Privacy Statement
Thank you for your interest in our company and welcome to our privacy policy. The use of our internet pages is basically possible without providing any personal data. However, if you wish to make use of the services of Vonmählen GmbH, it may be necessary to process personal data. Below we give you an overview of data processing on our Retail Portal, as well as all other services we offer. We would like to give you a transparent insight into how we manage your personal data.1 Name and Address of Responsible Persons
As we continually develop our website and implement new technologies to improve our service to you, we may need to make changes to this privacy statement. Therefore, we encourage you to review this privacy statement from time to time. The person responsible within the scope of the fundamental data protection regulation, other national data protection laws of the member states as well as other provisions of data protection law is the data protection authority:
Vor dem Bardowicker Tore 49
21339 Lüneburg
Germany
Phone: +49 4131 220 95 0
E-Mail: cobranding@vonmaehlen.com
Website: www.b2b.vonmaehlen.com
Questions about privacy policy at Vonmählen GmbH can be directed to our data protection officer at any time:
Phone: +49 4131 220 95 77
E-Mail: datenschutz@vonmaehlen.com
2 Your Information
2.1 What information does we use?
Vonmählen offers you various services and possibilities to get in contact with us through our website. Depending on which channel you choose, i.e. through our online shop, our Retail Portal, by telephone or e-mail, we will receive data from you through these various sources. In addition to the information you provide yourself, technical device and access data can also be read, which we automatically record when you access our site. If the processing of personal data is necessary and there is no legal basis for such processing, we will always obtain your consent. If we obtain the consent of the person concerned for the processing of personal data, Art. 6 Para. 1 lit. a EU Data Protection Basic Regulation (GDPR) is used as the legal basis. However, we process personal information of our users only to the extent necessary to provide a functioning website with our content and services. The processing of personal data of our users takes place regularly only with their consent. Exceptions apply in cases where prior consent cannot be acquired for factual reasons and the processing of the data is authorized by law. It is important to us to protect your personal data that has been entrusted to us from unintentional use or unauthorized disclosure. “Personal Information” means any personal information that relates to all information that can identify you or any other person. For example, this includes your name, date of birth, your (e-mail) address, IP address or your order number.2.1.1 Personal Data
Your personal data is profile or log-in data, which is demographic information about you or your company. This includes the name of your company, your company’s adress, your company headquarters, your first and last name, your title, contact details, your age and place of residence. If you contact us via the enquiry form, by e-mail or by telephone, we will record your contact data. Depending on how you contact us, the data collected may include the company name, your first and last name, postal address, telephone number or e-mail address. We also record the content of your message and, if necessary, forward it internally to the responsible department. The data is stored and used exclusively for the purpose of answering your request or for contacting you and the associated technical administration. It will not be forwarded to third parties.2.1.2 Device and Access Data
The use of online and mobile services generates technical data which we process and use. This data includes the following points:- General device information, such as device type, operating system version, IP address and operating system used by your device, configuration settings, browser type, date and time of access to each page of our Retail Portal.
- When you interact with our services, we also receive data that we can analyze to determine what content you are interested in. On this basis we can optimize our Retail Portal. This data are not stored together with other personal data of the user. The data will be deleted after a maximum of 14 days.
2.2 What does we use your data for?
Vonmählen processes your data in compliance with all legal regulations. Your data will be processed by us to the extent necessary for the performance of the contract and for the purpose of providing and performing other services requested by you, as described in this Privacy Policy. The purpose of the data processing is within the scope of the contract agreed with you (including our general terms and conditions) or the service requested by you. This includes, for example, the availability of our services, the execution of sales contracts or customer service and the execution of promotions and competitions. In addition, the temporary storage of the IP address by the system is necessary to enable delivery of the website to your PC. To do this, your IP address must remain stored for the duration of the session. These purposes also include our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f GDPR. If we make use of the services of third parties for the implementation and execution of processing, the provisions of the Federal Data Protection Act and the GDPR are observed:2.2.1 Use of payment service providers
For payment processing, we share your personal data with the following service providers:2.2.1.1 Mollie
If you choose a payment method from the payment service provider Mollie, the payment will be processed via the payment service provider, Mollie B.V. – Keizersgracht 313 – 1016 EE Amsterdam, to whom we pass on the information you provided during the ordering process, together with information about your order (name, address, account number, bank code, any credit card number and check digit, invoice amount, currency and transaction number). The transfer of your data takes place exclusively for the purpose of payment processing according to Art. 6 para. 1 lit. b DSGVO with the payment service provider Mollie. You can find more information on Mollie’s data protection at: https://www.mollie.com/de/privacy2.2.1.2 Paypal
When paying via PayPal, credit card via PayPal, direct debit via PayPal or – if offered – “purchase on account” via PayPal, we pass on your payment data to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”) as part of the payment processing. PayPal reserves the right to conduct a credit check for the payment methods credit card via PayPal, direct debit via PayPal or – if offered – “purchase on account” via PayPal. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they have their basis in a scientifically recognized mathematical-statistical procedure. Among other things, address data is included in the calculation of the score values. For further information on data protection law, including information on the credit agencies used, please refer to PayPal’s data protection declaration: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
2.2.2 Forwarding to the shipping service provider
2.3 Where does Vonmählen store your data?
Some of the servers used for hosting services are located in the data centers in Frankfurt. Space in the data center have been rented by Digital Ocean LLC, New York. Digital Ocean operates a cloud platform for virtual servers there, which we use as our hosting platform. In addition, DigitalOcean is subject to the EU-US Privacy Shield Agreement. Further information can be found at: https://www.digitalocean.com/legal/gdpr-faq/.2.4 When does Vonmählen delete your data?
We will only store your personal data for as long as is necessary for the purposes stated in this data protection declaration. This is done primarily to fulfill our contractual and legal obligations, but also for other purposes if necessary, such as when the law allows us to further store for certain purposes. In the case of collecting data for the provision of the website, this is the case when your respective session has ended. To the extent that commercial and tax retention periods have to be observed, the duration of the storage of certain data can be up to 10 years. Your data, in particular your IP address, will not be stored in log files. If you deactivate your customer account with us, we will delete any of your stored data, or if it is not possible or not necessary to completely delete your data for legal reasons, the relevant data will be prevented from being processed further. The data shall also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless it is necessary for further storage of the data for the conclusion or performance of a contract. It is imperative to collect and save data in order to operate the website. Therefore, there can be no objection to this processing.3 Registration
We set up password-protected personal access for users who register for a customer account. If you do not log out again after logging in with your login data, you will usually remain logged in automatically until you close your browser. We use a so-called “session cookie” for this purpose. This function allows you to use your customer account for the entire duration of your session without having to log in again each time.3.1 Scope of Data Processing
You will be given the option in our Retail Portal to register by providing personal data. This data is entered into an entry form and transmitted to us and stored. During the registration process, the following data will be collected:Anrede
Vor- und Nachname
Firmenname
E-Mail-Adresse
At the time of registration, the date and time of registration are also stored. As part of the registration process, your consent to the process this data will be requested. If you have given your consent, the legal basis for processing the data is Art. 6 Para. 1 lit. a GDPR.
3.2 Purpose of Data Processing
Registering or providing data on your part is necessary to fulfill a contract, as we require information because regarding your billing or delivery address. In addition, your e-mail address is necessary for sending the order confirmation and the delivery confirmation.3.3 Duration of Storage, Revocation and Deletion
Data will be deleted as soon as they are no longer required for the purpose for which they were collected. During the registration process, data is used to fulfil a contract or to carry out pre-contractual measures if the data is no longer required for the performance of the contract. Even after the contract has been concluded, it may be necessary to store your personal data in order to comply with contractual or legal obligations. As a user you have the right to cancel the user registration at any time. The data stored about you can be changed or deleted at any time in our online shop under your profile.4 Newsletter
4.1 Scope of Data Processing
You can subscribe to a free newsletter on our website. When you subscribe to the newsletter, your e-mail will be sent to us from the entry form. In addition, the date and time will be collected when you register. If you purchase products on our website and enter your e-mail address, this may subsequently be used by us to send you a newsletter. Should this be the case, the newsletter will only be used to promote our own products. Your Data will be passed on to Mailchimp in connection with data processing for the purpose of sending newsletters. The data will be used exclusively for the mailing of the newsletter. The legal basis for the processing of your data after registration for the newsletter is Art. 6 Para. 1 lit. a GDPR. The legal basis for sending of the newsletter as a result of the sale of goods or services is § 7 Abs. 3 UWG.4.2 Purpose of Data Processing
The collection of your e-mail address is used to send the newsletter. The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used. Our newsletters also contain so-called tracking pixels. A pixel-code is a miniature graphic embedded in emails sent in HTML format in order to enable log file recording and analysis. This allows us to evaluate the success of our online marketing campaigns. The embedded pixel-code tells us if and when you opened an email and which links in the email you viewed. Such personal data collected via the tracking pixels contained in the newsletters will be stored and evaluated by the person responsible for the analyzing data to improve the performance of the newsletter and to adapt the content of future newsletters to better fit your interests. This personal data will not be passed on to third parties.4.3 How do I log in?
We use the so-called double opt-in procedure when you register for the Vonmählen newsletter, i.e. we activate this service for you only after your express consent and confirm your e-mail address.. To do this, you will receive a notification email from us asking you to click on a link in that email to confirm that you are the owner of the email address provided. We will not take this step if you have already confirmed to us for another purpose that you are the owner of this e-mail address.4.4 Mailing of the newsletter by Mailchimp
Our newsletter is sent by “Mailchimp”, the mail service provider of the US Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The email addresses of our newsletter recipients, as well as the other data described in this notice, are stored on Mailchimp’s servers in the United States. Mailchimp uses this information to send and evaluate the newsletter on our behalf. Furthermore, according to its own information, Mailchimp may use this data to optimize or improve its own services, e.g. for the technical optimization of the sending and viewing of the newsletter or for economic purposes in order to determine from which countries the recipients come. However, Mailchimp does not use the data of our newsletter recipients to contact them or pass them on to third parties. In order to protect your data in the USA, we have established a Data Processing Agreement with Mailchimp on the basis of the standard contractual clauses of the European Commission to allow the transfer of your personal data to Mailchimp. In addition, Mailchimp participates in and has certified compliance with the US-EU Privacy Shield Agreement. You can view Mailchimp’s privacy policy here: https://mailchimp.com/legal/privacy/.4.5 Duration of Storage, Revocation and Deletion
If you do not want to receive our newsletter later, you can unsubscribe at any time. For this purpose you will find a link in each newsletter with the purpose to unsubscribe from the double opt-in procedure. Unsubscribing from the newsletter will automatically be considered as a revocation. This also enables the revocation to the consent of the storage of personal data collected during the registration process. Your data will be deleted as soon as it is no longer needed to achieve the purpose for which it was collected. Your email address will be stored as long as the newsletter subscription is active. All other personal information collected as part of the registration process will be deleted after a maximum period of seven days.5 Contact Forms and Email Contact
5.1 Scope of Data Processing
There is a contact form on our website which you can use to contact us electronically. If you make use of this possibility, the data entered in the entry form will be transmitted to us and stored. This includes:- Salutation
- Company Name
- First name and last name
- Email address
- Phone number
5.2 Purpose of Data Processing
The processing of the personal data from the entry form serves us solely to facilitate contact. If you contact us by e-mail, this is also the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.5.3 Duration of Storage, Revocation and Deletion
The data will be deleted as soon as they are no longer necessary to achieve their intended purpose. The personal data from the entry form of the contact form and those sent by e-mail are deleted when the respective conversation with the user has ended. The conversation is terminated when it can be inferred from the circumstances that the relevant facts have been conclusively clarified. If the conversation is a relevant matter for conducting business, the storage period of 6 years specified by law applies. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest. It is possible to revoke your consent to processing your personal data at any time. If you contact us by e-mail, you can object to the storage of your personal data at any time. In such a case, communication cannot be continued. In this case, all personal data stored in the course of establishing contact will be deleted.6 Your Rights
If personal data is processed by you, you are the data subject within the meaning of the GDPR and you are entitled to the following rights in respect of Vonmählen GmbH:6.1 Right to Information
You may request confirmation from the person responsible as to whether personal data concerning you will be processed by us. In the event of similar use, you can ask the person responsible for the following information:(1) Purposes for which the personal data are processed;
(2) The categories of personal data that will be processed;
(3) The recipients or categories of recipients to whom the personal information about you has been or will be disclosed to; and
(4) The planned duration of the storage of personal data concerning you or, if it is not possible to provide specific information in this regard, relevant information to determine the storage period;
(5) There is a right to correct or delete personal data concerning you, a right to limit the processing carried out by the responsible person or a right to object to such processing;
(6) The right to challenge decisions to a regulatory authority. You have the right to request information as to whether the personal data concerning you will be disclosed to a third country or to an international organisation. Furthermore, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.
6.2 Right to Amendment
You have the right to have your personal data corrected and/or completed by the responsible person if it is incorrect or incomplete. The person in charge must carry out the amendment immediately.6.3 Right to limitation of processing
Under the following conditions, you may request that the processing of your personal data be restricted:(1) If you dispute the accuracy of the personal data concerning you for a period of time that allows the responsible person to verify the accuracy of the personal data;
(2) The processing is unlawful and you refuse the deletion of the personal data and instead request the restriction of the use of the personal data;
(3) the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims,
(4) If you have filed an appeal against the processing in accordance with Art. 21 para. 1 GDPR and it has not yet been confirmed whether the legitimate reasons of the person responsible outweigh your reasons. If the processing of personal data concerning you has been restricted, such data may be processed only with your consent or for the purpose of asserting, exercising or defending a right or protecting the rights of another individual or legal entity or for reasons of an important public interest of the Union or of a Member State, with the exception of their storage. If the limitation of the processing has been restricted in accordance with the above conditions, you will be informed by the person responsible before the restriction is withdrawn.
6.4 The Right to Delete
6.4.1 Obligation to Delete
You may request the data controller to delete the personal data concerning you immediately and the data controller is obliged to delete this data immediately if one of the following reasons applies:(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or processed in any other way.
(2) You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 GDPR.
(4) The personal data concerning you has been processed unlawfully.
(5) It is necessary to delete personal data concerning you in order to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
(6) The personal data relating to you has been collected in relation to information society services offered in accordance with Art. 8 Para. 1 GDPR.
6.4.2 Information to Third Parties
If the person responsible has made the personal data concerning you public and is obliged to delete them pursuant to Art. 17 para. 1 GDPR, he shall take appropriate measures, also of a technical nature, taking into account the available technology and the implementation costs, to inform the persons responsible for data processing who process the personal data that you, as the person concerned, have requested them to delete all links to this personal data or copies or replications of this personal data.6.4.3 Exceptions
This right to delete does not exist if the processing is necessary.(1) to exercise freedom of expression and information;
(2) to fulfil a legal obligation required by the law of the Union or of the Member States to which the controller is subject or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for public interest reasons in the field of public health according to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes according to Art. 89 para. 1 GDPR, as far as the law mentioned under section a) probably makes the realisation of the objectives of this processing impossible or seriously impairs it, or
(5) to assert, exercise or defend legal claims.
6.5 Right to Information
If you have exercised the right to correct, cancel or limit the processing, the data controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction, cancellation or limitation of the processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed of such recipients by the person responsible.6.6 Right to Data Transferability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to communicate this data to another data controller without being hindered by the controller to whom the personal data was provided, provided that(1) such processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR, and
(2) processing is carried out using automated procedures. In exercising this right, you also have the right to request that the personal data concerning you be transmitted directly by one responsible person to another responsible person, as far as this is technically feasible. Freedoms and rights of other persons must not be affected by this. The right to data transfer does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6.7 Right of Objection
You have the right to object at any time to the processing of personal data concerning you in accordance with Art. 6 para. 1 lit. e or f GDPR for reasons arising from their specific situation. The controller will no longer process the personal data concerning you unless he can prove compelling reasons for processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims. If the personal data concerning you is processed in order to conduct direct advertising, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising, insofar as it is connected with such direct advertising. If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. You have the possibility to exercise your right of withdrawal in connection with the use of Information Society services – regardless of the regulation 2002/58/EC – through automated procedures using technical specifications.6.8 Right to Revoke Consent from the Data Protection Declaration
You have the right to revoke your data protection consent at any time. The revocation of your consent does not affect the legality of the processing that took place on the basis of your consent until you revoke your consent.6.9 Automated decision in individual cases
you have the right not to be subject to a decision based solely on automated processing which creates legal effects for you or significantly affects you in a similar manner. This does not apply if the decision:(1) is necessary to conclude or fulfil a contract between you and the person responsible,
(2) is authorized by the laws of the Union or of the Member States to which the person responsible is subject and those laws contain adequate measures to safeguard your rights and freedoms and your legitimate interests, or
(3) with your express consent. However, these decisions may not be based on special categories of personal data under Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect the rights and freedoms as well as your legitimate interests. In the cases referred to in (1) and (3), the person responsible shall take reasonable steps to protect the rights and freedoms and your rightful interests, including but not limited to the right of the person responsible to intervene, to present his or her point of view, and to challenge the decision.