Name/co.: phaeno gGmbH
Street, house no.: Willy-Brandt-Platz 1
Postal code, city, country: DE-38440 Wolfsburg, Germany
Commercial register/no.: HRB 100986
Chief Executive: Michel Junge
Phone number: +49 (0)5361 890100
E-mail address: firstname.lastname@example.org
Data Protection Officer:
Name: Svenja Hohnstock
Company: Hohnstock GmbH
Street, house no.: Borsigstraße 12
Postal code, city: DE-38446 Wolfsburg
E-mail address: email@example.com
Types of data processed:
- Inventory data
- Contact data
- Contract data
- Payment data
- Usage data (e.g. web pages visited, interest in content, access times)
- Meta/communication data (e.g. device information, IP addresses)
Processing of special categories of data (Art. 9, Para. 1 GDPR):
In principle, no special categories of data are processed, unless the user supplies them for processing, e.g. in online forms.
Categories of data subjects:
- Customers / interested parties / suppliers
- Visitors and users of the online service offered
Purpose of the processing:
- Provision of the online offer, its contents and functions
- Contractual performance, service and customer care
- Reply to contact requests and communication with users
- Marketing, advertising and market research
- Security measures
Effective: 23 May 2018
1. Applicable legal basis
3. Security measures
- In accordance with Art. 32 of the GDPR, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons; the measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data as well as their access, input, disclosure, availability and separation. In addition, we have established procedures that ensure awareness of data subject rights, the deletion of data and a reaction to data risks. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and data privacy-friendly pre-settings (Art. 25 of the GDPR).
- The security measures include in particular the encrypted transmission of data between your browser and our server.
4. Cooperation with contract processors and third parties
- If we disclose data to other persons and companies (contract processors or third parties) within the scope of our processing, transfer these data to them or otherwise grant them access to the data, this only takes place on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6, Para. 1, Point b) of the GDPR), if you have given your consent, if a legal obligation stipulates such an action, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
- If we commission third parties with the processing of data on the basis of a so-called "order processing contract", this is conducted on the basis of Art. 28 of the GDPR.
5. Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this only takes place if it occurs for the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only when the special requirements of Art. 44 ff. of the GDPR are met. This means, for example, that processing is carried out on the basis of special guarantees, such as the officially recognised determination of a data protection level corresponding to the EU (e.g. for the USA through the "Privacy Shield") or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").
6. Rights of data subjects
- You have the right to request confirmation as to whether the respective data are being processed, to receive information about these data, and to obtain further information and a copy of the data in accordance with Art. 15 of the GDPR.
- In accordance with Art. 16 of the GDPR, you have the right to request the completion of data that concerns you or the rectification of inaccurate data that concerns you.
- In accordance with Art. 17 of the GDPR, you have the right to request that relevant data are deleted without delay or, alternatively, to request a restriction on the processing of the data in accordance with Art. 18 of the GDPR.
- In accordance with Art. 20 of the GDPR, you have the right to receive the data relating to you that you provided to us and to demand their transmission to other controllers ("right to data portability").
- In accordance with Art. 77 of the GDPR, you also have the right to file a complaint with the competent supervisory authority.
7. Right of withdrawal
You have the right to revoke your consent according to Art. 7, Para. 3 of the GDPR with effect for the future.
8. Right of objection
You can object to the future processing of the data concerning you in accordance with Art. 21 of the GDPR at any time. The objection may in particular be lodged against processing for direct marketing purposes.
9. Cookies and the right to object in the case of direct marketing
10. Deletion of data
- In Germany: in accordance with statutory requirements, the records are kept for 6 years in accordance with Sec. 257, Para. 1 of the German Commercial Code (HGB) (trading books, records, management reports, accounting records, trade and business letters, tax documents, etc.) and for 10 years in accordance with Sec. 147, Para. 1 of the German Fiscal Code (AO) (books, records, management reports, accounting documents, commercial and business letters, tax documents, etc.).
11. Performance of contractual services
- We process inventory data (e.g. the names, addresses and contact details of users), contract data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6, Para. 1, Point b) of the GDPR. The entries marked as obligatory in online forms are required for the conclusion of the contract.
- Users can optionally create a user account, in which they are able, in particular, to view their orders. During the registration process, the mandatory information required is communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users terminate their user account, their data with regard to the user account is deleted, unless their storage is necessary for commercial or tax reasons in line with Art. 6, Para. 1, Point c) of the GDPR. It is the responsibility of the users to save their data before the end of the contract when they have given notice of termination. We are entitled to irretrievably delete all user data stored during the term of the contract.
- During the course of registration, renewed logins and the use of our online services, we save the IP address and the time of the respective user action. The data are stored on the basis of our legitimate interests as well as to protect the user against misuse and other unauthorised use. A transfer of these data to third parties does not take place, unless it is necessary to pursue our claims or there is a legal obligation in accordance with Art. 6, Para. 1, Point c) of the GDPR.
- The deletion takes place after the expiry of the statutory warranty and comparable obligations, and the necessity of keeping the data is reviewed every three years; in the case of statutory archiving obligations, the deletion takes place after their expiry (end of the commercial law (6 years) and fiscal law (10 years) storage obligation); information in the customer account remains in existence up until its deletion.
- When contacting us (by e-mail), the details of the user are processed to manage the contact inquiry and its handling in accordance with Art. 6, Para. 1, Point b) of the GDPR.
- The details of the user may be stored in our Customer Relationship Management system ("CRM system") or a comparable system for inquiry organisation.
- We delete the inquiries if they are no longer required. We review their requirement every two years; inquiries from customers who have a customer account are stored permanently, and for deletion we refer to the customer account information. In the case of statutory archiving obligations, the deletion takes place after their expiry (end of the commercial law (6 years) and fiscal law (10 years) storage obligation).
13. Comments and posts
- If users make comments or other contributions, their IP addresses will be stored for seven days on the basis of our legitimate interests within the meaning of Art. 6, Para. 1, Point f) of the GDPR.
- This takes place for our security in case someone deposits illegal content in comments and postings (insults, forbidden political propaganda, etc.). In such cases, we can ourselves be prosecuted for the comment or posting and are therefore legitimately interested in the identity of the author.
14. Collection of access data and log files
- On the basis of our legitimate interests within the meaning of Art. 6, Para. 1, Point f) of the GDPR, we collect data on every access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, transferred data volume of the user, notification of successful access, browser type and version, operating system of the user, referrer URL (the previously visited page), IP address and the requesting provider.
- Log file information is stored for a maximum of seven days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes are exempted from deletion until the respective incident has been finally clarified.
15. Online presence in the social media
- We maintain an online presence within social networks and platforms in order to communicate with the customers, interested parties and users active therein and to inform them there about our services. When the respective networks and platforms are accessed, the terms and conditions and the data processing guidelines of the respective providers apply.
16. Cookies & reach measurement
- Cookies are information that is transferred from our web server or third-party web servers to the user's web browser and stored there for later retrieval. Cookies can be small files or other types of information storage.
- We use "session cookies", which are only stored on our website for the duration of the current visit to our online presence (e.g. to enable the storage of your login status or the shopping basket function and thus enable the use of our online offer). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. A cookie also contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and, for example, you log out or close your browser.
- If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
17. Google Analytics
- Google is certified under the Privacy Shield agreement, thereby offering a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer, and to provide us with further services connected with the use of this online offer and Internet usage. In this context, pseudonymous user profiles may be created from the processed data.
- We only use Google Analytics with activated IP anonymisation. This means that Google will shorten the IP address of users within the member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the US and shortened there.
- The IP address transmitted by the user's browser will not be amalgamated with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie relating to their use of the online offer and prevent Google from processing these data by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB. Alternatively, they can disable tracking here: Disable Google Analytics
- Further information on data use by Google, possible settings and objections can be found on Google's websites: https://policies.google.com/technologies/partner-sites?hl=en ("How Google uses information from sites or apps that use our services"), https://policies.google.com/technologies/ads?hl=en ("Advertising" about the use of data for advertising purposes), and https://adssettings.google.com/authenticated ("Manage information that Google uses to show you advertising").
18. Facebook social plugins
- On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6, Para. 1, Point f) of the GDPR), we use social plugins ("plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can display interaction elements or contents (e.g. videos, graphics or text contributions) and are identified by one of the Facebook logos (white "f" on blue tile, the term "like" or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin". The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/?locale=en_US.
- Facebook is certified under the Privacy Shield agreement, thereby offering a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
- When a user accesses a function of this online service that contains such a plugin, his or her device establishes a direct connection to Facebook's servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online offer. The processed data can be used to create user profiles. We therefore have no influence on the amount of data Facebook collects with the help of this plugin and are therefore informing users solely on the basis of our current knowledge.
- Through the integration of the plugins, Facebook receives information that a user has called up the corresponding page of the online offer. If the user is logged in to Facebook, Facebook can assign the visit to his or her Facebook account. When users interact with the plugins, such as pressing the Like button or posting a comment, the information is transmitted directly from their device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to find out and store his or her IP address. According to Facebook, only an anonymised IP address is stored in Germany.
- The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the relevant rights and setting options for the protection of the privacy of users, can be found in the Facebook data protection information: https://www.facebook.com/about/privacy/.
- If a user is a Facebook member and does not want Facebook to collect data about him or her via this online offer and link it to his or her member data stored on Facebook, he or she must log out of Facebook and delete his or her cookies before using our online offer. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The settings are made platform-independent, i.e. they are applied to all devices such as desktop computers or mobile devices.
- The following notes inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your right of termination. By subscribing to our newsletter, you agree to its receipt and agree to the procedures described below.
- Content of the newsletter: we only send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter "newsletters") with the consent of the recipients or a legal permission. If the contents of a newsletter are specifically described within the scope of a registration, these are decisive for the consent of the users. In addition, our newsletters also contain information about our offers, promotions and activities and about our company.
- Double opt-in and logging: the registration for our newsletter takes place in a so-called double opt-in procedure. This means that you will receive an e-mail after registration in which you are asked to confirm your registration. This confirmation is necessary to ensure that nobody can register with third party e-mail addresses. Subscriptions to the newsletter are logged to prove that the registration process has been carried out in accordance with the legal requirements. This includes the storage of the login and confirmation time as well as the IP address. Likewise, changes to your data stored with the newsletter shipping service provider will also be logged.
- Shipping service provider: the newsletter is sent by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, hereinafter referred to as "shipping service provider". The data protection regulations of the shipping service provider can be viewed here: https://www.cleverreach.com/en/privacy-policy/.
- Furthermore, according to its own declaration, the shipping service provider may use these data in pseudonymous form, i.e. without allocation to a user, to optimise or improve its own services, e.g. for the technical optimisation of the dispatch and presentation of the newsletter or for statistical purposes in order to determine the countries from which the recipients come. However, the shipping service provider does not use the data of our newsletter recipients to contact them itself, nor does it pass the data on to third parties.
- Registration data: to subscribe to the newsletter, the provision of an e-mail address is sufficient.
- Performance measurement – the newsletters contain a so-called "web beacon", i.e. a pixel-sized file that is retrieved from the shipping service provider's server when the newsletter is opened. Within the scope of this retrieval, technical information is initially collected, such as information about the browser and your system as well as your IP address and the time of retrieval. This information is used to technically improve the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined using the IP address) or access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is not our intention, nor that of the shipping service provider, to observe individual users. In point of fact, the evaluations serve us to recognise the reading habits of our users and to adapt our contents to them or to send different contents according to the interests of our users.
- Germany: the shipping of the newsletter and the performance measurement are based on the recipients' consent pursuant to Art. 6, Para. 1, Point a) and Art. 7 of the GDPR in conjunction with Sec. 7, Para. 2, No. 3 of the German Act Against Unfair Competition (UWG) or on the legal permission pursuant to Sec. 7, Para. 3 of the German Act Against Unfair Competition (UWG).
- The registration procedure is recorded on the basis of our legitimate interests pursuant to Art. 6, Para. 1, Point f) of the GDPR and serves as proof of consent to receipt of the newsletter.
- Cancellation/withdrawal – you can cancel the receipt of our newsletter at any time, i.e. withdraw your consent. You will find a link to cancel the newsletter at the end of each newsletter. If users have only subscribed to the newsletter and then cancelled their subscription, their personal data will be deleted.
20. Integration of third-party services and contents
- On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6, Para. 1, Point f) of the GDPR), we make use of the content or service offers of third parties within our online offer in order to incorporate contents and services from them such as videos or fonts (hereinafter uniformly referred to as "content"). This always presupposes that the third-party providers of this content are aware of the IP address of the users, since they could not send the contents to their browser without the IP address. The IP address is therefore required for the display of these contents. We make every effort to use only that content whose respective providers use the IP address solely for the delivery of the contents. Third-party providers may also deploy so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, and it may be linked to such information from other sources.
- If our customers use the payment services of third parties (e.g. PayPal or immediate transfer), the terms and conditions and the data protection information of the respective third-party providers, which can be retrieved within the respective websites or transaction applications, apply.