Legal
Privacy Policy
This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). With regard to the terminology used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Types of data processed
- Inventory data (e.g., names, addresses).
- Contact data (e.g., email addresses, telephone numbers).
- Content data (e.g., text entries, photographs, videos).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta / communication data (e.g., device information, IP addresses).
Categories of data subjects
Visitors and users of the online offering (hereinafter, we collectively refer to the data subjects as “users”).
Purpose of processing
- Provision of the online offering, its functions, and content.
- Responding to contact inquiries and communicating with users.
- Security measures.
- Reach measurement / marketing.
Definitions of terms used
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Article 13 of the GDPR, we inform you of the legal bases for our data processing activities. Unless a specific legal basis is stated in this privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR. The legal basis for processing necessary for the performance of our services and the execution of contractual measures, as well as for responding to inquiries, is Article 6(1)(b) GDPR. The legal basis for processing necessary to fulfill our legal obligations is Article 6(1)(c) GDPR. The legal basis for processing necessary to safeguard our legitimate interests is Article 6(1)(f) GDPR. In cases where the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis.
Security measures
We take, in accordance with Article 32 of the GDPR, appropriate technical and organizational measures—taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons—to ensure a level of security appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, transmission, availability, and separation of the data itself. Furthermore, we have established procedures to ensure the exercise of data subject rights, the erasure of data, and the response to data threats. We also take into account the protection of personal data during the development or selection of hardware, software, and processes, in accordance with the principle of data protection by design and by default (Article 25 GDPR).
Cooperation with processors and third parties
If, in the course of our processing, we disclose data to other persons or companies (processors or third parties), transmit such data to them, or otherwise grant them access, this is done only on the basis of a legal permission—for example, if the transfer of data to third parties (such as payment service providers) is necessary for the performance of a contract pursuant to Article 6(1)(b) GDPR, if you have given your consent, if a legal obligation requires it, or on the basis of our legitimate interests (e.g., when using commissioned agents, web hosts, etc.).
If we commission third parties to process data on the basis of a so-called “data processing agreement”, this is carried out in accordance with Article 28 of the GDPR.
Transfers to third countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services, or through the disclosure or transfer of data to third parties, this will only take place if it is necessary for the fulfillment of our (pre-)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the special conditions under Articles 44 et seq. of the GDPR are met. This means that processing takes place, for example, on the basis of special safeguards such as an officially recognized determination of a data protection level equivalent to that of the EU (e.g., for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (known as “standard contractual clauses”).
Rights of Data Subjects
You have the right to request confirmation as to whether personal data concerning you is being processed, and, where that is the case, to obtain access to this data as well as further information and a copy of the data in accordance with Article 15 of the GDPR.
In accordance with Article 16 of the GDPR, you have the right to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.
In accordance with Article 17 of the GDPR, you have the right to request the erasure of personal data concerning you without undue delay, or, alternatively, to request the restriction of the processing of your data in accordance with Article 18 of the GDPR. You also have the right, pursuant to Article 20 of the GDPR, to receive the personal data concerning you that you have provided to us and to request that such data be transmitted to another controller. Furthermore, under Article 77 of the GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of Withdrawal
Pursuant to Article 7(3) of the GDPR, you have the right to withdraw consent you have granted, with effect for the future.
Right to Object
You have the right to object at any time, in accordance with Article 21 of the GDPR, to the future processing of your personal data. The objection may in particular be made against processing for the purposes of direct marketing.
Cookies and Right to Object to Direct Marketing
“Cookies” are small files that are stored on users’ devices. Various types of information can be stored within a cookie. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. “Temporary” or “session” cookies (also known as “transient cookies”) are cookies that are deleted after a user leaves an online offering and closes their browser. For example, such a cookie can store the contents of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies, on the other hand, remain stored even after the browser is closed. This allows, for example, a user’s login status to be saved when they return to the site after several days. Similarly, user interests can be stored in such cookies for purposes such as audience measurement or marketing. “Third-party cookies” are cookies that are offered by providers other than the controller operating the online service (otherwise, when only the controller’s own cookies are used, they are referred to as “first-party cookies”).
We may use both temporary and permanent cookies and will inform you about this within the scope of our privacy policy.
If users do not wish cookies to be stored on their device, they are asked to disable the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings at any time. Please note that disabling cookies may lead to functional limitations of this online service.
You can opt out of the use of cookies for online marketing purposes—especially for tracking—across many services via the U.S. site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/ . You can also prevent cookies from being stored by disabling them in your browser settings. Please note that if you do so, some features of this website may not be available.
Data erasure
The data we process are deleted or their processing is restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this privacy policy, we delete the data stored by us as soon as they are no longer required for their intended purpose and no statutory retention obligations oppose deletion. If the data are not deleted because they are needed for other, legally permissible purposes, their processing will be restricted—i.e., the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
Under statutory requirements in Germany, records are retained in particular for 10 years pursuant to § 147(1) of the Fiscal Code (Abgabenordnung, AO) and § 257(1) nos. 1 and 4 and § 257(4) of the Commercial Code (Handelsgesetzbuch, HGB) (books, records, management reports, accounting vouchers, commercial books, documents relevant for taxation, etc.), and for 6 years pursuant to § 257(1) nos. 2 and 3 and § 257(4) HGB (commercial correspondence).
Under statutory requirements in Austria, records must be retained, in particular, for 7 years under § 132(1) of the Federal Fiscal Code (Bundesabgabenordnung, BAO) (accounting records, vouchers/invoices, ledgers, supporting documents, business papers, statements of income and expenses, etc.); for 22 years in connection with real estate; and for 10 years for documents relating to electronically supplied services, telecommunications, broadcasting, and television services provided to non-business customers in EU Member States for which the Mini-One-Stop-Shop (MOSS) is used.
Business-related processing
Additionally, we process
- Contract data (e.g., subject matter of the contract, term, customer category).
- Payment data (e.g., bank details, payment history).
from our customers, prospects, and business partners for the purposes of performing contractual services, providing service and customer care, and for marketing, advertising, and market research.
Order processing in the online shop and customer account
We process our customers’ data in connection with order transactions in our online shop to enable the selection and ordering of the chosen products and services, as well as their payment and delivery/performance.
The data we process include master data, communication data, contract data, and payment data; the data subjects include our customers, prospects, and other business partners. Processing is carried out for the purpose of providing contractual services in the operation of an online shop, billing, delivery, and customer service. In this context, we use session cookies to store the contents of the shopping cart and persistent cookies to store the login status.
Processing is based on Article 6(1)(b) GDPR (performance of order transactions) and Article 6(1)(c) GDPR (legally required archiving). The information marked as required is necessary to enter into and perform the contract. We disclose data to third parties only in the context of delivery and payment, or where permitted or required by law, including to legal counsel and authorities. Data will be processed in third countries only where this is necessary for performance of the contract (e.g., at the customer’s request for delivery or payment).
Users may optionally create a customer account, which allows them—among other things—to view their orders. During registration, users are informed of the mandatory fields. Customer accounts are private and are not indexed by search engines. If users terminate their customer account, the data relating to that account will be deleted, subject to retention where required for commercial or tax law reasons pursuant to Art. 6(1)(c) GDPR. Information in the customer account is retained until the account is deleted and, where there is a legal obligation, subsequently archived. It is the users’ responsibility to back up their data before the end of the contract following cancellation.
In the context of registration, subsequent logins, and use of our online services, we store the IP address and the time of the respective user action. This storage is based on our legitimate interests—and those of the users—in protecting against misuse and other unauthorized use. As a rule, this data is not disclosed to third parties, except where necessary to pursue our claims or where there is a legal obligation to do so under Art. 6(1)(c) GDPR.
Deletion takes place after the expiry of statutory warranty and comparable obligations; the necessity of retaining the data is reviewed every three years. Where statutory archiving obligations apply, deletion occurs after those periods have expired (i.e., at the end of the commercial-law retention period of 6 years and the tax-law retention period of 10 years).
External payment service providers
We use external payment service providers through whose platforms users and we can carry out payment transactions, for example (each with a link to its privacy policy): PayPal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full ), Klarna (https://www.klarna.com/de/datenschutz/ ), Skrill (https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/ ), Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/ ), Visa (https://www.visa.de/datenschutz ), Mastercard (https://www.mastercard.de/de-de/datenschutz.html ), American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html ).
In fulfilling contracts, we use payment service providers on the basis of Article 6(1)(b) GDPR. In all other respects, we use external payment service providers on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR in order to offer our users effective and secure payment options.
The data processed by the payment service providers include master data (e.g., name and address), banking data (e.g., account or credit card numbers), passwords, TANs (transaction authentication numbers) and checksums, as well as information relating to the contract, amounts, and recipients. This information is required to carry out the transactions. However, the data entered are processed and stored solely by the payment service providers. That means we do not receive any account- or credit card–related information—only information confirming the payment or indicating a negative outcome. In certain cases, the payment service providers may transmit data to credit reference agencies for identity and creditworthiness checks. For details, please refer to the providers’ terms and conditions and privacy notices.
For payment transactions, the terms and conditions and privacy notices of the respective payment service providers apply; these can be accessed on their websites or within the relevant transaction applications. We also refer you to those notices for further information and for exercising rights of withdrawal, access, and other data subject rights.
Provision of our statutory and business services
We process the data of our members, supporters, prospects, customers, or other persons in accordance with Article 6(1)(b) GDPR where we offer them contractual services or act within an existing business relationship (e.g., with members), or where we ourselves are recipients of services or donations. In all other cases, we process the data of the individuals concerned on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR—for example, when this involves administrative tasks or public relations.
The data processed in this context—the type, scope, purpose, and necessity of processing—are determined by the underlying contractual relationship. As a rule, this includes basic and master data of the individuals (e.g., name, address), contact details (e.g., email address, telephone), contract data (e.g., services used, content and information provided, names of contact persons), and—where we offer paid services or products—payment data (e.g., bank details, payment history).
We delete data that are no longer required for the provision of our statutory and business services. This depends on the specific tasks and contractual relationships. In the context of business processing, we retain data for as long as they are needed to conduct business and insofar as they may be relevant to any warranty or liability obligations. The necessity of retaining the data is reviewed every three years; otherwise, the statutory retention periods apply.
Contact
When you contact us (e.g., via contact form, email, telephone, or through social media), the information you provide will be processed for the purpose of handling and responding to your inquiry in accordance with Article 6(1)(b) GDPR (where the communication relates to contractual or pre-contractual obligations) and Article 6(1)(f) GDPR (where the communication constitutes a general inquiry based on our legitimate interests). The information provided by users may be stored in a Customer Relationship Management (CRM) system or a comparable system used for managing inquiries.
We delete enquiries once they are no longer necessary. We review the need for retention every two years; statutory retention/archiving obligations remain unaffected.
Google Analytics
On the basis of our legitimate interests (i.e., our interest in the analysis, optimization, and efficient operation of our online offering within the meaning of Article 6(1)(f) GDPR), we use Google Analytics, a web analytics service provided by Google LLC (“Google”). Google uses cookies. The information generated by the cookie about users’ use of the online offering is generally transferred to a Google server in the United States and stored there.
Google is certified under the Privacy Shield framework and thereby provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active ).
Google will use this information on our behalf to evaluate how users utilize our online offering, to compile reports on activities within this online offering, and to provide us with other services related to the use of this online offering and internet usage. Pseudonymous user profiles may be created from the processed data.
We use Google Analytics only with IP anonymization enabled. This means that users’ IP addresses are shortened by Google within member states of the European Union or in other parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the United States and shortened there.
The IP address transmitted by the user’s browser will not be merged with other data held by Google. Users can prevent the storage of cookies by selecting the appropriate settings in their browser software; users can also prevent Google from collecting the data generated by the cookie and related to their use of the online offering, as well as from processing this data, by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de .
Further information about how Google uses data, as well as settings and opt-out options, can be found in Google’s Privacy Policy (https://policies.google.com/technologies/ads ) and in Google’s ad settings for the display of advertisements (https://adssettings.google.com/authenticated ).
Users’ personal data are deleted or anonymized after 14 months.
Facebook Pixel, Custom Audiences, and Facebook Conversion
Within our online offering, and on the basis of our legitimate interests in the analysis, optimization, and efficient operation of our online offering, we use the so-called “Facebook Pixel” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
Facebook is certified under the Privacy Shield framework and thereby provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active ).
With the help of the Facebook Pixel, Facebook can identify visitors to our online offering as a target group for displaying advertisements (“Facebook Ads”). Accordingly, we use the Facebook Pixel to show the Facebook Ads we place only to those Facebook users who have demonstrated an interest in our online offering, or who exhibit certain characteristics (e.g., interests in specific topics or products determined on the basis of the pages visited) that we transmit to Facebook (“Custom Audiences”). The Facebook Pixel also helps us ensure that our Facebook Ads correspond to users’ potential interests and are not perceived as intrusive. In addition, the Facebook Pixel enables us to measure the effectiveness of Facebook advertisements for statistical and market research purposes by seeing whether users are redirected to our website after clicking a Facebook ad (“conversion”).
The processing of data by Facebook is carried out in accordance with Facebook’s Data Policy. Accordingly, general information on the display of Facebook Ads can be found in Facebook’s Data Policy: https://www.facebook.com/policy . Specific information and details about the Facebook Pixel and how it works are available in Facebook’s Help Center: https://www.facebook.com/business/help/651294705016616 .
You can object to the collection via the Facebook Pixel and to the use of your data for the display of Facebook Ads. To set which types of advertisements are shown to you within Facebook, you can visit the page provided by Facebook and follow the instructions for configuring interest-based advertising: https://www.facebook.com/settings?tab=ads . These settings are applied across platforms, i.e., they will apply to all your devices, such as desktop computers and mobile devices.
You can also object to the use of cookies for audience measurement and advertising purposes via the Network Advertising Initiative’s opt-out page (http://optout.networkadvertising.org/ ) and additionally via the U.S. website (http://www.aboutads.info/choices ) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/ ).
Online presences on social media
We maintain online presences on social networks and platforms in order to communicate with customers, prospects, and users active there and to inform them about our services.
We would like to point out that users’ data may be processed outside the territory of the European Union. This may entail risks for users, for example because the enforcement of users’ rights could be more difficult. With regard to U.S. providers certified under the Privacy Shield, we note that they thereby undertake to comply with EU data protection standards.
Furthermore, users’ data are generally processed for market research and advertising purposes. For example, usage profiles may be created from users’ behaviour and the interests derived therefrom. These usage profiles can, in turn, be used to place advertisements—on and off the platforms—that presumably correspond to users’ interests. For these purposes, cookies are usually stored on users’ devices in which their usage behaviour and interests are recorded. In addition, data may be stored in usage profiles irrespective of the devices used by the users (particularly if users are members of the respective platforms and are logged in).
The processing of users’ personal data is carried out on the basis of our legitimate interests in effectively informing users and communicating with them pursuant to Article 6(1)(f) GDPR. If users are asked by the respective providers to consent to data processing (i.e., by ticking a checkbox or confirming a button), the legal basis for processing is Article 6(1)(a) GDPR in conjunction with Article 7 GDPR.
For a detailed description of the respective processing operations and the options to object (opt-out), please refer to the providers’ information linked below.
With regard to access requests and the exercise of data subject rights, please also note that these are most effectively asserted directly with the respective providers. Only the providers have access to users’ data and can take appropriate action and provide information directly. If you nevertheless require assistance, you may contact us.
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Privacy Policy: https://www.facebook.com/about/privacy/ , Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com , Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active .
- Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Privacy Policy: https://policies.google.com/privacy , Opt-out: https://adssettings.google.com/authenticated , Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active .
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA) – Privacy Policy / Opt-out: http://instagram.com/about/legal/privacy/ .
Integration of third-party services and content
Within our online offering, and on the basis of our legitimate interests (i.e., our interest in the analysis, optimization, and efficient operation of our online offering pursuant to Article 6(1)(f) GDPR), we use content or service offerings of third-party providers in order to integrate their content and services, such as videos or fonts (collectively referred to as “Content”).
This necessarily requires that the third-party providers of such content receive the users’ IP address, since without the IP address they cannot send the content to the users’ browser. The IP address is therefore required for displaying this content. We endeavour to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, and further details about the use of our online offering, and it may also be combined with such information from other sources.
Google Maps
We integrate maps from the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed may include, in particular, users’ IP addresses and location data; however, these are not collected without users’ consent (generally granted via the settings of their mobile devices). The data may be processed in the United States. Privacy Policy: https://www.google.com/policies/privacy/ , Opt-out: https://adssettings.google.com/authenticated .
Use of Facebook social plugins
We use, on the basis of our legitimate interests (i.e., our interest in the analysis, optimization, and efficient operation of our online offering within the meaning of Article 6(1)(f) GDPR), social plugins (“Plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). These may include, for example, content such as images, videos, or text, as well as buttons that enable users to share content from this online offering within Facebook. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/ .
Facebook is certified under the Privacy Shield framework and thereby provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active ).
When a user accesses a feature of this online offering that includes such a plugin, their device establishes a direct connection to Facebook’s servers. The content of the plugin is transmitted by Facebook directly to the user’s device and integrated into the online offering from there. In the process, usage profiles of users may be created from the processed data. We therefore have no influence over the scope of the data that Facebook collects by means of this plugin and, accordingly, inform users to the best of our knowledge.
By integrating the plugins, Facebook receives information that a user has accessed the corresponding page of the online offering. If the user is logged in to Facebook, Facebook can attribute the visit to the user’s Facebook account. When users interact with the plugins—for example, by clicking the Like button or leaving a comment—the relevant information is transmitted directly from their device to Facebook and stored there. If a user is not a member of Facebook, it is still possible that Facebook will obtain and store their IP address. According to Facebook, only an anonymised IP address is stored in Germany.
The purpose and scope of data collection, as well as the further processing and use of data by Facebook, and the related rights and settings options for protecting users’ privacy, can be found in Facebook’s privacy notices: https://www.facebook.com/about/privacy/ .
If a user is a Facebook member and does not want Facebook to collect data about them via this online offering and link it to their Facebook member data, they must log out of Facebook before using our online offering and delete their cookies. Further settings and objections to the use of data for advertising purposes can be made within the Facebook profile settings: https://www.facebook.com/settings?tab=ads , or via the U.S. site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/ . These settings are applied across platforms, i.e., they will apply to all devices, such as desktop computers or mobile devices.