2. Data collection when you visit our website
When you use our website for purely informational purposes, without registration or transmission of other information, we only collect so-called “server logfiles”, i.e. the data that your browser sends to our server. In general, this is only the data that is technically required to display the content of the website: date and time of the access, reference to how you reached our website, browser used, operating system and IP address.
Processing is done in accordance with Article 6(1)(f) GDPR based on our legitimate interests in improving the functionality and stability of our website. There is no further use or transfer of data. We only reserve the right to subsequently check the server logfiles if there is specific evidence of possible unlawful use.
Please see our detailed Guidelines on Cookies for an explanation of data collection through the use of cookie.
4. Making contact
Personal data is collected when you contact us (e.g. by contact form or e-mail). The respective contact form indicates which personal data is collected via the contact form. The sole purpose of this data is to process your request or make contact, and it is only stored and used for these purposes and the related technical administration, based on Article 6(1)(f) GDPR. If you contact us with the intention of concluding a contract, your data is processed as a pre-contractual measure under Article 6(1)(b) GDPR. After your inquiry has been fully processed, your data is erased, if it is clear that the relevant matter has been fully clarified and no statutory retention obligation prevents erasure.
5. Data processing to open a customer account and implement a contract
When we are provided with personal data to implement a contract or open a customer account, it will continue to be collected and processed in accordance with Article 6(1)(b) GDPR. The respective form indicates which data is collected. The customer account can be deleted at any time if you send notice to the aforementioned address of the controller. The data you provide is stored and used for contract implementation. After deletion of the customer account or full implementation of the contract, your data will be blocked for the retention periods required by tax and commercial law and then erased after the expiration of the aforementioned periods, unless you expressly consent to further use of the data or we have retained the right to use the data as permitted by law. We provide you with details relating to the latter case below.
6. Comments function
Under the comments function of this website, the comments, information about the times the comments were created, and the given names of the commentators are stored and published on this website. Your IP address is also logged and stored in the course of this. The latter is only done as a precautionary measure in case the rights of third parties are violated by a comment or unlawful content is published. For this reason, we need your e-mail address if you use the comments function in case a third party complains that your published content is unlawful. The legal basis for this is Article 6(1)(b) GDPR. We reserve the right to delete comments alleged to be unlawful.
7. Transfer of data to service providers (processors)
The complexity of today’s data processing processes is the reason we utilise service providers to process your data. Many of these service providers are located outside the territory of the European Union or the European Economic Area. However, in all cases when service providers are used, we ensure that the European level of data protection is provided, and the European data security standard is followed. Please contact the person referred to above if you wish additional information, such as how and to what extent we process your data or transfer your data to service providers in your specific business case and what protection guaranties we have obtained.
8. Transfer of data to supervisory authorities and courts and other third parties
Our company is subject to numerous provisions of law. We may have to disclose the personal data of our customers to government authorities or courts in response to their inquiries. We only comply with such inquiries if we are required to do so by law. In all these cases, we always ensure that the law is followed and therefore your data is protected.
9. Use of data for direct advertising
9.1. Registration for the newsletter
When you register for our e-mail newsletter, we regularly send you information about our offerings via e-mail. To send you the newsletter, we only require your e-mail address. The provision of any other data is voluntary. The so-called double opt-in procedure is used to send the newsletter. After you register, we send you a confirmation e-mail, with the request for you to confirm you want to receive the newsletter from us in the future by clicking on a certain link. This procedure is to ensure that it is actually you who registered with us.
By activating the confirmation link, you give us your consent to use your personal data in accordance with Article 6(1)(a) GDPR. When you register for the newsletter, we store your IP address recorded by your Internet Service Provider (ISP) and the date and time of the registration so that, if your e-mail address is misused, we can trace this as a later time. The data we collect when you register for the newsletter is solely used for purposes of advertising through the newsletter. You can cancel your subscription to the newsletter at any time using the link in the newsletter provided for this purpose or by sending an appropriate message to the controller referred to above. After receiving your request, we will promptly delete your e-mail address from our newsletter distribution list, unless you have expressly permitted further use or your data or we have reserved the legal right to use the data, about which we will inform you below.
9.2. Newsletters sent via Newsletter2Go
Our e-mail newsletter is sent out by the service provider Newsletter2Go GmbH, Köpenicker Str. 126, 10179 Berlin, Germany (https://www.newsletter2go.at), to which we send the data you provided to us in the course of newsletter registration. This data transfer is made in accordance with Article 6(1)(f) GDPR and serves our legitimate interest in the use of a secure and user-friendly newsletter system, which does effective advertising.
Newsletter2Go uses this information to send and statistically analyse the newsletter on our behalf. For purposes of analysis, the e-mails sent contain so-called “web beacons” or “tracking pixels”, which are one-pixel image files that are stored on our website. In this way, it can be determined whether a newsletter message was opened, and which links may have been clicked on. In addition, technical information is collected (such as the time of access, IP address, browser type and operating system). The data is only collected in pseudonymised form and is not linked to additional personal data related to you. This data is only used for the statistical analysis of newsletter campaigns, and their results can be used to make user-specific adjustments to newsletters.
You must cancel the newsletter subscription to object to the analysis of data for statistical purposes.
Moreover, in accordance with Article 6(1)(f) GDPR, Newsletter2Go itself can use this data based on its own legitimate interests in structuring itself to meet the needs of customers and optimising services and for market research purposes. However, Newsletter2Go does not use the data regarding our newsletter recipients to contact them in its own name or to pass the data to third parties.
The data protection policies of Newsletter2Go can be viewed under the following link: Datenschutz.
10. Data processing for order processing
We collaborate with the following service providers to process your order. Certain personal data is sent to these service providers in accordance with the following information. In the course of contract implementation, the personal data we collected is passed on to the transport company hired by us to the extent that this is necessary to deliver the goods. To the extent that payment services providers are used, your payment data is provided to the credit institution that has been hired, to the extent necessary. The legal basis for the aforementioned transfer of data is Article 6(1)(b) GDPR.
10.2. Payment services providers
With payment via PayPal, credit card payment via PayPal, direct debit via PayPal or – if offered – “purchase on account” or “instalment payment” via PayPal, we forward your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as “PayPal”) for purposes of payment processing. The transfer is made in accordance with Article 6(1)(b) GDPR and only to the extent necessary for payment processing.
You can object to the processing of your data at any time by sending a message to PayPal. PayPal may still be entitled to process your personal data if this is necessary to process payments in accordance with the contract.
If you select the “SOFORT” payment method, your payments will be processed using the payment services provider SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany (hereinafter referred to as “SOFORT”). As part of the ordering process, we will send SOFORT the information you have provided and the information regarding your order in accordance with Article 6(1)(b) GDPR. Sofort GmbH is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden). Your data is transferred solely for the purpose of payment processing by the payment services provider SOFORT and only to the extent necessary. You can obtain additional information regarding the data protection policies of SOFORT at the following Internet address: Datenschutz
11. Rights of data subjects
The applicable data protection law grants you the extensive rights of data subjects vis-a-vis the controller with respect to the processing of your personal data. You will find information about these rights below:
- Right of access to your own personal data in accordance with Article 15 GDPR: In particular, you have the right to information regarding the personal data concerning you that is being processed by us, the purposes of the processing, the categories of personal data being processed, the recipients or categories of recipients to whom your data is or was disclosed, the planned period for which your data will be stored or the criteria for the determining the length of storage, the existence of rights to rectification, erasure, restriction of processing, objection against the processing, lodging a complaint with a supervisory authority, the right to know the source of your data if we did not collect it from you, the existence of automated decision-making, including profiling, and, if necessary, meaningful information about the logic involved and the significance for you and the envisaged consequences of such processing. Moreover, you have a right to be informed of the safeguards under Article 46 GDPR that exist if your data is transferred to third countries (e.g. the USA);
- Right to rectification under Article 16 GDPR: You have the right to prompt rectification of inaccurate data concerning you and/or completion of incomplete data stored by us;
- Right to erasure under Article 17 GDPR: You have the right to demand erasure of your personal data if the requirements of Article 17(1) GDPR are met. However, this right does not apply if processing is necessary to exercise the rights of free expression and information, to comply with a legal obligation, for reasons of public interest or to establish, exercise or defend against legal claims;
- Right to the restriction of processing under Article 18 GDPR: You have the right to demand restriction of the processing of your personal data for as long as the accuracy of the data, contested by you, is being checked, if you oppose the erasure of your data due to impermissible data processing and instead demand restriction of the processing of your data, if you need your data to establish, exercise or defend against legal claims, but we no longer need this data since its purpose has been achieved or if you have lodged an objection for reasons arising from your special situation and it has not been determined whether our legitimate interests are overriding;
- Right to be informed under Article 19 GDPR: If you have asserted your right to rectification, erasure or restriction of the processing against the controller, the latter is obliged to notify all recipients to whom the personal data concerning you was disclosed of this rectification or erasure of data or restriction of processing, unless this is impossible or would involve a disproportionate effort. You have the right to be informed of these recipients.
- Right to data portability under Article 20 GDPR: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller, insofar as this is technically feasible;
- Right to withdraw consents that have been given under Article 7(3) GDPR: You have the right to withdraw any consent of yours to the processing of data at any time with effect for the future. If you withdraw your consent, we will promptly erase the relevant data, unless further processing can be based on a legal ground that does not require your consent. The withdrawal of consent does not affect the lawfulness of processing carried out based on your consent until it was withdrawn;
- Right to object in accordance with Article 21 GDPR: Even if data concerning you is accurate and complete and we are lawfully processing it, you can object to the processing of this data in special exceptional cases, which must be justified by you. You are entitled to this right to object under the requirements of Article 21 GDPR, i.e. primarily with respect to data processing occurring in our legitimate interest. Likewise, you can object if you receive direct advertising from us and do not wish to receive this advertising in the future.
- Right to lodge a complaint under Article 77 GDPR: If you believe that the processing of personal data concerning you violates the provisions of data protection law, you have the right – irrespective of any other legal remedies under administrative or judicial law – to file a complaint with a supervisory authority, particularly in the Member State where you have your habitual place of residence or place of work or at the place of the alleged violation.
Duration of the storage of personal data
The duration of the storage of personal data is measured by the respective statutory retention period, if any (e.g. retention periods under commercial and tax laws). The relevant data is routinely erased after the expiration of the respective period, unless it is needed for contract fulfilment or contract initiation and/or unless we have a legitimate interest in continuing to store the data.