We are glad that you are interested in our company. The management at Licht im Raum Dinnebier GmbH accords high priority to data protection. Use of the Licht im Raum Dinnebier GmbH website is generally possible without the need to provide personal data. However, if a data subject wishes to use the special services offered by us on our website, it is possible that the processing of personal data will be necessary. If the processing of personal data is necessary and there is no legal basis for the processing, we generally obtain the data subject’s consent.
Data subjects’ personal data, such as name, address, e-mail address or telephone number are always processed in accordance with the General Data Protection Regulation and the applicable country-specific privacy policies of Licht im Raum Dinnebier GmbH. This privacy statement informs you about the type, extent and purpose of the personal data which we collect, use and process. It also informs data subjects about their rights.
Licht im Raum Dinnebier GmbH, as the data controller, has implemented numerous technical and organisational measures to ensure the most comprehensive possible protection of personal data that is processed via this website. However, online data transmissions may not be secure and absolute protection is therefore impossible to provide. For this reason, every data subject may choose to communicate personal data to us by alternative means, such as the telephone.
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
A data subject is an identified or identifiable natural person whose personal data are processed by the controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or data controller
Controller or data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and address of controller
The controller pursuant to the General Data Protection Regulation, other data protection legislation which is effective in the Member States of the European Union and other data protection laws and regulations is:
Licht im Raum Dinnebier GmbH
Phone: +49 (0)211 994 000
3. Name and address of the data protection officer
The controller’s data protection officer is:
Licht im Raum Dinnebier GmbH
Phone: +49 (0)211 994 0028
All data subjects can contact our data protection officer directly if they have any questions or suggestions relating to data protection.
4. Contact (telephone consultation, contact form)
Visitors can obtain advice by telephone or by sending messages to us via the contact form on the website. All information is provided to us voluntarily and, in doing so, the data subject consents to the processing of his or her personal data. In order to receive an e-mail response from us the sender must provide us with a valid e-mail address. The data are only processed for the purposes of providing advice by telephone or responding to contact form enquiries.
The data are processed on the basis of the data subject’s voluntary consent pursuant to Art. 6 (1) 1 a) EU GDPR. The personal data which are collected in order that the contact form can be used are automatically erased when the enquiry has been dealt with if there are no reasons to continue storing it.
Cookies are used by the Licht im Raum Dinnebier GmbH website. Cookies are text files which are placed and stored on your computer via an Internet browser.
Cookies also allow us to optimise the information and services on the website and thus improve the user experience. As already mentioned, cookies enable us to identify previous website users when they visit our website again. This serves the purpose of providing a more convenient user experience. For example, users of websites with cookies don’t have to enter their login data each time they visit the site because the website and the cookie on their computer does it for them. Another example is a shopping cart cookie in a web shop. It remembers the products that the customer has put in the virtual shopping cart.
Data subjects can change their browser settings to prevent our website’s cookies from being stored there and permanently block the placement of cookies. Cookies that have already been placed on your computer can be deleted at any time via the browser or other software progams. This is possible in all standard Internet browsers. However, if the data subject deactivates cookies in their browser, it is possible that they may not be able to use all the functions of our website to their full extent.
6. Website registration
The data subject can become a registered user of the controller’s website by providing personal data. The personal data transferred to the controller is the data entered in the registration input mask. The personal data entered by the data subject are only used and stored internally by the controller for own purposes. The controller may transfer the personal data to one or several processors, such as a parcel service provider. Such processors also use the data exclusively for the controller’s internal purposes.
When a data subject registers on the controller’s website the IP address assigned to the data subject by the Internet Service Provider (ISP) and the time of registration is saved. These data are stored to prevent any misuse of our services and, should it be necessary, to facilitate investigations into committed criminal acts. Therefore, the storage of these data are necessary for security purposes relating to the controller. Data are not transferred to third parties unless the controller is under legal obligation to transfer it, or it is transferred for criminal prosecution purposes.
Registration of the data subject with voluntary provision of personal data serves the purpose of offering content and services to the data subject which, by nature, can only be offered to registered users. Registered users can change the personal data provided or request the erasure of their personal data from the controller’s database at any time.
The controller will provide information to the data subject about the personal data concerning him or her which it stores upon request. Furthermore, the controller will correct or erase the personal data upon the data subject’s request or notice unless legislation imposes a mandatory storage period for the data. The data subject can contact any one of the controller’s employees in this connection.
7. Subscription to our newsletter
Users of the Licht im Raum Dinnebier GmbH website can subscribe to our newsletter. The personal data which has to be provided to the controller in order to subscribe to the newsletter is the data entered in the subscription input mask.
Licht im Raum Dinnebier GmbH provides information about its offerings to customers and business partners at regular intervals via a newsletter. Our company’s newsletter can be sent to the data subject only if (1) the data subject has a valid e-mail address and (2) the data subject subscribes to the newsletter. When the data subject first provides an e-mail address to receive the newsletter a double opt in process applies for legal reasons. The e-mail with confirmation link sent to the address provided by the data subject serves to verify that the e-mail account holder is the data subject who has subscribed to the newsletter.
When the newsletter is subscribed to we also store the IP address of the computer used to subscribe to the newsletter, which is given to the data subject by his or her Internet service provider (ISP), as well as the date and time of subscription. It is necessary to collect this data to identify (potential) misuse of the data subject’s e-mail address at a later time. It therefore serves the purpose of the legal protection of the controller.
The personal data collected during the newsletter subscription process are exclusively used for the purpose of distributing our newsletter. Furthermore, newsletter subscribers may receive information by e-mail if this is necessary to provide the newsletter service or a registration is necessary, as may be the case when the newsletter service or technical factors change. The personal data collected is not transferred to third parties in connection with the newsletter service. Data subjects can unsubscribe to our newsletter at any time. The consent to the storage of personal data given to us by the data subject so that we can provide the newsletter service can be revoked at any time. Every newsletter contains an unsubscribe link which can be used to revoke consent. It is also possible, at any time, to unsubscribe to the newsletter directly on the website, or by otherwise notifying the controller.
8. Newsletter tracking
The Licht im Raum Dinnebier GmbH newsletters contain so-called tracking pixels. A tracking pixel is a 1×1 pixel graphic that is embedded in HTML-format e-mails to make logfile recording and analysis possible. As a result, it is possible to statistically evaluate the success or failure of online marketing campaigns. With the embedded tracking pixel Licht im Raum Dinnebier GmbH can identify when an e-mail was opened by the data subject and which of the links in the e-mail were used.
Personal data obtained via tracking pixels in newsletters are stored and analysed by the controller to optimise the newsletter service and adapt future newsletter content in line with the data subject’s interests. These personal data are not transferred to third parties. Data subjects have the right, at any time, to revoke the consent they provided separately in the double opt-in process. When consent is revoked the personal data are erased by the controller. Licht im Raum Dinnebier GmbH automatically interprets unsubscription to the newsletter as a revocation.
We also use the personal data for our own advertising purposes, both in general and individualised form. We send general information to customers about our product portfolio or specific products and/or marketing promotions, and personalised advertising material based on web shop usage history (both with regard to concluded transactions and unconcluded transactions, e.g. products placed in the shopping cart but not ordered). Such information and materials are sent by post and/or e-mail.
The data are processed on the legal basis of Art. 6 (1) 1f) EU GDPR for the purpose of our legitimate interests of providing information to the customer and customer retention.
Our customers can revoke use of the data for these purposes (all or specific advertising purposes) at any time.
10. Contacting us via the website
The Licht im Raum Dinnebier GmbH website is required by law to provide mechanisms enabling fast electronic contact to our company and direct communication with us, including a general electronic mail (e-mail) address. If a data subject contacts the controller by e-mail or a contact form, the personal data provided are automatically stored. Personal data provided to the controller voluntarily by the data subject in this way are stored for the purposes of processing and contacting the data subject. None of these personal data are transferred to third parties.
10.1. Web shop
When our web shop is used personal data are collected and processed for registration and order handling purposes. These are inventory data, such as the name and address of the person, and usage data (e.g. password).
The data are processed for the conclusion, performance and execution of contracts and for the purposes of future customer service and care. The legal basis for the processing of the data is Art. 6 (1) 1 b) EU GDPR, i.e. for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract with the data subject.
11. Routine erasure and blocking of personal data
The controller only processes and stores personal data concerning the data subject for as long as necessary to achieve the purpose for which it is stored or for as long as required by other laws and regulations governing the processing of data.
If the purpose for which the data are stored ceases to apply, or a statutory retention period under European directives or regulations or a retention period prescribed by other laws expires, the personal data are routinely blocked or erased.
12. Data subject rights
a) Right to request confirmation
Every data subject is granted the right by the European legislators and regulators to request confirmation from the controller about whether their personal data are being processed. Data subjects who choose to exercise this right can contact one of the controller’s employees at any time.
b) Right of access
All data subjects whose personal data are processed are granted the right by the European legislators and regulators to obtain from the controller, at any time and without charge, information about the personal data concerning them which is stored, and to receive a copy of the personal data being processed. Furthermore, the European legislators and regulators have granted data subjects the right to obtain the following information:
• the purposes of processing
• the categories of personal data concerned
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• the existence of the right to obtain from the controller rectification or erasure of personal data concerning the data subject, the right to restriction of processing by the controller or the right to object to processing
• the right to lodge a complaint with a supervisory authority
• where the personal data are not collected from the data subject, any available information as to their source
• the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
The data subject also has the right to obtain information about whether personal data has been transferred to a third country or an international organisation. If this is the case, the data subject also has the right to obtain information about appropriate safeguards in connection with the transfer of the data.
Data subjects who choose to exercise this right can contact one of the controller’s employees at any time.
c) Right to rectification
All data subjects whose personal data are processed are accorded the right by the European legislators and regulators to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Data subjects who choose to exercise this right to rectification can contact one of the controller’s employees at any time.
d) Right to erasure (right to be forgotten)
Every data subject is granted the right by the European legislators and regulators to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
• The data subject withdraws his or her consent on which the processing is based according to Article 6 (1) a), or Article 9 (2) a) GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR.
• The personal data have been unlawfully processed.
• The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
• The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
If one of the above applies, and a data subject wishes to obtain the erasure of personal data which is stored by Licht im Raum Dinnebier GmbH, he or she may contact one of the controller’s employees at any time. The Licht im Raum Dinnebier GmbH employee will then comply with the request for erasure without undue delay.
If the personal data have been made public by Licht im Raum Dinnebier GmbH and our company is the controller pursuant to Art. 17 (1) GDPR with the obligation to erase the personal data, Licht im Raum Dinnebier GmbH will, taking the available technology and implementation costs into consideration, undertake suitable measures, including technical measures, to inform other data controllers who process the published personal data that the data subject has requested the erasure of all links to said personal data or copies or replicas thereof, unless processing of the personal data are necessary. The employee of Licht im Raum Dinnebier GmbH will take any necessary action on a case-by-case basis.
e) Right to restriction of processing
Every data subject whose personal data are processed is accorded the right by the European legislators and regulators to obtain from the controller restriction of processing where one of the following applies:
• The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead.
• The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
• The data subject has objected to processing pursuant to Article 21 (1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.
If one of the above applies, and a data subject wishes to obtain the restriction of processing of personal data which is stored by Licht im Raum Dinnebier GmbH, he or she may contact one of the controller’s employees at any time. The employee of Licht im Raum Dinnebier GmbH will then arrange for the restriction of processing.
f) Right to data portability
Every data subject whose personal data are processed is accorded the right by the European legislators and regulators to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. Furthermore, the data subject has the right to transmit those data to another controller without hindrance from the controller to which the personal data had been provided where the processing is based on consent pursuant to of Article 6 (1) a) or Article 9 (2) a) or on a contract pursuant to Article 6 (1) b); and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, in exercising his or her right to data portability pursuant to Art. 20 (1) GDPR, DS-GVO, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that the rights and freedoms of others are not adversely affected as a result.
To exercise the right to data portability the data subject can contact an employee of Light im Raum Dinnebier GmbH at any time.
g) Right to object
Every data subject whose personal data are processed is accorded the right by the European legislators and regulators to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 (1) e) or f), including profiling based on those provisions.
Licht im Raum Dinnebier GmbH will no longer process the personal data concerning a data subject who has lodged an objection unless we can demonstrate compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.
Where personal data are processed by Licht im Raum Dinnebier GmbH for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to the processing of his or her personal data by Licht im Raum Dinnebier GmbH for direct marketing purposes, Licht im Raum Dinnebier GmbH will no longer process the personal data for such purposes.
Where personal data are processed for scientific or historical research purposes or statistical purposes by Licht im Raum Dinnebier GmbH pursuant to Article 89 (1) GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise the right to object the data subject can contact any employee of Licht im Raum Dinnebier GmbH at any time. In the context of the use of information society services, and notwithstanding Directive 202/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
h) Automated, individual decision-making, including profiling
Every data subject whose personal data are processed is accorded the right by the European legislators and regulators not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or performance of, a contract between the data subject and a data controller; or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (3) is based on the data subject’s explicit consent.
If the decision is (1) necessary for entering into, or performance of, a contract between the data subject and a data controller; or (2) based on the data subject’s explicit consent, Licht im Raum Dinnebier GmbH will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests and, at least, the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If the data subject wishes to exercise rights relating to automated decision making, he or she may contact one of the controller’s employees at any time.
i) Right to withdraw consent to the processing of personal data
All data subjects whose personal data are processed are accorded the right by the European legislators and regulators to revoke their consent to the processing of their personal data at any time.
If the data subject wishes to exercise his or her right to revocation, he or she may contact one of the controller’s employees at any time.
13. Data protection in job applications and the job application process
The controller will collect and process the personal data of job applicants for the purpose of the application procedure. This processing may be carried out by electronic means. This will be the case, in particular, if an applicant transmits application documents to the controller by electronic means, e.g. by e-mail or via an application form located on the website. Should the controller conclude an employment contract with the applicant, the data provided for the purpose of the employment relationship will be stored in compliance with statutory regulations. Should no employment contract be concluded by the controller with the applicant, the application documents will be automatically erased two months after the time when notice of refusal was given, providing no other legitimate interests on the part of the controller conflict therewith. Legitimate interest in this sense would be, for instance, a burden of proof obligation in proceedings under the German Equality of Treatment Act (Allgemeines Gleichbehandlungsgesetz, AGG).
The controller has integrated a Facebook component into this website. Facebook is a social network.
A social network is a social meeting point or online community operated on the Internet that generally enables its users to communicate with each other and interact in a virtual space. A social network can serve as a platform for exchanging opinions and experiences, or it may enable the Internet community to provide personal or commercial information. Facebook enables users of the social network to create private profiles, upload photos and establish a network via friend requests, for example.
The operator of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the USA and Canada, the data controller responsible for processing personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
By accessing individual pages of this website, which are operated by the data controller and in which a Facebook component (Facebook plug-in) has been integrated, the Internet browser on the data subject’s information technology system will be automatically prompted by the Facebook component to download and display the corresponding Facebook component from Facebook. A complete overview of all Facebook plug-ins can be called up via https://developers.facebook.com/docs/plugins/?locale=de_EN. Within the framework of this technical process, Facebook receives information regarding the actual sub-pages of our website visited by the data subject.
If the data subject is logged into Facebook at the same time, Facebook recognises which sub-pages of our website the data subject visits when they access our website for the entire duration of the data subject’s visit to our site. This information is collected by the Facebook component and assigned to the data subject’s Facebook account by Facebook. If the data subject clicks on one of the Facebook buttons integrated into our website, for example the “Like” button, or if the data subject makes a comment, Facebook will assign this information to the data subject’s personal Facebook account and store this personal data.
Via the Facebook component Facebook receives the information that the data subject has visited our website, the time of the visit and, if the data subject is logged into Facebook when visiting our website, this information is transferred to Facebook whether the data subject clicks on the Facebook component or not. If you don’t want this information to be transferred to Facebook, log out of your Facebook account before visiting our website.
The data controller has integrated a Google Analytics component (with anonymization function) in this website. Google Analytics is a web analysis service. Web analysis is the acquisition, collection and evaluation of data on the behaviour of website visitors. A web analysis service logs data and information such as the referrer website, the sub-pages of the website that a data subject visits, as well as how often and for what length of time a sub-page was viewed. A web analysis service is predominantly used in order to optimise a website and to analyse the value for money of Internet advertising.
The provider of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The controller uses the suffix “_gat._anonymizeIp” for web analysis with Google Analytics. Using this suffix, the IP address of the Internet connection of the data subject is truncated and anonymised by Google, if our website is accessed from a European Union Member State or another state that is a party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse the flow of visitors to our website. Google uses the data and information acquired, for example, to evaluate the use of our website, to generate online reports for us which show activities on our web pages, and to provide further services related to the use of our website.
Google Analytics sets a cookie on the data subject’s IT system. We have already explained what cookies are. By setting cookies, Google is able to analyse the use of our website. By calling up individual pages of this website, which are operated by the data controller and into which a Google Analytics component has been integrated, the Internet browser on the IT system of the data subject will be automatically prompted by the respective Google Analytics component to transfer data to Google for online analysis purposes. Within the framework of this technical process, Google obtains knowledge of personal data such as the IP address of the data subject, which Google uses, among other things, to track the origin of visitors and clicks, and to enable commission settlements.
Personal information concerning the data subject – such as time of access, place from which access was initiated, and the frequency of visits to our website – is saved via the cookie. Each time our website is visited this personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass this personal data, acquired via the technical process, to third parties under certain circumstances.
As explained previously, data subjects can change their browser settings to prevent our website’s cookies from being stored there. Applying these settings to the Internet browser used would also prevent Google setting a cookie on the data subject’s IT system. Furthermore, any cookie previously set by Google Analytics can be deleted via the Internet browser or another software program at any time.
The data controller has integrated Google AdWords into this website. Google AdWords is an online advertising service that allows advertisers to place advertisements in the Google search results and in the Google advertising network. Google AdWords allows the advertiser to define specific keywords in advance that are used to match user search terms with the advertiser’s advertisements. The advertisement is only shown if the Google user enters one of the keywords as a search term. In the Google advertising network, advertisements are shown on the basis of an automatic algorithm and the defined keywords on thematically relevant websites.
The provider of the Google AdWords services is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The purpose of Google AdWords is to advertise our website by displaying interest-based advertising on third party websites and in Google search results, and to display third party advertising on our website.
If a data subject accesses our website via a Google ad, a so-called conversion cookie is set on the data subject’s IT system by Google. We have already explained what cookies are. A conversion cookie expires thirty days after the ad is clicked on and it is not used to identify the data subject. Conversion cookies which have not expired provide information about specific sub-pages which are visited, such as the shopping cart in our web shop. Conversion cookies tell both us and Google whether a data subject accessed our website via an AdWords advertisement and whether a sale was transacted, i.e. whether the data subject made or aborted a purchase.
The information obtained through the use of conversion cookies is used by Google to prepare visitor statistics for our website. These visitor statistics are used by us to ascertain the total number of users who access our website via AdWords advertisements and thus to assess the performance of the AdWords advertisement and optimise our AdWords advertisements for the future. Neither we nor other Google AdWords advertisers receive information from Google via which the data subject could be identified.
The conversion cookie stores personal data, such as the websites that the data subject has visited. Each time our website is visited this personal data, including the IP address of the Internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass this personal data, acquired via the technical process, to third parties under certain circumstances.
As explained previously, data subjects can change their browser settings to prevent our website’s cookies from being stored there. Applying these settings to the Internet browser used would also prevent Google setting a conversion cookie on the data subject’s IT system. Furthermore, any cookie previously set by Google AdWords can be deleted via the Internet browser or another software program at any time.
The data subject can also object to interest-based advertising from Google. To do this, the data subject has to access the link www.google.de/settings/ads in every web browser that he or she uses and make the appropriate settings.
The data controller has integrated PayPal components into this website. PayPal is an online payment services provider. Payments are effected via PayPal accounts, which are virtual personal or business accounts. PayPal also offers users the opportunity to make virtual payments via credit card if they do not have a PayPal account. A PayPal account doesn’t have an account number because it is identified by an e-mail address. PayPal makes it possible to send payments to and receive payments from third parties. PayPal performs trustee functions and provides buyer protection services.
PayPal’s European operating company is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg, Luxembourg.
If the data subject selects the payment option of “PayPal” when placing an order in our web shop, data concerning the data subject are automatically transferred to PayPal. By selecting this payment option, the data subject agrees to the transfer of the personal data necessary to complete the payment transaction.
The personal data transferred to PayPal is generally first name, surname, address, e-mail address, IP address, telephone number, mobile telephone number or other data which are necessary for the payment transaction. Personal data relating to the order being placed are also necessary to execute the purchase contract.
The data is transferred for the purpose of transacting the payment and for the prevention of fraud. The data controller will transfer data to PayPal, in particular, if it is in the data controller’s legitimate interest to do so. The personal data exchanged between PayPal and the controller will be transmitted by PayPal to credit agencies for the purpose of identity and credit checks.
PayPal will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent that this is necessary to fulfil contractual obligations or if they process that data under contract.
The data subject may revoke consent to the handling of personal data by PayPal at any time. A revocation shall not have any effect on personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.
18.1. Invoice-based payments
When the payment type of invoice-based payment is selected a credit check process will be initiated without explicit consent if it is in our legitimate interest to perform the check and such a check does not impair the customer’s protectable interests.
18.2. Credit card payments
When the payment type of credit cardis selected, the customer effects the payment simply and securely online after placing the order. To make the payment the customer is redirected to a Six Payment web page to enter the necessary credit card details.
Data is transferred via an SSL-encrypted connection to the verified Six Payment page. The customer then confirms the payment, which is directly debited from his or her bank account. You can find further information about direct debit payments and the protection of personal data on the Six Payment website. We request all customers using the electronic direct debit payment method to read their financial service provider’s terms and conditions for the use of bank data.
19. Legal basis for processing
Art. 6 (I) a) GDPR is our company’s legal basis for processing activities where we obtain consent to process the personal data for a specific purpose. Should the processing of personal data be required for the performance of a contract to which the data subject is party – as is the case, for instance, when processing is necessary to deliver goods or to render other performance or counterperformance – the basis for processing is Art. 6 (I) b) GDPR. This also applies to the processing of data for the purpose of taking steps prior to entering into a contract, e.g. in connection with enquiries about our products or services. Should our company be subject to a legal obligation which makes the processing of personal data necessary, e.g. to fulfil tax obligations, the legal basis for the processing is Art. 6 (I) c) GDPR. In rare cases the processing of personal data may be necessary in order to protect the vital interests of the data subject or another natural person. This would be the case, for instance, if a visitor to our company suffered an injury and his name, age, medical insurance details or other vital information had to be passed on to a medical practitioner, a hospital or other third parties. Then the legal basis for the processing would be Art. 6 (I) d) GDPR. Finally, personal data may be processed on the legal basis of Art. 6 (I) f) GDPR. In such cases processing of the data is not covered by any of the foregoing legal bases and is necessary for the purposes of a legitimate interest pursued by us or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Such processing operations are permitted to us in particular because the European legislators make specific reference to them. They were of the opinion that a legitimate interest can be assumed if the data subject is a customer of the controller (Recital 47 (2) GDPR).
20. Legitimate interests in processing pursued by the controller or a third party
If the legal basis for the processing of personal data is Article 6 (I) f) GDPR, our legitimate interest is the pursuit of our business operations to the benefit of all our employees and shareholders.
21. Duration for which the personal data is stored
The period of storage for personal data is always the statutory retention period. Upon expiry of the statutory retention period the data are routinely erased unless they are necessary for contract execution or initiation purposes.
22. Statutory or contractual regulations on the provision of personal data; when such provision is requisite for conclusion of contract; duty of data subject to provide personal data; possible consequences of non-provision
Please note that the provision of personal data is sometimes required by law (e.g. tax regulations) or under contractual arrangements (e.g. information about contracting partner). When concluding a contract it may sometimes be necessary for a data subject to provide us with personal data, which we must subsequently process. The data subject is under obligation to provide us with personal data, for example, if our company is concluding a contract with him or her. Failure to provide these personal data would mean in consequence that the contract with the data subject could not be concluded. Prior to provision of personal data by the data subject, the data subject must contact one of our employees. Our employee will explain to the data subject whether the provision of these personal data are compulsory under law or contract, or necessary for the conclusion of the contract, whether a duty exists to provide the personal data, and what the consequences of failure to provide the personal data would be.
23. Existence of automated decision making
We are a responsible business and therefore do not use automated decision making or profiling.