This privacy statement sets out the type, scope and purpose of processing personal data (referred to in the following in short as “data”) within the framework of delivering our services and within our online presence, as well as any websites linked with it, any associated functions and contents, and any external online presences, such as our social media profiles for example (commonly referred to in the following as “online presence”). With regard to the terminology used, such as “processing” and “data controller”, we refer also to the definitions in art. 4 of the General Data Protection Regulation (GDPR).
Telephone: +49 (0) 89 46258198
Tel.: +49 (0) 170 1131871
– Inventory data (e.g. personnel master data, names and addresses).
– Contact details (e.g. email addresses, telephone numbers).
– Content data (e.g. text entries, photographs, videos).
– Usage data (e.g. websites visited, interests in content, access times).
– Metadata/communication data (e.g. device information, IP addresses).
Visitors to and users of the online presence (in the following, we also refer to the affected persons on a general basis as “users”).
– Making the online presence, its functions and contents available.
– Replying to contact inquiries and communication with users.
– Security measures.
– Range measurement / marketing.
“Personal data” is all information that pertains to an identified or identifiable natural person (referred to in the following as “affected person”); a natural person is deemed to be identifiable if they can be directly or indirectly identified, in particular with assignment to an identifier such as a name, an identification number, location data, an online identification (e.g. cookie), or one or more particular characteristics, which constitute an expression of the physical, physiological, genetic, psychological, financial, cultural or social identity of this natural person.
“Processing” is any procedure or sequence of procedures, executed with or without the help of automated processes, that takes place in conjunction with personal data. The term is broad and includes almost all handling of data.
“Pseudonymisation” is the processing of personal data in such a way that the personal data can no longer be attributed to a specific affected person without drawing upon additional information, insofar as this additional information is stored separately and is subject to technical and organisational measures that guarantee that the personal data cannot be assigned to an identified or identifiable natural person.
“Profiling” is any form of automated processing of personal data, which consists of using this personal data in order to evaluate specific personal aspects that pertain to a natural person, in particular in order to analyse or predict aspects pertaining to work performance, financial situation, health, personal preferences, interests, reliability, conduct or behaviour, whereabouts or change of location of this natural person.
“Data controller” is the term used to describe the natural or legal person, authority, institution or any other entity that decides, autonomously or together with others, on the purposes and means of processing personal data.
An “order processor” is a natural or legal person, authority, institution or any other entity that processes the personal data on behalf of the data controller.
In accordance with art. 13 GDPR, we hereby inform you of the legal bases for our data processing. Unless the legal basis is specified in the privacy statement, the following applies for users per the scope of validity of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC:
The legal basis for obtaining permission is art. 6 section 1 lit. a and art. 7 GDPR;
The legal basis for processing in order to deliver our performance and carry out contractual measures, as well as respond to inquiries is art. 6 section 1 lit. b GDPR;
The legal basis for processing in order to satisfy our legal obligations is art. 6 section 1 lit. c GDPR;
In the event that the vital interests of the affected person or another natural person result in a requirement to process personal data, the legal basis for this is art. 6 section 1 lit. d GDPR.
The legal basis for a requirement to process data in order to perform a task that is in the public interest or that takes place in exercising official authority that has been transferred to the data controller is art. 6 section 1 lit. e GDPR.
The legal basis for processing in order to safeguard our legitimate interests is art. 6 section 1 lit. f GDPR.
Processing data for purposes other than those for which the data was acquired takes place in accordance with the provisions of art. 6 section 4 GDPR.
Processing special categories of data (in accordance with art. 9 section 1 GDPR) takes place in accordance with the provisions of art. 9 section 2 GDPR.
We implement suitable technical and organisational measures to guarantee an appropriate level of protection against risks to the rights and freedoms of natural persons, in accordance with the legal regulations and with consideration to the latest engineering practice, the implementation costs, as well as the scope, circumstances and purposes of processing, and the respective probability of occurrence and the severity of the risk.
The measures include in particular protecting the confidentiality, integrity and availability of data by controlling physical admittance to the data, as well as associated access, input, distribution, and safeguarding the availability of data and its segregation. Furthermore, we have established processes that guarantee the upholding of affected party rights, the deletion of data and a reaction to a threat to the data. Additionally, we also consider the protection of personal data during the development or selection of hardware, software and processes, in accordance with the principle of data protection through the design of technology and data protection-friendly pre-settings.
Insofar as we disclose data to other persons and companies (order processors, collectively responsible data controllers and third parties) within the scope of our data processing, or transmit data to such parties or allow them access to the data in any other way, this is carried out exclusively on the basis of legal consent (e.g. if transmission of the data to third parties, such as payment service providers, is essential for the fulfilment of the contract), with the user’s consent, if a legal obligation mandates this or on the basis of our legitimate interests (e.g. with the use of commissioned third parties, web hosts, etc.).
Insofar as we disclose or transmit data to other companies within our company group, or provide such companies with access to the data in any other way, this takes place in particular for administrative purposes as a legitimate interest and furthermore on the basis of the legal regulations.
Insofar as we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation), or if this occurs during the course of using the services of a third party or within the framework of the disclosure or transfer of data to other persons or companies, this will only happen if required for the fulfilment of our (pre)contractual duties, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process the data or allow the data to be processed in a third country only if the legal prerequisites apply. This means that the processing is carried out for example on the basis of special guarantees, such as the officially accepted determination of a data protection level equivalent to that of the EU (e.g. through the “Privacy Shield” for the USA) or the observance of officially accepted special contractual obligations.
You have the right to demand confirmation of whether data related to you is processed and the right to information regarding this data, as well as further information and a copy of the data in accordance with the legal regulations.
In accordance with the legal regulations, you have the right to demand that data related to you be completed and that incorrect data related to you be corrected.
In accordance with the legal regulations, you have the right to demand that data related to you be deleted with immediate effect, or alternatively that processing of the data be restricted in accordance with the legal regulations.
You have the right to demand that data related to you, that you have supplied to us, be provided to you in accordance with the legal regulations, and also that it be transmitted to a third party.
You also have the right, in accordance with the legal regulations, to submit a complaint to the regulatory authorities responsible.
You have the right to revoke your consent with future effect at any time.
You can object at any time to the future processing of data related to you in accordance with the legal regulations. This objection can be raised in particular against processing for the purposes of direct advertising.
“Cookies” are small files that are saved on the computers of users. Various information can be saved inside cookies. A cookie primarily serves to save information about a user (or the device on which the cookie is saved) during or after their visit to an online presence. Temporary cookies, “session cookies” or “transient cookies” are cookies that are deleted once the user has exited the online presence and closed their browser. Such cookies can be used to store the contents of a shopping basket in an online shop or a login status. A “permanent” or “persistent” cookie is a cookie that is still stored after the browser has been closed. The login status can be saved in this way for example, if the user visits again after a number of days. Such cookies can also be used to save the user’s interests, which are used for range measurement or marketing purposes. A “third-party cookie” is a cookie that is operated by providers other than the data controller who operates the online presence (if cookies belong to the data controller these are referred to as “first-party cookies”).
We may use temporary and permanent cookies, and we clarify this within the framework of our privacy statement.
If the user does not wish cookies to be saved on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. Disabling cookies may limit the functionalities of this online presence.
The data processed by us is deleted in accordance with the legal regulations, or its processing is accordingly restricted. Unless otherwise specifically stated within the framework of this privacy statement, data stored by us is deleted as soon as it is no longer required for its intended purpose and its deletion is not prevented by any statutory storage obligations.
If the data is not deleted because it is required for other purposes that are legally permissible, its processing is restricted. I.e. the data is blocked and is not processed for other purposes. This applies for example to data that must be stored for reasons of commercial or taxation law.
We kindly ask that you regularly inform yourself of the contents of our privacy statement. We adjust our privacy statement as soon as this is necessary due to changes to the data processing we perform. We will inform you as soon as the changes require cooperation on your part (e.g. consent) or any other personal notification is necessary.
Registration and use take place via Auth0, a provider of services for user authentication and authorisation. This provider is not authorised to use personal data for any other purposes. Auth0 is based in Bellevue (WA), USA. We use an end point in the EU for processing the data. However, the data is replicated via multiple computing centres for failure safety. You can view the privacy statement of Auth0 by visiting https://auth0.com/privacy
Additionally, we also process
– Contractual data (e.g. object of the contract, term, customer category).
– Payment data (e.g. bank details, payment history)
of our customers, interested parties and business partners for the purpose of delivering contractual performance, services and customer care, marketing, advertising and market research.
We process the data of our customers within the framework of order processes in our online shop, in order to enable them to choose and order the selected products and services, and to facilitate payment and supply or execution accordingly.
The data to be processed includes inventory data, communication data, contract data, payment data and the persons affected by the processing include our customers, interested parties and other business partners. Processing takes place for the purpose of delivering contractual services within the framework of running an online shop, billing, delivery and customer services. We use session cookies here for saving the contents of the shopping basket, and permanent cookies for storing the login status.
Processing takes place in order to fulfil our services and perform contractual measures (e.g. execution of order processes) and insofar as this is legally prescribed (e.g. statutory archiving of business processes for commercial and taxation purposes). The information marked as being necessary is required in order to establish and execute the contract. We disclose the data to third parties only within the framework of delivery, payment or within the framework of the legal permissions and obligations, also if this takes place on the basis of our legitimate interests, whereby we inform you of this within the framework of this privacy statement (e.g. in relation to legal or tax consultants, financial institutes, freight companies and authorities).
Users are optionally able to create a user account, in which they can view their orders in particular. During registration, the user will be informed of the mandatory information required. The user accounts are not public and cannot be indexed by search engines. If a user cancels their user account, the user account data will be deleted, subject to any statutory storage requirements arising due to commercial or tax law. Information in the customer account is stored until it is deleted with subsequent archiving in the event of legal obligations or on the basis of our legitimate interests (e.g. in case of legal disputes). It is the user’s responsibility to back up their data in the event of cancellation before the end of the contract.
Within the framework of registration and renewed login and use of our online service, we save the IP address and the time point of the respective user activity. Saving takes place on the basis of our legitimate interests, as well as those of the user in protection against misuse and other unauthorised use. This data is never passed on to third parties unless this is necessary on the basis of our legitimate interests, in order to pursue our legal claims or if a legal obligation to do so exists.
Deletion takes place after the statutory warranty entitlements and other contractual rights and obligations have expired (e.g. payment claims or performance claims arising from contracts with customers), whereby the necessity to store the data is reviewed every three years; in the event of storage due to statutory archiving duties, deletion will take place once this period of time has passed.
We process the data of our contractual partners and interested parties, as well as other purchasers, customers, clients, ordering parties or contractual partners (commonly referred to as “contractual partners”) in accordance with art. 6 section 1 lit. b. GDPR, in order to deliver our contractual or pre-contractual services to them. The data processed in this case, as well as its type, scope, purpose and the requirement for its processing are determined by the underlying contractual relationship.
The data processed includes the master data of our contractual partners (e.g. names and addresses), contact details (e.g. email addresses and telephone numbers), as well as contract data (e.g. services utilised, contract contents, contractual communication, names of contact persons), and payment details (e.g. bank details, payment history).
We do not process particular categories of personal data unless these are components of commissioned or contractual processing.
We process data that is required for establishing and satisfying the contractual services, and we provide information regarding the requirement to provide this information, if this is not apparent to the contractual partner. Disclosure to external persons or companies only takes place if this is necessary within the framework of a contract. When processing data provided to us within the framework of an order, we act in accordance with the instructions of the customer and the legal regulations.
Within the framework of utilising our online services, we may save the IP address and the time point of the respective user activity. Saving takes place on the basis of our legitimate interests, as well as the interests of the user in protection against misuse and other unauthorised use. This data is never passed on to third parties unless this is necessary in order to pursue our legal claims in accordance with art. 6 section 1 lit. f. GDPR, or if a legal obligation to do so exists in accordance with art. 6 section 1 lit. c. GDPR.
The deletion of data takes place if the data is no longer required in order to satisfy contractual or legal fiduciary duties, or for dealing with any warranty and comparable obligations, whereby the necessity to store data is reviewed every three years; furthermore, the statutory storage obligations also apply.
We utilise the following external payment service providers, via whose platforms the users and we ourselves may execute transactions:
Within the framework of fulfilling contracts, we utilise the payment service providers on the basis of art. 6 section 1 lit. b. GDPR. We also utilise external payment service providers on the basis of our legitimate interests in accordance with art. 6 section 1 lit. f. GDPR, in order to offer our users more effective and more secure payment options.
The data processed by the payment service providers includes inventory data such as name and address, bank details such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, amount and recipient-related data. The information is required to execute the transaction. However, the data entered is only processed and stored by the payment service provider. I.e. we do not receive any account or credit card information, but rather only payment confirmation or payment rejection information. Under certain circumstances, the data is transmitted by the payment service provider to credit agencies. This transmission facilitates identity and creditworthiness checks. We refer in this regard to the T&Cs and data protection information of the payment service provider.
Payment transactions are subject to the terms and conditions of business and the data protection information of the respective payment service provider, which can be called up from the respective websites or transaction applications. We also refer to these for the purpose of obtaining further information and invoking rights of revocation, rights to information and other rights of the affected party.
Within our online presence and on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online presence) in accordance with art. 6 section 1 lit. f GDPR, we utilise standard industry tracking measures insofar as these are necessary for operation of the affiliate system. In the following section, we explain the technical background to the user.
The services offered by our contractual partners can also be acquired on and linked with other websites (so-called affiliate links or after-buy-systems, for example if links or services of third parties are offered after contractual conclusion). The operators of the respective websites receive commission if the user clicks on the affiliate links and subsequently utilises the offers.
In summary, our online presence requires that we are able to track whether users are interested in affiliate links and/or offers available from us, and whether the offers are subsequently taken up due to the affiliate links or our online platform. For this purpose, the affiliate links and our offers are supplemented with certain values, which can be set as a component of the link or in another way, for example in a cookie. The values include in particular the initial website (referrer), time point, an online identifier for the website operator on which the affiliate link was located, an online identifier for the respective offer, an online identifier for the user, as well as tracking-specific values such as advertising material ID, partner ID and categorisations.
The online identifiers for the user that we use are pseudonymous values. I.e. the online identifiers themselves contain no personal data such as names and email addresses. They merely help us to determine whether the same user that clicked on the affiliate link or was interested in the offer via our online presence also took up the offer, i.e. concluded a contract with the provider for example. However, the online identifier is personal insofar as the partner company and we ourselves present the online identifier together with other user data. Only in this way can the partner company inform us whether the respective user has taken up the offer, and the commission be paid out accordingly for example.
On the basis of our legitimate interests (i.e. interest in the economical operation of our online presence in accordance with art. 6 section 1 lit. f. GDPR), we participate in the partner program of Amazon EU, which was designed for the provision of a medium for websites with which advertising cost compensation can be earned through the placement of advertisements and links with Amazon.de (so-called affiliate system). I.e. as an Amazon partner we generate revenues through qualified sales.
For further information on the use of data by Amazon as well as the objection procedures, please refer to the company’s privacy statement: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010.
When getting in touch with us (e.g. by contact form, email, telephone or via social media), the information of the user is processed in order to handle and deal with the inquiry in accordance with art. 6 section 1 lit. b. (within the framework of contractual/pre-contractual relations) or art. 6 section 1 lit. f. (other inquiries) GDPR. The user’s information may be saved in a Customer Relationship Management System (“CRM System”) or in a comparable inquiry organisation system.
We delete inquiries if these are no longer required. We review the necessity every two years; furthermore the statutory archiving duties also apply.
The hosting services that we use act to make the following services available: Infrastructure and platform services, computing capacity, storage capacity and database services, sending emails, security services, as well as technical maintenance services that we require for the purpose of operating this online presence.
In doing so, we or our hosting services providers process inventory data, contact data, content data, contractual data, usage data, metadata and communication data from customers, interested parties and visitors to this online presence on the basis of our legitimate interests in the efficient and reliable provision of this online presence per art. 6 section 1 lit. f of the GDPR in conjunction with art. 28 of the GDPR (conclusion of order processing contract).
We or our hosting provider acquire data on the basis of our legitimate interests in accordance with art. 6 section 1 lit. f. GDPR regarding every access of the server on which this service is located (so-called server log files). Access data includes the name of the website called up, the file, date and time of the call-up, quantity of data transferred, message about successful call-up, browser type and version, the operating system of the user, referring URL (the site visited previously), IP address and requesting provider.
Log file information is stored for a maximum of 7 days for security reasons (e.g. in order to handle cases of misuse or fraud), after which it is deleted. Data that must be stored for a longer period of time for reasons of proof is excluded from deletion until the respective case has been fully clarified and dealt with.
Google is certified in accordance with the Privacy Shield agreement and therefore guarantees to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf to evaluate use of our online presence by the user, to assemble reports on activities within this online presence, and to provide further services to us that are associated with use of this online presence and the internet. The processed data can be used to generate pseudonymous usage profiles of the users.
We only use Google Analytics with activated IP anonymising. This means that the user’s IP address is shortened by Google within the member states of the European Union or in other countries that are contracting parties to the agreement on the European Economic Area. Only in exceptional cases will your full IP address be transferred to a Google server in the USA, where it will be shortened.
The IP address transmitted by your browser is not associated with other data from Google. The user can prevent the saving of the cookies by adjusting the requisite settings in their browser software. Furthermore, the user can prevent the acquisition of the data created by the cookie and related to their use of the online presence by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available through the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information on the use of data by Google, as well as settings and objection procedures can be found in the Google privacy statement (https://policies.google.com/privacy) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).
The user’s personal data is deleted or anonymised after 14 months.
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online presence in accordance with art. 6 section 1 lit. f. GDPR), we utilise the Jetpack plugin (here with the sub-function “Wordpress Stats”), which incorporates a tool for the statistical evaluation of user accesses, from Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. Jetpack uses so-called “cookies”, text files that are saved on your computer and which facilitate the analysis of the use of the website by you.
The information on your use of this online presence generated by the cookie is saved on a server in the USA. The processed data can be used to generate usage profiles of the users, whereby these are only used for analysis purposes and not for advertising. You can find further information on this by referring to the Automattic privacy statement: https://automattic.com/privacy/ and information on Jetpack cookies at: https://jetpack.com/support/cookies/.
We maintain online presences within social networks and platforms, in order to communicate actively with customers, interested parties and users there, and inform them of our services.
Please note that the user’s data may be processed outside the European Union in this case. This may result in risks for the user, because it is more difficult to assert the rights of the user for example. With regard to US providers that are certified under the Privacy Shield, please note that they are obligated to comply with the data protection standards of the EU.
Furthermore, user data is also generally processed for market research and advertising purposes. For example, the usage behaviour and the resultant interests of the user may be used to create usage profiles. The usage profiles can in turn be used for displaying advertisements inside and outside the platforms, which reflect the apparent interests of the users. For these purposes, cookies are generally stored on the computers of the users, which contain the usage behaviour and interests of the users. Additionally, the usage profiles may also contain data that is independent of the devices used by the users (in particular if the users are members of the respective platforms and are logged into these).
The processing of the user’s personal data takes place on the basis of our legitimate interests in providing effective information to users and communicating with users, in accordance with art. 6 section 1 lit. f. GDPR. If the user is requested by the respective providers of the platforms to provide consent to the data processing described above, the legal basis for processing is art. 6 section 1 lit. a., art. 7 GDPR.
For a detailed description of the respective processing and the objection procedures (opt-out), please refer to the linked information from the provider in the following.
Furthermore, if additional information is required or you wish to assert your user rights, please note that this can be most effectively done with the providers. Only the providers have access to the data of the user and are able to implement the corresponding measures directly and provide information accordingly. If you should still require assistance, please feel free to contact us.
– Facebook, -Pages, -Groups, (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the basis of an agreement regarding the common processing of personal data – Privacy statement: https://www.facebook.com/about/privacy/, in particular for pages: https://www.facebook.com/legal/terms/information_about_page_insights_data, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
– Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy statement: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
– LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy statement: https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online presence in accordance with art. 6 section 1 lit. f GDPR), we utilise the content or service offers of third party providers in our online presence, in order to integrate their contents and services, such as videos or fonts (referred to commonly in the following as “contents”).
This always requires that the third party providers of this content know the IP address of the user, because they are unable to send the contents to their browsers without this information. The IP address is therefore necessary for the presentation of this content. We strive to ensure that we use only content providers who use the IP address of the respective user solely for the delivery of the content. Third party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymised information can also be saved in cookies on the user’s device and may contain technical information for example regarding the browser and operating system, referrer websites, the time of visit, as well as further details of the use of our online presence, and may also be connected with such information from other sources.
We use the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy statement: https://www.google.com/policies/privacy/.
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online presence in accordance with art. 6 section 1 lit. f GDPR), we utilise external “Typekit” fonts from the provider Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified in accordance with the Privacy Shield agreement and therefore guarantees to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).