Privacy Policy
Introduction
This Privacy Policy informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as "data") in the context of the provision of our range of services and on our websites, mobile applications, functions and contents connected with them as well as external online representations, e.g. Social Media Profiles (hereinafter collectively referred to as "Services"):
- In the second section you will find information about your rights, the relevant legal standards and general information about our data processing.
- The third section contains information on the individual processing operations. This section is divided into further areas, such as our key services, reach measurement or marketing.
- The fourth and final section contains a glossary with explanations and descriptions of the terms used in this Privacy Policy. This means that if you do not know the terms used (e.g. "personal data" or "cookie"), please refer to the last section. All terms used (e.g. "responsible" or "user") are to be understood gender-neutral.
Table of Contents
Section I – Controller and Overview of Data Processing
Contact Data Protection Officer:
Type of processed data:
Processing of special categories of Data (Art. 9 (1) GDPR)
Categories of data subjects
Zweck der Verarbeitung
Section II - Rights of data subjects, legal basis for the processing and general information
Rights of Data Subjects
Right of Withdrawal
Right to Object
Cookies and Right to Object in Direct Marketing
Erasure of data and archiving obligations
Changes and Updates to this Privacy Policy
Relevant Legal Basis for the Processing;
Security of Data Processing
Disclosure and Transmission of Data
Transfers to Third Countries
Section III - Processing operations
The Key Area of Data Processing
Processing of Orders in the Online Shop
Customer Account
Credit Assessment
Answering Inquiries and Customer Service
Business and market research
External online profiles
Webserver and Security
Server-Logs
Our own Global Single Sign-On procedure
Embedded content and functions
Google Services and Content
Facebook Features and Content
Instagram Features and Contents
Pinterest features and content
Marketing
Sweepstakes and Competitions
Web analytics, online marketing and technology partners
Google Display Network
Microsoft Bing Ads
Criteo
JustUno
Outbrain
Sovendus
Taboola
Section IV - Definitions
Section I – Controller and Overview of Data Processing
Controller
ZWILLING J.A. HENCKELS Canada Ltd.
435 Cochrane Drive, Markham, Ontario, L3R 9R5
Tel: 1-905-475-2555
customerservice@zwilling.ca
Contact Data Protection Officer:
email: customerservice@zwilling.ca
Type of processed data:
- Inventory Data (e.g., names, addresses).
- Contact details (e.g., e-mail, phone numbers).
- Content Data (e.g., text input, photographs, videos).
- Contract Data (e.g., subject matter of the contract, duration).
- Payment Data (e.g., bank details, payment history).
- Usage Data (e.g., interests, websites visited, purchasing behaviour, access times, log Data).
- Meta/contact data (e.g., device IDs, IP addresses).
- Job candidate Data (e.g., names, contact details, qualifications, job application documents).
Processing of special categories of Data (Art. 9 (1) GDPR)
No special categories of Data are processed.
Categories of data subjects
- Customers / prospective customers / business partners.
- Visitors and users of the online service.
In the following, we will also summarise the data subjects as "users".
Purpose of Processing
- Provision of our services, its contents and functions.
- Provision of contractual services, customer care and support.
- Response to contact requests and communication with users.
- Marketing, advertising, analysis of consumer behaviour, usage behaviour and market research.
- Security measures.
Automated individual decision-making (Art. 22 GDPR):
- Assessment of creditworthiness in the case of advance payment in accordance with Art. 22 GDPR.
As of: May 2018
Section II - Rights of data subjects, legal basis for the processing and general information
Rights of Data Subjects
You have the right to obtain from the controller confirmation as to whether personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.
You have correspondingly. In accordance with Article 16 of the GDPR, the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.
In accordance with Art. 17 GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.
You have in accordance with Art. 20 GDPR the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
In accordance with Art. 77 GDPR, you also have the right to file a complaint with the supervisory authority.
Right of Withdrawal
You have the right to withdraw consents granted pursuant to Art. 7 (3 GDPR with effect for the future.
Right to Object
You can object to the future processing of the data concerning you in accordance with Art. 21 GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.
Cookies and Right to Object in Direct Marketing
We use temporary and permanent cookies, i.e. small files that are stored on the user's devices (for the explanation of the term and function, see last section of this Privacy Policy). In part, cookies serve security purposes or are required for the operation of our online services (e.g., for the appearance of the website) or to save the user's decision when confirming a cookie banner. In addition, we or our technology partners use cookies to measure the reach and for marketing purposes, about which the users will be informed in the scope of the Privacy Policy.
If users do not want cookies to be stored on their computer, they are advised to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online services.
http://www.youronlinechoices.com/.
Erasure of data and archiving obligations
The data processed by us will be erased or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data stored by us will be erased as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data are not erased because they are necessary for other and legally permissible purposes, their processing is restricted. This means that the data is excluded and not processed for other purposes. This applies, for example, to data that must be retained for commercial or taxation reasons.
In accordance with statutory requirements, the records shall be kept for 6 years in particular in accordance with § 257 (1) German Commercial Code (trading books, inventories, opening balance sheets, annual financial statements, commercial letters, accounting documents, etc.) and for 10 years in accordance with § 147 (1) German Financial Act (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).
Changes and Updates to this Privacy Policy
We ask you to keep yourself regularly informed about the contents of our Privacy Policy. We will adapt the Privacy Policy as soon as any changes in data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.
Relevant Legal Basis for the Processing;
In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not explicitly stated in the Privacy Policy, the following applies: The legal basis for obtaining consents is Art. 6 (1) a and Art. 7 GDPR, the legal basis for processing for the performance of our services and performance of contractual measures as well as for answering inquiries is Art. 6 (1) b GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 (1) c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) f GDPR. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
The principles for commercial communications outside of business relations, in particular by post, telephone, fax and e-mail, are contained in § 7 of the German Unfair Competition Act (UWG).
Security of Data Processing
We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of data subjects' rights, the erasure of data and the response to data hazards. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).
The security measures include in particular the encrypted transmission of data between your browser and our server.
Employees are bound to confidentiality with regard to data protection, are instructed, monitored, and informed of possible liability consequences.
Disclosure and Transmission of Data
If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1) b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).
If we commission third parties with the processing of data on the basis of a so-called " Data Processing Agreement", this is done on the basis of Art. 28 GDPR.
If we disclose, transfer or otherwise grant access to data to other companies in our Group of Companies (Undertakings), this is done in particular for administrative purposes as a legitimate interest and in addition on the basis of a Data Processing Agreement.
Transfers to Third Countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or let the data being processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU (e.g. for the USA by the "Privacy Shield") or compliance with officially recognised special contractual obligations (so-called "Standard Contractual Clauses").
Section III - Processing operations
The following section provides an overview of our processing activities, which we have subdivided into other areas of operation. Please note that the areas of operation are for guidance only and that processing activities may overlap (e.g. the same data may be processed in several operations).
For reasons of clarity and comprehensibility, you will find the frequently repeated terms in Section IV of this data protection declaration.
The Key Area of Data Processing
Processing of Orders in the Online Shop
We process the data of our customers in the context of the online services in our online shop to enable the customers to select and order the selected products and services, as well as their payment and delivery, or performance.
Data processed: Inventory data, contact data, contract data, payment data
- Data processed: Inventory data, contact data, contract data, payment data.
- Data subjects: customers, prospective customers, business partners.
- Purpose of processing: Provision of contractual services in the context of operating an online shop, invoicing, delivery, customer service.
- Type, scope and mode of operation of the processing: Session cookies for shopping cart and login status.
- Legal basis: Art. 6 (1) b (execution of order processes) and c (archiving required by law). GDPR.
- Necessity / interest in processing: The data is required to establish and fulfil the contractual relationship.
- https://www.paypal.com/en/webapps/mpp/ua/privacy-full?locale.x=en_EN - as well as banks and financial institutions).
- Processing in third countries: No, only on customer request upon delivery or payment.
- Retention of data: The deletion takes place after the expiry of statutory warranty and comparable obligations, the necessity of data retention is reviewed every three years; in the case of statutory archiving obligations, the erasure takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation). Data in the customer account remain up to its erasure.
Customer Account
A customer account requires a registration, which can take place both online, and in local stores.
We offer our own single sign-on method for the customer account. This means that users who register in one of the online services of the companies belonging to the Zwilling-Group can also use the access data for other online services of companies belonging to the Zwilling-Group.
- Data processed: Inventory data (first name, last name; email address; password (will be stored encrypted)), contact data, contract data, payment data, product data/product preference, usage data, referrer data.
- Data subjects: customers, interested parties.
- Purpose of processing: Creation and operation of a customer account to manage the contractual relationship.
- Type, scope and mode of operation of the processing: registration process, cancellation possibility.
- Legal basis: Art. 6 (1) b. GDPR.
- Special security measures: The public account information of users is not visible to external parties such as search engines or other users and cannot be searched by them. Users are responsible for the secure custody of their access credentials.
- Necessity / interest in processing: The customer account is optional, requested data for its operation required. Mandatory fields are marked as such. In addition, each user decides for himself on disclosing additional information.
- External disclosure and purpose: No.
- Processing in third countries: No.
Credit Assessment
If we make advance deliveries (e.g. when purchasing on account), we reserve the right to obtain identity and creditworthiness information from specialized service providers (credit agencies) for the purpose of assessing credit risk on the basis of mathematical-statistical procedures in order to safeguard our legitimate interests. We process the information received from credit agencies on the statistical probability of non-payment within the framework of an appropriate discretionary decision on the establishment, execution and termination of the contractual relationship. We reserve the right to refuse payment on account or any other advance payment in the event of a negative result of the credit assessment.
- Data processed: Name, postal address, date of birth, details of the type of contract, bank details.
- Special categories of personal data: no.
- Legal basis: Art. 6 (1) f. GDPR; If based on user consent: Art. 6 (1) a., Art. 7 GDPR.
- Data subjects: customers, interested parties.
- Purpose of processing: Assessment of the probability of default of receivables.
- Type, scope and mode of operation of the processing: We process the information received from credit agencies on the statistical probability of non-payment within the framework of an appropriate discretionary decision on the establishment, execution and termination of the contractual relationship. We reserve the right to refuse payment on account or any other advance payment in the event of a negative result of the credit assessment.
- Necessity / interest in processing: Business interests.
- https://www.schufa.de/de/ueber-uns/daten-scoring/.
- Processing in third countries: no.
- Automated decision in individual cases according to Art. 22 GDPR: In this case, the decision as to whether we make advance payments is made in line with Art. 22 GDPR solely on the basis of an automated decision in individual cases, which our software makes on the basis of the information provided by the credit agency without the involvement of employees.
Answering Inquiries and Customer Service
- We process the information in the inquiries, which we receive via our contact form and other means, e.g. via e-mail, in order to answer the inquiries. For these purposes, the inquiries may be stored in our Customer Relationship Management (CRM) system or in similar procedures that serve us to manage inquiries. For customer relationship management purposes (CRM) we use so-called CRM software. With the help of the software we can answer the inquiries more effectively and faster.
- Data processed: Inventory data, contact data, contract data, payment data, usage data, metadata; e.g.
- Data subjects: customers, prospective customers, business partners, website visitors.
- Purpose of processing: Answering inquiries.
- Type, scope and mode of operation of the processing: registration process, termination option.
- Legal basis: Art. 6 (1) b./f. GDPR.
- Necessity / interest in processing: Necessary to answer queries, optimization, user-friendliness, business interests.
- External disclosure and purpose: Operator of the CRM system, salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich.
- https://www.salesforce.com/de/company/privacy/.
- Special security measures: Data Processing Agreement.
- Processing in third countries: USA.
- https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.
- Retention of data: We delete the requests if they are no longer required. We review the requirement every two years; requests from customers who have a customer account are stored permanently and are linked to the customer account details for deletion. In the case of statutory archiving obligations, the erasure takes place after their expiry (end of commercial law (6 years) and tax law (10 years) storage obligation).
Business and market research
In order to operate our business economically and to identify market trends, customer and user requirements, we analyse the data available to us on business transactions, contracts, enquiries, etc., in order to ensure that we are able to offer our customers the best possible service. For this purpose, we combine the personal data of customers from registrations and orders with the behaviour-related data of customers.
In the context of the economic evaluation we bring together the data of the users independently of the used devices (e.g. if users use our on-line offer on a mobile or on a stationary device).
- Data processed: Inventory data, contact data, contract data, payment data, usage data and metadata, e.g. activity data from e-mails via our online channels, e.g. data on the page accessed, the page history, the device used, the approximate location and data for pseudonymous identification of the user profile).
- Legal basis: Art. 6 (1) f. GDPR.
- Data subjects: customers, prospective customers, business partners, visitors and users of the online offer.
- Purpose of processing: business analysis, marketing, advertising, market research.
- Type, scope and mode of operation of the processing: profiling, online behavioural advertising, first party cookies.
- Necessity / interest in processing: Increased user-friendliness, optimization of the service, business efficiency.
- External disclosure and purpose: Analysis and market research by salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich.
- https://www.salesforce.com/de/company/privacy/.
- Special security measures: Data Processing Agreement.
- Processing in third countries: USA.
- https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.
- Retention of data: If a customer account was opened, with its termination, otherwise after two years from conclusion of contract. For the rest, macroeconomic analyses and general trend determinations are carried out anonymously wherever possible.
- Retention of data: After the deadline of two years.
External online profiles
In this area you will find information about our data processing in the context of operating external online activities, e.g. in social media.
Online Presences in Social Media
We maintain online presences within social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the privacy policy of their respective providers apply. Unless otherwise stated in our privacy policy, we will process the data of users who communicate with us within social networks and platforms, e.g. publish contributions on our online profiles or send us messages.
The links/buttons to social networks and platforms (hereinafter referred to as "social media") used within our online services do not establish a data transmission between social networks and users until users click on the links/buttons and access the respective networks or their websites. This function corresponds to the function of a regular online link.
- Social networks/platforms used by us: Facebook, Instagram, LinkedIn, Pinterest, Twitter, Xing, YouTube.
- Data processed: Inventory data, contact data, content data, usage data, metadata.
- Special categories of personal data: In principle, no, except as provided voluntarily by users.
- Legal basis: Art. 6 (1 lit f. GDPR.
- - Data subjects: Users of social media networks/ platforms (this can include customers and prospective customers).
- Purpose of processing: Information and communication.
- Type, scope and mode of operation of the processing: By providers of the respective platforms as a general rule: permanent cookies, tracking, targeting, remarketing, online behavioural advertising.
- Necessity / interest in processing: Expectations of users active on the platforms, business interests.
- External disclosure and purpose: To the social networks/platforms.
- Processing in third countries: USA.
- Guarantee when processing in third countries: Privacy Shield (except Pinterest).
- Retention of data: The deletion policies of the respective networks/ platforms apply.
Webserver and Security
Our services are operated on web servers. In the following section we will inform you about their use and data processed during the operation of our servers.
Server-Logs
The server on which this online service is hosted collects so-called log files each time the online service is accessed, in which user data is stored. The data is used for statistical analysis to maintain and optimize server operation and for security purposes, e.g. to detect potential unauthorized access attempts.
- Data processed: Usage data and metadata (name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited website), IP address and the requesting provider).
- Special categories of personal data: no.
- Legal basis: Art. 6 (1) f GDPR.
- Data subjects: customers, prospective customers, visitors of the online service.
- Purpose of processing: Optimization of server operation and security monitoring.
- Necessity / interest in processing: Security, business interests.
- Processing in third countries: no.
- Deletion of data: After 7 days from the time of the collection.
Our own Global Single Sign-On procedure
Embedded content and functions
In this section we inform you which contents, software or functions (briefly "contents") of other providers we embed in the context of our website on the basis of Art. 6(1) f GDPR (so-called "embedding"). The embedding is done to make our online offer more interesting for our users or for legal reasons, e.g. to be able to present videos or social media contributions within our online offer at all. Embedding can also be used to improve the speed or security of online content, e.g. when software elements or fonts are obtained from other sources. The processed data includes in all cases the user's usage and metadata and also the IP address necessarily transmitted to the provider for embedding the content, the data subjects include the visitors to our website. The data subject categories include the users of our website, customers and interested parties. Further explanations can be found in the definitions of terms, in particular on the functions and security measures, at the end of this Privacy Policy. The data retention is determined by the data protection conditions of the providers of the embedded content.
Google Services and Content
We use the following services and contents of the provider Google: YouTube - Videos; Google Maps - Maps; Google Fonts - Fonts; Google - Recaptcha.
- Data processed: Usage data, metadata.
- Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, online behavioural advertising, tracking.
- Special security measures: Pseudonymization, opt-out.
- https://adssettings.google.com/.
- External disclosure and purpose: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
- https://www.google.com/policies/privacy.
- Processing in third countries: USA.
- https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Retention of data: The data will be deleted in accordance with Google's conditions.
Facebook Features and Content
Functions and contents of the Facebook service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.
- Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
- Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
- http://www.aboutads.info/choices (US).
- External disclosure and purpose: Facebook Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
- https://www.facebook.com/policy.php.
- Processing in third countries: USA.
- www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
- Retention of data: The data will be deleted in accordance with Facebook conditions.
Instagram Features and Contents
Functions and contents of the Instagram service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.
- Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
- Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing.
- External disclosure and purpose: Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
- https://www.google.com/policies/privacy.
- Processing in third countries: USA.
- www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
- Retention of data: The data will be deleted in accordance with Instagram's policies.
Pinterest features and content
Functions and contents of the Pinterest service can be integrated within our online offer. This may include, for example, content such as images, videos or texts and buttons with which users can express their appreciation of the content, subscribe to the authors of the content or our contributions.
- Data processed: Usage data, metadata; if users are registered with the service, the above data can be linked to their profiles and to the data stored with the service (in particular inventory data).
- Type, scope and mode of operation of the processing: Social plugins, permanent cookies, third party cookies, online behavioural advertising, tracking, remarketing External disclosure and purpose: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA.
- https://about.pinterest.com/de/privacy-policy.
- Processing in third countries: USA.
- Retention of data: The data will be deleted in accordance with Pinterest’s policies.
Marketing
In this section you will find information on data processing carried out by us for the purpose of optimising our marketing and market research activities.
Newsletter Mailing and Performance Measurement
We will only send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter "newsletters") with the consent of the recipients or a legal permission. Subscribers' data is logged as we are required to provide documentation of registrations. We also keep track of whether newsletters have been opened and whether links have been clicked. This information is stored on a per-user basis for technical reasons, but is not used to monitor individual users, but rather, for example, to adapt content and services to users. Information that we should collect in addition to the e-mail address (e.g. name) is used to personally address the users or to adapt the contents of the newsletter to the users.
- Contents of the newsletter: As indicated in the registration form, otherwise information about our services and our company.
- Data processed: Inventory data (e-mail address), usage data (registration time, confirmation time double opt-in, IP address, opening of e-mail, time and place, time and click on a link in the newsletter).
- Special categories of personal data: no.
- Legal basis: Art. 6 (1) a., Art. 7 GDPR and § 7 (2) no. 3 UWG (sending and performance measurement), Art. 6 (1) f GDPR (logging).
- Data subjects: E-mail recipient, SMS
- Purpose of processing: newsletter dispatch, optimization, proof of consent.
- Type, scope and mode of operation of the processing: Web-Beacon.
- Necessity / interest in processing: Only the e-mail information is required for sending, the other information is voluntary and serves to personalize and optimize the content based on the interests of the user; the obligation to provide evidence of consent is the reason for logging; performance measurement is based on legitimate interests in the optimization of the content for users and based on business interests
- Opt-Out: A unsubscribe link is included in every newsletter.
- External disclosure and purpose: Salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich.
- Privacy Policy: https://www.salesforce.com/de/company/privacy/.
- Special security measures: Data Processing Agreement.
- Processing in third countries: USA.
- Guarantee when processing in third countries: Privacy Shield https://www.privacyshield.gov/participant?id=a2zt0000000KzLyAAK&status=Active.
- Retention of data: We may store the e-mail addresses we have unsubscribed for up to three years on the basis of our legitimate interests before we delete them for the purpose of sending the newsletter in order to be able to prove a previously given consent. The processing of these data is limited to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that at the same time the former existence of a consent is confirmed.
Communication via Mail, E-Mail, Fax or Telephone
Sending information material, contacting us by telephone.
- Data processed: Inventory data, address and contact data, contract data.
- Special categories of personal data: no.
- Legal basis: Art. 6 (1) a, Art. 7 GDPR, Art. 6 (1) f GDPR in connection with legal requirements for advertising communications.
- Data subjects: customers, prospective customers, communication partners.
- Purpose of processing: Commercial communication.
- Type, scope and mode of operation of the processing: Contact is only established with the consent of the contact partners or within the scope of legal permissions.
- Necessity / interest in processing: Information and business interests.
- External disclosure and purpose: No.
- Processing in third countries: No.
- Retention of data: With objection/ revocation or expiration of the legal basis of eligibility.
Sweepstakes and Competitions
In the course of sweepstakes and competitions (" sweepstakes" for short) we processed the data of the participants for the execution of the sweepstakes. Further information on the processing of your data within the scope of the individual sweepstakes as well as any consent to the publication of their names or contributions to the sweepstakes will be provided to the users within the conditions of participation of the respective sweepstakes.
- content data (e.g. contributions to competitions).
- Special categories of personal data: no.
- Legal basis: 6 (1) b GDPR.
- Data subjects: Participants
- Purpose of processing: Conducting lotteries, notification of prizes, sending prizes, possibly presentation of winners.
- External disclosure and purpose: Shipping companies for the purpose of sending the prizes, possibly partners and sponsors of prizes.
- Processing in third countries: No, except for sending prizes abroad.
- Retention of data: As soon as the data is not required for the competition (e.g. for inquiries regarding prizes); when winners or contributions to the competition are published, they remain permanently online; otherwise, in the event of a legal obligation (end of commercial law (6 years) and tax law (10 years) retention obligation).
Loyalty and Bonus Program
We offer our customers the possibility to in the context of various programs, e.g. for purchases, for recruiting customers, newsletter subscribers or product evaluations.
- Data processed: Inventory data, contact data, usage data.
- Special categories of personal data: no.
- Legal basis: 6 (1) b GDPR.
- Data subjects: customers, prospective customers, third parties.
- Purpose of processing: Rewarding customer loyalty, attracting customers.
- External disclosure and purpose: No, only to the extent that customers disclose the data of third parties in the context of the recruitment of third parties.
- Processing in third countries: no.
- Retention of data: As soon as the data is no longer required to carry out loyalty campaigns or recruit third parties; if bonus points are awarded, they are stored in the customer history and deleted with the customer account; otherwise archiving in the event of a legal obligation (end of commercial law (6 years) and tax law (10 years) retention obligation).
Web analytics, online marketing and technology partners
In this section we inform you which services of technology partners are used for web analytics and online marketing purposes. Their application is based on Art. 6 (1) letter f GDPR and our interest in increasing user convenience, optimizing our services and their economic efficiency. The processed data includes in all cases the usage data and the metadata. Further explanations can be found in the definitions of terms, in particular on the functions and security measures, at the end of this Privacy Policy. The retention of the data is determined, unless otherwise stated, in accordance with the Privacy Policies of the technology partners.
Google Tag Manager
https://www.google.com/intl/de/tagmanager/use-policy.html.
Google Analytics
- We use Google Analytics for purposes of range measurement and target group building.
- Data processed: Usage data, metadata.
- Type, scope and mode of operation of the processing: permanent cookies, third party cookies, tracking, online behavioural advertising, profiling, custom audiences, remarketing.
- Special security measures: pseudonymisation, IP masking, conclusion of Data Processing Agreement, opt-out.
- https://adssettings.google.com/ (setting for advertisements).
- External disclosure: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
- Privacy Policy: https://policies.google.com/privacy.
- Processing in third countries: USA.
- https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Retention of data: 26 months.
Google AdWords
We use Google AdWords to place ads on Google's and Google partner's websites and measure their performance.
- Data processed: Usage data, metadata.
- Type, scope and mode of operation of the processing: permanent cookies, third party cookies, tracking, conversion measurement, online behavioural advertising, profiling, cross-device-tracking.
- Special security measures: Pseudonymisation, IP masking, conclusion of Data Processing Agreement, opt-out.
- Opt-Out: https://adssettings.google.com/.
- External disclosure: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
- https://policies.google.com/privacy.
- Processing in third countries: USA.
- https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Retention of data: The data may be processed by Google for up to two years before it is anonymised or deleted.
Google Display Network
Google's Double-Click technology enables us to target visitors to our website with targeted advertising as part of marketing campaigns for our products on our advertising partners' websites.
- Data processed: Usage data, metadata.
- Type, scope, functioning of processing: permanent cookies, third party cookies, tracking, conversion measurement, interest-based marketing, remarketing, cross-device tracking, profiling.
- Special protective measures: Pseudonymisation, IP masking, conclusion of Data Processing Agreement, opt-out.
- Opt-Out: https://adssettings.google.com/.
- External disclosure: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
- Privacy Policy: https://www.google.com/policies/privacy.
- processing in third countries: USA.
- http://www.privacyshield.gov/participant?id=a2zt00000000001L5AAI&status=Active.
- Deletion of data: The data may be processed by Google for up to two years before it is anonymised or deleted.
Facebook Pixel and Facebook Customer Audience Pixel
We use the Facebook pixel to form target groups and measure the success of the ads we place on Facebook and to build target groups for ads.
- Data processed: Usage data, metadata; if users are registered with Facebook, the data is linked to their Facebook profiles and data belonging to them (in particular inventory data).
- Type, scope and mode of operation of the processing: Permanent cookies, third party cookies, tracking, conversion measurement, online behavioural advertising, profiling, cross-device-tracking, custom audiences from website, custom audiences from file.
- Special security measures: Encrypted communication between Facebook and our website.
- http://www.aboutads.info/choices (US).
- External disclosure: Facebook Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA
- https://www.facebook.com/policy.php.
