English template: Data Privacy Policy

of ...................... (enter the website provider, e.g. Rotkäppchen-Mumm Sektkellereien GmbH)

Status ...................... (enter xx.xy.202x = go-live date of the new version/update with Usercentrics)

This website is operated by

...................... (enter the website provider, e.g. Rotkäppchen-Mumm Sektkellereien GmbH)

In the following, we inform you about the gathering of personal data during the use of this website. Personal data is all data that can be attributed to you personally, thus, e.g. name, address, email address, and user behaviour.

Your data are gathered, processed and used in accordance with the provisions of the German Telemedia Act (“TMG”) and data protection law, in particular the Federal Data Protection Act (“BDSG”) and the General Data Protection Regulation (“GDPR”). In this Data Privacy Policy, we inform you, as the data subject pursuant to Art. 13 GDPR, about the gathering of personal data and our website.

1. Gathering of Personal Data During Use for Information 

(1) If the website is used merely for the purposes of information, meaning if you do not sign in, register or otherwise transfer information to us for the use of the website, we do not gather personal data, except for the data that is transmitted by your browser. The purpose of this data gathering is to enable you to visit the website and ensure the functionality of the website. Moreover, the data serves for the optimisation of the website and for ensuring the security of our information technology systems. This data includes:

  • IP address
  • Date and time of the retrieval
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the retrieval (concrete page)
  • Access status/HTTP status code
  • Respectively transferred data volume
  • Referrer website
  • Browser
  • Operating system and its interface
  • Language and version of the browser software

(2) In addition, when the website is used, cookies, web beacons and/or pixel (or comparable functions for the transmission of event data) will be stored on your computer if this is required for technical purposes or you have consented to the storing. Cookies are small text files that are stored on your hard drive as attributed to the browser you use and by means of which the people setting the cookie (we in this case) receive certain information. A cookie typically contains the name of the domain from which the cookie originates, the “lifetime” of the cookie and a value, which is regularly a randomly generated unique number. Cookies cannot execute any programs or infect your computer with viruses. The purpose of the use is to make our website overall more user friendly and more effective. Some elements on our webpage require that the retrieving browser can also be identified after switching pages.

(3) We use a solution of Usercentrics GmbH for the management of cookies and your consent to them. Within the scope of commissioned data processing, personal data (consent data) will therefore be transmitted to Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich, as the data processor. We understand consent data to mean the following data: date and time of the visit or consent/rejection, device information. The data is processed for the purpose of compliance with legal obligations (duty to present evidence according to Art. 7 (1) GDPR) and the related documentation of consents and therefore on the basis of Art. 6 (1) lit. c) GDPR. Local storage is used for storing the data. The consent data will be stored for 3 years. The data will be stored within the European Union. You can find more information regarding the gathered data and contact details at https://usercentrics.com/privacy-policy/. Details on the cookies used and the possibility to consent to the use of cookies can be found in the Consent settings.

(4) This stored information will be separated from any other data possibly disclosed to us. In particular, the data of cookies will not be linked with your other data if such data is transmitted by you.

2. Gathering of Personal Data During Personalised Use

(1) Besides the purely informational use of our website, we offer various services that you can use if interested. For this, you usually have to enter additional personal data, which we will use for the performance of the respective service. If additional voluntary information can be provided, this is marked accordingly. We will gather, process and use only the personal data, which is required for your use of the website and/or the performance of a contract concluded with us or data that you have provided yourself. This is, in particular, the following inventory data and usage data, which may be transmitted via forms on our website:

  • Name (consisting of salutation, title, first name, last name and gender)
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Registration and login data of the user

(2) Inventory data and usage data will be used by us to establish a contractual relationship with you, if applicable, and to arrange it substantively, change or terminate it in order to fulfil our contractual obligations, enable the user’s login on the website and contact you if you have so requested or if this is required or permitted under the law within the scope of the contractual relationship.

(3) The personal data is stored and processed within the European Union, except for the data gathered by the third-party providers named below.

3. Deletion Periods

(1) Unless described otherwise in this Data Privacy Policy, we will store your data only for as long as this is required for the purposes for which it has been gathered or as necessary, unless legal retention periods require longer storage. Thus, your personal data will be deleted after the processing of your request, unless agreed otherwise or prescribed otherwise by law.

(2) Inventory data will be deleted two years after termination of the contractual relationship toward the end of the calendar year, unless a longer storage period is required and legally permissible.

4. Statistical Anonymous Analysis of the Usage Data

Unless you object to it, we are permitted to create user profiles under pseudonyms for the purpose of marketing, market research or the design of the website appropriate to need. In particular, we analyse the usage data in anonymous form for statistical purposes in order to design the website as appropriate to need. You can object to this use of your personal data by notifying us.

5. Email Newsletter ...................... (state yes or no: this section can be omitted if no newsletter is offered)

(1) If you have given your separate consent thereto, we may send you information by email about the use of the website and general customer and product information (newsletter). The advertised merchandise and services are named in the consent declaration. Your consent will be logged by storing the time of the subscription and confirmation and you can call up the content of the consent as well as this note at any time. You may revoke your consent at any time with effect for the future by notifying us (e.g. by email or via the link for unsubscribing from the newsletter, which you can find in each newsletter email). The right to object can be exercised in particular with regard to the processing for the purposes of direct marketing. Your data for the mailing of the newsletter will be deleted within 3 months after the termination of the newsletter receipt, provided that no statutory retention obligations oppose the deletion.

(2) For the mailing of the newsletter, we use products of the company

...................... (please check whether CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede or another company is responsible)

CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede and we therefore transfer your data to this provider as required for the mailing.

(3) Please be informed that we analyse your user behaviour by mailing the newsletter and we personalise the content of the newsletter. By subscribing to the newsletter, you grant your consent that we may analyse your actions of clicking in and opening of the newsletter to facilitate an optimal offer of our newsletter mailing. For this analysis, the mailed emails contain so-called tracking pixels, which comprise one-pixel image files that are stored on our website. The information will be stored for as long as you subscribe to the newsletter. Subject to an explicit consent by the users, the newsletter and performance measurement will be analysed on the basis of our legitimate interests for the purposes of using a user-friendly and secure newsletter system that not only serves our business interests but also meets our users’ expectations. A separate revocation of the performance measurement is not possible, unfortunately. To revoke the performance measurement, the user must either cancel or object to the complete newsletter subscription.

6. External Contents

We might have integrated the contents of third parties (e.g. videos or pixel) in our online offer. You can find details about this here in the Consent settings.

7. Subcontractors and Recipients of Personal Data

(In the following section, the partners with whom a data processing agreement exists must be listed, i.e. the service providers and agencies that have access to the personal data.)

In the context of the processing of personal data, we hire subcontractors and conclude agreements with these commissioned data processors in accordance with the requirements of Art. 28 GDPR.

(1) For the hosting of the website

...................... (please check whether DFAU GmbH, Gustav-Weißkopf-Str. 5, 90768 Fürth is used here or another company)

is used as a subcontractor.

(2) For the monitoring of our general email addresses, we use the company

...................... (please check whether KiKxxl GmbH, Mindener Str. 127, 49084 Osnabrück is used here or another company. If no company is used here, this passage is omitted.)

as commissioned data processor.

(3) For the administration of consent data, we use Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich as commissioned data processor.

(4) For the mailing of the newsletter, we use the company

...................... (please check whether CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede is used here or another company. If no company is named, we assume that no newsletter is sent and the passage is omitted.)

as commissioned data processor.

(Please check whether, in addition to the subcontractors named above that have contact with personal data, further partners, agencies or service providers need to be named. These are then to be listed below following the same principle as above.)

(5) ......................

(6) ......................

(7) ......................

8. Protection of personal data

We take technical and organisational measures according to the requirements of Art. 32 GDPR for the protection of the users’ personal data. All of our employees entrusted with the processing of personal data are obligated to observe data secrecy. The user’s personal data will be encrypted by means of HTTPS in the transmission to the website.

9. Legal Bases

In accordance with Art. 13 GDPR, we inform you of the legal bases for our data processing.

  • Insofar as we obtain a declaration of consent from the data subject for the processing of personal data, Art. 6 (1) lit. a) GDPR serves as the legal basis. You can manage your consents at any time here: Consent settings
  • For the processing of personal data that is required for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b) GDPR serves as the legal basis. This also applies to processing that is required to conduct pre-contractual measures.
  • Where processing of personal data is required for the fulfilment of a legal obligation that applies to our company, Art. 6 (1) lit. c) GDPR serves as the legal basis.
  • The legal basis for the temporary storing of the data and logfiles is Art. 6 (1) lit. f) GDPR.
  • The legal basis for the processing of personal data by means of technically necessary cookies is Art. 6 (1) lit. f) GDPR. The legal basis for the processing of personal data by means of cookies for analysis purposes is Art. 6 (1) lit. f) GDPR.
  • ...................... (newsletter yes or no: the following passage can be omitted if no newsletter is offered) After you have subscribed to our newsletter, we will store your email address for the purpose of mailing you the newsletter. The legal basis is Art. 6 (1) sent. 1, lit. a) GDPR.

  • If the processing serves to protect a legitimate interest of our company or of a third party and if the interests, civil rights and fundamental freedoms of the data subject do not override the interest mentioned first, Art. 6 (1) lit. f) GDPR serves as the legal basis for the processing.

If the processing of data is not required for the provision of the functionalities of the website but serves the security of the website or our business interests (e.g. gathering of data for the purposes of optimising the website or for security purposes), it takes place on the basis of our legitimate interests according to Art. 6 (1) lit. f) GDPR.

 

10. No Automated Decision-Making/No Profiling

We do not operate automated decision-making or profiling.

 

11. Rights of data subjects

The user and other data subjects are entitled to the following rights with regard to their personal data:

  • Right to receive confirmation of the personal data concerned (Art. 15 GDPR)
  • Right to correction (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restrict the processing (Art. 18 GDPR)
  • Right to object to the processing if the data processing takes place on the basis of Art. 6 (1) lit. e) or lit. f) GDPR (Art. 21 GDPR); in this regard, please also see the notes below regarding the right to object pursuant to Art. 21 GDPR
  • Right of data portability (Art. 20 GDPR)
  • Right to revoke a granted consent at any time, without affecting the legitimacy of the processing that has taken place up until the revocation, if the data processing is based on a consent pursuant to Art. 6 (1) lit. a) or Art. 9 (2) lit. a) GDPR.

You furthermore have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data (Art. 77 GDPR).

12. Instruction On the Right to Object Pursuant to Art. 21 GDPR

A. Right to object based on the specific situation

You have the right to object to the processing of personal data relating to you at any time for reasons arising from your specific situation on the basis of Art. 6 (1) lit. e) (public safety) or lit. f) (data processing based on an assessment of interests) GDPR. This also applies to profiling based on these provisions. We will then cease the processing of your personal data, unless we can prove compelling reasons for the processing that qualify for protection and override your interests, rights and freedoms, or if the processing serves the purpose of filing, enforcing or defending against legal claims.

B. Right to object to direct marketing

If we process personal data relating to you to operate direct marketing, you have the right to object at any time to the processing of the personal data relating to you for the purpose of such marketing; this also applies to profiling if it is connected to such direct marketing. If you object to the processing for the purposes of direct marketing, the personal data will no longer be processed for these purposes.

C. Exercise of the right to object

The right to object can be exercised formlessly, for example, by sending a letter to

...................... (enter the website provider with address here)

or email to

...................... (enter the email address here)

13. Service Providers/ Data Controller/ Contact Details/ Objection/ Revocation of a Consent

Service provider according to Sec. 13 TMG and data controller in the definition of the GDPR, other data protection laws applicable in the Member States of the European Union and other provisions of a nature similar to data protection regulations is:

...................... (enter the website provider with address here. Please do not state a phone or fax number.)

...................... (enter the email address here)

Please direct all requests for information, correction and deletion, objections or revocations of a consent, assertion of the right to restrict the processing or the right of data portability, and comments or questions of the user relating to data protection to this address.

 

14. Data Protection Officer

You can reach our Data Protection Officer at

datenschutzbeauftragter(at)rotkaeppchen-mumm.de (adjust if necessary)

or at our postal address with the addition “The Data Protection Officer.”

 

15. Data Protection Supervisory Authority and Right to Lodge Complaint

The data protection supervisory authority competent for us is:

The State Data Protection Officer of Hesse, Gustav-Stresemann-Ring 1, 65189 Wiesbaden
Phone: 0611/1408-0, fax 0611/1408-900 or -901, email: poststelle(at)datenschutz.hessen.de.

Note: For companies of the group, the Hessian supervisory authority is always competent, regardless of the registered office of the respective company.

16. Update of this Data Privacy Policy

It is necessary from time to time to adjust the content of this Data Privacy Policy. We therefore reserve the right to change this Data Privacy Policy at any time. We will send the modified version of the Data Privacy Policy to registered users before it takes effect and publish it in the same place as this Data Privacy Policy.


List of the tracking/tagging services used

For the technical implementation of Usercentrics, please also list the services currently in use on the website (tracking & tagging with the respective ID/pixel…).

 

On the site

...................... (enter the domain)

the tracking and tagging services listed below are in use as of

...................... (date: xx.xy.xxxx):

1. GA Property ID

...................... (enter the UA-xxxxxxxx-xx ID. If no GA property exists yet, please request one via support@dfau.de, stating: 1. domain; 2. business unit; 3. email addresses/Google accounts that should be given access to GA.)

2. GTM

...................... (yes/no)

3. YouTube

...................... (yes/no)

4. Facebook/Instagram

...................... (yes/no)

5. Flockler (social media wall for websites)

...................... (yes/no)

6. Spotify

...................... (yes/no)

7. Adform

...................... (yes/no)

8. Other ad servers

...................... (yes/no)

9. Further services or tracking services

...................... (yes/no)