Privacy Policy
I. Introduction and Definitions
1. GENERAL
When operating our website with the URL www.goki.eu (hereinafter referred to as “website”), we process personal data. We treat this data confidentially and process it in accordance with the applicable laws – in particular the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the German Telecommunications–Digital Services Data Protection Act (TDDDG). With this privacy policy, we would like to inform you which personal data we collect from you, for which purposes and on which legal basis we use it, and, where applicable, to whom we disclose it. In addition, we will explain which rights you have to protect and enforce your data protection.
2. TERMS
Our privacy policy contains technical terms that are used in the GDPR and the BDSG. For your better understanding, we would like to explain these terms in simple words in advance:
2.1 Personal data
“Personal data” means any information relating to an identified or identifiable person (Art. 4 No. 1 GDPR). Information relating to an identified person can be, for example, the name or email address. However, data is also personal if the identity is not immediately apparent but can be determined by combining your own or third‑party information and thus finding out who the person is. A person can be identified, for example, by providing their address or bank details, date of birth or username, their IP addresses and/or location data. All information that in any way allows a conclusion to be drawn about a person is relevant here.
2.2 Processing
“Processing” as defined by Art. 4 No. 2 GDPR means any operation performed on personal data. This particularly includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
II. Controller and Data Protection Officer
3. CONTROLLER
The controller responsible for data processing is:
Company: Gollnest & Kiesel GmbH & Co. KG (“we”)
Legal representative: Gerhard Gollnest (Managing Director)
Address: Hauptstraße 13-16, 21514 Güster
Phone: +49 4158 8822-0
Fax: +49 4158 8822-55
Email: info@goki.eu
4. DATA PROTECTION OFFICER
We have appointed an external data protection officer for our company. You can reach him at:
Name: Reinher Karl
Address: HABEWI GmbH & Co. KG, Palmaille 96, 22767 Hamburg
Phone: 040/ 46008966
Fax: 040/ 46008977
Email: datenschutz@habewi.de
III. Scope of Processing
5. SCOPE OF PROCESSING: WEBSITE
In the context of the website, we process the personal data from you that are listed in detail in Section IV below. We only process data that you actively provide on the website (e.g. by filling in forms) or that you automatically make available when using our services. Your data is processed exclusively by us and is generally not sold, rented or disclosed to third parties. If we use the assistance of external service providers to process your personal data, this is done as part of so‑called order processing, in which we, as the client, have the right to issue instructions to our contractors. For the operation of our website, we use external service providers for hosting as well as for maintenance, support and further development. We host our website with the external provider DSISoft GmbH (address: Friedrich-Wilhelm-Straße 51, 38100 Braunschweig) at the data center location Braunschweig, Germany. If additional external service providers are used for individual processing operations listed in Section IV, they will be named there. As a rule, we do not transfer data to third countries and do not plan to do so. We will inform you about exceptions to this principle in the processing operations described below. Any data transfer to third countries then takes place on the basis of the so‑called EU‑US Data Privacy Framework (https://www.dataprivacyframework.gov/) or the so‑called EU Standard Contractual Clauses.
IV. Processing in Detail
PROVISION OF THE WEBSITE AND SERVER LOG FILES
6.1 Description of processing
Every time the website is accessed, we automatically collect information that your browser transmits to our server. This includes the following data:
IP address
Browser software used, including its version and language
Operating system
Website from which visitors have reached the website (so‑called referrer)
Subpages accessed on the website
Date and time of the website access
Internet service provider
Country and place from which a user visits the website
This information is also stored in the so‑called log files of our system. The temporary storage of your IP address by the system is necessary in order to deliver our website to a user’s end device. For this purpose, the user’s IP address must remain stored for the duration of the session. Your IP address is also recorded in the log files for security reasons, in order to defend against attacks on our website (in particular so‑called DDoS attacks) and for fraud prevention.
6.2 Purpose
Processing is carried out to enable access to the website and to ensure its stability and security. In addition, processing serves the statistical evaluation and improvement of our online offering.
6.3 Legal basis
Processing is necessary for the protection of the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Section 6.2.
6.4 Storage period
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of collection of data for the provision of the website, this is the case when the respective session has ended. Log files are deleted after 14 days.
REGISTRATION AND CUSTOMER ACCOUNT
7.1 Description of processing
As part of your purchase in our online shop, you can set up a free, ongoing customer account with us. In your customer account, you can view and manage your orders and shop faster and more conveniently in the future, as you will not have to re‑enter your personal data for subsequent purchases. Setting up a customer account is of course not mandatory. You can also shop as a guest.
To obtain a customer account, registration is required, for example in the course of your first purchase. Registration takes place by filling out the registration form on our website and submitting it to us electronically. For registration, you must provide your first name, last name, address, freely chosen username, freely chosen password and email address, as well as gender / form of address: Mr or Ms / telephone number. By clicking the “Register” button, you transmit the form to us. You will then receive an automatic welcome email. This contains a link to confirm your email address. Your customer account on our website will only be activated after successful verification of your email address by clicking on the confirmation link.
In your customer account, in addition to the information provided during registration, your billing and delivery addresses as well as your preferred method of payment or means of payment are stored. As a registered user (B2B), you receive free access in the B2B area to the display of availability and B2B or special prices and more product information. In the case of end customers, discounts may also be available, for example for kindergartens.
7.2 Purpose
Processing is carried out in order to provide you with a free, ongoing customer account in our online shop.
7.3 Legal basis
Processing with regard to the creation and management of the ongoing customer account (and the storage of the means of payment) is carried out on the basis of a free user contract for the use of our online shop (Art. 6 para. 1 lit. b GDPR). If we obtain consent as part of registration, processing is carried out on the basis of this consent in accordance with Art. 6 para. 1 lit. a GDPR. Your consent is voluntary.
7.4 Storage period and withdrawal of consent
As a rule, we process your personal data in connection with your customer account until the termination of your user contract; if we requested your consent as part of registration, until you withdraw your consent. You may withdraw your consent at any time with effect for the future. A simple declaration is sufficient for this (by post to Gollnest & Kiesel GmbH & Co. KG, Hauptstraße 13-16, 21514 Güster, by fax to +49 4158 8822-55 or by email to info@goki.eu). Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of the consent before its withdrawal. In the event of withdrawal, however, we will delete your customer account in our online shop.
After termination of your user contract or withdrawal of your consent, we will automatically delete your customer account in our online shop. You can also do this yourself by selecting the “Delete customer account” function in the settings of your customer account. In addition, as a logged‑in user, you can edit and remove your own details and information at any time.
PURCHASE
8.1 Description of processing
You can shop on our website as a guest or as a registered user (see Section 7). As part of your order process, we process your personal data. The mandatory fields marked with an asterisk “*” in our online shop must be filled in by you. Otherwise, we will not be able to conclude a purchase contract with you and send you the desired goods. All other information is voluntary.
When shopping on our website, you can also select one of the payment methods offered (PayPal, PayPal and PayPal Express, credit card via PayPal Plus, direct debit via PayPal Plus, purchase on account via PayPal Plus and advance payment) to settle the purchase price. Upon completion of your order, the data required for payment will be transmitted to the respective payment service provider. If you shop on our website as a registered user, you can store your billing and delivery addresses as well as your preferred method of payment in your user profile for a faster and more convenient ordering process.
In addition, for the processing of delivery, your first name, last name and address will be transmitted to DHL as the shipping service provider. If, as part of the order process, you have given your consent by ticking the corresponding box, we will also pass on your email address to DHL so that you can be informed directly by the shipping service provider via email about the current status of your shipment.
8.2 Purpose
Processing is carried out for the conclusion and execution of purchase contracts and to inform you via email about the current status of your shipment.
8.3 Legal basis
Processing is necessary for the conclusion and performance of purchase contracts (Art. 6 para. 1 lit. b GDPR). This also includes the transfer of the data required for processing payments to the respective payment service provider and the transmission of the data required for the delivery of goods shipments to the shipping service provider DHL. The transmission of your email address for the sending of DHL shipment notification emails is based on consent (Art. 6 para. 1 lit. b GDPR).
8.4 Storage period and withdrawal of consent
Due to commercial and tax law requirements, we are obliged to store your address, payment and order data for a period of ten years. However, after two years we restrict processing. This means that your data will then only be stored separately for the purpose of complying with statutory retention periods and will be deleted without undue delay after these periods have expired. Consent to the transfer of your email address for the sending of DHL shipment notification emails is voluntary and can be withdrawn by you at any time with effect for the future by means of a simple declaration (by email to [info@goki.eu](mailto:info@goki.eu), by post to: Gollnest & Kiesel GmbH & Co. KG, Hauptstraße 13-16, 21514 Güster, or by fax to +49 4158 8822-55).
8.5 Recipients
For the processing of your payment, personal data is transmitted to one of the following external payment service providers selected by you in the course of your purchase:
– PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. PayPal reserves the right, where applicable, to transmit personal data to credit reference agencies for identity and credit checks. Further information on data protection at PayPal can be found at www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
– PayPal and PayPal Express: PayPal and PayPal Express are services provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. In order to be able to pay via PayPal or PayPal Express, you must have a PayPal account. PayPal reserves the right, where applicable, to transmit personal data to credit reference agencies for identity and credit checks. Further information on data protection at PayPal can be found at www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE.
– Credit card, direct debit, purchase on account via PayPal Plus: PayPal Plus is a service provided by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. In order to be able to pay via PayPal or PayPal Express, you must have a PayPal account. If you select one of the payment methods “credit card via PayPal Plus”, “direct debit via PayPal Plus” or “purchase on account via PayPal Plus”, PayPal will carry out a credit check. Mathematical and statistical procedures are used to calculate a rating regarding the probability of a payment default (so‑called scoring value). PayPal bases its decision on the provision of the respective payment methods on the calculated scoring value. The calculation of a scoring value is carried out using recognised scientific methods. Reference is also made to PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full. Information on identity checks at PayPal and on data exchange with credit reference agencies (credit reports) can be found here: https://www.paypal.com/de/webapps/mpp/ua/creditchk.
– Advance payment: No data is transferred to third‑party companies.
For the execution and handling of the delivery of goods, we will transmit the data required for this purpose to the shipping service provider DHL (DHL Paket GmbH, Sträßchenweg 10, 53113 Bonn). If the corresponding consent has been given, we will also transmit your email address to DHL for the purpose of sending DHL shipment notification emails.
9. COOKIES AND OTHER TRACKING TECHNOLOGIES
9.1 Description of processing
Our website uses cookies. Cookies are small text files that are stored on the user’s end device when visiting a website. Cookies contain information that enables the recognition of an end device and, where applicable, certain functions of a website. We distinguish between our own cookies and external, so‑called third‑party cookies. On our site, so‑called “session cookies” and “persistent cookies” are used. “Session cookies” are automatically deleted when you end your internet session and close your browser. Persistent cookies remain stored on your end device for a longer period of time. In addition to cookies, we also use other tracking technologies such as pixels or so‑called fingerprinting.
Insofar as cookies are technically required for the operation of our site, your consent is not needed for this. All other cookies and tracking technologies that are not technically required are only set after you have actively consented to the use of cookies/tracking technologies via our consent tool. We use an in‑house development as a consent tool to obtain and document consent. The consent tool stores your selection itself in a cookie on your end device. This means that you do not have to make a decision about cookies again when you visit our website in the future. You can see which cookies are used on our website for which purpose, how long they are stored on your end device and which consents you may already have given in the settings of the consent tool.
9.2 Purpose
We use cookies/tracking technologies to make our website more user‑friendly and to provide the functions described in Section 9.1.
9.3 Legal basis
Processing with regard to technically required cookies and the use of the consent tool is necessary for the protection of the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR in conjunction with Section 25 para. 2 TDDDG). Our legitimate interest lies in the purpose specified in Section 9.2.
For processing in connection with all other – i.e. not technically required – cookies/tracking technologies, the legal basis is consent (Art. 6 para. 1 lit. a GDPR in conjunction with Section 25 para. 1 TDDDG). Such consent is voluntary.
9.4 Storage period, withdrawal of consent
Cookies are automatically deleted at the end of a session or upon expiry of the specified storage period. Since cookies are stored on your end device, you as the user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted. This can also be done automatically. If cookies/tracking technologies for our website are deactivated, deleted or restricted, some functions of our website may not be available or may only be available to a limited extent. Any consent you may have given to the use of cookies can be withdrawn at any time with effect for the future in the settings of the consent tool.
9.5 Recipients
When cookies/tracking technologies are used, data may be transmitted to the respective providers of these third‑party services. In this context, data may also be transferred to third countries outside the European Union or the European Economic Area. We provide information about the recipients of data and any transfer to third countries in the settings of the consent tool and in the corresponding section on the respective third‑party service in this privacy policy.
10. CONTACT FORM AND CONTACT BY EMAIL
10.1 Description of processing
We provide a contact form on our website for getting in touch with us. In this form, you are asked to enter your email address, your name and a message to us. When you click the “Send” button, the data is transmitted to us using SSL encryption (see Section 19). The contact form can only be submitted if you confirm, by ticking the corresponding checkbox, that you have taken note of this privacy policy. You can also contact us via the email addresses provided on the website. In this case, the personal data transmitted with the email is processed by us.
10.2 Purpose
By providing a contact form on our website, we want to offer you a convenient way to get in touch with us. The data transmitted with and in the contact form or your email is used solely for the purpose of processing and responding to your enquiry.
10.3 Legal basis
Processing is necessary for the protection of the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Section 10.2. If email contact is aimed at the conclusion or performance of a contract, data processing is carried out for the performance of the contract (Art. 6 para. 1 lit. b GDPR).
10.4 Storage period
We delete the data as soon as it is no longer required to achieve the purpose for which it was collected. This is usually the case when the respective communication with you has ended. Communication is deemed to have ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. If statutory retention periods prevent deletion, deletion will take place without undue delay after expiry of the statutory retention period.
11. NEWSLETTER
11.1 Description of processing
We send out a newsletter at irregular intervals. With the newsletter, we inform you about new developments, trade fairs and promotions and, where applicable, price offers. You will only receive our newsletter if you actively subscribe to our mailing list. You can subscribe by completing and submitting a newsletter registration form on our website. You can also subscribe to it in the course of placing an order in our online shop.
For newsletter registration, only your email address is required. All other information (such as your first and last name) is voluntary and serves solely to personalise the emails. To carry out and verify newsletter registrations, we use the so‑called double opt‑in procedure. Registration takes place in several steps. First, you enter your details for the newsletter on our website. You will then receive an email from us at the email address you provided. In this email, we ask you to confirm that you have in fact subscribed to the newsletter and wish to receive it. Confirmation is given by clicking a confirmation link contained in the email. Only after successful confirmation will we add you to our newsletter mailing list and send you emails in the future.
As part of the double opt‑in procedure, we store the date, time and your IP addresses both at the time of registration and at the time of confirmation. If you purchase goods or services on our website and provide your email address in the process, we may subsequently use this email address to send you what is known as an existing-customer newsletter. In such a case, the newsletter will only contain direct advertising for our own similar goods or services.
11.2 Purpose
Processing is carried out in order to offer the newsletter function and to send newsletter emails to subscribers and existing customers. The collection and storage of date, time and IP addresses during newsletter registration serves to document the consent given and to protect against the misuse of email addresses.
11.3 Legal basis
Processing of our subscriber newsletter is based on consent in accordance with Art. 6 para. 1 lit. a GDPR. Your consent is voluntary. The collection and storage of date, time and IP addresses during newsletter registration is necessary to safeguard the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Section 11.2.
Processing of our existing-customer newsletter is based on Art. 6 para. 1 lit. f GDPR to safeguard the overriding interests of the controller. Our legitimate interest lies in direct advertising to existing customers. This is permissible within the scope of Section 7 para. 3 UWG as observed by us.
11.4 Storage period and withdrawal of consent
If you do not confirm your newsletter registration within 24 hours of receiving the corresponding registration email, your data will be deleted automatically. We otherwise process your personal data for the duration of your newsletter subscription. You can end your subscription to our newsletter at any time by withdrawing your consent. You may also object at any time to the use of your email address for sending our existing-customer newsletter. A simple declaration is sufficient for this (by email to info@goki.eu or by post to Gollnest & Kiesel GmbH & Co. KG, Hauptstraße 13-16, 21514 Güster). Unsubscribing from the newsletter is also possible by clicking the unsubscribe link in each newsletter email. Once you withdraw your consent, you will no longer receive newsletters and your personal data will be removed from our active mailing list.
11.5 Recipients and transfer to third countries
To manage our newsletter mailing list and to send the emails, we use the services of the newsletter provider Mailchimp. This is done within the framework of order processing. Mailchimp is a service offered by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (hereinafter referred to as “Mailchimp”). When you register for the newsletter, the data provided during the registration process is transmitted to Mailchimp and processed on Mailchimp servers in the USA. Further information on data protection at Mailchimp can be found in the provider’s privacy policy at mailchimp.com/legal/privacy/.
12. SOCIAL NETWORKS
12.1 Description of processing
Our website does not use so‑called social media plugins. The logos of Facebook, Instagram, Pinterest and YouTube displayed on our website are merely linked to the respective profiles of our company on the social networks. No data is transmitted to the social networks by embedding the logos. If you click on one of the logos, you will simply be redirected to the external website of the respective social network.
However, our profiles within the social networks do constitute data processing. If you are logged in to the respective social network when you visit such a profile, this information will be assigned to your user account there. If you interact with our profile, for example by commenting on, “sharing”, “liking” or “retweeting” a post, this information will also be stored in your user account. As a rule, we can also view your interactions with our profile.
On the social networks Facebook and Instagram, we can obtain statistical data on the use of our Facebook page or our Instagram profile via the so‑called “Insights” function. These statistics are provided by Facebook or Instagram. The “Insights” function cannot be disabled. We cannot choose to enable or disable this function. It is available to all Facebook fan page operators and all operators of an Instagram business account, regardless of whether or not you use the Insights function.
Via Facebook Insights, we receive, for a selectable period and in anonymised form, the following data regarding fans, subscribers, reached persons and interacting persons: total number of page views, “likes” including origin, page activities, post interactions, reach, post reach (subdivided into organic, viral and paid interactions), comments, shared content, replies as well as demographic evaluations such as country of origin, gender and age. With the Insights statistics, it is not possible for us to identify subscribers and fans of our page and to view their profiles.
In addition, via Instagram Insights we receive anonymised data on the development and reach of our Instagram profile and the posts, stories and videos we publish there. We also receive statistical information in Instagram Insights on the place of origin, gender and age of the subscribers to our Instagram profile.
The social networks with which you interact store your data as usage profiles using pseudonyms and use them for advertising purposes and market research. For example, you may be shown advertising within the social network and on other third‑party websites that corresponds to your presumed interests. Cookies are generally used for this purpose, which are placed on your end device by the social network. You have the right to object to the creation of these user profiles, and you must contact the social networks directly to exercise this right.
12.2 Purpose
We maintain profiles on the aforementioned social networks for the purposes of public relations and corporate communication with customers and interested parties. We use the “Insights” function of Facebook and Instagram to evaluate the reach of our posts on the social network and to make them more attractive for our visitors in the future.
12.3 Legal basis
The legal basis for data processing in connection with our profiles on social networks is the protection of our overriding legitimate interests (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Section 12.2. Where you are asked for consent by the respective operator of a social network, the legal basis is Art. 6 para. 1 lit. a GDPR. Data processing in relation to our presence on Facebook and Instagram is otherwise carried out on the basis of joint controllership in accordance with Art. 26 GDPR.
12.4 Recipients and transfer to third countries
The respective social networks are operated by the companies listed below. Further information on data protection regarding our profiles on the social networks can be found in the linked privacy policies.
– Facebook: Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Privacy policies: www.facebook.com/policy.php; www.facebook.com/help/186325668085084, www.facebook.com/about/privacy/your-info-on-other#applications and www.facebook.com/about/privacy/your-info#everyoneinfo.
– Instagram: Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Privacy policy: help.instagram.com/155833707900388/.
– YouTube: YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA. YouTube is represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policies of YouTube/Google: www.google.com/policies/privacy/partners/?hl=de.
– Pinterest: Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland. Data may be transferred to and processed by the group company Pinterest Inc., 808 Brannan Street, San Francisco, California, 94103, USA. Further information on data protection at Pinterest can be found at policy.pinterest.com/de/privacy-policy. The social networks also process your personal data in the USA.
13. GOOGLE ANALYTICS
13.1 Description of processing
Our website uses “Google Analytics”, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). Google Analytics uses cookies (see Section 9), which enable an analysis of your use of our services. We use Google Analytics in the version “Universal Analytics” provided, which allows this analysis across devices by assigning data to a pseudonymous user ID.
The information generated by the cookies is usually transferred to a Google server in the USA and stored there. However, we use Google Analytics exclusively with IP anonymisation. This means that your IP address is shortened by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data.
The statistics created by Google Analytics record, in particular, how many users visit our website, from which country or place the access is made, which subpages are accessed and via which links or search terms visitors arrive at our website. The terms of use of Google Analytics can be found at www.google.com/analytics/terms/de.html. An overview of data protection at Google Analytics is available at www.google.com/intl/de/analytics/learn/privacy.html. Google’s privacy policy can be viewed at www.google.de/intl/de/policies/privacy.
13.2 Purpose
Processing is carried out in order to be able to evaluate the use of our website. The information obtained in this way serves to improve and design our online presence to meet demand.
13.3 Legal basis
Processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR. We obtain this via the consent tool (see Section 9.1). Such consent is voluntary.
13.4 Storage period and right to object, withdrawal of consent
We have explained the storage period and your control and setting options for cookies in Section 9.4. You can withdraw the consent you have given in relation to Google Analytics at any time with effect for the future in the settings of the consent tool. Alternatively, you can object to data processing by Google Analytics at any time by downloading and installing the browser add‑on offered by Google at tools.google.com/dlpage/gaoptout?hl=de. The analysis data processed and stored with Google Analytics is automatically deleted by us after 14 months.
13.5 Recipients and transfer to third countries
According to the German data protection supervisory authorities (Data Protection Conference), Google Analytics operates in joint controllership of data processing for us. Against this background, we have also concluded the “Google Measurement Controller-Controller Data Protection Terms” with Google. Google also processes your personal data in the USA.
14. FONT REPLACEMENT
When displaying our website, the standard fonts on your end device are replaced by fonts. This is done in order to present the text on our website in a more legible and aesthetically pleasing way. For font replacement, we have chosen a data protection‑friendly solution. We do not integrate external services such as Google Fonts or Adobe Fonts. Instead, we store the fonts to be used locally on our server. The advantage of this is that when our site is accessed, your browser does not send a request to external font replacement services and therefore no data – in particular your IP address in connection with the address of our website – is transmitted to third parties.
15. YOUTUBE
15.1 Description of processing
Our website uses services from “YouTube”, a video platform operated by YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA (hereinafter “YouTube”). YouTube is represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
We use YouTube by embedding individual videos from the platform on our website as so‑called iframes, so that they can be played directly on our website. The videos are embedded using the “extended data protection mode” offered by YouTube, which means that no personal data about you is transmitted to Google as long as you do not play the videos. It is only when you play a video that data is transmitted to Google, over which we have no control.
If you play an embedded video on a subpage of our website, Google is informed which subpage you have visited and which video you have viewed. Your IP address may also be transmitted to Google. If you are logged in as a YouTube or Google user at this time, Google assigns this information to your user account. Google stores your data as usage profiles and uses it for advertising purposes, market research and/or the demand‑oriented design of Google websites. You have the right to object to the creation of these user profiles, and you must contact Google directly to exercise this right. Further information on data protection at Google can be found at www.google.com/intl/de-DE/policies/privacy/.
15.2 Purpose
Processing is carried out in order to display videos to you on our website.
15.3 Legal basis
Processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR. We obtain this via the consent tool “Other” (see Section 9.1) or via a content blocker at the point on our website where a YouTube video is to be displayed. Such consent is voluntary.
15.4 Withdrawal of consent
You may withdraw your consent to the display of YouTube videos on our website at any time with effect for the future in the settings of the consent tool.
15.5 Recipients and transfer to third countries
By embedding YouTube, personal data may be transmitted to YouTube LLC and/or Google. Google also processes your personal data in the USA.
16. META PIXEL
16.1 Description of processing
Our website uses the remarketing service “Meta Pixel” (formerly “Facebook Pixel”), which is operated by Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, and Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (“Meta”).
Via Meta Pixel, we are able to display advertising on the social networks Facebook and Instagram that is precisely targeted at those Facebook/Instagram users who have shown an interest in our offer – for example by previously visiting our website. With the help of Meta Pixel, we can also track and evaluate the effectiveness and reach of our advertising on Facebook/Instagram by recording whether Facebook/Instagram users interact with our ads on the two social networks by clicking on the ads and being redirected to our website.
When you visit our website, a connection is therefore established to Meta’s servers and Meta Pixel is embedded in our website. In addition, Meta may store a cookie on your end device (see Section 9 above). If you are logged in to Facebook or Instagram, or log in to Facebook or Instagram at a later time, your visit to our website will be associated with your respective user account.
The data collected about you via Meta Pixel is anonymous to us. It does not provide us with any conclusions about your identity. However, Meta can make a connection to your user profile. Data processing by Meta is carried out in accordance with the company’s data policy, which can be accessed for Facebook at www.facebook.com/policy.php and for Instagram at privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect.
16.2 Purpose
Processing is carried out in order to conduct targeted online advertising for our own offers on Facebook and Instagram and to be able to evaluate its effectiveness and reach.
16.3 Legal basis
Processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR. We obtain this via the consent tool “Other” (see Section 9.1). Such consent is voluntary.
16.4 Storage period and right to object, withdrawal of consent
We have explained the storage period and your control and setting options for cookies/tracking pixels in Section 9. You can withdraw the consent you have given with regard to data collection by Meta Pixel and the use of your data to display Facebook ads at any time with effect for the future in the settings of the consent tool. www.facebook.com/settings?tab=ads
You can also object to data collection by Meta Pixel and the use of your data to display Facebook/Instagram ads to Meta at any time. Within the settings of your Facebook account at [www.facebook.com/settings?tab=ads, you can decide which types of ads are shown to you on Facebook. This setting is applied across devices.
16.5 Recipients and transfer to third countries
By integrating Meta Pixel, personal data may be transmitted to Meta. Meta also processes your personal data in the USA.
17. TRUSTED SHOPS
17.1 Description of processing
To display our Trusted Shops trustmark and the Trusted Shops products for buyers after an order, the Trusted Shops trustbadge is integrated on our website. The trustbadge is a service offered by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany.
When you visit the homepage of our website, a connection is established to the Trusted Shops servers and the trustbadge is loaded from the Trusted Shops servers and displayed within our website. When the trustbadge is accessed, the Trusted Shops server automatically stores a so‑called log file, which contains, for example, your IP address, date and time of access, amount of data transferred and the requesting provider (access data), and documents the access. According to Trusted Shops, this access data is not evaluated. Further personal data is transmitted to Trusted Shops only if you have consented to this, decide to use Trusted Shops products after completing an order or have already registered to use them. In this case, the contractual agreement concluded between you and Trusted Shops applies.
17.2 Purpose
Processing is carried out in order to promote our offer in an optimal way by using the Trusted Shops trustmark.
17.3 Legal basis
Processing is necessary to safeguard the overriding legitimate interests of the controller (Art. 6 para. 1 lit. f GDPR). Our legitimate interest lies in the purpose specified in Section 17.2.
17.4 Storage period
According to Trusted Shops, the data processed in connection with the trustbadge is automatically overwritten no later than seven days after the end of your visit to the website.
17.5 Recipients
By integrating the trustbadge, personal data may be transmitted to Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany.
18. GOOGLE TAG MANAGER
Our website uses “Google Tag Manager”, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). No personal data is collected and no cookies are set via Google Tag Manager. This service only enables us to integrate and manage tags on our website. Tags are small code elements on our website that help us, using other tools, to measure, for example, traffic and visitor behaviour, record the impact of online advertising and social channels, use remarketing and audience targeting, and test and optimise the website.
As a precaution, integration of Google Tag Manager is nonetheless based on consent in accordance with Art. 6 para. 1 lit. a GDPR, which is obtained via the consent tool “In‑house development” (see Section 9.1) and can also be withdrawn there. Further information on Google Tag Manager can be found at www.google.com/intl/de/tagmanager/use-policy.html.
19. PROCESSING OF APPLICATION DATA
19.1 Description of processing
We process the data you provide in connection with your application in order to assess your suitability for the position (or any other open positions in our company, where applicable) and to conduct the application process. This generally comprises your basic personal details (such as name, address and contact details), information on your professional qualifications and education, information on professional training, skills and abilities, as well as other information that you disclose to us in connection with your application. This is usually done by means of your cover letter, CV, references, correspondence, and information you provide by telephone or in person.
We wish to assess all applicants solely on the basis of their qualification and therefore ask you to refrain from providing “special categories of personal data” within the meaning of Art. 9 GDPR in your application as far as possible (for example a photo revealing ethnic origin, information about a severe disability, etc.). If your application contains such information, we ask that you send us a corresponding declaration of consent, otherwise your application cannot be considered.
If your application is successful, we will transfer your data to your personnel file and use it to carry out and terminate your employment relationship. If we are currently unable to offer you employment, we will continue to process your data even after sending the rejection in order to defend ourselves against possible legal claims, in particular due to alleged discrimination in the application process. If you are not selected for the advertised position, we will – provided we have your consent – include your data in our applicant pool.
19.2 Purpose
Processing is carried out to conduct the application process, to decide on the establishment of an employment relationship with us and to document compliance with legal requirements in the application process.
19.3 Legal basis
Data processing in connection with the application process is based on Section 26 para. 1 sentence 1 BDSG and Art. 6 para. 1 sentence 1 lit. b GDPR. If your application is successful, further data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR in conjunction with Art. 88 para. 1 GDPR in conjunction with Section 26 para. 1 BDSG for the purpose of establishing, implementing and terminating the employment relationship. If you have given your consent, for example to the inclusion of your data in our applicant pool, data processing is based on Art. 6 para. 1 sentence 1 lit. a GDPR. The legal basis for data processing after a rejection is, moreover, Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in defending against legal claims.
19.4 Storage period
If your application is successful, your data will become part of your personnel file and will be deleted in accordance with the regulations applicable to personnel files. If we are currently unable to offer you employment, we will continue to process your data for up to six months after sending the rejection. If we include your data in our applicant pool after completion of the application process, we will delete it in the event of a subsequent establishment of an employment relationship or, otherwise, two years after inclusion in the applicant pool.
19.5 Recipients, transfer of data to third parties and transfer to third countries
After receipt of your application, your applicant data is reviewed by the HR department. Suitable applications are then forwarded internally to the department managers responsible for the respective open position. The next steps are then coordinated. Within the company, only those persons have access to your data who require it for the proper conduct of our application process. Data is not transferred to third parties. Likewise, data is not transferred to third countries, nor is such transfer planned.
V. Security measures
20. Security measures
To protect your personal data from unauthorised access, we have equipped our website with an SSL or TLS certificate. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security” and encrypts the communication of data between a website and the user’s end device. You can recognise active SSL or TLS encryption by the small padlock icon displayed on the far left of the browser’s address bar.
VI. Your rights
21. Rights of data subjects
With regard to the data processing described above by our company, you have the following rights as a data subject:
21.1 Right of access (Art. 15 GDPR)
You have the right to obtain from us confirmation as to whether or not we are processing personal data concerning you. If this is the case, you have the right, under the conditions set out in Art. 15 GDPR, to obtain access to this personal data and the information listed in detail in Art. 15 GDPR.
21.2 Rectification (Art. 16 GDPR)
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and, where applicable, the completion of incomplete personal data.
21.3 Erasure (Art. 17 GDPR)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds listed in detail in Art. 17 GDPR applies, for example if your data is no longer necessary for the purposes we pursue.
21.4 Restriction of processing (Art. 18 GDPR)
You have the right to obtain from us restriction of processing where one of the conditions listed in Art. 18 GDPR applies, for example if you contest the accuracy of your personal data, processing will be restricted for a period enabling us to verify the accuracy of your data.
21.5 Data portability (Art. 20 GDPR)
Under the conditions set out in Art. 20 GDPR, you have the right to receive the data concerning you in a structured, commonly used and machine‑readable format.
21.6 Withdrawal of consent (Art. 7 para. 3 GDPR)
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal takes effect from the time it is asserted. In other words, it applies to the future. Processing does not become unlawful retroactively as a result of the withdrawal of consent.
21.7 Complaint (Art. 77 GDPR)
If you believe that the processing of personal data concerning you infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. You may exercise this right before a supervisory authority in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
21.8 Prohibition of automated decisions/profiling (Art. 22 GDPR)
Decisions which produce legal effects concerning you or similarly significantly affect you may not be based solely on automated processing of personal data, including profiling. We inform you that we do not use automated decision‑making, including profiling, in relation to your personal data.
21.9 Right to object (Art. 21 GDPR)
Where we process your personal data on the basis of Art. 6 para. 1 lit. f GDPR (for the protection of overriding legitimate interests), you have the right, under the conditions set out in Art. 21 GDPR, to object to such processing. However, this applies only if there are reasons arising from your particular situation. After an objection, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. We are also not obliged to stop processing if it serves the establishment, exercise or defence of legal claims. In any case – including regardless of a particular situation – you have the right to object at any time to the processing of your personal data for direct marketing purposes.
Status: November 2025