Privacy policy
This privacy policy provides you with clarification about the nature, extent and purpose of the processing of personal data (hereinafter ‘Data’ in short) within our online offer and associated websites, functions and content as well as external online presences such as our social media profile (hereinafter referred to together as ‘Online Offer’). We refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR) with regard to terminology used such as ‘processing’ or ‘Controller’.
Processing special categories of data (Article 9 (1) GDPR): No special categories of data are processed.
Categories of data subjects: Customers, potential customers, visitors and users of the online offer, business partners.
Purpose of processing:
– Provision of the online offer and its content.
– Provision of performance, services and customer care.
– Responding to contact enquiries and communication with users.
– Marketing, advertising and market research.
– Security measures.
Release: November 2018.
- Terminology used
1.1. 'Personal data' is all information referring to an identified or identifiable natural person (hereinafter 'Data Subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The definition goes further and covers practically any handling of data.
1.3. 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Applicable legal bases
In accordance with Article 13 GDPR, we inform you of the legal bases of our data processing. Where the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6 (1, a) and Article 7 GDPR, the legal basis for processing to perform our services and undertake contractual measures, as well as respond to enquiries is Article 6 (1, b) GDPR, the legal basis for processing to comply with our legal obligations is Article 6 (1, c) GDPR, and the legal basis for processing to safeguard our legitimate interests is Article 6 (1, f) GDPR. In the event of vital interests of the data subject or another natural person requiring personal data to be processed, Article 6 (1, d) GDPR forms the legal basis.
- Amending and updating the privacy policy
Please familiarise yourself with the content of our privacy policy on a regular basis. We adapt the privacy policy as soon as changes to data processing performed by us make this necessary. We will inform you as soon as cooperation on your part (e.g. consent) or other individual notification becomes necessary due to the changes.
- Security measures
4.1. In accordance with Article 32 GDPR and in consideration of the latest available technology, the scope, circumstances and purpose of processing, as well as the various likelihoods and severity of risk for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures for safeguarding a level of protection appropriate to the risk. Measures include in particular the safeguarding of the confidentiality, integrity and availability of data by controlling physical access to the data as well as its access, input, disclosure, the securing of its availability, and its separation. We have also set up procedures for guaranteeing the assertion of rights by data subjects, deletion of data and reaction to data being jeopardised. In addition, we already consider the protection of personal data when designing or, as may apply, selecting hardware and software as well as procedures in accordance with the principle of data protection by design and default (Article 25 GDPR).
4.2. In particular, security measures include the encrypted transfer of data between your browser and our server.
- Disclosure and transfer of data
5.1. Where we disclose data to other persons and enterprises (processors or third parties) when processing, transmit it to them, or otherwise grant them access to the data, this only occurs based on legal permission (e.g. if sending the data to third parties, such as payment service providers, in accordance with Article 6 (1, b) GDPR is required for performing a contract), if you have consented, if a legal obligation provides for it, or based on our legitimate interests (e.g. when using agents, hosting providers, tax and business consultants, and customer care, bookkeeping, invoicing and similar services allowing the efficient and effective performance of our contractual duties, administrative tasks and duties).
5.2. Where we commission third parties with the processing of data based on a 'processing agreement', we do so based on Article 28 GDPR.
- Transmission in third countries
Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or this happens when using third-party services or disclosing/transmitting data to third parties, this only occurs if undertaken for complying with our (pre-)contractual duties, based on your consent, due to a statutory obligation, or based on our legitimate interests. Subject to legal or contractual permission, we only process or arrange for processing of data in a third country where the specific requirements of Articles 44 et seq. GDPR are in place. In other words, processing occurs, for example, based on particular guarantees such as the officially recognised determination of a data protection level appropriate to the EU (e.g. for the USA by means of the 'Privacy Shield') or compliance with specific recognised contractual obligations (so-called 'standard contractual clauses').
- Rights of data subjects
7.1. You have the right to ask for confirmation as to whether your data is being processed and for access to this data, as well as further information and a copy of the data in accordance with Article 15 GDPR.
7.2. In accordance with Article 16 GDPR, you have the right to demand completion of data concerning you or the rectification of incorrect data concerning you.
7.3. In accordance with Article 17 GDPR, you have the right to demand that the data in question is erased without undue delay or, as may apply, alternatively in accordance with Article 18 GDPR demand a restriction of data processing.
7.4. You have the right to demand, in accordance with Article 20 GDPR, receipt of the data concerning you that you have provided, and transmission to other Controllers.
7.5. In addition, in accordance with Article 77 GDPR you have the right to lodge a complaint with a supervisory authority.
- Right of withdrawal
You have the right to withdraw consent granted in accordance with Article 7 (3) GDPR with future effect.
- Right to object
In accordance with Article 21 GDPR, you are able to object at any time to the future processing of data concerning you. In particular, the objection can be directed at processing for the purposes of direct advertising.
- Cookies and the right to object to direct advertising
10.1. 'Cookies' refer to small files stored on users' computers. Different information may be stored within cookies. A cookie primarily serves to store the details about a user (or, as may apply, the device on which the cookie is stored) during or even after a visit within an online offer. Cookies deleted after a user leaves an online offer and closes their browser are referred to as temporary cookies or, as may apply, session or transient cookies. By way of example, the content of a shopping cart in an online store or a login status can be stored in such a cookie. Permanent or persistent cookies refer to ones that remain stored even after the browser has been closed. This allows, for example, the login status to be stored if the user returns after several days. In the same way, the user's interests can be saved in such a cookie and can be used for gauging the audience or for marketing purposes. Third-party cookies are cookies from providers other than the Controller operating the online offer (where only the Controller's own cookies are meant, these are referred to as first-party cookies).
10.2. We set temporary and permanent cookies, and will clarify this as part of our privacy policy. Where users do not want cookies to be stored on their computer, they are asked to disable the corresponding option in their browser's system settings. Stored cookies can be deleted in the browser's system settings. Excluding cookies can lead to functions of this online offer being restricted.
10.3. A general objection to the use of cookies for the purposes of online marketing can be declared with a wide range of services, above all in the event of tracking, via the American page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. In addition, the saving of cookies can be prevented by deactivating them in your browser settings. Please note that not all functions of this online offer may then be able to be used.
- Erasing data
11.1. Data processed by us is erased in accordance with Articles 17 and 18 GDPR, or its processing is restricted. Unless expressly stated in this privacy policy, data stored with us is erased as soon as no longer required for its purpose and no statutory duties of retention stand in the way of erasure. Where data is not erased because it is required for other purposes permitted by law, its processing is restricted. In other words, the data is blocked and not processed for other purposes. This applies, for example, to data needing to be retained for reasons under business or tax law.
11.2. Germany: In accordance with statutory requirements, retention is in particular for 6 years in accordance with Section 257 (1) German Commercial Code (trading books, inventories, opening balance sheets, end-of-year financial statements, commercial correspondence, accounting vouchers etc.), and for 10 years in accordance with Section 147 (1) of the German Tax Code (books, records, situation reports, accounting vouchers, commercial and business correspondence, documents relevant for taxation etc.).
11.3. Austria: In accordance with statutory requirements, retention is in particular for 7 years in accordance with Section 132 (1) of the Austrian Federal Tax Code (accounting documents, vouchers/invoices, accounts, vouchers, business papers, lists of revenue and expenditure, etc.), for 22 years in connection with land, and for 10 years with records in connection with electronically provided services, telecommunications, radio and television services provided for non-undertakings in EU Member States and for which the mini one-stop-shop (MOSS) is used.
- Business analysis and market research
In order to be able to commercially operate our business and identify market trends as well as client and user requirements, we analyse the data available to us regarding business processes, contracts, enquiries etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data and meta data based on Article 6 (1, f) GDPR, where data subjects include clients, potential clients, business partners, visitors and users of the online offer. Analysis is performed for the purpose of business evaluation, marketing and market research. This allows us to consider the profiles of registered users with details, for example, of their purchasing processes. Analysis serves to increase user-friendliness, and optimise what we offer and economic efficiency. Analysis serves us alone and is not passed on externally unless it involves anonymous analysis with summarised values. Where these analyses or profiles are personal, they are erased or anonymised with cancellation of the user, otherwise two years after a contract has been entered into. Otherwise, analysis of overall business efficiency and general determination of trends is created in an anonymous manner where possible.
- Making contact and customer service
When contacting us (via the contact form or email), user details are processed for handling and dealing with the contact request in accordance with Article 6 (1, b) GDPR. Details of the user can be stored in our customer relationship management system (‘CRM System’) or comparable enquiry structure. We delete the enquiries as soon as they are no longer required. We review the necessity every two years. We permanently save enquiries from customers with a customer account and refer to the details in the customer account for deletion. Statutory archiving duties also apply.
- Collection of access data and log files
We collect data about all access to the server on which the service is located (server log files) based on our legitimate interests in the sense of Article 6 (1, f) GDPR. Access data includes the name, date and time accessed, quantity of data transferred, report about successful access, browser type along with version, user's operating system, referrer URL (previous page visited), IP address, and requesting provider. For security reasons (e.g. for investigating misuse or fraud), log file information is stored for a maximum of seven days and then deleted. Data whose further retention is required for evidential purposes is exempt from deletion until definitive investigation of the incident.
- Online social media presence
Based on our legitimate interests in terms of Article 6 (1, f) GDPR, we maintain online presences with social networks and platforms to be able to communicate with customers, potential customers and users and inform them of our services. The terms and conditions and privacy policies of their respective operators apply when accessing the respective networks and platforms. Unless otherwise stated under our privacy policy, we process the user data when they communicate with us on social networks and platforms, for example by writing articles on our social media presences or messaging us.
- Google Analytics
Based on our legitimate interests (i.e. interests in analysing, optimising and commercially operating our online offer in terms of Article 6 (1, f) GDPR), we use Google Analytics, a web analysis service from Google LLC (‘Google’). Google uses cookies. Information generated by the cookie about usage of the online offer by the user is generally passed to and stored on a Google server in the USA. Google is certified under the Privacy Shield Framework and, as such, offers a guarantee of complying with European Data Protection Legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). Google will use this information on our behalf for evaluating the usage of our online offer by users, for compiling reports about activities within this online offer, and for providing us with further services associated with the use of this online offer and the internet. This allows pseudonymised user usage profiles to be created from the processed data. We only use Google Analytics with IP anonymisation activated. This means that the user IP address is abbreviated within Member States of the European Union or in other Signatory States to the Agreement on the European Economic Area. The full IP address is only forwarded to and abbreviated on a Google server in the USA in exceptional cases. The IP address provided from the user browser is not combined with other data from Google. Users can prevent the saving of cookies by means of a corresponding setting in their browser software. In addition, they can prevent the collection by Google of data created by the cookie and relating to their usage of the online offer by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de. You will find further information about how Google uses data and settings and opt-out options on Google websites: https://www.google.com/intl/de/policies/privacy/partners (‘Use of data by Google when you use websites or apps of our partners’), https://policies.google.com/technologies/ads (‘Use of Data for Advertising Purposes’), https://adssettings.google.com/authenticated (‘Managing Information Used by Google for Showing you Advertising’).
- Facebook Social Plugins
Based on our legitimate interests (i.e. interests in analysing, optimising and commercially operating our online offer in terms of Article 6 (1, f) GDPR), we use social plugins (‘Plugins’) from the social network Facebook operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (‘Facebook’). Plugins can represent interactive elements or content (e.g. videos, graphics or text articles) and can be identified by one of the Facebook logos (white ‘f’ on a blue tile, the term ‘Like’ or a ‘thumbs-up’ sign) or are identified with the ‘Facebook social plugin’ add-on. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/. Facebook is certified under the Privacy Shield Framework and, as such, offers a guarantee of complying with European Data Protection Legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active). If you call up a function of this online offer containing a social plugin, your browser establishes a direct link to Facebook servers. The content of the plugin is sent directly to the user’s device and integrated from there in the online offer. This allows user usage profiles to be created from the data processed. We therefore have no influence on the scope of data collected by Facebook with the help of this plugin, and are therefore informing the user according to our level of knowledge. Integrating the plugin informs Facebook that a user has accessed the corresponding page of the online offer. The user being logged in to Facebook allows Facebook to assign the visit to his Facebook account. If users interact with the plugins, for example by liking or commenting, the corresponding information is sent from your device directly to Facebook and saved there. Even if a user is not on Facebook, there is still the possibility of Facebook finding out and saving their IP address.
According to Facebook, only an anonymised IP address is saved in Germany. Please refer to the Facebook privacy policy for the scope and purpose of data collection, the further processing and use of data by Facebook, as well as the relevant rights and setting options for protecting the user’s privacy: https://www.facebook.com/about/privacy/. If a user is on Facebook and does not want Facebook to collect data about them via this online offer and link it with their membership details stored with Facebook, they must log out from Facebook before using our online offer and delete their cookies. Further settings and opt-outs to your data being used for advertising purposes are possible in Facebook profile settings: https://www.facebook.com/settings?tab=ads, the US site http://www.aboutads.info/choices/, or the EU site http://www.youronlinechoices.com/. Settings are made regardless of the platform, i.e. they are accepted for all devices such as desktops or mobile devices.
- Communication via post, email, fax or telephone
For business and marketing purposes we use methods of remote communication such as post, telephone or email. In doing so, we process user data, address and contact details, and contract data from customers, participants, potential customers and communication partners. Processing is based on Article 6 (1, a), Article 7 GDPR, and Article 6 (1, f) GDPR in conjunction with statutory requirements for promotional communication. Contact is made only with the consent of the contact partner or where permitted by law, and the data processed is erased as soon as not required and, otherwise, where justification is objected to/revoked or ceases to apply, or there or archiving is required by law.
- Involvement of third parties and third-party content
Based on our legitimate interests (i.e. interest in analysing, optimising and commercially operating our online offer in terms of Article 6 (1, f) GDPR), within our online offer we use content and services offered by third parties to involve their content and services such as videos or fonts (hereinafter referred to together as ‘Content’). This requires the third parties with this content to be provided with the IP address of the users as, without it, they would not be able to send the content to their browser. As such, the IP address is essential for showing this content. We make every effort to only use such content whose respective provider solely uses the IP address for delivering the content. In addition, third party providers may use pixel tags (invisible graphics, also referred to as web beacons) for statistical or marketing purposes. Pixel tags allow information such as visitor traffic on our website pages to be evaluated. The pseudonymised information can also be stored in cookies on the user’s device and contains, among other things, technical information about the browser and operating system, referring websites, time of visit and other details about how our online offer is used, and can also be associated with such information from other sources. The following illustration provides an overview of third-party providers as well as their content, along with links to their privacy policies containing further information for processing data and (partly already stated here) opt-out possibilities:
– In the event of our customers using third-party payment services (e.g. PayPal, Sofortüberweisung), the terms and conditions and privacy policy of the respective third-party provider apply; these can be accessed on the respective websites or, as may apply, transaction applications.
– External fonts from Google, LLC., https://www.google.com/fonts (‘Google Fonts’). Google Fonts are integrated by accessing a Google server (generally in the USA). Privacy policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.
– Maps from the ‘Google Maps’ service placed from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
– Videos from the ‘YouTube’ platform from the third-party provider Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
– Functions of the Google+ service are included in our online offer. These functions are offered by the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you are logged in to your Google+ account, clicking on the Google+ button allows you to link the content of our sites with your Google+ profile. This allows Google to log your visit to our site to your user account. We would like to point out that, as the provider of the sites, we are not made aware of the content of the data passed on or how it is used by Google+. Privacy policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.
– Functions of the Instagram service are included in our online offer. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged in to your Instagram account, clicking on the Instagram button allows you to link the content of our sites with your Instagram profile. This allows Instagram to log your visit to our site to your user account. We would like to point out that, as the provider of the sites, we are not made aware of the content of the data passed on or how it is used by Instagram.