Basic information on data processing and the legal principles
- This data protection declaration provides information on the type, scope and purpose of processing personal data within our online range of services and the websites associated with it, functions and content (hereinafter jointly referred to as “online range” or “website”). This data protection declaration applies independently of the domains, systems, platforms and devices used (e.g. desktop or mobile) to call up the online range.
- The terms used such as “personal data” or its “processing” refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
- The user’s personal data processed as part of this online range include inventory data (e.g. customer’s name and address), contract data (e.g. services used, name of administrators, payment information), usage data (e.g. websites from our online range visited, interest in our products) and content data (e.g. entries in the contact form).
- The term “user” covers all categories of people affected by data processing. They include our business partners, customers, potential customers and other visitors to our online range. The terms used, such as “users”, are to be understood as gender neutral.
- We process users’ personal data only in compliance with the key data protection provisions. This means that users’ data is only processed if there is statutory permission to do so. This means in particular that if the data processing is required to provide our contractual services (e.g. process orders) and online services or is required by law, users have provided consent or if we have a justified interest (i.e. interest in the analysis, optimisation, economic operation and security of our online range as defined by Art. 6 Para. 1 lit. f GDPR, in particular to measure the reach, create profiles for advertising and marketing purposes, collect access data and use the services of third-party suppliers.
- We point out that the legal basis for consents is Art. 6 Para.1 lit. a and Art. 7 GDPR, the legal basis for processing to fulfil our services and implement contractual measures is Art. 6 Para.1 lit. b GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 Para.1 lit. c GDPR and the legal basis for processing to maintain our justified interests is Art. 6 Para.1 lit. f GDPR.
- We undertake up-to-date organisational, contractual and technical security measures to ensure that the regulations of the data protection laws are complied with and to thus protect the data that we process from random or deliberate manipulation, loss, destruction or access by unauthorised persons.
- The security measures include in particular the encrypted transfer of data between your browser and our server.
Transfer of data to third parties and third party suppliers
- A transfer of data to third parties only takes place within the framework of the statutory requirements. We only pass on users’ data if this is required e.g. on the basis of Art. 6 Para.1 lit. b GDPR for contractual purposes or based on justified interests pursuant to Art. 6 Para.1 lit. f GDPR for the economic and effective operation of our business.
- If we use sub-contractors to provide our services, we undertake suitable legal precautions and appropriate technical and organisational measures to protect personal data pursuant to the key statutory regulations.
- If, within the framework of the content in this data protection declaration, tools or other resources of other suppliers are used (hereinafter jointly referred to as “third party suppliers”) and their stipulated head office is in a third country, it can be assumed that data transfer takes place to the country of the third party supplier’s head office. Third party countries are understood as countries where GDPR is not directly applicable law, i.e. countries outside the EU and European Economic Area. The transfer of data to third countries takes place either if there is an appropriate level of data protection, users’ consent or other statutory permission.
Provision of contractual services
- We process inventory data (e.g. users’ name, address and contact data), contract data (e.g. services used, name of contacts, payment information) for the purposes of fulfilling our contractual obligations and services pursuant to Art. 6 Para. 1 lit. b GDPR.
- For advertising purposes, we process usage data (such as the websites of our online range visited, interest in our products) and content data (e.g. entries in the contact form or user profile) in a user profile to show users e.g. product information starting from the services used to date.
- When making contact with us (using the contact form or email), the user’s information are processed to handle the contact request pursuant to Art. 6 Para. 1 lit. b) GDPR.
Comments and contributions
- If users leave comments or other contributions, their IP address is saved based on our justified interests as defined by Art. 6 Para. 1 lit. f. GDPR for 7 days.
- 6.2. This is done for our security in case somebody leaves illegal content or contributions (insults, banned political propaganda etc.). In these cases, we can be sued for the comment or contribution and are therefore interested in the author’s identity.
Collection of access data and log files
- Based on our justified interests as defined by Art. 6 Para. 1 lit. f. GDPR, we collect data on each access to the server on which this service is located (so-called server log files). The access data includes the name of the called up website, file, date and time of call-up, transferred data volume, notification of successful call-up, browser type and version, user’s operating system, referrer URL (the previously visited page), IP addresses and requesting provider.
- Log file information is stored for security reasons (e.g. to clarify abuse or fraud) for a maximum of seven days and then erased. Data that must continue to be stored for evidence purposes is excluded from erasure until the final clarification of the relevant event. You can view the 1&1 data protection provisions here:
Cookies and reach measurement
- Cookies are information transferred from our web server or that of third parties to the user’s web browser and stored there for calling up later. Cookies may be small files or other types of information storage.
- We use “session cookies” that are only stored for the duration of the current visit to our online range (e.g. to store your log in status or shopping basket function and thus permit the use of our online range). A randomly generated unique identification number is stored in a session cookie; this is called a session-ID. A cookie also states its origin and storage period. These cookies cannot store any other data. Session cookies are deleted when the use of our online range has ended and the user logs off or closes the browser.
- If the user does not want cookies to be saved on their computer, they can deactivate the relevant option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies may result in functional restrictions to this online range.
- Google is also certified under the Privacy Shield agreement and therefore offers a safeguard that European data protection law is complied with (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- At our request, Google will use this information to analyse users’ use of the online range, create reports on the activities within the online range and provide other services associated with use of this online range and internet use. Pseudonym usage profiles can be created from users’ processed data.
- We use Google Analytics to show adverts from Google web services and its partners only to those users who have shown an interest in our online range or certain characteristics (e.g. interest in particular themes or products that were determined using the websites visited) that we transfer to Google (so-called “Remarketing” or “Google Analytics Audiences”). With the aid of remarketing audiences, we want to ensure that our adverts meet the potential interests of the users and which are non-invasive.
- We only use Google Analytics with activated IP anonymisation. This means that Google will first shorten your IP address within European Union Member States or in other signatory states of the Agreement on the European Economic Area. Only in exceptional cases, is the full IP address transferred to a Google server in the USA and abbreviated there.
- The IP address provided from the user’s browser is not combined with other Google data. The user can prevent the storage of the cookies by using an appropriate setting in their browser software; users can also prevent the storage of the data generated by the cookie and related to the use of the online range to Google as well as the processing of the data by Google by downloading and installing the browser plug-in available on the following link: http://tools.google.com/dlpage/gaoptout.
- Additional information on data usage by Google, settings and objection options are found on the Google website: https://www.google.com/intl/de/policies/privacy/partners(“data usage by Google when using our partners’ websites or apps”), http://www.google.com/policies/technologies/ads(“data usage for advertising purposes”), http://www.google.de/settings/ads(“manage information that Google uses to show adverts”).
Google re/marketing services
- Based on our justified interests (i.e. interests in analysing, optimising and economically operating our online range as defined by Art. 6 Para 1 lit. f. GDPR), we use the marketing and remarketing services (summarised as “Google marketing services”) of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
- Google is also certified under the Privacy Shield agreement and therefore offers a safeguard that European data protection law is complied with (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active)).
- The Google marketing services enable us to show adverts for and targeted to our website in order to only present to users adverts that potentially match their interests. If a user e.g. is shown adverts for products for which they are interested on other websites, this is called “remarketing”. For this purpose, when calling up our and other adverts on which Google marketing services are active, Google executes a code and so-called (re)marketing tags (also called invisible graphics or codes and web beacons) are integrated into the website. This is used to store an individual cookie, i.e. a small file, on the user’s device (comparable technologies may be used instead of cookies). The cookies can be set by various domains including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com and googleadservices.com. This file records which websites the users visit, which content they are interested in, which offers they have clicked; it also stores technical information on the browser and operating systems, referring websites, visit time and other information on using the online range. It also stores the user’s IP address and, as part of Google Analytics, the IP address is shortened within the member states of the European Union or the signatory states of the Agreement on the European Economic Area and only in exceptional circumstances is it transferred in full to Google servers in the USA and shortened there. The IP address is not merged with the user’s data from other Google offers. The information stated above may be linked by Google to such information from other sources. If the user then visits other websites the adverts can be matched according to their interests.
- The user’s data is processed in Google marketing services using pseudonyms. This means that Google does not store or process e.g. the name or email address of users, but rather processes the relevant data for each cookie within pseudonym user profiles. This means that from Google’s perspective, the adverts are not managed and displayed for a specifically identified person but rather to the cookie owner, no matter who this owner is. This does not apply if a user explicitly allows Google to process the data without this pseudonymisation. The information collected about the users by Google marketing services is transferred to Google and stored on Google’s servers in the USA.
- The Google marketing services that we use include the “Google AdWords” online advertising program. In the case of Google AdWords, each AdWords customer receives a different “conversion cookie”. Cookies can therefore not be tracked via the websites of AdWords customers. The information obtained with the aid of the cookie is used to create conversion statistics for AdWords customers who have chosen conversion tracking. The AdWords customers discover the total number of users who have clicked on their advert and are forwarded to the page that was given a conversion tracking tag. However, they contain no information that could enable the user to be identified in person.
- We can also use the “Google Optimizer” service. Within the framework of so-called “A/B testing”, Google Optimizer allows us to track how various changes to a website have an effect (e.g. changes to entry fields, the design etc.). Cookies are stored on users’ devices for these test purposes. Only pseudonym data is used.
- We may also use the “Google Tag Manager” to integrate and manage Google analysis and marketing services in our website.
- You can find more information on use of the data for marketing purposes by Google on the overview page: https://www.google.com/policies/technologies/ads; the Google data protection declaration can be called up from https://www.google.com/policies/privacy.
- If you wish to object to interest-related advertising by Google marketing services, you can use the setting and opt-out options provided by Google: http://www.google.com/ads/preferences.
Facebook Social Plug-ins
- Based on our justified interests (i.e. interest in the analysis, optimisation and economic operation of our online range as defined by Art. 6 Para. 1 lit. f. GDPR), we use social plug-ins (“plug-ins”) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plug-ins depict interaction elements or content (e.g. videos, graphics or text blocks) and are recognisable from the Facebook logo (white “f” on a blue tile, the terms “Like”, “Gefällt mir” or a “thumbs up” icon) or are marked with the “Facebook Social Plug-in” supplement. The list and appearance of Facebook social plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/.
- Facebook is certified under the Privacy Shield agreement and therefore offers a safeguard that European data protection law is complied with (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
- If a user calls up a function from this online range that contains such a plug-in, their browser makes a direct connection with the Facebook servers. The content of the plug-in is transferred by Facebook directly to the user’s device and is integrated into the online range. Usage profiles of the users can be created from the processed data. We therefore have no influence on the scope of the data that Facebook collects using this plug-in and consequently inform the user according to our level of knowledge.
- As a result of the plug-in integration, Facebook receives notification that the user has opened up the relevant page on the online range. If the user is logged into Facebook, Facebook can assign the visit to their Facebook account. If the user interacts with the plug-in, e.g. presses the “Like” button or makes a comment, the relevant information is transferred directly from their browser to Facebook and is saved there. If a user is not a member of Facebook, there is still a chance that Facebook will discover and store their IP address. According to Facebook, only anonymous IP addresses are stored in Germany.
- The purpose and scope of the data collection, the ongoing processing and use of the data by Facebook as well as their rights and setting options related to this to protect their private sphere are shown in the Facebook data protection information: https://www.facebook.com/about/privacy/.
- If a user is a member of Facebook and does not want Facebook to collect data on this online range and link this with their member data saved on Facebook, they must log out of Facebook before visiting the website and delete the cookies. Other settings and objections are possible for advertising purposes within the Facebook profile settings: https://www.facebook.com/settings?tab=adsor the US site http://www.aboutads.info/choices/or the EU site http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are transferred for all devices such as desktop computers and mobile devices.
Integration of services and the content of third parties
- Based on our justified interests (i.e. interest in the analysis, optimisation and economic operation of our online range as defined by Art. 6 Para. 1 lit.f GDPR) we use on our online range content and service offers from third party suppliers to integrate their content and services, e.g. videos or fonts (hereinafter referred to jointly as “content”). This always requires that third party suppliers of this content see users’ IP addresses as without the IP address they could not send the content to their browsers. The IP address is therefore required to depict this content. We make every effort to use only such content for which the relevant supplier simply uses the IP address to deliver the content. Third party suppliers may also use so-called pixel tags (invisible graphics, also called “web beacons”) for statistical or marketing purposes. The “pixel tags” are used to analyse information such as visitor traffic on the pages of this website. The pseudonym information can also be stored in cookies on the user’s device and includes technical information on the browser and operating systems, referring websites, visit time and other information on the use of our online range as well as such information from other sources.
- The following description offers an overview of third party suppliers and their content, as well as links on their data protection declarations, other information on processing data and sometimes objection options already stated here (so-called opt-outs):
- If our customers use the payment services of third parties (e.g. PayPal or immediate transfers), the business terms and data protection information of the relevant third-party supplier apply and these can be called up within the relevant website or transaction applications.
- External fonts from Google, Inc., https://www.google.com/fonts(“Google Fonts”). The integration of Google fonts is undertaken by calling up a Google server (usually in the USA). Data protection declaration: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- Maps for the “Google Maps” services are provided by the third-party supplier Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- Videos for the “YouTube” platform are provided by the third-party supplier Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- Our online range integrates the functions of the Google+ service. – These functions are offered by the third-party supplier Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you are logged into your Google+ account, you can link the content of our site with your Google+ profile by clicking the Google+ button. This enables Google to assign your visit to our site to your user account. As the provider of the site, we point out that we have no knowledge of the content of the transferred data and its use by Google+. Data protection declaration: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- Our online range integrates the functions of the Instagram service. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can link the content of our site with your Instagram profile by clicking the Instagram button. This enables Instagram to assign your visit to our site to your user account. As the provider of the site, we point out that we have no knowledge of the content of the transferred data and its use by Instagram. Data protection declaration: http://instagram.com/about/legal/privacy/.
- Our online range uses functions of the LinkedIn network. The supplier is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. When calling up one of our pages containing LinkedIn functions, a link is made to the LinkedIn servers. LinkedIn is informed that you have visited our website and your IP address. If you click the LinkedIn “Recommend button” and are logged into your LinkedIn account, it is possible for LinkedIn to assign your visit to our website to you and your user account. As the provider of the site, we point out that we have no knowledge of the content of the transferred data and its use by LinkedIn. Data protection declaration: https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- We use the social plug-in from the social network Pinterest, which is operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA (“Pinterest”). If you call up a page that contains such a plug-in, your browser creates a direct connection to the Pinterest servers. The plug-in transfers log data to the Pinterest server in the USA. This log data may contain your IP address, the address of the websites visited that also contain Pinterest, type and settings of the browser, date and time of the request, your use of Pinterest and cookies. Data protection declaration: https://about.pinterest.com/de/privacy-policy.
- Our online range integrates the functions of the Twitter service. These functions are offered Twitter Inc., 1355 Folsom St., Suite 900, San Francisco, CA 94103, USA. By using Twitter and the “retweet” function, the websites that you visited are linked with your Twitter account and notified to other users. The data is transferred to Twitter. As the provider of the site, we point out that we have no knowledge of the content of the transferred data and its use by Twitter. Twitter data protection declaration http://twitter.com/privacy. You can modify your data protection settings at Twitter in the account settings at http://twitter.com/account/settings.
- We use the social plug-in for the social network Tumblr, which is operated by Tumblr Inc. located at 35 East 21st Street, 10E, New York, NY 10010, USA (“Tumblr ”). If you call up a page that contains such a plug-in, your browser creates a direct connection to the Tumblr servers. The plug-in transfers log data to the Tumblr servers in the USA. This log data may contain your IP address, the address of the websites visited that also contain Tumblr, type and settings of the browser, date and time of the request, your use of Tumblr and cookies. Data protection declaration: https://www.tumblr.com/policy/en/privacy.
- We use the functions of the XING network. The supplier is XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany. When calling up one of our pages containing Xing functions, a link is made to the Xing servers. To the best of our knowledge, no personal data is stored. In particular, no IP address is stored nor is the usage behaviour analysed. Data protection declaration: https://www.xing.com/app/share?op=data_protection.
Rights of users
- Users have the right to receive information without charge on request about the personal data we have saved.
- In addition, users have the right to rectify incorrect data, restrict the processing and erase their personal data if applicable, assert their rights to data portability and, in the event of the assumption of unlawful data processing, submit a complaint to the responsible supervisory authority. Users can also revoke consents, but only with future effect: https://www.uslovewiesbaden.com/general-data-protection-regulation-gdpr-information-request/
- The data we have stored is erased as soon as it is no longer required for the determined purpose and its erasure is not objected to by statutory storage obligations. If the users’ data is not erased because it is required for other statutorily permissible purposes, its processing is restricted. This means that the data is blocked and not processed for other purposes. This applies e.g. to users’ data that must be stored for commercial or tax law purposes.
- According to the statutory requirements, storage is made for 6 years pursuant to Section 257 Para. 1 of the German Commercial Code (HGB) (trading books, inventories, opening balances, annual accounts, trading letters, posting documents etc.) and for 10 years pursuant to Section 147 Para. 1 of the German Tax Code (books, records, management reports, posting documents, trading and business letters, documents relating to taxation etc.). https://www.uslovewiesbaden.com/general-data-protection-regulation-gdpr-information-request/
Right of objection
- Pursuant to the statutory requirements, users can revoke the future processing of their personal data. The revocation can in particular take place with regard to processing for the purposes of direct advertising.
Amendments to the data protection declaration
- We reserve the right to modify the data protection declaration to adapt it to modified legal requirements or for changes to the service and data processing. This applies, however, only to declarations on data processing. If user consents are required or components of the data protection declaration contain provisions on the contractual relationship with the users, the changes are only made with the consent of the user.
- The users are requested to obtain information regularly on the content of the data protection declaration.