Bamberger Str. 9
Managing Directors: Yacine Khorchi, Andreas Kraus
Data Protection Officer
Phone: +49 (0)6408 968 6689
Email: [email protected]
Questions concerning data privacy and exercising your rights
Please use the contact details given above if you have any questions concerning data protection or to make claims concerning your data privacy rights.
Technical operation of our website
When you call up our website with your browser, it transfers various personal data to us. From this we process what is known as the IP address so that the browser you are using can retrieve the content of our website and use it.
The legal basis for processing the IP address is formed by Art. 6 (1) (f) GDPR, since, when you visit our website, it is also in your interest that we technically facilitate its use. If your visit to our website serves to conclude, prepare for the conclusion of or execute a contract, the legal basis for processing is Art. 6 (1) (b) GDPR. This data is not stored beyond the period for which it is technically required.
Creating a customer account
When you create a customer account on our website, we process the data you provide in order to set up and manage the customer account and allow you to use the services we offer in connection with the customer account. In the customer account, we may process other data that relates to the use of the account, such as an order history, in addition to the data you provided when setting up the account. The legal basis for the corresponding processing of your data is formed by Art. 6 (1) (b) GDPR.
We will send an email to the email address you provided when registering with a request to confirm your registration. With this, we want to prevent third parties from misusing your email address and opening a customer account for both your and our protection. The legal basis for this is formed by Art. 6 (1) (f) GDPR.
The data relating to the customer account is stored until the customer account is deleted. If we are legally obliged to store data for a longer period of time (e.g. to fulfil accounting obligations or evidence required by law) or if we are legally entitled to store data for a longer period of time (e.g. due to an ongoing legal dispute against a customer account holder), the data is deleted once the obligation or entitlement has come to an end.
When you order a service we offer, we process the data you provide for the purpose of concluding and executing the corresponding contract. The legal basis for processing is formed by Art. 6 (1) (b) GDPR. Due to legal requirements, we are obliged to send an order confirmation by email to the email address you provide when ordering over our website. Furthermore, when a contract is concluded, we are legally obliged to record and retain data. The legal basis for the corresponding processing is formed by Art. 6 (1) (c) GDPR.
We also process the data you provide to identify and prevent attempted fraud on the basis of Art. 6 (1) (f) GDPR. In doing so, we are pursuing the goal of protecting ourselves against fraudulent transactions.
The data will be deleted if there is a legal obligation and the storage obligation no longer applies unless we are entitled to process it further (e.g. in a legal dispute). Otherwise, we delete the data when we no longer need it to prove the existence or non-existence of a claim.
Payment service provider
The provider in each case is responsible under data protection law for all payment options we offer. Insofar as data is transferred to the respective payment service provider for the purpose of executing a contract with you (name, address, purchase price to be paid), this takes place on the basis of Art. 6 (1) (b) GDPR so that the respective service provider has the data at its disposal that it requires to execute the payment transaction and to select the available means of payment. If the payment service provider transfers data about you to us, we also use this data to pursue the corresponding contractual relationship with you. The legal basis is therefore also formed by Art. 6 (1) (b) GDPR.
When you subscribe to receive our email newsletter, we process the data you provide. We use this data to prepare and dispatch our newsletter. The legal basis for processing this data is formed by Art. 6 (1) (a) GDPR based on your consent. You can revoke your consent at any time with effect for the future. Withdrawing your consent does not affect the lawfulness of any processing performed based on the consent you granted until revocation took place.
In order to confirm your subscription to our newsletter, you need to click on the confirmation link in the verification mail we send you after you have subscribed. By clicking on the link provided in the verification mail, we process the date and time when you make the click, the content of the message sent to you and the email address used. We do this in order to be able to provide evidence that you have subscribed to the newsletter and confirmed your consent. The legal basis for processing your data here is formed by Art. 6 (1) (c) GDPR, since we are legally obliged to be able to prove your consent.
We delete your personal data specific to your newsletter subscription when you unsubscribe. We delete data that we require to prove you have subscribed to the newsletter once the limitation period for corresponding obligations to provide proof has expired.
If you purchase a product on our website, we send you our newsletter under the legal conditions set out in Art. 7 (3) Unfair Competition Act (UWG). We use the email addresses you provided you made the purchase for this purpose. You can unsubscribe from our newsletter at any time with future effect by using the unsubscribe link embedded in our newsletters.
If you use the options for making contact with us that we offer, we will use the data you have provided to process your enquiry. The legal basis here is formed by our legitimate interest in processing your enquiry in accordance with Art. 6 (1) (f) GDPR. Insofar as your reason for enquiring is to conclude a contract, then the further legal basis for processing your data is based on Art. 6 (1) (b) GDPR.
Your data will be deleted after your enquiry has been dealt with unless we are legally obliged to store it for a longer period of time. In this case, deletion takes place once the corresponding period of obligation has expired.
a) Cookies that are required for technical purposes
b) Cookies that are used with your consent
Cookies are also used based on the consent you have granted, which can be revoked at any time. Withdrawing your consent does not affect the lawfulness of any processing performed based on the consent you granted until revocation took place. Please note that the controller of the service to which the cookie relates for the purposes of the GDPR is responsible for processing personal data using said cookies.
Please also note that, depending on the extent of the consent you have granted, this may cover services that process your personal data in countries which do not maintain a level of data protection that meets the standards of the GDPR. There, for example, your data may be subject to access by public authorities against which no effective legal remedy is available to you. Furthermore, it may be impossible to enforce the data subject rights to which you are entitled under the GDPR in these countries and/or against the state authorities.
c) Importance of your consent
If you grant your consent by using the function we offer, this primarily refers to cookies being stored in your browser and secondly to the processing of data using the services connected with this. You should therefore also take note of the information in the data protection notices from each of the services connected.
d) Revoking your consent
You can revoke your consent at any time by clicking here. By revoking your consent, our website will stop using the cookies concerned. Please note, however, that this does not remove the relevant cookies from your computer. In order to prevent the respective data controllers from accessing these cookies from other websites, you will need to delete them. Instructions on how to delete cookies in standard browsers can be found here:
Google Chrome (support.google.com/chrome/answer/95647?hl=en)
Please refer to the figure below to find out which cookie is associated with which service.
To advertise the services we offer and by doing so acquire customers, we use the services listed below on the basis of your consent, which can be revoked at any time. The legal basis for this is formed by Art. 6 (1) (f) GDPR. You can revoke your consent to this with effect for the future (click here). Withdrawing your consent does not affect the lawfulness of the processing that took place until revocation.
In addition, the services offer you the chance to object to their use in general, and not just for our website. We refer to this in the respective services.
Please note that the consent you have given relates to two matters:
The storage of cookies on the end device you use;
The use of the respective service as such.
With your consent, when you visit our website, cookies for the Google Ads service are stored in the browser you use and, consequently, this service is used. In the section on "Cookies" here we explain to you which cookies these are and what rights and options you have in this respect.
The data privacy statement applicable to Google Ads can be found here.
Please note our advisories concerning third countries since Google Analytics may process personal data in countries that do not have a level of data protection that meets the standards of the GDPR.
We do not transfer any data that relates to you in connection with Google Ads, but data is transferred solely through the browser or app you are using.
You can revoke your consent to the use of Google Ads on our website with effect for the future by clicking here. Withdrawing your consent does not affect the lawfulness of any processing performed based on the consent you granted until revocation took place.
With your consent, what is known as the Facebook Pixel is saved in your browser when you visit our website. Provider of this function for the EU is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
We use the Facebook Pixel in order to display our advertising over Facebook and partners who cooperate with Facebook ("Audience Network") only to those persons who have visited our website and who we therefore assume are interested in our offering and hence our advertising. Furthermore, Facebook Pixel allows us to measure the effectiveness of these advertisements, since it identifies whether a person was redirected to our website after clicking on a corresponding advertisement.
In terms of data protection law, Facebook Ireland Ltd. is partly acting on our behalf as a data processing company and we are partly jointly responsible according to Art. 26 GDPR. In all other respects, Facebook Ireland Ltd. is the sole data controller for the corresponding processing of personal data.
Facebook Ireland Ltd. acts as a data processing company to the extent that they process what is referred to as event data on our behalf in order to generate reports for us on the impact of our Facebook-powered advertising campaigns and other Facebook content (e.g. our posts on facebook.com) as well as analyses and insights about users of our website and their use of our website. We do not create profiles that we can associate with specific users of our website for this purpose. “Event data” is information that we share with Facebook using the Facebook Pixel and which relates to individuals and the actions they take on our website, such as visiting our website and making purchases of the products we offer. Event data includes information that is collected and transmitted when people access our website using Facebook login or Facebook plugins (e.g. the "Like" button). However, information is not collected that is created when a user interacts with our website via a Facebook login, Facebook plugins or in any other way (for example, by logging in or tagging or sharing an article with "Like").
The contractual basis for commissioned data processing by Facebook Ireland Ltd. is formed by the Facebook Business Tool Terms, as well as the corresponding Data Processing Terms. The standard contractual clauses of the "Facebook-European Data Transfer Addendum" also apply with regard to Facebook processing personal data in the USA.
Under Art. 26 GDPR, we are joint data controllers with Facebook Ireland Ltd. for the use of event data generated by our use of the Facebook Pixel to the extent that it is used to improve the display of our ads served through Facebook and the delivery optimisation of those ad campaigns. To do this, Facebook Ireland Ltd. relates this event data to people who use Facebook company products to display our advertising campaigns only to people who have visited our website (i.e. ad targeting) or who are assumed to also be interested in our services. In the context of ad targeting and optimising ad delivery, Facebook Ireland Ltd. uses the event data we generate to optimise the delivery of ads only after aggregating it with other data collected by other Facebook advertisers or otherwise on Facebook products. Facebook does not allow other advertisers or third parties to target ads based solely on the event data we submit. An illustration of which personal data we and Facebook Ireland Ltd. process as joint data controllers owing to the use of the Pixel can be found here. According to information from Facebook, this is the following data:
HTTP header information such as, among other things, information about the web browser or app used (e.g. user agent, country-specific language setting/language)
Information about the events page view, adding products to the shopping cart, status of the purchase of a product and whether the purchase was completed
Online identifiers such as, among other things. IP addresses and, where provided, Facebook related identifiers or device IDs (such as mobile operating system ad IDs) and ad tracking disable/restriction status information;
For information on how Facebook Ireland Ltd. processes personal data, including the legal basis on which Facebook Ireland Ltd. relies and on how data subjects can exercise their rights against Facebook Ireland, please refer to the Facebook Ireland Data Policy. Under their contract with us, Facebook Ireland Ltd is responsible for making it possible for data subjects to exercise their rights under Art.15-20 GDPR in respect of personal data held by Facebook Ireland Ltd following joint data processing. It goes without saying that this does not affect your existing rights against us under the GDPR under these provisions (see "Your Rights"). You can assert these against us at the same time.
Sole responsibility of Facebook
Ultimately, you can withdraw your consent to the use of the Facebook Pixel on our site by clicking here. Withdrawing your consent does not affect the lawfulness of any processing performed based on the consent you granted until revocation took place.
Please take note of our warning advisories about third countries since personal data for Facebook Pixel can be processed in countries where the level of data protection does not meet the standards of the GDPR.
Advisory alert concerning data transfers to third countries
You will find a warning in this data privacy statement detailing that data may be transferred to third countries for various services that are used on our website with your consent or that process data using this data (e.g. for advertising purposes).
What does this advisory alert mean?
In the event of data transfer to a third country, your personal data leave the local scope of the GDPR. In individual cases, a level of data protection may apply in the third country that does not meet the requirements of the GDPR. For some states, e.g. Switzerland, what is referred to as an adequacy decision exists. In the opinion of the EU Commission, the level of data protection in these states meets the requirements of the GDPR. They are therefore considered safe for data protection purposes. For other countries, and in particular the USA, no such decision exists, since in these countries no level of protection applies to your personal data that corresponds to that of the GDPR. In the event of a transfer of data to a third country, it is therefore possible that your personal data will be transferred to a country where there is no level of data protection that is comparable with that of the GDPR.
What does this mean for your personal data?
In an economy based on the division of labour, many companies use service providers to process personal data. In other cases, large companies, such as Google, Amazon, Facebook or Apple, use numerous different companies in different countries that do not each carry out data processing on their own. Rather, they use group-wide IT services, so that, for example, a company in Ireland uses the services of the parent company in the USA. For this purpose, either personal data is transferred to the USA or the parent company in the USA has access to the data in the EU.
Through the conclusion of standard contractual clauses, the GDPR allows an agreement to be reached that the contractual partner, e.g. the parent company in the USA, is obliged to observe the requirements of the GDPR for the corresponding data processing, even if they would not otherwise apply to the contractual partner. This is intended to create a level of data protection on a contractual basis that corresponds to that of the GDPR, so that data subjects are not placed in a worse position than if their personal data were processed in the EU.
However, contracts are only binding on the parties to them and not third parties such as government agencies. Therefore, in one country, e.g. the US, government agencies may have the right to access personal data belonging to EU citizens, even if this violates their rights. These instances can be very broad and all relate to all your data being processed there. They can take place without a judge or similar having to order them. It can take place in secret, so you have no knowledge of it. And it may be such that you have no way of defending yourself against it and any use of your data, especially in a court of law. Furthermore, the data subject's rights to which you are entitled under the GDPR (e.g. information, deletion) may also not exist or may not be enforced. Data processed in this way may also be combined with other data relating to you from other sources in order, for example, to create a profile about you.
This possible use of your data could, but does not have to, be associated with drawbacks for you. Since government agencies in third countries in particular are not subject to EU or German law, it is not possible to state precisely what these drawbacks might be. Drawbacks can therefore be of any nature, such as of an economic or political natures. For example, you could be denied entry to a country. It may also be that this data is used against you in criminal proceedings abroad. The drawbacks can therefore be very serious in individual cases.
How high are the risks for me?
We cannot provide a general answer as to how high the described risks are in individual cases. We can only point out that the decisive question is which service and thus which company has access to data about you in connection with your use of our website. Also decisive is which personal data is concerned in relation. In our opinion, on our website the only concern is the potential processing of personal data in third countries in connection with advertising services such as Google, Microsoft or Facebook. This will be data about which website you visited and when, how long you stayed on said website, from where access took place, which end device or which software (browser, app) you used for this purpose, which interactions you performed on the website, if such information is transferred to the service operator (e.g. the purchase of a product after clicking on an advertisement. Please read the information on this from the respective services) and, if applicable, further data that the respective operator processes. In relation, we refer you to the individual data privacy statements from the respective services. The links to these can be found in the data privacy statements under the description of the respective service.
You must decide for yourself whether granting consent and a possible transfer of your data to a third country could create a situation for you that you do not want to live with. In this case, please do not grant your consent to the use of these services.
You will not suffer any drawbacks if you do not grant your consent
If you do not wish to grant your consent to the use of certain or all services or the storage of cookies, it will not have any drawbacks for you on our website. All our offerings are available to our customers under the same conditions, regardless of whether they grant consent or not. You can of course also revoke your consent at any time with effect for the future.
Browser - This is the software that you use to surf the Internet and access our website.
Cookies - These are small text files which are saved in the browser you are using and can contain various different data. A retention period is defined for each cookie, which you can find in the information in your browser.
EEA - Refers to the European Economic Area. In addition to the EU countries, these are Iceland, Liechtenstein and Norway.
Third countries - These are countries that do not belong to the EEA and for which no adequacy decision from the EU Commission exists.
IP Address - Every device that exchanges data over the Internet requires a unique ID, otherwise data (e.g. web pages) which are to be sent to said device cannot be delivered. The computer, smartphone and tablet etc. you use therefore uses an IP address so that it can call up and receive data from the Internet. As a rule, you do not use a separate IP address for each end device, but the technology used for the connecting to the Internet (i.e. your Internet router at home) allows all the end devices in a network to appear under a common IP address externally.
Standard contractual clauses - Refers to a set of clauses provided by the EU Commission that can form the basis for the transfer of data to a third country according to Art. 46 (2) (d) GDPR.
In connection with your personal data you are entitled to the following rights in particular under the GDPR. For details, please refer to the legal provision (in particular Art. 15 ff. GDPR).
Right to information
According to Art. 15 GDPR, you have the right to demand information from the Data Controller about whether we process personal data that relates to you. If this is the case, you have a right to information about said personal data and also to further information, which is stated in Art. 15 GDPR.
Right to rectification
According to Art. 16 GDPR, you have the right to demand that we correct inaccurate personal data concerning your person without delay. You also have the right to request that incomplete personal data be completed, including by means of a supplementary statement, taking into account the purposes for which the data is processed.
Right to deletion (right to be forgotten)
Within the limits of Art. 17 GDPR, you have the right to demand that we delete personal data relating to you without delay. We are obliged to delete personal data without delay if the relevant requirements of Art. 17 GDPR are met. For details, please refer to Art. 17 GDPR.
Right to restrict processing
In accordance with Art. 18 GDPR, under certain circumstances you have the right to demand that we restrict the processing of your personal data. For details, please refer to Art. 18 GDPR.
Right to data portability
Under the conditions of Art. 20 GDPR, you have the right to receive personal data relating to you that you provide us with in a structured, standard and machine-readable format. In accordance with Art. 20 GDPR, you also have the right to transfer this data to another data controller without hindrance from us, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR, or on a contract pursuant to Art. 6(1) (b) GDPR and processing is carried out with the aid of automated procedures.
Existence of a right of appeal to a supervisory authority
According to Art. 77 GDPR, you have the right to complain to the supervisory authority without prejudice to any other administrative or judicial remedy. This right exists in particular in the member state where you have your habitual place of residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to your person violates the GDPR.
Right to object
According to Art. 21 GDPR, you have the right to object to the processing of personal data that relates to you, which is based on Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions.
Insofar as we process your personal data for direct advertising purposes, you are entitled to submit an objection at any time against processing your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.