This Privacy Policy will inform you about the type, scope and purposes of the processing of personal data (hereafter referred to as “data”) for our online business and its related websites, functions and contents and external online presences, e.g., our social media profiles (hereafter jointly referred to as the “online offer”). For the terms used, such as “personal data” or their “processing,” please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Data protection officer:
Ms. Sylvia Kramer
Kramer & Partner GbR
Büro für Datenschutz und Datensicherheit
Richard-Wagner-Str. 11
01445 Radebeul
Germany
Type of data processed:
– Inventory data (e.g. names, addresses).
– Contact data (e.g. email address, telephone numbers).
– Usage data (e.g. websites visited, interest in contents, access times).
– Meta/communication data (e.g. device information, IP addresses).
Processing special categories of personal data (Art. 9(1) GDPR):
– No special categories of personal data are processed.
Data subject categories:
– Customers/prospective customers/suppliers.
– Visitors and users of the online offer.
Data subjects will hereafter also be collectively referred to as “users.”
Processing purpose:
– Providing the online offer, its contents and functions.
– Answering customer enquiries and communicating with users.
– Marketing, advertising and market research.
– Security measures.
Valid: 14 May 2018
1. Legal Bases
In accordance with Art. 13 GDPR, the legal bases for our data processing will be stated hereafter. If the legal basis is not stated in this Privacy Policy, the following shall apply: the legal basis for the obtainment of consent is Art. 6(1) Letter a and Art. 7 GDPR; the legal basis for processing for the fulfillment of our services, the performance of our contractual measures and answering enquiries is Art. 6(1) Letter b GDPR; the legal basis for processing for the fulfillment of our legal obligations is Art. 6(1) Letter c GDPR; and the legal basis for processing for safeguarding our legitimate interests is Art. 6(1) Letter f GDPR. If the vital interests of the data subject require the processing of personal data, the respective legal basis will be Art. 6(1) Letter d GDPR.
2. Privacy Policy Changes and Updates
Please stay regularly updated about the contents of our Privacy Policy. We adjust our Privacy Policy as soon as required by changes to the data processing performed by us. We will inform you if any changes require your cooperation (e.g. consent) or if other individual notification is necessary.
3. Security Measures
3.1. We have implemented suitable technical and organisational measures to ensure an adequate level of security in accordance with Art. 32 GDPR and in consideration of the state of technology, implementation costs and the type, scope, circumstances and purposes of processing and the respective degree of likelihood and severity of risks to the rights and freedom of persons; these measures especially include securing the confidentiality, integrity and availability of data by controlling physical access to that data as well as its input, transfer, availability and possible selection. Furthermore, we have implemented procedures that ensure that data subject rights can be exercised, data can be erased and any threats to data can be responded to. In addition, we consider the protection of personal data during the development or selection of hardware, software or other procedures in accordance with the principle of data protection through technical design and data protection-friendly presets (Art. 25 GDPR).
3.2. These security measures especially include encrypted transfers of data between your browser and our server.
4. Cooperation with Commissioned Processors and Third Parties
4.1. If we disclose, transfer or otherwise grant access to data to other persons and companies (commissioned processors or third parties) as part of our processing, this will only be done on the basis of legal permissibility (e.g. if data must be transmitted to third parties, such as payment service providers, under Art. 6(1) Letter b GDPR for contract performance), with your consent, if we are required to do so by law or on the basis of our legitimate interests (e.g. when using commissioned parties, webhosts, etc.).
4.2. If we commission third parties to process data on the basis of a so-called “commissioned processing agreement” this will be done on the basis of Art. 28 GDPR.
5. Transmissions to Third Countries
If we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or if this is done through the utilisation of third party services or through the disclosure or transmission of data to third parties, this will only be done if required for the fulfilment of our (pre-)contractual obligations, on the basis of your consent, due to legal obligations or on the basis of our legitimate interests. Conditional on legal or contractual permissibility, we will only process or have data processed in a third country if the special requirements of Art. 44 et seq. GDPR are fulfilled. This means that processing will be performed on the basis of special guarantees, such as the official recognition of a level of data protection comparable to that of the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contract clauses”).
6. Data Subject Rights
6.1. Under Art. 15 GDPR, you have the right to obtain information about how certain data is processed and to have access to this data and to further information on and copies of the data.
6.2. Under Art. 16 GDPR, you have the right to add to any data held about you and to clarify and rectify any inaccurate information.
6.3. Under Art. 17 GDPR, you have the right to request erasure of the respective data without undue delay and, under Art. 18 GDPR, you have the right to request restrictions on processing the data.
6.4. Under Art. 20 GDPR, you have the right to receive any personal data that you have provided to us and the right to have this data transmitted to another controller.
6.5. Furthermore, under Art. 77 GDPR, you have the right to lodge a complaint with a competent supervisory authority.
7. Withdrawal Right
Under Art. 7(3) GDPR, you have the right to withdraw your consent effective for the future.
8. Right to Object
Under Art. 21 GDPR, you may object to the future processing of your data at any time. Objections may especially be raised for processing for direct marketing purposes.
9. Cookies and Right to Object to Direct Marketing
We use temporary and permanent cookies, i.e. small files saved on user devices (for an explanation of this term and its functions, see the last section of this Privacy Policy). Cookies partially serve security purposes or are necessary for operating our online offer (e.g. for presenting our website) or to save user decisions when confirming the cookie banner. In addition, we – together with our technology partners – use cookies for reach measurements and marketing purposes, about which users will be informed by this Privacy Policy.
The American website http://www.aboutads.info/choices/ and the EU website http://www.youronlinechoices.com/ allow objections to be declared for a number of services that use cookies for online marketing purposes, especially if tracking is used. Furthermore, the saving of cookies may be prevented by disabling them through your browser settings. However, please note that doing so may prevent you from accessing every function of our online offer.
10. Data Erasure
10.1. The data we process will be erased or its processing will be restricted in accordance with Art. 17 and Art. 18 GDPR. Unless stated specifically by this Privacy Policy, the data saved by us will be erased when it is no longer required for the purposes for which it was collected and if its erasure is not prevented by legal storage obligations. If the data is not erased because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, e.g. to data that must be saved for commercial or tax law purposes.
10.2. Germany: In accordance with legal requirements, data will especially be stored for six years in accordance with Section 257(1) of the German Commercial Code [Handelsgesetzbuch, HGB] (trading books, inventories, opening balances, annual financial statements, commercial letters, vouchers, etc.) and for ten years in accordance with Section 147(1) of the German Fiscal Code [Abgabenordnung, AO] (books, records, status reports, vouchers, commercial and business letters, documents relevant to taxation, etc.).
11. Contacting Us
11.1. When contacting us (via contact form or email), user information will be processed to handle the respective enquiry in accordance with Art. 6(1) Letter b GDPR.
11.2. The information provided by users may be saved in our customer relationship management system (CRM system) or in comparable enquiry systems.
12. Access Data and Log File Collection
12.1. On the basis of our legitimate interests within the meaning of Art. 6(1) Letter f GDPR, we collect data on every access to the server hosting our services (so-called server log files). This access data includes the name of the retrieved website, file, time and date of access, volume of data transferred, successful retrieval notification, browser type and version, the user’s operating system, referrer URL (last visited page), IP address and the requesting provider.
12.2. For security reasons (e.g. to investigate fraud or abuse), log file information is saved for up to seven days and then erased. Data that must be stored for longer for evidence purposes is excluded from erasure until the settlement of the respective matter.
13. Online Presence on Social Media
13.1. We maintain an online presence on social networks and platforms to communicate with and inform active customers, prospective customers and users about our services. When using the respective networks and platforms, the general terms and conditions and privacy policies of the respective operators apply.
13.2. Unless stated otherwise in this Privacy Policy, we will process the data of users who communicate with us on social networks or platforms, e.g. by commenting on our online activities or sending us messages.
14. Cookies & Reach Measurement
14.1. Cookies contain information that is transmitted to the user’s web browser by our or third party web servers and saved there for subsequent retrieval. Cookies may be small files or other types of stored information.
14.2. We use “session cookies” that are only saved for the duration of the current visit to our online platform (e.g. to save your login status or shopping cart contents to enable you to use our online offer). Session cookies are given randomly-generated unique identification numbers, so-called session IDs. Furthermore, cookies include information on their origin and storage duration. These cookies cannot save other data. Session cookies will be erased when your session on our online offer ends, e.g. by you logging out or closing your browser.
14.3. This Privacy Policy will inform users about the use of cookies for pseudonymised reach measurement.
14.4. If users do not want cookies to be saved on their computer, they will be asked to disable the respective option in their browser settings. Saved cookies may be deleted from the browser’s system settings. However, disabling cookies may limit the functionality of our online offer.
14.5. The deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and the American website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/) allow you to object to cookies that use reach measurement for marketing purposes.
15. Newsletter
15.1. The following notices will inform you about the contents of our newsletter, sending process, your subscription, as well as our statistical assessment procedure and your right to object. By subscribing to our newsletter, you consent to receiving it in line with the described procedure.
15.2. Newsletter content: We will only send our newsletter, emails and other electronic notifications containing marketing information (hereafter referred to as “newsletter”) with the subscriber’s consent or legal permission. If a newsletter’s contents are specifically described as part of the subscription, this description will form the basis for the user’s consent. Apart from that, our newsletters feature information on our products, offers, campaigns and our company.
15.3. Closed-loop authentication and record keeping: Our newsletter subscriptions use so-called closed-loop authentication. This means that, after subscribing, you will receive an email asking you to confirm your subscription. This confirmation is required to prevent unauthorised subscriptions using another person’s email address. Newsletter subscriptions are recorded as evidence for the subscription process in accordance with legal requirements. This includes recording the subscription and confirmation date and IP address. Likewise, changes to the data saved by your email service provider will also be recorded.
15.4. Email service provider: The newsletter will be sent via “MailChimp,” a newsletter sending platform of the American provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA, whose privacy policy can be found at: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement which guarantees compliance with European levels of data protection (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
15.5. Furthermore, according to its own information, the email service provider may use this data in pseudonymous form, i.e. without being able to identify users, to optimise or improve its own services, e.g. for the technical optimisation of the sending process and the display of the newsletter, or for statistical purposes to determine the national origin of subscribers. However, the email service provider will not use our subscriber data to contact our subscribers or to transfer this data to third parties.
15.6. Subscription data: Providing your email address will suffice to subscribe to our newsletter. We may ask you to state your name to address you personally in our newsletter. However, this will be optional.
15.7. Measurement of success – Our newsletters include a so-called “web beacon,” i.e. a file one pixel in size retrieved by the email service provider’s server when the newsletter is opened. As part of this retrieval, technical information, such as information on your browser, system, IP address and the date and time of your access, will be collected. This information will be used to improve our services technically using technical data or target groups and their reading behavior based on the times and places of retrieval (determinable via IP address). Statistical collection also includes a determination of whether and when newsletters are opened and what links are activated. Although this information may be assigned to individual newsletter subscribers for technical reasons, it is neither our nor the email service provider’s intention to monitor individual users. We use these assessments to recognise our users’ reading habits, tailor our content to their needs and send various updates according to our users’ interests.
15.8. Our newsletter is sent and its success is measured on the basis of the subscriber’s consent in accordance with Art. 6(1) Letter a and Art. 7 GDPR pursuant to Section 7(2) Number 3 of the German Act Against Unfair Competition [Gesetz gegen den unlauteren Wettbewerb, UWG] or on the basis of legal permissibility under Section 7(3) of the German Act Against Unfair Competition.
15.9. Records of the subscription process are kept on the basis of our legitimate interest under Art. 6(1) Letter f GDPR and serve to prove consent to the receipt of our newsletter.
15.10. Unsubscribing/withdrawal – You may unsubscribe from, i.e. withdraw your consent to, our newsletter at any time. An unsubscribe link is provided at the end of every newsletter. If users who only subscribed to our newsletter unsubscribe, their personal data will be erased.
16. Inclusion of Third Party Services and Contents
16.1. We use third party provider content and service offers on our online offer to include their contents and services, e.g. videos and fonts, (hereafter collectively referred to as “contents”) on the basis of our legitimate interests (i.e. interest in analysing, optimising and in the economic operation of our online offer in the sense of Art. 6(1) Letter f GDPR). This requires the third party providers of this content to receive user IP addresses, since they cannot send the respective content to the users’ browsers without their IP addresses. An IP address is therefore required for displaying this content. We try to only use content, the respective providers of which only use IP addresses to provide the content. Furthermore, third party providers may use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” allow information, such as website traffic, to be assessed. Furthermore, the pseudonymised information may be saved in cookies on user devices and contain, among other things, technical information on the browser and operating system, referring websites, time of access and other information on the use of our online offer and may be merged with such information from other sources.
16.2. An overview of third party providers and their contents and links to their privacy policies – that include information on the processing of data and objection options (so-called opt-outs) that have already partially been stated herein – is provided hereafter:
– External fonts of Google LLC, https://www.google.com/fonts (“Google Fonts”). Google Fonts are displayed by accessing Google’s servers (usually in the USA). Privacy policy: https://policies.google.com/privacy, opt out: https://adssettings.google.com/authenticated.
– Map services of “Google Maps” of the third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt out: https://www.google.com/settings/ads/.
– Videos of the platform “YouTube” of the third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://policies.google.com/privacy, opt out: https://adssettings.google.com/authenticated.