Data privacy

 

I.       Name and address of the person responsible

The person responsible within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

Spized GmbH

represented by the Managing Director Mr Robin Teppich

Wilhelm-Mauser-Str. 14-16

50827 Köln

Germany

Tel.: +49 221 999 890 99

E-Mail: info@spized.de

Website: www.spized.com

 

II.       Name and address of the person responsible for data protection

The following person is responsible for data protection:

Mr Robin Teppich

Holder, with the same contact details as given under I.

 

III.       General information on data processing

1.      Scope of processing of personal data

In principle, we collect and use the personal data of our users only to the extent that this is necessary for the provision of a functional website as well as our content and services. The collection and use of the personal data of our users takes place regularly, but only with the consent of the user. An exception applies in such cases in which the prior obtaining of consent is not possible for factual reasons and the processing of the data is permitted by statutory regulations.

2.      Legal basis for the processing of personal data

Insofar as we obtain consent from the data subject for the processing of personal data, Art. 6 para. 1 (a) GDPR serves as a legal basis.

Art. 6 para. 1 (b) GDPR serves as a legal basis for the processing of the personal data that is required for the fulfilment of a contract whose contracting party is the data subject. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Art. 6 para. 1 (c) GDPR serves as a legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 (d) GDPR serves as a legal basis.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 (f) GDPR serves as the legal basis for the processing.

3.      Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose for the storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. The data shall also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a necessity for further storage of the data for the conclusion of a contract or for contract fulfilment.

 

IV.       Provision of the website and creation of log files

1.      Description and scope of data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected:

(1)    Information about the browser type and the version used

(2)    Operating system of the user

(3)    Internet service provider of the user

(4)     IP address of the user

(5)    Date and time of access

(6)    Websites from which the user's system accesses our website

(7)    Websites that are accessed by the user's system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2.      Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 (f) GDPR.

3.      Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the delivery of the website to the user's computer. To do this, the user's IP address must remain stored for the duration of the session.

 

It is stored in log files to ensure the functionality of the website. In addition, the data is used to optimise the website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context.

Our legitimate interest in data processing pursuant to Art. 6 para. 1 (f) GDPR is also contained in these purposes.

4.      Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose of its collection. If the data is collected for the provision of the website, this is the case when the respective session has ended.

In the case of storing the data in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or obfuscated, so that they can no longer be assigned to the calling client.

5.      Possibility of objection and elimination

The recording of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

 

V.         Use of cookies

1.      Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the computer system of the user. If a user calls up a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic character string that allows the unique identification of the browser when the website is accessed again.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can also be identified after a page change.

The following data is stored and transmitted in the cookies:

(1)    Language settings

(2)    Log-in information

2.      Legal basis for data processing

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 (f) GDPR.

3.      Purpose of data processing

The purpose of the use of technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.

We require cookies for the following applications:

(1)    Adoption of language settings

(2)    Remembering search terms

The user data collected by technically necessary cookies is not used to create user profiles.

Our legitimate interest in data processing pursuant to Art. 6 para. 1 (f) GDPR is also contained in these purposes.

4.      Duration of storage, possibility of objection and elimination

Cookies are stored on the user's computer and transmitted by the user to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transfer of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website in full.

 

VI.       Contact form and email contact

1.      Description and scope of data processing

There is a contact form on our website that can be used for electronic contact. If a user takes advantage of this option, the data entered in the input mask will be transmitted to us and stored. This data is:

(1)   Topic

(2)   Order number

(3)   First name

(4)   Surname

(5)  Email

(6)   Telephone

(7)   What is your query?

(8)   How did you learn about us?

At the time the message is sent, the following data is also stored:

(1)    The IP address of the user

(2)    Date and time of sending

Your consent for the processing of the data will be obtained as part of the sending process and reference will be made to this data protection declaration.

Alternatively, you can contact us via the email address provided. In this case, the personal data of the user transmitted with the email is stored.

The data will not be forwarded to third parties in this context. The data will be used exclusively for the processing of the conversation.

2.      Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 (a) GDPR if the user consents.

The legal basis for the processing of the data transmitted in the course of sending an email is Art. 6 para. 1 (f) GDPR. If the email contact is aimed at concluding a contract, then the additional legal basis for processing is Art. 6 para. 1 (b) GDPR.

3.      Purpose of data processing

The processing of personal data from the input screen is solely for the purpose of processing the contact. In the event of contact by email, the required legitimate interest in the processing of the data is also contained in this.

The other personal data processed during the sending process is used to prevent the misuse of the contact form and to ensure the security of our information technology systems.

4.      Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose of its collection. For the personal data from the input mask of the contact form and that sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended if it can be inferred from the circumstances that the matter in question has been conclusively clarified.

The personal data additionally collected during the sending process is deleted no later than after a period of seven days.

5.      Possibility of objection and elimination

The user has the option of revoking his consent to the processing of personal data at any time. If the user contacts us by email, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued.

The revocation can be made by email to the data protection officer Robin Teppich at info@spized.de or by letter to the address of the person responsible given above under I.

In this case, all personal data stored in the course of contact will be deleted.

 

VII.      Web analysis by Google Analytics

1.      Scope of processing of personal data

Our website uses Google Analytics, a web analysis service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), https://www.google.de/intl/de/about/. Google Analytics also uses cookies that enable an analysis of your use of our website. Regarding cookies, see V above. The information generated by the cookie about your use of our website is generally transmitted to a Google server in the USA and stored there.

We use Google Analytics with the extension “_anonymizeIp()” to ensure the anonymised collection of IP addresses. Your IP address will therefore only be transmitted to Google in abbreviated form within member states of the European Union or in other contracting states of the Agreement on the European Economic Area, which does not allow conclusions to be drawn about your identity. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. In this case, the IP address transmitted by your browser within the scope of Google Analytics will not be merged with other Google data. For the exceptional cases in which personal data is transferred to the USA, Google has subscribed to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework

The following information generated by cookies about the use of our website by users is transferred to a server in the USA and stored there:

(1)   Browser type/version

(2)   Operating system used

(3)   Website from which the user has reached the accessed website (referrer)

(4)   Host name of the accessing computer (IP address)

(5)   Time of server request

The software runs exclusively on the servers of our website. The personal data of the users is only stored there. The data is not passed on to third parties.

The software is set in such a way that the IP addresses are not stored in full, i.e. 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer.

2.      Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 (f) GDPR.

3.      Purpose of data processing

Google will use this information on our behalf to evaluate the use of our online offering by the users, to compile reports on the activities within this online offering and to provide us with other services associated with the use of this online offering and the internet usage. In the process, pseudonymous user profiles of the users can be created from the processed data.

4.      Duration of storage

The data is deleted as soon as it is no longer needed for our recording purposes.

5. Use of the advertising functions of Google Analytics

In addition to the standard Google Analytics configuration, this website also uses Google Analytics functions that support interest-based advertising and advertising based on users' surfing behaviour. Google Analytics uses a third-party cookie from DoubleClick to analyse data about users' surfing behaviour on various websites. With the help of this data, statistical statements can be made about demographic data and areas of interest of website users. We expressly point out that we cannot view data on individual users and cannot trace the statistical data we use back to specific users. Some of our website visitors will see our advertisements displayed on other websites after their visit. This form of ad placement is called remarketing or retargeting. If you wish to opt-out of these ads being served, we recommend that you use one of the options listed above to opt-out of website tracking by website users. Google also offers you the possibility to control cookies for ad preferences yourself: https://policies.google.com/technologies/ads?hl=en.

6.      Possibility of objection and elimination

Cookies are stored on the user's computer and transmitted by the user to our site. Therefore, as a user, you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transfer of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website in full.

You can also prevent the collection of data generated by the cookie and related to your use of our website (including your IP address) by Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

Alternatively, you can click on the following link, which sets an opt-out cookie that prevents the future collection of your data by Google Analytics when you visit our website: Disable Google Analytics

For more information about Google Analytics, please visit the following links:

Terms of use for Google Analytics: http://www.google.com/analytics/terms/de.html

Overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html

Data protection declaration: http://www.google.de/intl/de/policies/privacy.


VIII.    Google Ads

1. Google Conversion Tracking

As a Google Ads customer, we also use Google Conversion Tracking, an analysis service provided by Google Inc. Google Ads sets a cookie on your computer ("conversion cookie") if you have accessed our website via a Google ad. These cookies lose their validity after 30 days and are not used for personal identification. If you visit certain pages of ours and the cookie has not yet expired, we and Google can recognise that someone has clicked on the ad and thus been redirected to our site. Each Google Ads customer receives a different cookie. Cookies can therefore not be tracked across Google Ads customers' websites. The information obtained using the conversion cookie is used to create conversion statistics for Google Ads customers who have opted in to conversion tracking. Google Ads customers will learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they will not receive any information that personally identifies users. If you do not wish to participate in the tracking procedure, you can also refuse the setting of a cookie required for this - for example, via a browser setting that generally deactivates the automatic setting of cookies. You can also deactivate cookies for conversion tracking by setting your browser to block cookies from the domain "googleadservices.com". Google's privacy policy on conversion tracking can be found at https://services.google.com/sitestats/en.html.

2. Use of remarketing or "similar target groups" function by Google LLC.

We use the remarketing technology of Google LLC. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). Through this technology, users who have already visited our internet pages and online services and are interested in what we have to offer are approached again through targeted advertising on the pages of the Google Partner Network. The advertising is displayed through the use of cookies, which are small text files that are stored on the user's computer. With the help of the text files, user behaviour when visiting the website can be analysed and then used for targeted product recommendations and interest-based advertising. If you do not wish to receive interest-based advertising, you can deactivate Google's use of cookies for these purposes by visiting https://www.google.de/settings/ads. Alternatively, users can deactivate the use of cookies from Google or opt out of the use of third-party cookies by visiting the Network Advertising Initiative opt-out page.

By using our services, you consent to the processing of data about you by Google in the manner and for the purposes set out above. We would like to point out that Google has its own data protection guidelines, which are independent of ours. We do not accept any responsibility or liability for these policies and procedures. Please inform yourself about Google's privacy policy before using our website.

3. Use of Google Adsense

We also use Google AdSense, a web advertising service provided by Google LLC. to place advertisements (text ads, banners, etc.). In doing so, your browser may store a cookie sent by Google or third parties. The information stored in the cookie may be recorded, collected and analysed by Google or third parties. In addition, Google Adsense also uses small invisible graphics to collect information, through the use of which simple actions such as visitor traffic on the website can be recorded, collected and analysed. The information generated by the cookie and/or the graphics about your use of this website will be transmitted to and stored by Google on servers in the United States. Google uses the information thus obtained to carry out an evaluation of your usage behaviour with regard to AdSense ads. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You can prevent cookies from being stored on your hard drive and the display of the aforementioned graphics. As with the other cookies described, the same applies here: To do this, you must deactivate the acceptance of cookies in your browser settings.


IX.    Microsoft Ads, previously Bing Ads

1. Use of the advertising functions of Microsoft Ads

The website uses the remarketing function “Microsoft Ads” provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Ads stores a cookie on your computer if you have reached our website via a Microsoft advert. This enables Microsoft Bing and us to determine that someone has clicked on an advert, been forwarded to our website and reached a previously determined target page (conversion page). We only learn the total number of users that have clicked on a Microsoft advert and then been forwarded to the conversion page. No personal information regarding the identity of the user is passed on. If you do not want information on your behaviour to be used by Microsoft as described above, you can refuse the setting of the cookie required for this purpose – for example by configuring the browser setting that disables the automatic setting of cookies generally. You can also prevent the collection of data generated by the cookie relating to your use of the website and the processing of this data by Microsoft by opting out at the following link: http://choice.microsoft.com/en/opt-out. Further information on data protection and the cookies used by Microsoft and in the context of Microsoft Ads is available on the Microsoft website at https://privacy.microsoft.com/en-us/privacystatement.


X.    Facebook Social Plugin

1.      Scope of processing of personal data

Our website uses social plug-ins of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plug-ins are interaction elements and are recognisable by the Facebook logo (dark “f” on a bright background). Facebook is certified under the Privacy Shield Agreement and thereby offers a guarantee that it will comply with European data protection law, https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active

When a user calls up the social plug-in, his device establishes a direct connection to the Facebook servers. This gives Facebook the information that a user has accessed the corresponding website. If the user is logged in, Facebook can allocate the visit to his Facebook account. If the user is not a member of Facebook, there is still the possibility that Facebook will find out and save his IP address. According to Facebook, only an anonymised IP address is stored in Germany.

2.      Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 (f) GDPR.

3.      Purpose of data processing, duration of storage

The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as the relevant rights and settings options for protecting the privacy of the users can be found in the Facebook data protection information: https://www.facebook.com/about/privacy/

4.      Possibility of objection and elimination

A user who is a Facebook member and does not want Facebook to collect data about him via this online offer and link it to his member data stored on Facebook must log out of Facebook and delete its cookies before using our online offer. Further settings and objections regarding the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are independent of the platform, i.e. they are adopted for all devices such as desktop computers or mobile devices.

 

XI.        Instagram

1.      Scope of processing of personal data

Our website uses the functions and contents of the service Instagram, offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. The interaction elements are recognisable by the camera logo (white camera in front of a dark background), and the user is guided directly to the Instagram website by clicking on this. This gives Instagram the information that the user's browser has accessed the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram. This information, including your IP address, is transmitted directly to an Instagram server in the USA by the user's browser and stored there.

If the user is logged in to Instagram, Instagram can assign the visit to our website directly to the Instagram account. If the user confirms the Instagram button, this information is also transmitted directly to an Instagram server and stored there. The information is also published on the Instagram account and displayed to the users’ contacts.

2.      Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 (f) GDPR.

3.      Purpose of data processing, duration of storage

The purpose and scope of the data collection and the further processing and use of the data by Instagram can be found in the data protection guidelines of Instagram: https://help.instagram.com/155833707900388/

4.      Possibility of objection and elimination

A user who does not want Instagram to assign the data collected via our website directly to his Instagram account can log out of Instagram before visiting our website. He can also completely prevent loading the Instagram plug-ins with add-ons for the browser, e.g. with the script blocker "NoScript", http://noscript.net/.

Rights and settings options for the protection of privacy can be found in the data protection notices of Instagram: https://help.instagram.com/155833707900388/

 

XII.         YouTube

1.      Scope of processing of personal data

To present our offering, our website uses videos that are hosted on the YouTube platform of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. YouTube thus receives the IP address of the user.

2.      Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 (f) GDPR.

3.      Purpose of data processing, duration of storage

The purpose and scope of the data collection and the further processing and use of the data by YouTube as well as the rights and settings options in this regard for protecting the privacy of users can be found in the YouTube data protection information: https://www.google.com/policies/privacy/

4.      Possibility of objection and elimination

A user who does not want YouTube to receive his personal data has the options as listed at https://adssettings.google.com/authenticated

 

XIII.        E-mail marketing

If you subscribe to our company's newsletter, the data in the respective input mask will be transmitted to the data controller. The registration for our newsletter is carried out in a so-called double opt-in procedure. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with other people's e-mail addresses. When registering for the newsletter, the user's IP address and the date and time of registration are stored. This serves to prevent misuse of the services or the e-mail address of the person concerned. The data is not passed on to third parties. An exception exists if there is a legal obligation to pass on the data. The data is used exclusively for sending the newsletter. The subscription to the newsletter can be cancelled by the data subject at any time. Likewise, consent to the storage of personal data can be revoked at any time. For this purpose, a corresponding link can be found in each newsletter. The legal basis for the processing of the data after the user has registered for the newsletter is Art. 6 para. 1 lit. a) GDPR if the user has given his consent. The legal basis for sending the newsletter as a result of the sale of goods or services is Article 7 (3) UWG.

1.1 Use of customer.io

Description and purpose: We use customer.io to send newsletters. Among other things, customer.io is used to organise and analyse the dispatch of newsletters. The data you enter for the purpose of receiving newsletters is stored on customer.io's servers. If you do not wish to have your data analysed by customer.io, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. For the purpose of analysis, e-mails sent with customer.io contain a so-called tracking pixel, which connects to customer.io's servers when the e-mail is opened. In this way it can be determined whether a newsletter message has been opened. Furthermore, with the help of customer.io we can determine whether and which links are clicked on in the newsletter message. All links in the email are so-called tracking links, which can be used to count your clicks.

1.2 Legal basis

The legal basis for the data processing is Art. 6 para. 1 lit. a) GDPR.

Recipient: The recipient of the data is customer.io. 

Duration: The data stored by us in the context of your consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the servers of customer.io after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g. e-mail addresses for the member area) remain unaffected by this. 

Option to revoke: You have the option to revoke your consent to data processing at any time with effect for the future. The legality of the data processing operations already carried out remains unaffected by the revocation.

Further data protection information: For more details, please refer to the data security information of customer.io at: https://customer.io/legal/gdpr/.

2.1 Use of Typeform

The Typeform service is used on this website. Typeform is operated by TYPEFORM SL, C/Bac de Roda, 163, 08018 Barcelona, Spain. Typeform is a service that we use to display online surveys on our website. In this context, the following data are collected and processed:

  • IP address 
  • E-mail address 
  • Duration of visit 
  • Date and time of the visit 
  • If applicable, further data collected in the context of the survey

2.2 Data processing, duration of storage

Within the scope of processing via Typeform, data may be transmitted to the USA. The security of the transmission is regularly secured by so-called standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that complies with the GDPR. If the standard contractual clauses are not sufficient to establish an adequate level of security, consent will be obtained from you in advance within the framework of the Usercentrics consent management system in accordance with Art. 49 (1) lit. a GDPR.

2.3 Legal basis for the processing of personal data

The legal basis for processing is your consent pursuant to Art. 6 (1) a GDPR.

2.4 Possibility of objection and removal 

If you do not want the aforementioned data to be collected and processed via Typeform, you can refuse your consent or revoke it at any time with effect for the future. The personal data will be kept for as long as it is necessary to fulfil the purpose of the processing. The data will be deleted as soon as they are no longer required to achieve the purpose.

XIV.        Use of PayPal as payment method

1.      Scope of processing of personal data

Paying with PayPal is possible on our website. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which represent virtual private or business accounts. In addition, PayPal offers the option of processing virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an email address, which is why there is no classic account number. PayPal enables you to trigger online payments to third parties or to receive payments. PayPal also assumes trustee functions and offers buyer protection services. The European operating company of PayPal is PayPal (Europe) S.a.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If you select “PayPal” as the payment option during the order process in our online shop, data will be automatically transmitted to PayPal. By selecting this payment option, you consent to the transmission of the personal data required for payment processing.

The personal data transmitted to PayPal is usually first name, surname, address, email address, IP address, telephone number, mobile phone number or other data that is necessary for payment processing. The processing of the purchase contract also requires personal data that is associated with the respective order.

PayPal may pass on the personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfil the contractual obligations or if the data is to be processed as part of the contract.

2.      Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 (a) and (b) GDPR.

3.      Purpose of data processing, duration of storage

The purpose of the transmission of the data is payment processing and fraud prevention. The person responsible for processing transmits personal data to PayPal, in particular if there is a legitimate interest in the transmission. The personal data exchanged between PayPal and the person responsible for processing may be transmitted by PayPal to credit agencies in certain circumstances. The purpose of this transmission is to verify identity and creditworthiness.

4.      Possibility of objection and elimination

The user has the option of withdrawing consent to PayPal for the handling of his personal data at any time. A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing. The applicable data protection regulations of PayPal can be found at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

 

XV.      Use of Stripe as payment method

1.       Scope of processing of personal data

There is the option of paying with Stripe on our website. Stripe is an online payment service provider, see XI. Stripe’s European operating company is Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

If you select “Stripe” as the payment option during the order process in our online shop, data is automatically transmitted to Stripe. By selecting this payment option, you consent to the transmission of the personal data required for payment processing.

The personal data transmitted to Stripe is usually first name, surname, address, account number, sort code, possibly credit card number, invoice amount, currency and transaction number or other data required for payment processing. The processing of the purchase contract also requires personal data that is associated with the respective order.

Stripe may pass on the personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfil the contractual obligations or if the data is to be processed as part of the contract.

2.      Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 (a) and (b) GDPR.

3.      Purpose of data processing, duration of storage

The purpose of the transmission of the data is payment processing and fraud prevention. The person responsible for processing transmits personal data to Stripe, in particular if there is a legitimate interest in the transmission. The personal data exchanged between Stripe and the person responsible for processing may be transmitted by Stripe to credit agencies in certain circumstances. The purpose of this transmission is to verify identity and creditworthiness.

4.      Possibility of objection and elimination

The user has the option of withdrawing consent to Stripe for the handling of his personal data at any time. A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing. Stripe’s applicable Privacy Policy can be found at https://stripe.com/de/privacy#translation.

 

XVI.     Use of Instant Transfer as payment method

1.      Scope of processing of personal data

Payment with Instant Transfer is possible on our website. Instant Transfer is an online payment service provider, see XI. The provider of the service is Sofort GmbH, Theresienhöhe 12, 80339 Munich, Germany.

If you select “Instant Transfer” as the payment option during the order process in our online shop, data is automatically transmitted to Instant Transfer. By selecting this payment option, you consent to the transmission of the personal data required for payment processing.

The personal data transmitted to Instant Transfer is usually first name, surname, address, account number, sort code, possibly credit card number, invoice amount, currency and transaction number or other data required for payment processing. The processing of the purchase contract also requires personal data that is associated with the respective order.

Instant Transfer may pass on the personal data to affiliated companies and service providers or subcontractors if this is necessary to fulfil the contractual obligations or if the data is to be processed as part of the contract.

2.      Legal basis for the processing of personal data

The legal basis for the processing of the user's personal data is Art. 6 para. 1 (a) and (b) GDPR.

3.      Purpose of data processing, duration of storage

The purpose of the transmission of the data is payment processing and fraud prevention. The person responsible for processing transmits personal data to Instant Transfer, in particular if there is a legitimate interest in the transmission. The personal data exchanged between Instant Transfer and the person responsible for processing may be transmitted by Instant Transfer to credit agencies in certain circumstances. The purpose of this transmission is to verify identity and creditworthiness.

4.     Possibility of objection and elimination

The user has the option of withdrawing consent to Instant Transfer for the handling of his personal data at any time. A revocation does not affect personal data that must be processed, used or transmitted for (contractual) payment processing. The applicable data protection provisions of Instant Transfer can be found at https://www.sofort.de/datenschutz.html.

 

XVII.    Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of GDPR and you have the following rights vis-à-vis the person responsible:

1.      Right to information

You may request confirmation from the person responsible whether we are processing personal data relating to you.

If such processing exists, you can request information from the person responsible regarding the following information:

(1)   the purposes for which the personal data is being processed;

(2)   the categories of personal data that are being processed;

(3)   the recipients or categories of recipients to whom your personal data has been disclosed or is still being disclosed;

(4)   the planned duration of storage of your personal data or, if specific information on this is not possible, criteria for determining the duration of storage;

(5)   the existence of a right to rectification or deletion of your personal data, a right to the restriction of processing by the person responsible or a right to object to this processing;

(6)   the existence of a right of appeal to a supervisory authority;

(7)   all available information about the origin of the data if the personal data is not collected from the data subject;

(8)   the existence of automated decision-making, including profiling, in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and the desired effects of such processing for the data subject.

You have the right to request information about whether your personal data will be transferred to a third country or to an international organisation. In this context, you may request that you are informed about the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transmission.

2.      Right to rectification

You have a right to rectification and/or completion vis-à-vis the person responsible, provided that your processed personal data is incorrect or incomplete. The person responsible must perform the correction immediately.

3.      Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of your personal data:

(1)   if you dispute the accuracy of your personal data for a period that allows the person responsible to verify the accuracy of the personal data;

(2)   the processing is unlawful and you turn down the offer to delete your personal data and instead demand the restriction of use of your personal data;

(3)   the person responsible no longer needs your personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims, or

(4)   if you have filed an objection against the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of your personal data has been restricted, this data may only be processed with your consent or for the assertion, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.

If processing has been restricted in accordance with the aforementioned conditions, you will be informed by the person responsible before the restriction is lifted.

4.      Right to deletion

a)         Obligation to delete

You can demand that the person responsible delete your personal data immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:

(1)   Your personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

(2)   You withdraw your consent on which the processing pursuant to Art. 6 para. 1 (a) or Art. 9 para. 2 (a) GDPR is based, and there is no other legal basis for the processing.

(3)   You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding justified reasons for the processing, or you submit an objection pursuant to Art. 21 para. 2 GDPR to the processing.

(4)   Your personal data has been processed unlawfully.

(5)   The deletion of your personal data is required to fulfil a legal obligation under Union law or the law of the Member States to which the person responsible is subject.

(6)   Your personal data was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

b)         Information to third parties

If the person responsible has made the personal data relating to you public and if it is, in accordance with Art. 17 para. 1 GDPR, obliged to delete it, it shall take appropriate measures, in consideration of the available technology and implementation costs, including technical measures, to inform the controllers responsible for data processing who process your personal data, that you, as a data subject, have requested that they should delete all links to this personal data or copies or replications of said personal data.

c)          Exceptions

The right to deletion does not exist if the processing is necessary

(1)     to exercise the right to freedom of expression and information;

(2)     to fulfil a legal obligation that requires processing under the law of the Union or the Member States to which the person responsible is subject, or to perform a task that is in the public interest or is carried out in the exercise of public authority that has been transferred to the person responsible;

(3)     for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 (h) and (i) as well as Art. 9 para. 3 GDPR;

(4)     for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right mentioned under Section a) is thought to make the realisation of the objectives of this processing impossible or to seriously impair it, or

(5)     to assert, exercise or defend legal claims.

5.      Right to notification

If you have asserted the right to rectification, deletion or restriction of processing vis-à-vis the person responsible, the person responsible is obligated to inform all recipients to whom the personal data concerning you has been disclosed of this rectification or deletion of the data or restriction of processing, unless this proves to be impossible or is associated with disproportionate effort.

You have the right vis-à-vis the person responsible to be informed about these recipients.

6.      Right to data portability

You have the right to receive your personal data that you have provided to the person responsible in a structured, standardised and machine-readable format. In addition, you have the right to transfer this data to another person responsible without hindrance by the person responsible to whom the personal data was provided, provided that

(1)   the processing is based on consent pursuant to Art. 6 para. 1 (a) GDPR or Art. 9 para. 2 (a) GDPR or on a contract pursuant to Art. 6 para. 1 (b) GDPR and

(2)   the processing takes place using automated procedures.

In exercising this right, you also have the right to have your personal data transmitted directly from one person responsible to another person responsible, provided this is technically feasible. This may not affect the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task that is in the public interest or takes place in the exercise of public authority that was transferred to the person responsible.

7.      Right of objection

You have the right to object at any time to the processing of your personal data, which is carried out on the basis of Art. 6 para. 1 (e) or (f) GDPR, for reasons arising from your special situation; this also applies to profiling based on these provisions.

The person responsible will no longer process your personal data unless he can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling, insofar as it is associated with such direct marketing.

If you object to processing for direct advertising purposes, your personal data will no longer be processed for these purposes.

You have the option of exercising your right of objection in connection with the use of the services of the information society – irrespective of Directive 2002/58/EC – by means of automated procedures in which technical specifications are used.

8.      Right to revoke the declaration of consent under data protection law

You have the right to withdraw your data protection consent at any time. Withdrawal of consent does not affect the legality of the processing carried out on the basis of consent until withdrawal.

9.      Automated decision in individual cases including profiling

You have the right not to be subject to a decision based exclusively on automated processing – including profiling – which has a legal effect on you or which affects you substantially in a similar way. This does not apply if the decision

(1)   is required for the conclusion or fulfilment of a contract between you and the person responsible,

(2)   is permissible on the basis of the legal provisions of the Union or the Member States to which the person responsible is subject and these legal provisions contain appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or

(3)   is carried out with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 (a) or (g) GDPR applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests.

With regard to the cases mentioned in (1) and (3), the person responsible shall take appropriate measures to protect your rights and freedoms as well as your legitimate interests, which includes at least the right to obtain the intervention of a person on the part of the person responsible, to express your own point of view and to contest the decision.

10.    Right to appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your workplace or the location of the suspected violation, if you believe that the processing of your personal data violates the GDPR.

The supervisory authority to which the complaint was submitted informs the complainant about the status and results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.