Data Privacy Statement
We take the protection of your personal data very seriously during the collection, processing and use of the data with regard to your visit to our website and would like you to know when we collect what data and how we use the data. We have taken technical and organisational measures which ensure that the data protection rules are observed by us as well as by any service providers.
This Data Privacy Statement will explain to you the type, scope and purpose of the processing of personal data (hereinafter referred to as 'data' for short) within our website and its affiliated websites, functions and contents as well as our external online presences such as our social media profiles (hereinafter referred to as the 'online presence').
The controller for the collection, processing and use of your personal data in accordance with Article 4(7) of the General Data Protection Regulation (GDPR) is
Spirit of Artramon
Tel.: +49-(0)4532-21 500
Types of data processed
- Master data (e.g. your name and address)
- Contact data (e.g. your email address and telephone number)
- Content data (e.g. your text entries on our site as well as photographs and videos that you upload)
- Usage data (e.g. the sub-pages visited by you and access times)
- Meta/communications data (e.g. device information, IP addresses)
We also process the
- contract data (e.g. subject matter of the contract, term of the contract, customer category)
- payment data (e.g. bank account details, payment history)
of our customers, interested parties and business partners for the purpose of contractual performance as well as service and customer care.
Categories of data subjects
Visitors and users of the online presence (hereinafter referred to as 'users'), customers, interested parties, business partners
Purpose of the processing
- Provision of the online presence, its functions and its contents
- Responding to contact requests and communication with users
- Security measures
- Reach measurement/marketing
- Sale of goods
Terms used in this document
- 'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).
- 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the GDPR).
- 'Profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements (Article 4(4) of the GDPR).
- 'Pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Article 4(5) of the GDPR).
- 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7) of the GDPR).
- 'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).
Relevant legal bases
Article 13 of the GDPR states that we shall provide you with the legal bases for the processing. Where the legal basis is not explicitly specified within the following Data Privacy Statement, the following applies:
- The legal basis for the collection of consents is Article 6(1)(a) and Article 7 of the GDPR.
- The legal basis for the processing for the performance of our services and the carrying out of contractual measures as well as responding to queries is Article 6(1)(b) of the GDPR.
- The legal basis for the processing for compliance with our legal obligations is Article 6(1)(c) of the GDPR.
- The legal basis for the processing for the safeguarding of our legitimate interests is Article 6(1)(f) of the GDPR.
- The legal basis in the case that vital interests of the data subject or of another natural person necessitate the processing of personal data is Article 6(1)(d) of the GDPR.
In order to secure your data, we maintain technical and organisational measures in accordance with Article 32 of the GDPR, which we always adapt to the state of the art.
In particular, the measures include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data.
We have set up processes that ensure that data subjects can exercise the right to erasure of data and that any threat to the data is responded to.
Furthermore, we take the protection of personal data into account through technology design ('privacy by design') and through privacy-friendly default settings ('privacy by default') in accordance with Article 25 of the GDPR.
Your personal data is transmitted by us in encrypted form. This applies to all communication carried out via our website. We use the SSL (Secure Sockets Layer) encryption system. Please note that data transmissions via the Internet (e.g. email communication) cannot be entirely secure and may have security vulnerabilities.
Cooperation with processors and third parties
In cases where we disclose data to processors or third parties, transmit data to them or otherwise grant them access to the data within the context of our processing, this is carried out exclusively on a lawful basis, e.g. if you have given consent in accordance with Article 6(1)(a) of the GDPR, the transmission is necessary for the performance of a contract in accordance with Article 6(1)(b) of the GDPR, it is necessary for compliance with a legal obligation in accordance with Article 6(1)(c) of the GDPR or for the purposes of our legitimate interests in accordance with Article 6(1)(f) of the GDPR.
Disclosure to processors is carried out on the basis of the processing contract concluded with the processor in accordance with Article 28 of the GDPR.
Transmission to third countries
The transmission of data to a third country, e.g. when using the services of third parties, will only be carried out if you have given consent, on the basis of a legal obligation or on the basis of our legitimate interests in accordance with the legal bases specified above. Subject to other legal or contractual permissions, we process data or have data processed in a third country only if the conditions of Article 44 ff. of the GDPR (e.g. on the basis of special guarantees such as the officially recognised establishment of a level of data privacy corresponding to that of the EU [e.g. through the 'Privacy Shield' for the USA] or compliance with officially recognised special contractual obligations [known as 'standard contractual clauses']) are satisfied.
Rights of the data subject
- Right of confirmation and right of access: In accordance with Article 15 of the GDPR, you have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data concerning you being processed in addition to a copy of these data.
- Right to rectification: In accordance with Article 16 of the GDPR, you have the right to obtain the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.
- Right to erasure: In accordance with Article 17 of the GDPR, you have the right to obtain the erasure of personal data concerning you without undue delay.
- Right to restriction of processing: Under the conditions of Article 18 of the GDPR, you have the right to obtain restriction of processing of your personal data.
- Right to data portability: In accordance with Article 20 of the GDPR, you have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller where technically feasible.
- Right to withdraw consent: In accordance with Article 7(3) of the GDPR, you have the right to withdraw your consent to the future processing of your personal data at any time.
- Right to object: In accordance with Article 21 of the GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
You can exercise the rights specified above at any time by contacting the controller specified above or the Data Protection Officer specified above.
- Right to lodge a complaint with a supervisory authority: In accordance with Article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority.
Erasure of data
Unless explicitly stated otherwise, the data stored by us will be erased in accordance with Article 17 of the GDPR as soon as they are no longer necessary in relation to their intended purposes, provided that this is not barred by any legal obligations to preserve data.
If the data are not deleted because they are necessary for other lawful purposes then their processing will be restricted in accordance with Article 18 of the GDPR, i.e. the data will be blocked and not processed for other purposes. This applies for data that must be preserved for reasons of commercial law or tax law, for example. In accordance with the statutory provisions in Germany, the data is to be retained in particular for 10 years in accordance with Section 147(1) Nos 1, 4 and 4a and Subsection 3 of the German Tax Code (AO), Section 257(1) Nos 1 and 4 and Subsection 4 of the German Commercial Code (books, records, reports, accounting documents, books of account, documents relevant for taxation, etc.) and 6 years in accordance with Section 147(1) Nos 1, 2, 3 and 5 and Subsection 3 of the German Tax Code (AO), Section 257(1) Nos 2 and 3 and Subsection 4 of the German Commercial Code (commercial letters).
Operation of the website and access to the website
The hosting services of our hosting provider used by us serve to provide the following services: infrastructure and platform services, computing capacity, storage capacity and database services, security services and technical maintenance services that we use to operate the website.
In so doing, we process or our hosting provider processes master data, contact data, content data, contract data, usage data, metadata and communications data of customers, interested parties and visitors to this online presence on the basis of our legitimate interests in the efficient and secure provision of this online presence in accordance with Article 6(1) sentence 1(f) of the GDPR in connection with Article 28 of the GDPR.
We or our hosting provider also process access data. These include:
- the name and URL of the accessed file
- the date and time of the access
- the data volume transferred
- the HTTP response code for successful data transfer
- the browser type and version
- the operating system
- the referrer URL (i.e. previously visited page)
- websites accessed by the user's system through our website
- the Internet service provider of the user
- the IP address and requesting provider
Without associating them with your identity or other profiling, we use these log data for the purpose of the operation, security and optimisation of our online presence, for the anonymised recording of the number of visitors to our website, to measure the scope and type of use of our website and services, for invoicing purposes and in order to measure the number of hits received from cooperation partners. Based on this information we can provide personalised and location-based content and analyse data traffic, search for and correct errors and improve our services.
Therein lies our legitimate interest in accordance with Article 6(1)(f) of the GDPR as well.
We reserve the right to inspect the log data if there is any concrete evidence justifying suspicion of unlawful use. We store IP addresses in the log files for a limited period of time if this is necessary for security purposes or for the performance or invoicing of services, e.g. if you make use of one of our offers. After the order transaction is cancelled or after payment is received we will delete the IP address if it is no longer necessary for security purposes. We will also store IP addresses if we have concrete suspicion of a criminal act in connection with the use of our website.
When a user contacts us (e.g. by email, by telephone call or through social media), the user's data will be processed for the processing of the contact request and its handling in accordance with Article 6(1)(b) of the GDPR. Our legitimate interest in the processing of your transmitted data in accordance with Article 6(1)(f) of the GDPR also lies in responding to your request.
We will delete the requests once they are no longer necessary. We regularly review their necessity, every two years at the latest. In addition, the statutory obligations regarding archiving apply.
Google is certified under the Privacy Shield agreement and thereby offers a guarantee that it will comply with EU data privacy laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf in order to evaluate the use of our online presence by users, to compile reports about their activities within this online presence and to perform further services for us relating to the use of this online presence and Internet use. In doing so, pseudonymised usage profiles of the users can be created from the processed data.
We only use Google Analytics with active IP anonymisation. This means that the IP address of users will be shortened by Google within the member states of the European Union or other contractual states of the Treaty on the European Economic Area. Only in exceptional cases will the whole IP address first be transferred to a Google server in the USA and truncated there.
The IP address transmitted by the browser of the user will not be merged with other data held by Google. Users can prevent the installation of cookies by adjusting browser settings accordingly; in addition, users can prevent Google from collecting and processing the data generated by the cookie relating to their use of the website by downloading and installing the browser plugin available through the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
For further information concerning the use of data by Google as well as setting options and options to object, please view the Google Data Policy (https://policies.google.com/privacy) as well as the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).
Users' personal data will be deleted or anonymised after 14 months.
Order processing in the online shop
We process the data of our customers within the context of order transactions in our online shop in order to enable you to select and order the selected products and services as well as to pay for the order and delivery or performance.
The data processed includes master data, communications data, contract data and payment data and the data subjects of the processing include our customers, interested parties and other business partners. The processing is carried out for the purpose of performing contractual services within the context of the operation of our online shop, invoicing, delivery and customer service.
The processing is carried out on the basis of Article 6(1)(b) (processing of order transactions) and (c) (legal obligation to archive) of the GDPR. The information marked as required for this is necessary for the establishment and performance of the contract. We will only disclose the data to third parties within the framework of delivery or payment or within the framework of the statutory permissions and obligations with regard to legal counsel and authorities. The data will only be processed in third countries if this is necessary for the performance of the contract (e.g. upon delivery or payment at the request of the customer).
Within the framework of the use of our online services we store the IP address and the time of the respective user action. The storage is carried out on the basis of our legitimate interests as well as those of users in protection against the misuse and other unauthorised use of the data. These data will never be transferred to third parties unless this is necessary for the pursuing of our claims or there is a legal obligation to do so in accordance with Article 6(1)(c) of the GDPR.
The data will be deleted once the statutory warranty obligation and comparable obligations have expired; the necessity of the preservation of the data will be reviewed every three years; in the event of a statutory obligation to archive the data, the data will be deleted after this obligation expires (end of the obligation to preserve data in accordance with commercial law [6 years] or tax law [10 years]).
Changes to this Data Privacy Statement
We revise this Data Privacy Statement when changes are made to our website or for other reasons requiring this. The current version can always be found on our website.
Data Privacy Statement last updated: 25 May 2018.