Privacy Policy
www.zimtundgruen.com
We are pleased
that you are visiting our website and thank you for your interest.
In the following
we inform you about the handling of your personal data when using our website.
Personal data is all data with which you can be personally identified.
The person
responsible for data processing on this website within the meaning of the
General Data Protection Regulation (GDPR) is R. Elena Hindrichs, Am Mühlenberg 35,
Telephone : +49 1627782047, e-mail: info@zimtundgruen.com . The person
responsible for the processing of personal data is the natural or legal person
who alone or jointly with others decides on the purposes and means of the
processing of personal data.
For security
reasons and to protect the transmission of personal data and other confidential
content (e.g. orders or inquiries to the person responsible), this website uses
SSL Encryption enabled (Let's Encrypt). You can recognize an encrypted
connection by the character string "https://" and the lock symbol in
your browser line.
As the
controller, the zimt&grün GmBh has implemented numerous technical and
organizational measures to ensure the most complete protection of personal data
processed through this website.
If you only use
our website for informational purposes, i.e. if you do not register or
otherwise provide us with information, we only collect data that your browser
transmits to our server (so-called "server log files"). When you
visit our website, we collect the following data that is technically necessary
for us to display the website to you: our visited website; Date and time at the
time of access; Amount of data sent in bytes; Source/reference from which you
came to the page; Browser used; Operating system used; IP address used (if
necessary: in anonymous form)
The processing
takes place in accordance with Article 6 Paragraph 1 Letter f GDPR on the basis
of our legitimate interest in improving the stability and functionality of our
website.
The data will
not be passed on or used in any other way. However, we reserve the right to
subsequently check the server log files if there are concrete indications of
illegal use.
1.
Definitions
The data
protection declaration of the zimt&grün GmBh is based on the terms used by
the European legislator for the adoption of the General Data Protection
Regulation (GDPR). Our data protection declaration should be legible and
understandable for the general public, as well as our customers and business
partners. To ensure this, we would like to first explain the terminology used.
In this data
protection declaration, we use, inter alia, the following terms:
a)Personal
data: Personal data means any information relating
to an identified or identifiable natural person (“data subject”). An
identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural
or social identity of that natural person.
b)Data
subject: Data subject is any identified or
identifiable natural person, whose personal data is processed by the controller
responsible for the processing.
c)Processing: Processing is any operation or set of operations which is performed
on personal data or on sets of personal data, whether or not by automated
means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
d)Restriction
of processing: Restriction of processing is the
marking of stored personal data with the aim of limiting their processing in
the future.
e)Profiling: Profiling means any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal aspects
relating to a natural person, in particular to analyse or predict aspects
concerning that natural person's performance at work, economic situation,
health, personal preferences, interests, reliability, behaviour, location or
movements.
f)Pseudonymisation: Pseudonymisation is the processing of personal data in such a
manner that the personal data can no longer be attributed to a specific data
subject without the use of additional information, provided that such
additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are not attributed to
an identified or identifiable natural person.
g)Controller
or controller responsible for the processing: Controller
or controller responsible for the processing is the natural or legal person,
public authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal data; where the
purposes and means of such processing are determined by Union or Member State
law, the controller or the specific criteria for its nomination may be provided
for by Union or Member State law.
h)Processor: Processor is a natural or legal person, public authority, agency or
other body which processes personal data on behalf of the controller.
i) Recipient: Recipient is a natural or legal person, public authority, agency or
another body, to which the personal data are disclosed, whether a third party
or not. However, public authorities which may receive personal data in the
framework of a particular inquiry in accordance with Union or Member State law
shall not be regarded as recipients; the processing of those data by those
public authorities shall be in compliance with the applicable data protection
rules according to the purposes of the processing.
j)Third party: Third party is a natural or legal person, public authority, agency
or body other than the data subject, controller, processor and persons who,
under the direct authority of the controller or processor, are authorised to
process personal data.
k)Consent: Consent of the data subject is any freely given, specific, informed
and unambiguous indication of the data subject's wishes by which he or she, by
a statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.
2. Name and
Address of the controller
Controller for
the purposes of the General Data Protection Regulation (GDPR), other data
protection laws applicable in Member states of the European Union and other
provisions related to data protection is:
zimt&grün GmBh Am Muehlenberg 35, 33619 Bielefeld, Deutschland, Mobile Phone:
+49 162 7782047
E-mail: info@zimtundgruen.com Website: www.zimtundgruen.com
3. Cookies
In order to make
visiting our website attractive and to enable the use of certain functions, we
use so-called cookies on various pages.
This is Installed on the website
but not in front of page, it's possible to navigate and click through the
website ignoring the cookie consent tool.
These are small
text files that are stored on your end device. Some of the cookies we use are
deleted after the end of the browser session, i.e., after closing your browser
(so-called session cookies). Other cookies remain on your end device and enable
your browser to be recognized the next time you visit (so-called persistent
cookies). If cookies are set, they collect and process certain user information
such as browser and location data as well as IP address values to an individual
extent. Persistent cookies are automatically deleted after a specified period,
which can vary depending on the cookie. The duration of the respective cookie
storage can be found in the overview of the cookie settings in your web
browser.
In some cases,
cookies are used to simplify the ordering process by saving settings (e.g.
remembering the contents of a virtual shopping cart for a later visit to the
website). If individual cookies used by us also process personal data, the
processing takes place in accordance with Article 6 (1) (b) GDPR either for the
execution of the contract, in accordance with Article 6 (1) (a) GDPR in the
event that consent has been given or in accordance with Art. 6 (1) (f) GDPR to
protect our legitimate interests in the best possible functionality of the
website and a customer-friendly and effective design of the site visit.
Please note that
you can set your browser so that you are informed about the setting of cookies
and can decide individually whether to accept them or exclude the acceptance of
cookies for certain cases or in general. Each browser differs in the way it
manages cookie settings. This is described in the help menu of each browser,
which explains how you can change your cookie settings. These can be found for the
respective browsers under the following links:
Internet Explorer:
https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
Firefox:
https://support.mozilla.org/de/kb/cookies-allow-and-reject
Chrome:
https://support.google.com/chrome/answer/95647?hl=de&hlrm=en
Safari:
https://support.apple.com/de-de/guide/safari/sfri11471/mac
Opera: https://help.opera.com/de/latest/web-preferences/#cookies
4.) Hosting
Hosted by Open Cart
We use the shop
system of the service provider OpenCart which
it s Primary Office : Unit 16, 26/F, Tuen Mun Central Square, 22 Hoi
Wing Road, Tuen Mun, Hong Kong +852 2499, for the purpose of hosting and
displaying the online shop on the basis of a processing on our behalf.
5. ) Registration
on our website
The data subject
has the possibility to register on the website of the controller with the
indication of personal data. Which personal data are transmitted to the
controller is determined by the respective input mask used for the
registration. The personal data entered by the data subject are collected and
stored exclusively for internal use by the controller, and for his own
purposes. The controller may request transfer to one or more processors (e.g.,
a parcel service) that also uses personal data for an internal purpose which is
attributable to the controller.
By registering
on the website of the controller, the IP address—assigned by the Internet
service provider (ISP) and used by the data subject—date, and time of the
registration are also stored. The storage of this data takes place against the
background that this is the only way to prevent the misuse of our services,
and, if necessary, to make it possible to investigate committed offenses.
Insofar, the storage of this data is necessary to secure the controller. This
data is not passed on to third parties unless there is a statutory obligation
to pass on the data, or if the transfer serves the aim of criminal prosecution.
The registration
of the data subject, with the voluntary indication of personal data, is
intended to enable the controller to offer the data subject contents or
services that may only be offered to registered users due to the nature of the
matter in question. Registered persons are free to change the personal data
specified during the registration at any time, or to have them completely
deleted from the data stock of the controller.
The data
controller shall, at any time, provide information upon request to each data
subject as to what personal data are stored about the data subject. In addition,
the data controller shall correct or erase personal data at the request or
indication of the data subject, insofar as there are no statutory storage
obligations. The entirety of the controller’s employees are available to the
data subject in this respect as contact persons.
6.)
Subscription to our newsletters
On the website
of the zimt&grün GmBh, users are given the opportunity to subscribe to our
enterprise's newsletter. The input mask used for this purpose determines what
personal data are transmitted, as well as when the newsletter is ordered from
the controller.
zimt&grün
GmBh informs its customers and business partners regularly by means of a
newsletter about enterprise offers. The enterprise's newsletter may only be
received by the data subject if (1) the data subject has a valid e-mail address
and (2) the data subject registers for the newsletter shipping. A confirmation
e-mail will be sent to the e-mail address registered by a data subject for the
first time for newsletter shipping, for legal reasons, in the double opt-in
procedure. This confirmation e-mail is used to prove whether the owner of the
e-mail address as the data subject is authorized to receive the newsletter.
During the
registration for the newsletter, we also store the IP address of the computer
system assigned by the Internet service provider (ISP) and used by the data
subject at the time of the registration, as well as the date and time of the
registration. The collection of this data is necessary in order to understand
the (possible) misuse of the e-mail address of a data subject at a later date,
and it therefore serves the aim of the legal protection of the controller.
The personal
data collected as part of a registration for the newsletter will only be used
to send our newsletter. In addition, subscribers to the newsletter may be
informed by e-mail, as long as this is necessary for the operation of the
newsletter service or a registration in question, as this could be the case in
the event of modifications to the newsletter offer, or in the event of a change
in technical circumstances. There will be no transfer of personal data
collected by the newsletter service to third parties. The subscription to our
newsletter may be terminated by the data subject at any time. The consent to
the storage of personal data, which the data subject has given for shipping the
newsletter, may be revoked at any time. For the purpose of revocation of
consent, a corresponding link is found in each newsletter. It is also possible
to unsubscribe from the newsletter at any time directly on the website of the
controller, or to communicate this to the controller in a different way.
7.)
Newsletter-Tracking
The newsletter
of the zimt&grün GmBh contains so-called tracking pixels. A tracking pixel
is a miniature graphic embedded in such e-mails, which are sent in HTML format
to enable log file recording and analysis. This allows a statistical analysis
of the success or failure of online marketing campaigns. Based on the embedded
tracking pixel, the zimt&grün GmBh may see if and when an e-mail was opened
by a data subject, and which links in the e-mail were called up by data
subjects.
Such personal
data collected in the tracking pixels contained in the newsletters are stored
and analyzed by the controller in order to optimize the shipping of the
newsletter, as well as to adapt the content of future newsletters even better
to the interests of the data subject. These personal data will not be passed on
to third parties. Data subjects are at any time entitled to revoke the
respective separate declaration of consent issued by means of the double-opt-in
procedure. After a revocation, these personal data will be deleted by the
controller. The zimt&grün GmBh automatically regards a withdrawal from the
receipt of the newsletter as a revocation.
8.) Comments
function in the blog on the website
The
zimt&grün GmBh offers users the possibility to leave individual comments on
individual blog contributions on a blog, which is on the website of the
controller. A blog is a web-based, publicly-accessible portal, through which
one or more people called bloggers or web-bloggers may post articles or write
down thoughts in so-called blogposts. Blogposts may usually be commented by
third parties.
If a data
subject leaves a comment on the blog published on this website, the comments
made by the data subject are also stored and published, as well as information
on the date of the commentary and on the user's (pseudonym) chosen by the data
subject. In addition, the IP address assigned by the Internet service provider
(ISP) to the data subject is also logged. This storage of the IP address takes
place for security reasons, and in case the data subject violates the rights of
third parties, or posts illegal content through a given comment. The storage of
these personal data is, therefore, in the own interest of the data controller,
so that he can exculpate in the event of an infringement. This collected
personal data will not be passed to third parties, unless such a transfer is
required by law or serves the aim of the defense of the data controller.
9. )Routine
erasure and blocking of personal data
The data
controller shall process and store the personal data of the data subject only
for the period necessary to achieve the purpose of storage, or as far as this
is granted by the European legislator or other legislators in laws or
regulations to which the controller is subject to.
If the storage
purpose is not applicable, or if a storage period prescribed by the European
legislator or another competent legislator expires, the personal data are
routinely blocked or erased in accordance with legal requirements.
10.) Use of
payment service providers (payment services)
10.1 Paypal
When paying via
PayPal, credit card via PayPal, direct debit via PayPal or - if offered -
"purchase on account" or "payment by instalments" via
PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie,
S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter
"PayPal"), further. The transfer takes place in accordance with Art.
6 Paragraph 1 lit. b GDPR and only to the extent that this is necessary for
payment processing.
PayPal reserves
the right to carry out a credit check for the payment methods credit card via
PayPal, direct debit via PayPal or - if offered - "purchase on
account" or "payment in instalments" via PayPal. For this
purpose, your payment data may be passed on to credit agencies in accordance
with Article 6 (1) (f) GDPR on the basis of PayPal's legitimate interest in determining
your solvency. PayPal uses the result of the credit check in relation to the
statistical probability of payment default for the purpose of deciding whether
to provide the respective payment method. The credit report can contain
probability values (so-called score values). As far as score values are
included in the result of the credit report, they are based on a scientifically
recognized mathematical-statistical process. Among other things, but not
exclusively, address data is included in the calculation of the score values.
Further data protection information, including information on the credit
agencies used, can be found in PayPal's data protection declaration:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full
You can object
to this processing of your data at any time by sending a message to PayPal.
However, PayPal may still be entitled to process your personal data if this is
necessary for contractual payment processing.
10.2 RIGHT
AWAY /SOFORT BANKING
If you select
the "SOFORT" payment method, payment is processed via the payment
service provider Mollie B.V. Keizersgracht 126, 1015 CW Amsterdam, the
Netherlands (hereinafter "SOFORT"), to whom we pass on the
information you provided during the ordering process together with the
information about your order in accordance with Art. 6 Paragraph 1 lit. b GDPR.
Your data will only be passed on for the purpose of payment processing with the
payment service provider SOFORT and only to the extent that it is necessary for
this. You can find more information about protection regulations at the
following Internet address: https://www.klarna.com/sofort/datenschutz
10.3 GIROPAY
We use as
well the online payment provider giropay
on our website. The service provider is the german company paydirekt GmbH,
Stephanstrasse 14-16, 60313 Frankfurt am Main, Germany.
The payment
works as following: customer chooses his
bank from the list of participating banks. After choosing the bank, the
customer can log in to the online banking environment. In the online banking
environment, the customer checks the pre-filled payment details. If all details
are correct, the customer authorizes the payment. After the authorization, the
customer receives a confirmation, and the product is sent.
You can learn
more about the data processed through the use of giropay in the privacy policy
at: https://www.giropay.de/rechtliches/datenschutzerklaerung/
10.4 BANK
TRANSFER
The payment can
be done as well via bank transfer. The instructions for the payment will be
displayed when you confirm your order. You will need the following information
to complete the bank transfer:
-The amount to
be paid.
-The bank
details of our payment processor.
-Your unique
payment reference number.
Note: Your
unique payment reference number is mandatory. Without it, zimt&grün will
not be able to process your order. These instructions will also be sent to your
primary email address. What happens if I
don't pay for my bank transfer? Nothing. Your order will still have a status of
Pending. Your bank account will not be debited, and your account status will
not be affected in any way.
11. On-line
Marketing
Facebook pixel
for creating custom audiences with advanced data matching (with cookie consent
tool)
Within our
online offer, the so-called "Facebook Pixel" of the social network
Facebook is used in the mode of extended data comparison, which is operated by
Meta Platforms Ireland Limited, 4 Grand Canal Quare, Dublin 2, Ireland
("Facebook").
On the basis of
their express consent, if a user clicks on an advertisement placed by us on
Facebook, the URL of our linked page will be appended by Facebook Pixel. After
forwarding, this URL parameter is then written to the user's browser via
cookie, which our linked page sets itself. In addition, specific customer data
such as the e-mail address, which we collect on our website linked to the
Facebook ad for transactions such as purchases, account logins or
registrations, is recorded by this cookie (extended data comparison). The
cookie is then read by the Facebook pixel and enables the data, including specific
customer data, to be forwarded to Facebook.
With the help of
the Facebook pixel with extended data comparison, Facebook is able to precisely
determine the visitors of our online offer as a target group for the display of
advertisements (so-called "Facebook Ads"). Accordingly, we use the
Facebook pixel with extended data synchronization in order to only display the
Facebook ads we have placed to those Facebook users who have also shown an
interest in our online offer or who have certain characteristics (e.g.
interests in certain topics or products). are determined based on the websites
visited), which we transmit to Facebook (so-called “Custom Audiences”). With
the help of the Facebook pixel with extended data comparison, we also want to
ensure that our Facebook ads correspond to the potential interest of the user
and are not annoying. This allows us to further evaluate the effectiveness of
Facebook ads for statistical and market research purposes by understanding
whether users were redirected to our website after clicking on a Facebook ad
(so-called "conversion"). Compared to the standard version of
Facebook Pixel, the advanced data matching feature helps us to better measure
the effectiveness of our advertising campaigns by recording more attributed conversions.
All transmitted
data is stored and processed by Facebook so that a connection to the respective
user profile is possible and Facebook can use the data for its own advertising
purposes in accordance with the Facebook data usage guidelines (https://www.facebook.com/about/privacy/).
The data can enable Facebook and its partners to place advertisements on and
outside of Facebook.
These processing
operations only take place if you have given your express consent in accordance
with Article 6 (1) (a) GDPR.
Consent to the
use of the Facebook pixel may only be given by users who are older than 16
years of age. If you are younger, we ask that you ask your legal guardian for
permission.
The information
generated by Facebook is usually transmitted to a Facebook server and stored
there. This can also result in transmission to the servers of Meta Platforms
Inc. in the USA. You can revoke your consent at any time with effect for the
future. To exercise your revocation, remove the tick next to the setting for
the “Facebook Pixel” in the “Cookie Consent Tool” integrated on the website.
12. Rights of
the data subject
a) Right of
confirmation
Each data
subject shall have the right granted by the European legislator to obtain from
the controller the confirmation as to whether or not personal data concerning
him or her are being processed. If a data subject wishes to avail himself of
this right of confirmation, he or she may, at any time, contact any employee of
the controller.
b) Right of
access
Each data
subject shall have the right granted by the European legislator to obtain from
the controller free information about his or her personal data stored at any
time and a copy of this information. Furthermore, the European directives and
regulations grant the data subject access to the following information: the
purposes of the processing; the categories of personal data concerned; the
recipients or categories of recipients to whom the personal data have been or
will be disclosed, in particular recipients in third countries or international
organisations; where possible, the envisaged period for which the personal data
will be stored, or, if not possible, the criteria used to determine that
period; the existence of the right to request from the controller rectification
or erasure of personal data, or restriction of processing of personal data
concerning the data subject, or to object to such processing; the existence of
the right to lodge a complaint with a supervisory authority; where the personal
data are not collected from the data subject, any available information as to
their source; the existence of automated decision-making, including profiling,
referred to in Article 22(1) and (4) of the GDPR and, at least in those cases,
meaningful information about the logic involved, as well as the significance
and envisaged consequences of such processing for the data subject.
Furthermore, the
data subject shall have a right to obtain information as to whether personal
data are transferred to a third country or to an international organisation.
Where this is the case, the data subject shall have the right to be informed of
the appropriate safeguards relating to the transfer.
If a data
subject wishes to avail himself of this right of access, he or she may, at any
time, contact any employee of the controller.
c) Right to
rectification
Each data
subject shall have the right granted by the European legislator to obtain from
the controller without undue delay the rectification of inaccurate personal
data concerning him or her. Taking into account the purposes of the processing,
the data subject shall have the right to have incomplete personal data
completed, including by means of providing a supplementary statement.
If a data
subject wishes to exercise this right to rectification, he or she may, at any
time, contact any employee of the controller.
d) Right to
erasure (Right to be forgotten)
Each data
subject shall have the right granted by the European legislator to obtain from
the controller the erasure of personal data concerning him or her without undue
delay, and the controller shall have the obligation to erase personal data
without undue delay where one of the following grounds applies, as long as the
processing is not necessary:
The personal
data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed.
The data subject
withdraws consent to which the processing is based according to point (a) of
Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where
there is no other legal ground for the processing.
The data subject
objects to the processing pursuant to Article 21(1) of the GDPR and there are
no overriding legitimate grounds for the processing, or the data subject
objects to the processing pursuant to Article 21(2) of the GDPR.
The personal
data have been unlawfully processed.
The personal
data must be erased for compliance with a legal obligation in Union or Member
State law to which the controller is subject.
The personal
data have been collected in relation to the offer of information society
services referred to in Article 8(1) of the GDPR.
If one of the
aforementioned reasons applies, and a data subject wishes to request the
erasure of personal data stored by the zimt&grün GmBh, he or she may, at any
time, contact any employee of the controller. An employee of zimt&grün GmBh
shall promptly ensure that the erasure request is complied with immediately.
Where the
controller has made personal data public and is obliged pursuant to Article
17(1) to erase the personal data, the controller, taking account of available
technology and the cost of implementation, shall take reasonable steps,
including technical measures, to inform other controllers processing the
personal data that the data subject has requested erasure by such controllers
of any links to, or copy or replication of, those personal data, as far as
processing is not required. An employees of the zimt&grün GmBh will arrange
the necessary measures in individual cases.
e) Right of
restriction of processing
Each data
subject shall have the right granted by the European legislator to obtain from
the controller restriction of processing where one of the following applies:
The accuracy of
the personal data is contested by the data subject, for a period enabling the
controller to verify the accuracy of the personal data.
The processing
is unlawful and the data subject opposes the erasure of the personal data and
requests instead the restriction of their use instead.
The controller
no longer needs the personal data for the purposes of the processing, but they
are required by the data subject for the establishment, exercise or defence of
legal claims.
The data subject
has objected to processing pursuant to Article 21(1) of the GDPR pending the
verification whether the legitimate grounds of the controller override those of
the data subject.
If one of the
aforementioned conditions is met, and a data subject wishes to request the
restriction of the processing of personal data stored by the zimt&grün
GmBh, he or she may at any time contact any employee of the controller. The
employee of the zimt&grün GmBh will arrange the restriction of the
processing.
f) Right to
data portability
Each data
subject shall have the right granted by the European legislator, to receive the
personal data concerning him or her, which was provided to a controller, in a
structured, commonly used and machine-readable format. He or she shall have the
right to transmit those data to another controller without hindrance from the
controller to which the personal data have been provided, as long as the
processing is based on consent pursuant to point (a) of Article 6(1) of the
GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to
point (b) of Article 6(1) of the GDPR, and the processing is carried out by
automated means, as long as the processing is not necessary for the performance
of a task carried out in the public interest or in the exercise of official
authority vested in the controller.
Furthermore, in
exercising his or her right to data portability pursuant to Article 20(1) of
the GDPR, the data subject shall have the right to have personal data
transmitted directly from one controller to another, where technically feasible
and when doing so does not adversely affect the rights and freedoms of others.
In order to
assert the right to data portability, the data subject may at any time contact
any employee of the zimt&grün GmBh.
g) Right to
object
Each data
subject shall have the right granted by the European legislator to object, on
grounds relating to his or her particular situation, at any time, to processing
of personal data concerning him or her, which is based on point (e) or (f) of
Article 6(1) of the GDPR. This also applies to profiling based on these
provisions.
zimt&grün
GmBh shall no longer process the personal data in the event of the objection,
unless we can demonstrate compelling legitimate grounds for the processing
which override the interests, rights and freedoms of the data subject, or for
the establishment, exercise or defence of legal claims.
If the
zimt&grün GmBh processes personal data for direct marketing purposes, the
data subject shall have the right to object at any time to processing of
personal data concerning him or her for such marketing. This applies to
profiling to the extent that it is related to such direct marketing. If the
data subject objects to the zimt&grün GmBh to the processing for direct
marketing purposes, the zimt&grün GmBh will no longer process the personal
data for these purposes.
In addition, the
data subject has the right, on grounds relating to his or her particular
situation, to object to processing of personal data concerning him or her by
the zimt&grün GmBh for scientific or historical research purposes, or for
statistical purposes pursuant to Article 89(1) of the GDPR, unless the
processing is necessary for the performance of a task carried out for reasons
of public interest.
In order to exercise the right to object, the data subject may contact any employee of the zimt&grün GmBh. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.
h) Automated
individual decision-making, including profiling
Each data
subject shall have the right granted by the European legislator not to be
subject to a decision based solely on automated processing, including
profiling, which produces legal effects concerning him or her, or similarly
significantly affects him or her, as long as the decision (1) is not is
necessary for entering into, or the performance of, a contract between the data
subject and a data controller, or (2) is not authorised by Union or Member
State law to which the controller is subject and which also lays down suitable
measures to safeguard the data subject's rights and freedoms and legitimate
interests, or (3) is not based on the data subject's explicit consent.
If the decision
(1) is necessary for entering into, or the performance of, a contract between
the data subject and a data controller, or (2) it is based on the data
subject's explicit consent, the zimt&grün GmBh shall implement suitable
measures to safeguard the data subject's rights and freedoms and legitimate
interests, at least the right to obtain human intervention on the part of the
controller, to express his or her point of view and contest the decision.
If the data
subject wishes to exercise the rights concerning automated individual
decision-making, he or she may, at any time, contact any employee of the
zimt&grün GmBh.
i) Right to
withdraw data protection consent
Each data
subject shall have the right granted by the European legislator to withdraw his
or her consent to processing of his or her personal data at any time.
If the data
subject wishes to exercise the right to withdraw the consent, he or she may, at
any time, contact any employee of the zimt&grün GmBh.
13. Data
protection provisions about the application and use of Facebook
On this website,
the controller has integrated components of the enterprise Facebook. Facebook
is a social network.
A social network
is a place for social meetings on the Internet, an online community, which
usually allows users to communicate with each other and interact in a virtual
space. A social network may serve as a platform for the exchange of opinions
and experiences, or enable the Internet community to provide personal or
business-related information. Facebook allows social network users to include
the creation of private profiles, upload photos, and network through friend
requests.
The operating
company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025,
United States. If a person lives outside of the United States or Canada, the
controller is the Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal
Harbour, Dublin 2, Ireland.
With each
call-up to one of the individual pages of this Internet website, which is
operated by the controller and into which a Facebook component (Facebook
plug-ins) was integrated, the web browser on the information technology system
of the data subject is automatically prompted to download display of the
corresponding Facebook component from Facebook through the Facebook component.
An overview of all the Facebook Plug-ins may be accessed under
https://developers.facebook.com/docs/plugins/. During the course of this
technical procedure, Facebook is made aware of what specific sub-site of our
website was visited by the data subject.
If the data
subject is logged in at the same time on Facebook, Facebook detects with every
call-up to our website by the data subject—and for the entire duration of their
stay on our Internet site—which specific sub-site of our Internet page was
visited by the data subject. This information is collected through the Facebook
component and associated with the respective Facebook account of the data
subject. If the data subject clicks on one of the Facebook buttons integrated
into our website, e.g. the "Like" button, or if the data subject submits
a comment, then Facebook matches this information with the personal Facebook
user account of the data subject and stores the personal data.
Facebook always
receives, through the Facebook component, information about a visit to our
website by the data subject, whenever the data subject is logged in at the same
time on Facebook during the time of the call-up to our website. This occurs
regardless of whether the data subject clicks on the Facebook component or not.
If such a transmission of information to Facebook is not desirable for the data
subject, then he or she may prevent this by logging off from their Facebook
account before a call-up to our website is made.
The data
protection guideline published by Facebook, which is available at
https://facebook.com/about/privacy/, provides information about the collection,
processing and use of personal data by Facebook. In addition, it is explained
there what setting options Facebook offers to protect the privacy of the data
subject. In addition, different configuration options are made available to
allow the elimination of data transmission to Facebook. These applications may
be used by the data subject to eliminate a data transmission to Facebook.
14. Data
protection provisions about the application and use of Google Analytics (with
anonymization function)
On this website,
the controller has integrated the component of Google Analytics (with the
anonymizer function). Google Analytics is a web analytics service. Web
analytics is the collection, gathering, and analysis of data about the behavior
of visitors to websites. A web analysis service collects, inter alia, data
about the website from which a person has come (the so-called referrer), which
sub-pages were visited, or how often and for what duration a sub-page was
viewed. Web analytics are mainly used for the optimization of a website and in
order to carry out a cost-benefit analysis of Internet advertising.
The operator of
the Google Analytics component is Google Ireland Limited, Gordon House, Barrow
Street, Dublin, D04 E5W5, Ireland.
For the web
analytics through Google Analytics the controller uses the application
"_gat. _anonymizeIp". By means of this application the IP address of
the Internet connection of the data subject is abridged by Google and
anonymised when accessing our websites from a Member State of the European
Union or another Contracting State to the Agreement on the European Economic Area.
The purpose of
the Google Analytics component is to analyze the traffic on our website. Google
uses the collected data and information, inter alia, to evaluate the use of our
website and to provide online reports, which show the activities on our websites,
and to provide other services concerning the use of our Internet site for us.
Google Analytics
places a cookie on the information technology system of the data subject. The
definition of cookies is explained above. With the setting of the cookie, Google
is enabled to analyze the use of our website. With each call-up to one of the
individual pages of this Internet site, which is operated by the controller and
into which a Google Analytics component was integrated, the Internet browser on
the information technology system of the data subject will automatically submit
data through the Google Analytics component for the purpose of online
advertising and the settlement of commissions to Google. During the course of
this technical procedure, the enterprise Google gains knowledge of personal
information, such as the IP address of the data subject, which serves Google,
inter alia, to understand the origin of visitors and clicks, and subsequently
create commission settlements.
The cookie is
used to store personal information, such as the access time, the location from
which the access was made, and the frequency of visits of our website by the
data subject. With each visit to our Internet site, such personal data,
including the IP address of the Internet access used by the data subject, will
be transmitted to Google in the United States of America. These personal data
are stored by Google in the United States of America. Google may pass these
personal data collected through the technical procedure to third parties.
The data subject
may, as stated above, prevent the setting of cookies through our website at any
time by means of a corresponding adjustment of the web browser used and thus
permanently deny the setting of cookies. Such an adjustment to the Internet browser
used would also prevent Google Analytics from setting a cookie on the
information technology system of the data subject. In addition, cookies already
in use by Google Analytics may be deleted at any time via a web browser or
other software programs.
In addition, the
data subject has the possibility of objecting to a collection of data that are
generated by Google Analytics, which is related to the use of this website, as
well as the processing of this data by Google and the chance to preclude any
such. For this purpose, the data subject must download a browser add-on under
the link https://tools.google.com/dlpage/gaoptout and install it. This browser
add-on tells Google Analytics through a JavaScript, that any data and
information about the visits of Internet pages may not be transmitted to Google
Analytics. The installation of the browser add-ons is considered an objection
by Google. If the information technology system of the data subject is later
deleted, formatted, or newly installed, then the data subject must reinstall
the browser add-ons to disable Google Analytics. If the browser add-on was
uninstalled by the data subject or any other person who is attributable to
their sphere of competence, or is disabled, it is possible to execute the
reinstallation or reactivation of the browser add-ons.
Further
information and the applicable data protection provisions of Google may be
retrieved under https://www.google.com/intl/en/policies/privacy/ and under
http://www.google.com/analytics/terms/us.html. Google Analytics is further
explained under the following Link https://www.google.com/analytics/.
15. Data
protection provisions about the application and use of Instagram
On this website,
the controller has integrated components of the service Instagram. Instagram is
a service that may be qualified as an audio visual platform, which allows users
to share photos and videos, as well as disseminate such data in other social
networks. The operating company of the services offered by Instagram is
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2
Ireland.
With each
call-up to one of the individual pages of this Internet site, which is operated
by the controller and on which an Instagram component (Insta button) was
integrated, the Internet browser on the information technology system of the
data subject is automatically prompted to the download of a display of the
corresponding Instagram component of Instagram. During the course of this
technical procedure, Instagram becomes aware of what specific sub-page of our
website was visited by the data subject.
If the data
subject is logged in at the same time on Instagram, Instagram detects with
every call-up to our website by the data subject—and for the entire duration of
their stay on our Internet site—which specific sub-page of our Internet page
was visited by the data subject. This information is collected through the
Instagram component and is associated with the respective Instagram account of
the data subject. If the data subject clicks on one of the Instagram buttons
integrated on our website, then Instagram matches this information with the
personal Instagram user account of the data subject and stores the personal
data.
Instagram
receives information via the Instagram component that the data subject has
visited our website provided that the data subject is logged in at Instagram at
the time of the call to our website. This occurs regardless of whether the
person clicks on the Instagram button or not. If such a transmission of
information to Instagram is not desirable for the data subject, then he or she
can prevent this by logging off from their Instagram account before a call-up
to our website is made.
Further
information and the applicable data protection provisions of Instagram may be
retrieved under https://help.instagram.com/155833707900388 and
https://www.instagram.com/about/legal/privacy/.
16. Use of Google Analytics
We use Google Analytics to analyze website usage. The data
obtained from this is used to optimize our website as well as advertising
measures.
Google Analytics is provided to us by Google Ireland Limited
(Gordon House, Barrow Street, Dublin 4, Ireland). Google processes website
usage data on our behalf and is contractually committed to measures to ensure
the security and confidentiality of the processed data.
During your website visit, the following data is recorded,
among others:
-Pages viewed
-Orders including sales and products ordered
-The achievement of "website goals" (for example,
contact requests and newsletter sign-ups)
-Your behavior on the pages (for example, dwell time, clicks,
scrolling behavior)
-Your approximate location (country and city)
-Your IP address (in shortened form, so that no clear
assignment is possible)
-Technical information such as browser, Internet provider,
terminal device and screen resolution
-Source of origin of your visit (i.e. via which website or
advertising medium you came to us)
-No personal data such as name, address or contact details
are ever transferred to Google Analytics.
This data is transferred to Google servers in the USA. We would like to point out that the same level of protection under data protection law cannot be guaranteed in the USA as within the EU.
Google Analytics stores cookies in your web browser for a
period of two years since your last visit. These cookies contain a randomly
generated user ID with which you can be recognized during future website
visits.
The recorded data is stored together with the randomly
generated user ID, which enables the evaluation of pseudonymous user profiles.
This user-related data is automatically deleted after 14 months. Other data
remains stored in aggregated form indefinitely.
If you do not agree with the collection, you can prevent it with the one-time installation of the browser add-on to disable Google Analytics or by rejecting cookies via our cookie settings dialog.
Use of Google Remarketing
We also use the remarketing function of Google. This allows
us to play personalized advertising to you on suitable advertising spaces on
other websites based on what interests you have shown on our website. For more
information, please see Google's privacy policy: https://policies.google.com/technologies/ads?hl=de.
You can prevent interest-based advertising by installing this browser plugin.
17. Legal
basis for the processing
Art. 6(1) lit. a
GDPR serves as the legal basis for processing operations for which we obtain
consent for a specific processing purpose. If the processing of personal data
is necessary for the performance of a contract to which the data subject is
party, as is the case, for example, when processing operations are necessary
for the supply of goods or to provide any other service, the processing is
based on Article 6(1) lit. b GDPR. The same applies to such processing
operations which are necessary for carrying out pre-contractual measures, for
example in the case of inquiries concerning our products or services. Is our
company subject to a legal obligation by which processing of personal data is
required, such as for the fulfillment of tax obligations, the processing is
based on Art. 6(1) lit. c GDPR. In rare cases, the processing of personal data
may be necessary to protect the vital interests of the data subject or of
another natural person. This would be the case, for example, if a visitor were
injured in our company and his name, age, health insurance data or other vital
information would have to be passed on to a doctor, hospital or other third
party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally,
processing operations could be based on Article 6(1) lit. f GDPR. This legal
basis is used for processing operations which are not covered by any of the
abovementioned legal grounds, if processing is necessary for the purposes of
the legitimate interests pursued by our company or by a third party, except
where such interests are overridden by the interests or fundamental rights and
freedoms of the data subject which require protection of personal data. Such
processing operations are particularly permissible because they have been
specifically mentioned by the European legislator. He considered that a
legitimate interest could be assumed if the data subject is a client of the
controller (Recital 47 Sentence 2 GDPR).
18. The
legitimate interests pursued by the controller or by a third party
Where the
processing of personal data is based on Article 6(1) lit. f GDPR our legitimate
interest is to carry out our business in favour of the well-being of all our
employees and the shareholders.
19. Period
for which the personal data will be stored
The criteria
used to determine the period of storage of personal data is the respective
statutory retention period. After expiration of that period, the corresponding
data is routinely deleted, as long as it is no longer necessary for the fulfilment
of the contract or the initiation of a contract.
20. Provision
of personal data as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the
data subject to provide the personal data; possible consequences of failure to
provide such data
We clarify that
the provision of personal data is partly required by law (e.g. tax regulations)
or can also result from contractual provisions (e.g. information on the
contractual partner). Sometimes it may be necessary to conclude a contract that
the data subject provides us with personal data, which must subsequently be
processed by us. The data subject is, for example, obliged to provide us with
personal data when our company signs a contract with him or her. The
non-provision of the personal data would have the consequence that the contract
with the data subject could not be concluded. Before personal data is provided by
the data subject, the data subject must contact any employee. The employee
clarifies to the data subject whether the provision of the personal data is
required by law or contract or is necessary for the conclusion of the contract,
whether there is an obligation to provide the personal data and the
consequences of non-provision of the personal data.