Last updated: 06.02.2020
2 Overview of processing activities
The following overview summarises the types of data processed and the purposes of processing, and refers to data subjects.
- Types of data processed
Inventory data (e.g. names, addresses), content data (e.g. text, photos, videos), contact data (e.g. email addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. web pages visited, interest in content, access times), contract data (e.g. subject matter of the contract, term, customer category), payment data (e.g. bank details, invoices, payment history)
- Categories of data subject
Business and contract partners, prospects, communication partners, customers, users (e.g. website visitors, users of online services)
- Purposes of processing
3 Relevant legal bases
Our legal bases for processing personal data are listed below. In this regard, it is important to note that national data protection regulations may apply in addition to the provisions set down in the General Data Protection Regulation (GDPR).
- Consent (Art. 6 (1), sentence 1, (a) of the GDPR)
- Performance of a contract and steps prior to entering into a contract (Art. 6 (1), sentence 1, (b) of the GDPR)
- Legal obligation (Art. 6 (1), sentence 1, (c) of the GDPR)
- Legitimate interests (Art. 6 (1), sentence 1, (f) of the GDPR)
In Germany, the German Federal Data Protection Act (BDSG) applies in addition to the data protection provisions set down in the GDPR. In particular, the BDSG contains special rules on the right of access, right to erasure, right to object, the processing of special categories of personal data, processing for other purposes, and transmission and automated individual decision-making. In addition, it governs data processing for the purposes of an employment relationship (Section 26 of the BDSG), particularly with regard to establishing, implementing and terminating employment relationships, plus employee consent. Individual federal states’ data protection laws may also apply.
4 Security measures
We use the widespread SSL (Secure Socket Layer) process on our website in combination with the highest level of encryption supported by your browser, which is usually 256-bit encryption. If your browser does not support 256-bit encryption, we shall use 128-bit v3 technology instead. The key or padlock symbol in your browser’s status bar shows you whether pages on our website are using encrypted data transmission.
We also implement appropriate technical and organisational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously updated in line with technological advances.
5 Transmission and disclosure of personal data
As part of our personal data processing activities, the data may be transferred or disclosed to other bodies, companies or individuals. Recipients of this data may include the likes of payment institutions during payment processes, service providers tasked with providing IT services, or providers of services and content incorporated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with recipients of your data to protect the same.
6 Data processing in third countries
If we process data in a third country (i.e. outside of the European Union (EU) and the European Economic Area (EEA)), or if third-party services are used for processing or data is disclosed or transmitted to other individuals, bodies or companies for processing, this shall take place only in compliance with legal requirements.
Cookies are used to improve your experience when using our website. We use ‘session cookies’ to detect whether you have previously visited individual pages of our website. Session cookies are deleted automatically once you leave our site.
We also use temporary cookies to make the website more user-friendly. These cookies are stored on your terminal device for a fixed period of time. If you visit our website again to use our services, the fact that you previously visited shall be detected and your information and settings shall be retained, so you don’t need to enter the same details again.
The data processed by cookies is necessary for the specified purposes to protect our legitimate interests and those of third parties in accordance with Art. 6 (1), sentence 1, (f) of the GDPR.
Most browsers automatically accept cookies. However, you can configure your browser not to store cookies on your computer or to always display a message before a new cookie is stored. However, if you disable all cookies, you may be unable to use all of the features of our website.
Regardless of whether processing is carried out based on your consent or is permitted by law, you may withdraw any consent you granted or object to the processing of your data using cookie technologies at any time.
8 Commercial and business services
We process our customers’ and prospects’ data as part of contractual and similar legal relationships and related measures, and when communicating with contractual partners (or prior to entering into a contract), e.g. to respond to enquiries.
We process this data to fulfil our contractual obligations, to safeguard our rights and for the purpose of related administrative tasks and business organisation. We only forward customer data to third parties to the extent permitted by applicable law and required for the aforementioned purposes or to comply with legal obligations, or with the consent of the contractual partner (e.g. to telecommunications and transport companies involved in our operations, banks, tax and legal advisors, payment service providers or tax authorities).
We erase the data once statutory warranty and similar obligations elapse, which is generally after four years or, where the data is stored in a customer account, for the duration for which archives need to be retained on legal grounds (e.g. usually 10 years for tax purposes). We erase data disclosed to us during a customer order in accordance with the contract and once the contracted work has been completed.
If we use third-party providers or platforms to provide our services, the respective third-party providers’ or platforms’ terms and conditions and privacy policies shall apply to the relationship between users and the providers.
Customers may create an account on our website. If customers need to register for a customer account, they shall be notified to this effect and of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent log-in and use of the customer account, we store customers’ IP addresses and access times as evidence of the registration and so that we can prevent misuse of the customer account.
When a customer closes their account, the associated data is erased except where it must be retained on legal grounds. The customer is responsible for backing up their data when closing their customer account.
We process our customers’ data for our online shop and within the scope of our activity to allow customers to select and purchase/order the selected products, goods and associated services or to engage us to provide the selected services, and to enable payment for, delivery/execution of or provision of the same.
The information required is indicated when placing the order or concluding the contract and includes the information needed for delivery and billing, as well as contact information for any consultation needed.
The legal bases are: performance of a contract and steps prior to entering into a contract (Art. 6 (1), sentence 1, (b) of the GDPR), legal obligation (Art. 6 (1), sentence 1, (c) of the GDPR), legitimate interests (Art. 6 (1), sentence 1, (f) of the GDPR).
9 Web hosting via Strato
The legal basis is our legitimate interest in operating and maintaining the operational security of this website in accordance with Art. 6 (1), sentence 1, (f) of the GDPR.
10 Services provided by Ecwid for the online shop
The legal basis is our legitimate interest in operating and maintaining the operational security of this website in accordance with Art. 6 (1), sentence 1, (f) of the GDPR.
11 Payment service providers
In addition to banks and credit institutions, we engage the services of other payment service providers (hereinafter referred to as ‘payment service providers’) in our contractual and other legal relationships, to comply with legal obligations or based on our legitimate interests, so that we can offer the data subjects efficient and secure payment methods.
The data processed by the payment service providers includes inventory data (e.g. name and address), bank details (e.g. account number or credit card number), passwords, transaction numbers and checksums, and contract, amount and recipient-related information. This information is necessary to execute the transaction. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account or credit card information; we only receive confirmation of successful payment or notification of a failed payment. In certain circumstances, the payment service providers may transmit the data to credit agencies so that identity and credit checks can be performed. Please refer to the payment service providers’ GTCs and privacy policies.
The following data is processed: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject matter of the contract, term, customer category), usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
The legal bases for processing are: performance of a contract and steps prior to entering into a contract (Art. 6 (1), sentence 1, (b) of the GDPR), legitimate interests (Art. 6 (1), sentence 1, (f) of the GDPR).
Services and service providers used:
12 Contact form
We provide a contact form on our website, which you can use to contact us with any questions that you may have. The form requires you to enter a valid email address so that we know who submitted the enquiry and to enable us to respond. You can also choose to provide other information. Data processing for the purpose of contacting us is based on your voluntary consent, in accordance with Art. 6 (1), sentence 1, (a) of the GDPR.
13 Marketing by post, email or telephone
We process personal data for marketing purposes, which may take place using various channels such as email, telephone and post. We comply with legal requirements and, unless the communication is permitted by law, obtain the necessary consent. Recipients have the right to withdraw any consent they may have granted or to object to marketing communication at any time.
After this withdrawal of consent or objection, we may store the data necessary to evidence consent for up to three years based on our legitimate interests before erasing the same. This data shall only be processed to defend any claims. An individual erasure request can be made at any time if the existence of previous consent is at the same time confirmed.
The following data is processed for the purpose of direct marketing based on consent given (Art. 6 (1), sentence 1, (a) of the GDPR) or a legitimate interest (Art. 6 (1), sentence 1, (f) of the GDPR): inventory data (e.g. names, addresses), contact details (e.g. email address, telephone numbers).
If you wish to subscribe to and regularly read our newsletter, you shall need to register with your full name and a valid email address, thereby giving your consent to our processing of your personal data. Please also read the declaration of consent on the newsletter registration form.
Before we can send you the newsletter, you need to confirm your subscription to our email newsletter through a double opt-in procedure. This procedure is used to ensure that the email address provided belongs to you. You shall receive a confirmation and authorisation email from us, and we shall ask you to click on the link in the email to confirm that you wish to receive our newsletter. If you do not confirm your subscription, your personal data shall be erased within a reasonable period of time.
In addition to your registered email address, we also store the registration time, confirmation time, IP address and consent text related to your registration. We shall only use the email address to send you our newsletter, unless you have expressly consented to another use.
Small, ‘invisible’ files (beacons) sent with the newsletter may be used to perform various analyses to improve the products and services we offer. The IP address, the browser used and the time that the newsletter was accessed and opened, as well as details of the links clicked on in the newsletter, are recorded and statistically evaluated.
The newsletter is sent based on the recipient’s consent in accordance with Art. 6 (1), sentence 1, (a) of the GDPR and Art. 7 of the GDPR in conjunction with Section 7 (2), Point 3 of the German Act against Unfair Competition. Opening and click-through rates are analysed based on our legitimate interest in accordance with Art. 6 (1), sentence 1, (f) of the GDPR. We have an interest in continuously optimising the products and services we offer for our users and in analysing user behaviour in order to do so.
Email delivery service provider:
We have concluded a processing contract with the provider pursuant to Art. 28 of the GDPR.
You may withdraw your consent if you no longer wish to receive the newsletter. You can thus unsubscribe from the newsletter at any time. Please use the link provided for this purpose in the newsletter.
15 Online marketing
We process personal data for the purpose of online marketing, which includes displaying promotional and other content (jointly referred to as ‘content’) based on users’ potential interests and measuring the effectiveness of this content.
User profiles are created for this purpose and stored in a file (a ‘cookie’) or similar methods are used to store relevant user information so that the aforementioned content can be displayed. Such information could include the likes of content viewed, websites visited and online networks used, as well as communication partners and technical information such as the browser and computer system used and information about usage times. If users have consented to their location data being shared, this data may also be processed.
Users’ IP addresses are also stored, but we use IP masking (i.e. pseudonymisation by truncating the IP address) to protect our users. Generally speaking, no personally identifiable user data (such as names or email addresses) is stored as part of the online marketing process, as data is pseudonymised. This means that even we as the provider of the online marketing process do not know the user’s identity, since we only see the information stored in the profiles.
The information in the profiles is usually stored in cookies or using a similar method. These cookies can generally also later be identified on other websites that use the same online marketing process and analysed to display content, supplemented with additional data, and stored on the online marketing service provider’s server.
In certain cases, exceptions apply that mean personally identifiable data may be assigned to profiles. For example, this is the case if a user is a member of a social network whose online marketing process we use and the network links the user’s profile with the above-mentioned information. Please note that users can enter into additional agreements with the providers, e.g. by giving consent at the time of registration.
We only have access to summarised information about the success of our advertising. However, we can use conversion tracking to verify which of our online marketing measures has led to a conversion, i.e. which measure led to the conclusion of a contract. Conversion tracking is only used to analyse the success of our marketing measures.
The following user data is processed: usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
Processing is carried out for the purpose of tracking, remarketing, evaluation of user actions, interest and behaviour-based marketing, profiling, conversion tracking and reach measurement.
Please also see the privacy policies published by the respective providers and their opt-out options. If no explicit option is given to opt out, one alternative is to disable cookies in your browser settings. However, doing so may mean that you are unable to use our website’s features. We therefore recommend using the following overall opt-out options offered for your territory: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) All territories: http://optout.aboutads.info.
Services and service providers used:
16 How is social media integrated?
Our domain offers the option of sharing social media posts via the social networks Tumblr, Pinterest, Twitter, Facebook, Blogger, Gmail and Yahoo Mail. When the user clicks on the embedded graphic, they are redirected to the Tumblr, Pinterest, Twitter, Facebook, Blogger, Gmail, Yahoo Mail or Google+ site, and it is therefore only at this point that user information is transmitted to the respective provider. In this case, the legal basis for data processing is the user’s consent in accordance with Art. 6 (1), sentence 1, (a) of the GDPR.
If the user is also logged into their profile on the social network concerned, the visit to our website shall be assigned to their profile when they click on the button. If the user does not wish social networks to gather data via the website, they should log out before visiting the website. However, cookies shall still be set each time the website is accessed by clicking on the corresponding link. This means that using this function may allow data to be collected and a profile to be created, which may sometimes also be associated with an individual user. To prevent this from happening, the user can click to disable the link in question on the website. The user may also adjust their browser settings so that cookies are categorically not accepted; however, please note that doing so may restrict our website’s functionality. Information about how personal data is handled when you use these websites can be found in the relevant privacy policies published by the providers.
17 Plug-ins and tools
Booking appointments via Acuity Scheduling
The Acuity Scheduling service is used on this website to simplify the appointment booking process. When this service is used, data is transmitted to Acuity Scheduling in the USA. To comply with the European level of data protection, Acuity Scheduling offers its users the option of entering into an international data transfer agreement created based on EU standard contractual clauses. We have entered into this agreement with Acuity Scheduling to protect your data. Please note that, as the operator of the website, we do not receive any detailed information regarding the content of the data transmitted or how it is used by Acuity Scheduling. The legal basis for this processing, pursuant to Art. 6 (1), sentence 1, (f) of the GDPR, is our legitimate interest in offering you a user-friendly, time-saving and modern way of booking appointments with us. Please also note that you are not obligated to use this service to book your appointments. If you do not wish to use this service, you can also book appointments using the other available contact methods.
These functions are offered by Acuity Scheduling Inc., NY, USA.
18 Erasing data
20 Data subjects’ rights
As a data subject according to the GDPR, you have various rights, arising in particular from Arts. 15 to 18 and Art. 21 of the GDPR:
Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of your personal data that is based on Art. 6 (1), sentence 1, (e) or (f) of the GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purposes of such marketing, which includes profiling to the extent that it is related to such direct marketing.
Right to withdraw your consent: You have the right to withdraw your consent at any time.
Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, a right of access to this data, and the right to further information and a copy of the data in accordance with the legal requirements.
Right to rectification: According to the legal requirements, you have the right to request that inaccurate or incomplete personal data concerning you be rectified.
Right to erasure and restriction of processing: According to the legal requirements, you have the right to request that data concerning you be erased or, alternatively, to request that the data processing activities be restricted.
Right to data portability: According to the legal requirements, you have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to request that the data be transmitted to another controller.
Lodging complaints with the supervisory authority: According to the legal requirements, you also have the right to lodge a complaint with a supervisory authority, particularly in the member state of your habitual residence, place of work or place of the alleged infringement, if you consider the processing of your personal data to be in violation of the GDPR.
Our competent supervisory authority:
Berlin Commissioner for Data Protection and Freedom of Information
Tel.: +49 30 13889 0
Fax: +49 30 2155050