Data protection notice
W. Neudorff GmbH KG (hereinafter also referred to as “Controller”) takes the protection of personal data very seriously and complies with the relevant data protection provisions, in particular the regulations of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Below are the specific details of what data we process regarding the use of our website.
I. General Information
1. Scope of data processing
We collect and use the personal data of our users categorically only to the extent that this is required to provide a functional website as well as the contents of our website and our services. We only collect and use the personal data of our users if the processing of the data is permitted by virtue of statutory provisions or following the consent of the user.
2. Legal basis for data processing
To the extent that we obtain the consent of the user for the processing of personal data on our website, Art. 6 (1) (a) GDPR is the legal basis for the processing of personal data.
The legal basis for the processing of personal data required for the performance of a contract where the contracting party is the user is Art. 6 (1) (b) GDPR. This also applies to processing operations that are required to fulfil a quasi-contractual legal obligation or pre-contractual measures.
Where the processing of personal data is required for the compliance with a legal obligation which we are subject to, Art. 6 (1) (c) GDPR is the legal basis for the processing.
If the processing is required for the protection of a legitimate interest of our company or of a third party and if the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest, Art. 6 (1) (f) GDPR provides the legal basis for the data processing (so-called balancing of interests).
In addition, there are other legal bases for the processing of personal data, which we are specifically listing below, insofar as they are relevant.
3. Storage period
The personal data of the users is deleted or locked, as soon as the purpose of the storage no longer exists. For log files, the storage period is 30 days. The data can also be stored where this has been intended by the European or national legislature in EU regulations, laws or other provisions governing our company. The data can also be locked or deleted when a storage period specified by one of the above-mentioned standards expires, unless there is a requirement for the continued storage of the data to conclude or perform a contract.
4. Disclosure of personal data
If we pass on personal details, we do so exclusively to service providers and partner companies who are supporting us to achieve the above-mentioned purposes. These companies are only permitted to use your personal details as so-called processors to fulfil their tasks on our behalf and are obligated to comply with the appropriate data protection regulations. The processors used by us are:
- Web service provider
- Hosting provider
- Distribution partner
Apart from these circumstances, however, your personal details will not be passed to third parties.
5. Place of data processing
The personal data stored by you is processed in the countries of the European Economic Area as well as in countries outside the Agreement on the European Economic Area. The fact that the required appropriate level of data protection is ensured may in particular result from a so-called “Adequacy Decision” by the European Commission, the so-called “EU Standard Contractual Terms” or, in the case of recipients in the USA, from compliance with the principles of the so-called “EU-US Privacy Shield”.
II. Processing of Personal Data on the Website
1. Availability of the website and creation of log files
a) Description of data processing
Each time our website is called up, our system automatically captures data and information from the computer system of the calling computer.
At the same time, the following data is collected:
- Information about the browser type and the version used
- The user’s operating system
- The internet service provider of the user
- The user’s IP address
- Date and time of the access
- Websites from which the user’s system was directed to our website
- Websites which are called up by the user’s system via our website
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
b) Legal basis for the data processing
The legal basis for the temporary storage of the data is Art. 6 (1) (f) GDPR.
c) Purpose of data processing
The temporary storage of the IP address by the system is required to enable the delivery of the website to the computer of the user. For this, the IP address of the user must be stored for the duration of the session.
Our legitimate interest in processing the data also lies in these objectives, in accordance with Art. 6 (1) (f) GDPR.
d) Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose of being collected. If the data was captured for the availability of the website, the data is deleted after 30 days.
e) Option to object and eliminate
The capture of the data for the availability of the website and the storage of the data in log files is mandatory for the operation of the website. The user therefore does not have the option to object.
2. Contact form and e-mail contact
a) Description of data processing
Our website contains a contact form, which can be used to contact us by electronic means. If a user chooses this option, the data entered in the input screen is transmitted to us and stored. The mandatory fields are:
- E-mail address
The user also has the option to provide further optional information in the input screen.
Alternatively, we can be contacted by e-mail. In this case, the personal data of the user transmitted with the e-mail is stored.
The data is not passed on to third parties in this connection. The data is used solely for the processing of the conversation.
b) Legal basis for the data processing
The legal basis for the processing of the data is Art. 6 (1) (f) GDPR. If the purpose of the e-mail is the conclusion of a contract or a quasi-contractual legal obligation, an additional legal basis for the processing is Art. 6 (1) (b) GDPR.
c) Purpose of data processing
The processing of the personal data from the input screen serves merely for the processing of the contact. If contact is established, therein also lies the required legitimate interest in the processing of the data.
d) Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose of being collected. Regarding the personal data from the input screen of the contact form and those which were sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation has ended when, due to the circumstances, it can be assumed that the matter has been completed.
e) Option to object and eliminate
3. Competitions, promotions
a) Description of data processing
We occasionally organise competitions/promotions on our website. If a user chooses this option, the data entered in the input screen for the competition is transmitted to us and stored. Such data usually consists of:
- First name and last name
- E-mail address
- if appropriate, further details, which are identified as mandatory or optional
b) Legal basis for the data processing
The legal basis for the processing of the data is Art. 6 (1) (b) GDPR.
c) Purpose of data processing
The processing of the personal data from the input screen serves merely for the running of the competition or the promotion.
d) Duration of storage
The data is deleted as soon as it is no longer required to achieve the purpose of being collected. This is often the case with competitions when the winners have been determined and the prizes have been dispatched. Further details about the competition can be found in the respective terms and conditions of participation.
e) Option to object and eliminate
1. Description of data processing
a) Cookies that are required for technical reasons
• Log-in information
b) Cookies that are not required for technical reasons, third-party cookies
We also use cookies on our website which are not necessary for technical reasons, but which enable us in particular to analyse the surfing behaviour of the users. The following data can be transmitted in this manner:
• Use of the website functions
The following cookies, which are not required for technical reasons, are so-called third-party cookies:
• Frequency at which pages are viewed (Matomo)
• Frequency at which pages are viewed (Google Analytics)
• Measuring of advertising success (Google Conversion Tracking)
c) Information on changing the browser setting
The majority of browsers are set up so that you accept cookies automatically. The user can prevent the storage of cookies on his computer with the appropriate browser settings, whereby the range of functions of our website may, however, be restricted.
2. Legal basis for the data processing
The legal basis for the processing of personal data is Art. 6 (1) (a) GDPR, if the user has given his consent to this effect.
3. Purpose of data processing
Cookies that are not required for technical reasons and third-party cookies are used to improve the quality of our website and its contents. By way of analysis cookies we learn how the website is being used and we therefore can continuously optimise our online offering.
The user data collected by cookies on our website are not used to create user profiles.
Our legitimate interest in the processing of the personal data in accordance with Art. 6 (1) (f) GDPR lies also in the above-mentioned purposes.
4. Period of storage, option to object and eliminate
IV. Links to Social Networks, Social Plugins
a) Social plugins
Our online offering is complemented by the official presence of Neudorff in the following social networks:
- Facebook (Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA)
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
- Google+ (Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA)
- YouTube (a service provided by Google Inc., 901 Cherry Avenue, San Bruno, CA 94066, USA)
- Twitter (Twitter, Inc., 1355 Market Street, San Francisco, CA 94103, USA)
- WhatsApp (WhatsApp Ireland Ltd., 4 Grand Canal Square, Dublin 2, IR)
Visitors to our website can access these sites via links. The links are indicated on our website by the respective logo of the relevant social network.
- Facebook: www.facebook.com/about/privacy
- Instagram: www.instagram.com/about/legal/privacy/
- Google+: www.google.com/intl/de/policies/privacy/
- YouTube: www.youtube.com/t/privacy
- Twitter: https://twitter.com/de/privacy
- WhatsApp: https://www.whatsapp.com/legal/#privacy-policy
b) Integration of YouTube Videos
On our website, we use the service provider YouTube for the integration of videos. YouTube is a service provided by Google Inc. with headquarters at 901 Cherry Avenue, San Bruno, CA 94066, USA. We use integrated YouTube videos in the so-called enhanced data protection mode, i.e. YouTube does not store any data about the users of our website unless the users view the video. If the YouTube video is clicked, this may trigger further data processing operations (e.g. the storing of cookies by YouTube) over which Neudorff does not have any influence. To find out more information concerning the purpose and extent of the collection and use of data by YouTube as well as your rights and setting options for protection as a YouTube customer, please refer to the YouTube data protection notice (www.youtube.com/t/privacy).
Use of Google Maps
Our website uses Google Maps of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA to display maps. When our website is called up, your browser establishes a direct connection with the Google servers. Please note that Neudorff does not have any information about the actual extent and content of the processing of data by Google. It has to be assumed that at least the IP address will be collected and used. For further information about the extent of the processing of your personal data by Google as well as setting options for the protection of your privacy, please refer to the Google data protection notice (www.google.com/intl/de_de/policies/privacy/).
VI. Analysis tools and marketing
Our website uses the web analysis tool “Matomo” (formerly Piwik). The analysis of user behaviour is important, as the demand for content can be analysed in this way and the online offering can be optimised.
Our legitimate interest in processing the data also lies in these objectives.
The legal basis for the processing of personal data with the use of web analysis tools in the present form is Art. 6 (1) (f) GDPR.
The user data collected within the scope of Matomo are not used to create user profiles.
Supplementary notes on the use of Matomo
If you do not wish usage information from your visit to be stored and evaluated, then you can stop this process of storage and use at any time by a mouse click. This will store a so-called opt-out cookie in your browser, which will prevent Matomo from collecting any usage information. Please be aware that deleting your cookies will also delete the opt-out cookie. In this event you will have to reactivate it.
Preventing data gathering by Matomo
2. Google Analytics
This website uses functions of the web analysis service Google Analytics. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
Google Analytics uses so-called "cookies". These are text files stored on your computer that enable an analysis of your activity on the website. The information generated by the cookie about your usage of this website is usually sent to one of Google's servers in the USA and stored there.
The storage of Google Analytics cookies and use of this analytical tool are based on Article 6 (1) (f) GDPR. The website operator has a legitimate interest in analysing user behaviour for the optimisation of its website as well as its advertising.
We have activated the IP anonymisation function on this website. As a result, your IP address will be truncated by Google within member states of the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. Your full IP address will be transmitted to a Google server in the USA and truncated there only in exceptional cases. Google will use this information on behalf of this website’s operator to evaluate your use of this website, to create reports about the website activities, and to provide additional services connected with the website and internet use to the website operator. The IP address transmitted from your browser by Google Analytics is not combined with other Google data.
You can prevent the storage of cookies by selecting the appropriate settings in your browser; however, we would like to point out that in such cases you might not be able to use all of the functions of this website to their full extent. In addition, you may prevent the transmission of the data created by the cookie in relation to your use of this website (including your IP address) to Google, and the processing of such data by Google, by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
Objection to data capture
You can prevent the capture of your data by Google Analytics by clicking on the following link. This will install an opt-out cookie that will prevent your data being captured when you visit this website in the future: Disabling Google Analytics.
We have concluded an agreement with Google for contract processing and fully implement the rigorous regulations of German data protection authorities in the use of Google Analytics.
Demographic features in Google Analytics
This website uses the Google Analytics “demographics feature” function. As a result, reports can be produced that contain statements on the age, gender and interests of web page visitors. These data originate from interest-based advertising by Google as well as visitor data of third-party providers. Such data cannot be matched to a specific person. You can deactivate this function at any time via the advert settings in your Google account, or generally disallow the collection of your data by Google Analytics as outlined in the “Objection to Data Collection” section.
User and event data stored at Google which are linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising IDs), are anonymised or deleted after 14 months. You can find details on this on the following link: https://support.google.com/analytics/answer/7667196?hl=de
3. Google Analytics Remarketing
Our websites use Google Analytics Remarketing functions in conjunction with the cross-device functions of Google AdWords and Google DoubleClick. It is operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
This feature allows the linking of advertising target markets created with Google Analytics Remarketing to the cross-device functions of Google AdWords and Google DoubleClick. In this way, interest-based, personalised advertising messages that have been customised based on your prior usage and web-surfing activities on an end device (e.g. mobile phone) may also be displayed on your other end devices (e.g. tablet or PC).
If you have provided your consent, Google will link your web and app browsing history to your Google account for this purpose. In this way, the same personalised advertising messages may appear on any device you sign in to with your Google Account.
To support this feature, Google Analytics collects users’ Google-authenticated IDs which are temporarily linked to our Google Analytics data in order to define and create target markets for cross-device advertising.
You may permanently opt out of cross-device Remarketing/Targeting by turning off personalised advertising in your Google Account; to do so, follow this link: https://www.google.com/settings/ads/onweb/.
The pooling of the collected data in your Google account is based solely on your consent which you may submit to Google or revoke (Article 6 (1) (a) GDPR). For data collection operations that are not collated in your Google account (i.e. because you do not have a Google account or have objected to such collation), the collection of data is based on Art. 6 (1) (f) GDPR. The legitimate interest arises from the fact that the website operator has an interest in the anonymous analysis of its website visitors for advertising purposes.
4. Google AdWords and Google Conversion-Tracking
This website uses Google AdWords. AdWords is an online advertising program of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”).
We use “conversion tracking” as part of Google AdWords. When you click on an ad run by Google, a conversion tracking cookie is placed. Cookies are small text files that the internet browser stores on the user’s computer. These cookies expire after 30 days and are not used to personally identify users. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user has clicked on the ad and been redirected to this page.
Each Google AdWords customer receives a different cookie. The cookies cannot be tracked through the websites of AdWords clients. The information gathered using conversion cookies helps to generate conversion statistics for AdWords clients who have opted for conversion tracking. Clients are informed of the total number of users that click on their advertisement and have been redirected to a page with a conversion tracking tag. They do not, however, obtain any information that can be used to identify users personally. If you do not want to participate in tracking, you may easily opt-out of this use by disabling the Google Conversion Tracking cookie via your internet browser under user preferences. You will not be included in the conversion tracking statistics.
The storage of “conversion cookies” and use of this tracking tool are based on Article 6 (1) (f) GDPR. The website operator has a legitimate interest in analysing user behaviour for the optimisation of its website as well as its advertising.
You can set your browser such that you are informed when cookies are added to your system and to only allow cookies in specific cases. You can also choose to not accept cookies either in specific circumstances or in general, and you can enable the automatic deletion of cookies when you close your browser. The functionality of this website may be restricted if cookies are deactivated.
5. ConsumerFlow Analytics
Our website uses the features of ConsumerFlow, a statistics and analysis service for websites. This service is provided by make better GmbH, Roeckstraße 15, 23568 Lübeck, Germany.
These features allow anonymised user data to be collected, evaluated and stored for marketing, market research and optimization purposes.
The data collected as part of the ConsumerFlow service will not be used to personally identify the website visitor without the specific consent of the person concerned.
All information generated by cookies through the ConsumerFlow service and concerning your website usage is stored on a server owned by make better GmbH in Germany in a detached database.
Above mentioned cookies remain on your device for a maximum of 6 months or until you delete them.
The storage of cookies and the use of this analysis tool are based on Art. 6 (1) (f) GDPR. make better GmbH as website operator has a legitimate interest in the anonymous analysis of user behavior in order to optimize both our website and our advertising.
The storage of cookies can be prevented by corresponding settings in your browser software ("Do not track"). Likewise, you can prevent the future storage and processing of your data by objecting to the collection of your anonymized visitor data under the URL apps.make-better.de/consumerflow/opt-out.
An opt-out cookie for this website is stored on your device. Please do not delete this cookie as long as your objection against data collection remains.
A data processing agreement between us and make better GmbH has been concluded. All data protection measures required by the German data protection authorities are fully met and implemented when using ConsumerFlow.
VII. Rights of data subjects
If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights against the Controller:
1. Right of access
You have the right to obtain confirmation from the controller as to whether or not personal data concerning you is being processed by us.
If this is the case, you can request the following information from the Controller:
- The purposes of the processing of your personal data;
- the categories of personal data that is being processed;
- the recipients or categories of recipient to whom the personal data concerning you has been or will be disclosed;
- the envisaged period for which the personal data concerning you will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data concerning you or restriction of processing or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- all available information as to the source of the data, where the personal data is not collected from the data subject;
- the existence of automated decision-making, including profiling, in accordance with Art. 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information on whether personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed about the appropriate safeguards in accordance with Art. 46 GDPR in connection with the transfer.
2. Right to rectification
You have the right to obtain from the controller the rectification and/or completion, if the processed personal data concerning you is inaccurate or incomplete. The Controller shall carry out the correction immediately.
3. Right to restriction of processing
You can request the restriction of processing the personal data concerning you when one of the following applies:
- you are contesting the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer requires the personal data for the purposes of the processing, but you require the personal data for the establishment, exercise or defence of legal claims, or
- you have objected to the processing in accordance with Art. 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.
Where processing of the personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
If the processing was restricted under the above-mentioned conditions, you shall be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Duty of erasure
You have the right to request from the controller the immediate erasure of personal data concerning you, and the controller has the obligation to immediately erase such data if one of the following grounds applies:
- The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based according to Art. 6 (1) (a), or Article 9 (2) (a) GDPR, and there is no other legal ground for the processing.
- You object to the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Art. 21 (2) GDPR.
- The personal data concerning you has been unlawfully processed.
- The personal data concerning you has to be erased for compliance with a legal obligation in accordance with EU law or the law of a Member State to which the controller is subject.
- The personal data concerning you has been collected in relation to the offer of information society services in accordance with Art. 8 (1) GDPR.
b) Information to third parties
If the controller has made the personal data concerning you public and is obliged in accordance with Art. 17 (1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, such personal data.
c) Exceptions to the duty of erasure
The right to erasure does not exist where the processing is required
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing by EU law or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
5. Right to Notification
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the latter is obliged to notify all recipients to whom the personal data has been disclosed of the rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about those recipients.
6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit such data to another controller without hindrance from the controller to which the personal data has been provided, if
- the processing is based on consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR, including profiling based on these provisions.
The controller shall no longer process the personal data unless the controller can demonstrate compelling legitimate grounds worthy of protection for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.
If the personal data concerning you are processed for the purpose of direct advertisement, you have the right to object at any time to the processing of the personal data concerning you for such purposes; this also applies to profiling, where it is connected to such direct advertisement.
If you object to the processing for direct marketing purposes, the personal data concerning you shall no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the option to exercise your right to object by automated means using technical specifications.
8. Right to withdraw the consent pursuant to data protection law
You have the right to withdraw your consent pursuant to data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply, if the decision
- is necessary for entering into, or the performance of, a contract between you and the controller,
- is permitted by EU law or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
- is based on your explicit consent.
However, these decisions must not be based on special categories of personal data in accordance with Article 9 (1), unless Article 9 (2) (a) or (g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
With regard to the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes this Regulation.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy in accordance with Art. 78 GDPR.
VIII. External links
Controller within the meaning of the GDPR and other national data protection laws of EU Member States as well as of other data protection provisions is:
W. Neudorff GmbH KG
An der Mühle 3
The full legal notice can be found here: https://www.neudorff.de/en/informationen/disclosure.html
XI. Contact details of the Data Protection Officer
The contact details of the Data Protection Officer for the Controller are:
Thomas Werning, firstname.lastname@example.org
As of: July 2019