Data Security Policy
Kay Knipschild e.K.
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more specific factors.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broadly defined and includes practically any handling of Data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Kinds of processed data
- Master data (e.g. name, addresses)
- Contact details (e.g. email address, phone numbers)
- Usage data (e.g. visited websites, interests in contents, times of access)
- Meta/Communication data (e.g. device information, IP addresses)
- Contract data (e.g. subject matter of the contract, term, category of customer)
- Payment data (e.g. bank details, payment history)
Categories of Data Subjects
Visitors and Users of the Online Offer (we refer to Data Subjects hereinafter collectively also as “Users” or “You”).
Purpose of Processing
- Providing the Online Offer, its functions and contents
- Answering contact enquiries and communicating with Users
- Security measures
- Reach measuring/marketing
- Fulfilling obligations under the law or imposed by supervisory authorities
Relevant Legal Basis
The Processing made in the context of executing Your order is based on Article 6 (1) lit. b) (execution of orders) and lit. c) (legally required archiving) GDPR. In this regard, the information marked by us as “required” is needed to conclude and fulfill the contract.
You have the option to create a customer account where You can, for example, view Your orders. In the course of the registration, You will be told which mandatory information is required. The customer accounts are not publicly accessible and cannot be indexed by search engines. If You have terminated Your customer account, Your Data with regard to the customer account will be deleted, unless it is necessary to store the Data for reasons of commercial or tax law in accordance with Article 6 (1) lit. c) GDPR. If You terminate Your customer account, it is Your responsibility to back up Your Data prior to the end of the contract.
In the course of the registration and repeated login, and when using our online services, we will store the IP address and the time of the respective User action. The Data will be stored based on our justified interests and also based on Your interest in being protected against abuse and other unauthorized use. The Data will generally not be transferred to third parties, unless this is required to successfully pursue our claims or there is a legal obligation to do so according to Article 6 (1) lit. c) GDPR.
The Data will be deleted after the expiration of statutory warranty and similar obligations.
In accordance with Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Cooperation with Processors and Third Parties
If, in the course of the Processing, we disclose Data to other persons and companies (Processors or third parties), transfer Data to them or otherwise grant them access to the Data, this will be done solely on the basis of a legal permission (e.g. when the transfer of Data to a third party, such as a payment services provider, is required according to Art. 6 (1) lit. b) GDPR for the fulfillment of the contract), if You have given Your consent, if a legal obligation requires us to do so or if the transfer is based on our legitimate interests (e.g. engaging representatives, webhosting service providers etc.).
We share Your Data with third parties in the context of the delivery of goods or payment and, to the extent legally permitted or required, with legal advisers and authorities.
External Payment Service Providers
Within the scope of the fulfillment of contracts with You, we engage external payment service providers on the basis of Art. 6 (1) lit. b) GDPR. We furthermore engage external payment service providers based on our justified interests according to Art. 6 (1) lit. f) GDPR, in order to offer our Users effective and safe payment options.
The Data processed by the payment service providers includes master data, e.g. the name and address, bank details such as bank account numbers or credit card numbers, passwords, TANs and checksums, as well as information relating to the contract, the sums and the recipient. Such data are required to execute the transactions. Payment Data will only be processed and stored by the payment service providers. This means that we will not receive any information relating to accounts or credit cards but merely information with positive or negative confirmation of the payment. Under certain circumstances, the Data will be transferred to credit bureaus by the payment service providers. This transfer has the purpose of checking identities and credit ratings. In this regard, we refer to the general terms and conditions and the privacy policies of the respective payment service providers.
The general terms and conditions and the privacy policies of the respective payment service providers apply to payment transactions and can be accessed on the respective websites or in the respective transaction apps. We refer to these documents for further information and to the extent that Data Subject rights such as the right to object or the right of access shall be asserted.
Transfer to Third Countries
Where we Process Data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or where Data is being Processed in a third country in the context of using the services of third parties, or disclosing or transmitting Data to third parties, the Processing will only be made if it is necessary to fulfil our (pre-)contractual obligations, if You have given Your consent, if there is a legal obligation or if we have a legitimate interest to do so. Subject to legal or contractual permissions, we Process Data or arrange for the Processing of the Data in a third country only if the special conditions of Art. 44 seqq. GDPR are fulfilled. This means that the Processing takes place in the third country, e.g. on the basis of special guarantees such as an officially recognized adequacy decision confirming that the data protection level of the third country is equivalent to that of the EU (so-called “adequacy decision”), a “Privacy Shield” certification of the organization to which the Data is transferred or the observation of recognized special contractual obligations (so-called “standard contract clauses”).
Rights of Data Subjects
You have the right to request a confirmation on whether Data relating to You is processed and to obtain information about this Data and further information, as well as a copy of the Data according to Article 15 GDPR.
You have the right according to Article 16 GDPR to request the completion of your Data or the correction of Your inaccurate Data.
In accordance with Article 17 GDPR, You have the right to demand that the relevant Data is deleted immediately or, alternatively, in accordance with Article 18 GDPR, that the processing of the Data is restricted.
You have the right to receive the Data about You, which You have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit this Data to another Controller in accordance with Article 20 GDPR.
Furthermore, according to Article 77 GDPR, You have the right to lodge a complaint with the competent supervisory authority.
Right of Revocation
You have the right to revoke any consents given with effect for the future according to Article 7 (3) GDPR.
Right to Object
You can object at any time to the future processing of Your Data pursuant to Article 21 GDPR. The right to object can be exercised in particular with regard to the processing for the purposes of direct marketing.
Cookies and Right to Object to Direct Marketing
“Cookies” are small files that contain small amounts of information that are stored on computers or mobile devices of Users when the Users are visiting a website. On subsequent website visits, cookies will be returned to the original website or another website that recognizes the respective cookie. Cookies are primarily used to ensure a proper or efficient functioning of the website and to provide the website operator with information.
Cookies fulfill a number of functions. For example, they allow for easier navigation between various pages, the saving of Your settings and a general improvement of Your User experience. Cookies can tell us, e.g. if You have visited the website previously or if You are a new visitor. They can also help us ensure that ads that You view online have higher relevance to You and Your interests.
There are essentially two kinds of cookies:
- our own cookies that we store directly on Your computer or Your mobile device;
- cookies of third-party providers that are stored by them for us and that can be used by us for various purposes relating to functionality, performance/analysis, advertising/tracking and social networks.
Cookies can remain on Your computer or mobile device for different lengths of time. Some cookies are “session cookies”; these are stored only temporarily for the duration of a session and they expire when You close Your browser. Other cookies are permanent cookies; these will remain on Your computer or mobile device for a defined period and will not be deleted when You close the browser. Permanent cookies can be used by the website to recognize Your computer or mobile device when You reopen Your browser and surf the internet.
- enabling, simplifying and improving Your access to and the functioning of the website;
- tracking data flows and user behavior in connection with the website;
- understanding how many users use our website regularly and which operating systems (e.g. Windows or Mac OS) and internet browsers (e.g. Firefox, Chrome or Internet Explorer) they use for this;
- monitoring and continuously improving the website performance;
- customizing and improving Your online experience according to Your personal preferences.
The kind of cookies that are used in connection with the website can be classified into four categories: “cookies that are required for our fundamental purposes”, “functions cookies”, “performance and analysis cookies” and “advertising and tracking cookies”. Below, we have compiled further information about each category, also providing information about the respective purpose of the cookies set by us or a third party.
Cookies that are required for fundamental purposes:
- to display to You that You are logged in; and
- to save Your access settings.