PRIVACY POLICY
Introduction and Overview
We have drafted this privacy policy (version 21.07.2022-112064270) to inform you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, about which personal data (short: data) we, as the responsible party – and the processors commissioned by us (e.g., providers) – process, will process in the future, and the lawful options available to you. The terms used are to be understood as gender-neutral.
In short: We provide you with comprehensive information about the data we process about you.
Privacy policies often sound very technical and use legal terminology. This privacy policy, however, is intended to describe the most important aspects as simply and transparently as possible. Where helpful for clarity, technical terms are explained in a reader-friendly manner, links to further information are provided, and graphics may be used. We want to inform you in clear and simple language that we process personal data only when a corresponding legal basis exists within the scope of our business activities. This is certainly not possible if one provides vague, unclear, and overly technical legal explanations, as is often the standard on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps there is even some new information for you.
If you still have questions, we kindly ask you to contact the responsible party mentioned below or in the imprint, follow the provided links, and review further information on third-party websites. Of course, you can also find our contact details in the imprint.
Wenn trotzdem Fragen bleiben, möchten wir Sie bitten, sich an die unten bzw. im Impressum genannte verantwortliche Stelle zu wenden, den vorhandenen Links zu folgen und sich weitere Informationen auf Drittseiten anzusehen. Unsere Kontaktdaten finden Sie selbstverständlich auch im Impressum.
Scope of Application
This privacy policy applies to all personal data processed by our company and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information as defined in Art. 4 No. 1 of the GDPR, such as a person’s name, email address, and postal address. The processing of personal data enables us to offer and bill for our services and products, whether online or offline.
The scope of this privacy policy includes:
All online presences (websites, online shops) operated by us
Social media presences and email communication
Mobile apps for smartphones and other devices
In short: This privacy policy applies to all areas where personal data is processed within our company via the mentioned channels. If we enter into legal relationships with you outside these channels, we will inform you separately if necessary.
Legal Basis
In the following privacy policy, we provide transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, that allow us to process personal data.
For EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can access this General Data Protection Regulation of the EU online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.
We process your data only if at least one of the following conditions applies:
Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you entered in a contact form.
Contract (Article 6(1)(b) GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we conclude a purchase contract with you, we need personal information in advance.
Legal Obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For instance, we are legally required to keep invoices for accounting purposes, which typically contain personal data.
Legitimate Interests (Article 6(1)(f) GDPR): In cases of legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For example, we must process certain data to operate our website securely and economically. This processing is therefore a legitimate interest.
Other legal bases, such as processing data in the public interest or exercising official authority, as well as protecting vital interests, generally do not apply to us. If such a legal basis becomes relevant, it will be indicated at the appropriate point.
In addition to the EU regulation, national laws also apply:
In Austria, this is the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act, DSG).
In Germany, the Federal Data Protection Act (BDSG) applies.
If additional regional or national laws apply, we will inform you in the following sections.
Contact Details of the Responsible Party
If you have any questions about data protection or the processing of personal data, you will find the contact details of the responsible person or entity below:
Matoga OG
Margeritengasse 1/9, 2700 Wiener Neustadt, Austria
Email: kontakt@matoga.at
Imprint: https://www.matoga.at/impressum/
Retention Period
As a general principle, we store personal data only for as long as it is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally required to retain certain data even after the original purpose has ceased, for example, for accounting purposes.
If you wish to have your data deleted or revoke your consent to data processing, the data will be deleted as quickly as possible, provided there is no legal obligation to retain it.
If we have additional information regarding the specific duration of individual data processing activities, we will inform you further below.
Rights under the General Data Protection Regulation (GDPR)
In accordance with Articles 13 and 14 of the GDPR, we inform you about the following rights you have to ensure fair and transparent data processing:
Right of access (Article 15 GDPR): You have the right to know whether we process your data. If this is the case, you are entitled to receive a copy of the data and to obtain the following information:
-
The purpose of the data processing;
-
The categories (types) of data being processed;
-
The recipients of the data and, if the data is transferred to third countries, how security is ensured;
-
The duration for which the data is stored;
-
The existence of the right to rectification, deletion, restriction of processing, and the right to object to processing;
-
The right to lodge a complaint with a supervisory authority (links to these authorities can be found below);
-
The source of the data if it was not collected from you;
-
Whether profiling is performed, meaning whether data is automatically analyzed to create a personal profile about you.
-
Right to rectification (Article 16 GDPR): If you find errors in your data, you have the right to request correction.
-
Right to erasure ("right to be forgotten," Article 17 GDPR): You may request the deletion of your data.
-
Right to restriction of processing (Article 18 GDPR): You can request that your data be stored but no longer used.
-
Right to data portability (Article 20 GDPR): You have the right to receive your data in a commonly used format upon request.
-
Right to object (Article 21 GDPR): If the processing of your data is based on Article 6(1)(e) (public interest, exercise of public authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will then review as soon as possible whether we can legally comply with your objection.
-
If your data is used for direct marketing, you can object at any time. We will then no longer use your data for marketing purposes.
If your data is used for profiling, you can object at any time. We will then no longer process your data for this purpose.
Right not to be subject to automated decision-making (Article 22 GDPR): You may have the right not to be subject to a decision based solely on automated processing (e.g., profiling).
Right to lodge a complaint (Article 77 GDPR): If you believe that the processing of your personal data violates the GDPR, you can file a complaint with a supervisory authority at any time.
In summary:
You have rights—don’t hesitate to contact the responsible entity listed above!
If you believe that the processing of your data violates data protection regulations or that your data protection rights have been infringed in any other way, you can file a complaint with the relevant supervisory authority.
For Austria, this is the Austrian Data Protection Authority, whose website you can find at https://www.dsb.gv.at/.
In Germany, each federal state has its own data protection officer. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI).
The responsible local data protection authority for our company is:
Austrian Data Protection Authority
Leiterin: Mag. Dr. Andrea Jelinek
Adresse: Barichgasse 40-42, 1030 Wien
Telefonnr.: +43 1 52 152-0
E-Mail-Adresse: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
Security of Data Processing
To protect personal data, we have implemented both technical and organizational measures. Whenever possible, we encrypt or pseudonymize personal data to make it as difficult as possible for third parties to link our data to personal information.
Article 25 of the GDPR refers to “data protection by design and by default,” meaning that security considerations should be integrated into both software (e.g., forms) and hardware (e.g., access to server rooms). Below, we provide further details on specific measures where necessary.
TLS Encryption with HTTPS
TLS, encryption, and HTTPS may sound technical—and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to securely transmit data over the internet.
This ensures that all data transmission between your browser and our web server is encrypted and cannot be intercepted by third parties.
With this additional security layer, we comply with data protection by design (Article 25(1) GDPR). The use of TLS (Transport Layer Security), an encryption protocol for secure data transmission over the internet, ensures the protection of confidential data.
You can recognize this secure data transmission by the small padlock icon in the upper left corner of your browser, next to the website address (e.g., examplepage.com), and the use of https instead of http in the web address.
For more information about encryption, we recommend searching for “Hypertext Transfer Protocol Secure wiki” on Google to find useful resources.
Communication
Communication Summary
👥 Affected Individuals: Anyone who communicates with us via phone, email, or online forms
📓 Processed Data: e.g., phone number, name, email address, form input data. More details are provided under each communication method
🤝 Purpose: Handling communication with customers, business partners, etc.
📅 Retention Period: Duration of the business transaction and in accordance with legal requirements
⚖️ Legal Bases: Article 6(1)(a) GDPR (consent), Article 6(1)(b) GDPR (contract), Article 6(1)(f) GDPR (legitimate interests)
Communication Details
If you contact us via phone, email, or an online form, personal data may be processed.
These data are used for handling and processing your inquiry and the associated business transaction. The data will be stored for as long as necessary to complete the transaction or as required by law.
Affected Individuals
All individuals who contact us through our provided communication channels are affected by this processing.
Phone
When you call us, call data is pseudonymized and stored on the respective device and by the telecommunications provider. Additionally, information such as your name and phone number may be forwarded via email and stored for responding to inquiries. The data will be deleted as soon as the business case is concluded and legal requirements allow.
Email
If you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and on our email server. The data will be deleted once the business case is concluded and legal requirements allow.
Online Forms
When you communicate with us via an online form, data is stored on our web server and may be forwarded to one of our email addresses. The data will be deleted once the business case is concluded and legal requirements allow.
Legal Bases
The processing of data is based on the following legal grounds:
Article 6(1)(a) GDPR (Consent): You grant us permission to store and use your data for purposes related to the business case.
Article 6(1)(b) GDPR (Contract): The processing is necessary for fulfilling a contract with you or a service provider (e.g., a telecommunications provider) or for pre-contractual activities such as preparing an offer.
Article 6(1)(f) GDPR (Legitimate Interests): We aim to manage customer inquiries and business communication professionally. Certain technical infrastructures, such as email programs, Exchange servers, and mobile network providers, are required to facilitate efficient communication.
Data Processing Agreement (DPA)
In this section, we explain what a Data Processing Agreement (DPA) is and why it is necessary. Since “Data Processing Agreement” is quite a mouthful, we will often use the abbreviation DPA in this text. Like most companies, we do not work alone but also use services from other companies or individuals.
By involving various companies or service providers, we may need to share personal data for processing. These partners act as data processors, with whom we establish a Data Processing Agreement (DPA). The most important thing for you to know is that the processing of your personal data is carried out exclusively under our instructions and must be regulated by the DPA.
Who Are Data Processors?
As a company and website owner, we are responsible for all data that we process from you. In addition to data controllers, there are also data processors. A data processor is any company or individual that processes personal data on our behalf.
According to the GDPR definition, any natural or legal person, authority, agency, or other body that processes personal data on our behalf is considered a data processor. Examples of data processors include service providers such as hosting companies, cloud providers, payment processors, newsletter providers, or large companies like Google or Microsoft.
To clarify the roles in GDPR, here is an overview:
Data Subject (you as a customer or user) → Data Controller (we as the company) → Data Processor (service providers like web hosting or cloud providers
Content of a Data Processing Agreement
As mentioned earlier, we have established a DPA with our partners who act as data processors. The agreement primarily ensures that the data processor processes the data strictly in accordance with the GDPR.
The agreement must be concluded in writing, but electronic agreements are also considered legally binding under GDPR. Only after the contract is in place can personal data be processed.
The DPA must include the following:
Obligation to follow our instructions as the data controller
Duties and rights of the data controller
Categories of affected individuals
Types of personal data processed
Nature and purpose of data processing
Scope and duration of data processing
Location of data processing
Additionally, the contract outlines the obligations of the data processor. The key responsibilities include:
Ensuring data security measures
Implementing necessary technical and organizational measures to protect data subject rights
Maintaining a data processing record
Cooperating with the data protection authority upon request
Conducting a risk analysis of the received personal data
Sub-processors may only be engaged with written consent from the data controller
For an example of what a DPA looks like, you can refer to a sample contract provided at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html.
Cookies
Cookies Summary
👥 Affected parties: Visitors of the website
🤝 Purpose: Varies depending on the specific cookie. More details can be found below or from the software provider that sets the cookie.
📓 Processed data: Depends on the specific cookie. More details can be found below or from the software provider that sets the cookie.
📅 Storage duration: Varies by cookie, ranging from hours to years.
⚖️ Legal basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)
What Are Cookies?
Our website uses HTTP cookies to store user-specific data.
Whenever you browse the internet, you use a web browser. Common browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser—these files are called cookies.
Cookies are incredibly useful tools, and nearly all websites use them. Specifically, we are referring to HTTP cookies, which are the most common type used for web browsing. These small files are stored on your computer in your browser’s cookie folder. A cookie consists of a name and a value, and additional attributes define its behavior.
Cookies store user-related data, such as language preferences or website settings. When you revisit our website, your browser sends these stored data back to us. This allows the website to recognize you and apply your previous settings automatically.
Some browsers store each cookie in a separate file, while others (such as Firefox) store all cookies in a single file.
There are first-party cookies and third-party cookies:
First-party cookies: Created directly by our website.
Third-party cookies: Created by partner services (e.g., Google Analytics).
Each cookie stores different data and has varying expiration periods, from a few minutes to several years. Cookies are not software programs and do not contain viruses, Trojans, or other malware. They also cannot access information on your PC.
Example of Cookie Data
Name Value Purpose Expiration
_ga GA1.2.1326744211.152112064270-9 Differentiates website visitors 2 years
Most browsers support at least:
4096 bytes per cookie
50 cookies per domain
3000 cookies total
What types of cookies are there?
In the next sections of our Privacy Policy, we will specify which cookies we use and for what purposes. Below, we provide an overview of the different types of HTTP cookies.
Types of Cookies
There are four main types of cookies:
1. Essential Cookies
These cookies are necessary to ensure basic website functions. For example, when a user adds a product to the shopping cart, continues browsing, and later returns to checkout, these cookies prevent the cart from being emptied—even if the user closes their browser window.
2. Functional Cookies
These cookies collect information about user behavior and detect potential error messages. Additionally, they help measure website performance, including load times and browser compatibility.
3. Preference Cookies
These cookies improve user experience by storing preferences, such as locations, font sizes, or form data.
4. Advertising Cookies
Also known as targeting cookies, these are used to deliver personalized ads. While they can be useful, they may also feel intrusive.
User Consent for Cookies
When you visit a website for the first time, you are usually asked which types of cookies you want to allow. Your preferences are then stored in a cookie.
If you're interested in a technical deep dive on cookies, you can read the IETF’s RFC 6265, which details the HTTP State Management Mechanism.
Purpose of Cookie Data Processing
The specific purpose of each cookie depends on its function. More details can be found below or from the software provider that sets the cookie.
What Data is Processed?
Cookies can store a variety of data, depending on their function. Below is a summary of cookies used on our website
Cookie Names
Necessary AWSALB, AWSALBCORS, hs, platform_app_#-#-#-#-#_#-#-#-#-#, ssr-caching, TS#, XSRF-TOKEN
Statistics fedops.logger.defaultOverrides, fedops.logger.sessionId
Marketing svSession
Cookie Storage Duration
Short-lived cookies: Deleted within hours.
Long-lived cookies: Can remain stored on a computer for years.
User control: You can manually delete cookies in your browser settings (see "Right to Object" below).
Consent-based cookies: If you withdraw your consent, these cookies will be deleted immediately. However, processing before withdrawal remains lawful.
Right to Object – How to Delete Cookies
You have full control over how cookies are used. Regardless of which website or service they originate from, you can:
Delete cookies
Disable cookies
Allow only selected cookies (e.g., block third-party cookies while allowing others)
Managing Cookies in Different Browsers
You can check which cookies are stored in your browser and adjust your settings accordingly. Below are the links for managing cookies in major browsers:
Google Chrome: Manage cookies in Chrome
Safari: Manage cookies in Safari
Mozilla Firefox: Clear cookies in Firefox
Internet Explorer: Delete and manage cookies
Microsoft Edge: Manage cookies in Edge
Disabling Cookies Completely
If you don’t want any cookies, you can configure your browser to notify you before a cookie is set. This way, you can decide case by case whether to allow each cookie. Since the process varies by browser, it's best to search for specific instructions online using phrases like:
“Disable cookies in Chrome”
“Delete cookies in Firefox”
Legal Basis
Since 2009, the so-called "Cookie Directive" has required user consent (Article 6(1)(a) GDPR) for cookie storage. However, different EU countries have implemented this directive in various ways:
Austria: Implemented via § 96(3) Telecommunications Act (TKG).
Germany: No direct national law, but the directive is mostly covered under § 15(3) of the Telemedia Act (TMG).
For strictly necessary cookies, consent is not required because of legitimate interests (Article 6(1)(f) GDPR), often of an economic nature—e.g., ensuring a smooth website experience.
For non-essential cookies, processing occurs only with user consent under Article 6(1)(a) GDPR.
The next sections provide more details on specific cookies and software that use them.
Web Hosting – Introduction
Web Hosting Summary
👥 Affected Users: Website visitors
🤝 Purpose: Professional website hosting and operational security
📓 Processed Data: IP address, visit time, browser type, and more (details below)
📅 Storage Duration: Typically 2 weeks, depending on the hosting provider
⚖️ Legal Basis: Article 6(1)(f) GDPR (Legitimate Interests)
What is Web Hosting?
When you visit websites today, certain information—including personal data—is automatically generated and stored, including on this website. These data should be processed as sparingly as possible and only with justification. By “website,” we mean the entirety of all web pages under a domain, from the homepage to the very last subpage (like this one). A “domain” refers to addresses like example.com or samplewebsite.com.
To view a website on a computer, tablet, or smartphone, you use a program called a web browser. You may be familiar with some browsers by name: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. We simply refer to them as browsers or web browsers.
To display the website, your browser must connect to another computer where the website’s code is stored—the web server. Operating a web server is complex and resource-intensive, which is why it is usually managed by professional providers known as hosting providers. These providers offer web hosting, ensuring reliable and error-free storage of website data. That’s a lot of technical terms, but stay with us—it gets even more interesting!
When your browser connects to a web server and transmits data back and forth, personal data may be processed. Your computer stores certain data, and the web server must also temporarily store some data to ensure smooth operation.
Why Do We Process Personal Data?
The purposes of data processing are:
Professional website hosting and operational security
Maintaining operational and IT security
Anonymous analysis of access behavior to improve our services and, if necessary, for law enforcement or legal claims.
What Data is Processed?
Even as you visit our website right now, our web server—the computer where this website is stored—typically automatically saves data such as:
- The full internet address (URL) of the accessed webpage
- Browser and browser version (e.g., Chrome 87)
- The operating system used (e.g., Windows 10)
- The address (URL) of the previously visited page (referrer URL) (e.g., https://www.example-source-site.com/fromhereicame/)
- The hostname and IP address of the device accessing the site (e.g., COMPUTERNAME and 194.23.43.121)
- Date and time of access
These details are stored in files known as web server log files.
How Long Are Data Stored?
The data mentioned above is usually stored for two weeks and then automatically deleted. We do not share this data, but we cannot rule out the possibility that authorities may access it in cases of unlawful behavior.
In short: Your visit is logged by our hosting provider (the company that runs our website on special computers called servers), but we do not share your data without your consent!
Legal Basis
The legal basis for processing personal data in the context of web hosting is Article 6(1)(f) of the GDPR (legitimate interests), as the use of professional hosting by a provider is necessary to securely and user-friendly present our company online and to track and address potential attacks or claims.
There is usually a data processing agreement (DPA) between us and the hosting provider in accordance with Article 28 et seq. GDPR, ensuring compliance with data protection regulations and guaranteeing data security.
World4You Privacy Policy
We use World4You as a web hosting provider for our website. The service provider is World4You Internet Services GmbH, located at Hafenstraße 35, 4020 Linz, Austria.
For more information on the data processed by World4You, please refer to their privacy policy:
https://www.world4you.com/de/unternehmen/datenschutzerklaerung.html.
Website Builder Systems – Introduction
Website Builder Systems Privacy Policy – Summary
👥 Affected parties: Website visitors
🤝 Purpose: Optimization of our service
📓 Processed data: Technical usage data such as browser activity, clickstream activities, session heatmaps, as well as contact details, IP address, or geographical location. More details can be found below in this privacy policy and in the provider’s privacy policy.
📅 Storage duration: Depends on the provider
⚖️ Legal basis: Article 6(1)(f) GDPR (legitimate interests), Article 6(1)(a) GDPR (consent)
What Are Website Builder Systems?
We use a website builder system for our website. Website builders are a special type of Content Management System (CMS) that allows website owners to create a website easily and without programming knowledge. In many cases, web hosting providers also offer website builders.
By using a website builder, personal data may be collected, stored, and processed. In this privacy notice, we provide general information about data processing through website builders. For more details, please refer to the provider’s privacy policy.
Why Do We Use a Website Builder for Our Website?
The biggest advantage of a website builder is its ease of use. We want to provide you with a clear, simple, and user-friendly website that we can manage and maintain ourselves—without external assistance.
Modern website builders offer a variety of helpful features that can be used without programming knowledge. This allows us to design our web presence the way we want and provide you with an informative and enjoyable experience on our website.
What Data Is Stored by a Website Builder?
The specific data stored depends on the website builder used. Each provider collects and processes different data from website visitors. However, in general, the following technical usage information is recorded:
- Operating system
- Browser type and version
- Screen resolution
- Language and keyboard settings
- Hosting provider
- Date of website visit
Additionally, tracking data may be processed, such as:
- Browser activity
- Clickstream behavior
- Session heatmaps
Personal data may also be collected and stored, including:
- Contact details (email address, phone number—if provided)
- IP address
- Geolocation data
For the exact data storage details, please refer to the provider’s privacy policy.
How Long and Where Is Data Stored?
Information about data retention can be found further below, depending on the website builder system we use. You can also find detailed information in the provider’s privacy policy.
In general, we process personal data only as long as necessary to provide our services and products. However, the provider may store your data according to its own policies, over which we have no control.
Right to Object
You always have the right to access, correct, and delete your personal data. If you have any questions, you can contact the responsible parties of the website builder system we use. You can find their contact details in our privacy policy or on the provider’s website.
Cookies used by the provider for their functions can be deleted, disabled, or managed in your browser settings. The method varies depending on the browser you use. However, please note that some website functions may no longer work as expected if you disable cookies.
Legal Basis
We have a legitimate interest in using a website builder system to optimize our online services and present them efficiently and attractively to users. The corresponding legal basis is Article 6(1)(f) GDPR (legitimate interests). However, we only use the website builder system if you have given your consent.
If data processing is not strictly necessary for the operation of the website, data will only be processed based on your consent. This applies in particular to tracking activities, where the legal basis is Article 6(1)(a) GDPR (consent).
This privacy policy provides you with the most important general information about data processing. If you would like more details, please refer to the next section or the provider’s privacy policy.
Email Marketing – Introduction
Email Marketing Summary
👥 Affected parties: Newsletter subscribers
🤝 Purpose: Direct advertising via email, notifications about system-relevant events
📓 Processed data: Data entered during registration, at a minimum, your email address. More details can be found in the privacy policy of the email marketing tool used.
📅 Storage duration: As long as the subscription is active
⚖️ Legal basis: Article 6(1)(a) GDPR (consent), Article 6(1)(f) GDPR (legitimate interests
What Is Email Marketing?
To keep you informed, we use email marketing. If you have agreed to receive our emails or newsletters, your data will be processed and stored accordingly.
Email marketing is a subset of online marketing, where news, updates, or general company, product, or service information is sent via email to a specific group of interested individuals.
How Does Email Marketing Work?
If you want to participate in our email marketing (usually through newsletters), you typically only need to register with your email address. To do this, you fill out an online form and submit it. In some cases, we may ask for your name and salutation so that we can address you personally.
Newsletter registration generally follows the double opt-in process. After signing up on our website, you will receive a confirmation email to verify your subscription. This ensures that the email address belongs to you and that no one else has signed up with your email. We or our email service provider log each registration to document the legally compliant signup process. This includes:
- Time of registration
- Time of confirmation
- Your IP address
- Any changes you make to your stored data
Why Do We Use Email Marketing?
We want to stay in touch with you and keep you updated on our latest company news. That’s why we use email marketing, also known as a newsletter, as a key part of our online marketing strategy.
If you consent (or if legally permitted), we will send you newsletters, system emails, or other notifications via email. When we mention “newsletter” in this text, we mainly refer to regularly sent emails.
We strive to ensure that our newsletters contain only relevant and interesting content—whether about our company, services, or products. If we offer special promotions or updates, you will hear about them first via our newsletter.
If we use a third-party email marketing service provider, it’s to ensure fast and secure newsletter delivery. Our goal is to keep you informed about new offers and to advance our business objectives.
What Data Is Processed?
When you subscribe to our newsletter, you confirm your membership in an email list. Besides your email address and IP address, we may also store:
- Salutation
- Name
- Address
- Phone number
However, this information is only stored with your consent. If you do not provide this data, you may not be able to use certain features of our email marketing service.
Additionally, we may collect information about:
- Your device
- Your preferred website content
More details on automatic data storage can be found in the relevant section of our privacy policy. We document your consent to ensure compliance with legal requirements.
How Long Do We Store Your Data?
If you unsubscribe from our newsletter, we may store your email address for up to three years based on our legitimate interests to prove that you once consented. However, we will only process this data if we need to defend ourselves against potential legal claims.
If you confirm that you previously gave consent, you can request deletion of your data at any time. If you permanently object to receiving emails, we may place your email address on a blocklist to prevent future mailings.
As long as you voluntarily subscribe to our newsletter, we will store your email address accordingly.
Right to Object
You can unsubscribe from our newsletter at any time by revoking your consent. This process typically takes only a few seconds and requires just one or two clicks. You will usually find an unsubscribe link at the bottom of each email.
If you cannot find the link, please contact us via email, and we will immediately remove you from our mailing list.
Legal Basis
The legal basis for sending our newsletter is your explicit consent under Article 6(1)(a) DSGVO. This means we are only allowed to send you a newsletter if you have actively subscribed to it.
However, under § 7(3) UWG, we may also send promotional messages if you have become a customer and have not objected to the use of your email address for direct marketing.
Further details on specific email marketing services and how they process your personal data can be found in the sections below (if applicable).
Messenger & Communication
Messenger & Communication Privacy Policy – Summary
👥 Affected Individuals: Website visitors
🤝 Purpose: Handling inquiries and general communication between us and you
📓 Processed Data: Name, address, email address, phone number, general message content, and potentially IP address
📅 Storage Duration: Varies depending on the communication method used
⚖️ Legal Basis:
- Article 6(1)(a) DSGVO (Consent)
- Article 6(1)(f) DSGVO (Legitimate Interests)
- Article 6(1)(b) DSGVO (Contractual or Pre-Contractual Obligations)
What Are Messenger & Communication Tools?
Our website provides various ways for you to communicate with us, including:
- Messenger & Chat features
- Online contact forms
- Email
- Phone
When you use these options, we may process and store your data as needed to respond to your inquiry and take any necessary follow-up actions.
Besides traditional methods like email, phone, and contact forms, we may also use chats or messengers. A widely used messenger service is WhatsApp, but there are many other providers offering communication tools specifically for websites.
If a messaging service uses end-to-end encryption, this will be noted in the privacy statement of the respective provider. End-to-end encryption ensures that the contents of your message remain invisible to the service provider itself. However, technical data, such as device information and location settings, may still be processed and stored.
Why Do We Use Messenger & Communication Tools?
Communication with you is very important to us. We want to answer all your questions and provide the best possible support. A well-functioning communication system is a key part of our service.
We offer multiple options so that you can choose the method most convenient for you.
However, in some cases, certain inquiries cannot be handled via chat or messenger—especially when they involve internal contractual matters. In such cases, we recommend using email or phone communication instead.
Joint Responsibility & Data Processing
Generally, we assume that we remain the data controller when using social media platforms. However, the European Court of Justice (ECJ) has ruled that in some cases, the platform provider and we may be joint controllers under Article 26 GDPR.
If this applies, we will specifically indicate this and operate based on a corresponding joint responsibility agreement. The essential details of such an agreement are outlined below for the relevant platform.
Data Processing Outside the EU
Please be aware that when using our integrated elements, your data may be processed outside the European Union (EU). Many service providers—such as Facebook Messenger or WhatsApp—are U.S.-based companies.
This may affect your ability to enforce your rights regarding your personal data. The data protection standards in non-EU countries may not match the high standards of the GDPR, potentially making it harder to exercise your rights.
What Data is Processed?
The type of data processed depends on the provider of the messenger & communication services. Typically, the following personal data is collected:
- Name
- Address
- Phone number
- Email address
- Content data (e.g., information entered into a contact form)
- Device information
- IP address
All data collected via messenger & communication tools is stored on the provider's servers.
To understand exactly which data is stored and how you can object to data processing, please refer to the privacy policy of the respective provider.
How Long is Data Stored?
The storage duration depends primarily on the tool we use. You can find specific details about data processing for each tool further below.
The privacy policies of individual providers usually outline:
- Which data is stored
- How long it is stored
- How it is processed
In general, personal data is only processed for as long as necessary to provide our services.
For cookies, storage durations can vary:
- Some cookies are deleted immediately after leaving the website
- Others remain stored for years
If you want detailed information on cookie storage, check the individual cookie settings or the privacy policy of the respective provider.
Right to Object
You have the right and the ability to withdraw your consent to the use of cookies or third-party providers at any time. This can be done either via our cookie management tool or other opt-out options. For example, you can also prevent the collection of data through cookies by managing, deactivating, or deleting cookies in your browser. For further information, please refer to the section on consent.
Since cookies may be used in messenger and communication functions, we also recommend reading our general privacy policy regarding cookies. To find out exactly which data of yours is stored and processed, please review the privacy policies of the respective tools
Legal Basis
If you have given your consent for data to be processed and stored by embedded messenger and communication functions, this consent constitutes the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). We handle your request and manage your data as part of contractual or pre-contractual relationships in order to fulfill our contractual or pre-contractual obligations or to respond to inquiries. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b GDPR. In general, if consent has been given, your data may also be processed and stored on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in maintaining fast and effective communication with you or other customers and business partners.
Social Media Introduction
Social Media Privacy Policy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Presentation and optimization of our service, communication with visitors, interested parties, etc., advertising
📓 Processed Data: Data such as phone numbers, email addresses, contact details, user behavior, device information, and your IP address.
More details can be found in the respective social media tool's privacy policy.
📅 Storage Duration: Depends on the social media platform used
⚖️ Legal Bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is Social Media?
In addition to our website, we are also active on various social media platforms. User data may be processed so that we can specifically target users who are interested in us via social networks. Furthermore, elements of a social media platform may be directly embedded into our website. This is the case, for example, when you click on a so-called social button on our website and are redirected directly to our social media presence. Social media refers to websites and apps through which registered members can produce content, exchange content either publicly or within specific groups, and connect with other members.
Why do we use Social Media?
For years, social media platforms have been the place where people communicate and connect online. Through our social media presence, we can showcase our products and services to interested users. The social media elements integrated into our website help you easily and seamlessly access our social media content.
The data stored and processed through your use of a social media channel primarily serves the purpose of enabling web analytics. The aim of these analyses is to develop more precise and personalized marketing and advertising strategies. Based on your behavior on a social media platform, the data collected can provide valuable insights into your interests, which can then be used to create user profiles. This allows platforms to show you tailored advertisements. Cookies are usually set in your browser for this purpose, which store data about your usage behavior.
As a rule, we assume that we remain legally responsible for data protection, even when using services of a social media platform. However, the European Court of Justice has ruled that in certain cases, the operator of the social media platform may be jointly responsible with us under Article 26 GDPR. In such cases, we will explicitly indicate this and operate on the basis of a corresponding agreement. The essential content of such an agreement is provided below under the relevant platform section.
Please note that when using social media platforms or our integrated elements, your data may also be processed outside the European Union, as many social media providers—such as Facebook or Twitter—are American companies. This may make it more difficult for you to assert or enforce your rights regarding your personal data.
What data is processed?
The exact data that is stored and processed depends on the specific provider of the social media platform. However, it generally includes data such as phone numbers, email addresses, information you enter into contact forms, user data such as which buttons you click, who you like or follow, when you visit which pages, as well as information about your device and your IP address. Most of this data is stored in cookies. If you have your own profile on the social media platform and are logged in while visiting it, this data can be directly linked to your profile.
All data collected via a social media platform is also stored on the providers' servers. This means that only the providers have access to this data and can provide you with the appropriate information or make changes accordingly.
If you want to know exactly what data is stored and processed by social media providers and how you can object to data processing, you should carefully read the respective company’s privacy policy. If you have questions about data storage and data processing or would like to assert your rights, we recommend contacting the provider directly.
Duration of data processing
We will inform you about the duration of data processing further below, if we have additional information on this. For example, the social media platform Facebook stores data until it is no longer needed for its own purpose. However, customer data that is matched with the platform’s own user data is deleted within two days. In general, we only process personal data for as long as it is strictly necessary to provide our services and products. If required by law—as is the case with bookkeeping, for example—this storage duration may be exceeded.
Right to object
You also have the right and the opportunity at any time to revoke your consent to the use of cookies or third-party services such as embedded social media elements. This can be done via our cookie management tool or other opt-out options. For example, you can prevent data collection via cookies by managing, disabling, or deleting cookies in your browser settings.
Since cookies may be used in social media tools, we also recommend reading our general privacy policy on cookies. To find out exactly what data of yours is stored and processed, you should review the privacy policies of the respective tools.
Legal Basis
If you have consented to the processing and storage of your data by embedded social media elements, this consent serves as the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). In general, your data may also be stored and processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in maintaining fast and efficient communication with you or other customers and business partners—provided you have given consent. We only use such tools if you have given your explicit permission. Most social media platforms also set cookies in your browser to store data. Therefore, we recommend that you carefully read our privacy policy regarding cookies and consult the privacy or cookie policies of the respective service providers.
Information about specific social media platforms—if available—can be found in the sections below.
Facebook Privacy Policy
Facebook Privacy Policy Summary
👥 Data subjects: Visitors to the website
🤝 Purpose: Optimizing our services
📓 Processed data: Customer data, user behavior data, information about your device, and your IP address
More details can be found below in this privacy policy.
📅 Storage duration: Until the data is no longer useful for Facebook's purposes
⚖️ Legal basis: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What are Facebook Tools?
We use selected tools from Facebook on our website. Facebook is a social media network operated by Meta Platforms Inc., or for users in Europe, by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. These tools help us offer the best possible service to you and to people interested in our products and services.
If your data is collected via our embedded Facebook elements or our Facebook page (Fan Page), both we and Meta Platforms Ireland Ltd. are jointly responsible. However, for any further processing of the data, Facebook assumes sole responsibility. Our shared responsibilities are outlined in a publicly accessible agreement available at:
https://www.facebook.com/legal/controller_addendum.
This agreement specifies, among other things, that we are obligated to clearly inform you about the use of Facebook tools on our site. We are also responsible for ensuring that these tools are properly and securely integrated in compliance with data protection laws. Facebook, on the other hand, is responsible for the security of its products. For any questions regarding the collection and processing of your data by Facebook, you may contact the company directly. If you send the inquiry to us, we are required to forward it to Facebook.
Below, we provide an overview of the different Facebook tools, which data is transmitted to Facebook, and how you can delete that data.
In addition to many other products, Facebook also offers what are known as “Facebook Business Tools.” This is the official term used by Facebook. However, since the term is not widely known, we have decided to refer to them simply as Facebook tools. These include, among others:
- Facebook Pixel
- Social plug-ins (such as the “Like” or “Share” button)
- Facebook Login
- Account Kit
- APIs (Application Programming Interfaces)
- SDKs (Software Development Kits)
- Platform Integrations
- Plugins
- Code
- Specifications
- Documentation
- Technologies and Services
These tools allow Facebook to expand its services and gain access to information about user activities outside of the Facebook platform.
Why do we use Facebook tools on our website?
We only want to show our services and products to people who are genuinely interested in them. With the help of ads (Facebook Ads), we can target exactly these people. However, in order to show relevant advertisements to users, Facebook needs information about people’s interests and preferences. Through the tools used on our website, Facebook receives information about user behavior (and contact data). This allows Facebook to collect more precise user data and display targeted ads about our products and services to interested individuals. These tools therefore enable personalized advertising campaigns on Facebook.
Facebook refers to the data about your behavior on our website as “event data.” This data is also used for measurement and analytics services. Facebook can generate “campaign reports” for us, providing insights into the effectiveness of our advertising campaigns. Additionally, through these analytics, we gain a better understanding of how you use our services, website, or products. As a result, we can improve your user experience on our website through the use of some of these tools. For example, with social plug-ins, you can directly share content from our site on Facebook.
What data is stored by Facebook tools?
By using individual Facebook tools, personal data (customer data) may be sent to Facebook. Depending on the tools used, customer data such as name, address, phone number, and IP address may be transmitted.
Facebook uses this information to match it with the data it already has about you (if you are a Facebook member). Before any customer data is transmitted to Facebook, a process called “hashing” takes place. This means that a data record of any size is transformed into a string of characters. This also serves to encrypt the data.
In addition to contact information, “event data” is also transmitted. “Event data” refers to information we receive about you through our website—for example, which subpages you visit or which products you purchase from us. Facebook does not share this information with third parties (such as advertisers) unless the company has explicit permission or is legally obligated to do so. Event data may also be linked to contact data to allow Facebook to provide better, personalized advertising. After this matching process, Facebook deletes the contact data.
To deliver ads in an optimized manner, Facebook uses event data only when it is aggregated with other data collected by Facebook through other means. These event data are also used by Facebook for security, protection, development, and research purposes. Many of these data are transmitted to Facebook through cookies. Cookies are small text files that store data or information in browsers. Depending on the tools used and whether you are a Facebook member, a different number of cookies may be placed in your browser. In the descriptions of each individual Facebook tool, we go into more detail about specific Facebook cookies. General information about Facebook's use of cookies can also be found at https://www.facebook.com/policies/cookies.
How long and where are the data stored?
In general, Facebook stores data for as long as it is necessary for its services and Facebook products. Facebook operates servers all over the world where data are stored. However, customer data are deleted within 48 hours after being matched with existing user data.
How can I delete my data or prevent data storage?
According to the General Data Protection Regulation (GDPR), you have the right to access, rectify, transfer, and delete your data.
A complete deletion of your data will only occur if you permanently delete your Facebook account. Here's how to delete your Facebook account:
1. Click on Settings at the top right of Facebook.
2. Then click on “Your Facebook Information” in the left column.
3. Now click on “Deactivation and Deletion.”
4. Select “Delete Account” and then click “Continue to Account Deletion.”
5. Enter your password, click “Continue” and then “Delete Account.”
The data Facebook receives through our site is stored in part through cookies (e.g., via social plugins). In your browser, you can disable, delete, or manage individual or all cookies. Depending on which browser you use, this works differently. In the Cookies section of our privacy policy, you’ll find links to instructions for the most common browsers.
If you generally do not want to have cookies, you can set your browser to notify you every time a cookie is about to be placed. This way, you can decide individually whether to allow each cookie.
Legal Basis
If you have consented to your data being processed and stored through embedded Facebook tools, this consent serves as the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). Your data is also processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and efficient communication with you and other customers and business partners. However, we only use these tools if you have given your consent. Most social media platforms also store data in your browser using cookies. Therefore, we recommend that you read our privacy policy on cookies carefully and review Facebook's privacy or cookie policies.
Facebook also processes your data in the USA, among other locations. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may entail various risks for the legality and security of data processing.
As a basis for data processing with recipients in third countries (outside the European Union, Iceland, Liechtenstein, Norway — especially in the USA) or for transferring data there, Facebook uses Standard Contractual Clauses (SCCs) in accordance with Art. 46 para. 2 and 3 GDPR. These are templates approved by the EU Commission and are intended to ensure that your data continues to comply with European data protection standards, even when stored and processed in third countries. Through these clauses, Facebook commits to comply with the European level of data protection when processing your relevant data, even if it is stored and managed in the USA. These clauses are based on an implementing decision by the EU Commission. You can find this decision and the relevant clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
Facebook's data processing terms, which are in line with the Standard Contractual Clauses, can be found here:
https://www.facebook.com/legal/terms/dataprocessing
We hope this gives you a clear overview of the use and processing of data by Facebook tools. If you want to learn more about how Facebook handles your data, we recommend reviewing their data policy:
https://www.facebook.com/about/privacy/update
Instagram Privacy Policy
Instagram Privacy Policy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Optimization of our services
📓 Processed Data: Data such as user behavior, device information, and IP address
📅 Storage Period: Until Instagram no longer needs the data for its purposes
⚖️ Legal Bases: Art. 6 para. 1 lit. a GDPR (consent), Art. 6 para. 1 lit. f GDPR (legitimate interests)
What is Instagram?
We have integrated Instagram features into our website. Instagram is a social media platform owned by Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA. Since 2012, Instagram has been a subsidiary of Meta Platforms Inc. and is part of the Facebook product family. The embedding of Instagram content on our website is called embedding. This allows us to display content such as buttons, photos, or videos from Instagram directly on our website. When you visit pages on our site that include an Instagram feature, data is transmitted to, stored, and processed by Instagram. Instagram uses the same systems and technologies as Facebook, meaning your data is processed across all Meta companies.
Below, we’ll give you a closer look at why Instagram collects data, what data it involves, and how you can control the processing of your data to a large extent. Since Instagram is part of Meta Platforms Inc., we base our explanations partly on Instagram’s policies and partly on Meta’s broader privacy guidelines.
Instagram is one of the world’s most well-known social media networks. It combines the benefits of blogging with those of audiovisual platforms like YouTube or Vimeo. On “Insta” (as many users casually call it), you can upload photos and short videos, edit them with various filters, and share them across other social networks. And if you prefer not to post content yourself, you can simply follow other interesting users.
Why do we use Instagram on our website?
Instagram is one of the social media platforms that has really taken off in recent years. Naturally, we’ve responded to this trend as well. Our goal is to make you feel as comfortable as possible on our website. That’s why providing a diverse and engaging presentation of our content is a top priority. By embedding Instagram features, we can enhance our content with helpful, entertaining, or interesting elements from the Instagram world. Since Instagram is a subsidiary of Facebook, the collected data can also be useful to us for personalized advertising on Facebook. This means that our ads are shown only to people who are genuinely interested in our products or services.
Instagram also uses the collected data for measurement and analysis purposes. We receive aggregated statistics, giving us deeper insight into your interests and preferences. It is important to note that these reports do not personally identify you.
What data is stored by Instagram?
When you visit one of our pages that includes Instagram features (such as images or plug-ins), your browser automatically connects to Instagram’s servers. During this process, data is transmitted to, stored by, and processed by Instagram—regardless of whether you have an Instagram account or not. This data may include information about our website, your device, purchases you make, ads you view, and how you interact with our services. The date and time of your interaction with Instagram are also recorded. If you have an Instagram account or are logged in, Instagram stores significantly more data about you.
Facebook distinguishes between customer data and event data, and we assume that Instagram handles this the same way. Customer data includes, for example, your name, address, phone number, and IP address. This customer data is only transferred to Instagram after a process called hashing. Hashing transforms a dataset into a string of characters, effectively encrypting your contact information. In addition to this, the aforementioned event data is also transmitted. Event data refers to user behavior data, as defined by Facebook—and presumably Instagram as well. In some cases, contact data may be linked with event data. The collected contact information is compared with the data Instagram already has about you.
The collected data is transmitted to Facebook via cookies, which are small text files stored in your browser. Depending on the Instagram features used and whether you have an Instagram account, different amounts of data are stored.
We assume that Instagram handles data processing similarly to Facebook. This means that if you have an Instagram account or have visited www.instagram.com, Instagram has likely already set a cookie in your browser. If that’s the case, your browser will send information to Instagram via this cookie whenever you interact with an Instagram feature. These data are deleted or anonymized at the latest after 90 days, following the matching process. Although we have researched Instagram’s data processing in detail, we cannot say with absolute certainty what data Instagram collects and stores.
Cookies used by Instagram
Below are the cookies that are at least set in your browser when you click on an Instagram function (such as a button or image). For our testing, we assumed you do not have an Instagram account. If you are logged in, significantly more cookies will be set.
Name Value Purpose Expiry
csrftoken "" Likely used for security purposes to prevent cross-site request forgery. After 1 year
mid "" Helps Instagram optimize its services inside and outside the platform. Generates a unique user ID. End of session
fbsr_112064270124024 Not specified Stores login requests for Instagram app users. End of session
rur ATN Ensures functionality on Instagram. End of session
urlgen {“194.96.75.33”: 1901}:1iEtYv:Y833k2_UjKvXgYe112064270 Used for Instagram’s marketing purposes. End of session
Note: This list is not exhaustive. The actual cookies set depend on the embedded functions and your specific Instagram usage.
How long and where is the data stored?
Instagram shares the information it receives with Facebook companies, external partners, and people you connect with around the world. Data is processed in accordance with its own data policy. For security reasons, among others, your data is distributed across Facebook servers worldwide. Most of these servers are located in the USA.
How can I delete my data or prevent it from being stored?
Thanks to the General Data Protection Regulation (GDPR), you have the right to access, transfer, rectify, and delete your data. You can manage your data in the Instagram settings. If you want to completely delete your data from Instagram, you must permanently delete your Instagram account.
Here’s how to delete your Instagram account:
First, open the Instagram app. On your profile page, scroll down and click on “Help Center.” This will take you to the company’s website. On the website, click on “Managing Your Account,” then select “Delete Your Account.”
If you delete your account entirely, Instagram will remove posts such as your photos and status updates. Information that others have shared about you does not belong to your account and will therefore not be deleted.
As mentioned above, Instagram primarily stores your data via cookies. You can manage, deactivate, or delete these cookies in your browser. Depending on your browser, cookie management may vary slightly. In the "Cookies" section, you will find the relevant links to guides for the most common browsers.
You can also generally configure your browser to always notify you when a cookie is about to be set. This way, you can decide individually whether to allow each cookie or not.
Legal Basis
If you have consented to your data being processed and stored through integrated social media elements, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). Your data is also generally stored and processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in fast and effective communication with you or other customers and business partners. We only use embedded social media elements if you have given your consent. Most social media platforms also place cookies in your browser to store data. Therefore, we recommend that you carefully read our privacy text on cookies and review the privacy policy or cookie guidelines of the respective service provider.
Instagram or Facebook also processes data in the USA, among other places. We point out that, according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This may involve various risks regarding the legality and security of data processing.
As a basis for data processing by recipients in third countries (outside the European Union, Iceland, Liechtenstein, Norway — particularly the USA) or for data transfers to such countries, Facebook uses the so-called standard contractual clauses approved by the EU Commission (Art. 46 para. 2 and 3 GDPR). These clauses require Facebook to uphold the EU level of data protection when processing relevant data outside the EU. These clauses are based on an implementing decision by the EU Commission. You can find the decision and the clauses, among others, here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
We have tried to explain the most important information about Instagram’s data processing to you. You can find more detailed information about Instagram’s data policy at:
https://help.instagram.com/519522125107875
Payment Providers Introduction
Payment Providers Privacy Policy Summary
👥 Data subjects: Visitors to the website
🤝 Purpose: To enable and optimize the payment process on our website
📓 Processed data: Data such as name, address, bank details (account number, credit card number, passwords, TANs, etc.), IP address, and contract data
More details can be found in the privacy policies of the respective payment provider tools.
📅 Storage period: Depends on the payment provider used
⚖️ Legal basis: Art. 6 para. 1 lit. b GDPR (fulfillment of a contract)
What is a payment provider?
We use online payment systems on our website to ensure secure and smooth payment processing for both you and us. In doing so, personal data may be transmitted to, stored by, and processed by the respective payment provider. Payment providers are online payment systems that allow you to complete an order using online banking. The payment transaction is handled by the payment provider you select. We then receive a notification of the completed payment. This method can be used by any user with an active online banking account and access credentials like PIN and TAN. There are hardly any banks left that do not offer or accept such payment methods.
Why do we use payment providers on our website?
Our aim is to offer you the best possible service through our website and integrated online shop so that you feel comfortable and make full use of our offers. We know your time is valuable, and especially the payment process must be fast and seamless. For this reason, we offer various payment providers. You can choose your preferred payment provider and pay in the way you're used to.
What data is processed?
The exact data that is processed depends on the specific payment provider. However, in general, data such as your name, address, bank details (account number, credit card number, passwords, TANs, etc.) is stored. These are necessary for carrying out the transaction. Additionally, contract-related data and user behavior (e.g. when you visit our website, what content you're interested in, or which subpages you click on) may also be stored. Most payment providers also store your IP address and information about your device.
The data is generally stored and processed on the servers of the payment providers. As the website operator, we do not receive this data. We are only informed whether the payment was successful or not. For identity and credit checks, payment providers may pass on data to the relevant authorities. All payment processes are subject to the terms and privacy policies of the respective provider. Please be sure to review their terms and privacy policies. You also have the right to request data correction or deletion at any time. For these matters, please contact the respective payment provider directly (e.g. for withdrawal rights, access rights, and data subject rights).
Duration of data processing
We inform you about the duration of data processing below, if further information is available. In general, we process personal data only as long as is absolutely necessary to provide our services and products. If required by law—such as for accounting purposes—this retention period may be extended. For example, booking records related to a contract (invoices, contracts, account statements, etc.) are stored for 10 years (§ 147 AO), and other relevant business documents for 6 years (§ 247 HGB).
Right to object
You always have the right to access, correct, and delete your personal data. If you have any questions, you can contact the responsible party of the payment provider. Contact details can be found in our specific privacy policy or on the respective provider’s website.
Cookies used by payment providers can be deleted, deactivated, or managed in your browser. How this works depends on the browser you use. Please note, however, that disabling cookies may result in the payment process no longer functioning properly.
Legal basis
To handle contractual or legal relationships (Art. 6 para. 1 lit. b GDPR), we offer, in addition to traditional banks/credit institutions, other payment service providers. The privacy policies of each payment provider (such as Amazon Payments, Apple Pay, or Discover) provide a detailed overview of data processing and storage.
You can also contact the responsible parties directly if you have any questions regarding data protection.
eps Transfer Privacy Policy
We use the eps Transfer service for online payments on our website. This service is provided by the Austrian company Stuzza GmbH, Frankgasse 10/8, 1090 Vienna, Austria.
For more information about the data processed through the use of eps Transfer, please refer to their privacy policy:
https://eservice.psa.at/de/datenschutzerklaerung.html
PayPal Privacy Policy
We use the online payment service PayPal on our website. The service provider is the American company PayPal Inc. For the European area, PayPal Europe (S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg) is responsible.
PayPal also processes your data in the USA, among other places. We would like to point out that, according to the opinion of the European Court of Justice, there is currently no adequate level of data protection for the transfer of data to the USA. This may pose various risks to the legality and security of data processing.
As a basis for data processing with recipients based in third countries (outside the EU, Iceland, Liechtenstein, and Norway—especially in the USA), or for transferring data to such countries, PayPal uses Standard Contractual Clauses (SCCs) according to Art. 46 para. 2 and 3 GDPR. These clauses are templates provided by the EU Commission to ensure that your data continues to meet European data protection standards even when transferred and stored in third countries (such as the USA). Through these clauses, PayPal commits to maintaining the European level of data protection even if the data is stored, processed, and managed in the USA. You can find the official decision and the standard contractual clauses here:
👉 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
More information about the standard contractual clauses and the data processed by PayPal can be found in their privacy policy:
👉 https://www.paypal.com/webapps/mpp/ua/privacy-full
Apple Pay Privacy Policy
We also offer Apple Pay as a payment method on our website. The provider of this payment service is Apple Inc., Infinite Loop, Cupertino, CA 95014, USA, represented in Europe by Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland, contact: contactus.de@euro.apple.com, registration number: 470672, VAT ID: DE 27946362.
When you select Apple Pay as your payment method, the payment data you enter is transmitted to Apple Pay. The transmission of your data to Apple Pay is based on:
Art. 6 para. 1 lit. a GDPR (consent), and
Art. 6 para. 1 lit. b GDPR (processing for contract fulfillment).
You may revoke your consent to data processing at any time. Revocation does not affect the legality of data processing carried out prior to the revocation.
Further information on Apple Pay payments can be found here:
https://support.apple.com/de-de/HT201469
https://support.apple.com/de-de/HT203027
https://www.apple.com/legal/privacy/de-ww/
https://www.apple.com/de/privacy/
Klarna Sofort Privacy Policy
We use Klarna on our website, a globally active payment provider. The service provider is the Swedish company Klarna Bank AB.
More information on Klarna’s data processing practices is available at:
👉 https://www.klarna.com/at/datenschutz/
China UnionPay Privacy Policy
We use China UnionPay, a global payment provider, on our website. The service provider is UnionPay International Co., Ltd., which operates in Europe through its office in France.
China UnionPay may process your data in the USA and/or Asia. We would like to point out that the European Court of Justice currently considers there to be no adequate level of protection for data transfer to the USA/Asia, which may present certain risks to the legality and safety of your data.
As a basis for data processing or transfer to third countries, China UnionPay uses Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR). These clauses are intended to ensure that your data remains protected at the European standard, even if transferred abroad. By using these clauses, China UnionPay commits to complying with European data protection levels even if the data is stored and processed outside the EU.
You can view the SCC decision and text here:
👉 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
More information can be found at:
👉 https://www.unionpayintl.com/en/cookiepolicy/
JCB Privacy Policy
We use JCB, a globally operating payment provider, on our website. The service provider is JCB Co., Ltd., with operations in Europe located in the UK and Germany.
JCB may also process your data in the USA/Asia. Again, we note that, according to the European Court of Justice, there is currently no adequate data protection in place for such transfers, which may carry legal and security risks.
JCB also uses Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR) to maintain compliance with European data protection standards even in third countries.
You can find the decision and clauses here:
👉 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
More information on JCB's privacy practices can be found here:
👉 https://www.global.jcb/en/about-us/policy/privacy/
Diners Club Privacy Policy
We use Diners Club on our website, a global payment service provider. The service is operated by the American company Diners Club International Ltd.
Diners Club processes your data, among other locations, in the United States. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of data protection for transfers to the U.S. This may pose various risks to the legality and security of the data processing.
As the legal basis for data processing by recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway – particularly in the U.S.) or for data transfers to such countries, Diners Club relies on so-called Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCCs) are templates provided by the European Commission to ensure that your data complies with European data protection standards even when transferred and stored in third countries (such as the U.S.). By using these clauses, Diners Club commits to maintaining the European level of data protection when processing your relevant data, even if it is stored, processed, and managed in the U.S. These clauses are based on an implementing decision by the European Commission. You can find the decision and the corresponding clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
More information about Diners Club’s data practices can be found at:
https://www.dinersclub.com/privacy-policy/
Discover Privacy Policy
We use Discover on our website, a global payment service provider. The service is operated by the American company Discover Financial Services.
Discover processes your data, among other locations, in the United States. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of data protection for transfers to the U.S. This may pose various risks to the legality and security of the data processing.
As the legal basis for data processing by recipients located in third countries (outside the EU, Iceland, Liechtenstein, Norway – particularly in the U.S.) or for data transfers to such countries, Discover uses Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR). These are legal templates issued by the European Commission to ensure that data transferred to third countries is protected to the same level as under EU law. Through these clauses, Discover commits to complying with European data protection standards when processing your data in the U.S. or other third countries.
You can find the clauses and the implementing decision here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
More information about Discover’s data processing can be found here:
https://www.discover.com/credit-cards/discover-terms-of-use/?ICMPGN=PUB_FTR_QUICK_LINKS_TERMS_OF_USE
Visa and Visa Electron Privacy Policy
We use Visa on our website, a global payment provider. The service is operated by the American company Visa Inc. For the European region, Visa Europe Services Inc. (1 Sheldon Square, London W2 6TT, United Kingdom) is responsible.
Visa processes your data, among other locations, in the United States. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of data protection for transfers to the U.S. This may pose various risks to the legality and security of the data processing.
As the legal basis for data processing by recipients located in third countries (outside the EU, Iceland, Liechtenstein, Norway – particularly in the U.S.) or for data transfers to such countries, Visa relies on Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR). These contractual clauses are intended to ensure that your personal data is subject to appropriate safeguards even when processed outside the European Union. By adopting these clauses, Visa commits to maintaining EU-level data protection for your information, even when processed in the U.S.
You can find the decision and the clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
Further information about Visa’s use of Standard Contractual Clauses:
https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zu-zustandigkeitsfragen-fur-den-ewr.html
To learn more about the data processed by Visa, please see their privacy policy at:
https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html
Mastercard/Maestro Privacy Policy
We use Mastercard as a payment service provider on our website. The service is provided by the American company Mastercard Inc. For the European region, Mastercard Europe SA (Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium) is responsible.
Mastercard processes data in the United States, among other locations. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of data protection for data transfers to the U.S. This may involve various risks regarding the legality and security of data processing.
As the legal basis for data processing by recipients in third countries (outside the European Union, Iceland, Liechtenstein, and Norway — particularly in the U.S.) or for data transfers to such countries, Mastercard relies on Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR) approved by the EU Commission. These clauses oblige Mastercard to maintain the EU level of data protection when processing relevant data outside the EU. They are based on an implementing decision by the EU Commission.
You can find the decision and the clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
You can learn more about the data processed by Mastercard in their privacy policy:
https://www.mastercard.at/de-at/datenschutzbestimmungen.html
American Express Privacy Policy
We use American Express on our website, a globally operating financial services provider. The service is offered by the American company American Express Company. For the European region, American Express Europe S.A. (Avenida Partenón 12–14, 28042, Madrid, Spain) is responsible.
American Express processes your data in the United States, among other locations. We would like to point out that, according to the European Court of Justice, there is currently no adequate level of data protection for data transfers to the U.S. This may pose various risks to the legality and security of data processing.
As the legal basis for data processing by recipients in third countries (outside the EU, Iceland, Liechtenstein, and Norway — particularly in the U.S.) or for data transfers to such countries, American Express uses so-called Standard Contractual Clauses (Art. 46 para. 2 and 3 GDPR). These are legal templates provided by the European Commission and are designed to ensure that your data complies with European data protection standards even when transferred and stored in third countries such as the U.S. Through these clauses, American Express commits to upholding the European level of data protection when processing your data, even when this occurs in the United States. These clauses are based on an implementing decision by the EU Commission.
You can find the decision and the Standard Contractual Clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=at
Further details on how American Express uses Standard Contractual Clauses can be found in the “European Implementing Principles”:
https://www.americanexpress.com/en-pl/company/legal/privacy-centre/european-implementing-principles/
You can find more information about the data processed by American Express in their privacy policy:
https://www.americanexpress.com/de-de/firma/legal/datenschutz-center/online-datenschutzerklarung/
Website Builder Systems – Introduction
Website Builder Systems Privacy Policy Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Optimization of our service
📓 Processed Data: Technical usage data such as browser activity, clickstream activity, session heatmaps, contact data, IP address, or geographic location. More details are provided below and in the privacy policies of the respective providers.
📅 Retention Period: Depends on the provider
⚖️ Legal Bases: Art. 6(1)(f) GDPR (legitimate interests), Art. 6(1)(a) GDPR (consent)
What Are Website Builder Systems?
We use a website builder system on our website. Builder systems are a special type of content management system (CMS). They allow website operators to create websites easily and without programming knowledge. In many cases, web hosting providers also offer builder systems. By using such a system, personal data may be collected, stored, and processed. In this section, we provide general information on the data processing associated with website builder systems. More detailed information can be found in the respective provider’s privacy policy.
Why Do We Use Website Builder Systems?
The main advantage of a builder system is its ease of use. We aim to provide you with a clear, user-friendly website that we can manage and update ourselves without external support. Website builders now offer many useful features that we can utilize without coding knowledge. This allows us to design our website to our preferences and offer you an informative and enjoyable online experience.
What Data Is Stored by a Website Builder System?
The exact data stored depends on the specific system used. Each provider collects and processes different visitor data. Typically, technical usage data is collected, such as operating system, browser, screen resolution, language and keyboard settings, hosting provider, and the date of your website visit. Tracking data may also be processed, such as browser activity, clickstream data, and session heatmaps. Additionally, personal data like contact information (email address, phone number, if provided), IP address, and geographic location may be collected. The exact data collected can be found in the privacy policy of the respective provider.
How Long and Where Are Data Stored?
We provide information on the duration of data processing further below in relation to the website builder system used, if we have more details available. You can find detailed information in the privacy policy of the respective provider. In general, we only process personal data for as long as it is strictly necessary to provide our services and products. However, the provider may store your data according to its own policies, over which we have no influence.
Right to Object
You always have the right to access, rectify, and delete your personal data. If you have any questions, you can also contact the responsible parties of the website builder system used. Contact details can be found in our privacy policy or on the respective provider’s website.
Legal Basis
We have a legitimate interest in using a website builder system to optimize our online services and present them in an efficient and user-friendly manner. The corresponding legal basis is Art. 6(1)(f) GDPR (legitimate interests). However, we only use the builder system to the extent you have given your consent.
Where the processing of data is not strictly necessary for the operation of the website, data is processed solely based on your consent. This especially applies to tracking activities. The legal basis in such cases is Art. 6(1)(a) GDPR.
With this privacy notice, we have provided the most important general information regarding data processing. If you would like to find out more, you can find additional details — if available — in the following section or in the provider’s privacy policy.
Wix Privacy Policy
We use Wix for our website, a website builder or content management system (CMS). The service provider is the Israeli company Wix.com Ltd., 40 Namal St., 6350671 Tel Aviv, Israel.
You can learn more about the data processed through the use of Wix in their privacy policy:
https://de.wix.com/manage/privacy-security-hub
External Online Platforms – Introduction
External Online Platforms Privacy Policy Summary
👥 Data Subjects: Website visitors and visitors of external online platforms
🤝 Purpose: Presentation and optimization of our services, contact with visitors and potential customers
📓 Processed Data: Data such as phone numbers, email addresses, contact details, user behavior data, information about your device, and your IP address.
More details can be found in the privacy policies of the respective platforms.
📅 Retention Period: Depends on the platform used
⚖️ Legal Bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)
What Are External Online Platforms?
To offer our services or products beyond our own website, we also use external platforms. These are typically online marketplaces such as Amazon or eBay. In addition to our own data protection responsibilities, the privacy policies of these external platforms also apply — especially when our products are purchased via the platform and payment processes are involved. Furthermore, most platforms use your data to optimize their own marketing strategies. For example, platforms can use collected data to tailor advertisements specifically to the interests of customers and website visitors.
Why Do We Use External Online Platforms?
We aim to offer our products not only on our website but also on other platforms to reach a broader audience. External marketplaces like Amazon, eBay, or Digistore24 provide major sales platforms that allow us to reach potential customers who might not know our website. Embedded elements on our website may also link to external platforms. Data processed and stored by these platforms are used to log payment processes and perform web analytics.
The purpose of these analyses is to develop more targeted, personalized marketing and advertising strategies. Based on your behavior on a platform, data analysis can provide insights into your interests and result in the creation of user profiles. This enables platforms to present tailored ads or product suggestions. Typically, cookies are used in your browser to store data about your user behavior.
Please note that when using such platforms or their embedded elements, your data may also be processed outside the European Union, as many platforms like Amazon or eBay are U.S.-based companies. As a result, you may not be able to exercise or enforce your data protection rights as easily
.
What Data Is Processed?
The exact data stored and processed depends on the respective external platform. However, it typically includes information such as your phone number, email address, data you enter into a contact form, user data such as which buttons you click, when you visited which pages, information about your device, and your IP address. Most of this data is commonly stored in cookies. If you have your own profile with an external platform and are logged in, data may be linked to your profile. The collected data is stored and processed on the servers of the platform used.
To learn how an external platform stores, manages, and processes data, please refer to its respective privacy policy. If you have questions about data storage or processing or wish to exercise your rights, we recommend contacting the platform directly.
Duration of Data Processing
We provide information on the duration of data processing further below if we have additional details. For example, Amazon stores data until it is no longer needed for its purposes. In general, we only process personal data for as long as it is strictly necessary to provide our services and products.
Right to Object
You also have the right and the option to withdraw your consent for the use of cookies at any time. This can be done either via our cookie management tool or through opt-out features offered by the respective external platform. Additionally, you can prevent data collection through cookies by managing, disabling, or deleting them in your browser settings.
Since cookies may be used, we also recommend reading our general cookie policy. To find out exactly which data is stored and processed about you, please refer to the privacy policies of the respective external platforms.
Legal Basis
If you have consented to the processing and storage of your data by external platforms, this consent serves as the legal basis for data processing (Art. 6(1)(a) GDPR). In general, your data may also be processed on the basis of a legitimate interest (Art. 6(1)(f) GDPR), such as for fast and efficient communication with you or other customers and business partners. If we use embedded elements from external platforms on our website, we do so only with your prior consent.
You can find information on specific external platforms — if available — in the following sections.
Amazon (Europe) Privacy Policy
We also use the Amazon (Europe) online marketplace. The service provider is the American company Amazon Inc. For the European region, Amazon Europe Core S.à r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg, is responsible.
Amazon also processes your data in the United States. We note that, according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the U.S. This may pose various risks to the legality and security of data processing.
As a basis for data processing by recipients in third countries (outside the European Union, Iceland, Liechtenstein, Norway — particularly the U.S.) or for data transfers to such countries, Amazon uses so-called Standard Contractual Clauses (= Art. 46(2) and (3) GDPR). These are EU Commission model contracts designed to ensure that your data remains subject to European data protection standards even when transferred and stored outside the EU. By agreeing to these clauses, Amazon commits to maintaining European data protection standards when processing your relevant data, even if it is stored, processed, and managed in the U.S.
These clauses are based on an implementing decision of the European Commission. You can find the decision and the relevant Standard Contractual Clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en
Amazon’s Data Processing Addendum (AWS GDPR DATA PROCESSING), which corresponds to the Standard
Contractual Clauses, can be found here:
https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
You can find more information about the data processed through the use of Amazon in their privacy policy:
https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010&ref_=footer_privacy
Explanation of Terms Used
We always strive to make our privacy policy as clear and understandable as possible. However, this is not always easy when it comes to legal and technical subjects. In many cases, it makes sense to use legal terms (such as personal data) or certain technical expressions (such as cookies, IP address). Nevertheless, we do not want to use these terms without explanation.
Below, you’ll find an alphabetical list of important terms that may not have been fully explained elsewhere in this privacy policy. If these terms are taken from the GDPR and constitute legal definitions, we will also provide the corresponding GDPR text and, if necessary, add our own explanations.
Supervisory Authority
Definition according to Article 4 GDPR:
“Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51.
Explanation:
Supervisory authorities are always public, independent bodies that may have authority to issue binding instructions. They are responsible for enforcing data protection laws and are usually part of ministries, special departments, or other government offices.
In Austria, for example, the Austrian Data Protection Authority is responsible. In Germany, each federal state has its own data protection authority.
Processor
Definition according to Article 4 GDPR:
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Explanation:
As a company and website operator, we are responsible for any data we process about you. However, there may also be so-called processors — these are any parties that process personal data on our behalf.
Processors may include service providers such as tax advisors, hosting or cloud providers, payment or newsletter services, or large companies like Google or Microsoft.
Information Society Service
Definition according to Article 4 GDPR:
“Information society service” means a service within the meaning of Article 1(1)(b) of Directive (EU) 2015/1535.
Explanation:
The term "information society" refers to a society that relies on information and communication technologies. As a website visitor, you regularly use various types of online services, most of which fall under this category.
A classic example is an online transaction such as purchasing goods over the internet.
Cross-Border Processing
Definition according to Article 4 GDPR:
“Cross-border processing” means either:
a) processing of personal data in the context of the activities of establishments in more than one Member State of a controller or processor in the Union,
or
b) processing of personal data in the context of the activities of a single establishment in the Union, which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Explanation:
For example, if a company has branches in Spain and Croatia and processes personal data as part of the activities of these branches, this constitutes cross-border processing.
Even if the data is only processed in one country (e.g., Spain), but the processing affects individuals in another country (e.g., Croatia), it is still considered cross-border processing.
Main Establishment
Definition according to Article 4 GDPR:
“Main establishment” means:
a) for a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter is authorised to have such decisions implemented — in which case that other establishment is the main establishment;
b) for a processor with establishments in more than one Member State, the place of its central administration in the Union, or if there is no central administration in the Union, the establishment where the main processing activities take place.
Explanation:
For example, Google is a U.S.-based company that also processes data in the U.S., but its European headquarters is located in Ireland (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
Thus, Google Ireland Limited is legally considered a separate entity and is responsible for all Google products offered in the European Economic Area.
In contrast to a main establishment, a branch is not a legally independent entity and differs from a subsidiary. A main establishment is the location where a business has its operational center
Relevant and Reasoned Objection
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
"relevant and reasoned objection" means an objection to a draft decision as to whether there is an infringement of this Regulation or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union.
Explanation:
If certain measures taken by us as the controller or by our processors do not comply with the GDPR, you may lodge a so-called “relevant and reasoned objection.” In doing so, you must explain the significance of the risks to your fundamental rights and freedoms and, if applicable, the free movement of your personal data within the EU.
Undertaking (Company)
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
"undertaking" means a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in an economic activity.
Explanation:
For example, we are a company and conduct economic activities through our website by offering and selling services and/or products. Each company has a formal legal status, such as a limited liability company (GmbH) or a joint-stock company (AG).
Controller
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
"controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Explanation:
In our case, we are responsible for processing your personal data and are therefore the “controller.” If we pass on collected data for processing to other service providers, they are referred to as “processors.” In such cases, a “Data Processing Agreement (DPA)” must be signed.
Processing
Definition according to Article 4 of the GDPR
For the purposes of this Regulation, the term:
"processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Note:
When we refer to processing in our privacy policy, we mean any type of handling of personal data. As mentioned in the original GDPR definition above, this includes not only collection but also storage and any other form of data processing.
All texts are protected by copyright.
Source: Created using the privacy policy generator by AdSimple.