Data Privacy Statement

 

This Data Privacy Statement explains the nature, scope and purpose of the processing of personal data (hereinafter “Data”) within our website and its associated web pages, functions and content as well as within our external online profiles, including our social media profiles on Facebook, Twitter and Instagram (hereinafter collectively referred to as “Online Offering”). In regard to the terms and concepts used within this Data Privacy Statement, e.g. “personal data” or the “processing” of this personal data, we ask you to refer to the definitions in Art. 4 of the EU General Data Protection Regulation (GDPR).

Data controller for the content of this website:
Ole Fahnick
Telephone: 06221-7356767
Email: info@drummersblog.de

Types of Data We Process:
Contact data
Content data
Contractual data
Payment data
Usage data
Meta/Communication data

Processing of Special Categories of Data (Art. 9 (1) GDPR):
We do not process any special categories of data.

Categories of Data Subjects Affected by this Data Processing:
Prospective visitors to and users of our Online Offering
Current visitors to and users of our Online Offering
Data subjects are hereinafter collectively referred to as “Users”.

Purpose of Processing:
Provision of the Online Offering and its content and functions.
Marketing, advertising and market research.
Performance of contractual services and provision of customer care
Responding to contact requests and communicating with Users.

As at: 25 May 2018

1. Legal Basis
Pursuant to the provisions of Art. 13 EU GDPR, we are required to disclose the legal basis underlying our data processing practices. Insofar as this legal basis is not specifically referred to within the privacy statement, the following applies: The legal basis for obtaining permissions is Art. 6 (1) lit. a and Art. 7 GDPR; the legal basis for the processing of data for providing our services, implementing contractual measures and answering queries is Art. 6 (1) lit. b GDPR; the legal basis for the processing of data for fulfilling our contractual obligations is Art. 6 (1) lit. c GDPR and the legal basis for the processing of data for securing our legitimate interests is Art. 6 (1) lit. f GDPR. In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Art. 6 (1) lit. d GDPR applies as the legal basis.

2. Changes and Updates to the Data Privacy Statement
We ask you to check back regularly for changes to the content of this Privacy Statement. We will adjust the Privacy Statement whenever changes to our data processing practices require it. We will notify you as soon as your involvement (e.g. your consent) is required as a result of these changes, or when personal notification becomes necessary for other reasons.

3. Security Measures
In accordance with the provisions of Art. 32 GDPR, we pursue appropriate technical and organisational measures to guarantee a level of protection commensurate to the nature and extent of the risk, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of data processing, as well as the probability and severity of the risk to the rights and freedoms of natural persons. Measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling not only physical access to the data, but also the retrieval, input, disclosure, availability and separation of data. Further to this, we have established procedures to protect the exercise of data subject rights, the right to data deletion and the response to data threats. We also take the protection of personal data into account when developing and/or selecting hardware, software and procedures in accordance with the principle of data protection by design and default (Art. 25 GDPR). Our security measures include the encrypted transfer of data between your browser and our server.

4. Cooperation with Contracted Data Processors and Third Parties
4.1. Insofar as we disclose, transfer or otherwise grant access to data to other persons and companies (contracted data processors or third parties) within the scope of our data processing, this will occur on the basis of legal authorisation (e.g. when a transfer of the data to third parties such as payment providers is required for the performance of a contract pursuant to Art. 6 (1) lit. b GDPR), on the basis of your consent, where we have a legal obligation to do so or on the basis of our legitimate interests (e.g. in the engagement of agents, web hosting providers, etc.).
4.2. Insofar as we engage third parties to process data on the basis of a “data processing agreement”, this will occur on the basis of Art. 28 GDPR.

5. Transfers to Third Countries
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or disclose or transmit data to third parties in the context of our engagement of third party services, this will occur only for the purpose of fulfilling (pre-)contractual obligations, on the basis of your consent, where we have a legal obligation to do so or on the basis of our legitimate interests. Subject to legal or contractual authorisation, we will process or have the data processed in a third country only if the special conditions of Art. 44 ff. GDPR are fulfilled. This might, for example, include the processing of data on the basis of special guarantees, such as an established level of data protection that corresponds to that required by the EU (e.g. “Privacy Shield” for the USA) or the observation of officially recognised special contractual obligations (so-called “standard contractual clauses”).

6. Rights of Data Subjects
6.1. In accordance with Art. 15 GDPR, you have the right to ask for confirmation as to whether particular data is being processed and to receive information about this data; you also have the right to receive further information and a copy of the data.
6.2. In accordance with Art. 16 GDPR, you have the right to have incomplete personal data completed or to obtain rectification of inaccurate personal data about your person.
6.3. In accordance with Art. 17 GDPR, you have the right to request that data about you is deleted immediately or, alternatively, to request that the processing of this data is restricted in accordance with Art. 18 GDPR.
6.4. You have the right to request to receive, in a structured, commonly-used and machine-readable format, the data which concerns you and has been provided by you to us, and to request that this data be transmitted to another data controller.
6.5. In accordance with Art. 77 GDPR, you also have the right to submit a complaint to the relevant supervisory authority.

7. Right of Revocation
In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent for the processing of data at any time with future effect.

8. Right to Object
In accordance with Art. 21 GDPR, you can object to the future processing of your data at any time. This objection may, in particular, be made against processing for direct advertising purposes.

9. Cookies and Right to Object to Direct Advertising
We make use of temporary and permanent cookies, which are small text files that are stored on Users’ devices. The cookies are used partially for security purposes, for the operation of our Online Offering (e.g. for displaying the website) or to save a User’s decision when they are asked to confirm the use of cookies via the cookie banner. In addition, we and/or our technology partners use cookies for measuring our advertising reach and for other marketing purposes, which you can read about in the various sections of this Data Privacy Statement. The US website http://www.aboutads.info/choices/ and the EU website http://www.youronlinechoices.com/ explain how you can object in general to the use of cookies for online marketing purposes, particularly for the use of tracking. The storage of cookies can also be prevented by deactivating the relevant setting in your browser. Please note that if you choose to do so, you may not be able to use all features of our Online Offering.

10. Deletion of Data
The data processed by us is deleted or its processing restricted according to the provisions of Art. 17 and 18 GDPR. Insofar as nothing to the contrary has been explicitly specified in this Data Privacy Statement, data stored by us is deleted as soon as it is no longer needed for its intended purpose and if its deletion does not contravene statutory retention requirements. Insofar as the data is not deleted on account of being needed for other, legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for any other purposes. Among other things, this applies to data that is required to be retained for reasons under commercial and tax law.
10.1. Germany: In accordance with statutory requirements, data falling under § 257 (1) of the German Commercial Code (trading books, inventories, opening balance sheets, annual accounts, business correspondence, accounting records, etc.) will be stored for 6 years, while data falling under § 147 (1) of the German Fiscal Code (accounts, records, management reports, accounting records, commercial and business correspondence, documents relevant for taxation, etc.) will be stored for 10 years.
10.2. Austria: In accordance with statutory requirements, data falling under § 132 (1) of the Austrian Federal Fiscal Code (accounting documents, receipts and invoices, accounts, supporting documents, commercial documents, statements of income and expenditure) will be stored for 7 years, while data pertaining to real property will be stored for 22 years. Data pertaining to the provision of electronically rendered, telecommunication, radio and TV services to non-commercial entities in EU countries for which the EU VAT Mini One Stop Shop (MOSS) scheme has been invoked will be stored for 10 years.

11. Provision of Contractual Services
11.1. We process existing personal data (e.g., names, addresses and contact information of users) and contractual data (e.g., services used, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 (1) lit. b GDPR. The fields marked as mandatory in online forms are required for the conclusion of a contract.
11.2. Users have the option of creating a user account. This serves, in particular, to enable them to view their orders. Mandatory information about the creation of a user account will be disclosed to users as part of the registration process. These user accounts are not public and cannot be indexed by search engines. If a User has cancelled their user account, any data held in relation to the user account will be deleted, unless it is required to be retained for commercial or tax law reasons in accordance with Art. 6 (1) lit. c GDPR. In the case of cancellation, it is the responsibility of Users to back up their data prior to the end of the contract. We are entitled to permanently delete all user data stored during the term of the contract.
11.3. Whenever a User registers for, signs into or uses our online services, we store the IP address and the time of the respective user action. This storage takes place on the basis of our and the User’s legitimate interests in preventing misuse and other unauthorised use. No transfer of this data to third parties takes place, unless it is necessary for the assertion of claims or a legal obligation exists in accordance with Art. 6 (1) lit. c GDPR.
11.4. We process usage data (e.g. visited pages of our Online Offering, interest in our products) and content data (e.g. entries in contact forms or user profiles) for advertising purposes in the form of a user profile to enable us to (e.g.) display product information to a User based on their previously used services.
11.5. Deletion takes place following the expiry of the statutory warranty period and other comparable obligations. Every three years, a review is carried out as to whether certain data is still required to be stored. Where statutory archiving obligations exist, data will be deleted after the expiry of the retention periods set forth under commercial law (6 years) and tax law (10 years). Information held in connection with the customer account will remain in place until its deletion.

12. Establishment of Contact
12.1. When a User establishes contact with us (via contact form or email), the User’s details are processed in accordance with Art. 6 (1) lit. b GDPR for the purpose of handling the contact request.
12.2. The User’s details may be stored in our customer relationship management system (“CRM System”) or in a similar system for the management of inquiries.
12.3. We delete contact requests and inquiries at such time as they are no longer required. Every three years, a review is carried out as to whether certain data is still required to be stored. Inquiries from customers who hold a customer account are stored permanently and will only be deleted if the customer account details are also deleted. Where statutory archiving obligations exist, data will be deleted after the expiry of the retention periods set forth under commercial law (6 years) and tax law (10 years).

13. Comments and Posts
13.1. If Users upload comments or other posts, their IP addresses are stored for 7 days on the basis of our legitimate interests within the meaning of Art. 6 (1) lit. f GDPR.
13.2. This is for our own security, in case a User includes illegal content in their comment or post (offensive statements, prohibited political propaganda, etc.). In this case, we ourselves can be prosecuted for the comment or post and have a legitimate interest in the identity of the author.

14. Akismet Anti-Spam Check
Our Online Offering uses the “Akismet” service provided by Automattic, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA. This use is based on our legitimate interests within the meaning of Art. 6 (1) lit. f GDPR. This service helps to distinguish the comments of real people from spam comments. All comment information is sent to a server in the US, where it is analysed and stored for four days for comparison purposes. If a comment has been classified as spam, the data will be stored beyond that period. This information includes the name entered, the email address, the IP address, the comment content, the referrer, details of the browser used, the computer system and the time of the post.
Automattic is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active).
For more information about the collection and use of data by Akismet, please refer to the Automattic Privacy Notice: https://automattic.com/privacy/.
Users are welcome to use pseudonyms or to decline the option of entering their name or email address. Furthermore, it is possible for them to completely prevent the transfer of data by refraining from using our commenting system. This would be a shame; however, unfortunately, we do not currently see any equally effective alternatives.

15. Collection of Access Data and Log Files
15.1. On the basis of our legitimate interests within the meaning of Art. 6 (1) lit. f GDPR, we collect data about every instance of access to the server on which this service is located (“server log files”). Access data includes the name of the webpage being accessed, the file, the date and time of access, the volume of data transmitted, the notification of successful access, the browser type and version, the User’s operating system, the referring URL (previously visited webpage), the IP address and the provider issuing the request.
15.2. Log file information is stored for a maximum of seven days for security purposes (e.g. to clarify any issues relating to misuse or fraud prevention) and will then be deleted. Data whose further storage is required for evidentiary purposes will be exempt from deletion until such time as the respective incident has been brought to a conclusion.

16. Online Profiles on Social Media Websites
16.1. On the basis of our legitimate interests within the meaning of Art. 6 (1) lit. f GDPR, we maintain online profiles within social networks and platforms. This allows us to communicate with customers, prospective customers and users and to tell them about our services. When you access these networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
16.2. Unless otherwise stated in this Privacy Statement, we process Users’ data in all instances in which they communicate with us within social networks and platforms, e.g. by writing posts on our online profiles or sending us messages.

17. Cookies & Tracking of Advertising Reach
17.1. Cookies are a form of information that is transmitted to the web browsers of Users by our web server or by the web servers of third parties and stored there in order to be accessed at a later date. Cookies can take the form of small files or other means of storing information.
17.2. We use “session cookies”, which are stored only for the duration of a User’s current visit to our website (e.g. to enable the storage of their login status or the contents of their shopping cart and thus to allow our Online Offering to be used for its intended purpose). A session cookie stores a randomly generated unique identification number known as a “session ID”. In addition, a cookie contains information about its origin and storage period. These cookies cannot save any other data. Session cookies will be deleted once a User has finished using our Online Offering and logged out of or closed the browser.
17.3. The use of cookies in the context of the pseudonymous tracking of advertising reach is described in the various sections of this Data Privacy Statement.
17.4. If you do not wish cookies to be stored on your computer, you can disable the relevant option in your browser settings. Stored cookies can also be deleted in the browser settings. The blocking of cookies can lead to functional restrictions in this Online Offering.
17.5. You may object to the use of cookies for measurement of advertising reach and promotional purposes via the opt-out page of the Network Advertising Initiative’s website (http://optout.networkadvertising.org/), the US website (http://www.aboutads.info/choices) or the EU website (http://www.youronlinechoices.com/uk/your-ad-choices/).

18. Google Analytics
18.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we use Google Analytics, a web analytics service from Google LLC (“Google”). Google uses cookies. Cookie-generated information about your use of our Online Offering is generally transmitted to a Google server in the USA and stored there.
18.2. Google is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google uses this information on our behalf to evaluate the use of our Online Offering by Users, to compile reports on activity within this Online Offering and to provide us with other services related to the use of this Online Offering and internet usage. As part of this process, pseudonymous usage profiles can be created for Users on the basis of the processed data.
18.4. We use Google Analytics to ensure that adverts delivered by the advertising services of Google and its partners are displayed only to users who have shown an interest in our Online Offering or who have exhibited some or all of the user characteristics (e.g. an interest in specific topics or products, as determined by their visited websites) submitted to Google by us (“remarketing” or “Google Analytics Audiences”). We also use Remarketing Audiences to ensure that our ads are in line with the potential interest of users and are not perceived as annoying.
18.5. We only use Google Analytics with IP anonymisation. This means that the IP addresses of users are truncated by Google within Member States of the European Union or other Contracting States to the Agreement on the European Economic Area. Only in exceptional cases will a full IP address be sent to a Google server in the US and truncated there.
18.6. The IP address transmitted by the User’s browser will not be held in connection with other data provided by Google. Users can prevent the storage of cookies by adjusting their browser software accordingly. Users may also prevent Google from collecting and processing cookie-generated data related to their use of the Online Offering by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en
18.7. Further information on the use of data by Google and your options for controlling and objecting to this use of data is provided by Google under the following links: https://policies.google.com/technologies/partner-sites?hl=en (“How Google uses information from sites or apps that use our services”), https://policies.google.com/technologies/ads (“How Google uses cookies in advertising”) and https://adssettings.google.com/authenticated (“Control the information Google uses to show you ads”).
18.8. In all other cases, personal data is anonymised or deleted after a period of 14 months.

19. Google (Re-)Marketing Services
19.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we use the marketing and remarketing services (“Google Marketing Services”) of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
19.2. Google is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
19.3. Google Marketing Services allows us to better target advertisements for and on our website such that we only present users with ads that potentially match their interests. If a user is shown ads for products they’ve displayed interest in on other websites, this is called “remarketing”. For this purpose, a Google code is executed directly by Google whenever our website or other websites on which Google Marketing Services are used are accessed, and (re-)marketing tags (invisible graphics or code, also called “web beacons”) are incorporated into the website. These beacons cause an individual cookie (a small file) to be saved on the user’s device (similar technologies can sometimes be used instead of cookies). The cookies can be set by different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. The file records which web pages the user has visited, what content they are interested in and which offers they have clicked. It also records technical information about the browser and operating system, IP address, referring web page, time of visit and other information about the use of the Online Offering. Within the framework of our use of Google Analytics, the IP address is generally truncated within Member States of the European Union or other Contracting States to the Agreement on the European Economic Area; only in exceptional cases will it be transmitted to a Google server in the US and truncated there. The IP address will never be linked with data about the user that is stored by other Google products and services; however, Google may link the other above-mentioned information with similar information from other sources. When the user then goes on to visit other websites, they will be shown ads that are tailored to their interests.
19.4. Within the framework of Google Marketing Services, user data is processed in a pseudonymised form. This means that Google does not store and process (e.g.) the name or email addresses of users, but rather processes the relevant data in pseudonymous user profiles in connection with the respective cookie. From Google’s perspective, therefore, ads are not managed for and displayed to a specifically identifiable person, but rather to the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly given their consent for Google to process the data in a non-pseudonymised form. Information collected about users through Google Marketing Services is transmitted to Google and stored on Google’s servers in the United States.
19.5. One of the Google Marketing Services we use is the online advertising program “Google AdWords”. Each AdWords customer receives a different “conversion cookie”, which means that cookies cannot be tracked across the websites of different AdWords advertisers. The information collected through the cookie is used to generate conversion statistics for AdWords advertisers who have chosen to carry out conversion tracking. Advertisers see the total number of users who clicked on their ad and were redirected to a page containing a conversion tracking tag, but do not receive any information that personally identifies users.
19.6. We may choose to integrate third-party ads on the basis of Google’s “DoubleClick” marketing service. DoubleClick uses cookies that enable Google and its partner websites to deliver ads based on users’ visits to this website or other websites on the internet.
19.7. We may choose to integrate third-party ads on the basis of Google’s “AdSense” marketing service. AdSense uses cookies that enable Google and its partner websites to deliver ads based on users’ visits to this website or other websites on the Internet.
19.8. We may make use of the service “Google Optimizer”. Google Optimizer enables us to use A/B testing to understand how various changes (e.g. changes to the input text fields, design, etc.) can affect our website. Cookies are stored on users’ devices for this purpose. User data will be processed in a pseudonymous fashion.
19.9. In addition, we may use the “Google Tag Manager” to integrate and manage the Google Analytics and Google Marketing Services on our website.
19.10. For more information about how Google uses data for marketing purposes, please visit the overview page at https://policies.google.com/technologies/ads. Google’s Privacy Policy can be accessed at https://policies.google.com/privacy.
19.11. If you wish to opt-out of interest-based advertising via Google Marketing Services, you can take advantage of Google’s authorisation and opt-out options: https://adssettings.google.com/authenticated.

20. Facebook, Custom Audiences and Facebook Marketing Services
20.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we use the “Facebook pixel” provided by the social network Facebook. This is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”).
20.2. Facebook is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
20.3. The Facebook pixel enables Facebook to identify visitors to our Online Offering as a target audience for displaying ads (“Facebook ads”). Accordingly, we use the Facebook pixel to enable us to display our Facebook ads only to those Facebook users who have demonstrated an interest in our Online Offering or exhibit the specific characteristics (e.g. interests in specific topics or products, as determined by the websites they visit) that we have transmitted to Facebook (“Custom Audiences”). In addition, we use the Facebook pixel to ensure that our Facebook ads correspond to the potential interests of the respective user and are not perceived as bothersome or annoying. Finally, we use the Facebook pixel to review the effectiveness of Facebook ads for statistical and market research purposes, which we do by monitoring whether users have been referred to our website by clicking on a Facebook ad (“conversion”).

21. Facebook Social Plugins
21.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we use social plugins (“plugins”) from the social network facebook.com, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are located in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). These plugins may take the form of interactive elements or content (e.g. videos, graphics or texts) and can be identified by means of the Facebook logo (white “f” on a blue tile), the word “Like”, a “thumbs-up” symbol or the supplementary text “Facebook Social Plugin”. A list of Facebook social plugins and what they look like can be viewed here: https://developers.facebook.com/docs/plugins/.
21.2. Facebook is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
21.3. When a user accesses a function of this Online Offering containing such a plugin, their device establishes a direct connection to Facebook’s servers. The content of the plugin is transmitted directly from Facebook to the user’s device and is integrated into the Online Offering by the device. As part of this process, the processed data can then be used to create a user profile for the user. As such, we have no influence on the scope of the data collected by Facebook using the plugin and can only provide information to our users according to the best of our knowledge.
21.4. As a result of the plugin, Facebook receives the information that a user has accessed that particular page of the Online Offering. If the user is logged into Facebook at the time, Facebook can assign their visit to their user account. If a user interacts with the plugins – for example, by pressing the Like button or leaving a comment – the information is transmitted directly from their device to Facebook and stored there. If the user is not a member of Facebook, there is still the possibility that Facebook will discover and store their IP address. According to information provided by Facebook, IP addresses are only stored in Germany in an anonymised form.
21.5. Information regarding the purpose and scope of data collection and the further processing and use of the data by Facebook can be found in Facebook’s Privacy Policy, as can the rights and options of the user for protecting their privacy: https://www.facebook.com/about/privacy/.
21.6. If a user is a member of Facebook and does not wish Facebook to collect data about them via our Online Offering and link it to their user data on Facebook, they must log out of Facebook and delete their cookies before visiting our Online Offering. Other settings and objections related to the use of data for advertising purposes can be adjusted within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or, alternatively, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. These settings are platform-independent, which means that they are applied across all devices, including desktop computers and mobile devices. The information collected by Facebook can include the websites the user searches for, what information they are interested in and which offers they have clicked. It also records technical information about the browser, operating system, referring website, time of visit and other details about the use of the Online Offering.

22. Jetpack (WordPress Stats)
22.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we use the plugin Jetpack (specifically, the sub-function “WordPress Stats”), which includes a tool for the statistical evaluation of visitor access. It is operated by Automattic, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA. Jetpack uses “cookies”: text files that are stored on the user’s computer and enable us to conduct analyses of user behaviour.
22.2. Automattic is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active).
22.3. Cookie-generated information about visitors’ use of this Online Offering is transferred to a server in the USA and stored there. The processed data can be used to create user profiles, which are used solely for analysis purposes, not for advertising. Further information can be found in the Automattic Privacy Policy: https://automattic.com/privacy/ and on the Jetpack cookie information page: https://jetpack.com/support/cookies/.

23. Criteo
23.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we use the services of the provider Criteo GmbH, Gewürzmühlstr. 11, 80538 Munich, Germany.
23.2. Criteo services allow us to better target advertisements for and on our website such that we only present users with ads that potentially match their interests. If a user is shown ads for products they’ve displayed interest in on other websites, this is called “remarketing”. For this purpose, a Criteo code is executed directly by Criteo whenever our website or other websites on which Criteo is used are accessed, and (re-)marketing tags (invisible graphics or code, also called “web beacons”) are incorporated into the website. These beacons cause an individual cookie (a small file) to be saved on the user’s device (note that similar technologies can sometimes be used instead of cookies). The cookies can be set by different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. The file records which web pages the user has visited, what content they are interested in and which offers they have clicked. It also records technical information about the browser and operating system, referring web page, time of visit and other information on the use of the Online Offering. Criteo may also link the other above-mentioned information with similar information from other sources. When the user then goes on to visit other websites, they will be shown ads that are tailored to their interests.
23.3. Further information and ways of objecting to the collection of data by Criteo can be found in the Criteo Privacy Policy: http://www.criteo.com/de/privacy/.

24. Amazon Partner Programme
24.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we participate in the partner programme of Amazon EU, which was designed as a medium for websites to earn advertising fees by placing adverts and links to Amazon.de. Amazon uses cookies to track the origin of orders. Among other things, this allows Amazon to see that you have clicked the partner link on this website.
24.2. Further information on the use of data by Amazon can be found in the Amazon Privacy Policy: http://www.amazon.de/gp/help/customer/display.html/ref=footer_privacy?ie=UTF8&nodeId=3312401.

25. Newsletter
25.1. The following section contains information about the contents of our newsletter and the associated signup, delivery and statistical evaluation processes. It also contains information about your right to object. By subscribing to our newsletter, you agree to receive it and to the processes described.
25.2. Content of the newsletter: We send newsletters, emails and other electronic communications containing advertising information (hereinafter “newsletter/s”) only with the consent of the recipient or on the basis of legal authorisation. Insofar as the contents of the newsletter are described in detail as part of the signup process, they are to be assumed as the basis for granting consent. Our newsletters also contain information about our products, offers, campaigns and our company.
25.3. Double opt-in and logging: Signup for our newsletter takes place as part of a so-called “double opt-in procedure”. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary to prevent people registering with a third party email address. The signup procedure for the newsletter will be logged in order to prove that it occurred according to legal requirements. This includes storage of the signup and confirmation time and the IP address. Similarly, we will also log changes to any data concerning you that is stored with the delivery service provider.
25.4. Delivery service provider: The newsletter is dispatched by “MailChimp”, a newsletter sending platform from the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The data privacy regulations of the platform can be viewed here: https://mailchimp.com/legal/privacy/. Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
25.5. Furthermore, according to information supplied by the delivery service provider, it may transmit this data in pseudonymised form (that is, without assigning it to a particular user) for the purpose of optimising or improving its own services, e.g. for optimising the sending and presentation of the newsletter or for statistical purposes, to determine which countries the recipients come from. However, the delivery service provider does not use the data of newsletter recipients to contact them directly or to pass this data on to third parties.
25.6. Registration data: An email address is sufficient to register for the newsletter.
25.7. Performance measurement – Our newsletters contain what are known as “web beacons”: pixel-sized files that are retrieved by the delivery service provider’s server when the newsletter is opened. Some technical information is collected as part of this process, including information about your browser, operating system, IP address and the time of retrieval. This information is used to improve the technical performance of services based on technical data or on the audience and their reading habits, the latter of which can be determined based on the location of retrieval (determined using the IP address) or the access time. The purpose of these statistical evaluations is to determine (e.g.) if the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients; however, neither we nor the delivery service provider has any interest in monitoring individual users. Rather, the evaluations help us to recognise the reading habits of our users and to adapt our content to them, or to send different content according to their interests.
25.8. Germany: The sending of the newsletter and the measurement of newsletter performance occur based on the recipient’s consent pursuant to Art. 6 para. 1 lit. a, Art. 7 General Data Protection Regulation in conjunction with § 7 para. 2 no. 3 UWG (German Act Against Unfair Competition) and on the basis of legal authorisation pursuant to § 7 para. 3 UWG.
25.9. Austria: The sending of the newsletter and the measurement of newsletter performance occur on the basis of the recipient’s consent pursuant to Art. 6 para. 1 lit. a, Art. 7 General Data Protection Regulation in conjunction with § 107 para. 2 TKG (Austrian Telecommunications Act) and on the basis of legal authorisation pursuant to § 107 para. 2 & 3 TKG.
25.10. The logging of the signup process is based on our legitimate interests in accordance with Art. 6 para. 1 lit. f General Data Protection Regulation and serves as proof of consent to the receipt of the newsletter.
25.11. Cancellation/Revocation – Newsletter recipients may cancel the receipt of the newsletter at any time (revoke their consent). An unsubscribe link is located at the end of each newsletter. Unsubscribing also revokes the user’s consent for performance measurement. Unfortunately, it is not possible to issue a separate revocation of consent for performance measurement; to do this, the entire newsletter subscription must be cancelled. Unsubscribing from the newsletter will also cause the user’s personal data to be deleted, unless its retention is legally required or justified, in which case the processing of this data will be limited only to exceptional circumstances. In particular, we may choose to store email addresses for up to three years prior to deletion based on our legitimate interest in being able to provide evidence of prior consent. The processing of this data will be limited to the purpose of any possible defence against legal claims. An individual request for deletion may be made at any time, provided that the former existence of consent is confirmed along with it.

26. Integration of the Services and Content of Third Parties
26.1. On the basis of our legitimate interests (e.g. in the interest of the analysis, optimisation and commercial operation of our Online Offering within the meaning of Art. 6 (1) lit. f GDPR), we integrate the content and service offerings of third party providers (e.g. videos and fonts, hereinafter collectively referred to as “content”) into our Online Offering. This requires that the third-party providers of this content have access to the IP addresses of our users, since otherwise, they would not be able to send this content to their browsers. We endeavour only to use content whereby the respective provider uses the IP address solely for the delivery of this content. Third parties may also use “pixel tags” (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. These pixel tags can be used to evaluate information such as visitor traffic on this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain information including but not limited to technical information about the browser and operating system, referring web page, time of visit and other information regarding the use of our Online Offering; it may also be linked with similar information from other sources.
26.2. The following provides an overview of third-party providers, their content and links to their data privacy policies. These policies contain further information on the processing of data and ways in which the user can object to this processing (“opt-out”), some of which have already been covered here:

• If our customers use the payment services of third party providers (e.g. PayPal or immediate transfer), the terms and conditions and privacy policies of the respective third party providers (which can be accessed via the respective websites or transaction applications) apply.
• External fonts by Google, LLC., https://www.google.com/fonts (“Google Fonts”). The integration of Google fonts occurs via a server call to Google (usually in the US). Data privacy policy: https://policies.google.com/privacy; opt-out: https://adssettings.google.com/authenticated.
• Maps are provided by the service “Google Maps”, operated by the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
• Videos on the “YouTube” platform are provided by the third-party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.
• Functions of the Google+ service may be integrated into our Online Offering. These functions are provided by the third party provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you are logged in to your Google+ account, you can link the content of our web pages to your Google+ profile by clicking the Google+ button. This allows Google to link your visit to our website with your user account. Please note that as the provider of the website, we are not aware of the content of the transmitted data and its use by Google+. Data privacy policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.
• Functions of the Instagram service may be integrated into our Online Offering. These functions are provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged in to your Instagram account, you can link the content of our web pages to your Instagram profile by clicking the Instagram button. This allows Instagram to link your visit to our website with your user account. Please note that as the provider of the website, we are not aware of the content of the transmitted data and its use by Instagram. Data privacy policy: http://instagram.com/about/legal/privacy/.
• Functions of the Twitter service and platform (hereinafter “Twitter”) may be integrated into our Online Offering. Twitter is provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Functions include the displaying of Twitter posts within our Online Offering, the linking of our Online Offering to our profile on Twitter and the ability to interact with Twitter posts and features. It also includes the ability to measure whether users are reaching our Online Offering via the adverts we post on Twitter (“conversion tracking”). Twitter is certified under the Privacy Shield agreement, which means that it offers a guarantee of adherence to European data privacy law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Data privacy policy: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization.
• Web analytics and optimisation using the Hotjar service, operated by the third-party provider Hotjar Ltd, Level 2, St Julian’s Business Center, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta, Europe. Hotjar allows the tracing of activity on websites where Hotjar has been activated (“heat maps”). For example, website operators can see how far users are scrolling, which buttons users click and how often they click them. Technical data such as selected language, system, screen resolution and browser type are also recorded. This can facilitate the creation of user profiles, at least on a temporary basis (during their visit to the website). Furthermore, it is also possible to use Hotjar to obtain feedback directly from users of the website. This allows us to obtain valuable information to make our website faster and more customer-friendly. Data privacy policy: https://www.hotjar.com/privacy, opt-out: https://www.hotjar.com/opt-out.
• Code for the JavaScript framework “jQuery” has been provided by the third-party provider jQuery Foundation, https://jquery.org.