Protecting your data

Data protection policy

In this data protection policy we inform you about the personal data that we process when you visit our website, and the rights you have. We therefore request that you read the following in-formation carefully.

Personal data are all information related to an identified or identifiable natural person. They include your name, your address and communications data or your email address.

Process means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alter-ation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making availa-ble, alignment or combination, restriction, erasure or destruction.

Data subject is every identified or identifiable natural person whose personal data are processed by the controller.

Controller means the natural or legal person, public authority, agency or other body which, alone or joint-ly with others, determines the purposes and means of the processing of personal data.

User means all categories of persons affected by the data processing. They include our business part-ners and other visitors to our website.

For the terms used we also refer to the definitions in Art. 4 of the General Data Protection Reg-ulation (GDPR). Terms such as “user” are gender-neutral.

1. Name and address of the controller

Concardis GmbH

Helfmann-Park 7

65760 Eschborn, Germany

Phone: +49 69 7922-0

Fax: +49 69 7922-4500

Email: service@concardis.com,

Representatives of the controller are the managing directors Mark Freese, Jens Mahlke and Lu-ca Zanotti.

2. Data protection officer

You can contact our data protection officer by email at datenschutzbeauftrag-ter@concardis.com or by writing to our postal address for the attention of “The Data Protection Officer”.

3. Processing of personal data

3.1. Visiting our website

3.1.1. Scope of data processing

When you visit our website, your browser sends certain data to our webserver for technical rea-sons. This concerns the following data (known as server logfiles):

  • IP-address
  • Date and time of server request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Subject of request (specific page)
  • Operating system and access status / HTTP status code
  • Data volume transmitted
  • Website from which the request comes (“Referrer URL”)
  • Browser, language and version of browser software

3.1.2. Purpose of data processing

These data must be stored in log files to guarantee the website’s functionality. In addition, we use the data to optimize our website and to ensure the security of our information technology systems.

3.1.3. Legal basis for processing

We collect these data on the basis of our legitimate interest within the meaning of Art. 6 (1)f GDPR in order to display our website and ensure its security.

3.1.4. Duration of storage

Information in the logfiles is stored for security reasons (e.g. to investigate misuse or fraudu-lent activity) for a maximum of seven days and is then deleted. Data that must be retained as evidence is not deleted until the incident has been definitively clarified.

3.1.5. Objection and removal right

For technical reasons the collection of data is absolutely necessary for the provision of the website and their storage in logfiles is absolutely necessary for its operation. There is therefore no option for users to object.

3.2. Contact Forms

3.2.1. Scope of data processing

Contact forms are available on our website, which you are welcome to use to communicate electronically with us. When you make use of this opportunity, the data entered in the input mask are sent to us and processed. They consist of your title, first name, surname, business partner number, telephone number, email address, preferred means of contact and message text.

3.2.2. Purpose of data processing

We use the personal data from the input mask to process the contact request. The data are used to process the conversation, to respond to the request and to provide the required infor-mation.

Other data processed during the transfer process (e.g. date, time, IP-address) serve to prevent misuse of the contact form and ensure the security of our IT systems.

3.2.3. Legal basis for processing

When the contact form is used, the sender’s data are used to process the contact request in accordance with Art 6 (1)b GDPR.

3.2.4. Recipients of processing

When you contact us, your personal data are processed by the internal company functions re-sponsible for the respective request. We use a logistics provider to process the order as part of data processing by a processor in accordance with Art. 28 GDPR.

3.2.5. Duration of storage

When the contact request is an enquiry, the data are deleted as soon as they are no longer re-quired for the purpose for which they were collected. For the personal data from the input mask in the contact form and those sent by email, this is the case when the conversation with the user comes to an end. The conversation comes to an end when the circumstances suggest that the matter has been definitively clarified.

If you contact us as part of a contractual relationship or in the course of pre-contractual activities (e.g. to request an offer), the data are processed to execute the contract. The data stored by us are deleted as soon as they are no longer necessary for the purpose for which they were collected and there are no statutory record-keeping obligations that require them to be retained. Record-keeping obligations do exist under commercial and tax law, however. Data (e.g. accounting documents) are retained for 6 years in accordance with Section 257 para. 1 German Commer-cial Code (HGB) and for 10 years in accordance with Section 147 para. 1 Tax Code (AO) (e.g. accounting documents, commercial correspondence, tax-relevant documents).

3.2.6. Objection and removal right

You have the option of revoking your consent to the processing of your personal data. In this case the conversation cannot be continued. Please send your revocation of consent to ser-vice@concardis.com. In this case, all the personal data stored when you contacted us will be deleted, to the extent that no record-keeping obligations prevent us from doing so. Data pro-cessed in connection with an order or request for an offer are subject to record-keeping obliga-tions under commercial and tax law. There is therefore no option for users to object.

3.3. Portal for advertising material

3.3.1. Scope of data processing

You can order supplies and consumables (e.g. acceptance stickers for your business or im-printer payment slips) from our advertising material portal. If you are a new customer you must register before using the portal for the first time. This means we process the following data: ti-tle, business partner number*, first name*, surname*, email address*, password*. The fields marked * are obligatory.

3.3.2. Purpose of data processing

We process these data in order to provide you with supplies and consumables as part of our contract.

3.3.3. Legal basis for processing

The data are processed to provide contractual services. The legal basis for this processing is Art. 6(1)(b) GDPR.

3.3.4. Recipients of processing

The data are processed by our responsible internal function. This is the Customer Service de-partment.

3.3.5. Duration of storage

The data are processed to execute a contract. The data stored by us are deleted as soon as they are no longer necessary for the purpose for which they were collected and there are no statuto-ry record-keeping obligations that require them to be retained. Record-keeping obligations do exist under commercial and tax law, however. Data (e.g. accounting documents) are retained for 6 years in accordance with Section 257 para. 1 German Commercial Code (HGB) and for 10 years in accordance with Section 147 para. 1 Tax Code (AO) (e.g. accounting documents, commercial correspondence, tax-relevant documents).

3.3.6. Objection and removal right

Data processed in connection with an order for advertising material are subject to record-keeping obligations under commercial and tax law. There is therefore no option for users to ob-ject.

3.4. Paymentletter

3.4.1. Scope of data processing

You can subscribe to a Paymentletter on our website. If you decide to do so, we process the following data: title, business partner number, first name, surname, email address, sector. For registration it is sufficient for you to tell us your name and email address.

We only send payment letters with the consent of recipients. This entails the use of a double opt-in procedure. After subscribing for the payment letter you receive an email in which you have to confirm your subscription. We use this procedure so that no one can subscribe using someone else’s email address. We log subscriptions to the payment letter to document the subscription process in line with the statutory requirements. The data include the date, time and IP address at the time of subscription.

The Paymentletter contain a “web beacon”, i.e. a pixel-sized file that is retrieved by the server of our mailing service provider when the Paymentletter is opened. When it is retrieved, tech-nical information about the browser and the IT system used are collected, as are the IP-address and the time of retrieval. This information is used to improve services using technical data or target groups and their reading patterns by means of retrieval locations (which can be deter-mined with the help of the IP-address) or access times. The analytical data gathered also in-cludes whether the Paymentletter is opened, when it is opened and which links are clicked. For technical reasons we are able to attribute this information to individual subscribers. Neither we nor our service providers intend to observe individual recipients of the payment letter, however. The analysis rather helps us to identify the reading patterns of our subscribers and adapt our contents to them or to send different contents depending on their interests.

3.4.2. Purpose of data processing

We send payment letters for advertising purposes, in order to inform our subscribers about products, offers and promotions from our company.

3.4.3. Recipients of data processing

Your data are processed by our Marketing department when you subscribe for the Paymentletter.

The payment letter is distributed by an external provider, Campaign Monitor, which is operated by Campaign Monitor Pty Ltd, 404/3-5 Stapleton Ave, Sutherland NSW 2232, Sydney, Australia.

Campaign Monitor offers extensive analytical options relating to how the payment letter is opened and used. These analyses are group-based and are not used by us to analyse individ-ual recipients of the payment letter. Further information about Campaign Monitor and data pro-tection at the provider Campaign Monitor can be found at  https://www.campaignmonitor.com/policies/.

By its own account, Campaign Monitor can use these data in pseudonymised form, i.e. without attribution to a user, in order to optimise or improve its own services, e.g. for the technical op-timisation of mailing and layout of the payment letter or for statistical purposes, to determine which countries the recipients come from. The mailing service provider does not used the data of our subscribers to write to them itself, however, or to pass them on to third parties.

3.4.4. Legal basis for processing

We send payment letters with the consent of recipients. The legal basis for this is Art. 6(1)(a) GDPR.

The use of the mailing service provider Campaign Monitor, the statistical data gathering and analysis and the logging of the subscription process take place on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR, which consist of operating a user-friendly, cost-effective and secure payment letter system.

3.4.5. Duration of storage

We store the personal data given when you subscribe to the payment letter until you revoke your consent.

3.4.6. Objection and removal right

If you no longer want to receive our payment letter you can cancel the subscription at any time and so revoke your consent. At the end of the payment letter you will find a cancellation link. Alternatively you can send an email to Paymentletter@concardis.com. When you cancel your subscription to the newsletter, your personal data will be deleted.

3.5. Cookies

3.5.1. Scope of data processing

Our website uses cookies. Cookies are small text files that are stored on your computer when you visit our website. Cookies do no harm to your computer and contain no malware, such as viruses. Cookies contain a unique string of characters that uniquely identifies the user’s brows-er when the user returns to the website. Some elements of our website make it necessary for the browser to be identified after changing pages. This website uses transient and persistent cookies.

a) Transient cookies are deleted automatically when you close the browser. They particularly include the session cookies. These store a session ID, with which various requests by your browser can be attributed to a joint session. When you return to our website, your computer can be recognised. The session cookies are deleted when you log out or close the browser.

b) Persistent cookies are deleted automatically after a defined period, which can vary from one cookie to another. You can delete the cookies at any time in the security settings of your browser.

3.5.2. Purpose of data processing

We use cookies to make our website attractive and user-friendly, to improve it and to expedite enquiries. Some elements of our website make it necessary for the browser to be identified af-ter changing pages. For these it is necessary to recognise the browser after the page has been changed. They include our bookmark function for downloading information brochures, for in-stance.

3.5.3. Legal basis for data processing

The legal basis for the processing of personal data using the technically necessary cookies is Art. 6(1)(f) GDPR.

3.5.4. Duration of storage

Session cookies are deleted as soon as the browser is closed.

Persistent cookies are deleted automatically after a defined period.

3.5.5. Objection and removal right

You as the user have full control over the use of cookies. You can alter the settings in your in-ternet browser so that cookies are not stored at all or are deleted automatically at the end of your session. To do this, select the option “accept no cookies” in your browser settings. In Mi-crosoft Internet-Explorer you select  "Extras > Internet options > Data protection > Setting"; In Firefox you select "Extras > Settings > Data protection > Cookies"); If you use another internet browser, please use its help function to find instructions on how to prevent and delete cookies.

You should be aware, however, that in this case you may not be able to use all the functions of our website.

3.6. Google Analytics

3.6.1. Scope of data processing

On our website we use Google Analytics, a web analytics service from Google Inc., 1600 Am-phitheatre Parkway, Mountain View, CA 94043, United States (“Google”).

Google analyses your use of our website on our behalf. To do this we use cookies and other methods. What cookies are and how they can be deleted is described in the chapter “Cookies” above.

The information collected by Google about your use of our website (e.g. the pages you visit) are sent to a Google server in the USA, stored there, analysed and the results sent to us in anonymised form.

On our website we use the IP-anonymisation offered by Google. This means that Google will abbreviate the IP address prior to sending within the member states of the European Union or other signatories of the treaty creating the European Economic Area. Only in exceptional cas-es will the full IP address be sent to a Google server in the USA and be abbreviated there.

Google is certified in the EU-US Privacy Shield, which guarantees a reasonable level of data protection for data stored with Google in the USA.

3.6.2. Purpose of data processing

Google uses this information on our behalf to analyse the use of our website and to compile reports on activities within our website. This enables us to improve your online experience and make our website more user-friendly.

3.6.3. Legal basis for processing

Our legitimate interest in data processing by Google Analytics lies in the purposes described above. The legal basis for this processing is Art. 6(1)(f) GDPR.

3.6.4. Duration of storage

Sessions and campaigns are deleted at the end of a defined period. The default setting is for sessions to be ended after 30 minutes without activity and campaigns after six months. The time limit for campaign storage may be up to 26 months.

3.6.5. Objection and removal right

The IP address communicated by your browser will not be merged with other data from Google. You can prevent cookies being stored by setting your browser software accordingly, as described in the chapter “Cookies” above. Besides taking this step, you can prevent the da-ta generated by the cookie related to your use of this website (including your IP address) from being sent to and processed by Google by downloading and installing the browser plug-in available here: https://tools.google.com/dlpage/gaoptout?hl=de.

If you want to prevent your data from being collected in future by Google Analytics when you visit our website via various devices (especially mobile devices such as smartphones or tab-lets), you must opt out on all the systems you use. This opt-out cookie will be set when you click on the link below:

Deactivate Google Analytics

Please note that this opt-out cookie only prevents web analytics for as long as it has not been deleted. Further information on Google Analytics can be found in Google Analytics Terms of Use, in den Security and Data Protection Principles of Google Analytics and in the Google Da-ta Protection Policy.

3.7. Google AdWords

3.7.1. Scope of data processing

We use Google AdWords to attract attention to our products and services on external websites by means of advertising. These adverts are supplied by Google using “ad servers”. They entail the use of ad server cookies, which measure certain parameters, such the number of times the adverts are displayed and clicked by users. When you come to our website via a Google ad-vert, Google AdWords stores a cookie on your computer. We have described above what cookies are and how they can be deleted. These cookies enable Google to recognise your in-ternet browser. If a user visits certain pages on the website of an AdWords customer and the cookie stored on their computer has not yet expired, Google and the customer can see that the user has clicked on the advert and was referred to this page. A different cookie is assigned to each AdWords customer. Cookies can therefore not be tracked across the websites of Ad-Words customers. We do not collect or process any personal data in the advertising activities mentioned. We only receive statistical analyses from Google. We can use these analyses to identify which of our advertising activities are particularly effective. We do not receive any fur-ther data from the use of advertising material; in particular we cannot identify users on the ba-sis of this information.

Your browser uses the marketing tools that we deploy to establish a direct connection to the Google servers. We have no control over the scope and further use of the data that Google collects by means of this tool and so inform you to the best of our knowledge: By the use of AdWords conversion, Google is informed that you have retrieved the corresponding section of our website or have clicked on one of our adverts. Insofar as you are registered with a Google service, Google can attribute the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider finds out and stores your IP-address.

3.7.2. Purpose of data processing

We can determine how successful the individual advertising activities are in relation to the data from advertising campaigns. Our interest is to show you advertising that interests you, to make our website more interesting for you and to enable the fair calculation of advertising costs.

3.7.3. Legal basis for processing

The data processing serves our legitimate interest in targeting our adverts. The legal basis for this processing is Art. 6(1)(f) GDPR.

3.7.4. Duration of storage

These cookies generally expire after 30 days and are not intended to identify you personally. The metrics stored with this cookie are generally the unique cookie ID, the frequency of ad im-pressions, the last impression (relevant for post-view conversations) and opt-out information.

3.7.5. Objection and removal right

There are various ways for you to avoid taking part in this tracking method: a) by setting your browser software accordingly; denying third-party cookies means that you do not receive any adverts from third-party advertisers; b) by deactivating cookies for conversion tracking by setting your browser so that cookies from the domain “www.googleadservices.com” are blocked, https://www.google.de/settings/ads, whereby this setting is deleted when you delete your cookies; c) by deactivating the interest-based adverts from those advertisers who are part of the self-regulation campaign “About Ads” www.aboutads.info/choices, whereby this setting is deleted when you delete your cookies; d) by permanently deactivating it in your Firefox, Internet Explorer or Google Chrome browser under the link http://www.google.com/settings/ads/plugin.

You can find further information about data protection at Google here: www.google.com/intl/de/policies/privacy and services.google.com/sitestats/de.htm l. Alternatively you can visit the website of the Network Advertising Initiative (NAI) at www.networkadvertising.org. Google complies with the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

3.8. Google Remarketing

3.8.1. Scope of data processing

In addition to Adwords Conversion we use the application Google Remarketing (“Google-Marketing-Services”) from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”).

This is a procedure with which we can address you again. This application enables our adverts to be shown to you after you have visited our website, in the course of your further internet use. This takes place by means of cookies stored in your browser, which track and analyse your usage patterns when you visit various websites. What cookies are and how they can be deleted is described above. With the help of these cookies we can analyse user behaviour dur-ing visits to our website and then use it for targeted product recommendations and interest-based advertising.

So Google can determine your last visit to our website. By Google’s own account, the data gathered in the course of remarketing is not merged with your personal data which may be stored by Google. In particular, Google uses pseudonymisation for its remarketing.

For these purposes, Google directly executes a code when our website and other websites on which Google marketing services operate are retrieved and (re)marketing tabs (invisible graphics or code, also known as web beacons) are embedded in the website. They store an in-dividual cookie, i.e. a small file, on the user’s device. Similar technologies may also be used instead of cookies. This file records which websites the user visits, which contents they are in-terested in and which offers they click on, as well as technical information about the browser and operating system, referrer websites, visiting times and other information on the use of the online offering. The users’ IP-address is also tracked, whereby we notify users that Google An-alytics abbreviates the IP-address within the member states of the European Union or other signatories of the treaty creating the European Economic Area and only in exceptional cases sends them in full to a Google server in the USA, where they are then abbreviated. The IP-address is not merged with the user’s data within other Google products and services. Google may connect the preceding information with information from other sources. If you visit a web-site in the Google advertising network after visiting our website, you may be shown adverts with contents from our website.

Google is certified under the Privacy Shield and so guarantees to comply with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

3.8.2. Purpose of data processing

Google uses this information on our behalf in order to guide previous users of our website back to our website and to approach them with interest-based advertising.

3.8.3. Legal basis for processing

The basis for the processing of the data is the currency of the legitimate interests of Concardis (i.e., interest in the analysis, optimisation and economic operation of our online services within the meaning of Art. 6(1)(f) of the GDPR).

3.8.4. Duration of storage

Sessions and campaigns are deleted at the end of a defined period. The default setting is for sessions to be ended after 30 minutes without activity and campaigns after six months. The time limit for campaign storage may be up to 26 months.

3.8.5. Objection and removal right

If you do not want browser cookies to be used at all, you can adjust your browser settings so that cookies are not accepted. Please note that, in this case, you may not be able to use our website, or may only be able to use certain functions. How to deactivate cookies in your browser is described in the chapter Cookies.

Further information on the use of data for marketing purposes by Google is available from the website: https://www.google.com/policies/technologies/ads; Google’s data protection policy is available from  https://www.google.com/policies/privacy.

If you wish to object to interest-based advertising by Google Marketing Services, you can use the settings and opt-out options offered by Google: http://www.google.com/ads/preferences.

4. Data security

We take technical, contractual and organisational measures to ensure the state-of-the-art securi-ty of data processing. We ensure that the provisions of data protection legislation, particularly the General Data Protection Regulation, are adhered to and that the data processed by us are protected against destruction, loss, alteration and unauthorised access. These security measures also include the encrypted transmission of data between your browser and our serv-ers. Please note that for transfers via the internet, the SSL encryption is only activated when the key symbol appears in the lower menu bar of your browser window and the address begins with . The SSL technology (Secure Sockets Layer) uses encryption to protect the data being transferred from illegal third-party access. If this option is not available you can decide not to send us certain data via the internet.

All the information you send us is stored and processed on our servers in the Federal Republic of Germany.

5. Collaboration with processors and third parties

Data are only transferred to third parties within the framework of statutory provisions. We only transfer user data to third parties when necessary, e.g. for contractual purposes pursuant to Art. 6(1)(b) or on the basis of our legitimate interest in the economical and effective operation of our business pursuant to Art. 6(1)(f) GDPR.

To provide our services we use processors as defined in Art. 28 GDPR, particularly for the op-eration, maintenance and hosting of the website and IT systems. We have taken the appropriate legal precautions and corresponding technical and organisational measures to ensure the pro-tection of personal data in accordance with applicable statutory provisions.

6. Transfers to third countries

When we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in connection with third-party services, it only takes place to perform our (pre-)contractual obligations, with your consent, on the basis of a legal obliga-tion or in our legitimate interests. In these cases we process the data subject to the conditions of Art. 44 et seq. GDPR, i.e. on the basis of special guarantees, such as the Privacy Shield or standard contractual clauses.

7. Social Media Plug-Ins

We embed external services and contents in our website. Via the plug-in we give you the op-portunity to interact with social networks and other users, so that we can improve our offering and make it more interesting for you as a user. The legal basis for the use of these plug-ins is Art. 6(1) sentence 1(f) GDPR.

When we use such services or display third-party contents, communication data such as data, time and IP-address are exchanged between you and the respective provider. This particularly entails your IP-address, which is required to display contents in your browser.

It may be that the provider of the respective services or contents process your data for their own, additional purposes. Since we have no influence over the data collected by third parties and their processing by them, we cannot provide any binding information on the purpose and scope of their processing of your data. For further information about the purpose and scope of data collection and processing, you should therefore consult the data protection policies of the providers responsible under data protection law for the services and contents embedded by us. Here you will also find further references to data processing and opt-out options.

We use the following social media plug-ins: Facebook, Google +, Twitter, XING, LinkedIn and Youtube. You can identify the provider of the plug-in by means of the mark on the box over its first letter or its logo. We give you the opportunity to communicate directly with the provider of the plug-in via the button. When you click on the marked field and so activate it, the plug-in provider receives information that you have retrieved the corresponding webpage of our online offering.

By activating the plug-in, your personal data are sent to the plug-in provider and stored there (for US providers in the USA). Since the plug-in provider mainly uses cookies to gather data, we advise you to delete all cookies via the security settings of your browser before you click on the greyed-out box.

We neither have control over the data collected and the data processing, nor do we know the full extent of data collection, the purposes of processing or the retention periods. We also have no information about deleting the data collected by the plug-in provider.

The plug-in provider stores the data collected about you as a user profile and uses this for the purposes of advertising, market research and/or for the design of its website. Such use takes place particularly (also for users who are not logged in) to present interest-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the compilation of this user profile, whereby you must address the respec-tive plug-in provider to exercise it.

Data are transferred regardless of whether you have an account with the plug-in provider or are logged in there. If you are logged in with the plug-in provider, the data gathered from our web-site is ascribed directly to your account with the plug-in provider. When you click the active but-ton and link the page for example, the plug-in provider stores this information in your user ac-count and shares it with your public contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, since this enables you to avoid the data being added to your profile with the plug-in provider.

Further information about the purpose and scope of data collection and processing by the plug-in provider can be found in the data protection policies of these providers, links to which are provided below. There you will also find further information about your rights and optional settings to protect your privacy.

Addresses of the respective plug-in providers and URL with data protection policies:

Plug-ins from the social network Facebook are integrated in our pages (Facebook Ireland Limited, Hanover Reach, 5–7 Hanover Quay, Dublin 2, Ireland). The Facebook plug-ins can be recognised by the Facebook logo or the ‘Like’ button (‘Gefällt mir’) on our site. An over-view of Facebook plug-ins can be found here: http://developers.facebook.com/docs/plugins/ .

When you visit one of our pages that has this plug-in, your browser establishes a direct connection with the Facebook servers. The content of the plug-in is sent directly by Face-book to your browser, which embeds it in the website. This sends Facebook the information that you have visited that particular page of our website. If you are logged in to Facebook, it can assign your visit to your Facebook account. If you interact with the plug-ins – by click-ing on the ‘Like’ button or by posting a comment, for example – your browser will send this information directly to Facebook where it will be stored. As this communication takes place directly, we are not aware of the data that is sent. For information about the purpose and ex-tent of data collection, further processing and use of the data by Facebook as well as your rights and optional settings to protect your privacy, please refer to Facebook’s data protec-tion policy at http://de-de.facebook.com/privacy/explanation.php .

8. Your rights

When we process your personal data you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and have the following rights to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

9. Changes to the data protection policy

We reserve the right to amend the data protection policy to adapt it to changes in the law or if services and data processing should change. This only applies to statements on data pro-cessing, however. To the extent that the consent of users is required or elements of the data protection policy include provisions from the contract with users, these changes will only take place with the agreement of the users.

Please consult the data protection policy on a regular basis.

Data protection information

 

 

 

For card payments (direct debit/girocard/credit cards) we work with Concardis GmbH (Concardis), Helfmann Park 7, D-65760 Eschborn, represented by its managing directors Mark Freese, Jens Mahlke and Luca Zanotti.

In this context, card data are transferred to the above company in addition to the purchase amount and date. All payment data, as well as data on any chargebacks, are only stored for as long as necessary to process the payment (including processing of any chargebacks and collection of the receivable) and to combat fraud. Data are generally deleted no later than 13 months after collection.

Data may be stored for longer if and for as long as necessary to comply with statutory regulations or to prosecute a concrete case of fraud. The legal basis for data processing is Art. 6 para. 1 f) General Data Protection Regulation. You can request information about your data, ask for it to be rectified or deleted and for processing to be restricted and/or you can withhold your consent to the processing of your data.

If you have any questions about data processing by Concardis or to exercise your aforementioned rights, you can write to the data protection officer at the address provided above or by email to Datenschutzbeauftragter@concardis.com. Furthermore, you have the right to complain to a supervisory authority (in Germany to the state data protection officer).

You are advised that you have no statutory or contractual obligation to provide your payment data. If you do not wish to provide your payment data you can choose another payment method (e.g. cash).