1. Name and Address of the Data Controller
Pursuant to the General Data Protection Regulation (GDPR), other data protection acts that apply in the Member States of the European Union, and other provisions with a data-protection character, the party responsible for the processing of data (hereafter data controller) is:
Christof Kerber GmbH & Co. KG
Windelsbleicher Strasse 166-170
Tel.: +49 / (0)521 – 95008-10
Data protection officer
Christof Kerber GmbH & Co. KG
Windelsbleicher Straße 166-170
Tel.: +49 / (0)521 – 95008-13
The data subject can prevent our website from storing cookies at any time by setting the Internet browser accordingly, and consequently object long term to the placement of cookies. Furthermore, cookies that have already been stored can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the data subject deactivates the storage of cookies in the Internet browser being used, not all functions of our website may be used to their full extent.
3. Collection of General Data and Information
The website of the Kerber Verlag collects a range of general data and information every time a particular data subject or automated system accesses an Internet page. These general data and information are saved in the server’s log files. The data and information collected can include (1) the browser type and version being used, (2) the operating system used by the accessing system, (3) the Internet page via which an accessing system arrives at our Internet page (a so-called referrer), (4) the sub-web pages by means of which an accessing system is steered to our Internet page, (5) the date and time when the Internet page is accessed, (6) an Internet protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information that can avert danger in the case of attacks on our information technology systems.
When using these general data and information, the Kerber Verlag draws no conclusions with respect to the data subject. This information is instead necessary in order (1) to deliver the contents of our Internet pages correctly, (2) to optimize the contents of our server as well as advertising for it, (3) to guarantee the long-term ability of our information technology and website to function, and (4) to provide law enforcement authorities with information necessary to prosecute a crime in the case of a cyber-attack. The Kerber Verlag therefore, analyzes these anonymously collected data and information statistically as well as with the aim of improving data protection and data privacy in our company so as to ultimately ensure an optimal level of protection for the personal data that we process. The anonymous data in the server log files are saved separately from all personal data provided by a data subject.
4. Disclosure of Personal Data
Personal data are naturally handled confidentially and only disclosed to third parties if this is necessary to fulfill or process a contract.
Your data is disclosed to the company contracted to process orders (processor):
Koch, Neff & Oetinger
Telephone: +49 (0) 711 / 789 920 10
Telefax: +49 (0) 711 / 789 910 10
and to the shipping company contracted with delivery, as far as these date are necessary for the delivery of the goods. For the processing of payments, we transmit your payment data to an authorized credit institution. The legal basis for this is Art. 6 (1) lit. b) GDPR.
5. Registering on Our Internet Page
The data subject can register on the website of the data controller by providing personal data. What personal data is transmitted to the data controller depends on the respective entry mask that is used for registration. The personal data entered by the data subject are exclusively for internal use by the data controller, and are collected and saved for internal use. The data controller can arrange for transmission of personal data to one or various processors of contracts, for instance a parcel service, which also utilize the personal data exclusively for an internal use assigned by the data controller.
Through registering on the Internet page of the data controller, the IP address assigned to the data subject by the Internet service provider (ISP) as well as the date and time of registration are also saved. The legal basis for this is Art. 6 (1) lit. f) GDPR. The saving of this data occurs with the purpose that this is the only way to prevent misuse of our services; these data also make it possible, if necessary, to solve crimes that have been committed. Insofar, the saving of such data is necessary to safeguard the data controller. Transmission of this data to third parties does not occur, provided there is no legal obligation to disclose it or the transmission of data assists in criminal prosecution.
The registration of the data subject with personal data provided voluntarily assists the data controller in offering the data subject contents or services that can only be provided to registered users due to the nature of the matter. Registered individuals have the possibility to amend the personal data entered for registration at any time or to have it completely deleted from the dataset of the data controller.
Upon request, the data controller provides each data subject with information about which personal data about the data subject have been saved. Furthermore, the data controller amends or deletes personal data at the request or notification of the data subject, provided no legal obligation to store the data prevents this. The entire staff of the data controller is available to the data subject as a contact point in this context.
6. Subscribing to Our Newsletter
Notes on the newsletter and permissions
With the following notes, we clarify the contents of our newsletter and the registration, transmission, and statistical analysis procedures as well as your rights to object. By subscribing to our newsletter, you consent to receive the newsletter and to the procedures described.
Contents of the Newsletter
We send newsletters, emails, and other electronic notifications with advertising information (hereafter “newsletter”) only with the permission of the recipient or with legal permission. Inasmuch as the contents of the newsletter are specifically outlined within the framework of registering for the newsletter, the permission of users is applies. Apart from this, our newsletter contains information about legal topics, in particular from the field of marketing rights and data protection, and about our office (this can include in particular tips about blog entries, presentations, or workshops, our services or online presence).
Double Opt-In and Logging
Registration for our newsletter takes place by means of a so-called double opt-in procedure. This means that you receive an email after registering in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with email addresses of third parties.
Registrations for the newsletter are logged so as to be able to document the registration process according to legal requirements. This includes saving the time of the registration and confirmation as well as the IP address. Changes to your data saved by MailChimp are also logged.
Use of the “MailChimp” Shipping Service
The newsletter is sent via “MailChimp,” a newsletter distribution platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.
The email addresses of our newsletter recipients as well as their data, as described within the framework of these notes, are saved on MailChimp servers in the United States. MailChimp uses this information to send and evaluate the newsletter on our behalf. Based on its own information, MailChimp can use these data to optimize or improve its own services, e.g. to technically optimize the distribution and presentation of the newsletter or for commercial purposes so as to determine the countries from which recipients come. MailChimp does not, however, use these data about recipients of our newsletter to write to the recipients itself or pass these data on to third parties.
We trust the reliability and the IT as well as data privacy of MailChimp. MailChimp is certified under the US-EU “Privacy Shield” data protection agreement and consequently commits to comply with EU data protection provisions. In addition, we have entered into a “Data Processing Agreement” with MailChimp. This is a contract in which MailChimp commits to protect the data of our users, to process this data on our behalf according to its data protection provisions, and, in particular, not to pass this data on to third parties. You can see MailChimp’s data protection provisions here.
To register for the newsletter, we ask you to provide us with your email address and name. The name is used solely to personalize the newsletters. Furthermore, we also ask you to optionally provide a specific key topic. We only use this information to adapt the contents of the newsletters to the interests of our readers.
Statistical Surveys and Analyses
The newsletters are equipped with a so-called “web-beacon,” i.e. a pixel-size file that is retrieved by MailChimp when the newsletter is opened. Within the context of this retrieval, technical information such as information about the data subject’s browser and system as well as IP address and the time of the retrieval are collected. This information is used to improve services technically based on the technical data or target groups and their reading behavior based on the location from which the newsletter is retrieved (which can be determined with the help of the IP address) or time of access.
The collection of statistics also includes determining whether the newsletters are opened, when they are opened, and what links are clicked. Although this information can be assigned to individual newsletter recipients for technical reasons, it is nonetheless neither our aim, nor that of MailChimp, to observe individual users. The assessments instead assist us in identifying the reading habits of our users and adapting out contents to them or in sending different contents based on the interests of our users.
Online Access and Data Management
There are cases in which we direct newsletter recipients to the webpage of MailChimp. For instance, our newsletter contains a link with which newsletter recipients can access the newsletter online (e.g. if the email program has problems displaying it). Furthermore, newsletter recipients have the option to correct their data such as email address subsequently. It is also possible to access MailChimp’s data protection declaration on its website.
In this context, we point to the fact that cookies are used on MailChimp’s webpages and personal data are consequently processed by MailChimp, its partners as well as other service providers (e.g. Google Analytics). We have no influence on this collection of data. You can find further information in MailChimp’s data protection declaration. We also point to the possibilities to object to data collection for advertising purposes on the websites http://www.aboutads.info/choices/ and http://www.youronlinechoices.com/ (for the European area).
Termination / Revocation
You can unsubscribe from, i.e. revoke your consent to, our newsletters at any time. This simultaneously deletes your consents to it being sent by MailChimp and to statistical analyses. A separate objection to transmission via MailChimp or statistical evaluation is, unfortunately, not possible.
You find a link to unsubscribe from the newsletter at the end of each newsletter.
Legal Basis for the General Data Protection Regulation
Pursuant to the provisions of the General Data Protection Regulation (GDPR) that came into effect as of May 25, 2018, we inform you that consenting to the transmission of email addresses takes place on the basis of Art. 6 (1) lit. a, 7 GDPR as well as § 7 (2) no. 3, and/or (3) UWG. The use of the MailChimp shipping service, the conducting of statistical surveys and analyses of statistics as well as the logging of registration procedures takes place on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f GDPR. Our interest focuses on the use of a user-friendly as well as secure newsletter system that serves our business interests and also fulfills the expectations of users.
We also point to the fact that you can object at any time to future processing of your personal data according to the legal stipulations pursuant to Art. 21 GDPR. Objections can be made in particular to processing for the purpose of direct advertising.
7. Contact Opportunity Via the Website
Based on legal requirements, the website of the Kerber Verlag contains information that facilitates swift electronic contact with our company as well as direct communication with us, which also includes a general address for so-called electronic post (email address). If a data subject makes contact with the data controller via email or a contact form, the personal data that are transmitted by the data subject are saved automatically. Such personal data that are provided voluntarily by the data subject to the data controller are saved for the purpose of processing the establishment of contact with the data subject. This personal data is not transmitted to third parties.
8. Routine Deletion and Blocking of Personal Data
The data controller shall process and store the personal data of the data subject only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the data controller is subject.
If the storage purpose is not applicable, or if a storage period specified by the European legislator or another relevant legislator expires, the personal data are routinely blocked or deleted in compliance with legal requirements.
9. Rights of the Data Subject
a) Right to Information
Every person affected by the processing of personal data has the right, as granted by the European legislator, to receive information about the personal data stored about them from the data controller free of charge at any time as well as to receive a copy of this information. Furthermore, the European legislator grants the data subject information about the following:
- The purposes of the processing
- The categories of personal data that are processed
- The recipient or categories of recipients to whom the personal data has been disclosed or will be disclosed, particularly in the case of recipients in third countries or in the case of international organizations
- If possible, the planned period for which the personal data is stored, or, if this is not possible, the criteria for determining this period
- The existence of the right to the correction or deletion of personal data concerning them or to limiting processing by those responsible or a right to object to such processing
- The existence of a right to file an appeal with a regulatory authority
- If personal data is not collected in connection with the data subject: all available information about the origin of the data
- The existence of automated decision-making pursuant to Art. 22 (1) and 4 GDPR and—at least in this case—meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject
Furthermore, the data subject has a right to information about whether personal data has been transmitted to a third country or international organization. If this is the case, the data subject also has the right to receive information about suitable guarantees in connection with such transmission.
If a data subject would like to claim this right to information, the data subject can contact an employee of the data controller at any time.
b) Right to Correction
Every data subject affected by the processing of personal data has the right, as granted by the European legislator, to request the immediate correction of incorrect personal data that concerns them. Furthermore, the data subject has the right to request the completion of incomplete personal data—also by means of a supplemental statement—while bearing in mind the purpose of the processing.
If a data subject would like to make use of this right to correction, they can contact an employee of the data controller at any time.
c) Right to Deletion (Right to Be Forgotten)
Every person affected by the processing of personal data has the right, as granted by the European legislator, to request that the data controller immediately delete the personal data concerned provided that one of the following reasons apply and provided that the processing is not required:
- The personal data were collected for such purposes or processed in another way for which they are no longer necessary.
- The data subject revokes their consent to the processing of data pursuant to Art. 6 (1) a GDPR or Art. 9 (2) a GDPR, and there is no other legal basis for the processing.
- Pursuant to Art. 21 (1) GDPR, the data subject files an objection to the processing of data and there are no overriding legitimate reasons for the processing, or the data subject files an objection to the processing of data pursuant to Art. 21 (2) GDPR.
- The personal data have been processed unlawfully.
- The deletion of personal data is required in order to comply with a legal obligation based on European Union law or the law of the Member States to which the data controller is subject.
- The personal data was collected in connection with services offered by the information society, pursuant to Art. 8 (1) GDPR.
If one of the abovementioned reasons applies and a data subject would like to arrange for the deletion of personal data saved by the Kerber Verlag, they can contact an employee of the data controller at any time. The employees of the Kerber Verlag will arrange to have the request for deletion promptly fulfilled.
d) Right to Restrict Processing
Every person affected by the processing of personal data has the right, as granted by the European legislator, to request that the data controller restrict its processing of the data if one of the following conditions are met:
- The data subject contests the accuracy of the personal data, and indeed for a period of time that enables the data controller or processor to check the correctness of the personal data.
- The processing is unlawful, the data subject objects to the deletion of personal data, and instead requests that the use of the personal data be restricted.
- The data controller no longer requires the personal data for processing purposes, but the data subject requires it for the assertion, exercise, or defense of legal claims.
- The data subject has filed an objection to the processing pursuant to Art. 21 (1) GDPR and it is still not clear that the legitimate reasons of the data controller override those of the data subject.
Should one of the abovementioned conditions be met and a data subject would like to restrict the personal data that are saved by the Kerber Verlag, they can contact an employee of the data controller at any time. The employee of the Kerber Verlag will have the processing restricted.
e) Right to Data Portability
Every data subject has the right, as granted by the European legislator, to receive the personal data concerning them, which the data subject has made available to a data controller or processor, in a structured, standard, machine-readable format. The data subject also has the right to transmit such data to another data controller without being hindered by the data controller to whom the personal data was made available, insofar as the processing is based on consent pursuant to Art. 6 (1) a GDPR or Art. 9 (2) a GDPR, or is based on a contract pursuant to Art. 6 (1) b GDPR and the processing occurs with the assistance of automated processes, insofar as the processing is not necessary for the performance of a task for the public benefit or takes place as part of the exercising of the official authority that has been transferred to the data controller.
Furthermore, pursuant to Art. 20 (1) GDPR, when exercising the right to data portability, the data subject has the right to effect that the personal data are transmitted directly from one data controller to another, provided that this is technically feasible and provided that the rights and freedoms of other persons are not impaired as a result.
To assert the right to data portability, the data subject can contact an employee of the Kerber Verlag at any time.
f) Right to Appeal
Every data subject affected by the processing of personal data has the right, as granted by the European legislator, for reasons that arise from their specific situation, to file an objection to the processing of personal data concerning them, which occurs based on German Art. 6 (1) e or f GDPR.
In the case of objections, the Kerber Verlag no longer processes the personal data unless we can show compelling and legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the if processing serves the assertion, exercise, or defense of legal claims.
If the Kerber Verlag processes personal data in order to engage in direct advertising, the data subject consequently has the right to file an objection to the processing of personal data for the purpose of such advertising. If the data subject objects to the Kerber Verlag processing data for the purpose of direct advertising, the Kerber Verlag will no longer process the personal data for such purposes.
The data subject also has the right, for reasons that arise from their specific situation, to file an objection to the processing of personal data that concerns them that takes place at the Kerber Verlag for purposes of scholarly or historical research pursuant to Art. 89 (1) GDPR, unless such processing is necessary in order to perform a task for the public benefit.
To exercise the right to appeal, the data subject can contact any employee of the Kerber Verlag. In connection with the use of services offered by the information society, the data subject is also free to exercise their right to appeal, notwithstanding Directive 2002/58/EG, by means of automated processes in which technical specifications are used.
g) Right to Revoke Consent Regarding Data Protection
Every person affected by the processing of personal data has the right, as granted by the European legislator, to revoke consent to the processing of personal data at any time.
If the data subject would like to assert their right to revoke consent, they can contact an employee of the data controller for this purpose at any time.
10. Data Protection for Applications and Application Processes
The data controller collects and processes the personal data of applicants for the purpose of managing the application process. The processing can also take place by electronic means. This is the case in particular when an applicant transmits corresponding application documents electronically, for instance, via email or via a web form found on an Internet page, to the data controller. If the data controller signs an employment contract with an applicant, the data transmitted are saved for the purpose of processing the employment relationship in compliance with legal provisions. The legal basis for the collection and processing of applicant and employee data is § 26 BDSG (German Federal Data Protection Act, new). If the data controller does not conclude an employment contract with the applicant, the application documents are automatically deleted two months after notification of the decision to reject the applicant, provided the deletion does not conflict with any other legitimate interests of the data controller. Another legitimate interest in this sense is, for instance, a burden of proof in a trial, pursuant to the German General Act on Equal Treatment (Allgemeinen Gleichbehandlungsgesetz, AGG).
11. Use of Facebook Social Plugins
Our website uses so-called social plugins (“plugins”) from the social network Facebook, which is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”). The plugins are labeled with a Facebook logo or the phrase: “social plugin by Facebook,” and/or “Facebook social plugin.” You can find an overview of Facebook plugins and how they look at: https://developers.facebook.com/docs/plugins
When you access a page of our Internet presence that contains such a plugin, your browser establishes a direct connection to Facebook’s servers. Facebook transmits the content of the plugin directly to your browser and embeds it in the page. By means of this embedding, Facebook receives the information that your browser has accessed the corresponding page of our Internet presence, even if you do not have a Facebook profile or are not currently logged in on Facebook. This information (including your IP address) is transmitted directly from your browser to a Facebook server in the United States and stored there. If you are logged in on Facebook, Facebook immediately assigns the visit to our website to your Facebook profile. If you interact with the plugins, for instance, use the “Like” button or enter a comment, this information is also transmitted directly to a Facebook server and stored there. The information is also published on your Facebook profile and displayed to your Facebook friends. Please look at Facebook’s data protection provisions to find out the purpose and scope of the collection of data and the further processing and use of data by Facebook as well as your rights and settings options for protecting your private sphere in this context: http://www.facebook.com/policy.php
If you do not want Facebook to assign data collected via our Internet presence directly to your Facebook profile, you have to log out from Facebook before accessing our website. You can also completely block the loading of Facebook plugins by means of add-ons for your browser, e.g. with the “Facebook Blocker”: (http://webgraph.com/resources/facebookblocker/).
Facebook is a service of Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Facebook Ireland Ltd. is certified under the EU-US Privacy Shield, an agreement that guarantees the data protection provisions that apply in the EU.
12. Use of Twitter Plugins (e.g. “Twitter” Button)
Our website uses so-called social plugins (“plugins”) from the micro-blogging service Twitter, which is operated by Twitter Inc., 1355 Market St., Suite 900, San Francisco, CA 94103, USA (“Twitter”). The plugins are labeled with a Twitter logo and/or in the form of a blue “Twitter bird.” You can find an overview of Twitter plugins and how they look at: https://twitter.com/about/resources/buttons
When you access a page of our Internet presence that contains such a plugin, your browser establishes a direct connection to Twitter’s servers. Twitter transmits the content of the plugins directly to your browser and embeds it in the page. By means of this embedding, Twitter receives the information that your browser has accessed the corresponding page of our Internet presence, even if you do not have a Twitter profile or are not currently logged in on Twitter. This information (including your IP address) is transmitted directly from your browser to one of Twitter’s servers in the United States and stored there. If you are logged in on Twitter, Twitter can assign the visit to our website directly to your Twitter account. When you interact with the plugins, for instance, by using the “Twitter” button, the corresponding information is also transmitted directly to a Twitter server and stored there. The information is also published on your Twitter account and displayed to your contacts there. You can find information about the purpose and scope of the data collection and other processing and use of the data by Twitter as well as your rights and related setting options to protect your private sphere in Twitter’s data protection provisions: https://twitter.com/privacy
If you do not want Twitter to assign data collected via our Internet presence directly to your Twitter account, you have to log out from Twitter before visiting our website. You can also completely block the loading of Twitter plugins with add-ons for your browser, e.g. with the script-blocker “NoScript” (http://noscript.net/).
Twitter is a service of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Twitter Inc. is certified under the EU-US Privacy Shield, an agreement that guarantees compliance with the data protection provisions that apply in the EU.
13. Use of Instagram Social Plugins
Our website uses so-called social plugins (“plugins”) from Instagram, which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA (“Instagram”). The plugins are labeled with an Instagram logo, for instance, in the form of an “Instagram camera.” Your can find an overview of Instagram plugins and how they look at: http://blog.instagram.com/post/36222022872/introducing-instagram-badges
When you access a page of our Internet presence that contains such a plugin, your browser establishes a direct connection to the servers of Instagram. Instagram transmits the content of the plugins directly to your browser and embeds it in the page. By means this embedding, Instagram receives the information that your browser has accessed the corresponding page of our Internet presence, even if you do not have an Instagram profile or are not currently logged on to Instagram. This information (including your IP address) is transmitted directly from your browser to one of Instagram’s servers in the United States and stored there. If you are logged on to Instagram, Instagram can assign a visit to our website directly to your Instagram account. When you interact with the plugins, for instance using the “Instagram” button, this information is also transmitted directly to an Instagram server and stored there. The information is also published on your Instagram account and displayed to your contacts there. You can find information about the purpose and scope of the data collection and other processing and use of the data by Instagram as well as your rights and related setting options to protect your private sphere in Instagram’s data protection provisions: https://help.instagram.com/155833707900388/
If you do not want Instagram to assign data collected via our Internet presence directly to your Instagram account, you have to log out from Instagram before visiting our website. You can also completely block the loading of Instagram plugins with add-ons for your browser, e.g. with the script-blocker “NoScript”: (http://noscript.net/).
We basically retain your data for as long as this is required for compliance with all provisions relating to tax and commercial law. After the expiration of this period of time, we delete your data. You have the right to request information about the data we have stored free of charge at any time and without providing reasons. You can amend, block, or delete these data at any time. You can revoke your consent to our collecting, storing, and using your data at any time, without providing reasons. Should it be necessary to amend this data protection declaration, we have the right to do so at any time. We will, however, inform you about an amended declaration in an appropriate form. We will not make any change to your disadvantage that deviates from this without your consent.
14. Data Protection Provisions Regarding the Deployment and Use of Google Analytics (with Anonymization Function)
The data controller has embedded the components of Google Analytics (with anonymization function) in its website. Google Analytics is a web analysis service. Web analysis is the collection, compiling, and evaluation of data about the behavior of visitors to Internet pages. A web analysis service gathers data about, among other things, the Internet page via which a data arrives at another Internet page (the so-called referrer), what subpages of the Internet page are accessed, or how often and for what period of time a subpage is viewed. Web analysis is primarily used to optimize an Internet page and to perform cost-use analyses of Internet advertising.
The company that provides the Google Analytics components is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The data controller uses the addition “_gat._anonymizeIp” for web analysis by Google Analytics. By means of this addition, the IP address of the Internet connection of the data subject is shortened and anonymized by Google if the access to our website takes place from a Member Country of the European Union or from another Contracting State to the Agreement on the European Economic Area.
The purpose of Google Analytics components is to analyze the flow of visitors to our website. Google uses the data and information obtained to, among other things, evaluate the use of our website in order to compile online reports for us on the activities on our Internet pages and to provide further services connected with the use of our website.
Google Analytics stores a cookie on the data subject’s information technology system. What cookies are has already been explained above. Storing cookies enables Google to analyze the use of our website. Each accessing of one of the individual pages of the website operated by the data controller in which a Google Analytics component has been embedded automatically occasions the Internet browser on the data subject’s information technology system to transmit data to Google for the purpose of online analysis as a result of the respective Google Analytics component. Within the framework of this technical procedure, Google receives information about personal data such as the IP address of the data subject, which enables Google, et al., to trace the origin of the visitor and clicks, and to consequently calculate commissions.
By means of cookies, personal information such as the time of access, the place from which access originates, and the frequency of visits to our website by the data subject are stored. These personal data, including the IP address of the Internet connection used by the data subject, are transmitted to Google in every time someone visits our website. Google stores these personal data in the United States of America. Under certain circumstances, Google passes the personal data collected by this technical procedure on to third parties.
As already described above, the data subject can block the placement of cookies by our website at any time by means of a corresponding setting in the Internet browser used and consequently object to the storage of cookies long term. Such a setting in the Internet browser used would also prevent Google from storing a cookie on the data subject’s information technology system. In addition, it is also possible to delete cookies that have already been stored by Google Analytic at any time by means of the Internet browser or other software programs.
You can find further information and the data protection provisions of Google that apply at: https://www.google.de/intl/de/policies/privacy/ and at: http://www.google.com/analytics/terms/de.html. The following link provides a more in-depth explanation of Google Analytics: https://www.google.com/intl/de_de/analytics/.
15. Payment Method: Data Protection Provisions for PayPal as a Payment Method
The party responsible for the processing has embedded components of PayPal in this website. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. If a user does not have a PayPal account, it is also possible with PayPal to process virtual payments via credit card. A PayPal account is managed via an email address, which is why there is no classic account number. PayPal makes it possible to make payments online to third parties as well as to receive payments. PayPal also assumes a fiduciary capacity and offers buyer protection services.
Paypal’s European operating company is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22–24 Boulevard Royal, 2449 Luxemburg, Luxemburg.
If the data subject selects “PayPal” during the process of ordering from our online shop, data about the data subject are automatically transmitted to PayPal. By selecting this option, the data subject agrees to the transmission of personal data necessary to process the payment.
The personal data transmitted to PayPal generally includes the first name, surname, address, email address, IP address, telephone number, cellphone number, or other data required in order to process payment. To process the purchase agreement, personal data connected with the respective order are also necessary.
Data is transmitted for the purpose of processing payment and preventing fraud. The data controller transmits personal data to PayPal in particular when there is a legitimate interest in the transmission. The personal data that is exchanged between PayPal and the data controller are transmitted by PayPal, if need be, to credit agencies. This transmission is for the purpose of identity and credit checks.
PayPal passes on personal data, if necessary, to affiliated companies and service providers or subcontractors insofar as this is necessary to fulfill contractual obligations or if the data are supposed to be processed by subcontractors.
The data subject has the option to revoke consent to PayPal’s handling of personal data at any time. A revocation has no effect on personal data that must mandatorily be used or transmitted in order to process payment (according to the contract).
You can access PayPal’s data protection provisions at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
16. Legal Basis for Processing
Art. 6 I lit. a GDPR serves our company as the legal basis for processing operations, for which we receive consent for a specific processing purpose. If the processing of personal data is necessary to fulfill a contract whose contracting party is the data subject, as is the case, for instance, in processing operations that are required for the delivery of goods or the provision of other services or services in return, the processing is based on Art. 6 I lit. b GDPR. The same applies in the case of such processing operations that are necessary to implement pre-contractual measures, for example, in the case of requests for our products or services. Should our company be subject to a legal obligation that necessitates a processing of personal data, for instance, in order to fulfill tax obligations, the processing is then based on Art. 6 I lit. c GDPR. In rare cases, the processing of personal data might be necessary in order to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our operations were to be injured and his or her name, age, health insurance data, or other vital information consequently had to passed on to a doctor, hospital, or other third party. The processing would then be based on Art. 6 I lit. d GDPR. Finally, processing operations might be based on Art. 6 I lit. f GDPR. Processing operations that are not covered by any of the abovementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or that of a third party, insofar as the interests, basic rights, or freedoms of the data subject do not override them. We are permitted to perform such processing operations in particular because the European legislator has mentioned them specifically. The legislator maintains that a legitimate interest can be assumed insofar as the data subject is a customer of the data controller (recital Art. 47 (2) GDPR).
17. Legitimate Interests in Processing Pursued by the Data Controller or a Third Party
Should the processing of personal data be based on Art. 6 I lit. f GDPR, our legitimate interest is conducting our business activities for the wellbeing of all our employees and shareholders.
18. Period for which Personal Data Are Stored
The criterion for the period for which personal data are stored is the respective legal retention period. After the end of this period, the corresponding data are routinely deleted, insofar as they are no longer necessary to fulfill or initiate a contract.
19. Legal or Contractual Provisions Regarding the Provision of Personal Data; Necessity for the Conclusion of a Contract; Obligation of the Data Subject to Provide Personal Data; Possible Consequences of a Failure to Provide Personal Data
We inform you that the provision of personal data is, in part, legally required (e.g. tax regulations) or can arise from contractual regulations (e.g. information on the contract partner). It can at times be necessary for the conclusion of a contract that a data subject makes personal data available to us and that we consequently have to process such data. The data subject is obliged, for instance, to provide us with personal data when our company concludes a contract with the data subject. A failure to provide personal data would result in the fact that it would not be possible to conclude the contract with the data subject. Prior to providing personal data, the data subject must contact one of our employees. Our employee(s) clarify to the data subject on a case-by-case basis whether the provision of personal data is legally or contractually mandatory or is necessary to conclude the contract, whether there is an obligation to provide personal data, and what consequences the failure to provide personal data would have.
20. Existence of Automated Decision Making
As a conscientious company, we do not make use of automated decision making or profiling.
In the event of any conflict or contradiction between the German version of this declaration and its English translation, the original German version is legally binding.