Data privacy statement
This data privacy statement explains the nature, scope and purpose of processing of personal data (hereinafter termed "data" in short) as part of our online offer and the related web pages, functions, content and external online presences, such as our social media profile (hereinafter collectively termed "online offer"). With regard to employed terminology, such as "processing" or "controller", please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Types of processed data:
- Master data (e.g. names, addresses).
- Contact data (e.g. e-mail, phone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. visited websites, content of interest, access times).
- Meta data/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online offer (data subjects are collectively termed "users" in the following).
Purpose of processing
- Provision of the online offer, its functions and content
- Response to contact requests and communication with users
- Security measures
- Audience measurement/marketing
"Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more features specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations performed on personal data, whether or not by automated means. This expression is far-reaching and encompasses practically all ways of handling data.
"Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
In accordance with Article 13 GDPR, we inform you about the legal bases of our data processing operations. If the legal bases are not mentioned in the data privacy statement, the following applies: The legal basis for obtaining consent is Article 6 Paragraph 1 Item a) and Article 7 GDPR; the legal basis for processing to perform our services and implement contractual measures, as well as answer questions is Article 6 Paragraph 1 Item b) GDPR; the legal basis for processing to fulfil our legal obligations is Article 6 Paragraph 1 Item c) GDPR; the legal basis for processing to preserve our legitimate interests is Article 6 Paragraph 1 Item f) GDPR. In case vital interests of the data subject or another natural person require processing of personal data, Article 6 Paragraph 1 Item d) GDPR serves as the legal basis.
According to Article 32 GDPR, we take appropriate technical and organizational measures to ensure a level of protection commensurate with risk, taking into account the state of the art, implementation costs, the type, scope, circumstances and purposes of processing, as well as the different probabilities of occurrence and severity of risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the related permissions, entry, relay and separation. Furthermore, we have established procedures which ensure safeguarding of data subjects' rights, deletion of data and response to data risks. In addition, we take into account the protection of personal data already during development and selection of hardware, software and procedures in accordance with data privacy principles through technological design and privacy-friendly default settings (Article 25 GDPR).
Cooperation with delegated processors and third parties
Insofar as we disclose data to other persons and companies (delegated processors and third parties), communicate such data to them or otherwise provide them access to such data as part of our processing activities, this is done only if legal permission has been issued (for example, when transmission of data to third parties such as payment service providers is required for contract fulfilment pursuant to Article 6 Paragraph 1 Item b) GDPR), you have provided your consent, a legal obligation to this exists, or if our legitimate interests provide grounds for this (e.g. if agents, web hosting providers etc. are engaged).
Insofar as we appoint third parties to process data in accordance with a delegated processing agreement, this is done on the basis of Article 28 GDPR.
Transfers to third countries
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this takes place during use of third-party services, or during disclosure / communication of data to third parties, this is done only if it serves to fulfil our (pre-)contractual obligations, if you have provided your consent, if a legal obligation to this exists, or if our legitimate interests provide grounds for this. Subject to legal or contractual permissions, we process data, or have them processed, in a third country only given fulfilment of the special conditions of Articles 44 et seq. GDPR, i.e. processing takes place, for example, on the basis of special guarantees such as officially recognized establishment of data protection levels compliant with the EU (e.g. "privacy shield" in the case of the USA) or compliance with officially recognized, special contractual obligations ("standard contractual clauses").
Rights of data subjects
You have the right to request confirmation whether relevant data are processed, and to receive details regarding these data, as well as further information and copies of the data in accordance with Article 15 GDPR.
In accordance with Article 16 GDPR, you have the right to completion of data concerning you, as well as rectification of incorrect data concerning you.
In accordance with Article 17 GDPR, you have the right to demand that relevant data be immediately deleted, or that their processing alternatively be restricted in accordance with Article 18 GDPR.
In accordance with Article 20 GDPR, you have the right to receive, on your request, the personal data which you have provided to us, and to have the data communicated to other controllers.
According to Article 77 GDPR, you furthermore have the right to submit a complaint to the responsible supervisory authority.
Right to withdrawal
Pursuant to Article 7 Paragraph 3 GDPR, you have the right to withdraw consent with effect for the future.
Right to objection
In accordance with Article 21 GDPR, you can at any time object to future processing of your personal data. Objections can be raised, in particular, against processing for purposes of direct marketing.
Cookies and right of objection in case of direct marketing
"Cookies" are small files stored on the user's computer. A variety of details can be saved inside the cookies themselves. A cookie is used primarily to save information concerning a user (or concerning the device on which the cookie is stored) during or after the user's visit to an online offer. Temporary cookies, known as "session" or "transient" cookies, are deleted after the user leaves an online offer and closes their browser. Such a cookie can be used to save, for example, the contents of a shopping cart at an online shop or a login status. "Permanent" or "persistent" cookies are kept even after the browser has been closed. For example, login details can be saved in case a user requires them again several days later. A cookie can also be used to save the user's interests for audience measurement or marketing purposes. "Third-party" cookies are those offered by vendors other than the controller conducting the online offer (cookies belonging exclusively to the latter are otherwise called "first-party" cookies).
We may use temporary and permanent cookies, and clarify this in our data privacy statement.
If a user does not want cookies to be stored on their computer, they can disable the corresponding option in their browser's system settings. Previously stored cookies can be deleted via the browser's system settings. Exclusion of cookies can restrict the functionality of this online offer.
Deletion of data
In accordance with Articles 17 and 18 GDPR, data processed by us are deleted, or their processing is restricted. Unless explicitly specified in this data privacy statement, data stored by us are deleted as soon as they are no longer required for their intended purpose, and no statutory retention obligations exist to the contrary. If data are not deleted because they are required for other legally permissible purposes, their processing is restricted, i.e. the data are blocked and not processed for any other purpose. This applies, for example, to data which must be retained for reasons pertaining to commercial or tax laws.
German laws stipulate storage, in particular, for 10 years in accordance with §§ 147 Paragraph 1 of the tax code, 257 Paragraph 1 Items 1 and 4, Paragraph 4 of the commercial code (books, records, reports, vouchers, trading books, documents of relevance to taxation etc.) and 6 years in accordance with § 257 Paragraph 1 Items 2 and 3, Paragraph 4 of the commercial code (commercial letters).
According to statutory provisions in Austria, storage takes place, in particular, for 7 years according to § 132, Paragraph 1 of the federal tax code (accounting records, receipts/invoices, accounts, documents, business papers, statements of income and expenditure etc.), for 22 years in connection with real estate, and for 10 years for documents in connection with electronically supplied services, telecommunication, radio and television services provided to non-entrepreneurs in EU member states and for which the mini-one-stop-shop (MOSS) is used.
We also process
- contract data (e.g. subject matter, duration, customer category)
- payment information (e.g. bank details, payment history)
of our customers, interested parties and business partners for the purpose of rendering contractual performance, service provision and customer care, marketing, advertising and market research.
Order processing in the online shop and customer account
We process the data of our customers within the framework of order handling in our online shop, so that they can choose and order the relevant products and services, and so that these can subsequently be paid for and received / implemented.
Processed data include master data, communication data, contract data and payment data; data subjects include our customers, interested parties and other business partners. Processing takes place for the purpose of rendering contractual performance as part of operating an online shop, billing, delivery and customer service. Here we use session cookies to store shopping carts' contents, and permanent cookies for storing login statuses.
Processing takes place on the basis of Article 6 Paragraph 1 Item b) (order procedures) and c) (legally required archiving) GDPR. Details marked as required here are needed to substantiate and fulfil the contract. We disclose the data to third parties only in the scope of delivery, payment or within the framework of statutory permissions and obligations vis-à-vis legal advisors and authorities. Data are processed in third countries only if this is necessary for contract fulfilment (e.g. on customer request during delivery or payment).
Users can optionally create a user account allowing them, in particular, to view their orders. Mandatory details are communicated to users as part of registration. User accounts are not public and cannot be indexed by search engines. If a user cancels their account, their data associated with the account will be deleted, subject to any retention as required by reasons pertaining to commercial or tax law in accordance with Article 6 Paragraph 1 Item c) GDPR. Details in the customer's account will remain until its deletion, and will be archived subsequently in case of a legal obligation. It is the user's responsibility to back up their data after termination before the end of the contract.
As part of registration, renewed logins as well as use of our online services, we record the IP address and time of each user action. Recording here takes place on the basis of our legitimate interests, as well as those of the user with regard to protection against misuse and other unauthorized use. These data are generally not transferred to third parties, unless this is needed to fulfil our requirements or unless there is a legal obligation for this pursuant to Article 6 Paragraph 1 Item c) GDPR.
Deletion is performed on expiry of legal warranty obligations and similar obligations; the need for retaining data is examined every three years; in the case of legal archiving obligations, deletion is performed after their expiry (end of commercial retention period (6 years) and fiscal retention period (10 years)).
We process the data of our contract partners and interested parties, as well as other principals, customers, clients and contractual partners (uniformly referred to as "contractual partners") according to Article 6 Paragraph 1 Item b) GDPR, in order to provide them with our contractual / pre-contractual services. The data processed here, as well as the nature, scope, purpose and necessity of their processing, are determined by the underlying contractual relationship.
The processed data include master data of our contractual partners (for example, names and addresses), contact details (e.g. e-mail addresses and phone numbers), as well as contract data (e.g., engaged services, contract content, contractual communication, names of contact persons) and payment information (e.g. bank details, payment history).
In principle, we do not process special categories of personal data unless these are constituents of commissioned or contractual processing.
We process data required for establishing and rendering contractual performance, and draw attention to the need for specifying them if this is not evident for the contractual partner. Disclosure to external persons or companies occurs only if required in the framework of a contract. During processing of data provided to us as part of a mandate, we act according to the client's instructions as well as statutory requirements.
Within the framework of use of our online services, we can save the IP address and time of each user action. Storage is performed on the basis of our legitimate interests, as well as the user's interests with regard to protection against misuse and other unauthorized use. These data are not relayed to third parties, unless this is needed to fulfil our requirements as per Article 6 Paragraph 1 Item f) GDPR, or there is a related legal obligation pursuant to Article 6 Paragraph 1 Item c) GDPR.
Data are deleted when no longer needed to fulfil contractual or statutory duties of care, or deal with any warranty and similar obligations; the need for data retention is reviewed every three years; statutory retention obligations apply otherwise.
External payment service providers
We employ external payment service providers, via whose platforms users and we can make payment transactions (e.g. Stripe, Inc. (https://stripe.com/privacy), Paypal (https://www.paypal.com/uk/webapps/mpp/ua/privacy-full), Wirecard (https://www.wirecard.com/privacy-protection/), Visa (https://www.visaeurope.com/privacy/), Mastercard (https://www.mastercard.us/en-us/about-mastercard/what-we-do/privacy.html), American Express (https://www.americanexpress.com/us/content/legal-disclosures/online-privacy-statement.html)).
As part of contract fulfilment, we engage payment service providers on the basis of Article 6 Paragraph 1 Item b) GDPR. Furthermore, we engage external payment service providers on the basis of our legitimate interests pursuant to Article 6 Paragraph 1 Item b) GDPR to provide our users with effective and secure payment options.
Applicable to payment transactions are the respective payment service providers' general terms and conditions as well as data privacy policies, which can be viewed at the respective websites or via the transaction applications. Kindly also refer to these for further information and assertion of rights regarding withdrawal and information, as well as other rights of data subjects.
Administration, financial accounting, office organization, contact management
We process data within the framework of administrative tasks, organization of our operations, financial accounting and compliance with legal obligations, such as those regarding archiving. Here we process the same data as those which we process during provision of our contractual services. Processing is based on Article 6 Paragraph 1 Items c) and f) GDPR. Customers, interested parties, business partners and website visitors are concerned by processing. Our purpose and interest in processing relates to administration, financial accounting, office organization and data archiving, i.e. tasks serving to maintain our business activities, realize our duties and provide our services. Deletion of data with regard to contractual services and contractual communication complies with the specifications issued as part of these processing activities.
Here we disclose and transmit data to fiscal authorities, advisors such as tax consultants and auditors, as well as billing centres and payment service providers.
In accordance with our business interests, we additionally save information regarding suppliers, organizers and other business partners, e.g. for the purpose of establishing later contact. In principle, we permanently save such mainly business-related data.
Users can create an account. As part of registration, users are notified about mandatory details, which are then processed on the basis of Article 6 Paragraph 1 Item b) GDPR for the purpose of deploying the user account. The processed data include, in particular, login details (name, password, and e-mail address). Data entered during registration are utilized for the purposes of deploying the user account.
Users can receive news of relevance to their account, such as technical changes, via e-mail. When a user cancels their account, the related data are deleted, subject to any statutory retention obligations. Users are responsible for backing up their data in the event of termination before the end of the contract. We are entitled to irretrievably delete all the user's data stored during the contractual period.
In the context of utilization of our registration and login functions as well as user accounts, we store the IP address and time of each user action. Storage is performed on the basis of our legitimate interests, as well as those of users with regard to protection against misuse and other unauthorized utilization. Such data are generally not transferred to third parties, unless this is necessary to fulfil our requirements or there is a legal obligation for this according to Article 6 Paragraph 1 Item c) GDPR. IP addresses are anonymized or deleted after 7 days at the latest.
Establishment of contact
During establishment of contact with us (e.g. via contact form, e-mail, phone or social media) the user's data are processed in order to handle the contact request pursuant to Article 6 Paragraph 1 Item b) GDPR. The user's data can be stored in a customer relationship management (CRM) system or similar means of organizing inquiries.
We delete inquiries once they are no longer required. We check the need for this every two years; legal archiving requirements apply in addition.
The following information concerns the content of our newsletter, as well as the subscription, dispatch and statistical evaluation procedures and your rights to objection. By subscribing to our newsletter, you agree to receipt and to the described procedures.
Newsletter content: We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter called "newsletter") only with the recipient's consent or legal permission. Newsletter content specifically defined in the context of a newsletter subscription is authoritative with regard to the user's consent. Our newsletter furthermore contains information about us and our services.
Double opt-in and logging: Subscription to our newsletter is performed using a so-called double opt-in procedure, i.e. after subscribing, you will receive an e-mail requesting you to confirm your subscription. This confirmation is necessary so that no one can log in using unknown e-mail addresses. Subscription to the newsletter is logged to be able to provide corresponding proof of the subscription process according to legal requirements. This includes storage of the subscription and confirmation times, as well as the IP address. Also logged are any changes to your data stored by the service provider in charge of dispatch.
Subscription data: To sign up for the newsletter, it is sufficient for you to specify your e-mail address. Optionally, we ask you to specify a name for the purpose of personal addressing in the newsletter.
Newsletter dispatch and the associated performance measurements take place on the basis of the recipient's consent pursuant to Article 6 Paragraph 1 Item a), Article 7 GDPR in conjunction with § 7 Paragraph 2 No. 3 of German laws against unfair competition or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Article 6 Paragraph 1 Item f) GDPR in conjunction with § 7 Paragraph 3 of German laws against unfair competition.
The subscription procedure is logged on the basis of our legitimate interests according to Article 6 Paragraph 1 Item f) GDPR. Our interest focuses on a user-friendly and secure newsletter system which serves our business interests and also meets the expectations of users, besides allowing us to provide proof of consent.
Termination/cancellation - you can cancel receipt of our newsletter at any time, i.e. you can withdraw your consent. A link to cancellation of the newsletter can be found at the end of each newsletter. On the basis of our legitimate interests, we can save de-registered e-mail addresses for a period of up to three years before deleting them, in order to prove former issue of consent. Processing of these data is limited to the purpose of defence against possible claims. Individual applications for deletion are possible at any time, provided that a former existence of consent can be proven simultaneously.
Hosting and e-mail dispatch
The hosting facilities utilized by us are meant for provision of the following services: Infrastructure and platform services, processing capacity, storage capacity and database services, e-mail dispatch, security services as well as technical maintenance services which we employ in order to run this website.
Here, we and our hosting provider process master data, contact data, content data, contract data, usage data, meta data and communication data of clients, interested parties and visitors of this website on the basis of our legitimate interest in efficient and secure provision of the website in accordance with Art. 6 Paragraph 1 Item f) GDPR in conjunction with Art. 28 GDPR (conclusion of delegated processing contracts).
Collection of access data and log files
On the basis of our legitimate interests within the meaning of Article 6 Paragraph 1 Item f) GDPR, we and our hosting provider collect data pertaining to each access to the server on which this service resides (so-called server log files). Access data include the name of the invoked web page, file, date and time of invocation, transferred data volume, confirmation of successful invocation, browser type and version, user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
For security reasons (e.g. clarification of misuse or fraud), log-file information is stored for a maximum period of 7 days and then deleted. Excluded here are data which need to be stored for longer to serve as evidence until final clarification of the related incident.
Google Tag Manager
Google Tag Manager is a solution with which we can manage website tags via a user interface (and thereby integrate, for example, Google Analytics as well as other Google marketing services into our online offer). The Tag Manager itself (which implements the tags) does not process any data concerning the user's person. With regard to the processing of data concerning the user's person, kindly refer to the following information on Google services. Usage guidelines: https://www.google.com/analytics/tag-manager/use-policy/.
Google is certified under the privacy shield agreement and thus provides a guarantee of compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf, to evaluate utilization of our online offer, compile reports of activities within the online offer, and provide us with further services related to use of the online offer and the Internet. Pseudonymous user profiles can be created from the processed data.
We use Google Analytics only with activated IP anonymization. This means that Google truncates the user's IP address within the member states of the European Union or in other states which are party to the agreement on the European Economic Area. Only in exceptional cases is a full IP address transmitted to a Google server in the USA and truncated there.
The IP address communicated by the user's browser is not merged with other data by Google. The user can prevent storage of cookies by appropriately setting their browser's software; in addition, the user can prevent registration of the data generated by cookies and related to their use of the online offer with Google, as well as processing of these data by Google, by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
The user's personal data are deleted or anonymized after 14 months.
Google AdWords and conversion measurement
On the basis of our legitimate interests (i.e. interest in analysis, optimization and economical operation of our website within the meaning of Article 6 Paragraph 1 Item f) GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, ("Google").
Google is certified under the privacy shield agreement and thus provides a guarantee of compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use Google's "AdWords" online marketing technique to place ads in the Google advertising network (e.g. in search results, videos, on web pages etc.) so that they can be shown to users who have a presumed interest in the ads. This allows us a more targeted display of ads for and within our online offer, so that users are presented only with ads potentially corresponding to their interests. For example, one speaks of "remarketing" when a user is shown ads for products in which the user exhibited an interest at other online offerings. For this purpose, Google code is executed directly by Google on invocation of our and other websites where the Google advertising network is active, and so-called (re)marketing tags (invisible graphics or code, also called "web beacons") are integrated into the web page. With their help, an individual cookie, i.e. a small file, is saved on the user's device (comparable technologies can also be used instead of cookies). This file notes the websites which the user has visited, the content which they are interested in, the offers which the user has clicked, further technical information about the browser and operating system, referring websites, visit time and additional information on use of the online offer.
In addition, we receive an individual "conversion cookie". The information collected by means of cookies is used by Google to prepare conversion statistics for us. However, we only discover the anonymous total number of users who have clicked on our advertisement and have been redirected to a page furnished with a conversion tracking tag. We receive no information allowing personal identification of a user.
The user's data are processed pseudonymously within the framework of Google's advertising network, i.e. Google does not store or process, for example, the user's name or e-mail address, but instead processes the relevant data on the basis of the cookies within pseudonymous user profiles. Accordingly, from Google's point of view, advertisements are managed and displayed not for specifically identified persons, but for cookie owners regardless of who these individuals are. This does not apply if a user has explicitly allowed Google to process data without a use of such pseudonyms. Information collected about users is transmitted to Google and stored on Google's servers in the United States.
Online presences in social media
We maintain online presences within social networks and platforms to communicate with customers, interested parties and users active there, and to inform them about our services. When these networks and platforms are visited, the general terms and conditions as well as the data processing guidelines of their respective operators apply.
Integration of services and third-party content
As part of our online offer and on the basis of our legitimate interests (i.e. interest in analysis, optimization and economical operation of our website within the meaning of Article 6 Paragraph 1 Item f) GDPR), we make use of offers by third parties in order to integrate their content and services, such as videos and fonts (hereinafter uniformly referred to as "content").
A prerequisite for this always is the third party's awareness of the user's IP address because without it, the third party would not be able to send the contents to the user's browser. The IP address is therefore needed to present such content. We strive to only employ content whose respective provider uses the IP address exclusively to deliver this content. Furthermore, third parties can use so-called pixel tags (invisible graphics, also called "web beacons") for statistical and marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device, and include technical information about the browser and operating system, referring websites, time of visit and further information on use of our online offer, and also be associated with such details from other sources.
We integrate this function for detecting bots, for example, during input into online forms ("ReCaptcha"); it is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/; opt-out: https://adssettings.google.com/authenticated.
Typekit fonts from Adobe
On the basis of our legitimate interests (i.e. in analysis, optimization and economical operation of our website within the meaning of Article 6 Paragraph 1 Item f) GDPR), we use external "typekit" fonts from the provider Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified under the privacy shield agreement and thus provides a guarantee of compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).
Functions and content of the Twitter service, offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA can be integrated into our online offer. This can include content such as pictures, videos, text and buttons allowing users to express their appreciation of the content and subscribe to the authors of the content or our posts. If users are members of the Twitter platform, Twitter can associate invocation of the above-mentioned content and functions to the user profiles there. Twitter is certified under the privacy shield agreement and thus provides a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Data privacy statement: https://twitter.com/en/privacy; opt-out: https://twitter.com/personalization.