Data protection statement
This Data Protection Statement informs you about the type, scope, and purpose of the processing of personal data (referred to in the following in brief as “data”) on our website, and on websites, in functions, and content linked to it, as well as at external websites, e.g., our social media profile (referred to jointly in the following as “websites”). We refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR) for the meaning of the terminology, such as “personal data” or “controller,” used in this text.
Schwarzwälder Hausbrennerei GmbH
D-79219 Staufen im Breisgau
Freiburg Local Court HRB 310023
Managing Director: Philipp Schladerer-Ulmann
Tel. +49-7633-832-0 ∙ Fax +49-7633-832-88
email@example.com ∙ www.schladerer.de
Data protection officer
Types of processed data
- Basic data
- Contact information
- Content data
- Contract data
- Payment data
- Usage data
- Metadata / Communication data
Processing of special categories of data (article 9(1) gdpr)
No special categories of personal data are processed.
Categories of data subjects whose data are processed
- Customers, prospective customers, visitors and website users, business partners
In the following we refer to these data subjects collectively as “users.”
Purpose of processing
- Provision of a website and its contents and shop functions
- Provision of contracted services, service, and customer care
- Response to contact inquiries and communication with users
- Marketing, advertising, and market research
- Security measures
Last revised: September 2019
1. Explanation of terms used
1.1. “Personal data” means any information relating to an identified or identifiable natural person (referred to in the following as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.2. “Processing” means any operation or set of operations, either automated or not, which is performed on personal data or on sets of data. The term is far-reaching and covers practically any action taken using data.
1.3. “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2. Applicable legal basis
In compliance with Article 13 GDPR, we hereby inform you about the legal basis for our processing of data. If the legal basis is not referred to in the Data Protection Statement, the following applies: The legal basis for obtaining consent is Article 6(1) a) and Article 7 GDPR; the legal basis for processing which is necessary for the provision of our services and the performance of the contract as well as providing answers to inquiries is Article 6(1) b) GDPR; the legal basis for processing which is necessary for compliance with our legal obligations is Article 6(1) c) GDPR; and the legal basis for the processing which is necessary for the purposes of pursuing our legitimate interests is Article 6(1) f) GDPR. The legal basis for processing which is necessary in order to protect the vital interests of the data subject or of another natural person is Article 6(1) d) GDPR.
3. Changes to and later versions of the data protection statement
Please make sure that you re-read the contents of our data protection statement at regular intervals. We change our data protection statement as soon as any changes in the data processing which we perform makes this necessary. We will inform you as soon as any changes require action to be taken by you (e.g., consent) or any other individual notification needs to be made.
4. Security measures
4.1. In accordance with Article 32 GDPR and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of the varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia measures to ensure the confidentiality, integrity, and availability of data by controlling the physical availability of the data, access to them and the entry, disclosure, secured availability, and separation of data. We have also set up procedures which guarantee that the rights of data subjects are safeguarded, that data are erased, and responses are made to risks to data. We also incorporate the protection of personal data as soon as we begin developing or selecting hardware, software, and procedures according to the principle of data protection by design and by default (Article 25 GDPR).
4.2. Security measures include in particular the encrypted transfer of data between your browser and our server.
5. Disclosure and transmission of data
5.1. When we process data we only disclose data to other persons and companies (processors or third parties), transmit data to other persons and companies, or provide them access to the data in any other way if this is permitted by law (e.g., if transmission of data to a third party, such as a payment services provider, is necessary for the performance of a contract, within the meaning of Article 6 (1) b) GDPR), you have given your consent, this is necessary for compliance with a legal obligation, or is necessary for the purposes of our legitimate interests (e.g., when using agents, web hosts, tax, business and legal advisers, customer care, accounting, billing, and similar services which enable us to honor our contractual duties, perform our administrative tasks, and fulfill our duties efficiently and effectively, etc.).
5.2. The engagement by us of the services of third party processors under a so-called “processing” contract is lawful under Article 28 GDPR.
6. Transfer to third countries
We only process data in a third country (i.e., a country outside the European Union (EU) or the European Economic Area (EEA)) or have data processed in the course of using third-party services, making disclosures or transfer to third parties for the purpose of meeting our (pre)contractual obligations, on the basis of your consent, to comply with a legal duty, or for the purpose of our legitimate interests. Subject to legal or contractual authorization, we only process data or arrange for data to be processed in a third country if the special conditions referred to in Article 44 et seq. GDPR are met. This means that data are only processed if special guarantees are in place, such as official recognition of a level of data protection commensurate with EU levels of data protection (e.g., by the Privacy Shield for the USA ) or compliance with officially recognized special contractual obligations (“standard contractual clauses”).
7. Rights of data subjects
7.1. You have the right to obtain confirmation as to whether or not relevant personal data are being processed and to obtain access to the data and a copy of them in accordance with Article 15 GDPR.
7.2. Article 16 GDPR grants you the right to obtain the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
7.3. Under Article 17 GDPR you have the right to obtain the erasure of personal data concerning you without undue delay or, alternatively under Article 18 GDPR, to obtain restriction of processing of the data.
7.4. You have the right under Article 20 GDPR to receive the personal data concerning you, which you have provided to us and the right to request that the data are transmitted to another controller.
7.5. Under Article 77 GDPR, you also have the right to lodge a complaint with a responsible supervisory authority.
8. Cancallation right
You have the right under Article 7(3) GDPR to withdraw your consent with effect for the future.
9. Right to object
You have the right under Article 21 GDPR to object at any time to the processing of personal data concerning you in the future. Such objection can be made in particular to processing for direct marketing purposes.
10. Cookies and the right to object to direct marketing
10.1. “Cookies” are small files which are stored on the user’s computer. Cookies can be used to store different types of information. The main purpose of a cookie is to store data about a user (or about the device on which the cookie is stored) during or also after the user has visited a website. Temporary cookies, otherwise known as “session cookies” or “transient cookies,” are cookies which are erased as soon as the user leaves a website and closes his or her browser. These cookies can be used to store the contents of a shopping basket in an online shop or to store a login status. “Permanent” or “persistent cookies continue to be stored even after the browser has been closed. For instance, these can be used to store the login status when the user returns to the website several days later. These cookies can also be used to store the interests of users for range measurement or marketing purposes. “Third-party cookies” are used by providers other than the controller responsible for the website (the controller’s own cookies are referred to as “first-party cookies”).
10.2. We use temporary and persistent cookies and provide information about them in our data protection statement.
If users do not wish cookies to be stored on their computer, they are asked to disable the corresponding option in the system settings. Stored cookies can be deleted in the browser system settings. If cookies are disabled, this may restrict the functions that can be used on this website.
Edit cookie preferences
11. Erasure of data
11.1. The data which we process are erased or their processing restricted under Article 17 and 18 GDPR. Unless otherwise explicitly stated in this data protection statement, the data stored by us are erased as soon as they are no longer required for the purpose for which they have been stored and provided that they are not subject to legal retention requirements. If the data are not erased because they are required for other and legally permissible purposes, the processing of these data is restricted. This means that the data are blocked and not processed for any other purposes. This applies, e.g., to data which must be kept for commercial or tax law reasons.
11.2. Under section 257(1) German Commercial Code (HGB) in particular, data (trading books, inventories, opening balance sheets, end-of-year financial statements, commercial correspondence, accounting documents, etc.) must be stored for six years and under section 147(1) German Tax Code (AO) for ten years (accounts, records, management reports, accounting documents, commercial and business correspondence, documents relevant for tax purposes, etc.).
12. Order processing in the online shop and customer account
12.1. We process our customers’ data when processing their orders in our online shop. We do this to enable customers to choose, order, pay for, and use products and services.
12.2. Processed data includes inventory data, communication data, contract data, payment data, and data about data subjects, our customers, prospective customers, and other business partners. Data are processed in order to provide contractual services within the framework of the operation of an online shop, invoicing, delivery, and customer services. For this purpose we use session cookies to store the contents of the shopping basket and we use permanent cookies to store the login status.
12.3. Data are processed on the legal basis provided by Article 6(1) b) (performance of order transactions) and c) (legal obligation to archive data) GDPR. The information necessary for establishing and performing the contract must be provided. We only disclose data to third parties for delivery or payment purposes, or as permitted by law and our obligations to legal advisers and public authorities. The data will only be processed in third countries if this is necessary for the purpose of performing the contract (e.g., at the customer’s wish upon delivery or payment).
12.4. Alternatively, users can set up a user account in which they are able to view their orders in particular. The information which users must then provide will be notified at the time of registration. User accounts are not public and cannot be indexed by search engines. If users have closed down their user accounts, their user account data are erased unless they must be retained in order to comply with commercial or tax law (Article 6(1) c) GDPR). Data will remain in the customer account until it is erased and subsequently archived where this is required by law. Users are responsible for securing their own data if they close their accounts before the contract is terminated.
12.5. We store the IP address and the time at which the user has acted when the user registers, logs on again, and makes use of our online services. Data are stored on the basis of our legitimate interests and because the user also has an interest in data being protected against misuse or other unauthorized use. These data are not transferred onward to third parties at all unless this is necessary for the purpose of pursuing our claims or in order to comply with a legal obligation (Article 6(1) c) GDPR).
12.6. These data are erased after expiry of our statutory guarantee and other comparable obligations; the need for such data to be stored is reviewed every three years; data which are subject to statutory retention periods are erased when these periods expire (expiry of commercial (six years) and tax (ten years) mandatory retention periods); information in customer accounts will remain in storage until erasure.
13. Business analyses and market research
13.1. We analyses the data available to us on business transactions, contracts, inquiries, etc. to enable us to operate our business economically and to identify market trends and customer and user wishes. We then process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Article 6(1) f) GDPR; in this context data subjects include customers, prospective customers, business partners, and website visitors and users. Business analyses are performed for the purpose of business evaluations, marketing, and market research. When carrying out such activities we may use the profiles of registered users and information about their purchases, etc. The purpose of such analyses is to enhance user-friendliness and to optimize our offer and improve business efficiency. These analyses are used exclusively internally and are not disclosed externally, unless they are anonymous analyses which make use of summarized values.
13.2. If these analyses or the profiles relate to identifiable persons, they are erased or anonymized when the user terminates or at the latest two years from conclusion of the contract. Overall business analyses and general trends will be prepared anonymously wherever possible.
14. Contact and customer service
14.1. Whenever users make contact with us (using a contact form or by e-mail) the data they provide are used to respond to and deal with the inquiry on the legal basis provided by Article 6(1) b) GDPR.
14.2. User data may be stored in our customer relationship management system (CRM system) or a comparable inquiry organization.
14.3. We erase inquiries as soon as they are no longer necessary. We carry out checks every two years to determine whether inquiries need to be kept or can be erased; we store inquiries from customers who have a customer account indefinitely and refer for erasure purposes to the information about the customer account. Statutory archiving duties also apply.
15. Collection of access data and log files
15.1. In the pursuit of our legitimate interests under section 6(1) f) GDPR, we collect data about every page request made to the server on which this service is provided (so-called “server log files”). Page request data includes the web pages requested, file, date and time the pages were requested, volume of data transferred, notification of successful request, browser type and version, the user’s operating system, referring URL (previously visited page), IP address, and the requesting provider.
15.2. Log file information is stored for security purposes (e.g., to clarify abusive or fraudulent use) for a maximum period of seven days after which they are erased. Data which must be stored for longer as evidence are not erased until the relevant matter has been finally cleared up.
16. Online presence in social media
16.1. In pursuit of our legitimate interests under Article 6(1) f) GDPR we are active in social networks and platforms, where we communicate with and inform active customers, prospective customers, and users about our services. Every time the applicable networks and platforms are requested, the terms and conditions of business and data processing regulations of the applicable operators apply.
16.2 Unless stated otherwise in our data protection statement, we process users’ data to the extent that these users communicate with us on social networks and platforms, e.g., by posting on our websites or by sending us messages.
17. Google Analytics
17.2. Google is certified under the Privacy Shield framework which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
17.3. Google will use this information on our behalf in order to evaluate the use made of our website by users, to produce reports on activities on the website and to provide us with other services relating to the use of this website and related services. The processed data can be used to create pseudonymized user profiles.
17.4. We only use Google Analytics with activated IP anonymization. This means that Google will first truncate the IP address in Member States of the European Union or other states which are signatories to the Agreement on the European Economic Area. Only in exceptional circumstances will the full IP address be sent to and truncated on a Google server in the USA.
17.5. The IP address sent by the user’s browser is not combined with other data held by Google. Users can prevent cookies being stored by changing their browser settings; users can also prevent the data captured by the cookie relating to their use of the website being sent to or processed by Google by downloading and installing the browser plug-in from the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
17.6. More information about the way Google uses information as well as about setting options and ways to object is available on Google websites: https://www.google.com/intl/de/policies/privacy/partners ((“How Google uses information from sites or apps that use our services”), https://policies.google.com/technologies/ads (“Use of data for marketing purposes”), https://adssettings.google.com/authenticated (“Manage information used by Google to show your ads”).
18. Google remarketing services
18.1. On the basis of our legitimate interest (i.e., interest in the analysis, optimization, and economic operation of our online services within the meaning of Article 6(1) f) GDPR) we use the marketing and remarketing services (abbreviated to “Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
18.2. Google is certified under the Privacy Shield framework which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google Marketing Services permit us to place advertisements for and on our website specifically designed to only show advertisements to users which may be of interest to them. “Remarketing” refers to the display to a user of advertisements for products for which he/she may have shown interest on other websites. For these purposes, whenever our and other websites on which Google Marketing Services are active are accessed, Google directly executes a code from Google and so-called (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the website. These are used to store an individual cookie (i.e., a small file) on users’ devices. Comparable technologies can also be used instead of cookies. These cookies may be set by various domains, including by google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. This file records the websites which have been visited by users, the contents they have shown interest in, and the offers they have clicked as well as technical information about their browsers and operating system, linking websites, visit times, and other information about how the online services have been used. Users’ IP addresses are also recorded. For the purposes of Google Analytics IP addresses are truncated within Member States of the European Union or other states which are signatories to the treaty on the European Economic Area and are only sent untruncated to a Google server in the USA and truncated there in exceptional circumstances. The IP address is not combined with the user’s data within other Google offers. Google can combine the above information with information from other sources. If the user then visits other websites, advertisements which are tailored to his/her interests can then be shown.
18.4. Users’ data are processed anonymously in the framework of Google Marketing Services. This means that Google does not store and process users’ names or e-mail addresses, but processes the relevant data in relation to the cookies using anonymous user profiles. This means that, from the perspective of Google, advertisements are not managed and displayed for specific identifiable people, but for the holder of cookies regardless of who they might be. This is not the case if a user explicitly allows Google to process the data without it being pseudonymized. The information about users collected by Google Marketing Services is transmitted to Google and stored on Google’s servers in the USA.
18.5. The Google Marketing Services we use include the “Google AdWords” online advertising service. Google AdWords gives each AdWords customer a different “conversion cookie.” This means that cookies cannot be tracked via the websites of AdWords customers. The information obtained with the aid of the conversion cookie is used to produce conversion statistics for AdWords customers who have opted for conversion tracking. Adwords customers see the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive any information that personally identifies users.
18.8. We may also use the “Google Optimizer” service. Google Optimizer allows us to use “A/B Testings” to trace the impact of various changes to our website (e.g., changes in input boxes, design, etc.). Cookies are stored on users’ devices for these test purposes. Users’ data are only used in anonymous form.
18.9. We can also use the “Google Tag Manager” to integrate and manage Google analysis and marketing services in our website.
18.10. More information about the use of data for marketing purposes by Google can be found on the overview website at: https://policies.google.com/technologies/ads.
18.11. If you wish to object to interest-related advertising by Google Marketing Services, you can use the settings and opt-out options provided by Google: https://adssettings.google.com/authenticated.
19. Facebook-, Custom Audiences and Facebook Marketing Services
19.1. “Facebook-Pixel,” which is provided by the Facebook social network operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), is used on our website in pursuit of our legitimate interests in the analysis, optimization, and economic operation of our website.
19.2. Facebook is certified under the Privacy Shield framework which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
19.3. Facebook Pixel enables Facebook to identify visitors to our website as target groups for advertisements (so-called “Facebook Ads”). We therefore only use Facebook Pixel to display the Facebook Ads placed by us to users who have also shown an interest in our website or who have certain characteristics (e.g., interest in certain topics or products that are determined by the web pages visited) that we transmit to Facebook (so-called “Custom Audiences”). We also use the Facebook Pixel to ensure that our Facebook ads address the potential interest of users and do not annoy them. We can also use Facebook Pixel to understand how effective Facebook advertisements are for statistical and market research purposes by seeing whether users are sent to our website after clicking on our website (so-called “Conversion”).
19.4. Facebook processes data under Facebook’s guideline on the use of data. Accordingly, general information on the presentation of Facebook ads are provided in Facebook’s guidelines on the use of data: https://www.facebook.com/policy.php. Special information and details on Facebook Pixel and its functioning can be found in the Facebook help area: https://www.facebook.com/business/help/651294705016616.
19.5. SYou can object to the recording and use of your data by Facebook Pixel to present Facebook advertisements. You can go to the Facebook page to set the types of advertisements which will be shown to you on Facebook; follow the instructions on settings for use-based advertising provided there: https://www.facebook.com/settings?tab=ads. The settings are platform independent, i.e., they are for all devices, such as desktop computers or mobile devices.
20. Facebook Social Plugins
20.1. We use social plug-ins (“plug-ins”) from the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), in pursuit of our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our website within the meaning of Article 6(1) f) GDPR). The plug-ins can present interaction elements or contents (e.g., videos, graphics, or text) and are recognizable from the Facebook logo (white “f” on a blue tile, words “Like,” “Gefällt mir,” or a “thumbs up” symbol) or are identified by the words “Facebook Social Plugin.” A listing and images of Facebook social plug-ins can be viewed on the following website: https://developers.facebook.com/docs/plugins/.
20.2. Facebook is certified under the Privacy Shield framework which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
20.3. When a user accesses a function on this web page which includes such a plug-in, the user’s device establishes a direct link to the Facebook servers. The contents of the plug-in are sent directly by Facebook to the user’s device and integrated in the website. The processed data can be used to create user profiles. This means that we have no influence on the scope of data which Facebook collects using these plug-ins and we can therefore only inform the user to the extent to which we are informed.
20.4. When the plug-in is integrated, Facebook receives the information that a user has visited the relevant page of the website. If the user is logged into Facebook, Facebook can assign the visit to the user’s Facebook account. If users interact with the plug-ins, by for example pressing the Like button or posting a comment, this information is sent directly from the user’s device to Facebook which then stores this information. If a user is not a member of Facebook, Facebook can still find out and store the user’s IP address. According to Facebook, only one anonymized IP address is stored in Germany.
20.5. The purpose and scope of data collection and further processing and use of the data by Facebook as well as the user’s rights and settings options for the protection of the user’s privacy are detailed in the Facebook data protection statement at: https://www.facebook.com/about/privacy/.
20.6. If the user is a member of Facebook and does not want Facebook to collect data about him or her on this website and then link this data with the user’s Facebook membership data, the user must log out of Facebook and delete his or her cookies before visiting our website. Other settings and objections to the use of data for advertising purposes can be made in your Facebook profile settings: https://www.facebook.com/settings?tab=ads or at the US American website at http://www.aboutads.info/choices/ or the EU website at http://www.youronlinechoices.com/. The settings are platform independent, i.e., they are for all devices, such as desktop computers or mobile devices.
21. Communication via Post, Email, Fax or Telephone
21.1 We use distance communication, such as post, telephone, or e-mail for business transaction and marketing purposes. We process customers’, participants’, prospective customers’, and communication partners’ basic data, address, contact, and contract data for this purpose.
21.2 Data are processed on the basis of Article 6(1) a), Article 7 GDPR, Article 6(1) f) GDPR in conjunction with statutory requirements for advertising communications. Contact is only made with the addressee’s consent or to the extent permitted by law; processed data are erased as soon as they are no longer required or otherwise in response to an objection/revocation or cessation of authorization or statutory archiving duties.
22.1. The following provides information about the contents of our newsletter as well as subscription, dispatch, and statistical evaluation procedures and your rights to object. By subscribing to our newsletter you declare that you consent to its receipt and the procedures described.
22.2. Content of the newsletter: We only send newsletters, e-mails, and other electronic messages with marketing information (referred to in the following as “newsletters”) with the recipient’s consent or if permitted by law. If the contents of a newsletter are specifically described during the subscription process, these are the contents to which the user consents. Our newsletter also contains information about our products, offers, campaigns, and our company.
22.3. Double opt-in and recording: We use the so-called double opt-in procedure for subscriptions to our newsletter. This means that after you have subscribed you are sent an e-mail in which you are asked to confirm your subscription. This confirmation is necessary to ensure that nobody is able to register using other peoples’ e-mail addresses. Newsletter subscriptions are recorded as evidence that the legal requirements have been met. This includes storing the times of subscription and confirmation as well as the IP address. Changes to your data stored by the dispatch service provider are also recorded.
22.4. Dispatch service provider: The newsletter is sent by the e-mail marketing service provider “MailChimp,” a newsletter mailing platform of the US provider Rocket Science Group LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The dispatch service provider’s data privacy rules can be read here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement and as such guarantees compliance with European data protection standards (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
22.5. To the extent that we use the services of a dispatch service provider, the dispatch service provider also states that these data may also be used in anonymous form, i.e., without being assigned to a user, to optimize or improve the provider’s own services, e.g., for technical optimization of dispatch and presentation of the newsletter or for statistical purposes to determine which countries recipients are from. The dispatch service provider does not, however, use the data relating to recipients of our newsletter to contact such users itself nor does it pass on such data to third parties.
22.6. Subscription data: You can subscribe to the newsletter by simply entering your e-mail address. Alternatively, we ask you to provide your name so that we can address the newsletter to you personally.
22.7. Outcomes measurement – The newsletter includes a so-called “web-beacon,” i.e., a pixel-sized file which is retrieved by our server, or if we use the services of a dispatch service provider, this service provider’s server, when the newsletter is opened. When this file is retrieved, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, are first collected. This information is used to make technical improvements to the services on the basis of technical data or target groups and such groups’ reading behavior derived from retrieval locations (which can be determined with the help of the IP address) or access times. Statistical surveys also include determining whether the newspaper has been opened, when it was opened, and what links have been clicked. Technically this information can be assigned to individual newsletter recipients. However, it is neither our wish nor, to the extent that used, that of the dispatch service provider to observe the behavior of individual users. Instead, the evaluations are undertaken to identify our users’ reading habits and to adapt our contents to them or to send various contents which match our users’ interests.
22.8. The newsletter is dispatched and outcomes are measured with the recipient’s consent pursuant to Article 6(1) a), Article 7 GDPR, and section 7(2) no. 3 Act Against Unfair Competition (UWG) or with legal authorization under section 7(3) UWG.
22.9. The subscription procedure is recorded in accordance with our legitimate interests under Article 6(1) f) GDPR and is evidence of consent to receiving the newsletter.
22.10. Recipients may cancel our newsletter at any time, i.e., they may withdraw their consent. You will find an unsubscribe link at the end of each newsletter. This cancels any consent you may have given to outcomes measurement. Unfortunately, you cannot withdraw your consent to outcomes measurement separately, in this case the entire newsletter subscription will need to be canceled. If you unsubscribe from the newsletter, the personal data are erased, unless they have to be retained by law or their retention is legitimate, whereby in this case their processing is restricted to these exceptional purposes only. We can, in particular, store e-mail addresses taken off our list for up to three years in pursuit of our legitimate interests before we erase them for the purpose of sending the newsletter; this is to demonstrate that consent was previously given. The processing of these data is limited to the purpose of defending against lawsuits. An individual application for erasure can be made at any time provided confirmation is given of previous consent.
23. Integration of services and third-party contents
23.1. In pursuit of our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our website within the meaning of Article 6(1) f) GDPR), we use third-party content or services on our website in order to integrate such content and services, such as videos or fonts (referred to in the following as “contents”). This always depends on third-party providers of these contents being able to see users’ IP addresses as they would otherwise not be able to send the contents to their browsers. The IP address is consequently needed to display these contents. We endeavor only to use contents from providers who use the IP address solely for the purpose of delivering the contents. Third-party providers can also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags can be used to evaluate information, such as visitor traffic on pages of this website. The information, which is used with pseudonyms, can also be stored in cookies on users’ devices and include data such as technical information about browsers and operating systems, linking websites, visit times, and other information about how the website has been used; this data may be combined with information from other sources.
23.2. The following provides an overview of third-party suppliers, including contents, links to their data protection statements with further information on the processing of data, and, as already referred to in part here, ways to object (so-called opt-outs):
- If our customers use third-party payment services (e.g., PayPal or Sofortüberweisung), the terms and conditions of business and the data protection information of each third-party provider, as shown on each of the websites or in each transaction application, apply.
- Functions for the Instagram service are integrated in our website. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can link the contents of our web pages to your Instagram profile by clicking the Instagram button. This allows Instagram to assign your visit to our web pages to your user account. We draw your attention to the fact that, as website providers, we have no knowledge of the content of the data transferred in this way or how Instagram uses the data. Data Protection Statement: http://instagram.com/about/legal/privacy/.
- • Functions provided by the Twitter service or platform (referred to in the following as “Twitter”) are integrated in our website. Twitter is a service of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The functions include the presentation of our contributions on Twitter seen on our website, the link to our profile at Twitter, and the option of interacting with the contributions and functions of Twitter and of measuring whether users land on our website from adverts which we have placed on Twitter (so-called conversion measuring). Twitter is certified under the Privacy Shield framework which guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Data Protection Statement: https://twitter.com/de/privacy, opt-Out: https://twitter.com/personalization.