Data Protection
Privacy Policy
We are very pleased about your interest in our company. Data protection has a particularly high priority for the management of Handelskontor Ostrhauderfehn GmbH. The use of the website of Handelskontor Ostrhauderfehn GmbH is generally possible without providing any personal data. However, if a data subject wishes to use special services of our company via our website, the processing of personal data may become necessary. If the processing of personal data is required and there is no legal basis for such processing, we generally obtain the consent of the data subject.
The processing of personal data, for example the name, address, e-mail address or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection provisions applicable to Handelskontor Ostrhauderfehn GmbH. With this privacy policy, our company wishes to inform the public about the type, scope and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed of their rights by means of this privacy policy.
Handelskontor Ostrhauderfehn GmbH, as the controller responsible for processing, has implemented numerous technical and organisational measures to ensure the most complete protection possible of personal data processed via this website. Nevertheless, internet-based data transmissions can generally have security gaps, so absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.
1. Definitions
This privacy policy is based on the terms used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance.
a) Personal data
All information relating to an identified or identifiable natural person (“data subject”).
b) Data subject
Any identified or identifiable natural person whose personal data is processed by the controller.
c) Processing
Any operation performed on personal data, such as collection, storage, use, disclosure or deletion.
d) Restriction of processing
Marking stored personal data with the aim of limiting its future processing.
e) Profiling
Automated processing of personal data to evaluate personal aspects such as preferences or behaviour.
f) Pseudonymisation
Processing personal data so that it can no longer be attributed to a specific person without additional information.
g) Controller
The natural or legal person who decides on the purposes and means of processing personal data.
h) Processor
A natural or legal person who processes personal data on behalf of the controller.
i) Recipient
A person or body to whom personal data is disclosed.
j) Third party
Any person other than the data subject, controller, processor and persons authorised to process data.
k) Consent
Any freely given, informed and unambiguous indication of the data subject’s wishes to agree to processing.
2. Name and Address of the Controller
Controller within the meaning of the GDPR and other data protection laws is:
Handelskontor Ostrhauderfehn GmbH
Gewerbestraße Süd 4
26842 Ostrhauderfehn
Germany
Tel.: 04952 / 80 82 000
E-mail: info@handelskontor-ostrhauderfehn.de
Website: www.handelskontor-ostrhauderfehn.de
3. Name and Address of the Data Protection Officer
The Data Protection Officer of the controller is:
Martin Proch
Datenschutzbeauftragter-Papenburg.de
Pestalozzistr. 13a
26871 Papenburg
Germany
Tel.: 04961 / 836 32 36
E-mail: info@datenschutzbeauftragter-papenburg.de
Website: www.datenschutzbeauftragter-papenburg.de
Any data subject may contact our Data Protection Officer directly at any time with questions or suggestions regarding data protection.
4. Cookies
The website of Handelskontor Ostrhauderfehn GmbH uses cookies. Cookies are text files stored on a computer system via an internet browser. They enable recognition of the browser and make services more user-friendly, e.g. remembering login details or shopping cart contents. Data subjects can prevent cookies via browser settings or delete them at any time. If cookies are disabled, not all functions of the website may be fully usable.
5. Collection of General Data and Information
Each time the website is accessed, general data and information are collected and stored in server log files (e.g. browser type, operating system, referrer URL, subpages visited, date and time of access, IP address, ISP). These data are not used to identify the data subject but to ensure correct delivery of content, optimise the website, maintain system security and provide information to authorities in case of cyberattacks. Anonymous data are analysed statistically to improve data protection and security.
6. Contact via the Website
Due to legal requirements, the website contains information enabling quick electronic contact with our company, including an e-mail address. If a data subject contacts the controller by e-mail or via a contact form, the personal data transmitted are automatically stored for the purpose of processing or contacting the data subject. No disclosure of these personal data to third parties takes place.
7. Routine Erasure and Blocking of Personal Data
The controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of storage, or insofar as this is provided for by the European legislator or another competent legislator in laws or regulations to which the controller is subject.
If the purpose of storage no longer applies, or if a storage period prescribed by the European legislator or another competent legislator expires, the personal data are routinely blocked or erased in accordance with legal requirements.
8. Rights of the Data Subject
a) Right to Confirmation
Every data subject has the right granted by the European legislator to obtain confirmation from the controller as to whether personal data concerning them are being processed. If a data subject wishes to exercise this right, they may contact an employee of the controller at any time.
b) Right of Access
Every data subject has the right to obtain information from the controller, free of charge and at any time, about the personal data stored concerning them, as well as a copy of this information. The European legislator also grants access to the following details:
- The purposes of processing
- The categories of personal data processed
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, especially recipients in third countries or international organisations
- If possible, the planned duration of storage, or if not possible, the criteria used to determine this duration
- The existence of rights to rectification, erasure, restriction of processing, or objection
- The existence of a right to lodge a complaint with a supervisory authority
- If the data were not collected from the data subject: all available information about their origin
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and intended consequences of such processing
Data subjects also have the right to know whether personal data have been transferred to a third country or international organisation, and if so, to be informed of the appropriate safeguards relating to the transfer.
c) Right to Rectification
Every data subject has the right to request the immediate rectification of inaccurate personal data concerning them. They also have the right to request completion of incomplete personal data, including by means of a supplementary statement.
d) Right to Erasure (“Right to be Forgotten”)
Every data subject has the right to request the immediate erasure of personal data concerning them, provided one of the following grounds applies and processing is not required:
- The data are no longer necessary for the purposes for which they were collected or processed.
- The data subject withdraws consent and no other legal basis exists.
- The data subject objects to processing and there are no overriding legitimate grounds.
- The data have been unlawfully processed.
- Erasure is required to comply with a legal obligation under Union or Member State law.
- The data were collected in relation to services offered to children under Article 8 GDPR.
If Handelskontor Ostrhauderfehn GmbH has made personal data public and is obliged to erase them, it will take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested erasure of all links, copies or replications of those personal data.
e) Right to Restriction of Processing
Data subjects have the right to request restriction of processing if:
- The accuracy of the data is contested, for a period enabling verification.
- Processing is unlawful and the data subject opposes erasure, requesting restriction instead.
- The controller no longer needs the data, but the data subject requires them for legal claims.
- The data subject has objected to processing pending verification of overriding legitimate grounds.
f) Right to Data Portability
Data subjects have the right to receive their personal data, provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance, where processing is based on consent or contract and carried out by automated means. They also have the right to request direct transfer between controllers where technically feasible.
g) Right to Object
Data subjects have the right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them based on Article 6(1)(e) or (f) GDPR, including profiling. The controller will cease processing unless compelling legitimate grounds override the interests of the data subject, or processing is required for legal claims.
If personal data are processed for direct marketing, the data subject has the right to object at any time. If they object, the data will no longer be processed for such purposes.
Data subjects also have the right to object to processing for scientific or historical research or statistical purposes, unless necessary for a task carried out in the public interest.
h) Automated Decisions Including Profiling
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them, unless necessary for a contract, authorised by Union or Member State law, or based on explicit consent. In such cases, Handelskontor Ostrhauderfehn GmbH will implement measures to safeguard rights and freedoms, including the right to human intervention, to express a viewpoint and to contest the decision.
i) Right to Withdraw Consent
Data subjects have the right to withdraw consent to processing of personal data at any time. To exercise this right, they may contact an employee of the controller.
9. Data Protection in Applications and the Recruitment Process
The controller collects and processes the personal data of applicants for the purpose of handling the recruitment process. Processing may also take place electronically, particularly if an applicant submits application documents electronically, for example by e-mail or via a web form on the website. If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of managing the employment relationship in compliance with legal requirements. If no employment contract is concluded, the application documents will be automatically deleted two months after notification of the rejection decision, unless deletion conflicts with other legitimate interests of the controller. A legitimate interest in this sense could be, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).
10. Privacy Policy on the Use of Facebook
The controller has integrated components of the company Facebook into this website. Facebook is a social network.
A social network is an online community that generally allows users to communicate and interact with each other in a virtual space. It can serve as a platform for exchanging opinions and experiences or enable the online community to provide personal or business-related information. Facebook allows users to create private profiles, upload photos and network via friend requests.
The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject lives outside the USA or Canada, the controller responsible for processing personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Each time one of the individual pages of this website operated by the controller and containing a Facebook component (Facebook plug-in) is accessed, the internet browser on the data subject’s IT system is automatically prompted by the Facebook component to download a representation of the component from Facebook. An overview of all Facebook plug-ins can be found at https://developers.facebook.com/docs/plugins/?locale=en_GB. In this process, Facebook learns which specific subpage of our website the data subject visits.
If the data subject is logged in to Facebook at the same time, Facebook recognises with each visit to our website which specific subpage is being accessed. These data are collected by the Facebook component and assigned to the data subject’s Facebook account. If the data subject clicks on one of the integrated Facebook buttons, such as the “Like” button, or leaves a comment, Facebook assigns this information to the personal Facebook account and stores the personal data.
Facebook receives information via the component whenever the data subject visits our website while logged in to Facebook, regardless of whether they click the component or not. If such transmission of information to Facebook is not desired, the data subject can prevent this by logging out of their Facebook account before visiting our website.
The data policy published by Facebook, available at https://www.facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. It also explains the settings Facebook offers to protect the privacy of the data subject. In addition, various applications are available that allow data transmission to Facebook to be suppressed. Such applications can be used by the data subject to prevent data transfer to Facebook.
11. Privacy Policy on the Use of Google Analytics (with Anonymisation Function)
The controller has integrated the component Google Analytics (with anonymisation function) into this website. Google Analytics is a web analytics service. Web analytics involves the collection, gathering and evaluation of data about the behaviour of visitors to websites. A web analytics service collects, among other things, data about the website from which a data subject has come (referrer), which subpages are accessed, how often and for what duration they are viewed. Web analytics is primarily used to optimise a website and to carry out cost-benefit analyses of internet advertising.
The operating company of Google Analytics is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.
The controller uses the “_gat._anonymizeIp” add-on for Google Analytics. This ensures that the IP address of the data subject’s internet connection is shortened and anonymised by Google when access to our website originates from a Member State of the European Union or another contracting state of the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyse visitor flows on our website. Google uses the collected data to evaluate the use of our website, compile online reports showing website activity, and provide other services related to website usage.
Google Analytics sets a cookie on the data subject’s IT system. The cookie enables Google to analyse the use of our website. Each time a page of this website containing a Google Analytics component is accessed, the browser is prompted to transmit data to Google for online analysis. In this process, Google obtains personal data such as the IP address, which helps to trace the origin of visitors and clicks and to enable commission settlements.
Personal information such as access time, location of access and frequency of visits is stored via the cookie. Each visit to our website transmits these data, including the IP address, to Google in the USA, where they are stored. Google may pass these personal data collected through the technical process on to third parties.
The data subject can prevent the setting of cookies by adjusting their browser settings, as explained above. Such a setting would also prevent Google from setting a cookie. In addition, cookies already set by Google Analytics can be deleted at any time via the browser or other software.
The data subject can also object to the collection of data generated by Google Analytics relating to the use of this website and to the processing of these data by Google. To do so, they must download and install a browser add-on available at https://tools.google.com/dlpage/gaoptout. This add-on informs Google Analytics via JavaScript that no data about website visits may be transmitted. Installation of the add-on is considered an objection. If the IT system is later deleted, formatted or reinstalled, the add-on must be reinstalled to disable Google Analytics. If the add-on is uninstalled or deactivated, it can be reinstalled or reactivated.
Further information and Google’s applicable privacy policy can be found at https://www.google.com/policies/privacy/ and at http://www.google.com/analytics/terms/. More details about Google Analytics are available at https://www.google.com/analytics/.
12. Privacy Policy on the Use of Google+
The controller has integrated the Google+ button as a component on this website. Google+ is a social network. A social network is an online community that generally allows users to communicate and interact with each other in a virtual space. It can serve as a platform for exchanging opinions and experiences or enable the online community to provide personal or business-related information. Google+ allows users to create private profiles, upload photos and network via friend requests.
The operating company of Google+ is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.
Each time one of the individual pages of this website operated by the controller and containing a Google+ button is accessed, the internet browser on the data subject’s IT system is automatically prompted by the Google+ button to download a representation of the button from Google. In this process, Google learns which specific subpage of our website the data subject visits. More information about Google+ can be found at https://developers.google.com/+.
If the data subject is logged in to Google+ at the same time, Google recognises with each visit which specific subpage is being accessed. These data are collected by the Google+ button and assigned to the data subject’s Google+ account. If the data subject clicks on a Google+ button and gives a Google+1 recommendation, Google assigns this information to the personal Google+ account and stores the personal data. Google stores the recommendation and makes it publicly available in accordance with the conditions accepted by the data subject. Such recommendations may be displayed together with other personal data (e.g. account name, photo) in other Google services such as search results, the Google account or in advertisements. Google may also link the visit to our website with other personal data stored by Google. Google records this information to improve or optimise its services.
Google receives information via the Google+ button whenever the data subject visits our website while logged in to Google+, regardless of whether they click the button. If such transmission is not desired, the data subject can prevent it by logging out of their Google+ account before visiting our website.
Further information and Google’s applicable privacy policy can be found at https://www.google.com/policies/privacy/. Additional guidance on the Google+1 button is available at https://developers.google.com/+/web/buttons-policy.
13. Privacy Policy on the Use of Instagram
The controller has integrated components of Instagram into this website. Instagram is an audiovisual platform that enables users to share photos and videos and to distribute such data in other social networks.
The operating company of Instagram is Instagram LLC, 1 Hacker Way, Building 14 First Floor, Menlo Park, CA, USA.
Each time one of the individual pages of this website containing an Instagram component (Insta button) is accessed, the internet browser on the data subject’s IT system is automatically prompted by the Instagram component to download a representation of the component from Instagram. In this process, Instagram learns which specific subpage of our website the data subject visits.
If the data subject is logged in to Instagram at the same time, Instagram recognises with each visit which specific subpage is being accessed. These data are collected by the Instagram component and assigned to the data subject’s Instagram account. If the data subject clicks on an Instagram button, the transmitted data are assigned to the personal Instagram account and stored and processed by Instagram.
Instagram receives information via the component whenever the data subject visits our website while logged in to Instagram, regardless of whether they click the component. If such transmission is not desired, the data subject can prevent it by logging out of their Instagram account before visiting our website.
Further information and Instagram’s applicable privacy policy can be found at https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/.
14. Privacy Policy on the Use of Twitter
The controller has integrated components of Twitter into this website. Twitter is a multilingual, publicly accessible microblogging service where users can publish and distribute short messages (“tweets”) limited to 280 characters. These tweets are visible to everyone, including non-registered users, and are also shown to the followers of the user. Followers are other Twitter users who subscribe to a user’s tweets. Twitter also enables communication with a wider audience via hashtags, links or retweets.
The operating company of Twitter is Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
Each time one of the individual pages of this website containing a Twitter component (Twitter button) is accessed, the internet browser on the data subject’s IT system is automatically prompted by the Twitter component to download a representation of the button from Twitter. More information about Twitter buttons can be found at https://about.twitter.com/resources/buttons. In this process, Twitter learns which specific subpage of our website the data subject visits. The purpose of integrating the Twitter component is to allow users to share content, increase awareness of our website and boost visitor numbers.
If the data subject is logged in to Twitter at the same time, Twitter recognises with each visit which specific subpage is being accessed. These data are collected by the Twitter component and assigned to the data subject’s Twitter account. If the data subject clicks on a Twitter button, the transmitted data are assigned to the personal Twitter account and stored and processed by Twitter.
Twitter receives information via the component whenever the data subject visits our website while logged in to Twitter, regardless of whether they click the component. If such transmission is not desired, the data subject can prevent it by logging out of their Twitter account before visiting our website.
The applicable privacy policy of Twitter can be found at https://twitter.com/privacy.
15. Privacy Policy on the Use of YouTube
The controller has integrated components of YouTube into this website. YouTube is an internet video portal that allows video publishers to upload video clips free of charge and other users to view, rate and comment on them free of charge. YouTube permits the publication of all types of videos, including complete films and TV programmes, music videos, trailers or user-generated videos.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043-1351, USA.
Each time one of the individual pages of this website containing a YouTube component (YouTube video) is accessed, the internet browser on the data subject’s IT system is automatically prompted by the YouTube component to download a representation of the component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/. In this process, YouTube and Google learn which specific subpage of our website the data subject visits.
If the data subject is logged in to YouTube at the same time, YouTube recognises with each visit which specific subpage is being accessed. These data are collected by YouTube and Google and assigned to the data subject’s YouTube account.
YouTube and Google receive information via the component whenever the data subject visits our website while logged in to YouTube, regardless of whether they click the video. If such transmission is not desired, the data subject can prevent it by logging out of their YouTube account before visiting our website.
The privacy policy published by YouTube, available at https://www.google.com/policies/privacy/, provides information about the collection, processing and use of personal data by YouTube and Google.
16. Payment Method: Privacy Policy on the Use of PayPal
The controller has integrated PayPal components into this website. PayPal is an online payment service provider. Payments are processed via so-called PayPal accounts, which are virtual private or business accounts. PayPal also allows virtual payments to be processed via credit cards if a user does not hold a PayPal account. A PayPal account is managed via an e-mail address, meaning there is no traditional account number. PayPal enables online payments to third parties as well as the receipt of payments. PayPal also performs trustee functions and offers buyer protection services.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.
If the data subject selects “PayPal” as a payment option during the ordering process in our online shop, personal data are automatically transmitted to PayPal. By choosing this payment option, the data subject consents to the transmission of personal data required for payment processing.
The personal data transmitted to PayPal usually include first name, surname, address, e-mail address, IP address, telephone number, mobile phone number or other data necessary for payment processing. Data relating to the specific order are also required to fulfil the purchase contract.
The transmission of data is intended for payment processing and fraud prevention. The controller will transmit personal data to PayPal in particular if there is a legitimate interest in doing so. The personal data exchanged between PayPal and the controller may be transmitted by PayPal to credit reference agencies. This transmission is intended for identity and creditworthiness checks.
PayPal may pass personal data on to affiliated companies, service providers or subcontractors, insofar as this is necessary to fulfil contractual obligations or if the data are to be processed on behalf of PayPal.
The data subject has the option to revoke consent to the handling of personal data at any time vis-à-vis PayPal. Such revocation does not affect personal data that must be processed, used or transmitted for contractual payment processing.
The applicable privacy policy of PayPal can be accessed at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
17. Legal Basis for Processing
Article 6(1)(a) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, such as processing operations required for the delivery of goods or the provision of another service or consideration, processing is based on Article 6(1)(b) GDPR. The same applies to processing operations necessary for pre-contractual measures, for example in cases of enquiries about our products or services. If our company is subject to a legal obligation requiring the processing of personal data, such as for compliance with tax obligations, processing is based on Article 6(1)(c) GDPR. In rare cases, processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third party. Processing would then be based on Article 6(1)(d) GDPR. Finally, processing operations may be based on Article 6(1)(f) GDPR. This legal basis applies to processing operations not covered by any of the above, if processing is necessary to safeguard the legitimate interests of our company or a third party, provided the interests, fundamental rights and freedoms of the data subject do not prevail. Such processing operations are particularly permitted because they were specifically mentioned by the European legislator. Recital 47 GDPR states that a legitimate interest may be assumed if the data subject is a customer of the controller.
18. Legitimate Interests Pursued by the Controller or a Third Party
If processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest is the conduct of our business activities for the benefit of the well-being of all our employees and shareholders.
19. Duration of Storage of Personal Data
The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data are routinely deleted, provided they are no longer required for the fulfilment of a contract or the initiation of a contract.
20. Statutory or Contractual Requirements for the Provision of Personal Data; Necessity for Contract Conclusion; Obligation of the Data Subject to Provide Personal Data; Possible Consequences of Non-Provision
We inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual provisions (e.g. details of the contracting party). In some cases, it may be necessary for a contract to be concluded that a data subject provides us with personal data which must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with them. Failure to provide personal data would mean that the contract with the data subject could not be concluded. Before providing personal data, the data subject must contact one of our employees. Our employee will explain to the data subject on a case-by-case basis whether the provision of personal data is legally or contractually required, or necessary for the conclusion of a contract, whether there is an obligation to provide personal data, and what the consequences of non-provision would be.
21. Existence of Automated Decision-Making
As a responsible company, we do not use automated decision-making or profiling.
This privacy policy was generated by the Privacy Policy Generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, which acts as External Data Protection Officer Unterfranken, in cooperation with the data protection lawyers of the law firm WILDE BEUGER SOLMECKE | Rechtsanwälte.
