Privacy Policy
Introduction
With the following Privacy Policy, we would like to explain which types of your personal data (hereinafter also referred to as “data”) we process, for which purposes and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, as well as within external online presences such as our social media profiles (hereinafter collectively referred to as the “online offering”).
The terms used are not gender-specific.
Last updated: 2 June 2022
Table of contents
Introduction
Controller
Overview of processing
Relevant legal bases
Security measures
Transfer of personal data
Data processing in third countries
Erasure of data
Use of cookies
Business services
Provision of the online offering and web hosting
Contact and enquiry management
Web analysis, monitoring and optimisation
Online marketing
Presences on social networks (social media)
Plugins and embedded functions and content
Amendment and updating of the Privacy Policy
Rights of data subjects
Definitions
Controller
Art in Nature GmbH
Niederrheinstr. 69
41472 Neuss
Germany
Authorised representative:
Gregor Schmitz
E-mail address:
info@baumgigant.de
Imprint:
Sie sehen gerade einen Platzhalterinhalt von Standard. Um auf den eigentlichen Inhalt zuzugreifen, klicken Sie auf den Button unten. Bitte beachten Sie, dass dabei Daten an Drittanbieter weitergegeben werden.
Weitere InformationenOverview of processing
The following overview summarises the types of data processed, the purposes of their processing and the categories of data subjects.
Types of data processed
– Inventory data.
– Payment data.
– Contact data.
– Content data.
– Contract data.
– Usage data.
– Meta/communication data.
Categories of data subjects
– Prospective customers.
– Communication partners.
– Users.
– Business and contractual partners.
Purposes of processing
– Provision of contractual services and customer support.
– Handling contact requests and communication.
– Reach measurement.
– Tracking.
– Office and organisational procedures.
– Administration and response to enquiries.
– Feedback.
– Marketing.
– Profiles with user-related information.
– Provision of our online offering and user-friendliness.
– Information technology infrastructure.
Relevant legal bases
Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or registered seat. Where more specific legal bases are relevant in individual cases, we will inform you of these in this Privacy Policy.
Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) – The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation (Art. 6(1)(c) GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6(1)(f) GDPR) – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
In addition to the data protection regulations of the GDPR, national data protection provisions apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, in particular, specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated individual decision-making including profiling. It also regulates data processing for employment-related purposes (§ 26 BDSG), in particular with regard to the establishment, performance or termination of employment relationships and the consent of employees. Furthermore, data protection laws of the individual federal states may apply.
Security measures
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
Such measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input into, transfer of, securing of availability and separation of the data. Furthermore, we have implemented procedures to ensure the exercise of data subject rights, the erasure of data and responses to threats to data. We also take the protection of personal data into account when developing or selecting hardware, software and procedures, in accordance with the principle of data protection by design and by default.
SSL encryption (https): In order to protect data transmitted via our online offering, we use SSL encryption. You can recognise such encrypted connections by the prefix https:// in your browser’s address bar.
Transfer of personal data
In the course of processing personal data, it may occur that data is transferred to other entities, companies, legally independent organisational units or persons, or disclosed to them. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data processing in third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if processing is carried out in the context of the use of services of third parties or the disclosure or transfer of data to other persons, entities or companies, this is done only in accordance with the legal requirements.
Subject to your explicit consent or where transfer is necessary for contractual or legal reasons, we process or have the data processed only in third countries with a recognised level of data protection, on the basis of contractual obligations using so-called standard contractual clauses of the EU Commission, where certifications exist or where binding internal data protection rules apply (Art. 44–49 GDPR; information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Erasure of data
The data processed by us will be erased in accordance with the legal requirements as soon as consents on which processing is based are revoked or other legal permissions cease to apply (e.g. if the purpose of the processing no longer applies or the data is no longer necessary for that purpose).
If the data is not erased because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
Our data protection notices may also contain further information on the retention and erasure of data that applies in priority to the respective processing operations.
Use of cookies
Cookies are small text files or other storage markers that store information on end devices and allow information to be read from such devices. For example, they can be used to store the login status in a user account, the contents of a shopping cart in an online shop, viewed content or used functions of an online offering. Cookies can also be used for various purposes, for example to ensure the functionality, security and convenience of online offerings, as well as to prepare analyses of visitor flows.
Notes on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, unless this is not required by law. Consent is not required, in particular, when the storage and reading of information, including cookies, is strictly necessary to provide users with a telemedia service (i.e. our online offering) expressly requested by them. Revocable consent is clearly communicated to users and contains information about the respective use of cookies.
Notes on the legal bases under data protection law: The legal basis on which we process personal data of users with the help of cookies depends on whether we ask users for consent. If users give their consent, the legal basis for processing their data is the declared consent. Otherwise, data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in the economically efficient operation of our online offering and its usability) or, where this occurs in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfil our contractual obligations. We explain for which purposes cookies are processed by us over the course of this Privacy Policy or within the framework of our consent and processing procedures.
Storage period: With regard to the storage period, the following types of cookies are distinguished:
Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their end device (e.g. browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the end device has been closed. For example, the login status can be saved or preferred content can be displayed directly when the user revisits a website. Likewise, data collected by means of cookies can be used for reach measurement. Unless we provide explicit information to users about the type and storage period of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.
General notes on withdrawal and objection (opt-out): Users may withdraw any consent they have given at any time and may furthermore object to the processing in accordance with the legal requirements set out in Art. 21 GDPR. Users may also declare their objection using their browser settings.
Further notes on processing operations, procedures and services:
Processing of cookie data on the basis of consent: We use a cookie consent management procedure by which the consents of users to the use of cookies, and the processing and providers mentioned in the context of the cookie consent management procedure, are obtained, as well as managed and withdrawn by users. In this process, the declaration of consent is stored in order to avoid having to request it again and to be able to prove consent in accordance with legal obligations. Storage can take place on the server side and/or in a cookie (so-called opt-in cookie or by means of comparable technologies) in order to be able to assign the consent to a user or their device. Unless individual details are provided for the providers of cookie management services, the following notes apply: The storage duration of consent may be up to two years. A pseudonymous user identifier is created and stored together with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used.
Business services
We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as “contractual partners”), in the context of contractual or comparable legal relationships and associated measures, and in the context of communication with the contractual partners (or pre-contractually), for example in order to respond to enquiries.
We process this data in order to fulfil our contractual obligations. These include, in particular, obligations to provide the agreed services, any obligations to update and remedy warranty and other performance defects. Furthermore, we process the data to protect our rights and for the purposes of associated administrative tasks and corporate organisation. In addition, we process the data on the basis of our legitimate interests in proper and economically efficient business management, as well as in security measures to protect our contractual partners and our business operations against misuse, threats to their data, secrets, information and rights (e.g. by involving telecommunications, transport and other support services, subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). In accordance with applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfil legal obligations. We inform contractual partners about other forms of processing, for example for marketing purposes, within the framework of this Privacy Policy.
We inform contractual partners which data is required for the purposes mentioned above before or during data collection, e.g. in online forms, through specific marking (e.g. colours) or symbols (e.g. asterisks), or in person.
We erase the data after the expiry of statutory warranty and comparable obligations, generally after 4 years, unless the data is stored in a customer account, for example because it must be retained for legal reasons (e.g. for tax purposes, generally 10 years). Data that has been disclosed to us by the contractual partner in the context of an order is erased in accordance with the specifications of the order, generally after the end of the order.
Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.
Craftsman services
We process the data of our customers and clients (hereinafter collectively referred to as “customers”) in order to enable them to select, purchase or commission the chosen services or works and associated activities, as well as their payment and delivery or execution.
The required information is identified as such in the context of the order, purchase or comparable conclusion of a contract and includes the information needed for delivery and invoicing, as well as contact details in order to be able to clarify any queries.
Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. email, telephone numbers); contract data (e.g. subject matter of the contract, term, customer category).
Data subjects: prospective customers; business and contractual partners.
Purposes of processing: provision of contractual services and customer support; contact requests and communication; office and organisational procedures; administration and response to enquiries.
Legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Provision of the online offering and web hosting
In order to be able to provide our online offering in a secure and efficient manner, we make use of the services of one or more web hosting providers from whose servers (or servers they manage) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed in the context of the provision of the hosting offering may include all information relating to the users of our online offering that is generated in the course of use and communication. This regularly includes the IP address, which is necessary to deliver the content of online offerings to browsers, and all entries made within our online offering or on websites.
Types of data processed: content data (e.g. entries in online forms); usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: users (e.g. website visitors, users of online services).
Purposes of processing: provision of our online offering and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the accessed websites and files, date and time of access, transferred data volumes, messages about successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files may be used, on the one hand, for security purposes, e.g. to avoid overloading the servers (especially in the event of misuse attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilisation of the servers and their stability; legal basis: legitimate interests (Art. 6(1)(f) GDPR); erasure of data: Log file information is stored for a maximum period of 30 days and then erased or anonymised. Data whose further retention is required for evidential purposes is excluded from erasure until the respective incident has been finally clarified.
Contact and enquiry management
When contacting us (e.g. via contact form, email, telephone or via social media) and in the context of existing user and business relationships, the information provided by the enquiring persons is processed to the extent necessary to respond to contact requests and any requested measures.
Responding to contact enquiries, as well as managing contact and enquiry data in the context of contractual or pre-contractual relationships, takes place for the performance of our contractual obligations or to answer (pre-)contractual enquiries and, for the rest, on the basis of our legitimate interests in answering enquiries and maintaining user or business relationships.
Types of data processed: inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms).
Data subjects: communication partners.
Purposes of processing: contact requests and communication; provision of contractual services and customer support.
Legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR); legal obligation (Art. 6(1)(c) GDPR).
Further notes on processing operations, procedures and services:
Contact form: When users contact us via our contact form, email or other communication channels, we process the data provided to us in this context to handle the communicated request. For this purpose, we process personal data within the context of pre-contractual and contractual business relationships to the extent that this is necessary for their fulfilment and, for the rest, on the basis of our legitimate interests as well as the interests of the communication partners in responding to their requests and in accordance with our statutory retention obligations; legal bases: performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).
Web analysis, monitoring and optimisation
Web analysis (also referred to as “reach measurement”) serves to evaluate visitor flows to our online offering and may include behavioural, interest-related or demographic information about visitors, such as age or gender, stored as pseudonymous values. With the help of reach analysis we can, for example, recognise at which time our online offering, its functions or content are most frequently used or invite reuse. We can also identify which areas require optimisation.
In addition to web analysis, we may also use test procedures, for example to test and optimise different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e. data summarised in a usage process, can be created for these purposes and information can be stored in a browser or on an end device and read from it. The information collected includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system and information on times of use. If users have consented to the collection of their location data, this may also be processed.
IP addresses of users are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by abbreviation of the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored in the context of web analysis, A/B testing and optimisation, but pseudonyms only. That is, we and the providers of the software do not know the actual identity of the users, only the data stored in their profiles for the purposes of the respective procedures.
Types of data processed: usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: users (e.g. website visitors, users of online services).
Purposes of processing: reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles); tracking (e.g. interest/behaviour-based profiling, use of cookies); provision of our online offering and user-friendliness.
Security measures: IP masking (pseudonymisation of the IP address).
Legal basis: consent (Art. 6(1)(a) GDPR).
Further notes on processing operations, procedures and services:
Google Analytics: Web analysis, reach measurement and measurement of user flows; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; legal basis: consent (Art. 6(1)(a) GDPR); website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; data processing agreement: https://business.safety.google/adsprocessorterms; standard contractual clauses (ensuring data protection level for processing in third countries): https://business.safety.google/adsprocessorterms; opt-out option: opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://adssettings.google.com/authenticated; further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).
Online marketing
We process personal data for the purposes of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on potential interests of users, as well as the measurement of their effectiveness.
For these purposes, so-called user profiles may be created and stored in a file (a “cookie”) or similar procedures may be used by which the data relevant to the display of the aforementioned content is stored about the users. This data may include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information such as the browser used, the computer system and information on times of use and functions used. Where users have consented to the collection of their location data, this may also be processed.
IP addresses of users are also stored. However, we use available IP masking procedures (i.e. pseudonymisation by shortening the IP address) to protect users. As a rule, in the context of online marketing procedures, no clear data such as names or email addresses of users are stored, but pseudonyms only. That is, we and the providers of online marketing procedures do not know the actual identities of users, only the information stored in their profiles.
The information in the profiles is usually stored in cookies or by means of similar procedures. These cookies can later generally be read and analysed on other websites that use the same online marketing procedure, and supplemented with additional data, and stored on the server of the provider of the online marketing procedure.
In exceptional cases, clear data may be assigned to the profiles. This is the case, for example, if users are members of a social network whose online marketing procedures we use and the network links the profiles of the users with the aforementioned information. We kindly ask you to note that users may enter into additional agreements with the providers, e.g. by giving consent during registration.
As a rule, we only receive access to aggregated information about the success of our adverts. However, within the framework of so-called conversion measurement, we can check which of our online marketing procedures have led to a so-called conversion, i.e. for example, to the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures.
Unless otherwise stated, you can assume that cookies used are stored for a period of up to two years.
Types of data processed: usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: users (e.g. website visitors, users of online services).
Purposes of processing: reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behaviour-based profiling, use of cookies); marketing; profiles with user-related information (creation of user profiles).
Security measures: IP masking (pseudonymisation of the IP address).
Opt-out options: We refer to the data protection notices of the respective providers and the opt-out options specified there. Where no explicit opt-out option is provided, there is the option of disabling cookies in the browser settings. However, this may restrict the functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered collectively for the respective regions:
a) Europe: https://www.youronlinechoices.eu
b) Canada: https://www.youradchoices.ca/choices
c) USA: https://www.aboutads.info/choices
d) Cross-region: https://optout.aboutads.info
Presences on social networks (social media)
We maintain online presences within social networks and process data of users in this context in order to communicate with the users active there or to provide information about us.
We would like to point out that data of users may be processed outside the territory of the European Union. This may entail risks for users because, for example, the enforcement of users’ rights could be more difficult.
Furthermore, user data is generally processed within social networks for market research and advertising purposes. For example, usage profiles may be created based on user behaviour and the resulting interests of users. The usage profiles can in turn be used, for example, to place adverts inside and outside the networks that are likely to correspond to the interests of users. For these purposes, cookies are usually stored on the users’ devices, in which the user’s behaviour and interests are stored. Furthermore, data may also be stored in the usage profiles regardless of the devices used by users (especially if users are members of the respective platforms and are logged into them).
For a detailed description of the respective forms of processing and the opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we also point out that these can most effectively be asserted directly with the providers. Only the providers have access to the data of users and can take appropriate measures and provide information directly. However, if you need help, you can contact us.
Types of data processed: contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: users (e.g. website visitors, users of online services).
Purposes of processing: contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
Instagram: Social network; service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
Facebook pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called “Fanpage”). This data includes information on the types of content that users view or interact with, or the actions they take (see “Things you and others do and provide” in Facebook’s Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in Facebook’s Data Policy: https://www.facebook.com/policy). As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, called “Page Insights”, for page operators, so that they can gain insights into how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook (“Information about Page Insights”, https://www.facebook.com/legal/terms/page_controller_addendum), which sets out in particular which security measures Facebook must observe and in which Facebook has agreed to fulfil the rights of data subjects (i.e. users can, for example, send requests for information or erasure directly to Facebook). The rights of users (in particular the right of access, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information about Page Insights data”: https://www.facebook.com/legal/terms/information_about_page_insights_data; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; standard contractual clauses (ensuring an adequate level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; further information: joint controller arrangement: https://www.facebook.com/legal/terms/information_about_page_insights_data.
LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; data processing agreement: https://legal.linkedin.com/dpa; standard contractual clauses (ensuring data protection level for processing in third countries): https://legal.linkedin.com/dpa; opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Plugins and embedded functions and content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or maps (collectively referred to as “content”).
Such integration always requires that the third-party providers of this content process the IP address of the users, since without the IP address they would not be able to send the content to their browsers. The IP address is therefore required for the display of this content or functions. We endeavour to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the users’ devices and may contain, among other things, technical information on the browser and operating system, referring websites, time of visit and further information on the use of our online offering, and may also be combined with such information from other sources.
Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for the processing of data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this Privacy Policy.
Types of data processed: usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Data subjects: users (e.g. website visitors, users of online services).
Purposes of processing: provision of our online offering and user-friendliness.
Amendment and updating of the Privacy Policy
We kindly ask you to regularly inform yourself about the content of our Privacy Policy. We will adapt the Privacy Policy as soon as changes in our data processing activities make this necessary. We will inform you if such changes require your cooperation (e.g. consent) or another individual notification.
If we provide addresses and contact information of companies and organisations in this Privacy Policy, please note that addresses may change over time and please check the information before contacting them.
Rights of data subjects
As a data subject, you have various rights under the GDPR, in particular those arising from Art. 15 to 21 GDPR:
Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw consent you have given at any time.
Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where this is the case, to obtain access to such data and further information as well as a copy of the data, in accordance with legal requirements.
Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be erased without undue delay, or, alternatively, to request restriction of processing of the data in accordance with legal requirements.
Right to data portability: You have the right to receive the data concerning you which you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with legal requirements.
Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Definitions
In this section, you will find an overview of the terms used in this Privacy Policy. Many of the terms are taken from the law and are defined primarily in Art. 4 GDPR. The legal definitions are binding. The explanations below are intended primarily to aid understanding. The terms are listed in alphabetical order (in English).
Personal data: “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Profiles with user-related information: The processing of “profiles with user-related information” (or “profiles” for short) includes any form of automated processing of personal data consisting in the use of such personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information relating to demographics, behaviour and interests, such as interaction with websites and their content, etc.) – for example, interests in certain content or products, click behaviour on a website or location. Cookies and web beacons are often used for profiling purposes.
Reach measurement: Reach measurement (also referred to as web analytics) is used to evaluate visitor flows of an online offering and may include behaviour or interests of visitors in certain information, such as content on websites. With the help of reach analysis, website owners can, for example, recognise when visitors access their website and which content they are interested in. This enables them to better adapt the content of the website to the needs of visitors. For reach analysis, pseudonymous cookies and web beacons are often used to recognise returning visitors and thus obtain more precise analyses about the use of an online offering.
Tracking: “Tracking” is the term used when the behaviour of users can be traced across several online offerings. As a rule, behavioural and interest-related information regarding the used online offerings is stored in cookies or on servers of the providers of tracking technologies (so-called profiling). This information can then, for example, be used to display adverts to users that are likely to correspond to their interests.
Controller: “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.
Processing: “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data, whether it involves collection, analysis, storage, transmission or erasure.
