party providers may use what are known as ‘pixel tags’ (invisible graphics, also known as ‘web beacons’) for statistical or marketing purposes. The pixel tags enable evaluation of information, such as visitor traffic to this website’s pages. The pseudonymised information may also be stored in cookies on the users’ devices and may contain technical information about the browser and operating system, websites referred to, the length of the visit and further details on how our online presence is used, along with other pieces of data. It may also be associated with information of this nature from other sources.
B
The list below provides an overview of third-party providers and their content, along with links to their privacy policies, which contain further details on data processing and opt-out options, some of which are listed here:
- External fonts from Google, Inc., https://www.google.com/fonts (‘Google Fonts’). Google Fonts are integrated by means of retrieval from Google’s server (generally in the USA). Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
- Maps from the ‘Google Maps’ service provided by the third-party provider Google, Inc., of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
- Videos from the platform ‘YouTube’ provided by the third-party provider Google, Inc., of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
12. Erasure of data
A
The data we store is erased as soon as it is no longer required for its purpose and such erasure does not conflict with any statutory retention requirements. Provided that users’ data is not erased because it is required for other, legally permissible purposes, processing of the same will be limited. This means the data will be blocked and not processed for other purposes. This applies to user data that needs to be retained under commercial or tax law, for example.
B
Under the legal requirements, data is retained for six years pursuant to Section 257 (1) of the German Commercial Code (commercial records, inventories, opening balance sheets, annual financial statements, commercial letters, vouchers for accounting entries, etc.) and for ten years pursuant to Section 147 (1) of the German Fiscal Code (accounts and records, situation reports, accounting records, trade and business letters, documents of relevance for taxation, etc.).
13. Modifications to the privacy policy
A
We reserve the right to modify the privacy policy to take regulatory changes, changes to the service and changes to data processing into account. However, this only applies in respect of declarations regarding data processing. Provided users’ consent is required or components of the privacy policy include provisions on the contractual relationship with users, the modifications may only be made with the users’ consent.
B
Users are requested to obtain information about the content of the privacy policy at regular intervals.