Name of company: Carl Kühne KG (GmbH & Co.)
Street/ No.: Kühnehöfe 11
Postal code, town, country: 22761 Hamburg, Germany
Commercial Register No.: District Court of Hamburg HRA 47 618
CEO: Stefan Leitz
Telephone number: +49 (0) 40 85 305-0
Email address: firstname.lastname@example.org
Data protection officer:
Types of processed data:
Processing of other special categories of personal data (Art. 9 (1) GDPR):
Categories of data subjects:
From here on, we shall also collectively refer to the data subjects as “users”.
Purpose of processing:
1. Relevant legal bases
3. Security measures
3.1. We take appropriate technical measures in accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purpose of the processing as well as the varying degrees of probability and severity of the risk to the rights and freedoms of individuals, to ensure a level of protection appropriate to the risk. These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as their access, input, disclosure, security of their availability and their separation. We have also put in place procedures to ensure observance of data subject rights, data deletion and data vulnerability. Furthermore, we take the protection of personal data into consideration already in the development or selection of hardware, software and procedures, according to the principle of data protection by technology design and by privacy-friendly default settings (Art. 25 GDPR).
3.2. In particular, one of the security measures we take is to encrypt the data for transfer between your browser and our server.
4. Cooperation with contract processors and third parties
4.1. If, as part of our processing, we disclose data to other persons and companies (contract processors or third parties), transmit these to them or otherwise grant them access to the data, this will only be done if there is legal authorisation for this (e.g. if a transmission of the data to third parties, such as to payment service providers, is required to fulfil the contract in accordance with Art. 6 (1) (b) GDPR), you have consented to this, there is a legal obligation for this, or if it is based on our legitimate interests (e.g. the use of agents, web hosts etc.).
4.2. If we commission third parties with processing data under a so-called “data processing contract”, this is done on the basis of Art. 28 GDPR.
5. Data transfer to third countries
If we process data in a third country (this means outside the European Union (EU) or the European Economic Area (EEA)), or if this takes place as part of our use of third-party services or the disclosure or transmission of data to third parties, this will only be done if it is to fulfil our (pre-)contractual obligations, with your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only subject to the special conditions of articles 44 et seqq. GDPR. That means that the processing takes place, for example, on the basis of specific guarantees, such as an officially recognised level of data protection according to EU law (e.g. for the US through the Privacy Shield) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
6. Rights of data subjects
6.1. In accordance with Art. 15 GDPR, you have the right to ask for confirmation as to whether the data in question is being processed and for information about this data as well as for further information and a copy of the data.
6.2. In accordance with Art. 16 GDPR, you have the right to demand completion of the data concerning you or correction of incorrect data concerning you.
6.3. In accordance with Art. 17 GDPR, you have the right to demand that the relevant data be deleted immediately or, alternatively, to require that the processing of the data be restricted in accordance with Art. 18 GDPR.
6.4. In accordance with Art. 20 GDPR, you have the right to receive the personal data concerning you which you have provided to us and to request their transmission to other responsible entities.
6.5. Furthermore, in accordance with Art. 77 GDPR, you have the right to file a complaint with the competent supervisory authority.
7. Right of withdrawal
In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent with effect for the future.
8. Right of objection
In accordance with Art. 21 GDPR, you may at any time object to the future processing of your data. You may, in particular, object to data processing for direct marketing purposes.
9. Cookies and the right to object to direct mail
10. Deletion of data
10.2. According to legal requirements, storage takes place in particular for 6 years in accordance with Paragraph 257(1) German Commercial Code (HGB) (trading books, inventories, opening balance sheets, annual accounts, trade letters, accounting documents etc.) and for 10 years in accordance with Paragraph 147(1) German Tax Code (AO) (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation etc.).
11. Provision of contractual services
11.1. We process user data (e.g. names and addresses as well as contact information of users) and contract data (e.g. services used, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 (1) (b) GDPR. The entries marked as obligatory in online forms are required for the contract to be concluded.
11.2. We process usage data (e.g. the web pages of our online offering that were visited, interest in our products) and content data (e.g. entries in the contact form or user profile) for promotional purposes in a user profile to show the user product hints based on the services they previously used.
11.3. Deletion takes place after the legal warranty and comparable obligations have expired; the necessity of keeping the data is checked every three years. In the case of legal archiving obligations, deletion takes place after these have expired (end of retention obligation under commercial law (6 years) and tax law (10 years)). Information in the customer account remains until this account is deleted.
12.1. When a user contacts us (via contact form or email), the user’s details are processed for the purpose of the contact request and processing thereof in accordance with Art. 6 (1) (b) GDPR.
12.2. User information can be stored in our Customer Relationship Management System (CRM system) or similar inquiry system.
13. Collection of access data and log files
13.1. On the basis of our legitimate interests within the meaning of Art. 6 (1) (f) GDPR, we collect data regarding every instance of access to the server hosting this service (so-called server log files). The access data include the name of the website that was accessed, the file, date and time of access, the amount of data transferred, the notification of successful retrieval, the browser type and version, the user's operating system, the referrer URL (the previously visited page), the IP address and the requesting provider.
13.2. Log file information is stored for security purposes (e.g. to investigate abusive or fraudulent activities) for a maximum of seven days and then deleted. Data that must be retained beyond this period for evidential purposes shall be excluded from deletion until final clarification of the incident.
14. Online presence in social media
14.1. Based on our legitimate interests within the meaning of Art. 6 (1) (f) GDPR, we maintain an online presence within social networks and platforms in order to communicate with customers, interested parties and users who are active there, and to inform them of our services. When the respective networks and platforms are accessed, the terms and conditions and the data processing guidelines of their respective operators apply.
15. Cookies & reach measurement
15.1. A cookie is information that is transmitted from our web server or third-party web servers to the web browsers of users, to be stored there for later retrieval. Cookies can be small files or other types of information storage.
15.2. We use session cookies that are only stored for the duration of the current visit to our online presence (e.g. to enable the storage of your login status or the shopping cart feature and thus the use of our online offer at all). In a session cookie, a randomly generated unique identification number is stored, a so-called session ID. In addition, a cookie contains information about its origin and the retention period. These cookies cannot save any other data. Session cookies will be deleted when you have finished using our online offer and you have for example logged out or closed your browser.
15.4. If users do not want cookies stored on their computer, they will be asked to disable this option in the system settings of their browser. Saved cookies can be deleted in the browser’s system settings. Excluding cookies may lead to restricted access to the features of this online offer.
16. Google Analytics
16.2. Google is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=A).
16.3. Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services related to the use of this online offer and internet usage. In doing so, pseudonymous usage profiles of the users may be created from the processed data.
16.4. We use Google Analytics to show the advertisements displayed within the advertising services of Google and its affiliates only to users who have shown an interest in our online offering or who have certain characteristics (e.g. interests in particular topics or products that are determined by the websites they visited) that we provide to Google (so-called “remarketing audiences” or “Google Analytics audiences”). By using remarketing audiences, we also want to make sure that our advertisements are aligned with the potential interest of users and are not a nuisance.
16.5. We only use Google Analytics with activated IP anonymisation. This means that the user’s IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a server of Google in the USA, and shortened there.
16.6. The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users may also prevent Google from collecting the data generated by the cookie and related to their use of the online offer as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
16.7. For more information about Google’s data usage, settings and options for objection, please visit Google’s websites: https://policies.google.com/technologies/partner-sites?hl=en-GB (“How Google uses information from sites or apps that use our services”), https://policies.google.com/technologies/ads (“Advertising”), https://adssettings.google.com/authenticated (“Ad personalisation”).
16.8. Incidentally, personal data will be anonymised or deleted after a period of 14 months.
17. Google re-/marketing services
17.1. On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), we use the marketing and remarketing services (“Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).
17.2. Google is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=A).
17.3. Google Marketing Services allows us to better target advertisements for and on our website, so that we present users only with advertisements that potentially match their interests. If a user is, for example, shown advertisements for products they have shown an interest in on other websites, this is called remarketing. For these purposes, when our website and other websites using Google Marketing Services are accessed, a code is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also called “web beacons”) are incorporated into the website. With their help, the user is provided with an individual cookie, i.e. a small file is saved (instead of cookies, comparable technologies can also be used). The cookies can be set by different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. This file records which web pages the user visited, what content they are interested in and what offers they have clicked on, as well as technical information regarding the user’s browser and operating system, referring web pages, duration of visit and other information on the use of the online offer. The user's IP address is also recorded; in the context of Google Analytics, we inform you that the IP address is shortened within member states of the European Union or other parties to the Agreement on the European Economic Area and is transmitted to a Google server in the US and shortened there only in exceptional cases. The IP address will not be merged with the user’s data within different offers from Google. Google may also link the above information with such information from other sources. If the user then visits other websites, they can then be shown advertisements tailored to the user's interests.
17.4. Users’ data are processed under a pseudonym in the context of Google Marketing Services. That means that Google does not, for example, store and process the name or email address of the users, but processes the relevant data in relation to cookies within pseudonymous user profiles. This also means that, from the perspective of Google, the advertisements are not managed and displayed to a specifically identified person, but to the cookie owner, regardless of the identity of the cookie owner. This does not apply if a user has explicitly allowed Google to process the data without this pseudonymisation. The information collected about users through Google Marketing Services is transmitted to Google and stored on Google’s servers in the United States.
17.5. The Google Marketing Services we use include the online advertising program Google AdWords. In the case of Google AdWords, each advertiser receives a different “conversion cookie”. Cookies can thus not be tracked through AdWords advertisers’ websites. The information collected through the cookie is used to generate conversion statistics for AdWords advertisers who have opted for conversion tracking. Advertisers will see the total number of users who clicked on their advertisements and were redirected to a conversion tracking tag page. However, they do not receive information that personally identifies users.
17.8. We can also use the service Google Optimiser. Google Optimiser allows us to understand through so-called A/B tests how various changes to a website (such as changes to the input fields, the design etc.) can take place. Cookies are stored on users’ devices for these purposes. Only pseudonymous data of the users are processed.
17.9. In addition, we may use Google Tag Manager to integrate and manage Google Analytics and Marketing Services on our website.
17.11. If you wish to opt out of interest-based advertising through Google Marketing Services, you can take advantage of Google’s settings and opt-out options: https://adssettings.google.com/authenticated.
18. Facebook, custom audiences and Facebook marketing services
18.1. On the basis of our legitimate interests in the analysis, optimisation and economic operation of our online offer, and for these purposes, the so-called “Facebook Pixel” of the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or – if you are located in the EU – Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”) is used.
18.2. Facebook is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=A).
18.3. With the help of the Facebook Pixel, it is possible for Facebook to determine the visitors to our online offer as a target group for the display of advertisements (so-called “Facebook ads”). Accordingly, we use the Facebook pixel to display the Facebook advertisements we have placed only to users who have shown an interest in our online offering or who have certain characteristics (e.g. interests in particular topics or products that are determined by the websites they visited) that we transmit to Facebook (so-called “custom audiences”). By using the Facebook pixel, we also want to make sure that our Facebook advertisements are in line with the potential interest of users and are not annoying. The Facebook Pixel furthermore helps us understand the effectiveness of Facebook advertisements for statistical and market research purposes, in which we see whether users were redirected to our website after clicking on a Facebook advertisement (so-called “conversion”).
18.4. In addition, when using the Facebook pixel, we use the additional feature “advanced matching”, in which data such as telephone numbers, email addresses or Facebook IDs of the users are transmitted (encrypted) for the formation of target groups on Facebook (“custom audiences” or “look-alike audiences”). More about “advanced matching”: https://www.facebook.com/business/help/611774685654668.
18.5. We also use the Custom Audiences from File method of the social network Facebook, Inc. In this case, the email addresses of newsletter recipients are uploaded to Facebook. The upload process is encrypted. The upload serves solely to identify recipients of our Facebook advertisements. We want to ensure that the advertisements are only displayed to users who are interested in our information and services.
18.6. Facebook processes the data within the context of Facebook’s Data Policy. Accordingly, general notes on the display of Facebook advertisements can be found in Facebook’s Data Policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook Pixel and how it works, please refer to Facebook’s help section: https://www.facebook.com/business/help/651294705016616.
18.7. You can object to your data being collected by the Facebook Pixel and used to display Facebook advertisements. To set which types of advertisements you see on Facebook, you can go to the following page that has been set up by Facebook and follow the instructions for usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are independent of platform; this means they are adopted for all devices, such as desktop computers or mobile devices.
18.8. Tracking via the Facebook Pixel on this website is deactivated.
19. Facebook social media plugins
19.1. On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), we use social plugins (“plugins”) of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can represent interaction elements or content (e.g. videos, graphics or text contributions) and can be recognised by one of the Facebook logos (white “f” on blue tile, the word “Like” or a “thumbs up” sign) or are marked with the addition “Facebook Social Plugin”. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
19.2. Facebook is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=A).
19.3. When a user invokes a feature of this online offering that includes such a plugin, their device establishes a direct connection to the Facebook servers. Facebook transmits the content of the plugin directly to the user's device, where it is incorporated into the online offer. In doing so, usage profiles of the users may be created from the processed data. We therefore have no influence on the amount of data that Facebook collects with the help of this plugin and hereby inform users accordingly of the extent of our knowledge.
19.4. By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offer. If the user is logged in to Facebook, Facebook can assign the visit to their Facebook account. If users interact with the plugins by, for example, pressing the Like button or leaving a comment, the information is transmitted from their device directly to Facebook and stored there. If a user is not a member of Facebook, there still is the possibility that Facebook will detect and save their IP address. According to Facebook, only an anonymous IP address is stored in Germany.
19.6. If users are a member of Facebook and do not want Facebook to collect data about them via this online offer and link it to their member data stored on Facebook, they must log out of Facebook and delete their cookies before using our online offer. Other settings and objections regarding the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. The settings are independent of platform, i.e. they are adopted for all devices, such as desktop computers or mobile devices.
20.1. Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), we use the analytics service “etracker” provided by etracker GmbH, Erste Brunnenstrasse 1, 20459 Hamburg, Germany.
20.2. A user profile can be created under a pseudonym from the data processed by etracker. Cookies may be used for this purpose. These cookies make it possible to recognise your browser. The data collected with the etracker technologies will not be used to personally identify visitors to our website without the data subject’s separate consent and will not be combined with personal data concerning the bearer of the pseudonym. Furthermore, the personal data are processed only for us; this means they are not combined with personal data collected within other online offers.
20.3. You can object to the collection and storage of your data at any time with effect for the future. In order to object to the collection and storage of your visitor data for the future, you can obtain an opt-out cookie from etracker under the following link, which ensures that etracker will not collect and store any visitor data from your browser in the future: https://www.etracker.com/en/data-privacy/
20.4. When you choose the opt-out feature, etracker places an opt-out cookie on your computer with the name “cntcookie”. Please do not delete this cookie at any time while you want to maintain your objection. For further information, please refer to etracker’s data protection provisions: https://www.etracker.com/en/data-privacy/.
21. Integration of services and content of third parties
21.1. We use contents or services offered by third-party providers within our online offer, based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR), in order to integrate their content and services, such as videos or fonts (collectively referred to as “contents”). This always presupposes that the third-party providers of these contents detect the user's IP address, since they could not send the contents to their browser without an IP address. Presentation of these contents therefore requires an IP address. We endeavour to use only contents where the respective providers use the IP address solely for delivering their contents. Third parties may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. These pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include – but is not limited to – technical information about the user’s browser and operating system, referring web sites, visit time and other information regarding the use of our online offer.
21.2. Below is an overview of third-party providers and their contents, as well as links to their privacy policies, where you will find more information on the processing of data and, as already to an extent mentioned here, your opt-out options:
External fonts from Google, LLC., https://www.google.com/fonts (“Google Fonts”). Google fonts are integrated through a server call on Google (usually in the USA). Privacy Statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
Maps provided by “Google Maps” from third-party provider Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. Privacy Statement: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
Videos provided by the platform YouTube from third-party provider Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. Privacy Statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
Our online offer includes features of the service Google+. These features are offered through the third-party provider Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. If you are logged in to your Google+ account, you can link the contents of our pages to your Google+ profile by clicking the Google+ button. This allows Google to associate your visit to our pages with your user account. We hereby point out that we as the provider of the pages are not aware of the contents of the transmitted data and how these are used by Google+. Privacy Statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
Our online offer includes features of the service Instagram. These features are offered through Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged in to your Instagram account, you can link the contents of our pages to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to our pages with your user account. We hereby point out that we as the provider of the pages are not aware of the contents of the transmitted data and how these are used by Instagram. Privacy Statement: http://instagram.com/about/legal/privacy/.
We use social plugins from the Pinterest social network operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA (“Pinterest”). When you visit a page containing such a plugin, your browser connects directly to the Pinterest servers. The plugin transmits protocol data to the Pinterest server in the USA. This log data may include your IP address, the addresses of the websites you visited that also include Pinterest features, your browser type and settings, the date and time of the request, how you use Pinterest, as well as cookies. Privacy Statement: https://about.pinterest.com/de/privacy-policy.
Our online offer may include features of the service or the platform Twitter (hereinafter referred to as “Twitter”). Twitter is an offer from Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Features include displaying our posts on Twitter within our online offering, a link to our Twitter profile and the ability to interact with Twitter’s posts and features, as well as measuring whether users are using the ads we have posted on Twitter to access our online offer (so-called conversion measurement). Twitter is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=A). Privacy Statement: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.