RESPONSIBLE PARTY FOR THE DATA PROTECTION DECLARATION
Name/Co.: ALUKON KG
Street and no.: Münchberger Straße 31
Postal code, City, Country: 95176 Konradsreuth, Germany
Commercial register/No.: HRA 3906
Managing director: represented by Klaus Braun
Telephone number: +49 (9292) 950-0
DATA PROTECTION OFFICER
Nemesis Consulting GmbH
DATA PROTECTION DECLARATION
- General information for data processing and legal bases
- This data protection declaration provides information about the type, extent and purpose of processing personal data within our online offer and its associated websites, functions and content (in the following collectively referred to as “online offer” or “website”). The data protection declaration applies independently of the used domains, systems, platforms and devices (e.g. desktop or mobile) on which the online offer is executed.
- We refer to the definitions in Section 4 of the General Data Protection Regulation (GDPR) in regard to used terms such as “personal data” or “processing” of this data.
- Personal user data processed within the context of the online offer includes inventory data (e.g. names and addresses of customers), contractual data (e.g. utilised services, names of case workers, payment information), usage data (e.g. visited websites of our online offer, interest in our products) and content data (e.g. entries in the contact form).
- The term “user” encompasses all categories of persons affected by the data processing including our business partners, customers, interested parties and other visitors to our online offer. Terms such as “user” are stated in a gender-neutral manner.
- We only process personal user data in adherence to pertinent data protection regulations. This means that user data is only processed based on a lawful authorisation, i.e. specifically if data processing for the provision of our contractual services (e.g. order processing) and online services is required or legally stipulated, user consent has been granted, or on the basis of our legitimate interests (i.e. our interest in analysis, optimisation and economic operation and security of our online offer within the meaning of Section 6 (1) lit. f. of the GDPR) and specifically for reach measurement, creation of profiles for advertising and marketing purposes and acquisition of access data and usage of third-party supplier services.
- We want to point out that Section 6 (1) lit. a. and Section 7 of the GDPR provide the legal basis for granting consent, Section 6 (1) lit. b. of the GDPR provides the basis for processing in fulfilment of our services and execution of contractual measures, Section 6 (1) lit. c. of the GDPR provides the basis for processing in fulfilment of our legal obligations, and Section 6 (1) lit. f. GDPR is the basis for processing in regard to preserving our legitimate interests.
- Security measures
- We implement state-of-the-art organisational, contractual and technical security measures in order to ensure that the provisions of data protection laws are observed and in order to protect data processed by us against accidental or wilful manipulation, loss, destruction or unauthorised access.
- These security measures especially include encrypted data transmission between your browser and our server.
- Forwarding data to third parties and third-party suppliers
- Data is only forwarded to third parties within the context of the legal specifications. We only forward user data to third parties if this is required for contractual purposes e.g. based on Section 6 (1) lit. b) of the GDPR or based on legitimate interests in the economic and effective operation of our business according to Section 6 (1) lit. f. of the GDPR.
- When using subcontractors for the provision of our services, we implement suitable legal precautionary measures as well as technical and organisational measures in order to protect personal data according to the pertinent legal stipulations.
- It is to be assumed that data transfers to host countries of third-party suppliers are performed insofar as content, tools or other means from other providers (in the following collectively referred to as “third-party supplier”) are used within the context of this data protection declaration and the stated places of business of these providers are located in a third country. Third countries are countries in which the GDPR is not a directly applicable law, i.e. principally countries outside of the EU or the European Economic Area. Data transmission to third countries is performed only if an appropriate data protection level, user consent or another lawful authorisation exists.
- Provision of contractual services
- We process inventory data (e.g. names and addresses as well as user contact data), contractual data (e.g. utilised services, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services according to Section 6 (1) lit b. of the GDPR.
- Users can optionally create a user account in which, most importantly, they can view their orders. Required mandatory information is reported to users within the context of registration. User accounts are not public and cannot be indexed by search engines. User data in the user account is deleted if a user cancels his account unless data retention is required due to commercial-law or tax-law regulations according to Section 6 (1) lit. c of the GDPR. It is the responsibility of users to secure their data prior to the end of the contract if the account is cancelled. We are authorised to irretrievably delete all user data stored during the contractual period.
- We store the IP address and the time of the respective user action within the context of registration and renewed registrations as well as in case of utilisation of our online services. Storage is performed based on our legitimate interests as well as in order to protect users against improper and other unauthorised usage. No forwarding of data to third parties takes place unless this is required for pursuing our claims or a legal obligation exists according to Section 6 (1) lit c. of the GDPR.
- We process usage data (e.g. visited websites of our online offer, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile in order to, e.g., show the user product notices based on the user’s previously utilised services.
- Contact initiation
- When establishing contact with us (via the contact form or e-mail), the user’s information is used for the contact request and subsequent processing of the request according to Section 6 (1) lit b. of the GDPR.
- User information can be saved in our Customer Relationship Management System (“CRM System”) or a comparable query organisation.
- Comments and contributions
- The user’s IP address is stored for 7 days based on our legitimate interests within the meaning of Section 6 (1) lit. f. of the GDPR if the user submits comments or other contributions.
- This practice ensures our security in case users post illicit content as comments and contributions (insults, prohibited political propaganda etc.) as we can be prosecuted for such comments or contributions and are therefore interested in identifying the specific author.
- Acquisition of access data and log files
- We acquire data based on our legitimate interests within the meaning of Section 6 (1) lit. f. of the GDPR in regard to every access instance on the server where this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of accessing, transmitted data volume, notification about successful accessing, browser type and version, the user’s operating system, referrer URL (previously visited site), IP address and the requesting provider.
- For security reasons (e.g. for investigating abuse or defraudation), log file information is stored for a maximum period of seven days and then deleted. Data whose further storage is required for verification purposes is exempted from deletion until the incident has been fully clarified.
- Cookies & reach measurement
- Cookies consist of information that is transmitted by our web server or third-party web servers to the user’s web browser and stored there for later access. Cookies may consist of small files or other types of information storage.
- We use “session cookies” that are only filed for the duration of the current visit to our online presence (e.g. in order to ensure storage of your login status or the functionality of the shopping cart and thus the usage of our online offer in general). A randomly generated unique identification number, a so-called session ID, is filed within the session cookie. Cookies also contain information about their origin and storage period. No other data can be stored by these cookies. Session cookies are deleted once you are no longer using our online offer and you, e.g., log out or close the browser.
- Within the context of this data protection declaration, users are informed about the usage of cookies in the context of pseudonymised reach measurement.
- Users are asked to deactivate the respective option in their browser's system settings if they do not want cookies to be stored on their computer. Saved cookies can be deleted in the browser’s system settings. Excluding the usage of cookies can lead to functional limitations within our online offer.
- You can also object to the usage of cookies for reach measurement and advertisement purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally via the US-American website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/). Please observe the requirements for the usage of Google Analytics: IP anonymisation must be activated (support.google.com/analytics/answer/2905384), and the “Supplement for data processing” must be accepted in the administration area of Google Analytics.
- Google Analytics
- Google is certified under the Privacy Shield Framework, which guarantees observance of the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information on our behalf in order to evaluate the usage of our online offer by users and compile reports about activities within this online offer while providing other services for us that are associated with the usage of the online offer and the Internet. Pseudonymised usage profiles of users can be created from the processed data.
- We use Google Analytics in order to display advertisements placed by the advertising services of Google and its partners only to users who also expressed an interest in our online offer or who exhibit certain characteristics (e.g. interest in certain topics or products determined based on visited websites), which we transmit to Google (so-called “remarketing” or “Google Analytics audiences”). By means of remarketing audiences, we also want to ensure that our advertisements correspond to the potential interest of users and are not bothersome.
- We only use Google Analytics with activated IP anonymisation, which means that Google abbreviates the IP addresses of users within member states of the European Union or in other member states of the Agreement on the European Economic Area. The full IP address is only transmitted to a Google server in the US in exceptional cases and abbreviated there.
- The IP address transmitted by the user’s browser is not combined with other Google data. Users can prevent the storage of cookies with a respective setting in their browser software. Moreover, users can also prevent the data generated by the cookie in regard to the usage of the online offer from being acquired and processed by Google if they download and install the following browser plug-in, which is available under the following link: tools.google.com/dlpage/gaoptout.
- You can prevent the acquisition of your data by Google Analytics by clicking on the following link. An opt-out cookie is placed that prevents the acquisition of your data during future visits to the website: Deactivate Google Analytics
- Further information regarding data usage by Google, setting options and objection options is available on Google websites: www.google.com/intl/de/policies/privacy/partners (“Data usage by Google for your website or app usage”), www.google.com/policies/technologies/ads (“Data usage for advertising purposes”), www.google.de/settings/ads (“Managing information used by Google in order to display advertisements”).
- Google re/marketing services
- We use marketing and remarketing services (in short “Google marketing services”) of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”) based on our legitimate interests (i.e. interest in analysis, optimisation and economic operation of our online offer within the meaning of Section 6 (1) lit. f. of the GDPR).
- Google is certified under the Privacy Shield Framework, which guarantees observance of the European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google marketing services allow the more targeted display of advertisements for and on our website in order to show users only those advertisements that potentially match their interests. “Remarketing” refers to selectively displaying, e.g., product advertisements to users who expressed interest in these on other websites. For this purpose, a code is directly executed by Google and so-called (re)marketing tags (invisible graphics or codes, also referred to as “web beacons”) are integrated in the website when users access our and other websites on which Google marketing services have been activated. By means of these tags, an individual cookie, i.e. a small file, is stored (comparable technologies may also be used instead of cookies) on the user’s device. Cookies can be placed by various domains including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. The file notes the websites that the user has visited, the content in which he expressed interest and offers he has clicked on as well as technical information about the browser, operating system, referring websites, visit times and other information in regard to the usage of the online offer. The IP addresses of users are also acquired, but we want to point out that the IP address is abbreviated within member states of the European Union or other member states of the Agreement for the European Economic Area within the context of Google Analytics and only transmitted as a whole in exceptional cases to a Google server in the US and abbreviated there. The IP address is not combined with the user’s data within other Google offers. Google may also combine the aforementioned information with similar information from other sources. Advertisements customised to the user’s interests can then be displayed when he subsequently visits other websites.
- User data is processed in a pseudonymised manner within the context of Google marketing services. I.e. Google does not save and process, e.g., the name or e-mail address of users, but processes relevant cookie-related data within the pseudonymised user profile. I.e. from the viewpoint of Google, advertisements are not managed and displayed for a specifically identifiable person but for the cookie holder independently of who this cookie holder is. This does not apply if a user expressly allows Google to process data without pseudonymisation. Information collected by Google marketing services about the user is transmitted to Google and stored on Google’s servers in the US.
- The online advertisement programme “Google AdWords” is one of the Google marketing services used by us. Each AdWords customer receives a different “conversion cookie” within the context of Google AdWords. Thus, cookies cannot be tracked via the websites of AdWords customers. The information obtained by cookies is acquired for generating conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers are notified of the total number of users who clicked on their advertisement and were redirected to a site that has a conversion tracking tag. However, they do not receive information by which users can be personally identified.
- We are also able to use the service “Google Optimizer”. Google Optimizer allows us to track the effects of various changes to a website within the context of so-called “A/B testing” (e.g. changes to the entry fields, design etc.). Cookies are placed on user devices for test purposes. Only pseudonymised user data is processed.
- Furthermore, we are also able to use the “Google Tag Manager” in order to integrate and manage Google analysis and marketing services in our website.
- Further information regarding data usage for marketing purposes by Google is available on the following overview page: www.google.com/policies/technologies/ads. The data protection declaration of Google is available at www.google.com/policies/privacy.
- You can use the setting options and opt-out options provided by Google if you want to object to interest-based advertisements by Google marketing services: www.google.com/ads/preferences.
- The following notices explain the content of our newsletter as well as the registration, mailing and statistical evaluation procedure and your rights of objection. By subscribing to the newsletter, you consent to receiving our newsletter and to the described procedures.
- Content of the newsletter: We only send newsletters, e-mails and other electronic notifications with advertising information (in the following referred to as “newsletter”) based on the consent of the recipient or a lawful authorisation. Insofar as this content is specifically described within the context of registration for the newsletter, the content forms the basis for the user’s consent. Furthermore, our newsletter also contains information about our products, offers, campaigns and our company.
- Double opt-in and logging: Users subscribe to our newsletter in a so-called double-opt-in procedure, which means that the user receives an e-mail after registration asking for confirmation of the registration. This confirmation is necessary to prevent people from registering with another person’s e-mail address. Registration for the newsletter is logged in order to verify the registration process according to legal requirements, which includes storage of the registration and confirmation time and the user’s IP address. Changes to your data that is stored for the mailing service provider are also logged.
- Moreover, the mailing service provider can also use this information in pseudonymised form, i.e. without allocation to a user, in order to optimise and improve his own service, e.g. for technically optimising the mailing and display of the newsletter or for statistical purposes in order to determine the countries in which recipients are located. However, the mailing service provider will not use the data of newsletter recipients in order to establish contact with these persons or pass this data on to third parties.
- Registration data: When you register for the newsletter, you are only required to provide your e-mail address. We also ask you to state your name, optionally, so that we can personally address you in the newsletter.
- Statistical acquisition and analyses – the newsletters contain a so-called “web beacon”, i.e. a pixel-sized file, which is accessed by the server of the mailing service provider when the newsletter is opened. Initially, technical information, e.g. about the user’s browser, system, IP address and the time of accessing, is acquired within the context of accessing. This information is used in order to technically improve services based on technical data or target groups and your reading behaviour in accordance with access locations (determined by means of the IP address) or access times. Statistical ascertainments also determine whether the newsletter was opened, when it was opened and which links the reader clicked on. Although this information can be traced to individual newsletter recipients due to technical reasons, it is neither our desire nor that of the mailing service provider to monitor individual users. We merely perform evaluations in order to determine the reading habits of our users and adapt our content to suit them, or to send out different content depending on the interests of our users.
- Usage of the mailing service provider, performance of statistical ascertainments, analyses and logging of the registration procedure are performed based on our legitimate interests according to Section 6 (1) lit f. of the GDPR. Our interest is geared toward providing a user-friendly and secure newsletter system that both serves our commercial interests and meets the users’ expectations.
- Cancellation/Revocation - You can cancel your newsletter subscription at any time, i.e. revoke your consent. Your consent to the mailing of the newsletter by the mailing service provider and to the statistical analyses will be revoked at the same time. Unfortunately, a separate revocation for mailing by the mailing service provider or for statistical evaluation is not possible. A link for cancelling the newsletter is provided at the end of each newsletter. Personal user data is deleted if the user has only registered for the newsletter and this registration is cancelled.
- Integration of services and third-party content
- We use third-party content and service offers within our online offer based on our legitimate interests (i.e. interest in analysis, optimisation and economic operation of our online offer within the meaning of Section 6 (1) lit. f. of the GDPR) in order to integrate third-party content and services such as videos or fonts (in the following referred to as “content”). This always implies that third-party content suppliers can determine the user’s IP address since they would otherwise not be able to send content to the user’s browser. Access to the IP address is required in order to display content. We strive to only use content whose providers merely use the IP addresses for content delivery. Furthermore, third-party suppliers can also use so-called pixel tags (invisible graphics also referred to as “web beacons”) for statistical or marketing purposes. Information such as visitor traffic on the pages of this website can be evaluated with the “pixel tags”. Pseudonymised information can also be stored in cookies on the user’s device and may, among other things, contain technical information about the user’s browser and operating system, referring websites, visit times as well as other information about usage of our online offer and may also be combined with information from other sources.
- The following illustration provides an overview of third-party suppliers and their content in addition to links to their data protection declarations, which contain further notices on data processing and objection options (so-called opt-outs), some of which have already been stated here:
- If our customers use third-party payment services (e.g. PayPal or instant transfer), then the business terms and conditions and data protection notices of the respective third-party suppliers, which can be viewed within the respective websites or transaction applications, shall apply.
- External fonts by Google, Inc., www.google.com/fonts (“Google Fonts”). Google fonts are integrated by accessing the server of Google (usually in the US). Data protection declaration: www.google.com/policies/privacy/, opt-out: www.google.com/settings/ads/.
- Maps from the “Google Maps” service are provided by the third-party supplier Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: www.google.com/policies/privacy/, opt-out: www.google.com/settings/ads/.
- Videos from the platform “YouTube” of the third-party supplier Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: www.google.com/policies/privacy/, opt-out: www.google.com/settings/ads/.
- Functions of the service Google+ are integrated within our online offer. These functions are provided by the third-party supplier Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can link the content of our pages to your Google+ profile by clicking the Google+ button while logged into your Google+ account. Google can thereby allocate your visit to our pages to your user account. We would like to point out that we as the site provider have no knowledge of the content of transmitted data or its usage by Google+. Data protection declaration: www.google.com/policies/privacy/, opt-out: www.google.com/settings/ads/.
- Functions of the service Instagram are integrated within our online offer. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. You can link the content of our pages to your Instagram profile by clicking the Instagram button while logged into your Instagram account. Instagram can thereby allocate your visit to our pages to your user account. We would like to point out that we as the provider of the pages have no knowledge of the content of the transmitted data or its usage by Instagram. Data protection declaration: instagram.com/about/legal/privacy/.
- Our online offers use the functions of the network LinkedIn. The LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA is the provider. A connection is established to the servers of LinkedIn every time the user accesses one of our sites that has LinkedIn functions. LinkedIn is informed that you visited our Internet pages with your respective IP address. LinkedIn can allocate your visit to our Internet page to you and your user account if you click on the “Recommend button” of LinkedIn while you are logged into your LinkedIn account. We would like to point out that we as the site provider have no knowledge of the content of transmitted data or its usage by LinkedIn. Data protection declaration: www.linkedin.com/legal/privacy-policy, opt-out: www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- We use social plug-ins of the social network Pinterest, operated by Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA (“Pinterest”). Your browser establishes a direct connection to the servers of Pinterest when you access a page that has such a plug-in. The plug-in transmits log data to the server of Pinterest in the US. This log data may contain your IP address, addresses of visited websites with Pinterest functions, your browser type and settings, the date and time of the request, and your manner of use of Pinterest and cookies. Data protection declaration: about.pinterest.com/de/privacy-policy.
- Functions of the service Twitter are integrated within our online offer. These functions are provided by the third-party supplier Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. When you use Twitter and the function “Retweet”, the websites you visited are associated with your Twitter account and announced to other users. Data is also transmitted to Twitter in the process. We would like to point out that we as the site provider have no knowledge of the content of transmitted data or its usage by Twitter. Data protection declaration of Twitter: twitter.com/privacy. You can change your data protection settings for Twitter in the account settings at twitter.com/account/settins.
- We use social plug-ins of the social network Tumblr, operated by Tumblr, Inc. located at 35 East 21st Street, 10E, New York, NY 10010, USA (“Tumblr”). Your browser establishes a direct connection to the servers of Tumblr when you access a page that has such a plug-in. The plug-in transmits log data to the server of Tumblr in the US. This log data may contain your IP address, addresses of visited websites with Tumblr functions, your browser type and settings, the date and time of the request, and your manner of use of Tumblr and cookies. Data protection declaration: www.tumblr.com/policy/en/privacy.
- We use the functions of the network XING. XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany is the provider. A connection is established to the servers of Xing every time the user accesses our sites that have Xing functions. As far as we know, personal data is not stored. Specifically, IP addresses are not stored, and usage behaviour is not assessed. Data protection declaration: www.xing.com/app/share.
- Web analysis and optimisation by means of the service Hotjar of the third-party supplier Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe. Hotjar can track movements on websites on which Hotjar is used (so-called heat maps), which makes it possible to detect how far users scroll, for example, as well as which buttons they click on and how many times. Furthermore, technical data such as the selected language, system, screen resolution and browser type is recorded. Profiles of the users can thereby be created at least temporarily during visits to our websites. Hotjar also makes it possible to directly receive feedback from website users. We thereby obtain valuable information in order to make our websites faster and more customer-friendly. Data protection declaration: www.hotjar.com/privacy. Opt-out: www.hotjar.com/opt-out.
- User rights
- Users have the right to receive information, free of charge, about the personal data that we have stored about them.
- Furthermore, users also have the right to correction of incorrect data, restriction of processing, and deletion of personal data, if applicable, and may assert their rights in regard to data portability and submit a complaint to the competent supervisory authority if illicit data processing is suspected.
- Users can also revoke consents, always with effect for the future.
- Deletion of data
- Data stored by us is deleted as soon as it is no longer required for the intended purpose and no legal retention obligations oppose the deletion. If user data is not deleted because it is required for other and legally permissible purposes, then the processing of this data will be restricted. I.e. the data is blocked and not used for other purposes. This applies, for example, to user data that must be stored for commercial-law or tax-law related purposes.
- According to legal specifications, data is retained for 6 years in accordance with Section 257 (1) of the Commercial Code (trading books, inventories, opening balances, annual accounts, commercial correspondence, accounting vouchers etc.) and for 10 years according to Section 147 (1) of the Tax Code (books, records, management reports, accounting vouchers, commercial and business correspondence, taxation documentation etc.).
- Right of objection
- Users can object to the prospective processing of their personal data at any time according to legal specifications. Objections can be submitted, in particular, against processing for the purposes of direct advertising.
- Changes to the data protection declaration
- We reserve the right to change the data protection declaration in order to adapt it to changed legal situations or to any changes to the service and data processing. However, this only applies in regard to declarations for data processing. If user consent is required or if parts of the data protection declaration contain regulations for the contractual relationship with users, then changes will be made only with the user’s consent.
- Users are asked to regularly check the content of the data protection declaration.