Data Privacy

I. Name and address of controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection regulations is the company:

Dr. Spiller GmbH
Voglinger Straße 11
83313 Siegsdorf
Germany
Phone: +49 8662 4984-0
Fax: +49 8662 4984-7000
E-Mail: info@dr-spiller.com
Website: www.dr-spiller.com

 

II. Name and address of data protection officer

The data protection officer of the controller is:

Lukas W. Mempel
LS-IP Loth & Spuhler Intellectual Property Law
Partnerschaft von Rechtsanwälten mbB
Garmischer Straße 35
81373 Munich
Germany
Phone: +49 89 48 90 250
Fax: +49 89 48 90 2510
E-Mail: info@ls-ip.com
Website: www.ls-ip.com

 

III. General information on data processing

1. Extent of processing of personal data

We collect, store and use personal data of visitors to our website (users) and customers only to the extent necessary to provide a functional website as well as our contents and services. The collection and use of personal data of our users, customers and business partners takes place regularly only after their respective consent. An exception applies in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal provisions. If you have given us your explicit consent, your personal data will be stored beyond the business transaction and used for personal information about our products or campaigns as well as for internal evaluations and analyses (internal evaluation of order processes, mailing of advertising).

 

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 (1) lit. a GDPR serves as the legal basis for the processing of personal data.

In the processing of personal data necessary for the performance of a contract to which the data subject is a contracting party, Art. 6 (1) lit. b GDPR serves as legal basis. This also applies to processing operations that are necessary in order to carry out pre-contractual measures.

Insofar as the processing of personal data is necessary for the compliance with a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as legal basis.

In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR serves as legal basis.

If the processing is necessary for the protection of a legitimate interest pursued by our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the interest mentioned first, Art. 6 (1) lit. f GDPR serves as legal basis for the processing.

 

3. Data deletion and storage period

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned legal provisions expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

 

4. SSL encryption

Our website uses SSL encryption for security reasons and to protect the transmission of confidential contents, such as orders or requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line.

When the SSL encryption is activated, the data that you transmit to us cannot be read by third parties.

 

IV. Provision of the website and creation of log files

1. Description and extent of data processing

Every time you access our website, our system automatically collects data and information from the computer system of the accessing computer.

The following data are collected:

  1. IP address of the user
  2. date and time of access

The data are also stored in the log files of our system. These data are not stored together with other personal data of the user.

We use carefully selected external service providers for the provision of our website and the associated processing of your personal data. These service providers are currently the company Profihost AG (host provider of the website), the company Waldohr e.U. (IT support) and the company elio GmbH (system administration website).

These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.

 

2. Legal basis for data processing

The legal basis for the temporary storage of the data and log files is Art. 6 (1) lit. f GDPR.

 

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this purpose, the IP address of the user must remain stored for the duration of the session.

The data are stored in log files to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. The data are not analysed for marketing purposes in this context.

Our legitimate interest in the data processing pursuant to Art. 6 (1) lit. f GDPR also resides in these purposes.

 

4. Storage period

The data will be deleted as soon as they are no longer needed to achieve the purpose for which they were collected. If the data are collected for the provision of the website, this is the case when the respective session has ended.

If the data are stored in log files, this is the case after one month at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated so that an assignment of the accessing client is no longer possible.

 

5. Possibility of objection and removal

The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

 

V. Use of cookies

1. Description and extent of data processing

If you have explicitly consented to the use of cookies, cookies will be used on our website. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user accesses a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic character string that allows a clear identification of the browser when the website is accessed again.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a change of page.

The following data are stored and transmitted in the cookies:

  1. general browser identification
  2. IP address

When accessing our website, the user is informed about the use of cookies and his or her consent to the processing of the personal data used in this context is obtained. In this context, reference is also made to the present Data Privacy Statement.

 

2. Legal basis for data processing

The legal basis for the processing of personal data by using technically necessary cookies is Art. 6 (1) lit. f GDPR.

 

3. Purpose of data processing

The purpose of the use of cookies is to facilitate the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these it is necessary that the browser is recognized even after a change of page.

The user data collected through cookies are not used for the creation of user profiles.

Our legitimate interest in the processing of the personal data pursuant to Art. 6 (1) lit. f GDPR also resides in these purposes.

 

4. Storage period, possibility of objection and removal

You can avoid the use of cookies by not consenting to the use of cookies.

Cookies are stored on the user’s computer and transmitted by the latter to our website. Therefore, you as user have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies that are already stored can be deleted at any time. This can also take place automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

In addition, you can prevent cookies from being stored by means of an appropriate setting in your browser software; however, please note that if you do this you may not be able to use all functions of this website in their entirety. You can also prevent the collection and transmission of the data generated by the cookie and relating to your use of the website (including your IP address) to Google as well as the processing of these data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

 

VI. Newsletter

1. Description and extent of data processing

If you register on our website as a business customer and provide your email address, we may subsequently use this address for the mailing of a newsletter. In such a case, only direct advertising for similar goods or services of our company will be sent through the newsletter.

In the course of the registration process, your consent will be obtained for the processing of the data and reference will be made to this Data Privacy Statement.

In connection with the data processing for the mailing of newsletters, the following persons and/or companies have access to the data: the company Profihost AG (host provider of the website), the company Waldohr e.U. (IT support), the company elio GmbH (system administration website), the commercial agent Anton Schmidkunz (in case of registrations from Bavaria) and the company Dr. Spiller Ges. mbH (in case of registrations from Austria or Switzerland).

The data are only used for the mailing of the newsletter.

 

2. Legal basis for data processing

The legal basis for the processing of the data after registration for the newsletter by the business customer is Art. 6 (1) lit. a GDPR if the business customer has given his or her consent.

 

3. Purpose of data processing

The collection of the e-mail address of the business customer serves to deliver the newsletter.

 

4. Storage period

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. The e-mail address of the business customer will therefore be stored for as long as the subscription to the newsletter is active.

 

5. Possibility of objection and removal

The subscription to the newsletter can be terminated by the business customer concerned at any time. For this purpose, an appropriate link is provided in each newsletter.

 

VII. Registration

1. Description and extent of data processing

On our website we offer the possibility to register as a business customer by providing personal data. The data are entered into an input mask and are transmitted to us and stored.

 

a. Registration as business customer

In the case of registration as a business customer, the following data are collected in the course of the registration process:

  1. surname, first name
  2. company
  3. address
  4. phone number
  5. fax number
  6. e-mail address
  7. VAT identification number

At the time of registration, the following data are stored additionally:

  1. IP address
  2. date and time of registration

In the course of the registration process, the consent of the business customer to the processing of these data is obtained.

 

b. Transmission of personal data

In the context of the registration process and the associated processing of your personal data, we use carefully selected external service providers. These service providers are currently the company Profihost AG (host provider of the website), the company Waldohr e.U. (IT support), the company elio GmbH (system administration website), the commercial agent Anton Schmidkunz (in case of registrations from Bavaria) and the company Dr. Spiller Ges. mbH (in case of registrations from Austria or Switzerland).

These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.

If we receive an inquiry regarding sales outlets of Dr. Spiller products, you agree that we may pass on the following data to the person making the inquiry:

  1. surname, first name
  2. company
  3. address
  4. phone number
  5. fax number
  6. e-mail address
  7. website

 

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR if the business customer has given his or her consent.

 

3. Purpose of data processing

A registration of the business customer serves primarily the authentication as a Dr. Spiller customer. After the successful verification, specific contents and services (download portal, advertising media, trainings, online shops etc.) are made available to the business customer on our website.

A registration of the business customer is necessary for the performance of a contract with the business customer or in order to carry out pre-contractual measures.

Business customers can order products on our website. These products will be sent to the business customer after our acceptance of the offer. The collection of surname, first name, company and address is required to process the respective order.

The phone number, fax number and e-mail address are collected to be able to contact the business customer, e.g. for queries or to answer questions of the business customer.

Regarding business customers, the collection of the VAT identification number pursuant to Section 14a (1) UStG [Value Added Tax Act] is required.

 

4. Storage period

The data collected in the course of the registration process are deleted when the registration on our website is removed or changed.

 

5. Possibility of objection and removal

As a business customer you have the possibility to cancel the registration at any time. You can change the data stored about you at any time in the “My Account” section, or delete your account. With the confirmation of your e-mail address and password your account on our website will be deleted.

If the data are required for the performance of a contract or in order to carry out pre-contractual measures, advance deletion of the data is only possible to the extent that contractual or statutory obligations do not prevent deletion.

 

VIII. Ordering and conclusion of contract after completed registration

1. Description and extent of data processing

Once you have registered as a business customer on our website, it is possible to order and purchase products through our online shop.

The following additional data are collected and stored when an order is entered and processed:

  1. products
  2. price
  3. order date
  4. order time
  5. invoice date
  6. delivery date
  7. payment method with any bank details (direct debit, PayPal)
  8. type of device

We use carefully selected external service providers for the entering and processing of an order and the associated processing of your personal data. For orders from Germany, these service providers are currently the company DBH Logistics (shipping), the company UPS (shipping), the tax consulting firm Walter Kramp (tax-related processing), the accounting firm Marlene Loichinger (accounting), the company Profihost AG (host provider of the website), the company Waldohr e.U. (IT support), the company elio GmbH (system administration website), Mr. Forster (system administrator EAP-System), the commercial agent Anton Schmidkunz (in case of registrations from Bavaria) and the company Dr. Spiller Ges. mbH (in case of registrations from Austria or Switzerland).

These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.

 

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR if the business customer has given his or her consent.

If the data are processed for the performance of a contract, with the business customer as contracting party, or in order to carry out pre-contractual measures, the additional legal basis for the processing of the data is Art. 6 (1) lit. b GDPR.

 

3. Purpose of data processing

The products are dispatched to the business customer after our acceptance of the order. The collection of surname, first name, company and address is required to process the respective order.

The phone number, fax number and e-mail address are collected to be able to contact the business customer, e.g. for queries or to answer questions of the business customer.

Regarding business customers, the collection of the VAT identification number pursuant to Section 14a (1) UStG [Value Added Tax Act] is required.

 

4. Storage period

The data of a specific order (products, price, order date and order time, invoice date, delivery date) are deleted ten years after full processing of the order.

The customer data (surname, first name, company, address, phone number, fax number, e-mail address, VAT identification number and all other data stored at the time of registration) will be deleted ten years after full processing of the last order.

 

IX. Use of Google reCAPTCHA

1. Description and extent of data processing

We also use Google reCAPTCHA on our website. The provider of this program is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google reCAPTCHA is used to check whether the data entry on our website is done by a person or by an automated program. For this purpose, Google reCAPTCHA analyses the behaviour of the visitor to the website on the basis of various characteristics. This analysis starts automatically when the website visitor accesses the website. For analysis purposes, Google reCAPTCHA evaluates various information (e.g. IP address, the time the website visitor stays on the website or the mouse movements made by the user). The data collected in the course of the analysis are transmitted to Google.

The reCAPTCHA analyses run completely in the background. Visitors to the website are not informed that an analysis is taking place.

 

2. Legal basis for data processing

The data processing takes place on the basis of Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in protecting its websites from abusive automated spying and SPAM.

 

3. Purpose of data processing

The purpose of the data processing is to protect our website from abusive automated spying and SPAM.

 

4. Further information

Further information on Google reCAPTCHA and the privacy statement of Google can be found under the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html.

 

X. Use of Google Analytics

1. Description and extent of data processing

If you have explicitly consented to the use of Google Analytics, this website uses functions of the web analysis service Google Analytics. This service is provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics uses text files, known as "cookies", which are stored on your computer and allow an analysis of your use of the website. The information generated by the cookie concerning your use of this website is, as a rule, transmitted to a Google server in the United States and stored there.

We have activated the IP anonymisation function on this website. This will cause your IP address to be shortened by Google within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area before being transmitted to the USA. The full IP address will only be transmitted to a Google server in the USA and stored there in exceptional cases. Upon request of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on the website activities and to provide further services related to the use of the website and Internet in relation to the website operator. The IP address transmitted by your browser in the context of Google Analytics will not be collated with other Google data.

More information on the handling of user data at Google Analytics can be found in the privacy statement of Google: https://support.google.com/analytics/answer/6004245?hl=de.

We concluded an agreement on commissioned data processing with Google and fully implement the strict requirements of the German data protection authorities in connection with the use of Google Analytics.

 

2. Legal basis for data processing

Google Analytics cookies are stored with your consent on the basis of Art. 6 (1) lit. a GDPR.

 

3. Purpose of data processing

The purpose of data processing is to optimize both our website and our advertising.

 

4. Possibility of objection and removal

You can avoid the use of Google Analytics by not giving your consent to the use of Google Analytics.

In addition, you can prevent cookies from being stored by means of an appropriate setting in your browser software; however, please note that if you do this you may not be able to use all functions of this website in their entirety. You can also prevent the collection and transmission of the data generated by the cookie and relating to your use of the website (including your IP address) to Google as well as the processing of these data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

You can prevent the collection of your data by Google Analytics by clicking on the link below. An opt-out cookie is set which prevents the collection of your data on future visits to this website: deactivate Google Analytics

 

XI. Use of Google Web Fonts

1. Description and extent of data processing

Our website uses so-called Web Fonts provided by Google to uniformly display fonts. When you access a page, your browser loads the required Web Fonts into your browser cache to display texts and fonts correctly.

For this purpose, the browser you are using must establish a connection to the servers of Google. As a result, Google becomes aware that our website has been accessed via your IP address.

If your browser does not support Web Fonts, a default font is used by your computer.

 

2. Legal basis for data processing

The use of Google Web Fonts takes place in the interest of a uniform and appealing presentation of our online offers. This constitutes a justified interest within the meaning of Art. 6 (1) lit. f GDPR.

 

3. Purpose of data processing

The purpose of data processing is to present our online offers in a uniform and appealing manner.

 

4. Further information

Further information on Google Web Fonts can be found under https://developers.google.com/fonts/faq and in the privacy statement of Google: https://www.google.com/policies/privacy/.

 

XII. Use of Social Media Plugins

1. Description and extent of data processing

If you have in each case explicitly consented to their use, our website uses the following plugins:

  1. YouTube; operator of the website is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA;
  2. Google+, operator of the website is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;
  3. Facebook, operator of the website is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland;
  4. Instagram, operator of the website is Instagram LLC, 1601 Willow Rd, Menlo Park, CA 94025, USA;
  5. Twitter, operator of the website is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland;
  6. Pinterest, operator of the website is Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland;
  7. XING, operator of the website is XING SE, Dammtorstraße 30, 20354 Hamburg, Germany;
  8. LinkedIn, operator of the website is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

When you visit our website and explicitly consent to the transmission of your personal data, a connection is established to the servers of the aforementioned websites. The respective server is informed which of our web pages you have visited.

When you are logged into your respective YouTube, Google+, Facebook, Instagram, Twitter, Pinterest, XING and/or LinkedIn Account, you enable the operator of the respective website to assign your surfing behaviour directly to your personal profile.

 

2. Legal basis for data processing

The use of YouTube, Google+, Facebook, Instagram, Twitter, Pinterest, XING and LinkedIn takes place with your consent on the basis of Art. 6 (1) lit. a GDPR.

 

3. Purpose of data processing

The use of YouTube, Google+, Facebook, Instagram, Twitter, Pinterest, XING and LinkedIn takes place in the interest of an appealing presentation of our online offers.

 

4. Further information

Further information on the handling of user data can be found in the following privacy statements:

  1. YouTube: https://policies.google.com/privacy?hl=de&gl=de data policy Google
  2. Google+: https://policies.google.com/privacy?hl=de&gl=de data policy Google
  3. Facebook: https://www.facebook.com/privacy/explanation
  4. Instagram: https://help.instagram.com/519522125107875?helpref=page_content
  5. Twitter: https://twitter.com/de/privacy#update
  6. Pinterest: https://policy.pinterest.com/de/privacy-policy
  7. XING: https://privacy.xing.com/de/datenschutzerklaerung
  8. LinkedIn: https://www.linkedin.com/legal/privacy-policy?_l=de_DE

 

5. Purpose of data processing

The purpose of data processing is to optimize both our website and our advertising.

 

6. Possibility of objection and removal

You can prevent the respective operator of the aforementioned websites from assigning your surfing behaviour directly to your personal profile by not consenting to the transmission of these data.

When you are logged into your respective YouTube, Google+, Facebook, Instagram, Twitter, Pinterest, XING and/or LinkedIn Account, you enable the operator of the respective website to assign your surfing behaviour directly to your personal profile. You can also prevent this by logging out of your respective YouTube, Google+, Facebook, Instagram, Twitter, Pinterest, XING and/or LinkedIn Account.

 

XIII. Contacting, ordering and/or other initiation of business by e-mail, letter or telephone

1. Description and extent of data processing

As an alternative to registering on our website, you can also contact us and/or place an order by e-mail, letter or telephone. In this case, your personal data transmitted by e-mail, letter or telephone will be stored. The same applies in the event that we obtain goods and/or services from you.

We use carefully selected external service providers for the entering and handling of an order and a contract with which we obtain goods and/or services from you and the associated processing of your personal data. These service providers are currently the company DBH Logistics (identity check for sanctions lists), the company UPS (shipping), the tax consulting firm Walter Kramp (tax-related processing), the accounting firm Marlene Loichinger (accounting), Mr. Forster (system administrator EAP-System), the commercial agent Anton Schmidkunz (in case of first contact or customer orders from Bavaria) and the company Dr. Spiller Ges. mbH (in case of orders from Austria or Switzerland).

These service providers may process the personal data exclusively on our instructions for the purposes specified by us on the basis of an agreement on commissioned data processing pursuant to Art. 28 GDPR and have been obliged to comply with the applicable data protection regulations.

Any other use of the data is not permitted. The data will be processed exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in a Contracting State to the Agreement on the European Economic Area.

 

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 (1) lit. a GDPR if the data subject has given his or her consent.

The legal basis for the processing of the data transmitted by e-mail, letter or telephone in the course of establishing contact is Art. 6 (1) lit. f GDPR. If an order is concerned or the e-mail, letter or telephone call aims at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) lit. b GDPR.

 

3. Purpose of data processing

The processing of the personal data from the e-mail, the letter or the telephone call serves us solely to process the establishment of contact. This also constitutes the necessary legitimate interest in the processing of the data.

If an order is placed, it is necessary to collect surname, first name, company and address to process the order in question.

The collection of phone number, fax number and e-mail address is necessary to be able to contact you, e.g. for queries or to answer questions.

Regarding business customers, the collection of the VAT identification number pursuant to Section 14a (1) UStG is required.

The collection of the birthday takes place for the clear determination of the respective person and for making an inquiry about the legal capacity. In addition, the birthday is collected in order to be able to send birthday wishes to the respective person.

 

4. Storage period

The data collected in case of a pure contacting (without order) will be deleted when the respective conversation is terminated. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.

The data of a specific order (products, price, order date and order time, invoice date, delivery date) are deleted ten years after full processing of the order.

The customer data (surname, first name, company, address, phone number, fax number, e-mail address, VAT identification number and all other data stored at the time of registration) will be deleted ten years after full processing of the last order.

The business partner data (surname, first name, company, address, phone number, fax number, e-mail address, VAT identification number and all other data stored at the time of registration) will be deleted ten years after full processing of the last order.

 

5. Possibility of objection and removal

You have the possibility to revoke your consent to the processing of personal data at any time. If you have contacted us by e-mail, letter or telephone, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued.

The revocation of the consent and the objection to storage can be addressed by e-mail, letter or telephone to the contact details indicated under item I. of the present Data Privacy Statement.

All personal data stored in the course of contacting and/or ordering will be deleted in this case.

XIV. Use of the messenger service Threema Work

1. Description and extent of data processing

In order to communicate with our business partners, we use inter alia the messenger service Threema Work. The provider of this messenger service is the company Threema GmbH, Churerstraße 82, 8808 Pfäffikon SZ, Switzerland. By consenting to the present Data Privacy Statement, you consent to the use of the messenger service Threema Work and the processing of personal data as described below.

We collect and store the e-mail address and the Threema ID of the business customer for the communication via the messenger service Threema Work. In addition, the personal data of the business customer transmitted in the course of this communication are stored.

In the context of this communication, Threema Work is granted access to the data that are the subject of the communication.

 

2. Legal basis for data processing

The legal basis for the processing of personal data within the scope of the communication with our business customers via the messenger service Threema Work is Art. 6 (1) lit. a GDPR if the business customer has given his or her consent.

 

3. Purpose of data processing

The processing of personal data serves us solely to establish contact with you or to answer your questions.

 

4. Storage period

The personal data transmitted in the course of a communication will be deleted when the respective conversation with the business customer is terminated. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.

The e-mail address and the Threema ID of the business customer will be deleted ten years after full processing of the last order.

 

5. Further information

Further information on Threema Work and the privacy statement of Threema GmbH can be found under the following links:

  1. https://work.threema.ch/de/nutzungsbedingungen
  2. https://work.threema.ch/de/datenschutzerklaerung

 

6. Possibility of objection and removal

As a business customer you have the possibility to revoke the consent to the use of Threema Work and the associated processing of personal data at any time.

The revocation of the consent can be addressed via Threema Work, e-mail, letter or telephone to the contact details indicated under item I. of the present Data Privacy Statement.

All personal data stored in the course of the communication via Threema Work will be deleted by us in this case.

 

XV. Rights of the data subject

If your personal data are processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to the controller:

 

1. Right of access

You shall have the right to obtain from the controller confirmation as to whether personal data relating to you are being processed by us.

If this is the case, you shall have the right to obtain from the controller access to the following information:

  1. the purposes for which the personal data are processed;
  2. the categories of personal data that are processed;
  3. the recipients or categories of recipient to whom the personal data relating to you have been or will be disclosed;
  4. the envisaged period for which the personal data relating to you will be stored, or, if specific information is not possible, the criteria used to determine that period;
  5. the existence of the right to rectification or erasure of the personal data relating to you, the right to restriction of processing by the controller or the right to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. any available information as to the source of the data where the personal data are not collected from the data subject;
  8. the existence of automated decision-making, including profiling, according to Art. 22 (1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

You shall have the right to obtain information as to whether the personal data concerning you are transferred to a third country or to an international organisation. In this context you can request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

 

2. Right to rectification

You shall have the right to obtain from the controller rectification and/or completion if the processed personal data concerning you are inaccurate or incomplete. The controller has to make the rectification without undue delay.

 

3. Right to restriction of processing

Under the following conditions, you may request that the processing of personal data relating to you be restricted:

  1. you contest the accuracy of the personal data relating to you for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of the use of the personal data instead;
  3. the controller no longer needs the personal data for the purposes of processing, but they are required by you for the establishment, exercise or defence of legal claims, or
  4. you have objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.

In case the processing of the personal data relating to you has been restricted, such data may – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing was restricted according to the aforementioned conditions, you will be informed by the controller before the restriction of processing is lifted.

 

4. Right to erasure

a. Obligation to erase

You shall have the right to request from the controller the erasure of personal data relating to you without undue delay and the controller has the obligation to erase such data without undue delay if one of the following grounds applies:

  1. the personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. you withdraw consent on which the processing is based according to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR and there is no other legal ground for the processing;
  3. you object to the processing according to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing according to Art. 21 (2) GDPR;
  4. the personal data relating to you have been unlawfully processed;
  5. the personal data relating to you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data relating to you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

 

b. Information to third parties

If the controller has made the personal data concerning you public and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

 

c. Exception

The right to erasure does not exist to the extent that processing is necessary

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with Art. 9 (2) lit. h and i as well as Art. 9 (3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims.

 

5. Right to notification

If you have asserted the right to rectification, erasure or restriction of processing in relation to the controller, the latter is obligated to communicate said rectification or erasure of the data or restriction of processing to each recipient to whom the personal data relating to you have been disclosed, unless this proves impossible or involves disproportionate effort.

You shall have the right in relation to the controller to be informed about these recipients.

 

6. Right to data portability

You shall have the right to receive the personal data relating to you, which you have provided to the controller, in a structured, commonly used and machine-readable format. In addition, you shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

  1. the processing is based on consent pursuant to Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) lit. b GDPR; and
  2. the processing is carried out by automated means.

In exercising this right, you shall also have the right to have the personal data relating to you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected hereby.

The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

7. Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data relating to you which is based on Art. 6 (1) lit. e or f GDPR; this also applies to profiling based on those provisions.

The controller shall no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

If personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

 

8. Right to revocation of declaration of consent under data protection law

You shall have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

9. Automated individual decision-making, including profiling

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

  1. is necessary for entering into, or performance of, a contract between you and the controller,
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. is based on your explicit consent.

However, these decisions must not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in (1) and (3), the controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

 

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

Version 1.0, May 2018