Privacy Policy
Basic Information
We are delighted to have you visit our website, and we would like to thank you for your interest. In the following, we would like to inform you about how we handle your personal data when you use our web services, like our website and our online shops. The following information also relates to the use of our websites on mobile devices, e.g. smartphones or tablets. Personal data includes all data which could be used to identify you personally, or which make you identifiable via a username or identification code, such as your IP address.
This Privacy Statement explains the legal basis and the purpose for this collection or processing of your data. We would like to inform you of your rights regarding the use of your personal data. If you have any questions regarding our use of your personal data, please contact us as the responsible entity — Controller under data protection law.
For security reasons and to protect the transfer of personal data and other confidential information (e.g., orders or queries sent to Controllers), these online services use SSL or TLS encryption. You can identify an encrypted connection by checking that the letters “https://” and a lock symbol appear in your browser address line.
Who we are (Controller for Data Privacy)
The Controller for the processing of data on our online services pursuant to the General Data Protection Regulation (Datenschutz-Grundverordnung — GRPD) is:
Kaschae Datenschutz & Compliance GmbH,
vertreten durch den Geschäftsführer Dr. Wolfram Konertz,
An der Alster 62, 20099 Hamburg, Deutschland,
Tel.: +49 (0)40 280 952 86 0
E-Mail: info@kaschae.de
We are not obliged to appoint a company data protection officer. In our company, less than 10 people are entrusted with the processing of personal data.
Data collection when accessing our online services
Accessing our web pages (without registration) will result in the automatic anonymised collection of the following data on our servers:
- masked IP address,
- access date/ time/ time zone,
- access status,
- type of access,
- type of protocol,
- type and number of pages accessed on our site,
- name and size of accessed files,
- referring website,
- web browser,
- operating system.
The listed non-personal data is collected automatically as part of the normal operations of our internet services. The information gathered about the use of our pages is not combined with any personal information provided through the online registration form. We do not have any personal references in our usage data.
We use the above data for the purposes of troubleshooting, generating statistics and measuring website activity with the aim of improving the value and use of our services. As such, we have a legitimate interest to justify the data processing activity pursuant to Article 6 (1) (f) GRPD.
Within our company, our IT Administrator is the only person with access to this data for the purposes listed above.
The above data is only collected for the period of use; once the use has ended, the data shall be deleted without delay, after seven days at the latest.
We use cookies and web analysis services to obtain information as soon as your web browser accesses our website. These identifiers enable a range of our website’s service functions and are automatically transferred to the hard drive of your computer or other mobile device via your browser. This function can be deactivated in the settings of your browser. Should cookies be disabled, personalised service will be unavailable. In this case, your anonymised IP address may be transferred to the USA. For more information on the cookies and web analysis tools we use, see the “Use of cookies and tools” section below.
Contact
On our pages, we have provided an online form which enables you to make contact with us electronically. The form requires your first name and family name, your email address and telephone number as well as a box for entering a message to us. We need this data to process your request. You can also choose to provide us with your postal address. Additionally, you can contact us at any time via email. Contacting us is always voluntary.
This data is solely used for the purpose of answering your request or responding to your request for contact, and the technical administration involved. This processing is lawful pursuant to Art. 6 (1) (b) GRPD, as we require the data listed above for the initiation, conduct or termination of a contractual relationship with you.
You request will be handled by one of our employees.
We do not pass on your requests to third-parties or to organisations outside of the EU.
After your request has been processed, we delete your contact information, at the latest, seven days after your request has been dealt with. This period of storage may be subject to statutory storage periods, for example, when your request is in connection with the processing of a contract or a warranty or guarantee. In this case, we store your request beyond seven days only for the purpose of complying with our legal obligations (Art. 6 (1) (c) GRPD). In this case, we delete your data on termination of the statutory storage period (Section 147 (3) Fiscal Code of Germany (Abgabeordnung – AO)), i.e. after a period of 10 years, beginning at the conclusion of the contract. We will delete your data at the end of this retention period without any request to do so on your part.
Use of your data for advertising purposes (product recommendations to existing cus-tomers/ newsletter subscription)
Recommending products to existing customers
If you have ordered products from us and provided your email address, we allow ourselves under the law to send you product recommendations for similar products which could be of interest to you, where you have not objected this use during the purchase process. This form of contact will only occur for the purpose of sending product recommendations via email to you as an existing customer. In this, we are pursuing our legitimate interest in sending personalised direct advertising to existing customers. This is consistent with our legitimate interest in direct advertising to existing customers under Art. 6 (1) (f) DSGVO in conjunction with Section 7 (3) German Unfair Competition Act (Gesetz gegen den unlauteren Wettbewerb – UWG). If you have initially objected to this use of your email address, we will not send this information to you via email. You may withdraw your consent to the use of your email address to receive such messages from us at any time and with future effect. After receipt of your withdrawal of consent, we will cease the use of your email address for this purpose without delay.
Newsletter subscription
You can register for our email newsletter on our website. Our newsletter provides regular updates on new items, interesting offers and new promotions and campaigns. To receive our newsletter, you must only provide your email address. You may also choose to provide your name, to allow us to address you personally. We use the double opt-in process for our newsletter subscription. For this purpose, we will send you a confirmation email after we have received your consent to a newsletter subscription. In this email, we will ask you to confirm your subscription via a provided link. You will only receive our newsletter after this (second) activation of the service.
Consent to newsletter subscription
The address you provided for our newsletter subscription and any other data you provided such as your name will solely be used for the purposes of sending advertisements to you via electronic mail. This sending of electronic advertising is lawful pursuant to Art. 6 (1) (a) DSGVO.
You can withdraw your consent to the use of your email to receive newsletters at any time with future effect by sending an email or using our online contact form, or the link provided in the email. After cancellation of this service, we will delete your email address without delay from our distribution list, unless you have expressly consented to another use of your data, or we reserve the right to use your data for lawful purposes and of which you have been informed appropriately.
Your declaration of consent will be recorded electronically for the purposes of verification. You can see your declarations of consent at any time online in your account. On registration for the newsletter we also store the IP address provided by your Internet Service Provider (ISP) as well as the date and time of your subscription to trace any potential misuse of your email address at a later date.
If you have not consented to the newsletter subscription or withdrawn said consent, you will only receive electronic mail from us in connection with the processing of orders you have placed with us.
Service providers for sending electronic advertising
Product recommendations and our newsletter are sent via email using the services provided by CleverReach GmbH & Co. KG, Mühlenstrasse 43, 26180 Rastede (“CleverReach”). This service provider acts strictly on our instructions on our behalf, and for this purpose, your email address and your name where provided, will be passed on to it. This data will be processed on the CleverReach servers located in Germany and Ireland.
CleverReach, acting on our behalf, will only use this information for the purposes of delivery and for the statistical assessment of the newsletter. For the purposes of this assessment, the emails contain web beacons or tracking pixels. This allows us to ascertain whether a newsletter has been opened, and which links you may have clicked. Using conversion tracking, we can then also analyse whether a certain action (e.g. the purchase of a product on our online pages) has taken place after clicking the link in the newsletter. Additionally, we collect further technical information, namely the time of access, the masked IP address, browser type and operating system. This technical information is exclusively collected in an anonymised form and is not linked to your personal data or your customer account, making it impossible for us to link that information back to you. The data is only utilised for statistical analysis of our newsletter campaigns. The results of this analysis assist us in adapting our newsletter to make future offers better suit our customers’ interests. This analysis is lawful pursuant to Art. 6 (1) (f) GDPR as a legitimate interest in the optimisation and adaptation of our newsletter to better meet demand.
If you wish to reject the use of this data for analytical purposes, you must unsubscribe from the newsletter.
We have entered into a Data Processing Agreement with CleverReach for the above purpose, which obliges CleverReach to protect our customers’ data and to not disclose that data to third parties.
More information on data processing by CleverReach is available here: https://www.cleverreach.com/en/features/reporting-tracking/. You can read CleverReach’s Privacy Policy here: https://www.cleverreach.com/en/privacy-policy/.
We do not send the data collected as part of newsletter delivery to countries or organisations outside the EU.
We store your email address and name if provided along with the declaration of consent for newsletter deliver for the period of your subscription, or until you withdraw your consent (cancel subscription).
There is no automated decision making or profiling.
Cleverreach works with Amazon Web Services (AWS) as a subcontractor. AWS processes data in Germany and Ireland. For technical reasons, the infrastructure may be maintained from the US. AWS is certified with the US Privacy Shield:
https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active
However, the European Court of Justice found that the USA does not have a level of data protection comparable to that in the EU (ECJ, judgement of 16 July 2020 – C-311/18, para. 200, Facebook/Schrems II).
AWS does offer a GDPR Data Processing Addendum for each customer that contains the standard data protection clauses (Data Processing Addendum). In addition to this, further data protection guarantees are required according to the European Court of Justice, which are currently not yet available.
Use of cookies and tools
Wir verzichten auf den Einsatz von Cookies.
Integration of social media and other services
Wir verzichten auf den Einsatz sozialer Medien und anderer Dienste.
Your rights as a data subject
Please read the following information about your rights as a data subject regarding the processing of your personal data.
The Right of Access
You have the right to request a confirmation whether your personal data is being processed. Should this be the case, you have the right to be informed of the personal data that has been collected, stored or processed, as well as to the following information:
- the processing purpose,
- the recipients or categories of recipients to whom this data has been disclosed or will be disclosed,
- the duration of storage or the criteria for determining that duration,
- your additional rights (see below),
- if the personal data has not been collected from you, all available information regarding its source,
- the existence of automated decision-making, including profiling, and where existent, further relevant information.
You have the right to be informed of the appropriate safeguards available pursuant to Art. 46 DSGVO against the transfer of your data to a third country or international organisation.
The right to rectification
You have the right to request the correction without delay of incorrect or incomplete personal data.
Right to erasure (right to be forgotten)
You have the right to request that we delete all your personal data without delay. We are obliged to delete your personal data without delay where one of the following grounds applies:
- Your personal data are no longer required for the purpose for which they were collected or otherwise processed.
- You are withdrawing your consent and there are no other legal grounds for processing that data.
- You are filing an objection (see below) to the data processing.
- Your personal data were unlawfully processed.
- The deletion of your personal data is necessary to fulfil an obligation under EU law or the law of the Member States.
- A child has provided consent to the collection of personal data.
Right to restriction of processing
You have the right to request a restriction of our data processing when one of the following conditions is met:
- you are contesting the accuracy of the personal data,
- the data processing is unlawful, but you do not agree to the deletion of the personal data, instead requesting a restriction of its use,
- we no longer need the personal data for the purposes of processing, but you need the data to establish, exercise or defend legal claims; or
- you have objected to processing (see below) and it is not yet clear whether our legitimate interest will prevail.
Right to notification
If you have exercised your right to rectification, erasure or restriction of processing against us, we are obliged to inform all recipients to whom your personal data has been disclosed of this rectification, erasure of the data or restriction of the data processing unless this proves impossible or requires a disproportionate effort. You have the right to be informed of those recipients.
Right to data portability
You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without interference on our part provided that:
- the processing is based on consent granted pursuant to Art. 6 (1) (a) DSGVO or Art.9 (2) (a) DSGVO or on a contract pursuant to Art. 6 (1) (b) DSGVO; and
- the processing is carried our using automated methods.
In exercising this right, you may request that personal data related to you be transferred directly from us to another controller insofar as this is technically feasible, and does not infringe on the freedoms and rights of any other person. The right to data portability does not apply to the processing of personal data required for fulfilling a task carried out in the public interest or in the exercise of an official authority invested in the controller.
Right to object
You have the right, based on grounds relating to your particular personal situation to object at any time to the processing of your personal data, unless it is based on one of the following grounds:
- the processing of your personal data by us is required for the fulfilment of a task that lies in the public interest or in the exercise of public authority that has been delegated to us; or
- the processing is necessary to safeguard our legitimate interest or the legitimate interest of a third-party, in so far as your interests or basic rights require that protection of your personal data prevail.
The right to object also applies to profiling based on these processes.
If the personal data that concerns you is being processed for direct marketing purposes, you have the right to object to the processing of your personal data for such marketing purposes. This also applies to profiling insofar as it is associated with such direct marketing.
You also have the right, on grounds arising from your particular personal situation, to object to the processing of your personal data undertaken by us for scientific or historical research purposes or for statistical purposes, unless such processing is necessary for the performance of a task in the public interest.
Right to withdraw consent and data protection law
You may revoke your consent at any time with future effect. The revocation may be simply sent to us at any time, e.g., an informal email. Processing of your data which occurred prior to the withdrawal of consent is not affected.
Right of appeal to the supervisory authority
Do you think that the processing of your personal data was illegal? Then you have the right to lodge a complaint with a supervisory authority, particularly in your country of residence or country of work, or at the location the alleged breach took place. If you are in doubt, contact the agency responsible for us at Hamburg Commissioner for Data Protection and Freedom of Information (Ludwig-Erhard-Str 22, 7 OG, 20459 Hamburg, Tel.: 040 428 544040, Fax: 040 / 428 54 – 4000, E-Mail: mailbox@datenschutz.hamburg.de). Other administrative or judicial remedies are not affected by the exercise of these rights.
January 2021
© Kaschae Datenschutz & Compliance GmbH