DATA PROTECTION DECLARATION
I. Name and address of the person responsible
The responsible person within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
mydeck GmbH
Falkensteiner Str. 6b
61462 Königstein i. Ts.
Germany
T +49 61 74 / 92 43 30
info@MYDECK.de
www.MYDECK.de
II. General information on data processing
1. Scope of the processing of personal data
In the following we inform you about the collection of personal data when using our website. Personal data is all data that can be related to you personally, such as name, address, e-mail address or user behaviour.
As a matter of principle, we collect and use personal data of our users only to the extent that this is necessary for the provision of a functional website as well as our contents and services. The collection and use of our users’ personal data regularly only takes place with the user’s consent. An exception applies, for example, in cases where it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by legal regulations.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis for the processing of personal data.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) (b) DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) c DSGVO serves as the legal basis.
In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6 (1) (d) DSGVO serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing.
3. Data deletion and storage period
The personal data of the data subject will be deleted or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.
4. Passing on of data to third parties and third-party providers
Data is only passed on to third parties within the framework of legal requirements, i.e. e.g. on the basis of Art. 6 Para. 1 lit. b DSGVO if this is necessary for contractual purposes or on the basis of Art. 6 Para. 1 lit. f DSGVO due to legitimate interests.
If we use third parties to provide our services, we take suitable legal precautions and appropriate technical and organisational measures to protect the personal data. The third parties have been carefully selected and commissioned by us, are bound by our instructions and are regularly monitored.
A transfer of data to third countries in which the GDPR is not directly applicable law only takes place if there is an appropriate level of data protection, user consent or otherwise legal permission.
III. Provision of the website and creation of log files
1. Description and scope of data processing
During the mere informative use of the website, i.e. if you do not register or otherwise transmit information to us, our system automatically collects data and information from the computer system of the calling computer.
The following data is collected:
(1) the IP address of the visitor
(2) the visitor’s login name if http authentication is used
(3) time of the request (server time)
(4) Time zone difference to Greenwich Mean Time (GMT)
(5) The user’s operating system
(6) The user’s Internet service provider
(7) The content of the web page request sent by the visitor’s browser
(8) Websites from which the user’s system accessed our website
(9) The result status code of the request
(10) Content of the web page request sent by the visitor’s browser
(11) File size of the request response
(12) referrer (if one is transmitted by the visitor’s browser)
(13) voluntary information provided by the visitor’s browser, e.g. regarding the browser used, which is usually used, for example, to optimise the presentation of the website.
This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
2. Legal basis for data processing
The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f DSGVO.
3. Purpose of the data processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
These purposes are also our legitimate interest in data processing according to Art. 6 Para. 1 lit. f DSGVO.
4. Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
In the case of storage of data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or alienated, so that an assignment of the calling client is no longer possible.
5. Possibility of objection and removal
The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility for the user to object.
IV. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user calls up a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. Cookies cannot execute programs or transmit viruses to your computer. They are used to make the website as a whole more user-friendly and effective.
We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can be identified even after a page change.
The following data is stored and transmitted in the cookies:
(1) Items in a shopping cart
(2) Log-in information
We also use third-party cookies on our website. These are cookies from partner companies which are placed on our site. These cookies only contain pseudonymous, mostly even anonymous data. For example, this is data about which products you have viewed, whether something was purchased or which products were searched for. Some of our advertising partners also collect information beyond the web pages about which pages you have previously visited or which products you were interested in, for example, in order to be able to show you advertising that best matches your interests. This pseudonymous data is never merged with your personal data.
2. Legal basis for data processing
The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f DSGVO.
The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 para. 1 lit. a DSGVO if the user has consented to this.
The legal basis for the processing of personal data using third-party cookies is Art. 6 para. 1 lit. f DSGVO.
3. Purpose of the data processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.
We require cookies for the following applications:
(1) Shopping cart
The user data collected through technically necessary cookies are not used to create user profiles.
The use of third-party cookies has the sole purpose of enabling our advertising partners to address you with advertising that might actually interest you.
On the websites of Facebook, Instagram, Pinterest and Trusted Shop, you have the opportunity to view further image material from us, to collect it in albums, to rate it or to contact us via the portals.
These purposes are also our legitimate interest in processing the personal data in accordance with Art. 6 (1) lit. f DSGVO.
4. Duration of storage, possibility of objection and removal
Cookies are stored on the user’s computer and transmitted from it to our site. Therefore, you as a user also have full control over the use of cookies. Some cookies are only used temporarily (so-called transient cookies). These are automatically deleted when you close the browser. Some cookies are not only used temporarily (so-called persistent cookies). These are automatically deleted after a predefined period of time, which may differ depending on the cookie. By changing the settings in your internet browser, you can deactivate or restrict the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.
5. Cookiebot
V. Newsletter
1. Description and scope of data processing
On our website and our Facebook page, you can subscribe to a free newsletter with your consent. For the registration to our newsletter, we use the so-called double-opt-in procedure. This means that after your registration, we will send you an e-mail to the e-mail address you provided, in which we ask you to confirm that you wish to receive the newsletter. When you register for the newsletter, the data from the input mask is transmitted to us. Only your e-mail address is required for sending the newsletter. Your name is optional and will be used to address you personally.
For the processing of the data, your consent is obtained during the registration process and reference is made to this data protection declaration.
In addition, the following other data is collected in the course of registration:
The following data is collected in this process:
(1) the IP address of the visitor
(2) the visitor’s login name if http authentication is used
(3) time of the request (server time)
(4) Time zone difference to Greenwich Mean Time (GMT)
(5) The user’s operating system
(6) The user’s Internet service provider
(7) The content of the web page request sent by the visitor’s browser
(8) Websites from which the user’s system accessed our website
(9) The result status code of the request
(10) Content of the web page request sent by the visitor’s browser
(11) File size of the request response
(12) referrer (if one is transmitted by the visitor’s browser)
(13) voluntary information provided by the visitor’s browser, e.g. regarding the browser used, which is usually used, for example, to optimise the presentation of the website.
This data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
We would like to point out that we evaluate your user behaviour when sending the newsletter. For this evaluation, the e-mails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. For the analyses, we link the web beacons with your e-mail address and an individual ID. Links contained in the newsletter also contain this ID. The data is only collected pseudonymously, i.e. the IDs are not linked to your other personal data, a direct personal reference is excluded.
No data is passed on to third parties in connection with the data processing for sending newsletters. The data is used exclusively for sending the newsletter.
1.2 Use of the third-party provider MailChimp
The subscription to the newsletter can be cancelled by the user concerned at any time. For this purpose, a corresponding link can be found in each newsletter.
This website uses the services of MailChimp for sending newsletters. The provider is Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
MailChimp is a service with which, among other things, the sending of newsletters can be organised and analysed. When data is entered for the purpose of receiving newsletters (e.g. email address), it is stored on MailChimp’s servers in the USA. MailChimp has a certification according to the “EU-US Privacy Shield”. The “Privacy Shield” is an agreement between the European Union (EU) and the USA, which is intended to ensure compliance with European data protection standards in the USA. MailChimp offers us the possibility to analyse our newsletter campaigns. When you open an email sent via MailChimp, a file contained in the email (a so-called web beacon) connects to MailChimp’s servers in the USA. This makes it possible to analyse whether a newsletter message has been opened and which links, if any, have been clicked on. In addition, technical information is recorded (e.g. time of retrieval, IP address, browser type and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for the statistical analysis of our newsletter campaigns. By analysing our newsletters, we can better adapt the results to the interests of the recipients and thus optimise them.
To avoid analysis by Mailchimp, the newsletter must be unsubscribed. This can be done via the link attached to each newsletter. It is also possible to unsubscribe by email (info@MYDECK.de).
The data processing is based on consent (Art. 6 para. 1 lit. a DSGVO). This consent can be revoked at any time by unsubscribing from the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.
The data deposited with us for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from our servers as well as from the servers of MailChimp after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. email addresses for the member area) remain unaffected by this.
For more details, please refer to the data protection provisions of MailChimp at: https://mailchimp.com/legal/terms/.
1.3 Conclusion of a data processing agreement
We have concluded a so-called “Data-Processing-Agreement” with MailChimp, in which we oblige MailChimp to protect the data of our customers and not to pass them on to third parties. This agreement can be viewed at the following link: https://mailchimp.com/legal/forms/data-processing-agreement/sample-agreement/.
2. Legal basis for data processing
The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 para. 1 lit. a DSGVO if the user has given his consent. The collection of other personal data within the scope of the registration process as proof of registration is based on Art. 6 para. 1 lit. f DSGVO.
The legal basis for the processing of data in the context of newsletter tracking is Art. 6 para. 1 lit. f DSGVO.
3. Purpose of the data processing
The collection of the user’s e-mail address is used to deliver the newsletter.
The voluntary provision of your name is used to address you personally in the newsletter. Further data transmitted to me during the newsletter registration will be used separately to the newsletter in order to fulfil your requests (preparation of an offer, etc.) This data will not be transmitted to Mailchimp.
The collection of other personal data as part of the registration process serves to prove your registration and, if necessary, to be able to clarify any misuse of the services or the email address used.
Newsletter tracking serves to tailor the newsletter to your individual interests and to make it more user-friendly. These purposes are also our legitimate interest in data processing according to Art. 6 Para. 1 lit. f DSGVO.
4. Duration of storage
If you do not confirm your registration within 24 hours after receiving our confirmation e-mail as part of the double-opt-in procedure for newsletter registration via our website, your information will be blocked and automatically deleted after one month.
If you have registered, the data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. The user’s e-mail address is therefore stored for as long as the subscription to the newsletter is active. The other personal data collected as part of the registration process is then usually deleted after a period of seven days.
The information collected during newsletter tracking is stored for as long as you are subscribed to the newsletter. After unsubscribing, we store the data purely statistically and anonymously.
5. Possibility of objection and removal
The subscription to the newsletter can be cancelled by the user concerned at any time. For this purpose, there is a corresponding link to click on in each newsletter.
This also allows the user to revoke the consent given and to object to the storage of the personal data collected during the registration process.
This also means that you object to newsletter tracking. Such tracking is also not possible if you have deactivated the display of images by default in your e-mail programme. In this case, the newsletter will not be displayed in full and you may not be able to use all the functions. If you display the images manually, the above-mentioned tracking will take place.
VI. Registration
1. Description and scope of data processing
On our website, we offer users the opportunity to register by providing personal data. The data is entered in an input mask and transmitted to us and stored. The data is not passed on to third parties. The following data is collected during the registration process:
(1) Name
(2) Your e-mail address
(3) House address, additional delivery address if applicable
(4) Telephone number
(5) Customer group (end customer/reseller)
(6) A freely selectable password
As part of the registration process, the user’s consent to the processing of the data is obtained.
At the time of registration, the following additional data is also stored:
(1) The IP address of the user
(2) Date and time of registration
To prevent unauthorised access by third parties to your personal data, in particular financial data, the connection is encrypted using TLS technology.
2. Legal basis for data processing
The legal basis for the processing of the data provided by you is Art. 6 (1) lit. a DSGVO if the user has given his consent.
The legal basis for processing the data you have provided in accordance with commercial and tax law requirements is Art. 6 (1) lit. c DSGVO.
If the registration serves the fulfilment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 para. 1 lit. b DSGVO.
The storage of the further collected data is based on legitimate interests according to Art. 6 para. 1 lit. f DSGVO.
3. Purpose of data processing
Registration of the user is necessary for the provision of certain content and services on our website. After registration, the full freight costs can be seen, as these depend on the delivery address, which must be entered in the course of registration.
Registration serves to conclude a contract with the user.
Registration of the user is necessary for the fulfilment of a contract with the user or for the implementation of pre-contractual measures.
The registration in our shop serves to be able to place the order of MYDECK floorboards and to manage the orders in the user account. After login/registration, the full freight costs are visible, as these depend on the delivery address.
The other personal data processed during the registration process serve to prevent misuse of the registration process and to ensure the security of our information technology systems. These purposes also constitute the legitimate interest in data processing according to Art. 6 Para. 1 lit. f DSGVO.
4. Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.
This is the case for the data collected during the registration process when the registration on our website is cancelled or modified.
This is the case for data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures when the data is no longer required for the implementation of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner in order to comply with contractual or legal obligations. We are obliged by commercial and tax law to store your address, payment and order data for a period of 10 years.
5. Possibility of objection and removal
As a user, you have the option to cancel your registration at any time. You can have the data stored about you changed at any time by sending a short e-mail, a telephone call or by post.
If the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.
VII. Contact form and e-mail contact
1. Description and scope of data processing
Our website contains a contact form which can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask is transmitted to us and stored. These data are:
(1) Name (mandatory field)
(2) Your e-mail address (mandatory field)
(3) Postal address (optional)
(4) Telephone (optional)
(5) Customer group (end customer/reseller) (optional)
(6) A message to us (optional)
(7) Information as to how you became aware of us (optional).
For the processing of the data, your consent is obtained during the sending process and reference is made to this privacy policy.
The following data is also stored at the time the message is sent:
(1) The IP address of the user
(2) Date and time of registration
Alternatively, it is possible to contact us via the e-mail address provided. In this case, the user’s personal data transmitted with the e-mail will be stored.
In this context, the data is not passed on to third parties. The data is used exclusively for processing the conversation.
2. Legal basis for data processing
The legal basis for the processing of the data is Art. 6 para. 1 lit. a DSGVO if the user has given his consent.
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f DSGVO. If the contact is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b DSGVO.
The storage of the further collected data is based on legitimate interests according to Art. 6 para. 1 lit. f DSGVO.
3. Purpose of the data processing
The processing of the personal data from the input mask serves us solely to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems. These purposes also constitute the legitimate interest in data processing according to Art. 6 Para. 1 lit. f DSGVO.
4. Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.
The additional personal data collected during the sending process will be deleted at the latest after a period of thirty days.
5. Possibility of objection and removal
The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. Please inform us of the deletion request by e-mail, telephone, fax or post.
All personal data stored in the course of contacting us will be deleted in this case.
VIII. Online Shop
1. Description and scope of data processing
On our website, we offer users the possibility of concluding purchase contracts. If you would like to order in our online store, it is necessary for the conclusion of the contract that you provide your personal data, which we need for the order processing. For this purpose, you can enter your data in an input mask and transmit it to us. Mandatory data required for the processing of contracts are marked separately, other data are voluntary.
We process the data you provide to process your order. For this purpose, we may pass on your data to contracted companies for the processing of payment and delivery.
In the course of the online purchase, the following additional data is also stored:
(1) The IP address of the user
(2) Date and time of purchase
To prevent unauthorized access by third parties to your personal data, especially financial data, the ordering process is encrypted using TLS technology.
2. Legal basis for data processing
The legal basis for the processing of data is Art. 6 para. 1 lit. a DSGVO if the user has given his consent.
In the case of processing of personal data that is necessary for the performance of a contract, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.
A transfer of data to third parties takes place on the basis of Art. 6 para. 1 lit. b DSGVO if this is necessary for contractual purposes or on the basis of Art. 6 para. 1 lit. f DSGVO due to legitimate interests to optimize our online offer.
The legal basis for processing the data you provide in accordance with commercial and tax law requirements is Art. 6 (1) lit. c DSGVO.
The storage of the further collected data is based on legitimate interests according to Art. 6 para. 1 lit. f DSGVO.
3. Purpose of the data processing
The transmission of data is necessary for the fulfillment of a contract with the user or for the implementation of pre-contractual measures.
The design planks are delivered due to your length of up to 6 m by freight forwarding. Depending on the postal code area can be very different costs. For this reason, we need your delivery address to determine the freight costs. After ordering, the planks will be delivered to your construction site. Order confirmation and information about the planks will be sent to you by mail. If you have any questions, we will contact you by mail as well. The forwarding agency will also contact you by e-mail if you wish to receive an advice.
A transfer of data to third parties is necessary for the fulfillment of contractual purposes or is done to optimize our online offer, which is also the legitimate interest in data processing under Article 6 paragraph 1 lit. f DSGVO.
The other personal data processed during the registration process serve to prevent misuse of the registration process and to ensure the security of our information technology systems. These purposes also constitute the legitimate interest in data processing pursuant to Art. 6 (1) f DSGVO.
4. Duration of storage
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. This is the case when the data is no longer required for the performance of the contract. Even after the conclusion of the contract, there may be a need to store personal data of the contractual partner in order to comply with contractual or legal obligations. We are obliged by commercial and tax law to store your address, payment and order data for a period of 10 years.
5. Possibility of objection and removal
The user has the possibility to object to the storage of his personal data at any time. To do so, you can contact us by e-mail or by any other means of contact.
All personal data stored in the context of the conclusion of a contract will be deleted in this case. As the data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not prevent deletion.
If we have passed on data to third parties, we will inform these third parties of your objection. We regularly monitor third parties bound by instructions. We take suitable legal precautions as well as appropriate technical and organisational measures to protect personal data.
6. Hosting by Shopify
We use the shop system of the service provider Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”), for the purpose of hosting and displaying the online shop on the basis of processing on our behalf. All data collected on our website is processed on Shopify’s servers. As part of Shopify’s aforementioned services, data may also be transferred to Shopify Inc, 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc, Shopify Payments (USA) Inc or Shopify (USA) Inc as part of further processing on our behalf. In the event that data is transferred to Shopify Inc. in Canada, the appropriate level of data protection is guaranteed by adequacy decision of the European Commission. Further information on Shopify’s data protection can be found on the following website: https://www.shopify.de/legal/datenschutz.
Further processing on servers other than the aforementioned servers of Shopify only takes place within the framework communicated below.
IX. Use of social media plug-ins
1. Description and scope of data processing
We currently use the following social media plug-ins: Facebook, Instagram, Pinterest.
We use the so-called two-click solution. This means that when you visit our site, no personal data is initially passed on to the providers of the plug-ins. You can recognise the provider of the plug-in by marking the box with its initial letter or logo. We give you the opportunity to communicate directly with the provider of the plug-in via the button. Only if you click on the marked box and thereby activate it, the plug-in provider receives the information that you have called up the corresponding website of our online offer. In addition, the following data is transmitted:
(1) Information about the type of browser and the version used.
(2) The user’s operating system
(3) The user’s Internet service provider
(4) The user’s IP address
(5) Date and time of access.
In the case of Facebook, according to the respective providers in Germany, the IP address is anonymised immediately after collection. By activating the plug-in, your personal data is transmitted to the respective plug-in provider and stored there (in the case of US providers, in the USA). Since the plug-in provider collects the data in particular via cookies, we recommend that you delete all cookies via your browser’s security settings before clicking on the greyed-out box.
We have no influence on the data collected and data processing operations, nor are we aware of the full extent of the data collection.
The data transfer takes place regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the plug-in provider, the data we collect is directly assigned to your account with the plug-in provider. If you click the activated button and, for example, link to the page, the plug-in provider also saves this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this will help you to avoid an assignment to your profile with the plug-in provider.
More about the Instagram plugin
On this website, functions of the service Instagram are integrated. These functions are offered by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. When the social media element is active, a direct connection is established between your end device and the Instagram server. Instagram thereby receives information about your visit to this website.
If you are logged into your Instagram account, you can link the content of this website to your Instagram profile by clicking on the Instagram button. This allows Instagram to associate the visit to this website with your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Instagram. Insofar as consent has been obtained, the use of the above-mentioned service is based on Art. 6 para. 1 lit. a DSGVO and § 25 TTDSG. The consent can be revoked at any time. Insofar as no consent has been obtained, the use of the service is based on our legitimate interest in achieving the greatest possible visibility in social media.
Insofar as personal data is collected on our website with the help of the tool described here and forwarded to Facebook or Instagram, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art. 26 DSGVO). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Facebook or Instagram. The processing by Facebook or Instagram that takes place after the forwarding is not part of the joint responsibility. The obligations incumbent on us jointly have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing the privacy information when using the Facebook or Instagram tool and for the privacy-secure implementation of the tool on our website. Facebook is responsible for the data security of the Facebook or Instagram products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook or Instagram directly with Facebook. If you assert the data subject rights with us, we are obliged to forward them to Facebook.
The data transfer to the USA is based on the standard contractual clauses of the EU Commission.
More about the Pinterest plugin
On this website, we use social plugins from the social network Pinterest, which is operated by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.
When you call up a page that contains such a plugin, your browser establishes a direct connection to the Pinterest servers. The plugin transmits log data to the Pinterest server in the USA. This log data may contain your IP address, the address of the websites visited that also contain Pinterest functions, the type and settings of the browser, the date and time of the request, how you use Pinterest and cookies. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.
Further information on the purpose, scope and further processing and use of the data by Pinterest, as well as your rights in this regard and options for protecting your privacy, can be found in the Pinterest data protection information: https://policy.pinterest.com/de/privacy-policy.
2. Legal basis for data processing
The legal basis for the use of the plug-in is Art. 6 para. 1 lit. f DSGVO.
3. Purpose of the data processing
Via the plug-ins, we offer you the opportunity to interact with the social networks and other users so that we can improve our offer and make it more interesting for you as a user. We do not know the full purpose of the data collection by the plug-in provider. The plug-in provider stores the data collected about you as a usage profile and uses this for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of needs-based advertising and to inform other users of the social network about your activities on our website.
These purposes also constitute the legitimate interest in data processing in accordance with Art. 6 Para. 1 lit. f DSGVO.
4. Duration of storage
We do not know the exact storage periods of the data. We have no information on the deletion of the collected data.
5. Possibility of objection and removal
You have the right to object to the creation of user profiles, whereby you must contact the respective plug-in provider to exercise this right.
Further information on the purpose and scope of the data collection and its processing by the plug-in provider can be found in the data protection declarations of these providers provided below. There you will also receive further information on your rights in this regard and setting options for protecting your privacy:
Facebook Inc: 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
Instagram: Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381. For more information, please see Instagram’s privacy policy: https://instagram.com/about/legal/privacy/.
Google Inc: 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
Pinterest: Users located outside the US should contact Pinterest Europe Ltd. as data controller, an Irish company registered in Dublin at the following address: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. https://policy.pinterest.com/de/privacy-policy, message to data protection officer Pinterest: https://help.pinterest.com/de/data-protection-officer-contact-form
X. Use of Google Tag Manager
1. Description and scope of data processing
We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
The Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create user profiles, does not store cookies and does not perform any independent analyses. It only serves to manage and play out the tools integrated via it. However, the Google Tag Manager records your IP address, which may also be transferred to Google’s parent company in the United States.
2. Legal basis for data processing
The Google Tag Manager is used on the basis of Art. 6 (1) lit. f DSGVO. The website operator has a legitimate interest in a quick and uncomplicated integration and management of various tools on his website. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. The consent can be revoked at any time.
3. Purpose of data processing
Google Tag Manager is a tool that enables us to integrate tracking or statistical tools and other technologies on our website in order to analyse and regularly improve the use of our website.
4. Objection and removal options
- 4.1 IP anonymisation
We have activated the IP anonymisation function on this website. This means that your IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
- 4.2 Browser plugin
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
You can find more information on how Google Analytics handles user data in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.
XI. Use of Google Analytics
Insofar as you have given your consent, this website uses Google Analytics 4, a web analytics service provided by Google LLC. The responsible party for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).
1. description and scope of data processing
Google Analytics uses cookies that enable an analysis of your use of our websites. The information collected by means of the cookies about your use of this website is usually transmitted to a Google server in the USA and stored there.
In Google Analytics 4, the anonymization of IP addresses is activated by default. Due to IP anonymization, your IP address will be truncated by Google within Member States of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
During your website visit, your user behavior is recorded in the form of “events”. Events can be:
– Page views
– First visit to the website
– Start of session
– Your “click path”, interaction with the website
– Scrolls (whenever a user scrolls to the bottom of the page (90%))
– clicks on external links
– internal search queries
– interaction with videos
– file downloads
– seen / clicked ads
– language settings
Also recorded:
– Your approximate location (region)
– Your IP address (in shortened form)
– technical information about your browser and the terminal devices you use (e.g. language setting, screen resolution)
– your internet service provider
– the referrer URL (via which website/advertising medium you came to this website)
Purposes of the processing
On behalf of the operator of this website, Google will use this information for the purpose of evaluating your [pseudonymous] use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website].
Recipients
Recipients of the data are/may be
– Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor according to Art. 28 DSGVO).
– Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
– Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
It cannot be ruled out that US authorities may access the data stored by Google.
Third country transfer
Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA and access by US authorities to the data stored by Google cannot be ruled out. The USA is currently considered a third country from a data protection perspective. You do not have the same rights there as within the EU/EEA. You may not be entitled to any legal remedies against access by authorities.
2. legal basis for the data processing
The legal basis for this data processing is your consent pursuant to Art.6 para.1 p.1 lit.a DSGVO.
3. purpose of data processing
We use Google Analytics to analyze and regularly improve the use of our website. The statistics obtained allow us to improve our offer and make it more interesting for you as a user.
4. possibility of objection and removal
You can revoke your consent at any time with effect for the future by calling up the Change your consent cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected. You can also prevent the storage of cookies from the outset by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may result in a restriction of functionalities on this and other websites. In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google bya. not giving your consent to the setting of the cookie or
b. downloading and installing the browser add-on to disable Google Analytics HERE. For more information on Google Analytics’ terms of use and Google’s privacy policy, please visit https://marketingplatform.google.com/about/analytics/terms/de/ or https://policies.google.com/?hl=de.
XII. Use of Google Ads / Google Ads Remarketing / Google Conversion Tracking
XII.I Google Ads
1. Description and scope of data processing
The website operator uses Google Ads. Google Ads is an online advertising programme of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads enables us to display advertisements in the Google search engine or on third-party websites when the user enters certain search terms on Google (keyword targeting). Furthermore, targeted advertisements can be played on the basis of the user data available at Google (e.g. location data and interests) (target group targeting). As the website operator, we can evaluate this data quantitatively by analysing, for example, which search terms have led to the display of our advertisements and how many advertisements have led to corresponding clicks.
2. Legal basis for data processing
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG. The consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/.
3. Purpose of data processing
We use Google Ads in order to be able to optimally advertise our products on the Internet.
4. Possibility of objection and removal
Consent can be revoked at any time. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/.
XII.II Google Ads Remarketing
1. Description and scope of data processing
This website uses the functions of Google Ads Remarketing. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
With Google Ads Remarketing, we can assign persons who interact with our online offer to specific target groups in order to subsequently display interest-based advertising to them in the Google advertising network (remarketing or retargeting).
Furthermore, the advertising target groups created with Google Ads Remarketing can be linked to Google’s cross-device functions. In this way, interest-based, personalised advertising messages that have been adapted to you depending on your previous usage and surfing behaviour on one end device (e.g. mobile phone) can also be displayed on another of your end devices (e.g. tablet or PC).
If you have a Google account, you can object to personalised advertising at the following link: https://www.google.com/settings/ads/onweb/.
2. Legal basis for data processing
The use of this service is based on your consent according to Art. 6 para. 1 lit. a DSGVO and § 25 para. 1 TTDSG. The consent can be revoked at any time.
3. Purpose of the data processing
We use Google Ads Remarketing to present our products optimally to suitable interest groups on the Internet.
4. Possibility of objection and removal
Further information and the data protection regulations can be found in Google’s data protection declaration at: https://policies.google.com/technologies/ads?hl=de.
If you have a Google account, you can object to personalised advertising using the following link: https://www.google.com/settings/ads/onweb/.
XII.III Google Conversion Tracking
1. description and scope of data processing
This website uses Google Conversion Tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Conversion Tracking enables Google and us to recognize whether the user has performed certain actions. For example, we can evaluate which buttons on our website were clicked on and how often, and which products were viewed or purchased particularly frequently. This information is used to create conversion statistics. We learn the total number of users who have clicked on our ads and what actions they have taken. We do not receive any information with which we can personally identify the user. Google itself uses cookies or comparable recognition technologies for identification.
2 Legal basis for data processing
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a DSGVO and § 25 Abs. 1 TTDSG. Consent can be revoked at any time.
3 Purpose of the data processing
We use Google Conversion Tracking to analyze which products are of interest and to subsequently optimize the processes on the website.
4. possibility of objection and deletion
Further information on Google Conversion Tracking can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=de.
XIII. Adobe Type Kit / Google Fonts
Our website uses so-called web fonts from Adobe Typekit for the uniform display of certain fonts.
The provider is Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe). When you call up our pages, your browser loads the required fonts directly from Adobe in order to be able to display them correctly on your end device. In doing so, your browser establishes a connection to Adobe’s servers in the USA. This enables Adobe to know that our website has been accessed via your IP address. According to Adobe, no cookies are stored when providing the fonts. Adobe has been certified in accordance with the EU-US Privacy Shield. The Privacy Shield is an agreement between the United States of America and the European Union that is intended to ensure compliance with European data protection standards. More information can be found at: https://www.adobe.com/de/privacy/eudatatransfers.html. The use of Adobe Typekit Web Fonts is necessary to ensure a consistent typeface on our website. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO. You can find more information about Adobe Typekit Web Fonts at: https://www.adobe.com/de/privacy/policies/typekit.html. The Adobe data protection declaration can be found at: https://www.adobe.com/de/privacy/policy.html.
The shop area uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.
For this purpose, the browser you are using must connect to Google’s servers. This informs Google that our website has been accessed via your IP address. Google Web Fonts are used in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f DSGVO.
If your browser does not support web fonts, a standard font from your computer will be used.
Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google’s privacy policy: https://www.google.com/policies/privacy/.
XIV. Microsoft Advertising
The website operator uses Microsoft Advertising. Microsoft Advertising is an online advertising program of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
Microsoft Advertising enables us to display advertisements in the Bing search engine or on third-party websites when the user enters certain search terms in Bing (keyword targeting). Furthermore, targeted advertisements can be displayed based on the user data available at Microsoft (e.g. location data and interests) (target group targeting). As the website operator, we can evaluate this data quantitatively by analyzing, for example, which search terms led to the display of our advertisements and how many advertisements led to corresponding clicks.
We use universal event tracking (UET) from Microsoft Advertising on this site. Pseudonymized data is collected to track the actions you take on our websites after you have clicked on a Microsoft Advertising ad. UET collects your IP address (anonymized), device identifiers, information about device and browser settings, Microsoft Click ID (stored in cookie), time spent on the website, which areas of the website were accessed, which ad brought you to the website and which keyword you clicked on.
The use of this service is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses.
The company is certified in accordance with the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/6474.
Order processing
We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
XV. Meta Pixel (Facebook Pixel)
We use the “Facebook Pixel” of the social network Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA within our website. So-called tracking pixels are integrated on our pages. When you visit our pages, the tracking pixel establishes a direct connection between your browser and the Facebook server.
Facebook thereby receives, among other things, the information from your browser that our page has been accessed from your end device. If you are a Facebook user, Facebook can assign your visit to our pages to your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or its use by Facebook. We can only select which segments of Facebook users (such as age, interests) should be shown our advertising.
By calling up the pixel from your browser, Facebook can also see whether a Facebook ad was successful, e.g. led to an online purchase. This enables us to record the effectiveness of the Facebook ads for statistical and market research purposes.
In doing so, we use a method of working in which no data records, in particular no email addresses of our users – either encrypted or unencrypted – are transmitted to Facebook. For more information, please see Facebook’s privacy policy at https://www.facebook.com/about/privacy/ . Please click here if you do not wish any data to be collected via the Facebook Pixel: https://www.facebook.com/settings?tab=ads#_=_. Alternatively, you can deactivate the Facebook Pixel on the page of the Digital Advertising Alliance under the following link: http://www.aboutads.info/choices/.
XVI. Mashshare & Co
The content on our pages can be shared in social networks such as Facebook, Twitter or Google+ in a data protection compliant manner. This site uses the plugin Mashshare for this purpose. This tool only establishes direct contact between the networks and users only when the user actively clicks on one of these buttons. This tool does not automatically transfer user data to the operators of these platforms. If the user is registered with one of the social networks, an information window appears when using the social buttons of Facebook, Google+1, Twitter & Co. in which the user can confirm the text before sending it. Our users can share the contents of this page in social networks in a data protection-compliant manner without complete surfing profiles being created by the operators of the networks.
XVII. Integration of the Trusted Shop trust badge / other widgets
Trusted Shops widgets are integrated on this website to display Trusted Shops services (e.g. seal of approval, collected ratings) and to offer Trusted Shops products to buyers after they have placed an order.
This serves to protect our legitimate interests in optimal marketing by enabling secure shopping, which prevail in the context of a balancing of interests pursuant to Art. 6 para. 1 p. 1 lit. f DSGVO. The Trustbadge and the services advertised with it are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany, with whom we are jointly responsible for data protection pursuant to Art. 26 DSGVO. Within the scope of this data protection notice, we inform you in the following about the essential contractual contents according to Art. 26 (2) DSGVO.
The trust badge is provided as part of a joint responsibility by a US CDN provider (content delivery network). An appropriate level of data protection is ensured by standard data protection clauses and other contractual measures. Further information on the data protection of Trusted Shops GmbH can be found in their privacy policy.
When you call up the Trustbadge, the web server automatically saves a so-called server log file, which also contains your IP address, the date and time of the call, the amount of data transferred and the requesting provider (access data) and documents the call. The IP address is anonymized immediately after collection so that the stored data cannot be assigned to you personally. The anonymized data is used in particular for statistical purposes and for error analysis.
After order completion, your email address, which is hashed by cryptological one-way function, is transmitted to Trusted Shops GmbH. The legal basis is Art. 6 para. 1 p. 1 lit. f DSGVO. This serves to check whether you are already registered for services with Trusted Shops GmbH and is therefore necessary for the fulfillment of our and Trusted Shops’ overriding legitimate interests in the provision of the buyer protection linked to the specific order in each case and the transactional evaluation services pursuant to Art. 6 para. 1 p. 1 lit. f DSGVO. If this is the case, further processing will be carried out in accordance with the contractual agreement between you and Trusted Shops. If you have not yet registered for the services, you will be given the opportunity to do so for the first time. Further processing after registration also depends on the contractual agreement with Trusted Shops GmbH. If you do not register, all transmitted data will be automatically deleted by Trusted Shops GmbH and a personal reference is then no longer possible.
Within the framework of the joint responsibility existing between us and Trusted Shops GmbH, please prefer to contact Trusted Shops GmbH with data protection questions and to assert your rights using the contact options provided in the data protection information linked above. Irrespective of this, however, you can always contact the responsible person of your choice. Your inquiry will then, if necessary, be forwarded to the other responsible party for a response.
XVIII. You Tube Videos
This site uses the provider YouTube LLC , 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for the integration of videos. Normally, when you call up a page with embedded videos, your IP address is already sent to YouTube and cookies are installed on your computer. However, we have embedded our YouTube videos with the extended data protection mode (in this case, YouTube still contacts Google’s Double Klick service, but according to Google’s privacy policy, personal data is not evaluated). This means that YouTube no longer stores any information about visitors unless they watch the video. If you click on the video, your IP address is transmitted to YouTube and YouTube learns that you have watched the video. If you are logged in to YouTube, this information is also assigned to your user account (you can prevent this by logging out of YouTube before viewing the video).
We have no knowledge of and no influence on the possible collection and use of your data by YouTube. You can find more information in YouTube’s privacy policy at www.google.de/intl/de/policies/privacy/. In addition, we refer to our general presentation in this data protection declaration for the general handling and deactivation of cookies.
XIX. Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:
1. Right of access
You may request confirmation from the controller as to whether personal data concerning you is being processed by us.
If there is such processing, you may request information from the controller about the following:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the envisaged duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of a right to obtain the rectification or erasure of personal data concerning you, a right to obtain the restriction of processing by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information on the origin of the data, if the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
You have the right to request information on whether personal data concerning you are transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.
2. Right of rectification
You have a right to rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller must make the rectification without undue delay.
3. Right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions:
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you object to the erasure of the personal data and request instead the restriction of the use of the personal data;
(3) the controller no longer needs the personal data for the purposes of the processing but you need it for the establishment, exercise or defence of legal claims; or
(4) if you have objected to the processing pursuant to Article 21(1) DSGVO and it is not yet clear whether the controller’s legitimate grounds override your grounds.
Where the processing of personal data relating to you has been restricted, such data may – apart from being stored – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to delete
You may request the controller to erase the personal data concerning you without undue delay and the controller is obliged to erase such data without undue delay if one of the following reasons applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) DSGVO and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) The personal data concerning you have been processed unlawfully.
(5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
(6) The personal data concerning you has been collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.
b) Information to third parties
If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers that process the personal data that you, as the data subject, have requested them to erase all links to, or copies or replications of, that personal data.
c) Exceptions
The right to erasure does not apply insofar as the processing is necessary to.
(1) for the exercise of the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in section (a) is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
(5) to assert, exercise or defend legal claims.
5. Right to information
If you have exercised the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of these recipients by the controller.
6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that.
(1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a DSGVO or Art. 9 para. 2 lit. a DSGVO or on a contract pursuant to Art. 6 para. 1 lit. b DSGVO and
(2) the processing is carried out with the aid of automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. Data protection is a top priority at Berliner Platz.
The controller will no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
If the personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
8. Right to revoke the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller
(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) with your express consent.
However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests.
With regard to the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
