1. Terminology Used
1.1. "Personal data" refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics expressing the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.2. "Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses practically any handling of data.
1.3. The "controller" is the natural or legal person, authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
2. Relevant Legal Basis
The legal basis for obtaining consent is Article 6(1)(a) and Article 7 of the GDPR. The legal basis for processing in order to fulfill our services and carry out contractual measures, as well as to respond to inquiries, is Article 6(1)(b) of the GDPR. The legal basis for processing to fulfill our legal obligations is Article 6(1)(c) of the GDPR. The legal basis for processing to protect our legitimate interests is Article 6(1)(f) of the GDPR. In the event that the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis.
3. Changes and Updates to the Privacy Notice
We kindly ask you to regularly inform yourself about the content of our privacy notice. We will adapt the privacy notice as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or any other individual notification.
4. Security Measures
4.1. In accordance with Article 32 of the GDPR, taking into account the state of the art, the implementation costs, the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data and logical access to it, as well as its input, disclosure, availability, and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the erasure of data, and the response to data breaches. Additionally, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
4.2. One of the security measures in place is the encrypted transmission of data between your browser and our server (HTTPS, i.e., TLS).
5. Disclosure and Transfer of Data
5.1. If, as part of our processing activities, we disclose data to other individuals or companies (data processors or third parties), transmit data to them, or otherwise grant them access to the data, this is done only on the basis of a legal permission (e.g., if the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract in accordance with Article 6(1)(b) of the GDPR), if you have given consent, if there is a legal obligation, or based on our legitimate interests (e.g., when using agents, hosting providers, tax, economic, and legal advisors, customer support, accounting, billing, and similar services that enable us to efficiently and effectively fulfill our contractual obligations, manage tasks, and meet our obligations).
5.2. If we engage third parties to process data on the basis of a so-called "data processing agreement," this is done in accordance with Article 28 of the GDPR.
6. Transfers to Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing/transferring data to third parties, this takes place only if it is necessary for the fulfillment of our contractual or pre-contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Articles 44 et seq. of the GDPR are met. This means that the processing is, for example, based on specific safeguards, such as an officially recognized determination that the country provides a level of data protection corresponding to that of the EU (an "adequacy decision"), or on compliance with officially recognized special contractual obligations (so-called "standard contractual clauses"). Note that the EU-US Privacy Shield referred to elsewhere in this notice was invalidated by the Court of Justice of the EU on 16 July 2020 (Schrems II, C-311/18); since then, transfers to the USA rely on standard contractual clauses with supplementary measures or, following the adequacy decision of 10 July 2023, on the EU-U.S. Data Privacy Framework for recipients certified under it.
7. Rights of Data Subjects
7.1. You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to request information about these data, as well as further information and a copy of the data, in accordance with Article 15 of the GDPR.
7.2. In accordance with Article 16 of the GDPR, you have the right to request the completion of incomplete personal data or the rectification of inaccurate personal data concerning you.
7.3. In accordance with Article 17 of the GDPR, you have the right to request the erasure of personal data concerning you without undue delay, or alternatively, in accordance with Article 18 of the GDPR, to request the restriction of processing of your personal data.
7.4. In accordance with Article 20 of the GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller.
7.5. Furthermore, according to Article 77 of the GDPR, you have the right to lodge a complaint with the competent supervisory authority.
8. Right to Withdraw Consent
You have the right to withdraw your consent at any time with effect for the future, in accordance with Article 7(3) of the GDPR. This means that if you have previously given your consent for the processing of your personal data, you can revoke that consent. Please note that the revocation does not affect the lawfulness of the processing based on the consent before its withdrawal.
9. Right to Object
According to Article 21 of the GDPR, you have the right to object, on grounds relating to your particular situation, to the processing of your personal data that is based on Article 6(1)(e) or (f) of the GDPR, with effect for the future. If your personal data is processed for direct marketing purposes, you may object to this at any time without giving reasons.
10. Cookies and Right to Object to Direct Advertising
10.1. "Cookies" are small files that are stored on users' computers. Cookies can contain various pieces of information. Their primary purpose is to store information about a user (or the device on which the cookie is stored) during or after their visit to an online service. Temporary cookies, also known as "session cookies" or "transient cookies," are cookies that are deleted after a user leaves an online service and closes their browser. Such a cookie can, for example, store the contents of a shopping cart in an online store or a login status. "Persistent cookies" are cookies that remain stored even after the browser is closed. For example, the login status can be saved if users visit the service again after several days. Similarly, such a cookie can store users' interests, which can be used for audience measurement or marketing purposes. "Third-party cookies" are cookies from providers other than the controller operating the online service (otherwise, if they are only the controller's cookies, they are referred to as "first-party cookies").
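As an added illustration of the three distinctions drawn above (session versus persistent, first-party versus third-party), and not part of this notice, the following Python classifies Set-Cookie response headers by those criteria. The headers, host names, constants and function names are constructed for the example; the registrable-domain check is a two-label approximation because no Public Suffix List is bundled.

```python
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    persistent: bool            # survives browser close (Max-Age or Expires set)
    third_party: bool           # set for a site other than the one being visited
    missing_hardening: tuple    # of ("secure", "httponly") not present on the cookie


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def registrable_domain(host: str) -> str:
    """Approximation (assumption): the last two DNS labels.

    Real deployments need the Public Suffix List, otherwise e.g. a.co.uk and
    b.co.uk would wrongly be treated as the same site.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_cookie(header: str, response_host: str, top_level_site: str) -> CookieReport:
    name, _value, attrs = parse_set_cookie(header)
    # RFC 6265 section 5.3: Max-Age takes precedence over Expires; either one
    # turns a session cookie into a persistent one.
    persistent = "max-age" in attrs or "expires" in attrs
    # Without a Domain attribute the cookie is scoped to the responding host;
    # a leading dot on Domain is ignored by browsers.
    cookie_domain = (attrs.get("domain") or response_host).lstrip(".")
    third_party = registrable_domain(cookie_domain) != registrable_domain(top_level_site)
    missing = tuple(a for a in ("secure", "httponly") if a not in attrs)
    return CookieReport(name, persistent, third_party, missing)


# Constructed sample headers: (Set-Cookie value, host that sent it). The user
# is visiting shop.example.com in all cases.
SAMPLE_RESPONSES = [
    ("cart=3-items; Path=/", "shop.example.com"),
    ("sessionid=abc123; Path=/; Secure; HttpOnly", "shop.example.com"),
    ("login=tok; Max-Age=2592000; Path=/; Secure; HttpOnly; SameSite=Lax", "shop.example.com"),
    ("IDE=xyz; Expires=Wed, 21 Oct 2030 07:28:00 GMT; Domain=.doubleclick.net; Path=/",
     "ad.doubleclick.net"),
]
TOP_LEVEL_SITE = "shop.example.com"


def classify_samples():
    return [classify_cookie(h, host, TOP_LEVEL_SITE) for h, host in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for report in classify_samples():
        kind = "persistent" if report.persistent else "session"
        party = "third-party" if report.third_party else "first-party"
        print(f"{report.name:10} {kind:11} {party:12} missing={report.missing_hardening}")
```

The practical check this adds: a cookie that carries login status (section 12.2) is persistent by design and should therefore be sent only over the encrypted connection described in section 4.2 (Secure) and be unreadable to page scripts (HttpOnly); the report flags cookies lacking either attribute.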
11. Data Deletion
11.2. Germany: In accordance with legal requirements, data is retained for the statutory periods. Under Section 257(1) and (4) of the German Commercial Code (Handelsgesetzbuch, HGB), commercial books, inventories, opening balance sheets, annual financial statements, management reports, and accounting records are retained for 10 years, and commercial letters received and sent for 6 years. Under Section 147(1) and (3) of the German Fiscal Code (Abgabenordnung, AO), books, records, inventories, annual financial statements, management reports, and accounting records are retained for 10 years, and commercial and business letters as well as other documents relevant for taxation for 6 years.
12. Order Processing in the Online Shop and Customer Account
12.1. We process the data of our customers as part of the order process in our online shop in order to enable them to select and order the chosen products and services, as well as to facilitate their payment and delivery or execution.
12.2. The processed data includes inventory data, communication data, contract data, and payment data. The data subjects are our customers, prospective customers, and other business partners. The processing is carried out for the purpose of providing contractual services within the operation of an online shop, invoicing, delivery, and customer support. In this process, we use session cookies to store the contents of the shopping cart and persistent cookies to store the login status.
12.3. The processing is based on Art. 6(1)(b) (performance of contract) and (c) (legal obligations) of the GDPR. The information marked as required is necessary for the establishment and fulfillment of the contract. We only disclose the data to third parties within the scope of delivery, payment, or as permitted by law and required by legal obligations to legal advisors and authorities. The data is processed in third countries only if it is necessary for the fulfillment of the contract (e.g., at the customer's request for delivery or payment).
12.4. Data is deleted after the expiration of statutory warranty and similar obligations, and the necessity of retaining the data is reviewed every three years. In the case of statutory archiving obligations, deletion takes place after their expiration (end of commercial retention obligations of 6 years and tax retention obligations of 10 years). Information in the customer account is retained until it is deleted.
13. Business Analysis and Market Research
13.1. In order to operate our business economically and to identify market trends, customer and user preferences, we analyze the data available to us regarding business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, and metadata based on Art. 6(1)(f) of the GDPR. The data subjects include customers, prospective customers, business partners, visitors, and users of the online offering. The analyses are carried out for the purpose of business evaluations, marketing, and market research. In these analyses, we may take into account the profiles of registered users, including information about their purchase transactions. The analyses serve to improve user-friendliness, optimize our offering, and enhance our business efficiency. The analyses are conducted solely by us and are not disclosed externally, unless they involve anonymous analyses with aggregated values.
13.2. If these analyses or profiles are personally identifiable, they are deleted or anonymized upon termination of the user's contract, or otherwise after two years from the conclusion of the contract. In addition, the overall business analyses and general trend determinations are anonymized to the extent possible.
13.3. Checking the creditworthiness of a customer is permissible if there is a risk of non-payment, such as when delivering goods without the payment having been received (e.g., when the customer chooses the "purchase on account" option). No risk of non-payment exists, for example, if the customer chooses the prepayment option or makes the payment through third-party providers such as PayPal.
Please note that an automatic credit check constitutes "automated individual decision-making" under Art. 22 of the GDPR, i.e., a decision based solely on automated processing that produces legal effects concerning the customer or similarly significantly affects them. This is permissible if the customer has given explicit consent or if the decision is necessary for entering into or performing the contract. Whether the decision is necessary is not yet conclusively clarified, but it is widely accepted, including by the author of this template. However, if you want to eliminate any risk, you should obtain consent.
Consent is also required if the credit check is used to determine whether the "purchase on account" option should be displayed at all. This is because it could have been the case that the customer would have chosen prepayment or PayPal anyway, and the credit check would not have been necessary.
Such consent could be as follows:
14. Contact and Customer Service
14.1. When contacting us (via contact form or email), the user's information provided will be processed for the purpose of handling the contact inquiry and its processing in accordance with Art. 6(1)(b) of the GDPR.
14.2. The user's information may be stored in our Customer Relationship Management system (CRM system) or a comparable inquiry organization.
14.3. We delete inquiries as soon as they are no longer necessary. We review the necessity every two years. Inquiries from customers who have a customer account with us are retained for as long as the account exists; for their deletion, we refer to the information regarding the customer account. Furthermore, statutory retention obligations apply.
15. Collection of Access Data and Log Files
15.1. Based on our legitimate interests pursuant to Art. 6(1)(f) of the GDPR, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website or file, the date and time of access, the amount of data transferred, the status of the request (e.g., the HTTP status code), the browser type and version, the user's operating system, the referrer URL (the previously visited page), the IP address, and the requesting provider.
15.2. For security reasons (e.g., to investigate misuse or fraudulent activities), log file information is stored for a maximum of seven days and then deleted. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident is finally clarified.
16. Online Presence in Social Media
16.1. Based on our legitimate interests pursuant to Art. 6(1)(f) of the GDPR, we maintain online presences within social networks and platforms to communicate with and provide information about our services to customers, prospects, and users active on these platforms. When accessing the respective networks and platforms, the terms of service and data processing policies of their respective operators apply.
16.3. We use Google Analytics to display advertisements within Google's advertising services and its partners' services to users who have shown an interest in our online offerings or who exhibit certain characteristics (e.g., interests in specific topics or products determined based on visited websites), which we transmit to Google (referred to as "remarketing" or "Google Analytics audiences"). With the help of remarketing audiences, we aim to ensure that our ads correspond to the potential interests of users and are not perceived as intrusive.
17. Google Analytics
17.2. Google was certified under the Privacy Shield agreement, which was intended to ensure an adequate level of data protection for transfers to the USA (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active); see section 6 on the status of transfers to third countries.
17.3. Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on activities within this online offering, and to provide us with further services related to the use of this online offering and internet usage. The processed data may be used to create pseudonymous user profiles.
17.4. We only use Google Analytics with IP anonymization enabled. This means that the IP address of users is truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there.
17.5. The IP address transmitted by the user's browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software accordingly. Furthermore, users can prevent Google from collecting and processing the data generated by the cookie and related to their use of the online offering by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
17.6. For more information about Google's data usage, settings, and opt-out options, please visit Google's websites: https://www.google.com/intl/de/policies/privacy/partners ("How Google uses data when you use our partners' sites or apps"), https://policies.google.com/technologies/ads ("Data usage for advertising purposes"), https://adssettings.google.com/authenticated ("Managing information that Google uses to show you advertisements").
18. Google Marketing Services
18.1. Based on our legitimate interests (i.e., the interest in analyzing, optimizing, and operating our online offering within the meaning of Art. 6(1)(f) of the GDPR), we use the marketing and remarketing services (collectively "Google Marketing Services") provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
18.2. Google was certified under the Privacy Shield agreement, which was intended to ensure an adequate level of data protection for transfers to the USA (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active); see section 6 on the status of transfers to third countries.
18.3. The Google Marketing Services allow us to display targeted advertisements for and on our website to users who may be interested in our products or services. If a user is shown ads for products they previously viewed on other websites, this is referred to as "remarketing." To achieve this, Google executes code on our website and on other websites where Google Marketing Services are active, and embeds (re)marketing tags (invisible graphics or code, also known as "web beacons") when the page is accessed. These tags cause an individual cookie (a small file) to be stored on the user's device. The cookies may be set by various domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. The cookie records the websites the user has visited, the content they are interested in, the offers they clicked on, technical information about the browser and operating system, referring websites, the time of the visit, and other information about the use of the online offering. The IP address of users is also captured. Within the framework of Google Analytics, the IP address of users is truncated within member states of the European Union or in other contracting states of the Agreement on the European Economic Area; only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. The IP address is not merged with other data from Google within other offerings. The aforementioned information may be combined by Google with information from other sources. When users subsequently visit other websites, they may be shown tailored advertisements based on their interests.
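Sections 17.4 and 18.3 both describe the truncation Google applies under "IP anonymization". As an added example that is neither Google's code nor part of this notice, the following Python reimplements that truncation rule (Google documents it as zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address) and applies it to the client-address field of server log lines of the kind described in section 15. Function names, constants and the sample log lines are constructed for the example.

```python
import ipaddress

# Truncation rule as documented for Google Analytics' IP anonymization
# (assumption: reimplemented here for illustration, not Google's code).
IPV4_KEEP_BITS = 24   # zero the last octet    -> 203.0.113.77 becomes 203.0.113.0
IPV6_KEEP_BITS = 48   # zero the last 80 bits  -> keep only the first three groups


def anonymize_ip(addr: str) -> str:
    """Return the truncated form of an IPv4 or IPv6 address literal."""
    ip = ipaddress.ip_address(addr)
    # Edge case: clients behind a dual-stack front end often show up as
    # IPv4-mapped IPv6 addresses (::ffff:a.b.c.d). Applying the /48 rule to
    # those would zero the entire IPv4 part, so unwrap them first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    drop = ip.max_prefixlen - keep
    masked = (int(ip) >> drop) << drop
    return str(type(ip)(masked))   # same address family, host bits zeroed


def anonymize_log_line(line: str) -> str:
    """Apply the truncation to the leading client-address field of an
    Apache/nginx "combined" log line. Lines whose first field is not an
    address literal (e.g. "-") are returned unchanged."""
    client, sep, rest = line.partition(" ")
    try:
        return anonymize_ip(client) + sep + rest
    except ValueError:
        return line


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /shop/cart HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:1234:5678:9abc:def0:1234:5678 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '::ffff:203.0.113.77 - - [10/Oct/2023:13:55:41 +0000] "POST /checkout HTTP/1.1" 200 512 "-" "curl/8.0"',
]


def anonymize_sample_log():
    return [anonymize_log_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, anonymize_sample_log()):
        print(before.split(" ", 1)[0], "->", after.split(" ", 1)[0])
```

Caveat: zeroing the host bits is pseudonymization rather than anonymization in the GDPR sense. A /24 still narrows the client to at most 256 hosts, and combined with a persistent cookie the record is readily re-identifiable, so the seven-day deletion rule in section 15.2 still applies to truncated logs.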
18.4. The user data is processed pseudonymously within the Google Marketing Services. This means that Google does not store or process the names or email addresses of users but processes the relevant data cookie-related within pseudonymous user profiles. From Google's perspective, the ads are not managed and displayed for a specifically identified person but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly allowed Google to process the data without pseudonymization. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google's servers in the United States.
18.5. One of the Google Marketing Services we use is the online advertising program "Google AdWords" (now "Google Ads"). In the case of Google AdWords, each AdWords customer receives a different "conversion cookie"; conversion cookies therefore cannot be used to track users across the websites of different AdWords customers. The information obtained through the cookie is used to compile conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers are provided with the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that personally identifies users.
18.8. We may also use the service "Google Optimize." Google Optimize allows us to track the effects of different changes to a website (e.g., changes to input fields, design, etc.) through so-called A/B testing. For these testing purposes, cookies are stored on users' devices, and only pseudonymous user data is processed.
18.9. We may also use the "Google Tag Manager" to integrate and manage Google Analytics and Marketing Services into our website.
19. Facebook Custom Audiences and Facebook Marketing Services
19.1. Within our online offering, we use the "Facebook pixel" provided by the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are located in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), based on our legitimate interests in analyzing, optimizing, and operating our online offering within the meaning of Art. 6(1)(f) of the GDPR.
19.2. Facebook was certified under the Privacy Shield agreement, which was intended to ensure an adequate level of data protection for transfers to the USA (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active); see section 6 on the status of transfers to third countries.
19.3. The Facebook pixel allows Facebook to determine the visitors of our online offering as a target group for displaying ads (called "Facebook ads"). Accordingly, we use the Facebook pixel to display Facebook ads only to Facebook users who have shown an interest in our online offering or who have certain characteristics (e.g., interests in specific topics or products based on visited websites) that we transmit to Facebook (called "custom audiences"). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interests of users and are not annoying. Additionally, the Facebook pixel allows us to track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (called "conversion").
19.4. The processing of data by Facebook is carried out in accordance with Facebook's data usage policy. For general information about displaying Facebook ads, please refer to Facebook's data usage policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook pixel and how it works, please visit Facebook's Help Center: https://www.facebook.com/business/help/651294705016616.
19.5. You can opt out of data collection by the Facebook pixel and of the use of your data for displaying Facebook ads. To control the types of ads shown to you on Facebook, you can visit the page set up by Facebook and follow the instructions for ad settings: https://www.facebook.com/settings?tab=ads. These settings apply across platforms, meaning they are applied to all devices, such as desktop computers or mobile devices.
19.6. You can also opt out of cookies used for audience measurement and advertising purposes by visiting the Network Advertising Initiative's deactivation page (http://optout.networkadvertising.org/) and additionally the U.S. website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
20. Facebook Social Plugins
20.1. Based on our legitimate interests (i.e., interest in analyzing, optimizing, and operating our online offering within the meaning of Art. 6(1)(f) of the GDPR), we use social plugins ("plugins") from the social network facebook.com, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can display interaction elements or content (e.g., videos, graphics, or text posts) and can be recognized by one of the Facebook logos (a white "f" on a blue tile, the terms "Like" or "Gefällt mir," or a thumbs-up symbol) or are marked with the addition "Facebook Social Plugin." The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
20.2. Facebook was certified under the Privacy Shield agreement, which was intended to ensure an adequate level of data protection for transfers to the USA (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active); see section 6 on the status of transfers to third countries.
20.3. When a user accesses a function of this online offering that contains such a plugin, their device establishes a direct connection to Facebook's servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online offering. This allows usage profiles of users to be created from the processed data. We have no influence on the scope of data that Facebook collects using this plugin and therefore inform users based on our knowledge.
20.4. By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offering. If the user is logged in to Facebook, Facebook can assign the visit to their Facebook account. When users interact with the plugins, for example, by pressing the Like button or leaving a comment, the corresponding information is directly transmitted from their device to Facebook and stored there. Even if a user is not a member of Facebook, there is still a possibility that Facebook will learn and store their IP address. According to Facebook, only anonymized IP addresses are stored in Germany.
20.6. If a user is a Facebook member and does not want Facebook to collect data about them via this online offering and link it to their stored Facebook member data, they must log out of Facebook before using our online offering and delete their cookies. Further settings and objections to the use of data for advertising purposes can be made within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. These settings apply across platforms, meaning they are applied to all devices, such as desktop computers or mobile devices.
21. Communication via Mail, Email, Fax, or Telephone
21.1. For business transactions and marketing purposes, we use remote communication methods such as mail, telephone, or email. In doing so, we process master data, address and contact data, as well as contract data of customers, participants, interested parties, and communication partners.
21.2. The processing is based on Art. 6(1)(a), Art. 7 of the GDPR, Art. 6(1)(f) of the GDPR in connection with legal requirements for promotional communications. Contact is made only with the consent of the contact partners or within the scope of legal permissions, and the processed data will be deleted as soon as they are no longer necessary or upon objection/revocation or the expiration of legal retention obligations.
22. Integration of Third-Party Services and Content
22.1. Within our online offering, based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6(1)(f) of the GDPR), we use content or service offerings from third-party providers to incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content"). This always presupposes that the third-party providers of this content receive the IP address of the users, because without it they could not deliver the content to the users' browsers. The IP address is therefore necessary for the display of this content. We endeavor to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring web pages, the time of the visit, and other information about the use of our online offering, and may be linked to such information from other sources.
22.2. The following presentation provides an overview of third-party providers and their content, along with links to their privacy policies, which provide further information on the processing of data and, in some cases, already mentioned opt-out options:
- If our customers use third-party payment services (e.g., PayPal or Sofortüberweisung), the terms and conditions and privacy policies of the respective third-party providers apply, which can be accessed within the respective websites or transaction applications.