Name/company: Gipfelsockerl – Bestle Odesser GbR
Street & No: Maria-Eich-Strasse 14a
Postcode, city, country: 81243 Munich, Germany
Shareholders: Alexander Bestle, Daniela Odesser
Email address: kontakt(at)gipfelsockerl.de
Types of data processed:
– inventory data
– contact details
– content data
– contract data
– payment data
– usage data
– meta-/communication data
Processing of special categories of data (Article 9, Par. 1 GDPR):
No special categories of data are processed.
Categories of persons affected by data processing:
– customers, prospective customers, visitors and users of the online offer, business partners.
In summary, we also refer to the affected persons as “users”.
Purpose of processing:
– availability of the online offering, its content and shop features
– provision of contractual offers, services and customer care
– response to contact requests and communication with users
– marketing, advertising and market research
– security measures.
Status: September 2018
1. Terms used
1.1. “Personal data” is any information relating to an identified or identifiable natural person (“the person concerned”). A natural person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
1.2. “Processing” is any operation or set of operations performed on personal data, whether or not by automated means. The term covers virtually every handling of data.
1.3. “Responsible” is the natural or legal person, authority, institution or other body that decides alone or together with others on the purposes and means of processing personal data.
2. Legal basis
In accordance with Article 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not mentioned in this Privacy Statement, the following applies: the legal basis for obtaining consent is Article 6 (1) lit. a and Article 7 GDPR; the legal basis for processing to fulfil our services, to implement contractual measures and to answer enquiries is Article 6 (1) lit. b GDPR; the legal basis for processing to fulfil our legal obligations is Article 6 (1) lit. c GDPR; and the legal basis for processing to safeguard our legitimate interests is Article 6 (1) lit. f GDPR. Where the vital interests of the person concerned or of another natural person require the processing of personal data, Article 6 (1) lit. d GDPR serves as the legal basis.
3. Changes and updates to the Privacy Statement
4. Security measures
4.1. In accordance with Article 32 GDPR, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of individuals. These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as logical access to it, its input, disclosure, availability and separation. We have also established procedures to ensure that the rights of the persons concerned can be exercised, that data is deleted and that we respond to threats to the data. In addition, we take the protection of personal data into account when developing or selecting hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 GDPR).
4.2. Security measures include, in particular, the encrypted transfer of data between your browser and our server.
5. Disclosure and transmission of data
5.1. If, as part of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them or otherwise grant them access to the data, this is done only on the basis of a statutory permission (e.g. if a transfer of the data to third parties, such as payment service providers, is required under Article 6 (1) lit. b GDPR for the fulfilment of the contract), your consent, a legal obligation, or our legitimate interests (e.g. in the use of agents, hosting providers, tax, business and legal advisors, customer care, accounting, billing and similar services that allow us to fulfil our contractual obligations, administrative tasks and duties efficiently and effectively).
5.2. If we instruct third parties to process data on the basis of a so-called “contract for order processing” (data processing agreement), this is done on the basis of Article 28 GDPR.
6. Transfer to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this happens in the context of the use of third-party services or the disclosure or transfer of data to third parties, this is done only to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual permissions, we process or have data processed in a third country only if the special requirements of Article 44 ff. GDPR are met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognised finding of a level of data protection corresponding to that of the EU (e.g. for the US by the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
7. Rights of the persons concerned
7.1. You have the right to request confirmation as to whether the data in question is being processed, to receive information about this data, and to receive further information and a copy of the data in accordance with Article 15 GDPR.
7.2. In accordance with Article 16 GDPR, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
7.3. In accordance with Article 17 GDPR, you have the right to request that the data in question be deleted immediately or, alternatively, to request a restriction of the processing of the data in accordance with Article 18 GDPR.
7.4. You have the right to receive the data you have provided to us in accordance with Article 20 GDPR and to request that it be transmitted to other responsible parties.
7.5. You also have the right under Article 77 GDPR to submit a complaint with the responsible supervisory authority.
8. Right of revocation
You have the right to revoke your consent in accordance with Article 7 Par. 3 GDPR with effect for the future.
9. Right to object
You may object to the future processing of the data concerning you at any time in accordance with Article 21 GDPR. The objection may be made in particular against processing for direct advertising purposes.
10. Cookies and right to object to direct advertising
10.1. “Cookies” are small files stored on users’ computers. Different information can be stored within cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offer. Cookies that are deleted after a user leaves an online offer and closes their browser are referred to as temporary cookies, “session cookies” or “transient cookies”. Such a cookie can store, for example, the contents of a shopping basket in an online shop or a login status. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent” cookies. For example, the login status can be saved in this way if the user returns after several days. Such a cookie can likewise store the interests of users, which are used for reach measurement or marketing purposes. “Third-party cookies” are cookies set by providers other than the one operating the online offer; cookies set by the provider who runs the offer are referred to as “first-party cookies”.
If users do not want cookies to be stored on their computer, they are asked to disable the option in their browser’s system settings. Saved cookies can be deleted from the browser’s system settings. The exclusion of cookies can lead to functional limitations of this online offer.
11. Deletion of data
11.1. The data we process will be deleted or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this Privacy Statement, the data stored with us will be deleted as soon as it is no longer necessary for its purpose and no legal retention obligations prevent deletion. If the data is not deleted because it is necessary for other, legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
11.2. Germany: In accordance with legal requirements, retention takes place in particular for 6 years in accordance with § 257 Par. 1 of the German Civil Code (trading books, inventories, balance sheets, financial statements, trade letters, receipts, etc.) and for 10 years in accordance with § 147 Par. 1 AO (books, records, situation reports, documents, trade and business letters, documents relevant to taxation, etc.).
12. Order processing in the online shop and customer account
12.1. We process the data of our customers as part of the ordering processes in our online shop in order to enable them to select and order the selected products and services, as well as their payment and delivery, or execution.
12.2. The data processed includes inventory data, communication data, contract data, payment data of our customers, interested parties and other business partners. The processing is carried out for the purpose of providing contract services in the context of the operation of an online shop, billing, delivery and customer service. In doing so, we use session cookies for storing the shopping cart content and permanent cookies for storing login status.
12.3. Processing is based on Article 6 Par. 1 lit. b (carrying out orders) and lit. c (legally required archiving) GDPR. The information identified as required is necessary to establish and fulfil the contract. We disclose the data to third parties only in the context of delivery, payment or statutory permissions and obligations, and to legal advisors and authorities. The data will be processed in third countries only if this is necessary for the fulfilment of the contract (e.g. at the customer’s request for delivery or payment).
12.4. Users can optionally create a user account, in which they can in particular view their orders. As part of the registration process, the required mandatory information is communicated to the users. User accounts are not public and cannot be indexed by search engines. If users have terminated their user account, the data relating to the user account will be deleted, unless its retention is required for commercial or tax reasons in accordance with Article 6 Par. 1 lit. c GDPR. Information remains in the customer account until it is deleted, followed by archiving where a legal obligation exists. It is the users’ responsibility to back up their data before the end of the contract.
12.5. As part of registration, repeated logins and the use of our online services, we store the IP address and the time of the respective user action. This storage is based on our legitimate interests, and those of the user, in protection against abuse and other unauthorised use. In principle, this data is not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so under Article 6 Par. 1 lit. c GDPR.
12.6. The deletion takes place after the expiry of legal warranty and similar obligations, and the requirement for the retention of the data is reviewed every three years. In the case of legal archiving obligations, the deletion takes place after its expiry (end of commercial law (6 years) and tax law (10 years) retention obligation). Information in the customer account will remain in the customer account until it is deleted.
13. Business analysis and market research
13.1. In order to operate our business economically and to recognise market trends and the wishes of customers and users, we analyse the data available to us on business transactions, contracts, enquiries, etc. We process inventory data, communication data, contract data, payment data, usage data and metadata on the basis of Article 6 Par. 1 lit. f GDPR, whereby the persons concerned include customers, prospective customers, business partners, visitors and users of the online offer. The analyses are carried out for the purposes of business analysis, marketing and market research. In doing so, we may take into account the profiles of registered users, including information on, for example, their purchases. The analyses serve us to increase usability, to optimise our offer and to operate economically. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with aggregated values.
13.2. If these analyses or profiles are personal, they will be deleted or anonymised upon termination of the user relationship, and otherwise two years after the conclusion of the contract. Moreover, the overall business analyses and general trend assessments are prepared anonymously where possible.
14. Credit Information
14.1. If we provide services in advance (e.g. for purchase on account), we reserve the right to obtain an identity and credit report from specialised service providers (credit agencies), based on mathematical and statistical procedures, in order to assess the credit risk.
15. Contact and customer service
15.1. When contacting us (by contact form or email), the user’s details are processed for the purpose of handling the contact request and its processing in accordance with Article 6 Par. 1 lit. b GDPR.
15.2. Users’ information can be stored in our Customer Relationship Management System (“CRM System”) or similar systems.
15.3. We will delete the requests if they are no longer required. We check the requirement every two years. We store requests from customers who have a customer account permanently and refer them to the customer account details for deletion. In addition, the legal archiving obligations apply.
16. Collection of access data and log files
16.1. On the basis of our legitimate interests within the meaning of Article 6 Par. 1 lit. f GDPR, we collect data about every access to the server on which this service is located (so-called server log files). Access data includes the name of the website retrieved, the file, date and time of retrieval, the amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, the referrer URL (the previously visited page), the IP address and the requesting provider.
16.2. Log file information is stored for security reasons (e.g. to investigate acts of abuse or fraud) for a maximum of seven days and then deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until the respective incident has been finally resolved.
17. Online presence on social media
17.1. We maintain on the basis of our legitimate interests within the meaning of Article 6 Par. 1 lit. f GDPR an online presence within social networks and platforms in order to communicate with the customers, interested parties and users active there and to inform them about our services there. When accessing the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply.
18. Google Analytics
18.2. Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services associated with the use of this online offer and of the internet. Pseudonymous user profiles can be created from the processed data.
18.4. We only use Google Analytics with IP anonymization enabled. This means that the IP address of users is being shortened by Google within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
18.5. The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent cookies from being stored by adjusting their browser settings accordingly. Users can also prevent the collection of the data generated by the cookie and relating to their use of the online offer, as well as Google’s processing of that data, by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
18.6. For more information on Google’s use of data, settings and objection options, please visit Google’s websites: https://www.google.com/intl/de/policies/privacy/partners (“Data use by Google during your use of websites or apps from our partners”), https://policies.google.com/technologies/ads (“Data usage for advertising purposes”), https://adssettings.google.com/authenticated (“Manage information that Google uses to show you ads”).
20. Facebook, Custom Audiences and Facebook Marketing Services
20.1. Within our online offer, on the basis of our legitimate interests in the analysis, optimisation and economic operation of our online offer and for these purposes, we use the so-called “Facebook pixel” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are based in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
20.2. Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
20.3. With the help of the Facebook pixel, Facebook is able, on the one hand, to identify visitors to our online offer as a target group for the display of advertisements (so-called “Facebook ads”). Accordingly, we use the Facebook pixel to display the Facebook ads we have placed only to those Facebook users who have shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products, as determined by the websites visited), which we transmit to Facebook (so-called “Custom Audiences”). With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not a nuisance. With the help of the Facebook pixel, we can also track the effectiveness of Facebook ads for statistical and market research purposes, by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called “conversion”).
20.4. Facebook processes the data in accordance with Facebook’s data use policy. General information about the display of Facebook ads can therefore be found in Facebook’s data use policy: https://www.facebook.com/policy.php. For specific information and details about the Facebook pixel and how it works, visit Facebook’s help section: https://www.facebook.com/business/help/651294705016616.
20.5. You can object to the capture by the Facebook pixel and use of your data to display Facebook ads. To set what types of ads you see within Facebook, you can visit the following page set up by Facebook and follow the settings of usage-based ads: https://www.facebook.com/settings?tab=Ads. The settings are made on a platform-independent basis, i.e. they are applied to all devices, such as desktop computers or mobile devices.
21. Facebook Social plugins
21.1. We use social plugins (“plugins”) of the social network facebook.com on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and economic operation of our online offer within the meaning of Article 6 Par. 1 lit. f GDPR); the network is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plugins can display interaction elements or content (e.g. videos, graphics or text posts) and are recognisable by one of the Facebook logos (white “f” on a blue tile, the term “Like” or a “thumbs up” sign) or are marked with the addition “Facebook Social Plugin”. The list and appearance of Facebook social plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
21.2. Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
21.3. When a user uses a feature of this online offer that contains such a plugin, their device establishes a direct connection with Facebook’s servers. Facebook transmits the content of the plugin directly to the user’s device and integrates it into the online offer. User profiles can be created from the processed data. We therefore have no influence on the amount of data that Facebook collects with the help of this plugin and inform users according to our level of knowledge.
21.4. By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offer. If the user is logged into Facebook, Facebook can assign the visit to their Facebook account. When users interact with the plugins, for example by clicking the Like button or posting a comment, the corresponding information is transmitted directly from their device to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will learn and store their IP address. According to Facebook, only an anonymised IP address is stored in Germany.
21.5. The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the rights and settings to protect the privacy of users in this regard, can be inferred from Facebook’s data protection notices: https://www.facebook.com/about/privacy/.
21.6. If a user is a Facebook member and does not want Facebook to collect data about them through this online offer and link it to their member data stored on Facebook, they must log out of Facebook and delete their cookies before using our online offer. Further settings and objections regarding the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads, or via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are made on a platform-independent basis, i.e. they apply to all devices, such as desktop computers or mobile devices.
26. Amazon Partner Program
26.2. For more information on Amazon’s data usage, see Amazon’s privacy statement: http://www.amazon.de/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=3312401.
27. Communication via post, email, fax or telephone
27.1. We use remote communication tools, such as post, telephone or email, for business purposes and for marketing purposes. In doing so, we process inventory data, address and contact data as well as contract data of customers, participants, interested parties and communication partners.
27.2. Processing is based on Article 6 Par. 1 lit. a and Article 7 GDPR, and on Article 6 Par. 1 lit. f GDPR in conjunction with the legal requirements for advertising communications. Contact is made only with the consent of the contact partners or within the framework of the statutory permissions, and the processed data is deleted as soon as it is no longer necessary, or otherwise upon objection/revocation or the lapse of the legal basis or of legal archiving obligations.
28.1. With the following notices, we inform you about the contents of our newsletter as well as the registration, shipping and statistical evaluation procedure as well as your rights of objection. By subscribing to our newsletter, you agree to the reception and the procedures described.
28.2. Content of the newsletter: We send newsletters, emails and other electronic notifications with advertising information (“Newsletter”) only with the consent of the recipients or a legal permission. If its contents are specifically described as part of a registration for the newsletter, they are decisive for the consent of the users. In addition, our newsletters contain information about our products, offers, promotions and our company.
28.3. Double opt-in and logging: Registration for our newsletter takes place in a so-called double opt-in procedure, i.e. after signing up you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else’s email address. Registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes storing the time of registration and of confirmation, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.
28.5. To the extent that we use a newsletter service provider, the provider may, according to its own information, use this data in pseudonymous form, i.e. without assignment to a user, to optimise or improve its own services, e.g. for the technical optimisation of the sending and presentation of newsletters, or for statistical purposes such as determining which countries recipients are from. However, the newsletter service provider does not use the data of our newsletter recipients to write to them itself or to pass it on to third parties.
28.6. Login Information: To sign up for the newsletter, it is sufficient to provide your email address. As an option, we ask you to provide a name for personal contact in the newsletter.
28.7. Success tracking: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file which is retrieved from our server when the newsletter is opened or, if we use a newsletter service provider, from its server. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of retrieval, is collected first. This information is used to improve the technical services on the basis of the technical data, or to improve the newsletter based on the target groups and their reading behaviour, based on the user locations (which can be determined with the help of the IP address) or the access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our intention nor, if used, that of the newsletter service provider to observe individual users. The evaluations serve us mainly to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
28.8. Germany: The sending of the newsletter and success tracking are carried out on the basis of the consent of the recipients in accordance with Article 6 Par. 1 lit. a and Article 7 GDPR and § 7 Par. 2 No. 3 UWG, or on the basis of the legal permission under § 7 Par. 3 UWG.
28.9. The registration procedure is logged on the basis of our legitimate interests in accordance with Article 6 Par. 1 lit. f GDPR and serves to provide proof of consent to receive the newsletter.
28.10. Newsletter recipients can cancel the receipt of our newsletter at any time, i.e. revoke their consent. A link to cancel the newsletter can be found at the end of each newsletter. At the same time, their consent to success tracking lapses. A separate revocation of success tracking is unfortunately not possible; in that case the entire newsletter subscription must be cancelled. When you unsubscribe from the newsletter, the personal data will be deleted unless its retention is legally required or justified, in which case its processing is limited to these exceptional purposes. In particular, on the basis of our legitimate interests we may store the unsubscribed email addresses for up to three years before deleting them, in order to be able to demonstrate that consent was previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.
29. Integration of third-party services and content
29.1. Within our online offer, we integrate content or services from third-party providers in order to include their content and services, such as videos or fonts (referred to below uniformly as “Content”). This always presupposes that the third-party providers of this content receive the IP address of the users, since without the IP address they would not be able to send the content to their browser. The IP address is therefore required for the display of this content. We make every effort to use only content whose respective providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” allow information such as visitor traffic on the pages of this website to be analysed. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, and may be combined with such information from other sources.
29.2. The following overview lists third-party providers and their content, together with links to their privacy policies, which provide further information on the processing of data and, in some cases already mentioned here, on possibilities for objection (so-called opt-out):
– If our customers use the payment services of third parties (e.g. PayPal or instant transfer), the terms and conditions and data protection notices of the respective third-party providers apply, which can be accessed within the respective websites or transaction applications.