Data protection of the Dussmann Group
Data Protection and Privacy Statement
A. General provisions
Dussmann Stiftung & Co. KGaA and its affiliates (hereinafter “Dussmann”) take protecting your personal data very seriously and comply with the provisions of the laws on data protection and privacy. Personal data are processed only within the scope necessary for the specific purpose. Our employees have undertaken an obligation to maintain confidentiality and secrecy and to comply with the provisions of data protection and privacy law in accordance with the statutory provisions.
This text explains what information we collect, how this information is used, and how you can exercise your rights. You can access and print the Data Protection and Privacy Statement at any time via the “Data Protection” tab at the bottom of each page.
This general Data Protection and Privacy Statement applies to all websites of the Dussmann Group (including websites of Kursana GmbH, Dresdner Kühlanlagenbau GmbH, and HEBO Aufzugstechnik GmbH) and to our social media presences, e-mail communications, and mobile apps for smartphones and other devices. In addition to the general and required information, we have also compiled additional individual data protection and privacy information for specific websites of the Dussmann Group for you.
Individual data protection and privacy information must be observed on the website kulturkaufhaus.de.
If you have any questions, please contact the controller mentioned below, click the links, and/or consult third-party sites for further information. You can also find our contact information in the legal notice, of course.
1. Controller
The controller responsible for data processing is
Dussmann Stiftung & Co. KGaA
Friedrichstraße 90
10117 Berlin
Germany
A list of affiliates is available here. To the extent that you contact our affiliates directly, via the website or otherwise, this company is the controller.
Contact details for our data protection officer:
Dussmann Stiftung & Co. KGaA
Friedrichstraße 90
10117 Berlin
Germany
2. Personal data
“Personal data” means any information relating to an identified or identifiable natural person (for example, your real name, address, or phone number).
“Special categories of personal data” are a specially protected subgroup of personal data described in Article 9 of the General Data Protection Regulation (GDPR). These include data concerning health and biometric data.
In principle, we collect personal data from you directly unless you grant your consent in another way. We process the personal data transmitted electronically by you as well as information that we collect in writing or electronically during your use of our website or during phone conversations with our employees. This takes place only within the scope of performing and managing our services and based on the contact forms filled out by you or other correspondence.
3. Access by third parties to your personal data
We process personal data ourselves and, unless we have expressly ruled this out, also through other affiliates of the Dussmann Group or service provider companies we have commissioned. In the latter two cases, we will ensure that affiliates and/or service provider companies comply with the relevant statutory provisions on data protection and privacy and the obligations arising from this Data Protection and Privacy Statement.
We do not disclose personal data without your consent except to government agencies that are entitled to information and if we are obligated by law or under a court order to do so (point (c) of Article 6(1) GDPR).
Disclosure may also take place pursuant to point (f) of Article 6(1) GDPR where this is necessary for the establishment, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data.
Your data are also disclosed to third parties to the extent that this is permissible by law and necessary pursuant to point (b) of Article 6(1) GDPR for the performance of contracts with you.
4. Recipients of the personal data
Within the scope of the statutory authorities, your personal data may be disclosed in particular to the following categories of recipients:
- Web analytics service providers
- IT service providers that process data within the scope of provision of services (for example, for IT maintenance activities, hosting service providers)
- Document and data destruction service providers, printing service providers
- Marketing and sales service providers
- Newsletter and logistics service providers
- Suppliers of things like materials and services
- Cooperation partners
- Payment service providers
- Credit bureaus and collection agencies
- Authorized dealers
- Certified accountants and auditors, tax advisors, advising and consulting firms, insurance companies
- Other Dussmann companies, if this is necessary in conjunction with an offer, a call for tenders, or preparations for, implementation or finalization of the business relationship
- Courts, government agencies, legal advisors or arbitral tribunals, to the extent that this is necessary in order to comply with applicable law or for the establishment, exercise or defense of legal claims
Some internal recipients within the group of companies are based in third countries (non-EU countries). Within the group of companies, Dussmann ensures, within the scope of contracts under the law of data protection and privacy based on the standard EU data protection clauses, that your personal data are adequately protected on the recipient’s end as well.
The legal basis for the transfer of data within the group of companies is point (f) of Article 6(1) GDPR. The sharing of data within the group for internal administrative purposes constitutes a legitimate interest (recital 48 of the GDPR).
Before we transfer your information to third parties, we take suitable measures to ensure that recipients undertake an obligation to comply with applicable data protection and privacy laws and maintain the secrecy of personal data. Where necessary, transmission of data takes place within the scope of an agreement on the processing of data on behalf of another party in order to ensure that data are processed only for the intended purpose and adequate security measures are ensured.
5. Information on transfer of data to the United States
Tools of companies based in the United States are among those incorporated into our website. When these tools are active, your personal data may be transferred to these companies’ servers in the United States. Please note that the United States is not a secure third country within the meaning of EU data protection law. U.S. companies are obligated to turn over personal data to security authorities, without there being any legal action you as the data subject can take to prevent this. Therefore, it is not impossible that U.S. authorities (such as intelligence agencies) may process, analyze, and permanently store those of your data that are present on U.S. servers for surveillance purposes. We have no influence over these processing activities.
6. Duration of storage of data
Where no express duration of storage is stated when the data are collected (for example within the scope of a declaration of consent) or within this Data Protection and Privacy Statement, personal data are erased to the extent that they are no longer necessary in order to fulfill the purpose for which they are stored, except where statutory storage obligations (such as obligations of storage under commercial and tax law) conflict with the erasure thereof.
To the extent that we store personal data exclusively to fulfill storage obligations, these data are typically blocked, with the result that access thereto is possible only if it is necessary with an eye to the purpose of the obligation of storage.
Should you wish your data to be erased or withdraw consent to data processing, the data will be erased as soon as possible unless there is an obligation to store them.
7. Security
We take all necessary technical and organizational security measures to protect your personal data from loss and abuse. Your data are stored in a secure operational environment that is not accessible to the public. SSL or TLS encryption is used on all websites. Your data are encrypted directly during transfer. For security reasons, we will refrain from providing any further information here.
8. Rights of data subjects
Withdrawal of consent
To the extent that you have granted your consent to the processing of personal data, you can withdraw it at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of withdrawal of consent, we will erase the data in question without delay to the extent that there is no legal basis for processing thereof that does not require consent that can be used as the basis for further processing. You can send your withdrawal to datenschutz@dussmanngroup.com, or, alternatively, by mail to Dussmann Stiftung & Co. KGaA, Data Protection Officer, Friedrichstraße 90, 10117 Berlin.
Further rights
You can assert your rights toward the national branch of the Dussmann Group in your country in each case. For the names and addresses of the controller responsible in each case, please see the list of affiliates at or the legal notice of the relevant national branch.
You have the right to obtain from the relevant controller within the Dussmann Group confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to these personal data and the specific information enumerated in Article 15 GDPR.
You have the right to obtain from the relevant controller without undue delay the rectification of inaccurate personal data concerning you and, where applicable, to have incomplete personal data completed (Article 16 GDPR).
You have the right to obtain from the relevant controller the erasure of personal data concerning you without undue delay where one of the specific grounds enumerated in Article 17 GDPR applies, for example if the data are no longer needed for the purposes pursued (right to erasure).
You have the right to obtain from the relevant controller restriction of processing where one of the prerequisites enumerated in Article 18 GDPR applies, for example if you have lodged an objection to the processing.
You have the right to receive the personal data concerning you that you have provided to us in a commonly used and machine-readable format and the right to have the relevant controller transmit those data to another controller (right to data portability, Article 20 GDPR) to the extent that this is feasible in technical terms.
If your personal data have been transferred to a country outside the EU that does not provide an appropriate level of protection, we typically enter into a contract that ensures appropriate protection of personal data. In addition, we use standard data protection clauses accessible via the following URL: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. The controller will then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims (Article 21 GDPR).
You can object to the use of your data for direct marketing purposes at any time without any further considerations. After that, we are no longer permitted to use your data for direct marketing.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the GDPR (Article 77 GDPR). You can exercise this right with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement. For example, the supervisory authority with jurisdiction over Dussmann Stiftung & Co. KGaA in Berlin is the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit), Friedrichstr. 219, 10969 Berlin, Germany. You can also contact a different supervisory authority at any time. For the relevant controllers responsible in your Member State outside Germany, you can contact the authority with jurisdiction there.
An overview of further national and international data protection authorities is available here.
B. Data processing as a result of visiting our Web pages
1. Categories of data; purposes of and legal bases for data processing
When you visit our Web pages and/or enter into a contract with us via the website, we process your personal data. This processing may include the following data:
- Last name, first name
- Address
- Company name
- e-mail address
- Phone/fax number
- Date and time of inquiry
- Content of request (specific page)
- Access status / http status code
- Volume of data transferred in each case
- Website from which the request originates
- Browser type and version
- Language and version of the browser software
- IP address and Internet service provider
- Operating system
- In the case of mobile devices, possibly the manufacturer/type designation
- Good/service
- Bank and credit card information
- Data on health/care
- Message/information in the text field
We process these data in order to operate the Web pages (points (b) and (f) of Article 6(1) GDPR), to perform and finalize the contract (point (b) of Article 6(1) GDPR), and for our own advertising purposes (if you grant your consent pursuant to point (a) of Article 6(1) GDPR or on the basis of our legitimate interests pursuant to point (f) of Article 6(1) GDPR). Furthermore, we use these data to fulfill our statutory obligations toward the German state and federal authorities (such as the Finanzamt (Revenue Office) (point (c) of Article 6(1) GDPR). To enter into a contract with you, we require at least your last name and first name and possibly your address in order to identify you uniquely. We are unable to perform the contracts in question without this information. If you voluntarily provide us with additional information at your own request, we process this information on the basis of point (f) of Article 6(1) GDPR.
2. Log files
When you visit some of our pages, we temporarily store the connection data – what are known as server log files – that your browser automatically transmits to us by default for purposes of system security and stability, to ensure smooth establishment of connections by the website, and for further administrative purposes. These data are:
- Browser type and version
- Operating system used
- Referrer URL
- Host name of accessing computer
- Time of server query
- IP address
The processing takes place on the basis of point (f) of Article 6(1) GDPR. Our legitimate interests include not only system security and stability, but also the analysis of the data on the use of our website, pursuit of legal claims, investigation of criminal acts, and maintenance of our IT security systems.
3. Contact forms
When you use a contact form on our Web pages, the information you provide (including gender, name, company name, address, e-mail, phone, question or comment) is processed so that we can contact you accordingly, your message can be forwarded to the correct contact person at Dussmann, and you can be contacted by this person.
The legal basis for the processing is point (f) of Article 6(1) GDPR, and to the extent that your inquiry concerns entry into a contract, the legal basis for the processing of the data necessary to this end is point (b) of Article 6(1) GDPR. Our legitimate interest consists in responding to your inquiry.
4. Inquiries sent by e-mail, phone, or fax
If you contact us by e-mail, phone, or fax, the information you provide (such as your name, e-mail address, phone number, and question or concern) will be processed by us for purposes of processing your inquiry.
The processing of the data takes place on the basis of point (b) of Article 6(1) GDPR where your inquiry is aimed at entering into a contract or at performance of a contract. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiry addressed to us (point (f) of Article 6(1) GDPR) or your consent (point (a) of Article 6(1) GDPR), where the latter has been requested.
The data you transmit via contact inquiries are erased if and when the purpose for which they are stored has ceased to apply (for example, after processing of your question or concern has been completed) or you request that we erase them or withdraw your consent to storage thereof. Nothing herein affects any non-waivable statutory provisions, particularly the retention periods required by law.
5. Newsletters
If you order a newsletter offered by us, all we need from you is a valid e-mail address. Additional information is voluntary. After you register, our system will send you an e-mail containing an activation link with which you confirm that you have registered to receive the newsletter. This helps us ensure that you are in fact the owner of the e-mail address provided and that you agree to receive the newsletter. We will not include you in the distribution list or send any newsletters to you unless and until you have clicked the activation link to receive newsletters that we send to you in the registration e-mail (“double opt-in” procedure). When you register to receive the newsletter, your IP address and the date and time of registration are stored. This processing takes place on the legal basis of point (a) of Article 6(1) GDPR. You can withdraw your consent at any time with effect for the future by using the contact information stated in the Data Protection and Privacy Statement or via the unsubscribe link contained in every newsletter. We work with service providers such as CleverReach (CleverReach GmbH & Co. KG, CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany) and Evalanche (SC-Networks GmbH, Würmstraße 4, 82319 Starnberg, Germany) to send out our newsletters. For more information on the data processed as a result of the use of CleverReach or Evalanche, please consult the relevant privacy policies at https://www.cleverreach.com/de/datenschutz/ and https://www.sc-networks.de/datenschutz/, respectively. We have entered into processing agreements with CleverReach and SC-Networks GmbH within the meaning of Article 28 GDPR.
We will store the data we have on file for you for the purpose of receiving the newsletters until you unsubscribe from the newsletter and erase them after that, with the exception of the personal data that are necessary in order to demonstrate the permissibility of transmitting the newsletter. From the outset, these data are stored not for the purpose of transmitting the newsletter, but rather for the purpose of demonstrating that transmitting it is permissible. The legal basis for the storage (including the ongoing storage) of these data is point (f) of Article 6(1) GDPR. Our legitimate interest consists in demonstrating the permissibility of transmitting the newsletter.
6. Placement of orders via the online portal
If you submit an inquiry or place an order via an online portal operated by us, required fields are used to elicit data that are necessary in order to prepare an offer, execute the order, and settle these matters. These include your full name, e-mail address, address (payment and billing address), information for performance of the contract, and bank and credit card information. These data are registered in a customer account.
We process the data you enter for the preparation of an offer, order, posting, performance, and finalization of the contractual relationship and to process complaints, follow-up inquiries, and account statements. Where necessary, the data necessary to fulfill the relevant task are transferred to the relevant service employees or an external service company.
The personal data are erased after the purpose is fulfilled or, where they are still necessary in order to perform, finalize, and settle accounts for the contractual relationship or for actions such as complaints, follow-up inquiries, or settlement of accounts or to fulfill statutory obligations, they are blocked and further use thereof is limited to these purposes.
The legal basis for the data processing described above is point (b) of Article 6(1) GDPR and, for the processing of complaints, additionally point (c) of Article 6(1) GDPR.
7. Cookies, tracking pixels and similar technologies
Some of our websites use cookies. “Cookies” are small text files that make it possible to store user-specific information on your device (PC, laptop, tablet, smartphone or similar) while you visit one of our websites (hereinafter collectively referred to as “cookies”). Cookies help us determine how frequently our websites are used and by what number of users and to make our offerings as comfortable, convenient, and efficient as possible for you. Our websites use session cookies (which are erased after the end of the browser session) and persistent cookies (which remain on your device even after the end of the browser session).
In some cases, third-party cookies may also be stored on your device when you visit our website. These cookies allow us and you to use certain services provided by the third-party company (such as cookies used to handle payment services).
Cookies have various functions. Many types of cookies are required for technical reasons, as certain website functions would not work without them. Other cookies serve to analyze user behavior or display advertising.
The duration of storage depends on the specific cookie in question. Details are set out below. Some cookies are erased in less than an hour, while others may be stored on your computer for several years. You can also affect the duration of storage yourself. You can clear all cookies manually at any time via your browser (also see “Right to object” below). Furthermore, cookies that are based on consent are erased once you withdraw your consent at the latest; this does not affect the lawfulness of storage up until that time.
Cookies that are required in order to carry out the electronic communication procedure (required cookies) or to provide certain functions desired by you (such as the shopping cart function) or to optimize the website (such as cookies used to measure the Web audience) are stored on the basis of point (f) of Article 6(1) GDPR unless another legal basis is stated. As the website operator, we have a legitimate interest in storing cookies in order to provide our services in a manner that is optimized and free of errors in technical terms. Where consent to the storage of cookies is requested, the cookies in question are stored exclusively on the basis of your consent (point (a) of Article 6(1) GDPR). You can withdraw your consent at any time.
Cookie consent: To be able to determine whether you have consented to the processing of data in connection with cookies (to the extent necessary), we use, on the basis of our legitimate interest (point (f) of Article 6(1) GDPR), a cookie that informs us of the type of data processing to which you have consented or whether you have not consented.
8. Usercentrics consent management platform
This is a consent management service. Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, is utilized on the website as a processor for the purpose of consent management.
Usercentrics collects log file data and consent data, which enables us to inform the user of his/her consent to certain cookies and other technologies on our website and obtain, manage, and document this consent.
The purpose of data processing is compliance with the statutory obligations and storage of consent.
The legal basis for the processing of the data is point (c) of Article 6(1) GDPR. The goal is to know users’ preferences and take action accordingly.
These data are erased as soon as they are no longer required for our logging purposes. The consent data must be stored for six years in accordance with Sec. 257 of the German Commercial Code (HGB). Proof of withdrawal of consent that has previously been granted is stored for three years. The storage is based, for one thing, on our obligation of accountability pursuant to Article 5(2) GDPR. This obligates us to comply with the processing of personal data in accordance with the General Data Protection Regulation.
For further information on the data protection and privacy practices of Usercentrics, please visit https://usercentrics.com/de/datenschutzerklarung/.
Here is the e-mail address for the data protection officer of the processing company: datenschutz@usercentrics.com.
9. Matomo
Our website uses Matomo, which is a type of analytics software for websites that is operated on EU servers of the provider Matomo. The service provider is InnoCraft Ltd, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. For more information on the data processed as a result of the use of Matomo, please consult the privacy policy at https://matomo.org/privacy-policy/. You can send questions relating to data protection and privacy by e-mail to privacy@matomo.org.
When Matomo is in use, a cookie may be placed on your device, making it possible to track activity and recognize recurring visits, for example. The user’s IP address is automatically truncated (shortened), which makes it impossible to identify individual persons. The data analyzed include the approximate geographic location, device, screen resolution, browser, and the pages visited, including the amount of time spent on those pages.
Where we have obtained your consent, the processing of data takes place on the legal basis of point (a) of Article 6(1) GDPR. In all other cases, it is based on point (f) of Article 6(1) GDPR. Our legitimate interest consists in optimizing our website, improving what we offer, and online marketing.
10. Google Analytics
We use Google Analytics, a Web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics makes it possible to generate statistics regarding website use and the sources thereof. The cookies are stored for two years. We use Google Analytics exclusively for statistical purposes, such as to track how many users have clicked on a certain element or a certain piece of information.
This website also uses the “demographic features” function of Google Analytics. This makes it possible to prepare reports containing statements on the age, gender, and interests of page visitors. These data originate from interest-based Google ads and visitor data from third-party providers. These data cannot be associated with a specific person. You can opt out of use of the activity and information from your Google account by going to “ad settings” at https://adssettings.google.com/authenticated
and checking the box.
Google Analytics is based on cookies. It collects information on your use of our website, including your IP address. To prevent website visitors from being identified based on their IP addresses, we use a special code to ensure that your IP address is disclosed only in truncated, and thus anonymized, form. It is no longer possible to identify individual users based on this truncated IP address. For further information on data protection and privacy in the case of Google Analytics, please click here: https://support.google.com/analytics/answer/2700409.
You can prevent the collection and transfer of data to Google by downloading and installing the plugin available via the following link: https://tools.google.com/dlpage/gaoptout.
You can also adjust the settings at https://adssettings.google.com/anonymous
Finally, you can prevent the storage of cookies via your browser’s general settings.
The term of storage of user and event data associated with cookies, user IDs, and advertising IDs that has been agreed with Google is 14 months.
The use of Google Analytics presupposes your consent, which we have obtained with our cookie popup. According to point (a) of Article 6(1) GDPR, this consent constitutes the legal basis for the processing of personal data as may occur during collection of data by Web analytics tools.
In addition to consent, we have a legitimate interest in analyzing the behavior of website visitors and thereby improving what we offer in technical and economic terms. We use Google Analytics to identify errors and bugs on the website. It also allows us to identify attacks and improve economic efficiency. The legal basis for this is point (f) of Article 6(1) GDPR (legitimate interests). Nonetheless, we use Google Analytics only where you have given consent.
Google processes your data in the United States and other countries. Please note that the Court of Justice of the European Union has held that there is currently no adequate legal of protection for the transfer of data to the United States. This may be associated with various risks to the lawfulness and security of the data processing.
Google uses what are known as standard contractual clauses (Article 46(2) and (3) GDPR) as the basis for the data processing in the case of recipients based in third countries (outside the European Union, Iceland, Liechtenstein, and Norway, meaning particularly in the United States) or disclosure of data to those countries. Standard contractual clauses are sample templates provided by the European Commission with the aim of ensuring that your data comply with the European data protection standards even when they are transferred to third countries (such as the United States) and stored there. Through these clauses, Google commits to observe the European level of data protection during the processing of your relevant data, even if and when the data are stored, processed, and managed in the United States. These clauses are based on an implementing decision by the European Commission. You can find the decision and the relevant standard contractual clauses here, among other places: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914.
The Google Ads Data Processing Terms, which correspond to the standard contractual clauses and also apply to Google Analytics, are available at https://business.safety.google/adsprocessorterms/.
We have entered into a direct customer agreement with Google for the use of Google Analytics by accepting the “Data Processing Addendum” in Google Analytics. For further information on the data processing addendum for Google Analytics, please click here: https://support.google.com/analytics/answer/3379636
11. Use of Google Maps
This website uses Google Maps to display maps and generate driving directions. Google Maps is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
The use of Google Maps presupposes your consent, which we have obtained with our Usercentrics consent management tool. According to point (a) of Article 6(1) GDPR, this consent constitutes the legal basis for the processing of personal data as may occur during collection of data by Google Maps.
In addition to consent, we have a legitimate interest in informing our visitors about our location. The legal basis for this is point (f) of Article 6(1) GDPR (legitimate interests). Nonetheless, we use Google Maps only where you have given consent.
When subpages where Google Maps is incorporated are accessed, information on your use of our website (such as your IP address, the search terms entered, and your coordinates in latitude and longitude) is transferred to Google servers and stored there. Since we have incorporated Google Maps into our website, Google places at least one cookie in your browser. This cookie stores data on your user behavior. As part of this process, personal data may also be transferred to the servers of Google LLC in the United States. Please note that the Court of Justice of the European Union has held that there is currently no adequate legal of protection for the transfer of data to the United States. This may be associated with various risks to the lawfulness and security of the data processing.
Google uses what are known as standard contractual clauses (Article 46(2) and (3) GDPR) as the basis for the data processing in the case of recipients based in third countries (outside the European Union or European Economic Area, meaning particularly in the United States) or disclosure of data to those countries. Standard contractual clauses are sample templates provided by the European Commission with the aim of ensuring that your data comply with the European data protection standards even when they are transferred to third countries (such as the United States) and stored there. Through these clauses, Google commits to observe the European level of data protection when processing your relevant data, even if and when the data are stored, processed, and managed in the United States. These clauses are based on an implementing decision by the European Commission. You can find the decision and the relevant standard contractual clauses here, among other places: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914.
The Google Ads Data Processing Terms, which correspond to the standard contractual clauses and also apply to Google Maps, are available at https://business.safety.google/adsprocessorterms/.
12. Google Ads | Google Ads Conversion Tracking
We use Google Ads and Google Ads Conversion from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Ads allows us to use ads on external websites to draw attention to our attractive offerings. This allows us to determine how successful individual advertising measures are. To do this, we use what are known as ad server cookies, which can be used to measure certain parameters as a metric of success, such as ads shown or clicks by users. If you click on a Google ad and reach our website as a result, Google Ads stores a cookie on your device. These cookies typically expire after 30 days. They are not intended to identify you personally. The cookies allow Google to recognize your Web browser. The information received as a result of the conversion cookie serves to prepare conversion statistics. We determine the total number of users who have clicked on an ad and been redirected to a website with a conversion tracking tag.
We do not collect or process any personal data ourselves as part of the advertising measures mentioned above. All we receive from Google is statistical analyses. We can use these analyses to determine which of the advertising measures used are especially effective. We do not receive further information from the use of the ads; in particular, we cannot identify users based on this information. Based on the marketing tools used, your browser automatically creates a direct connection to the Google server. We have no influence over the scope or further use of the data collected by Google through the use of Google Ads. According to Google, the data are encrypted and stored on secure servers. If you have a user account with Google and are registered, Google can associate the visit with your user account. Even if you are not registered with Google or are not logged in, it is possible that Google may learn and store your IP address.
You can prevent cookies from being installed by erasing existing cookies and disabling the storage of cookies in your Web browser settings. Please note that if you do this, you may not be able to use all of the functions of our website in full. You can also prevent cookies from being stored by adjusting your browser settings to block cookies from the domain “www.googleadservices.com” (https://www.google.de/settings/ads). Please note that this setting will be deleted if you clear your cookies. You can also disable interest-related ads by visiting http://optout.aboutads.info. Please note that this setting will also be deleted if you clear your cookies.
For further information on how Google uses your data, please visit the following Google website: https://policies.google.com/privacy.
If you have consented to the use of Google Ads, the legal basis for the relevant data processing is point (a) of Article 6(1) GDPR (consent). We also have a legitimate interest in measuring the efficiency of individual ads, offerings, and functions of our informational offerings in cooperation with our service providers in accordance with point (f) of Article 6(1) GDPR. However, we use Google Ads only if you have consented.
Within the scope of the use of Google Ads, personal data may also be transferred to the servers of Google LLC in the United States. Please note that the Court of Justice of the European Union has held that there is not currently an adequate level of protection for the transfer of data to the United States. This may be associated with various risks to the lawfulness and security of the data processing.
Google uses what are known as “standard contractual clauses” as the basis for data processing in the case of recipients based in third countries outside the European Union (meaning the U.S. in particular) or disclosure of data to recipients in these countries. These clauses are based on an implementing decision by the European Commission. You can find the decision and the relevant standard contractual clauses here, among other places: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914.
The data processing terms for Google advertising products, which are in keeping with the standard contractual clauses and also apply to Google Ads, are available at: https://business.safety.google/adscontrollerterms/.
13. Use of YouTube
We use the provider YouTube in order to be able to present videos to you. YouTube is a video portal that is a subsidiary of Google. The video portal is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you access a page of our website that has a YouTube video embedded, your browser automatically connects with the servers of YouTube and/or Google. Various kinds of data are transferred during this process (depending on the settings). Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is the controller responsible for all data processing in Europe.
We use embedded YouTube videos in privacy-enhanced mode. According to information provided by YouTube, this means that YouTube does not store any cookies for a user who displays a website with an embedded YouTube video player, but does not click on the video to launch playback. However, privacy-enhanced mode does not necessarily mean that data will not be shared with YouTube partners. For example, regardless of whether you watch a video, YouTube creates a connection to the Google DoubleClick network.
If the YouTube video player is clicked, YouTube can store cookies on the user’s device (PC, laptop, tablet, smartphone or similar) or use comparable recognition technologies. In this way, YouTube may receive information about visitors to this website. This information is used for various purposes, including to compile video statistics, improve user friendliness, and prevent attempted fraud. Further data processing operations may be triggered after a YouTube video is launched, but we have no influence over these. We do not store any personal cookie information for playback of embedded videos.
The use of YouTube takes place exclusively based on your consent via the Usercentrics consent management tool. The legal basis is point (a) of Article 6(1) GDPR. You can withdraw consent at any time.
Google stores the data collected for periods of differing length. You can erase some data at any time, while others are automatically erased after a limited period and still others are stored by Google for a longer time. Some data (such as elements of “My Activity,” photos or documents, products) that are stored in your Google account remain stored until you erase them. Even if you are not logged in to a Google account, you can erase some data associated with your device, browser, or app.
YouTube processes data in the United States and other countries. Please note that the Court of Justice of the European Union has held that there is currently no adequate legal of protection for the transfer of data to the United States. This may be associated with various risks to the lawfulness and security of the data processing. YouTube uses standard contractual clauses approved by the European Commission (= Article 46(2) and (3) GDPR) as the basis for the data processing in the case of recipients based in third countries (outside the European Union, Iceland, Liechtenstein, and Norway, meaning particularly in the United States) or disclosure of data to those countries. These clauses obligate YouTube to comply with the EU level of data protection during the processing of relevant data, including outside the EU. These clauses are based on an implementing decision by the European Commission. You can find the decision and the clauses here, among other places: https://germany.representation.ec.europa.eu/index_de.
Since YouTube is a subsidiary of Google, the privacy policy is a joint one. If you wish to learn more about how your data are used, we recommend that you read this privacy policy at https://policies.google.com/privacy.
14. Facebook fan page
We operate what are known as “fan pages” on Facebook. These are websites that are offered on the Facebook platform in order to present ourselves as a company and connect with others, such as customers and prospective customers. The service provider is U.S.-based Meta Platforms Inc. (hereinafter “Facebook”). For Europe, the controller responsible is Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).
Joint status of controller with Facebook
We share the status of controller with Facebook for the phase involving collection and use for statistical preparation of your data; the processing takes place when you visit our fan page. The information below is provided to comply with our obligation to provide information within the scope of our joint status as controllers. When you visit our fan page, personal data are processed by Facebook, including in the form of your IP address and further information present on your device in the form of cookies. This applies both to visitors who have a Facebook account and those who are not registered with Facebook. To find out specifically which data are processed, please see the information about page insights data provided by Facebook: https://www.facebook.com/legal/terms/information_about_page_insights_data.
The results of this processing are then provided to us, as the operator of the fan page, by Facebook in aggregated, statistical, and anonymized form as user statistics.
The data about you collected in this context are processed by Facebook and may be transferred to countries outside the European Union in the process. Facebook describes which data Facebook processes for further purposes of its own in its data policy, accessible via the following link: https://de-de.facebook.com/policy.php.
This page also contains information on ways to contact Facebook and how to adjust your ad settings. We have no influence over this further processing of data by Facebook. Facebook remains the sole controller responsible for the processing of such personal data in conjunction with visits to fan pages that do not fall under our shared status as controllers.
Facebook processes your data in the United States and other countries. Please note that the Court of Justice of the European Union has held that there is currently no adequate legal of protection for the transfer of data to the United States. This may be associated with various risks to the lawfulness and security of the data processing.
Facebook uses what are known as standard contractual clauses (= Article 46(2) and (3) GDPR) as the basis for the data processing in the case of recipients based in third countries (outside the European Union, Iceland, Liechtenstein, and Norway, meaning particularly in the United States) or disclosure of data to those countries. Standard contractual clauses (SCCs) are sample templates provided by the European Commission with the aim of ensuring that your data comply with the European data protection standards even when they are transferred to third countries (such as the United States) and stored there. Through these clauses, Facebook commits to observe the European level of data protection during the processing of your relevant data, even if and when the data are stored, processed, and managed in the United States. These clauses are based on an implementing decision by the European Commission. You can find the decision and the relevant standard contractual clauses here, among other places: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32021D0914.
If you visit our fan page while you are logged in to Facebook as a user, a cookie containing your Facebook ID will be placed on your device. This allows Facebook to track that you have visited our fan page and how you used it. This also applies to all other Facebook pages. If you wish to prevent this, you should log out of Facebook or deactivate the “stay logged in” function, erase the cookies present on your device, and close and relaunch your browser.
In the agreement entered into with us (accessible at https://www.facebook.com/legal/terms/page_controller_addendum),
Facebook agrees to assume primary responsibility as a controller pursuant to the GDPR for the processing of what are known as “insights data” and to fulfill all obligations arising from the GDPR with regard to the processing of these insights data. We do not make any decisions regarding the processing of insights data or any other information arising from Article 13 GDPR. For the key points of the agreement, please visit
https://www.facebook.com/legal/terms/information_about_page_insights_data.
Should you wish to exercise a right to which you are entitled as a data subject (for information on these rights, please see Sec. E.3 below) pursuant to the GDPR, please note that we may not be able to fulfill these rights in full on our own. It would therefore definitely be more effective for you to contact Facebook directly. Facebook provides information on your rights with regard to page insights here:
https://www.facebook.com/legal/terms/information_about_page_insights_data.
With regard to page insights and our joint status as controllers with Facebook, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. For information on how you can exercise your right to object, please visit
https://www.facebook.com/legal/terms/information_about_page_insights_data.
Should you still need help, please feel free to contact us. We will then forward your inquiry to Facebook to the extent that it relates to insights data.
The processing of personal data of visitors serves to provide the fan page and for purposes of statistical analysis of the use of our fan page. This analysis takes place on an anonymized basis for us. The legal basis for the data processing is point (f) of Article 6(1) GDPR. Our legitimate interests with respect to the collection of personal data when you visit the fan page and to the preparation of statistical analyses are: communication and interaction with potential customers and customers; distributing information about our company; anonymized analysis and depiction of the use of the fan page and creation of pseudonymous use profiles regarding the use of our website by the visitors to our informational offerings. If you have consented to your data being processed and stored by Facebook, this consent is deemed to constitute the legal basis for the data processing (point (a) of Article 6(1) GDPR). We use Facebook only if you have consented. You can withdraw consent at any time.
In principle, Facebook stores data until they are no longer required for its own services and Facebook products. Facebook has servers all over the world where its data are stored. Data are not erased completely unless you delete your Facebook account entirely.
The Facebook data processing terms corresponding to the standard contractual clauses are available at https://www.facebook.com/legal/terms/dataprocessing. For more information on the data processed as a result of the use of Facebook, please consult the privacy policy at https://www.facebook.com/about/privacy.
Our sole responsibility as controller
In addition to the foregoing, we process data from your use of the fan page that you voluntarily provide (for example in a comment) for the purpose of responding to your inquiries and communicating with you and to publish information regarding the content offered on the fan page or information belonging to us. The legal basis for processing is point (f) of Article 6(1) GDPR and, to the extent that an inquiry concerns entry into a contract, point (b) of Article 6(1) GDPR. The legitimate interest consists in effectively providing information to users, customers, and potential customers and communicating with these persons. If you have consented to your data being processed and stored by Facebook, this consent is deemed to constitute the legal basis for the data processing (point (a) of Article 6(1) GDPR). We use Facebook only if you have consented. You can withdraw consent at any time.
You are welcome to contact us and assert the rights to which you are entitled as a data subject toward us to the extent that the matter concerns the data we process on our own responsibility as the controller. However, to the extent that your rights concern processing that takes place purely within Facebook’s sphere of responsibility as the controller, please note in advance that the options available to us in the event that your rights are exercised are limited to referring you to the appropriate bodies of Facebook.
15. Social media links
Some of our websites contain links to other websites, such as Facebook, Instagram, Twitter, Xing, and LinkedIn. These are purely links, not plugins. The relevant providers are required to ensure responsibility for operation in compliance with data protection and privacy laws and regulations. We have no influence over whether the operators comply with the data protection terms. If you would like more information on their data processing, please consult the specific data protection and privacy policies posted on these providers’ websites.
C. Data processing within the cooperative relationship with business partners
E. Changes to this Data Protection and Privacy Statement
To ensure that the information we provide on data protection and privacy is always in keeping with the current statutory specifications, we reserve the right to make changes at any time. This also applies in the event that the information on data protection and privacy requires adjustment due to new or revised offerings or services.
Should you have any questions or suggestions concerning this Data Protection and Privacy Statement, please feel free to contact us. We are delighted that you entrust your data to us.
Last updated September 8, 2022