Data privacy policies

I. Name and address of the controller

The controller in the sense of Article 4 Para. 7 EU regulation 2016/679, referred to as the General Data Protection Regulation (GDPR), other national data protection laws of the member states and other data protection regulations is:

momox GmbH
represented by managing directors Christian von Hohnhorst and Heiner Kroke
Schreiberhauer Straße 30

10317 Berlin

 

II. Name and address of the data protection officer

The controller’s data protection officer is

PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstr. 21
80802 München, Germany
datenschutzbeauftragter(at)datenschutzexperte.de

 

III. General information about data processing

1. Scope of processing personal data

You can generally visit us (Internet services, notably momox GmbH websites) without telling us who you are. Your browser automatically transmits various data when visiting our website, see below “IV. Provision of the website and creation of log files”. This information is analysed purely for statistical purposes and then erased. Our services are reserved for adult visitors.

Personal data is only collected on our website if you provide it to us of your own accord (e.g. when opening a user account or as part of the order process). We use this data exclusively for the purposes stated in each case, as listed below.

We contractually bind external service providers who process personal data for us, so-called “external processors”, in accordance with Article 28 GDPR. These external processors have been carefully selected by us, specifically commissioned and are bound to our instructions. The GDPR refers to states outside the European Union/European Economic Area as third countries and regulates transfers there separately in accordance with Articles 44 to 49 GDPR. In some cases, we use external processors in third countries. Cooperation with these contract processors is based on standard contractual clauses in accordance with Art. 46 Para. 2 lit. c GPDR.. We maintain current technical measures to guarantee the protection of personal data. These are adapted to the current state of the art.

2. Legal basis for processing personal data

If we obtain the consent of the data subject for processing personal data, Article 6 Para. 1 lit. a GDPR serves as the legal basis for processing personal data.

When processing personal data required for the performance of a contract to which the data subject is a party, Article 6 Para. 1 lit. b serves as the legal basis. This also applies to processing required for executing precontractual measures.

In accordance with Article 6 Para. 1 lit. f), processing personal data is also lawful if it is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, in particular if the data subject is a child.

3. Data erasure and storage duration

The personal data of the data subject is erased or blocked as soon as the purpose for storage ceases to exist. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

IV. Provision of the website and creation of log files

1. Description and scope of data processing

On every visit to our website, our system automatically collects data and information from the computer system of the computer being used.

The following data is collected:

1. information about the browser type, language and version used
2. amount of data transferred
3. websites accessed by the user’s system via our website
4. websites from which the user’s system reaches our website
5. access status/HTTP status code
6. content of the request (specific site)
7. data and time of access/time zone
8. the user’s IP address
9. the user’s Internet service provider
10. the user’s operating system

 

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user. However, in the event of an error in an interface query, we also log the ID (identification under a pseudonym), the IP address and the relevant http query, if used by the requesting user to enable subsequent error analysis and correction.

2. Legal basis for data processing

If our log files mean the processing of personal data, the legal basis is Article 6 Para. 1 lit. b and f GDPR.

 

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary within the meaning of Article 6 Para. 1 lit. b GDPR to enable delivery of the website to the user’s computer. The user’s IP address must be stored for its duration for this purpose. The repeated automatic reading of websites (so-called “scraping”) is also made more difficult by recording the IP address. Data storage in the event on an error is necessary in the meaning of Article 6 Para. 1 lit. f GDPR to ensure the functionality of the website.

 

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection. In the case of the IP address, this is truncated, therefore made anonymous when the respective session has ended. The data therefore no longer contains personal references. All log files are erased after 50 days.

5. Objection or removal option

The collection of the data for website provision and data storage in log files is necessary for operating the website. As a result, there is no objection option for the user.

V. Use of cookies

1. Description and scope of data processing

The websites use so-called “cookies” in several places. Their purpose is to make our website more user-friendly and effective. Cookies are small text files that are placed on your computer and saved by your browser. Some of the cookies we use are so-called “session cookies” that are automatically erased when you close your browser. In addition, there are also some persistent cookies that we use to recognise you as a visitor. Cookies do not harm your computer and do not contain any viruses. If you do not want cookies to be installed, you can deactivate the acceptance of cookies in your browser. However, we would like to point out that you may not be able to use our website in full with deactivated cookies.

The user data collected in this way is pseudonymised by technical precautions. Therefore, it is not possible to assign the data to the accessing user as a person. The data will not be stored together with the user’s other personal data unless otherwise described below.

The first time our website is accessed, users are informed about the use of cookies via an info banner and are referred to this data privacy policy. This also includes an indication of how the storage of cookies can be prevented in the browser settings.

The following data is stored and transmitted in the technically necessary cookies:

1. language settings
2. items in the shopping basket
3. login information: email address, first name and surname, gender, session ID (no password)

We also use cookies on our website that enable an analysis of the usage behaviour, the advertising success (so-called conversion) and retargeting of the users on websites of third parties and on our website (e.g. last viewed offers or favourites). Third parties can store cookies on the user’s device directly when visiting our websites or we transmit IDs without personal reference.

The following data can be transmitted in this way:

1. search terms entered
2. frequency of page views
3. use of website functions
4. Login (email address)

We use the following third-party providers to analyse usage behaviour:

1. Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) in the context of an external processor and with the appropriate level of data protection. Google Analytics also uses cookies, which enable an analysis of the use of the website by the user. The information generated by the cookie about your use of the website (including your IP address) will normally be transmitted to and stored by Google on servers in the USA. We activate IP anonymisation by adding the code “gat._anonymizeIp();” to the websites so that Google truncates your IP address within EU/EEA member states beforehand (so-called “IP masking”). Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. Google will use this information on our behalf to evaluate your use of the website (also optimise function for A/B testing, meaning response to various representations of the website), to compile reports on website activities for us and to provide other services relating to website and Internet use. Google will also transfer this information to third parties if this is required by law or if the third party process the data on behalf of Google. Information that Google receives as part of Interest-based advertising and third parties (e.g. demographics, gender and interests) may be collected in the cookie information. You will find more information on Google at http://www.google.com/intl/de/analytics/privacyoverview.html (general information on Google Analytics and data privacy). Google offers an add-on for web browsers to prevent data collection by Google Analytics and processing of this data by Google. The add-on can be downloaded and installed at your own risk at https://tools.google.com/dlpage/gaoptout. This website also uses Google Analytics for a cross-device analysis of visitor flows when selling goods, which is carried out via a user ID. In your medimops customer account, you can deactivate the cross-device analysis of your usage under “Personal settings”; “Data protection setting User ID”.
2. “Hotjar”, an analysis software from Hotjar Ltd, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, is used on the websites to measure and evaluate user behaviour (mouse movements, clicks, scroll height etc.). This is done in accordance with external processing. For this purpose, Hotjar uses cookies on the user’s end devices and may collect non-personal data from users, such as browser information, operating system, length of stay, etc. (only with anonymised IP address). More information here: https://www.hotjar.com/privacy, Option to turn off this function here: https://www.hotjar.com/opt-out

We use the following third-party providers to re-target the user (remarketing):

1. Remarketing by Google using “Double Click” and “Audiences” technology in order to approach users who have already visited our websites through Interest-based advertising on the pages of the Google Partner Network. With the help of cookies, interests can be analysed when visiting the website and subsequently used for relevant product advertising. If users have agreed that their web and app Google browsing history is linked to their Google Account and information from our Google Account is used to personalise advertising they see on third-party websites, Google will use data from those registered users together with Google Analytics data to create and define cross-device remarketing target group lists. To support this feature, Google Analytics collects the Google-authenticated IDs of these users. This personal data from Google is temporarily linked to our Google Analytics data in order to form target groups. You will find more information and options to deactivate these ad placements at http://www.google.com/settings/u/0/ads/anonymous?hl=de (Link “Ad settings”, then “Deactivation”).
2. Criteo SA, 32 Rue Blanche, 75009 Paris, France (“Criteo”) for advertising on the websites and emails of third parties (https://emailprivacy.criteo.com/de/index.html) to address our previous customers. The service works with us as a general data processor. In doing so, the customer is not personally identified but rather only recognised under a pseudonym. This is done across various customer devices using an encrypted (non-reversible) email address. Further information: https://support.criteo.com/hc/de/articles/202427141-Cross- Device-Integration. At http://www.criteo.com/de/privacy you also have the option of objecting to the use of usage data and other data for certain purposes (your preference – “Opt-out”). The advertising is therefore no longer controlled based on usage data collected by Criteo. To extend its reach, Criteo works with a network of partners who implement similar technology and may set cookies on our website in their own name.
3. “Website Custom Audiences” by Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland (“Facebook”) is implemented as a pixel to advertise in the social network. Facebook works with an appropriate level of data protection. If you visit our websites, a direct connection between your browser and the Facebook server is established via the pixel. If you are a Facebook user and do not erase cookies before you login to Facebook, Facebook can associate your visit to our website with your user account. We can only choose which segments of Facebook users (such as age, interests) to whom our advertising should be displayed. No personal data records, in particular none of our users’ email addresses – either encrypted or unencrypted – are transmitted to Facebook. Facebook may be informed about browser and device types, cookie ID, number and amount of orders. You will find more information on Facebook’s data privacy policy https://www.facebook.com/about/privacy. Please click here if you, as a Facebook user, do not want data collection via Custom Audiences: https://www.facebook.com/settings?tab=ads
4. “Adobe Marketing Cloud” from Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West Business Campus, Saggart D24, Dublin, Ireland and Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA95110, USA. This is done in the context of external processing and with the appropriate level of data protection. You can opt-out here: https://www.adobe.com/de/privacy/opt-out.html
5. “emetriq”, the service of emetriq GmbH, Vorsetzen 35, 20459 Hamburg. We and emetriq insert advertisements on websites on the Internet and use cookies to insert advertisements based on a user’s previous visits to our site. You can deactivate this technology for interest-based advertising here: http://www.emetriq.com/opt- out/
6. Affiliate network “AWIN” from AWIN AG, Eichhornstraße 3, 10785 Berlin, as a general data processor with us. Affiliate marketing is an Internet-based form of selling that enables commercial operators of websites, the so-called “merchants” or “advertisers”, to display advertising, which is usually remunerated via click or sale commissions, on third-party websites, i.e. with sales partners who are also called affiliates or publishers. The merchant provides advertising material via the affiliate network, therefore an advertising banner or other suitable means of Internet advertising, which are subsequently integrated by an affiliate on its own websites or advertised via other channels, such as keyword advertising or email marketing. AWIN places a cookie on the data subject’s IT system. Cookies have already been explained above. AWIN’s tracking cookie does not store any personal data. Only the identification number of the affiliate, meaning that of the partner referring potential customers, as well as the status number of the visitor of a website and the clicked advertising material are stored. The purpose of storing this data is to process commission payments between a merchant and the affiliate, which are processed via the affiliate network, in this case AWIN. AWIN’s valid data privacy provisions can be viewed at https://www.awin.com/de/rechtliches/privacy-policy.
7. “Bing” advertising network from the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, (“Microsoft”). The service is as a general data processor with us and works with the appropriate level of data protection. Microsoft will place a cookie if the user accessed the website via a Microsoft Bing advert. In this way Microsoft Bing and we can see that someone has clicked on an ad, has been redirected to our website and has reached a previously defined target page (conversion page). Furthermore, the same requirements apply as for Google's aforementioned conversion tracking. Further information about data privacy at Microsoft and the cookies used at https://www.microsoft.com/privacystatement/de- de/core/default.aspx. Customers can also object to tracking by Microsoft by opting out http://choice.microsoft.com/de-de/opt-out for the future.
8. Market research/analysis “Neory” from NEORY GmbH to conduct effective market research/analysis, to collect statistical data for campaign tracking or to optimise the user-friendliness of our websites. This is done by means of pseudonymous user profiles in which no personal data and only anonymised or pseudonymised data is used. Cookies can be used for this purpose. The following data is collected, among other things: Time of the visit, channel information, including possible parameters and referrer domain. The data is not used to personally identify the visitor to this website. NEORY GmbH will use the transmitted data on our behalf notably to implement campaign tracking. All aforementioned data is collected solely for this purpose and stored without any personal reference. You can prevent campaign tracking by NEORY GmbH and the processing of this data By opting out using the following link: http://d.neory-tm.net/privacy/l661hfqafe4v/optout
9. “RichRelevance” from RichRelevance, Inc., 303 Second Street, Suite 350, San Francisco, CA 94107, USA, to display relevant product recommendations for all channels. For this purpose, a user ID (MD5 hashed), browser info, viewed products, viewed category, time, purchases are transmitted to RichRelevance by pseudonym, meaning not traceable to you. The service is as an external processor and works with the appropriate level of data protection. You will find information about data privacy here: http://richrelevance.de/richrelevance-datenschutzrichtlinie/ Collection can be objected to using the following link: http://richrelevance.de/richrelevance-datenschutzrichtlinie/opt-out/
10. We use Dynamic Yield, a recommendation tool of Dynamic Yield Ltd, Highlands House, Basingstoke Road, Spencers Wood, Reading, Berkshire, England RG7 1NT (Dynamic Yield). With the recommendation tool Dynamic Yield our web offer is optimized, in order to make your web page attendance by fitting recommendations and contents a personal experience. We use the page content and promotions/interactions you previously viewed to recommend and display equivalent or thematically related products or other content that may be relevant to you. Dynamic Yield collects pseudonymous information about your usage activities on our website. Cookies are used to store only pseudonymous information under a randomly generated ID (pseudonym). Your IP addresses are stored exclusively anonymously. A direct personal reference is therefore not possible and cannot be subsequently (re-)established. You can prevent Dynamic Yield from recording your data by clicking on the following link. In this case an Opt-Out-Cookie is set, which prevents the future collection of data of your visit on this web page: https://www.dynamicyield.com/platform-privacy-policy/ In addition you find further information to the used Tracking technology under the following link: https://www.dynamicyield.com

 

We use the following third-party providers to analyse advertising effectiveness:

1. Google Adwords, to draw attention to our attractive offers with the help of advertising materials (Google Adwords) on external websites. The advertising materials are delivered by Google via so-called “AdServers”. We use AdServer cookies to measure certain parameters for measuring success, such as the insertion of advertising or clicks by users. If you access our website via a Google advert, Google Adwords stores a cookie on your device. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that user does not want to be addressed) are usually stored as analysis values. These cookies enable Google to recognise your browser. If a user visits certain pages of an Adwords customer’s website and the cookie stored on their computer has not expired, Google and the customer can recognise that the user has clicked on the ad and has been redirected to this page. Every AdWords user receives a different cookie. Cookies can therefore not be tracked via the websites of AdWords users. AdWords users do not receive any personal information. Further information on data privacy at Google at https://www.google.com/policies/?hl=de. Users can also deactivate or object to Google ads in whole or in part at https://privacy.google.com/?hl=de#google-experience (opt-out).
2. Microsoft Bing conversion tracking, see above.
3. AWIN, see above
4. “Kelkoo” and “ProductsUp” for measuring the success of our offers in price comparisons, etc., whereby a cookie from the price comparison page records whether and to what extent a sale was made on our website. Providers are Kelkoo Deutschland GmbH, Hausvogteiplatz 10, 10117 Berlin (http://www.kelkoo.de/unternehmen/datenschutz) and Products Up GmbH, Bahnhofstr. 5, 91245 Simmelsdorf (https://productsup.io/de/rechtlicher- hinweis/).
5. Realytics' Analytics cookie is a cookie used by Realytics (Realytics SAS, 73 Rue D'Anjou, 75008, Paris, France) to measure the performance of advertisers' TV campaigns on digital channels. The Realytics cookie does not collect any personal or sensitive data. It can be deactivated via the Opt-Out function https://www.realytics.io/optout/

We use the following third-party vendors to protect against attacks and improve performance: 

 

1. cloudflare

We use services from our technology partner CloudFlare Inc., 101 Townsend St, San Francisco, CA 94107 USA for our website to protect against attacks, harmful bots and to improve performance. All data to and from this server is transferred through Cloudflare's CDN ("Content Delivery Network"). Cloudflare provides Internet security services and distributed Domain Name Server (DNS) services that act as reverse proxies for Web sites.

 

Cloudflare collects statistical data about visits to this website. The access data includes: Name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, user's operating system, referrer URL (previously visited page), IP address and requesting provider. Cloudflare uses the log data for statistical evaluations for the purpose of operation, security and optimization of its own offer.

When a customer account is deleted, the data is deleted from the servers. In addition, you can clean up data from the cache at any time. Log files are kept for up to 7 days.

Further information on the provider's data processing, in particular on data protection and data security, can be found at: https://www.cloudflare.com/security-policy/

 

2. Google reCaptcha

We use reCaptcha v2 on our websites. reCaptcha is an offer from Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) and serves to prevent abusive automated input into web forms and thus the protection of the host's technical systems. When you visit one of our websites, in which reCaptcha is integrated, a connection to the servers of Google is established. A reCaptcha cookie is set. Your IP address will be transmitted to Google.

In addition, reCaptcha captures the following data using fingerprinting:

- browser plugin used-

- the cookies set by Google in the last 6 months 

- number of mouse clicks and touches you have made on this screen

- CSS information for the page accessed- Javascript objects- the date

- the browser language

You may refuse the use of cookies and fingerprinting by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

Google's Privacy Policy and Terms of Use can be found here: https://www.google.com/policies/privacy/ and here: https://policies.google.com/terms.

2. Legal basis for data processing

If our use of cookies means the processing of personal data, the legal basis is Article 6 Para. 1 lit. b and f GDPR.

3. Purpose of data processing

The purpose of using of technically necessary cookies according to Article 6 Para. 1 lit. b GDPR is to simplify the use of websites for users. Some functions on our website cannot be offered without using cookies. For this it is necessary that the browser is recognised even after a page change.

We require cookies for the following applications:

1. Registration
2. Login
3. Shopping basket for buying and selling

The user data collected by technically necessary cookies is not used to create user profiles.

If the other cookies are processed, we have a legitimate interest in processing the personal data in accordance with Article 6 Para. 1 lit. f GDPR:

The use of analysis cookies is for the purpose of improving the quality of our website and its content. Through analysis cookies, we learn how the website is used and can therefore constantly optimise what we offer. We recognise which advertising measures caused our websites to be visited (conversion tracking). We can determine how successful the individual advertising measures are in relation to the data of the advertising measures. We are interested in showing you advertisements that are of interest to you, in making our website more interesting and easier for you and in achieving a fair calculation of advertising costs.

Retargeting is done to address previous users of our websites again on third party websites and to motivate them to interact. Users receive advertising content on third party websites that is related to their interests rather than general.

4. Storage duration

Cookies are stored on the user’s computer and transmitted to our site. Therefore, you as the user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that are already stored can be erased at any time. This can be done automatically. If cookies are deactivated for our website, it is possible that not all functions can be used to their full extent (see “technically necessary cookies” above).

The cookie storage duration is indicated above. Otherwise, they are set indefinitely until you erase the memory in the browser.

5. Objection or removal option

You can disable or restrict the processing of cookies by the service providers used by us using the aforementioned links. Furthermore, you can use the preference management of the “yourchoices” commitment for Internet-based advertising: http://www.youronlinechoices.com/de/praferenzmanagement/

The objection is valid as long as the related opt-out cookie is not erased. This cookie is set for the domain, per browser and user of a computer. If you access our website from multiple devices and browsers, you must therefore object to data collection separately and again on each of these devices and in each browser.

VI. Advertising emails (newsletter)

1. Description and scope of data processing

On our website there is the option of subscribing to a free newsletter with advertising contents of our purchase and sales service. This data is transmitted to us when you register for the newsletter:

1. email address and salutation as specified
2. title, first and last name (optional)
3. IP address of the visiting computer
4. date and time of registration

Your consent is obtained for data processing and reference is made to this data privacy policy during the registration process. You will then receive an email asking you to confirm your registration (double opt-in process). If you are a customer, we will create the newsletter for you as individually as possible, taking into account your previous purchases and sales and scanned items that were not included in the shopping cart.

We will send you reminders for incomplete transactions (shopping basket) and ask you to participate in surveys by email. In addition, you will receive loyalty messages by email if you did not carry out any transactions at all on a particularly regular basis or for a longer period of time.

If you buy or sell goods on our website and provide us with your email address, we may subsequently use it to send you a newsletter. If this is the case, only direct advertising for our own similar goods or services will be sent via the newsletter. 

This regulation will be brought to your attention when you register or when buying or selling.

We would like to point out that we measure the use of the newsletter. For the evaluation, the emails sent contain so-called “web beacons” or “tracking pixels” which represent single-pixel image files stored on our website. For the evaluation we link the data and the web beacons with your email address and an individual ID. Links contained in the newsletter are also provided with an ID. With the data obtained in this way, we create a user profile in order to tailor the newsletter to your individual interests. We create a user profile with the data obtained in this way to tailor the newsletter to your individual interests. When you read our newsletter, we record which links you click on in it and deduce your personal interests. We link this data to your actions on our website.

No data is passed on to third parties for their own purposes in connection with data processing for sending of newsletters.

We use the optivo broadmail service from Episerver GmbH, Wallstraße 16, 10179 Berlin for sending the newsletter.

2. Legal basis for data processing

The legal basis for processing the data after the user has registered for the newsletter is Article 6 Para. 1 lit. a GDPR if the user has given consent.

The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7 Para. 3 Unfair Competition Act (UWG).

The legal basis for providing shopping basket reminders, surveys and measuring usage is Article 6 Para. 1 lit. a Lit. f GDPR.

3. Purpose of data processing

Collecting the user’s email address is for delivering the newsletter.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.

Messages to customers for shopping basket reminders or loyalty campaigns offer targeted communication for users and us. Requests for surveys and reviews are also in our legitimate interests because they improve our services.

Profiling based on previous purchases, sales and use of the newsletter is in our legitimate interest in order to send relevant news to users.

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection. The user’s email address will therefore be stored as long as the newsletter subscription is active.

The other personal data collected during the registration process will generally be erased after a period of seven days.

After cancellation, we store the data purely statistically and anonymously.

5. Objection or removal option

The newsletter subscription can be cancelled by the user concerned at any time. There is a corresponding link in each newsletter for this purpose. Furthermore, you have the option of cancelling the newsletter in your customer account. For more information see “Rights of the data subject” below.

You can also restrict usage measurements by deactivating the images displays in your email program as standard.

VII. Emails for reviews

1. Description and scope of data processing

When you visit our website, you may be asked to participate in surveys with separate windows (pop-ups). If you register, buy or sell goods on our website and provide your email address or subscribe to the newsletter, we may ask you by email to review our performance and/or the product. This is done using the services specified in the email or on third platforms (such as Shopauskunft or Trustpilot). Participation in reviews is always voluntary. The platforms do not receive any personal data from us unless otherwise stated here.

We use the following third parties:

1. Survey pop-ups are delivered by SurveyMonkey Europe UC, 2 Shelbourne Buildings, Second Floor, Shelbourne Road, Dublin 4 and SurveyMonkey Inc, One Curiosity Way, San Mateo, CA 94403, USA. Cookies (see above "Use of cookies" and https://de.surveymonkey.com/mp/legal/survey-page-cookies/) and device data (see https://de.surveymonkey.com/mp/legal/privacy-policy/#pp-section-2 - Respondents) are processed. The service provider is used in the context of order processing and at an appropriate level of data protection.
2. We send emails for reviews via the service provider Mandrill Inc., 512 Means Street, Sweet, 404, Atlanta, GA 30318, USA, a company of the Rocket Science Group, LLC d/b/a MailChimp LLC. Mandrill manages customers’ emails and organises processing. Mandrill processes content and communication for us. This is done in the context of external processing and with the appropriate level of data protection. You fill find more information on data processing by Mandrill in the data privacy policy at https://mailchimp.com/legal/privacy.

3. We work with zenloop GmbH, Pappelallee 78/79, 10437 Berlin. zenloop is a business-to-business software-as-a-service platform that enables us to collect and analyze feedback from our customers through various channels. This enables us to align and improve our services to the needs of our customers. 

The following data is collected for this purpose:

- email address

- Customer ID

- Customer type

- Terminal

- Sales or order number

- Shopping cart value

- Shipping partner

- Number of packages

- Newsletter Status

- Number of orders or sales

- Gender

Additionally zenloop collects your survey answers. You can find more information about zenloop's data processing in the privacy policy at https://www.zenloop.com/de/legal/privacy.

4. We use the analysis software “wootric” from Wootric, Inc. 220 27th St., San Francisco, CA 94131, USA to survey users (of the newsletter). Wootric processes the user’s email address, review and optional comments for us and is an external processor and works with the appropriate level of data protection.

2. Legal basis for data processing

The legal basis for asking for reviews is Article 6 Para. 1 lit. f GDPR.

3. Purpose of data processing

Data processing by us or our contractors is in the legitimate interest of improving our services for users and increasing our reach through (positive) reviews. The purpose of collecting the email address and information about using our service is to send the message with a review request. 

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection. For cookies in surveys, our instructions above "Use of cookies" also apply.

5. Objection or removal option

Cancelling the newsletter means that you will no longer receive emails from us asking for reviews. You can object to the processing at any time. Please send your objection to the above mentioned email address. In case of objections in connection with evaluation requests to Customer Support, you can also use the online form provided by our contract processor Google LLC. For cookies in surveys, our instructions above "Use of cookies" also apply.

VIII. Push notifications

1. Description and scope of data processing

There is an option on our website to consent to push notifications. These are brief pieces of information that you receive via your browser. This data is transmitted to us when you register for push notifications:

1. IP address of the visiting computer
2. date and time of registration

Please note that we measure the use of push notifications.

We use the service accengage from accengage S. A., 31 rue du 4 septembre, 75 002 Paris, France for managing push notifications. In this context, data (name, email address) is collected and stored from which user profiles are created using pseudonyms. These usage profiles are used to analyse visitor behaviour and are evaluated to improve and design our offer in line with demand. You will find more information on accengage and data privacy at https://www.accengage.com/privacy-policy. Accengage only receives the relevant data if the user accepts push notifications (in the browser). Accengage will automatically erase this user data after opting out (in the browser) or after 12 months of inactivity by the user.

2. Legal basis for data processing

The legal basis for processing the data after the user has registered for push notifications is Article 6 Para. 1 lit. a GDPR if the user has given consent.

3. Purpose of data processing

Collection of the aforementioned data is for delivering push notifications.

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection. It is therefore stored as long as the subscription is active. The other personal data collected during the registration process will generally be erased after a period of seven days. After cancellation, we store the data purely statistically and anonymously.

5. Objection or removal option

The push notification subscription can be cancelled by the user concerned at any time. Please use your browser configuration: settings for contents/websites, then switch off the notifications/messages. You can also use the symbol to the left of the URL in the browser for the respective website’s settings. For more information see “Rights of the data subject” below.

IX. Advertising mail

1. Description and scope of data processing

If you buy or sell goods on our website and provide us with your postal address, we may subsequently use it to send you advertising mail. If this is the case, only direct advertising for our own similar goods or services will be sent. This regulation will be brought to your attention when you register or when buying or selling.

For sending advertising mail, we use the letter shop adressdruck.de, Wilhelm-Kabus-Straße 21-35, 10829 Berlin and www.optilyz.com, a service of optilyz GmbH, Neue Schönhauser Str. 19, 10178 Berlin. 

2. Legal basis for data processing

The legal basis for sending advertising mail as a result of the sale of goods or services is Section 7 Para. 3 Unfair Competition Act (UWG).

3. Purpose of data processing

Collection of the postal address is for delivering advertising mail.

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection. The user’s postal address will therefore be stored until there is no further registration (see below).

5. Objection or removal option

You can object to the receipt of advertising mail for the future according to Article 21 Para. 2, 3 GDPR.

X. Registration

1. Description and scope of data processing

On our website, we offer users the option of registering by providing personal data. The data is entered into an input screen, transmitted to us and saved. No data is passed on to third parties. The following data is collected as part of the registration process:

1. title, first and surname
2. email address
3. self-chosen password
4. address (street, house number, postcode, location)
5. optional consent for newsletter
6. optional entry for telephone number
7. optional entry for date of birth 
8. your account data (for buying on momox, after registration)

The following data will also be stored at the time of registration:

1. date and time of registration
2. access source of registration: web, iOS app, Android app

As part of the registration process, the user’s consent to the processing of this data is obtained with reference to our general terms and conditions and this data privacy policy.

2. Legal basis for data processing

The legal basis for processing the data is Article 6 Para. 1 lit. a and lit. b GDPR.

3. Purpose of data processing

The user gives his/her consent. The user’s registration is necessary for fulfilling a contract with the user and/or for executing precontractual measures. This concerns our purchase and sale of goods by or to the user.

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection. This is the case for the data for fulfilling a contract or executing precontractual measures if the data is no longer required for executing the contract. Even after conclusion of the contract, it may still be necessary to store the contractual partner’s personal data in order to fulfil contractual or legal obligations. If there is no activity in the customer account for a period of 6 years, the customer account will be deleted.   

5. Objection or removal option

As the user, you have the option of cancelling registration at any time by sending an email to our support team or using our contact form. You can change the data stored about you at any time. For more information see “Rights of the data subject” below.

If the data is required to fulfil a contract or to execute precontractual measures, premature erasure of the data is only possible if there are no contractual or statutory obligations to the contrary.

XI. Buying and selling goods

1. Description and scope of data processing

On our website, we offer customers the option of selling us good and buying goods from us. The user’s consent to the processing of this data is obtained as part of the buying and selling process.

The data will be transmitted to us and stored in accordance with the user’s registration data in connection with goods, means of payment and shipping information selected by the user. The following user data is collected during the purchase and sale process and transmitted to the service providers named here:

1. email address
2. title, first and surname, address
3. goods
4. payment information: Your payment details will be sent to the appropriate payment service provider depending on the payment method you have chosen. The payment service provider is responsible for your payment data. When selecting certain means of payment, payment service providers may carry out a credit risk assessment on the basis of mathematical-statistical procedures (so-called “scoring”) at a credit agency. We have no influence on the assessment and do not receive any results. The payment service providers will provide you with information, in particular about the payment service providers’ controller, the contact details of the payment service providers’ data protection officers and the categories of personal data processed by the payment service providers:

a. Klarna: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, is the responsible party. You will find information on data privacy and also possible credit checks, etc. by BillPay GmbH, Zinnowitzer Str. 1, 10115 Berlin, here: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy

b. Paypal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, is the responsible party. You will find information on data privacy and also possible credit checks by other service providers here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE

c. PayOne: BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, is the responsible party (credit cards and direct debits). You will find information on data privacy and also possible credit checks by other service providers here: https://www.bs-card-service.com/de/datenschutz/

d. Amazon Payments: All personal data that you provide to Amazon Payments or that is collected during the payment process is primarily checked by Amazon Payments s.c.a. (as the responsible party) and secondarily by Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, all three located on 5, Rue Plaetis L 2338, Luxembourg. You confirm the data privacy policy when you register for Amazon: https://pay.amazon.com/de/help/201751600

5. As part of the purchasing process, we also process your IP address. We collect the IP address for the approximate determination of the residence of our customers and a corresponding personalized pricing on our website in real time. Therefore, it is possible that - depending on the IP address of your device - different purchase prices may be displayed on our website.

6. Delivery information: if we have goods delivered to you, we pass your data on to the transport company commissioned with delivery if this is required for delivery or status update. The service provider is always indicated in the order. These are currently:

1. Deutsche Post AG and DHL Paket GmbH
2. Hermes Germany GmbH
3. PIN Mail AG
4. Asendia Management SAS
5. Postcon Deutsch-land B.V. & Co. KG

7. Inclusion in the Trusted Shops quality label: The Trusted Shops trust badge is included on this website to display our Trusted Shops quality label and the collected reviews as well as to offer Trusted Shops products to buyers after an order. This serves to protect our prevailing legitimate interests in the optimal marketing of our offer as part of balanced interests. The trust badge and associated services are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne. When clicking the trust badge, the web server automatically saves a so-called “server log file”, which contains e.g. your IP address, date and time of the click, transferred data volume and the requesting provider (access data) and documents the click. This access data is not evaluated and is automatically overwritten seven days after the end of your website visit at the latest. Other personal data is only transferred to Trusted Shops if you decide to use Trusted Shops products after completing an order or have already registered for use. In this case, the contractual agreement between you and Trusted Shops applies.

8. If you purchase new books on our website, we use the dealer Libri GmbH, Friedensallee 273, 22763 Hamburg, for selling the goods. Libri GmbH therefore receives information regarding the ordered book and the delivery address.

9. Providers of customer contact centres (e.g. call centres): Within the framework of customer support, data is passed on to our service providers Yoummday GmbH, Belgradstraße 68, 80804 Munich and Trizma d.o.o. Beograd, Belgrade - Novi Beograd, 272 Tosin bunar st., Serbia within the framework of order processing.

2. Legal basis for data processing

The legal basis is Article 6 Para. 1 Lit. a, b and f GDPR.

3. Purpose of data processing

The user gives his/her consent. Processing data for customer services, logistics, payment and delivery is necessary for the fulfilment of the contract in accordance with Article 6 Para. 1 lit. b GDPR. This concerns our purchase and sale of goods by or to the user. With regard to the inclusion of the Trusted Shop quality label and work of Libri GmbH, there is a legitimate interest in accordance with Article 6 Para. 1 lit. f GDPR.

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection.

This is the case for data during the purchase and sale contract or for executing precontractual measures if the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store the contractual partner’s personal data in order to fulfil contractual or legal obligations.

5. Objection or removal option

If the data is required to fulfil a contract or to execute precontractual measures, premature erasure of the data is only possible if there are no contractual or statutory obligations to the contrary.

You can change the data stored about you at any time. For more information see “Rights of the data subject” below.

XII. Contact form and email contact

1. Description and scope of data processing

There is a contact form on our website that can be used for electronic contact. If a user uses this option, the data entered in the input screen will be transmitted to us and stored. The user’s message and email address are required. Other information is optional:

1. title, first and surname
2. order number
3. telephone number

Your consent is obtained for data processing and reference is made to this data privacy policy during the sending process.

Alternatively, you can contact us via the email address provided. In this case, the user’s personal data transmitted by email will be stored.

1. We user software from the company Zendesk Inc., 1019 Market St San Francisco, CA 94103 (“Zendesk”) for processing customer enquiries. Zendesk manages customers’ emails and organises processing. Zendesk processes the name, content and technical information of the communication for us. This is done in the context of external processing and with the appropriate level of data protection. You fill find more information on data processing by Zendesk in Zendesk’s data privacy policy at http://www.zendesk.com/company/privacy.
2. We send emails in connection with the purchase and sale of goods (so-called transaction e-mails) via the following service providers:
   
   a) Mandrill Inc., 512 Means Street, Sweet, 404, Atlanta, GA 30318, USA, a company of the Rocket Science Group, LLC d/b/a MailChimp LLC. Mandrill manages customers’ emails and organises processing. Mandrill processes content and communication for us. This is done in the context of external processing and with the appropriate level of data protection. You fill find more information on data processing by Mandrill in the data privacy policy at https://mailchimp.com/legal/privacy.
   
   b) SendGrid Inc. 1801 California St., Suite 500, Denver, Colorado 80202, U.S.A. SendGrid processes content and technology of communication for us. This takes place within the framework of order processing and at an appropriate level of data protection. Further information on data processing by SendGrid can be found in the privacy policy at https://sendgrid.com/resource/general-data-protection-regulation/.

2. Legal basis for data processing

The legal basis for processing data is Article 6 Para. 1 lit. a GDPR if the user has given consent.

If the aim of the email is concluding a contract, the additional legal basis for processing is Article 6 Para. 1 lit. b GDPR.

3. Purpose of data processing

The user gives his/her consent. Processing personal data from the input screen is for processing any contact.

4. Storage duration

The data is erased as soon as it is no longer necessary for achieving the purpose of its collection. For personal data from the contact form input screen and that which was sent by email, this is the case when the respective conversation with the user is finished. The conversation is terminated when the circumstances show that it is certain that the matter in question has been conclusively resolved.

5. Objection or removal option

The user has the option of revoking his/her consent to the processing of personal data at any time. If the user contacts us via email, he/she can object to the storage of his/her personal data at any time. In a case such as this, the conversation cannot be continued. For more information see “Rights of the data subject” below.

 

XIII. Social Media Plug-Ins

1. Description and scope of data processing

You can also find us on social networks. A social network is a social meeting point operated on the Internet, an online community that usually enables users to communicate with each other and interact in virtual space. A social network can serve as a platform for the exchange of opinions and experiences or enables the Internet community to provide personal or company-related information. In addition, we have integrated individual functions of these networks into our online services as so-called plug-ins. However, you can only use functions if you are registered and logged in to the respective social network. Please note that the use of the respective social network is subject to the terms of use and data protection of this company, over which we have no control. However, we will be happy to explain to you how such networks process your personal data in this context:

 

Facebook

On this website we have integrated components of the company Facebook. Facebook is a social network. The operating company of Facebook is Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. The person responsible for processing personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland if a data subject lives outside the USA or Canada. Each time one of the individual pages of this website is accessed, which is operated by us and on which a Facebook component (Facebook plug-in) has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Facebook component to download a representation of the corresponding Facebook component from Facebook. A complete overview of all Facebook plug-ins can be found at https://developers.facebook.com/docs/plugins/?locale=en_DE. As part of this technical process, Facebook obtains information about which specific subpage of our website is visited by the data subject. If the data subject is logged into Facebook at the same time, Facebook recognizes which specific subpage of our website the data subject is visiting each time the person visits our website and for the entire duration of that person's visit to our website. This information is collected by the Facebook component and assigned by Facebook to the respective Facebook account of the data subject. If the data subject clicks one of the Facebook buttons integrated into our website, such as the "Like" button, or if the data subject makes a comment, Facebook assigns this information to the data subject's personal Facebook user account and stores this personal data. Facebook receives information through the Facebook component that the data subject has visited our site whenever they are logged into Facebook at the same time as they visit our site, whether or not they click on the Facebook component. If the data subject does not choose to submit this information to Facebook in this way, he or she can prevent the submission by logging out of his or her Facebook account before visiting our website. Facebook's published privacy policy, available at https://de-de.facebook.com/about/privacy/, discloses Facebook's collection, processing and use of personal information. It also explains what settings Facebook offers to protect the privacy of the data subject. In addition, various applications are available that make it possible to suppress data transmission to Facebook. Such applications can be used by the data subject to suppress data transmission to Facebook.

 

Instagram

Our website uses plug-ins from Instagram, which is operated by Instagram LLC, 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). When you visit a page on our site that contains such a plugin, your browser connects directly to Instagram's servers. The content of the plugin is sent by Instagram directly to your browser and integrated into the page. This integration tells Instagram that your browser has accessed the appropriate page on our site, even if you do not have an Instagram profile or are not logged into Instagram. This information (including your IP address) is transferred directly from your browser to an Instagram server in the USA and stored there. If you are logged in to Instagram, Instagram can directly associate your visit to our website with your Instagram account. If you interact with the plugins, for example by pressing the "Instagram" button, this information will also be sent directly to an Instagram server and stored there. The information is also published to your Instagram account and displayed to your contacts. The purpose and scope of the data collection and the further processing and use of the data by Instagram, as well as your related rights and privacy settings, can be found in Instagram's privacy policy: https://www.instagram.com/legal/privacy/

YouTube 

We use YouTube, LLC 901 Cherry Ave, 94066 San Bruno, CA, USA, a company of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website.

To protect your personal information, we use YouTube's enhanced privacy option. When you visit a page that embeds a YouTube video, YouTube connects to the YouTube servers and displays the content on the website by notifying your browser. However, according to YouTube, "Advanced Privacy Mode" only transmits data to the YouTube server when you actively start the video.

If you are logged into YouTube at this time, the information about the videos you view will be associated with your YouTube member account. You can prevent this by logging out of your account before you visit our site.

More information about YouTube's privacy practices is provided by Google at the following link: https://www.google.de/intl/de/policies/privacy/

 

2. Legal basis for data processing

Insofar as our use of cookies involves the processing of personal data, the legal basis is Art. 6 Para. 1 lit. b, lit. f GDPR.

 

3. Purpose of data processing

In the case of processing, our legitimate interest lies in the processing of personal data in accordance with Art. 6 Para. 1 lit. f GDPR: The websites are enriched with more attractive content and the users of the networks can interact directly with them.

 

4. Duration of storage

The collection takes place through the networks mentioned, where you as a member receive information about the storage duration.

 

5. Objection or removal option

If you do not want Facebook or Instagram networks to directly associate the information collected through our website with your account, you must log out before visiting our website. You can assert your rights as a member in accordance with the data protection regulations against the networks. You can also use add-ons for your browser to completely prevent plugins from loading, e.g. the script blocker "NoScript" (http://noscript.net/).

XIV. Facebook fan page 

Both Facebook Ireland Limited ("Facebook Ireland") and momox GmbH are jointly responsible for the operation of our Facebook fan page. The joint responsibility concerns in particular the use of the "Facebook Insights" function, more precisely the collection, storage and further processing of the Insights data. Facebook Ireland Limited ("Facebook Ireland") is responsible for the collection and storage of the data; momox GmbH only receives anonymized evaluations of the Insights data.

The parties have concluded an agreement on joint responsibility (https://www.facebook.com/legal/terms/page_controller_addendum). For the processing of Insights data, it was agreed that Facebook Ireland assumes the obligation to protect the rights of the data subject and the necessary information obligations according to Art. 13 and 14 GDPR. Data protection rights can be asserted both at Facebook Ireland and at momox GmbH. momox GmbH will forward all requests from data subjects concerning processing for which Facebook Ireland is responsible to Facebook Ireland for processing.

 

1. Description and scope of data processing

The following data is collected during the registration process;

 

• User interactions (postings, likes etc.) - Purpose: User communication via social media

• Facebook cookies

• Demographic data (e.g. based on age, place of residence, language or gender)

• Statistical data on user interactions in aggregated form, i.e. without personal reference (e.g. page activities, page views, page previews, likes, recommendations, articles, videos, page subscriptions incl. origin, times of day)

 

The promotional use of your personal data is particularly important for Facebook. We use the statistics function to learn more about the visitors of our fan page. Using this function enables us to adapt our content to the respective target group. In this way, we also use demographic information on the age and origin of the users, for example, whereby no personal reference is possible for us here. 

In order to provide the social media service in the form of our Facebook fan page and to use the Insight function, Facebook generally stores cookies on the user's end device. 

These include session cookies, which are deleted when the browser is closed, and permanent cookies, which remain on the end device until they expire or are deleted by the user. 

According to Facebook, the cookies used by Facebook are for authentication, security, website and product integrity, advertising and measurement, website features and services, performance, and analysis and research. Details of the cookies used by Facebook (e.g., cookie names, duration of function, recorded content and purpose) can be viewed here: https://www.facebook.com/policies/cookies/ by following the links there. There you will also find the option to deactivate the cookies used by Facebook. You can also change the settings for your advertising preferences there.

The collection and storage of data through the use of the above-mentioned Facebook cookies can also, and at any time in the future, be refused via the following opt-out link: http://www.youronlinechoices.com/de/praferenzmanagement/.

Under the above-mentioned link you can manage your preferences regarding usage-based online advertising. If you object to usage-based online advertising with a particular provider using the preference manager, this only applies to the specific business data collection via the web browser you are currently using. Preference management is cookie-based. If you delete all browser cookies, the preferences that you set using the preference manager are also removed. 

2. Note on Facebook Insights

For statistical evaluation purposes we use the function Facebook Insights. In this context, we receive anonymous data on the users of our Facebook fan page. A conclusion on your person is not possible for us. For further information please refer to the Facebook cookie policy. 

 

3. Pursued legitimate interests, if the legal basis is Art. 6 para. 1 lit. f) DSGVO

We see our justified interest in data processing in the presentation of our company and our products and services for your information. 

 

4. Recipients or categories of recipients 

Facebook

As far as you interact within the framework of Facebook, Facebook naturally also has access to your data. In particular, it is possible that Facebook Inc, 1601 Willow Road, Menlo Park, California 94025, USA, has access to your data. Facebook is located here in an insecure third country, where the level of data protection is lower. Facebook uses standard contractual clauses approved by the European Commission and, for data transfers from the EEA to the US and other countries, the Adequacy Decisions issued by the European Commission regarding certain countries.

XV. Comments on our website

1. Description and scope of data processing

Personal data is collected when you rate our websites (e.g. the blog). In this context, the data given in the respective form and your IP address are collected. Name and e-mail address details are voluntary.

2. Legal basis of data processing

The legal basis for processing data is Article 6 Para. 1 lit. a GDPR if the user has given consent.

3. Purpose of data processing

The user gives his consent. The processing of the personal data from the input mask serves us for the treatment of the comment.

4. Storage duration 

The data will be erased if requested by the author of the comment. In addition, an unlimited 

agreement of the representation is to be assumed.

5. Objection and removal option

The user has the possibility to revoke his consent to the processing of personal data at any time. He can also have information anonymized by us, e.g. by shortening the previously mentioned name. For further information, see "Rights of the data subject" below.

 

XVI. Rights of the data subject

If your personal data is processed, you are the data subject according to GDPR and you are entitled to the following rights with regard to the controller:

1. Right to information

You can ask the controller to confirm whether personal data concerning you will be processed by us.

If processing has taken place, you can request the following information from the controller:

1. the purposes for which personal data is being processed;
2. the category of personal data being processed;
3. the recipient or categories of recipients to whom the personal data concerning you has been or is still being disclosed;
4. the planned storage duration the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period; the existence of a right to have the personal data concerning you corrected or erased, a right to have processing restricted by the controller or a right to object to this kind of processing;
5. the existence of a right to complain to a supervisory authority;
6. all available information regarding the origin of the data if the personal data is not collected from the data subject;
7. the existence of automated decision-making, including profiling in accordance with Article 22 Para. 1 and 4 GDPR and – at least in these cases – significant information on the logic involved and the scope and intended effects of this kind of processing for the data subject.
8. You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to
9. be informed of the appropriate guarantees according to Art. 46 GDPR in connection with the transmission.

2. Right to correction

You have a right to the correction and/or completion by the controller if the personal data processed concerning you is incorrect or incomplete. The controller must make the correction without delay.

3. Right to restrict processing

You may request that the processing of personal data concerning you be restricted under the following conditions:

1. if you dispute the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;
2. processing is unlawful and you refuse the erasure of the personal data and instead request that the use of the personal data be restricted;
3. the controller no longer needs the personal data for processing purposes but you do need it to assert, exercise or defend legal claims, or
4. if you have filed an objection to the processing according to Article 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data may only be processed – aside from being stored – with your consent or for the purpose of asserting, exercising or defending rights or for protecting the rights of another natural or legal person or on grounds of important public interest of the European Union or a member state.

If the processing restriction has been restricted in accordance with the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Erasure obligation

You can request that the controller erase the personal data concerning you without delay and the controller is obliged to erase this data without delay if one of the following reasons applies:

1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
2. You revoke your consent on which the processing was based according to Article 6 Para. 1 lit. a or Article 9 Para. 2 lit. a GDPR and there is no other legal basis for processing.
3. You file an objection against processing according to Article 21 Para. 1 GDPR and there are no overriding legitimate reasons for processing or you file an objection against processing according to Article 21 Para. 2 GDPR.
4. The personal data concerning you has been unlawfully processed.
5. The erasure of personal data concerning you is necessary to fulfil a legal obligation under EU law or the member state law to which the controller is subject.
6. The personal data concerning you has been collected in relation to information society services offered according to Article 8 Para. 1 GDPR.

b) Information to third parties

If the controller has made personal data concerning you public and is obliged to erase it according to Article 17 Para. 1 GDPR, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you as the data subject have requested the erasure of all links to this personal data or of copies or replications of this personal data.

c) Exceptions

The right to erasure does not exist if processing is required

1. to exercise the right to freedom of expression and information;
2. to perform a legal obligation required for processing under EU law or member states’ law to which the controller is subject or to perform a task in the public interest or to exercise public authority that has been signed to the controller (this is, for example, commercial and tax-related retention obligations);
3. for reasons of public interest in the field of public health according to Article 9 Para. 2 lit. h and i and Article 9 Para. 3 GDPR;
4. for archiving purposes in the public interest, academic or historical research purposes or for statistical purposes according to Article 89 Para. 1 GDPR, if the right referred to in a) is likely to make it impossible or seriously impair the attainment of the objectives of this processing or 
5. for asserting, exercising or defending legal claims.

 

5. Right to notification

If you have exercised your right to have the controller correct, erase or limit processing, it is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this correction or erasure of the data or processing restriction, unless this proves impossible or involves a disproportionate effort.

You shall also have the right to be informed about these recipients by the controller.

6. Right to data transferability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. Furthermore, you have the right to transmit this data to another controller without any obstruction by the controller to whom the personal data was made available provided that

1. processing is based on consent according to Article 6 Para. 1 lit. a GDPR or Article 9 Para. 2 lit. a GDPR or on a contract according to Article 6 Para. 1 lit. a GDPR and
2. processing is carried out using automated methods.

In exercising this right, you also have the right to affect that the personal data concerning you be transferred directly from one controller to another if this is technically feasible. Freedoms and rights of other people may not be affected because of this.

The right to data transferability does not apply to processing personal data necessary for performing a task in the public interest or in the exercise of public authority assigned to the controller.

7. Right to objection

You have the right, for reasons arising from your particular situation, to object to the processing of personal data concerning you under Article 6 Para. 1 lit. e or f GDPR at any time; this also applies to profiling based on these provisions.

The controller no longer processes the personal data concerning you, unless it can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object to the processing of personal data concerning you for the purpose of this kind of advertising at any time according to Article 21 Para. 2, 3 GDPR; this also applies to profiling if it is in connection with this kind of direct marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the option of exercising your right of objection using automated procedures in which technical specifications are used, in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

8. Right to revoking the declaration of consent relating to data privacy

You have the right to revoke your declaration of consent relating to data privacy at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

9. Automated decision on a case-by-case basis, including profiling

You have the right not to be subject to a decision based exclusively on automated processing, including profiling, that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision

1. is necessary for concluding or fulling a contract between you and the controller,
2. is admissible due to EU law or the member state law to which the controller is subject and where this law contains appropriate measures to safeguard your rights, freedoms and legitimate interests or
3. takes place with your explicit consent.

However, these decisions may not be based on special categories of personal data according to Article 9 Para. 1 GDPR unless Article 9 Para. 2 Lit. a or g applies, and appropriate measures have been taken to protect your rights, freedoms and legitimate interests.

In the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state its own position and to challenge the decision.

10 Right to complain to a supervisory authority

Irrespective of any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the member state in which you are residing, working or suspected of violation, if you believe that the processing of personal data concerning you is contrary to the GDPR. 

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

11. Validity of this data privacy policy

We reserve to right to makes changes to these data privacy guidelines from time to time. The current version can be seen on our website. If a change significantly restricts the rights of registered users, we will notify them. Furthermore, the currently available data privacy policy is valid for our website users.