Name and contact of the controller under Article 4 (7) GDPR
Alter Schlachthof 51, 76131 Karlsruhe (business location)
Telephone: +49 721 619 31 200
Data Protection Officer
Name: Florijan Hamzic
Address: Alter Schlachthof 51, 76131 Karlsruhe
Security and protection of your personal data
We feel it is our foremost responsibility to guard the confidentiality of the personal data you have provided and protect them from unauthorised access. Therefore, we use the utmost care and up-to-date security standards to guarantee maximal protection of your personal data.
As a company governed by private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the regulations of the Federal Data Protection Act (BDSG). We have taken technical and organisational measures that ensure that both we and our external service providers observe data protection provisions.
The legislature demands that personal data be processed legally, in good faith, and in a manner that is transparent for the data subject (“legality, processing in good faith, transparency”). To guarantee this will occur, we wish to inform you about the individual statutory definitions used in this data privacy statement:
1. Personal data
“Personal data” means all information related to an identified or identifiable natural person (“data subject”). A natural person is deemed “identifiable” if they can be directly or indirectly identified, especially by allocating them to an identifier such as a name, ID number, location data, an online identifier, or to one or more particular characteristics which express this natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.
“Processing” means any operation executed with or without the help of automatic procedures, or any such series of operations in connection with personal data, such as collecting, recording, organising, filing, storing, adjusting or altering, reading, requesting, using, disclosing through transmission, dissemination or another form of provision, comparing or connecting, restricting, deleting or destroying such data.
3. Restriction of processing
“Restriction of processing” means marking stored personal data with the goal of restricting its processing in the future.
“Profiling” means any type of automatic processing of personal data in which those data are used to assess certain personal aspects related to a natural person, especially to analyse or predict aspects regarding their work performance, economic situation, health, personal preferences, interests, reliability, behaviour, abode or change of location.
“Pseudonymisation” means processing personal data to prevent them from being linked to a specific data subject without drawing on additional information, provided this additional information is retained separately and subject to technical and organisational measures that guarantee that the personal data cannot be allocated to an identified or identifiable natural person.
6. File system
“File system” means any structured collection of personal data which is accessible according to certain criteria, regardless of whether that collection is kept centrally or peripherally, or arranged according to functional or geographic aspects.
“Controller” means a natural person or legal entity, government agency, institution or other agency which, alone or in conjunction with others, decides on the purpose and means of processing personal data. If the purpose and means of that processing are prescribed by the law of the European Union or its member states, those laws may also prescribe who the controller must be or the specific criteria according to which the controller must be named.
“Processor” means a natural person or legal entity, government agency, institution or other agency which processes personal data on behalf of the controller.
“Recipient” means a natural person or legal entity, government agency, institution or other agency to which personal data are disclosed, regardless of whether that recipient is a third party. However, authorities who obtain personal data due to a specific investigation mandate under the law of the European Union or its member states are not deemed recipients. The authorities named process that data according to applicable data protection provisions and the purpose of the processing.
10. Third party
“Third party” means a natural person or legal entity, government agency, institution or other agency, besides the data subject, the controller, the processor and the people for whom the controller or the processor are directly responsible, who are authorised to process the personal data.
“Consent” from the data subject means any expression of intent which is voluntarily and unmistakeably given for the case at hand, in an informed manner, in the form of a declaration or other unambiguous affirming action, with which the data subject makes understood that that party agrees to the processing of the personal data concerning them.
Legality of processing
The processing of personal data is legal only if it has a legal basis. In accordance with Article 6 (1) (a–f) GDPR, the particular legal bases for processing can be:
- the data subject has consented to the processing of the personal data concerning them for one or more specific purposes;
- processing is necessary to fulfil a contract to which the data subject is party, or to execute pre-contractual measures on the data subject’s request;
- processing is necessary to fulfil a legal obligation to which the controller is subject;
- processing is necessary to protect vital interests of the data subject or another natural person;
- processing is necessary to carry out a task in the public interest or in the exercise of public authority vested in the controller;
- processing is necessary to guard the legitimate interests of the controller or a third party, unless this need is outweighed by the interests or basic rights and freedoms of the data subject which require that the personal data be protected, especially if the data subject is a child.
Information about the collection of personal data
(1) In the following, we will inform you about the collection of personal data when you use our website. Examples of personal data include name, address, email addresses and user behaviour.
(2) If you contact us through email or a contact form, we will store the data you communicate (your email address and possibly your name and telephone number) to answer your questions. We will delete the data accumulated in this context as soon as storage is no longer necessary, or processing will be restricted if statutory retention requirements exist.
Collection of personal data when you visit our website
If you are using our website only for informational purposes and thus do not register or otherwise transmit information to us, we will collect only the personal data that your browser transmits to our server. If you would like to look at our website, we will collect the following data, which are technically necessary for us to show you our website and guarantee its stability and security (legal basis is Art. 6 (1) (1) (f) GDPR):
- IP address
- Date and time of request
- Time zone difference to Greenwich Mean Time (GMT)
- Contents of the request (specific page)
- Access status / HTTP status code
- Data quantity transferred each time
- Website from which the request comes
- Operating system and its interface
- Language and version of the browser software.
(1) In addition to the aforementioned data, cookies will be stored on your computer when you use our website. Cookies are small text files which are stored on your hard drive by the browser you use and which send certain information to the party who sent the cookies. Cookies cannot execute programmes or transmit viruses to your computer. They serve only to make the internet services more user-friendly and effective as a whole.
(2) This website uses the following types of cookies, whose scope and functionality is explained in the following:
- Transient cookies are deleted automatically when you close your browser. They particularly include session cookies. These store what is known as a “session ID”, with which various requests of your browser can be allocated to the joint session. This lets us recognise your computer whenever you revisit our website. Session cookies are deleted when you log out or close your browser.
- Persistent cookies are deleted automatically after a specified period, which can differ according to the cookie. You can delete the cookies in your browser’s security settings at any time.
- You can configure your browser settings accordingly, and, for example, reject the acceptance of third-party cookies or all cookies. Cookies known as “Third-party cookies” are set by a third party—not by the actual website you are currently visiting. Please note that if you deactivate cookies you might not be able to use all this website’s functions.
- The flash cookies used are not recorded through your browser, but through your flash plug-in. Furthermore, we use HTML5 storage objects, which are placed in your end device. These objects store the necessary data regardless of which browser you use, and have no automatic expiration date. To prevent the flash cookies from being processed, you must install an appropriate add-on, such as “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash Killer Cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using your browser’s private mode. We also recommend manually deleting your cookies and your browser history periodically.
Additional functions and services of our website
(1) Besides the purely informative use of our website, we offer various services which you can use if interested. To do so, you must usually provide additional personal data which we use to render the service in question and to which the aforementioned principles of data processing apply.
(2) We will sometimes use external service providers to process your data. We have selected and commissioned them carefully. They are bound by our instructions and are supervised periodically.
(3) We may also forward your personal data to third parties if we offer services in conjunction with partners, such as special offers, sweepstakes, and contract conclusions. You can obtain additional information by providing your personal data or reading the description below the offer.
(4) If our service provider or partner is domiciled in a state outside the European Economic Area (EEA), we will include any consequences this entails in the offer description.
As a general principle, our services are geared toward adults. People under 18 may not transmit any personal data to us or issue a declaration of consent without the consent of their legal guardian.
Rights of the data subject
(1) Withdrawal of consent
If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the legality of processing that has already occurred based on your consent.
To exercise your right of withdrawal, you may contact us at any time.
(2) Right to confirmation
You may obtain from the controller confirmation about whether we are processing personal data concerning you. You may demand that confirmation at any time under the contact data specified above.
(3) Right of access
If personal data are being processed, you may at any time demand access to those data and the following information:
- the purposes of processing;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data are or will be disclosed, especially if those recipients are located in third countries or international organisations;
- if possible, the period planned for storing the personal data, or, if this is impossible, the criteria for determining that period;
- the existence of a right to rectification or erasure of the personal data concerning you, or the restriction of the processing by the controller or a right of objection against this processing;
- the right to complain to a supervisory authority;
- all available information on the origin of the data, if the personal data were not collected from the data subject;
- the existence of automated decision-making, including profiling under Art. 22 (1 and 4) GDPR and—at least in these cases—meaningful information about the logic involved, as well as the implications and sought-after effects such processing would have for the data subject.
If personal data are transmitted to a third country or an international organisation, you may be informed about adequate guarantees in accordance with Article 46 GDPR in connection with that transmission. We will provide one copy of the personal data which are the object of the processing. For all additional copies you request, we may charge a reasonable fee based on administrative costs. If you make the request electronically, the information must be provided in a commonly used electronic form unless you indicate otherwise. The right to receive a copy under paragraph 3 may not impair the rights and freedoms of other people.
(4) Right to rectification
You may also demand that incorrect personal data concerning you be corrected without undue delay. Under consideration of the purposes of the processing, you may demand that incomplete personal data be completed, including by means of a supplementary declaration.
(5) Right to erasure (“right to be forgotten”)
You may demand from the controller that the personal data concerning you be erased without undue delay, and we will be obligated to do so provided one of the following grounds applies:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- The data subject withdraws his or her consent on which the processing is based under Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal basis for the processing.
- The data subject objects to the processing under Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing under Art. 21 (2) GDPR.
- The personal data were illegally processed.
- The personal data must be deleted to fulfill a legal obligation under EU or Member State law to which the controller is subject.
- The personal data were collected in regard to information society services offered in accordance with Art. 8 (1).
If the controller has publicised the personal data and is obligated under paragraph 1 to erase those data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure (“right to be forgotten”) does not exist if the processing is necessary:
- to exercise the right to information and freedom of expression;
- to fulfil a legal obligation which requires the processing under EU or Member State law to which the controller is subject, or to carry out a task in the public interest or in the exercise of public authority vested in the controller;
- for reasons of public interest in the area of public health under Article 9 (2) (h and i) and Article 9 (3) GDPR;
- for science or historical research, archiving which lies in the public interest, or statistical purposes under Art. 89 (1) GDPR, insofar as the right mentioned in paragraph 1 is expected to prevent or seriously impair the realisation of this processing’s objectives, or to establish, exercise or defend against legal claims.
(6) Right to restriction of processing
You have the right to demand that we restrict the processing of your personal data if one of the following conditions is met:
- if the data subject disputes that the personal data is correct, for a duration which enables the controller to check its correctness,
- the processing is incorrect and the data subject waives their right to have the personal data erased, instead demanding that the data’s use be restricted;
- the controller of the personal data no longer needs them for the purposes of their processing, but the data subject needs them to assert, exercise or defend against legal claims, or
- the data subject has filed an objection against the processing under Article 21(1) GDPR, provided it has not yet been established whether the legitimate reasons of the controller outweigh those of the data subject.
If the processing has been restricted, these personal data—regardless of their storage—may be processed only (1) with the data subject’s consent, (2) to establish, exercise or defend against legal claims, (3) to protect the rights of another natural person or legal entity, or (4) for reasons of an important public interest of the EU or a member state.
To exercise their right to restriction of processing, the data subject may contact us at any time using the contact data given above.
(7) Right to data portability
You have the right to receive these personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit these data to another controller without hindrance from the controller to which the personal data were provided, as long as:
- the processing is based on consent under Article 6(1)(a) or Article 9(2)(a) or on a contract under Article 6(1)(b) GDPR and
- the processing occurs with the help of automated procedures.
In exercising this right of data portability under paragraph 1, you may also have the personal data transmitted directly from one controller to another, insofar as this is technically feasible. Exercising the right to data portability does not affect the right to erasure (“right to be forgotten”). This right does not apply to processing which is necessary to carry out a task in the public interest or in the exercise of public authority vested in the controller.
(8) Right to object
You have the right to object at any time, for reasons arising from your particular situation, to personal data concerning you being processed based on Article 6 (1) (e or f) GDPR. This also applies to profiling based on these provisions. The controller will no longer process the personal data unless that party can prove compulsory reasons for doing so that are worth protecting, which outweigh the data subject’s interests, rights and freedoms, or the processing helps to establish, exercise or defend against legal claims.
If the personal data are processed for direct marketing purposes, you may object to that processing at any time. This also applies to any profiling connected to such direct marketing. If you object to having personal data processed for direct marketing purposes, this processing will be discontinued.
In connection with the use of information society services, you may exercise your right to object using an automatic procedure in which technical specifications are used (regardless of Directive 2002/58/EC).
You have the right, for reasons arising from your particular situation, to object to the processing of the personal data concerning you, which occurs for scientific or historical research purposes or for statistical purposes under Article 89 (1), unless that processing is necessary for a task in the public interest.
You may always contact the controller in question to exercise your right to object.
(9) Automatic decision-making in individual cases, including profiling
You have the right not to be subject to a decision based exclusively on automated processing—including profiling—which legally affects or otherwise significantly impairs you. This does not apply if that decision:
- is necessary to conclude or fulfil a contract between the data subject and the controller,
- is permitted under EU or member state law to which the controller is subject and which stipulates reasonable measures for guarding the data subject’s rights, freedoms and legitimate interests, or
- with the express consent of the data subject.
The controller shall take reasonable measures to guard the data subject’s rights, freedoms and legitimate interests, which must include at least the right to obtain human intervention on the part of the controller, to present the data subject’s own point of view, and to contest the decision.
The data subject may always exercise their right to object by contacting the controller in question.
(10) Right to complain to a supervisory authority
If the data subject believes that the processing of the personal data concerning them breaches the GDPR, they have the right to complain to a supervisory authority—especially in the member state of the data subject’s abode, workplace, or the place of the suspected breach—without prejudice to other administrative rights or judicial remedies.
(11) Right to effective legal remedy
Without prejudice to any available administrative right or judicial remedy, including the right to complain to a supervisory authority under Article 77 GDPR, the data subject has the right to an effective legal remedy if the data subject believes that the rights to which they are entitled under this directive have been breached because the processing of their personal data failed to comply with this directive.
Use of Google Analytics
(2) The IP address transmitted by your browser as part of Google Analytics will not be pooled with other Google data.
(3) You can prevent the cookies from being stored by adjusting your browser settings accordingly, but we must point out that if you do, you might not be able to use all this website’s functions to their full extent. You can also prevent Google from recording and processing the data generated by the cookie which relate to your use of the website (including your IP address) by downloading and installing the browser plug-in available under the following link. http://tools.google.com/dlpage/gaoptout?hl=de.
(4) This website uses Google Analytics with the extension “anonymizeIP”. This means that IP addresses will be further processed in truncated form, thus ruling out any direct connection to a specific person. If the collected data which concern you gain a personal reference, this will be ruled out immediately and the personal data will be erased without undue delay.
(5) We use Google Analytics to analyse the use of our website and improve it periodically. We can use the statistics we gain to improve our services and make them more interesting for you as a user. For the exceptional cases in which personal data is transmitted to the USA, Google participates in the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for using Google Analytics is Art. 6 (1) sentence 1 f GDPR.
(6) Information of the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.
Overview of data privacy:
as well as the Data Privacy Statement:
(7) This website also uses Google Analytics for a cross-device analysis of the influx of visitors, which is performed via a user ID. You can deactivate the cross-device analysis of your usage by going to your customer account under “My Data” > “Personal Data”.
We use external service providers (processors) for such tasks as sending goods and newsletters or handling payments. A separate contract for commissioned data processing is concluded with the service provider to guarantee your personal data will be protected.