Data Protection Policy
This data protection policy provides information on the type, scope and purpose of processing of Personal Data (hereinafter, for short, "Data") within our Online Offer and the related websites, features, and items of contents as well as our external online presences, e.g. our social media profiles (hereinafter, jointly, the "Online Offer"). With reference to the terminology used, such as "Processing" or "Controller", please refer to the definitions contained in Chapter 4 of the General Data Protection Regulation (GDPR).
Auktionshaus Stahl GmbH & Co KG
Phone: +49 (40) 34 34 71 and +49 (40) 34 23 25
Fax: +49 (40) 348 04 32
Personally liable partner:
Auktionshaus Stahl Verwaltungs GmbH
Managing Director: Christiana Stahl-Kerle
Publicly appointed and sworn auctioneer
Types of processed Data
- Inventory data (e.g. names, addresses).
- Contact data (e.g. e-mail, phone).
- Content data (e.g. texts, images, videos).
- Usage data (e.g. visited websites, interest in contents, access times).
- Meta / communication data (e.g. device information, IP addresses).
Categories of Data Subjects
Visitors or users of the Online Offer (hereinafter, the Data Subjects are jointly referred to as "Users").
Purpose of processing
- Providing access to the Online Offer, its features and items of contents.
- Responding to inquiries and communicating with Users.
- Security measures.
- Coverage measurement / marketing.
"Personal Data" refers to any information that relates to an identified or identifiable natural person (hereinafter, "Data Subject"); a natural person is deemed identifiable if the individual can be directly or indirectly identified, in particular by connecting him or her to an identifier such as a name, ID number, location data, an online identifier (e.g. cookie) or one or several features describing the person's physical, physiological, genetic, mental, business, cultural or social identity.
"Processing" refers to any procedure carried out with or without the help of automated processes or any series of such procedures relating to Personal Data. This is a very far-reaching term that can basically mean any type of handling Data.
"Pseudonymisation" refers to the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific individual without using additional information, and this additional information is stored separately and is subject to technical or organisational measures to ensure that such Personal Data cannot be directly attributed to an identified or identifiable natural person.
"Profiling" refers to any kind of automated processing of Personal Data which makes use of the Personal Data to evaluate certain aspects relating to a natural person, including use to analyse or predict a person's work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location of the person.
"Controller" refers to any natural person or legal entity, authority, institution or other body which decides, alone or in conjunction with others, about the purpose and means of processing Personal Data.
"Order Processor" refers to any natural person or legal entity, authority, institution or other body that processes Data on behalf of the Controller.
In accordance with Article 13 GDPR, we hereby inform you of the legal bases of Data processing through us. Where the legal basis is not explicitly mentioned in the Data Protection Policy, the following applies: The legal basis for obtaining consent is Article 6 para. 1 lit. a and Article 7 GDPR; the legal basis for the processing of Data for the performance of our services, execution of contractual measures and responding to inquiries is Article 6 para. 1 lit. b GDPR; the legal basis for the processing of Data to comply with our legal obligations is Article 6 para. 1 lit. c GDPR; and the legal basis for the processing of Data to protect our legitimate interest is Article 6 para. 1 lit. f GDPR. In the event that vital interests of a Data Subject or another natural person make it necessary to process Personal Data, Article 6 para.1 lit. d GDPR serves as the legal basis.
We take appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons.
These measures include, but are not limited to, safeguarding the confidentiality, integrity and availability of Data by controlling physical access to the Data as well as the retrieval, entry and transmission of Data, ensuring availability and separating Data. In addition, we have introduced procedures to ensure that the rights of Data Subjects are respected, Data is deleted and there is a reaction when Data is at risk. Furthermore, we already consider the protection of Personal Data when developing or selecting hardware, software and procedures in accordance with the principle of data protection by technology design and default (Article 25 GDPR).
Cooperation with data processors and third parties
We only disclose, transmit or otherwise make Data available to external individuals or companies (data processors or third parties) in the course of their processing if this is legally permitted (e.g. when a transmission of Data to a third party, such as a payment service provider, is required for the fulfilment of the contract in accordance with Article 6 para. 1 lit. b GDPR), if you have agreed to this, if we are legally obliged, or on the grounds of our own legitimate interests (e.g. when employing agents, web hosting companies etc.).
Should we commission a third party with the processing of Data under a contract usually referred to as "Data Processing Agreement," Article 28 GDPR is the legal basis.
Transfer of Data to third countries
Should we process Data in a third country (e.g. a country outside the European Union (EU) or European Economic Area (EEA)) or should Data be processed there as part of the services provided by third parties, or as part of the disclosure or transmission of Data to third parties, this shall only occur if required for the fulfilment of our (pre)contractual obligations, based on your consent, or on the grounds of a legal obligation or our legitimate interest. Subject to statutory or contractual permissions, we only process or commission the processing of Data in a third country if the special requirements of Article 44 et seqq. GDPR are met. I.e., data processing is based on specific guarantees, such as an officially recognised data protection standard equivalent to that of the EU (e.g., the US "Privacy Shield") or compliance with officially recognised specific contractual obligations (usually referred to as "Standard Contractual Clauses").
Rights of Data Subjects
You have the right to request confirmation as to whether your Data is being processed, to request information about your Data, and additional information and a copy of the Data in accordance with Article 15 GDPR.
In accordance with Article 16 GDPR, you have the right to demand your Data be completed or corrected if incorrect.
In accordance with Article 17 GDPR, you may demand that your Data be deleted immediately, or, in accordance with Article 18 GDPR, you may demand that the processing of your Data is restricted.
You have the right to demand that Data you have provided to us be maintained or transmitted to a different controller in accordance with Article 20 GDPR.
Moreover, in accordance with Article 77 GDPR, you have the right to lodge a complaint with the supervisory authority in charge.
Right of revocation
You have the right to revoke your consent with future effect in accordance with Article 7 para. 3 GDPR.
Right of objection
You can object to the future use of your Data at any time in accordance with Article 21 GDPR. In particular, you can object to processing for direct marketing purposes.
Cookies and right of objection to direct marketing
"Cookies" are small packets of data stored on as User's PC. Different pieces of information may be stored in a cookie. A cookie primarily serves the purposes of saving User information (or rather, information on the device on which the cookie is stored) during or after using the Online Offer. Cookies that are deleted once the User leaves the Online Offer and closes his or her browser are referred to as "session cookies" or "transient cookies". This type of cookie may store information, for example, on what is in an online shop's shopping cart or a user's login status. "Permanent" or "persisent" cookies are stored even after the browser window has been shut. This type of cookie may store information on a user's login status, which is stored even if the User doesn't visit the website until days later. Such a cookie may also contain information on the User's interests, which is used to measure coverage rates or for marketing purposes. "Third-party cookies" are cookies that are placed by other parties than the Controller, who operates the Online Offer (when referring only to the Controller's cookies, the term used is "First-party cookies").
We may use temporary or permanent cookies and provide information on these in this Data Protection Policy.
Should a User not wish to store cookies on their computer, please deactivate the respective option in your Browser's system settings. You can delete cookies in your browser's settings section. However, excluding cookies may impair the Online Offer's functionality.
A general objection to the kind of cookies used for online marketing can be raised for a number of services, in particular related to Tracking, via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/ Moreover, you can prevent cookies from being stored by deactivating the respective setting in your browser's settings. However, please note that you may not be able to use some of the functionalities of the Online Offer.
Deletion of Data
The Data we process is deleted or its use restricted in accordance with Articles 17 and 18 GDPR. Unless otherwise expressly stated in the Data Protection Policy, the Data we store is deleted as soon as we no longer need it for its intended purpose and if no statutory storage obligations apply. If Data is not deleted because it is required for other, legally permissible purposes, processing is restricted. I.e., this Data is blocked and not processed for any other purpose. This applies, for instance, to Data that must be retained for commercial or tax reasons.
According to German legislation, a retention period of 10 years in accordance with Article 147 para. 1 AO (German tax code) and Article 257 para. 1 Nos. 1 and 4, and para 4, HGB (German commercial code; books, records, management reports, tax-related documents etc.); and a retention period of 6 years in accordance with Article 257 para. 1 Nos. 2 and 3, and para 4, HGB (trade letters).
In addition, we process:
- Contract data (e.g., subject matter and term of contract, customer category)
- Payment data (e.g., bank details, payment history)
of our customers, interested parties and business partners in order to deliver our contractual services and for the purposes of customer service, customer care, marketing, advertising and market research.
We process Data provided by our contract partners, interested parties and other principals, customers, clients or contractual partners (all referred to as "Contract Partners") in accordance with Article 6 para. 1 lit. b GDPR, in order to perform our contractual or pre-contractual services. The Data we process, and the type, scope, purpose and necessity of their processing are determined by the underlying contractual arrangement.
The Data we process include our Contract Partner's master date (e.g., names and addresses), contact information (e.g., e-mail addresses and telephone numbers) and contractual data (e.g., services already obtained, contents of contract, contractual communication, contact person names) and payment information (e.g., bank details and payment history).
We generally do not process any special categories of Data unless these are part of commissioned or contractual processing.
We process the Data required as a basis and for the fulfilment of contractual obligations, and point out the necessity of their disclosure to us, if this is not evident to the Contract Partner anyway. Data is only disclosed to external individuals or companies if this is required by a contract. When processing Data provided to us within the scope of a contract we act in accordance with our client's instructions and legal requirements.
We may store a User's IP address and the time of their activity when our online services are used. The legal basis for this storage is our own and the User's legitimate interest in the protection of their Data from abuse or unauthorised use. Data is generally not passed on to third parties, unless this is required to pursue our claims in accordance with Article 6 para. 1 lit. f GDPR or we are under a legal obligation to do so in accordance with Article 6 para. 1 lit. c GDPR.
The Data is only deleted if it is no longer required for the fulfilment of contractual or statutory duties of care, or to comply with warranty or comparable obligations. The necessity of storing Data is reviewed every three years. In all other aspects, statutory storage regulations apply.
External payment services
We use external payment services, via whose platforms we and the Users process payment transactions.
Within the scope of the fulfilment of contracts, we employ payment service providers on the basis of Art. 6 para. 1 lit. b GDPR. Additionally, we use external payment service providers based on our own legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR to offer our Users safe and effective payment methods.
Data processed by payment service providers include inventory data, such as names and addresses; bank details, such as account or credit card numbers, passwords, TANs and checksums; and data related to the contract, amounts and recipients. This information is required to perform the transaction. Data that is entered is only processed and stored through the payment service provider. This means that we do not receive any information relating to bank accounts or credit cards, but are only notified of the success or failure of a payment. Data may be submitted to credit agencies by the payment service provider, as the case may be, for the purpose of an identity and credit check. Please refer to our General Terms and Conditions and the payment service provider's data protection statement for more information.
The terms & conditions and the data protection statements of the respective payment service providers apply to the payment transactions themselves, which can be accessed via the respective websites or transaction applications. Please also refer to these for more information or to assert your right of revocation, your right to information or other rights of Data Subjects.
Administration, financial accounting, office organisation, management of contacts
We process Data in the course of managing and organising our business, of financial accounting, and in compliance with legal obligations such as archiving. In doing so, we process the same Data as we process when performing our contractual services. The legal basis for this is Article 6 para. 1 lit. c GDPR, Article 6 para. 1 lit. f GDPR. Data from customers, interested parties, business partners and visitors to our website may be processed. Our interest in and the purpose of the processing of this Data is our administration, financial accounting, office organisation and archiving of Data. These tasks are required to maintain or business activities, fulfil our tasks, and provide our services. The deletion of Data regarding contractual services and communication is described in the sections dealing with these types of data processing.
We disclose or transmit Data to the financial authorities, consultants such as tax accountants or auditors, or other billing centres and payment service providers.
Additionally, we store information relating to suppliers, event organisers and other business partners on our own legitimate interest, e.g. for the purpose of future contact. This Data primarily relates to companies and we generally save it permanently.
Business analyses and market research
In order to operate our business economically, to determine market trends and our contract partners' and User's business needs, we analyse the Data available to us on business processes, contracts, inquiries, etc. This involves processing inventory data, communication data, contract data, payment data, usage data, and meta data on the basis of Art. 6 para. 1 lit. f. GDPR, whereby Data Subjects include contractual partners, interested parties, customers, visitors and users of our online offer.
These analyses are carried out for the purpose of business analyses, marketing and market research. We may use User profiles of registered Users containing information e.g. on the services they have used for this. The analyses serve to improve user friendliness and optimise our offer and our business efficiency. They are used solely for our own purposes and are not disclosed externally, unless the analyses are anonymous and contain only aggregated values.
Should an analysis or profile relate to a specific individual, it will be deleted or made anonymous upon termination of the User, otherwise two years after conclusion of the contract. For the rest, macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.
Data protection in the recruitment process
We only process applicants' Data within the scope and purpose of the application procedure in accordance with statutory requirements. We process applicant Data to fulfil our (pre)contractual obligations in the context of the application procedure within the meaning of Article 6 para. 1 lit. b GDPR and Article 6 para. 1 lit. f GDPR if such processing of Data is required e.g. as part of a legal procedure (in Germany, Article 26 BDSG (Federal Data Protection Act) applies additionally).
The application procedure requires applicants to provide us with their Data. Should we provide an online form for the application, the required applicant Data is highlighted, otherwise it is evident from the job description. Generally, the required information includes personal details, postal address and contact information, and the documents required for the application such as the cover letter, CV and letters of reference. Applicants may also voluntarily disclose additional information.
By submitting their application to us, applicants agree to the processing of their Data for the purpose of the application process according to the scope and nature described in this Data Protection Policy.
Insofar as special categories of Personal Data within the meaning of Article 9 para. 1 GDPR are made available to us voluntarily in the course of the application procedure, they are processed in accordance with Article 9 para. 2 lit. b GDPR (e.g. health data such as disability or ethnic origin). Insofar as special categories of Personal Data within the meaning of Article 9 para. 1 GDPR are requested from applicants in the course of the application procedure, Article 9 para. 2 lit. a GDPR applies additionally (e.g. health data, if these are required for the exercise of the profession).
If provided, applicants may use an online form on our website to submit their application. The Data is encrypted according to the current state of the art and transmitted to us.
Applicants may also submit their application by e-mail. However, we kindly request that applicants note that e-mails are generally not encrypted before sending and applicants must ensure encryption themselves. We cannot accept any liability for the transmission path of the application between the sender and our own servers and recommend using our online form or sending by post, as we continue to accept applications submitted to us by post in addition to those submitted via the online form or by e-mail.
In the event that an application is successful, we may process the applicant Data for the purposes of the employment relationship. In the event that an application relating to a vacancy offer is unsuccessful, the applicant Data is deleted. Applicant Data is also deleted when an applications is withdrawn; applicants have the right to withdraw their application at any time.
Subject to a legitimate revocation by the applicant, applicant Data is deleted after period of six months so that we remain in a position to respond to potential follow-up questions on the application and can comply with our accountability obligations under the Equal Treatment Act. Any invoices for travel expenses incurred are archived in accordance with tax law.
Users may set up a User account. Users are informed of the mandatory information required for the purpose setting up their user account in accordance with Art. 6 para. 1 lit. b GDPR in the course of the registration process. Processed Data includes, but is not limited to, login information (name, password and an e-mail address). The Data entered in the course of registration is used for the purpose of using the User account for its intended purpose.
Users may be informed of matters relating to their user account, such as technical changes, by e-mail. When a User account has been cancelled, the User Data concerning the account is deleted, subject to the statutory retention period. It is the User's obligation to save their Data before account termination. We have the right to irretrievably delete any and all Data stored by the user during the contract term.
In the course of using our registration and login function and the user account, we store the IP address and the time of the activity for the respective user activity. The legal basis for this storage is our own and the User's legitimate interest in the protection of their Data from abuse or unauthorised use. Data is generally not passed on to third parties, unless this is required to pursue our claims or we are under a legal obligation to do so in accordance with Article 6 para. 1 lit. c GDPR. IP addresses are deleted or made anonymous after 7 days at the latest.
When contacting us (e.g. via the contact form, e-mail, telephone or social media), User information is processed for the purpose of processing the contact and User inquiry in accordance with Article 6 para. 1 lit. b GDPR (within the context of (pre)contractual relationships) or Article 6 para. 1 lit. f (other inquiries). User information may be saved in a customer relationship management system ("CRM system") or comparable system for the management of inquiries.
We delete such inquiries if it is no longer necessary to store them. We verify the necessity biannually. Furthermore, statutory archiving obligations apply.
The following section informs you about the contents of our newsletters, the processes of registration, delivery and statistical evaluation, and your revocation rights. By subscribing to our newsletter, you agree to receiving it and to the above-mentioned procedures.
Newsletter contents: We only send newsletters, e-mails or other electronic notifications that contain marketing information (hereinafter, "Newsletter") with the recipient's consent or if permitted by law. If the content of a Newsletter is specifically described during the subscription process, it forms an essential part of the User's consent. Beyond that, our Newsletters contain information on our services and ourselves.
Double opt-in and logging: Subscription to our Newsletters requires what is called a Double Opt-In Process. This means that you will receive an e-mail upon registration requesting you to confirm your subscription. This confirmation is required to ensure that no-one can subscribe to a Newsletter using someone else's e-mail address. Subscriptions to the Newsletter are logged in order to comply with the legal documentation requirements for the registration process. These include storing the time of subscription and confirmation and the IP address. Any changes to your Data stored with the processor commissioned with the delivery are also logged.
Subscription data: Only your e-mail address is required to subscribe to the Newsletter. Optionally, we may ask you to state your name so we can address the Newsletter to you personally.
The delivery of the Newsletter and success measurement are based on the recipient's consent in accordance with Article 6 para. 1 lit.a GDPR in connection with Article 7 para.2 No. 3 UWG (Act against Unfair Competition), or, if no statement of consent is required, on the basis of our own legitimate interest in direct marketing in accordance with Article 6 para. 1 lit. f DGPR in connection with Article 7 para. 3 UWG.
Logging of the registration procedure is based on our own legitimate interest in accordance with Article 6 para. 1 lit. f GDPR. Our own interest aims at ensuring we deploy a user-friendly and secure Newsletter system that serves our business interests, meets our User's expectations, and allows us to document their consent.
Cancellation/revocation - You can cancel your subscription to our Newsletter at any time, i.e., revoke your consent. You will find a link for unsubscribing from the Newsletter in the footer of each Newsletter. We may store unsubscribed e-mail addresses for a period of three years before deleting them based on our own legitimate interest to document that consent was previously given. Processing of this Data is limited to the purpose of defending ourselves against possible claims. An individual request for deletion is always possible so long as it contains a confirmation of previously given consent.
Hosting and e-mail delivery
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, e-mail delivery, security services and technical maintenance services that we use for the purpose of operating this online offer.
To this end, we or our hosting service providers process inventory data, contact data, content data, contractual data, usage data, meta and communication data from customers, interested parties and visitors of our Online Offer based on our own legitimate interest in providing our Online Offer in an efficient and secure manner in accordance with Article 6 para. 1 lit. f GDPR in connection with Article 28 GDPR (contract conclusion with processor).
Collection of access data and logfiles
We or our hosting service provider collect data on each access to the server that hosts our services (called logfiles) in our own legitimate interest in accordance with Article 6 para. 1 lit. f GDPR. The access information collected includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful access, browser type and version, the User's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Logfile information is stored for security reasons (e.g. to investigate acts of abuse or fraud) for a maximum of 7 days and deleted afterwards. Data that requires additional processing to serve as evidence is exempted from deletion until the investigation of an event is closed.
Google Tag Manager
Google Tag Manager is a solution that helps us manage website tags via an interface (which enables integrating Google Analytics and other Google marketing services into our Online Offer). The Tag Manager itself (which implements the tags) does not process any Personal Data of Users. Regarding the processing of Users' Personal Data, we refer to the following Google policies regarding their services. Use policy: https://www.google.com/intl/de/tagmanager/use-policy.html.
Google is certified under the Privacy Shield Agreement, by which it warrants to adhere to European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our Online Offer through Users, to generate reports on the activities within the Online Offer and provide additional services to us in connection with the use of the Online Offer and related services. The processed Data can be used to generate user profiles of Users under a pseudonym.
We only use Google Analytics with anonymised IP addresses. This means that Users IP addresses are abbreviated by Google within the EU member states and the member states of the European Economic Area treaty. Full IP addresses are only transferred to Google servers in the United States and abbreviated there in exceptional cases.
For more information on the use of data by Google, settings, and objection rights, please refer to Google's data protection policy (https://policies.google.com/technologies/ads) and Google's ad settings for ads showing on your screen(https://adssettings.google.com/authenticated).
Users' Personal Data is deleted or made anonymous after 14 months.
Target audience specification with Google Analytics
We use Google Analytics to only display the ads placed by Google and its partners within Google's advertising services to Users who have shown an interest in our Online Offer or who have certain characteristics (e.g. interests in certain topics or products, determined according to the web pages a User visits) that we transmit to Google (what is referred to as "remarketing" or "Google Analytics Audiences"). By addressing such Remarketing Audiences we wish to ensure that our advertisements align with a User's potential interests.
Google AdWords and measurement of conversions
We employ Google the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") based on our own legitimate interest (i.e., our interest in the analysis, optimisation and efficient operation of our Online Offer in accordance with Article 6 para. 1 lit. f GDPR).
Google is certified under the Privacy Shield Agreement, by which it warrants to adhere to European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use Google's "AdWords" online marketing process to place ads in Google's advertising network (e.g. in search results, videos, on web pages etc.), to ensure that these are shown to users who have a presumed interest in the ads. This enables us to place advertisements for and within our Online Services in a more targeted manner, presenting Users only with such advertisements that they may be interested in. If, for instance, a User sees advertisements for products he has expressed an interest in when using other online offers, this is called "remarketing". For this purpose, Google executes a piece of Google code when our or other websites that are active in the Google advertising network; the code places and integrates "(Re)marketing tags" (invisible images or pieces of code, also referred to as "web beacons") on the website. These store an individual cookie, i.e., a small file, on the User's device (similar technologies may also be used instead of cookies). This small file keeps track of the websites a User has visited, which items of contents the User was interested in and which offers the user clicked on, plus technical information relating to the browser and operating system, referrer websites, time spent on a website and other information regarding the use of the Online Offer.
Additionally, we also receive an individual "conversion cookie". The information collected with the help of this cookies enables Google to put together conversion statistics on our behalf. We are only informed anonymously of the total numbers of Users who clicked on our ads and were referred to our page that contains a conversion tracking tag. We do not receive any information that would allow us to personally identify any User.
Within the Google advertising network, User Data is processed under a pseudonym. I.e., Google does not store or process the User's e-mail address, but only processes relevant Data for each cookie by means of pseudonymised User profiles. In other words, from Google's perspective, ads are not managed and displayed to a specific, identified indvidual, but to the owner of the cookie, irrespective of who that person is. This does not apply if a User has expressly given Google his or her consent to process the Data without pseudonymisation. The information on Users that is collected this wawy is transferred to Google and saved on Google's servers in the US.
For more information on the use of data by Google, settings, and objection rights, please refer to Google's data protection policy (https://policies.google.com/technologies/ads) and Google's ad settings for ads showing on your screen (https://adssettings.google.com/authenticated).
Online presence in social media
We maintain online presences on social networks and platforms to communicate with customers, interested parties and users who are active there and to inform them about our services.
Please note that User Data may be processed outside the European Union in this context. This may lead to risks for the Users, for instance because it may make it harder for Users to assert their rights. US providers who are certified under the Privacy Shield agreement have committed to complying with EU data protection standards through their certification.
Moreover, User Data is normally processed for the purposes of market research and advertising. For instance, usage profiles can be established based on user behaviour and the interests that can be derived from that. These user profiles can then be used to place advertisements within and outside of platforms that users are presumably interested in. To this end, cookies are normally placed on the User's PC that track the User's behaviour and interests. Additionally, usage profiles may also track information that is independent of the device the User has used (in particular if Users have accounts with the respective platform and are logged in).
The User's Personal Data is processed based on our legitimate interest in efficient User information and communication in accordance with Article 6 para. 1 lit f. GDPR. Should Users be asked for their consent to the processing of Data (i.e., giving consent by ticking a check box or clicking a confirmation button), this is he legal basis for processing the Data in accordance with Article 6 para. 1 lit. a and Article 7 GDPR.
For a detailed description of the data processing and the revocation options ("opt out"), please refer to the service providers' information under the links hereunder.
Please also note the most effective way of making inquiries or exercising User rights is contacting the service providers directly. Only the service providers have access to the User Data and can take action or provide information accordingly. Of course, should you need help, you may contact us any time.
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Data Protection Policy: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads und http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
- Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Data Protection Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Data Protection Policy / Opt-Out: http://instagram.com/about/legal/privacy/.
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - Data Protection Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
- Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – Data Protection Policy / Opt-Out: https://about.pinterest.com/de/privacy-policy.
Integration of third-party services and content
Based on our own legitimate interest (i.e., in the analysis, optimisation and efficient operation of our Online Offer in accordance with Article 6 para. 1 lit f. GDPR), we use contents and services offered by third parties and integrate these contents and services into our offer, e.g. videos or fonts (hereinafter jointly referred to as "Content").
This requires that the third-party Content providers record the User's IP address, as they cannot transfer the Content to the browser without the IP address. The only purpose the IP address is needed for is consequently to display these items of Content. We endeavour only to use such items of Content for which the provider requires the IP address for the sole purpose of delivering the respective Content. Third-party providers may also use pixel tags (invisible images, also referred to as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as traffic on the pages of a website. This pseudonymised information may also be recorded in a cookie on the User's device and contain, amongst other information, technical information on the browser and operating system, referrer websites, time spent on the website, and other information on our Online Offer, or may connect such information to information from other sources.
We have integrated videos from the "YouTube" platform operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data Protection Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
We have integrated maps from the "Google Maps" platform operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data processed may include Users' IP addresses and location information, subject to their consent (as a rule, given when setting their mobile devices). This data may be processed in the US. Data Protection Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Adobe Typekit fonts
Based on our own legitimate interest (i.e., our interest in the analysis, optimisation and efficient operation of our Online Offer in accordance with Article 6 para. 1 lit. f GDPR), we use external "Typekit" fonts provided by Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland. Adobe is certified under the Privacy Shield Agreement, by which it warrants to adhere to European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000TNo9AAG&status=Active).
Use of Facebook social plug-ins
Based on our own legitimate interest (i.e., our interest in the analysis, optimisation and efficient operation of our Online Offer in accordance with Article 6 para. 1 lit. f GDPR), we use social plug-ins ("Plug-ins") provided by the social network facebook.com operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook").
This may include Content such as images, videos, texts or buttons through which users can share the content of this Online Offer within the Facebook community. A list of Facebook social Plug-ins and their appearance is available here: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the Privacy Shield Agreement, by which it warrants to adhere to European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a User calls up a function of this Online Offer containing such a Plug-in, the User's device establishes a direct connection with Facebook's servers. The Content of the Plug-in is transferred directly between Facebook and the User's device and it is integrated into the Online Offer. Usage profiles can be derived from the processed Data. We have no influence on the scope of Data that Facebook collects through such Plug-ins and can only inform Users to the best of our knowledge.
Through the integration of these Plug-ins, Facebook is informed that the User has called up the relevant page of the Online Offer. If the User is logged in to Facebook, Facebook can link the User's access to the Online Offer to the User's Facebook account. When Users interact with Plug-ins, e.g. by clicking the "Like"-button or posting a comment, this information is transmitted directly from their device to Facebook and stored there. If a User does not have a Facebook account, Facebook may still obtain and store the User's IP address. According to Facebook, only an anonymised IP address is saved for German users.
Information on the purpose and scope of data collection, the use and processing of Data through Facebook, and the related rights and settings to protect your privacy are contained in Facebook's Data Protection Policy: https://www.facebook.com/about/privacy/.
If a User has a Facebook account and does not want Facebook to collect and link information about the User with his or her Facebook account via this Online Offer, the User must log out from Facebook and delete all their cookies before using our Online Offer. You can adjust your settings and object to the Use of Data for advertising purposes in the Facebook account settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Settings apply across platforms, i.e., they apply to all kinds of devices, such as desktop computers or mobile devices.
We may integrate contents or functionalities of the Twitter service provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. This may include contents such as images, videos, texts or buttons through which users can share Content of the Online Offer within the Twitter community.
If the User has a Twitter account, Twitter can link the User's access to the above-mentioned Content and functionalities to the User's Twitter account. Twitter is certified under the Privacy Shield Agreement, by which it warrants to adhere to European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Data Protection Policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.