A. Name and Address of the Controller and Data Protection Officer
A.1 The Controller
Paul Pfanzelt is the controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states and other data protection regulations. For more information, please refer to the Imprint on our website.
A.2 The Data Protection Officer
The controller’s data protection officer is
Dr. Thomas Tetzner, Solicitor
Van-Gogh-Str. 3, 81479 München
B. Principles of Data Protection
B.1 General Information on Data Processing
a.Scope of Personal Data Processing
We collect and use personal data of our users essentially only to the extent necessary to provide a functioning website and our content and services. Personal data are usually collected and used only after consent by the data subjects. An exception to this are cases in which it is not possible to obtain previous consent for valid reasons and the processing of data is permitted by legal regulations. We transmit personal data to third parties only if this is indispensable in the context of contract processing, for instance to companies entrusted with the delivery of the ordered products or the credit institution contracted to process payments. Data is not transmitted outside of this or is transmitted only if you expressly consented to transmission. We do not forward your data to third parties without express consent, for example for marketing purposes.
b.Legal Basis for the Processing of Personal Data
If we obtain consent from the data subject for personal data processing operations, the legal basis for the processing of personal data is Art. 6 (1) lit. a GDPR. During the processing of personal data, which is necessary to perform a contract involving the data subject as a contractual party, the legal basis is Art. 6 (1) lit. b GDPR. This also applies to processing operations that are necessary to implement pre-contractual measures. If processing of personal data is necessary to perform a legal obligation of our company, the legal basis is Art. 6 (1) lit. c GDPR. If the processing is necessary to guarantee a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override such a legitimate interest, the legal basis of processing is Art. 6 (1) lit. f GDPR.
c. Data Erasure and Storage Period
The data subject’s personal data will be erased or made unavailable as soon as the purpose of storage no longer applies. Furthermore, data can be stored if this is stipulated by the European or national legislator in Union regulations, laws or other policies applicable to the controller. Data are made unavailable or erased also if the retention period prescribed by the above-mentioned standards, unless further retention of data is necessary for a contract conclusion or contract performance.
B.2 Right to Information
In accordance with Art. 15 GDPR, you have the right to obtain confirmation from us as to whether your personal data are being processed by us; if this is the case, then you have the right to access your personal data and receive the following information:
- the purposes of the processing
- the categories of personal data being processed
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine this period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority [sic: bullet point missing] where the personal data are not collected from the data subject, any available information as to their source [sic: bullet point missing] the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
B.3 Right to Data Transfer
In accordance with Article 20 GDPR, you have the right to have the data that we process by automated means on the basis of your consent or to perform a contract sent to yourself or to a third party in a commonly used, machine-readable format. If you request direct transmission of data to another controller, this will be done only where technically feasible.
B.4 Right to Rectification
In accordance with Art. 16 GDPR, you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
B.5 Right to Erasure
In accordance with Art. 17 GDPR, you have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies[:] processing is no longer necessary for exercising the right of freedom of expression and information; processing is no longer necessary for compliance with a legal obligation; processing is no longer necessary for reasons of public interest or for the establishment, exercise or defence of legal claims[.] The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
You withdraw your consent on which the processing is based according to point Article 6 (1), lit. a or Article 9 (2) lit. a GDPR, and where there is no other legal ground for the processing. You object to the processing pursuant to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) GDPR. The personal data have been unlawfully processed. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
B.6 Right to Restriction of Personal Data Processing
In accordance with Art. 18 GDPR, you have the right to obtain from us the restriction of personal data processing where one of the following applies: the accuracy of the personal data is contested by you for a period enabling us to verify the accuracy of the personal data; the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead, we no longer need the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims; or you have objected to processing pending the verification of whether the legitimate grounds of the controller override yours.
B.7 Right to Withdraw the Granted Consent
You have the right to withdraw your declaration of consent relating to data protection at any time. By withdrawing consent, the legality of the processing that took place until withdrawal on the basis of consent will not be affected.
B.8 Right to Object
In accordance with Art. 21 GDPR, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 (1) lit. e or f GDPR; this applies also to profiling based on these provisions.
We will no longer process your personal data unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this applies also to profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. If you would like to exercise your right to withdraw or object, just send us an e-mail.
B.9 Right to Lodge a Complaint with a Supervisory Authority
In accordance with Art. 77 GDPR, without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you believe that the processing of personal data relating to you infringes the provisions of the GDPR or another data protection provision. You can access a list of data protection officers and their contact information by visiting the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html
C. Principles of Data Protection in Connection with the Provision and Use of Our Website
C.1 Data Processing on Visits to Our Website
When you visit our websites, the browser you use on your device automatically sends information to our website server. This information is temporarily stored in a log file. The following information is collected in this process without your involvement and stored until automated erasure: IP address of the requesting computer, date and time of access, name and URL of the accessed file, website, referrer URL, browser used and, if applicable, your computer’s operating system and the name of your access provider. The above-mentioned data are processed by us for the following purposes: to guarantee smooth connection to the website, to guarantee convenient use of our website and to evaluate system security and stability. The legal basis for the data processing is Art. 6 (1), sentence 1, lit. f GDPR. Our legitimate interest arises from the above-mentioned purposes of data collection. We never use the collected data in order to draw conclusions about your person. The above-mentioned data will be deleted as soon as their storage is no longer necessary to achieve the purpose. In case of data collection to provide the website, this occurs once the respective session is over. When storing data in log files, the data are anonymized by shortening the IP address on the domain level at the latest seven days after data collection, so it is no longer possible to link it to the individual user. In addition, the data are processed in anonymized form for statistical purposes; the data are not compared to other data sets or passed on to third parties, even partially. The number of page visits is shown only in the scope of our server statistics. The collection of data for the provision of the website and the storage of data in log files is imperatively necessary for the operation of the website. In consequence, the user does not have the option of objecting. More information about the data processed when visiting our website is provided in the following sections of this data privacy statement.
C.2 Data Processing in Connection with Our Newsletter
We use the double opt-in method for signing up to our newsletter. After you sign up, we send you an e-mail to the provided e-mail address requesting confirmation that you would like to receive our newsletter. If you do not confirm your registration within 25 hours, your information will be made unavailable and automatically erased after one month. Providing an e-mail is sufficient to receive the newsletter.
In addition, the following data will be collected on registration:
(1) IP address of the accessing computer
(2) date and time of registration
If you expressly granted your consent in accordance to Art. 6 (1), sentence 1, lit. a GDPR, we use your e-mail address to regularly send you our newsletter.
The data will be erased as soon as we stop sending out our newsletters or the newsletter subscription you desired is active [sic?]. You can unsubscribe at any time, for example by following a link at the end of each newsletter. Alternatively, you can request to be unsubscribed at any time by sending us an e-mail.
C.3 Data Processing When Using Our Contact Forms
In case of questions of any kind, you can get in touch with us using the form and contact information provided on our website. You will need to provide a valid e-mail address and additional information, so that we know who sent us the request and to where it is directed, allowing us to address it. You can provide other information voluntarily. The data processing for the purpose of contact with us is based on your voluntarily granted consent in accordance with Art. 6 (1), sentence 1, lit. a GDPR. The personal data we collect for the use of the contact forms will be automatically erased once your request has been addressed.
C.4 Data processing for mail order business with us
If you purchase goods from our website, personal data will be collected and processed within the scope of concluding a contract. In this connection, we will process the data you provide in the order process. These include your name and the address at which you wish to receive the ordered goods.
If the processing of data is necessary for the conclusion of the contract, Article 6(1) point (b) GDPR will constitute the permission standard for the data processing. For all other data, Article 6(1) point (a) GDPR (consent) applies.
The personal data collected by us in this connection will be automatically erased once the order you have placed is completed, unless any commercial and tax law provisions require otherwise.For the delivery of the goods you have ordered, we will use the services of shipping providers, to whom we will only provide your name and address. To that extent, Article 6(1) point (b) GDPR shall constitute the permission standard. We will only provide your e-mail address and telephone number to the shipping provider so that they may provide or arrange a delivery window if you have given us your express consent to do so. Article 6(1) point (a) would be the applicable permission standard for this.
C.5 Data processing in payment transactions with us - PayPal
On our website, we offer the option to pay by PayPal, amongst others. The provider of this service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”).
If you choose to pay via PayPal, the payment data you provide will be transmitted to PayPal.
The transfer of your data to PayPal shall take place on the basis of Article 6(1) point (a) GDPR (consent) and Article 6(1) point (b) GDPR (processing for the performance of a contract). You may revoke your consent to data processing at any time. A revocation shall not affect the validity of past data processing operations.
If our users decide to pay via PayPal, they can find further information including information relevant to data protection law at https://www.paypal.com/myaccount/privacy/privacyhub.
D. SSL/TLS Encryption
We use SSL/TLS encryption on our website for security reasons and to protect the transmission of confidential content, such as incoming orders or requests, and especially in relation to account and credit card information for payment processing. You can identify an encrypted connection by the fact that the address line in the browser changes from “http://” to “https://” and by the lock symbol in your browser line. When the SSL/TLS encryption is activated, the data you transfer to us cannot be read by third parties.
E Validity and Changes to This Data Privacy Statement
This data privacy statement is currently valid and is dated May 2018. This data privacy statement may need to be amended due to the further processing of our website and offers or due to amended legal or official requirements. You can view and print the latest data privacy statement on our website at any time.