Privacy Policy

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online offering and its related websites, features, and content, as well as external online presences, such as our social media profiles (collectively referred to as "online offering"). With regard to the terminology used, such as "processing" or "controller," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller


Irene Galli

Ruschstr. 6

79235 Vogtsburg

fewoirene@kaiserstuhl.com

Imprint: [Imprint](http://kaiserstuhl.com/fewoirene/imprint.html)


Types of Processed Data:

- Inventory data (e.g., names, addresses).

- Contact data (e.g., email, phone numbers).

- Content data (e.g., text input, photographs, videos).

- Usage data (e.g., visited websites, interest in content, access times).

- Meta/communication data (e.g., device information, IP addresses).


Categories of Data Subjects

Visitors and users of the online offering (hereinafter collectively referred to as "users").

Purpose of Processing

- Providing the online offering, its features, and content.

- Responding to contact requests and communicating with users.

- Security measures.

- Reach measurement/marketing.

Terminology Used

"Personal data" refers to all information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Processing" refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.

"Pseudonymization" refers to the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Profiling" refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Controller" refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" refers to a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Legal Basis for Processing

In accordance with Article 13 GDPR, we inform you of the legal bases of our data processing. If the legal basis is not specified in the privacy policy, the following applies: the legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR, the legal basis for processing for the performance of our services and carrying out contractual measures as well as responding to inquiries is Article 6(1)(b) GDPR, the legal basis for processing to fulfill our legal obligations is Article 6(1)(c) GDPR, and the legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR. In the case that vital interests of the data subject or another natural person make the processing of personal data necessary, Article 6(1)(d) GDPR serves as the legal basis.

## Security Measures

We take appropriate technical and organizational measures in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access to, input of, and transfer of the data, securing its availability, and its separation. We have also established procedures to ensure the exercise of data subject rights, the deletion of data, and the response to threats to the data. Furthermore, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, according to the principle of data protection by design and by default (Article 25 GDPR).
## Cooperation with Processors and Third Parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them, or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, is necessary for the performance of a contract as per Article 6(1)(b) GDPR), you have given your consent, a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties to process data on the basis of a so-called "data processing agreement," this is done on the basis of Article 28 GDPR.

## Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosure, or transfer of data to third parties, this will only happen if it is done to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Article 44 ff. GDPR are met. This means that the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection equivalent to that in the EU (e.g., for the USA through the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").

## Rights of Data Subjects

You have the right to request confirmation as to whether data concerning you is being processed and to request information about this data as well as further information and a copy of the data in accordance with Article 15 GDPR.
You have the right, in accordance with Article 16 GDPR, to request the completion of the data concerning you or the correction of incorrect data concerning you.

You have the right, in accordance with Article 17 GDPR, to request that relevant data be deleted immediately, or alternatively, in accordance with Article 18 GDPR, to request a restriction of the processing of the data.

You have the right to request to receive the data concerning you that you have provided to us, in accordance with Article 20 GDPR, and to request its transmission to other controllers.

You also have the right to lodge a complaint with the competent supervisory authority in accordance with Article 77 GDPR.

## Right to Withdraw Consent

You have the right to withdraw consent granted in accordance with Article 7(3) GDPR with effect for the future.

## Right to Object

You can object to the future processing of data concerning you in accordance with Article 21 GDPR at any time. The objection can be made in particular against processing for direct marketing purposes.

## Cookies and Right to Object to Direct Marketing

Cookies are small files that are stored on users' computers. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit within an online offering.

Temporary cookies, or "session cookies" or "transient cookies," are cookies that are deleted after a user leaves an online offering and closes their browser. In such a cookie, the content of a shopping cart in an online store or a login status can be stored. "Permanent" or "persistent" cookies are cookies that remain stored even after the browser is closed. For example, the login status can be saved if users visit it after several days. Similarly, the interests of the users can be stored in such a cookie, which are used for reach measurement or marketing purposes.
"Third-party cookies" are cookies offered by providers other than the controller operating the online offering (otherwise, if it is only their cookies, they are referred to as "first-party cookies").

We may use temporary and permanent cookies and explain this within our privacy policy.

If users do not want cookies to be stored on their computer, they are asked to disable the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offering.

A general objection to the use of cookies used for online marketing purposes can be declared for a variety of services, especially in the case of tracking, via the US-American website [http://www.aboutads.info/choices/](http://www.aboutads.info/choices/) or the EU website [http://www.youronlinechoices.com/](http://www.youronlinechoices.com/). Furthermore, the storage of cookies can be prevented by disabling them in the settings of the browser. Please note that not all functions of this online offering may be used in this case.

## Deletion of Data

The data processed by us will be deleted or restricted in their processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this privacy policy, the data stored by us will be deleted as soon as they are no longer required for their purpose and the deletion does not conflict with any statutory retention obligations. If the data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

According to legal requirements in Germany, the retention period is 10 years in accordance with §§ 147(1) AO, 257(1) Nos. 1 and 4, (4) HGB (books, records, management reports, booking documents, trade books, documents relevant for taxation, etc.) and 6 years in accordance with § 257(1) Nos. 2 and 3, (4) HGB (commercial letters).

According to legal requirements in Austria, the retention period is particularly 7 years in accordance with § 132(1) BAO (accounting documents, receipts/invoices, accounts, vouchers, business papers, statement of income and expenses, etc.), 22 years in connection with real estate, and 10 years for documents related to electronically supplied services, telecommunications, broadcasting, and television services provided to non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.

## Business-Related Processing

We process the following data from our customers, prospects, and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research:

- Contract data (e.g., subject matter of the contract, term, customer category).

- Payment data (e.g., bank details, payment history).

## Hosting

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space, and database services, security services as well as technical maintenance services, which we use for the purpose of operating this online offering.

Here we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, and meta/communication data from customers, prospects, and visitors of this online offering based on our legitimate interests in an efficient and secure provision of this online offering according to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of data processing agreement).
## Collection of Access Data and Log Files

We, or our hosting provider, collect data on the basis of our legitimate interests in the sense of Article 6(1)(f) GDPR about each access to the server on which this service is located (so-called server log files). The access data includes the name of the retrieved website, file, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

Log file information is stored for security reasons (e.g., to investigate abuse or fraud) for a maximum of 7 days and then deleted. Data whose further retention is required for evidence purposes is exempt from deletion until the final clarification of the respective incident.

## Administration, Financial Accounting, Office Organization, Contact Management

We process data in the context of administrative tasks as well as organization of our business, financial accounting, and compliance with legal obligations, such as archiving. Here we process the same data that we process in the course of providing our contractual services. The processing bases are Article 6(1)(c) GDPR, Article 6(1)(f) GDPR. Data subjects are customers, prospects, business partners, and website visitors. The purpose and our interest in processing lie in the administration, financial accounting, office organization, data archiving, tasks that serve the maintenance of our business activities, the performance of our tasks, and the provision of our services. The deletion of data with regard to contractual services and contractual communication corresponds to the information provided in these processing activities.

We disclose or transmit data to the tax authorities, consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers.
Furthermore, we store information on suppliers, event organizers, and other business partners on the basis of our business interests, e.g., for the purpose of later contact. These predominantly business-related data are stored permanently.

## Contacting Us

When contacting us (e.g., via contact form, email, phone, or social media), the user's information is processed to handle the contact request and its processing in accordance with Article 6(1)(b) GDPR. The user's information may be stored in a Customer Relationship Management System ("CRM System") or comparable inquiry organization.

We delete the inquiries if they are no longer necessary. We review the necessity every two years; furthermore, the statutory archiving obligations apply.

## Newsletter

With the following information, we inform you about the contents of our newsletter as well as the registration, dispatch, and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the procedures described.

**Content of the newsletter:** We send newsletters, emails, and other electronic notifications with promotional information (hereinafter "newsletter") only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described in the context of a registration, they are decisive for the user's consent. Otherwise, our newsletters contain information about our services and us.

**Double-Opt-In and logging:** The registration for our newsletter is done in a so-called double-opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with email addresses that are not their own. The registrations for the newsletter are logged to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address.
Likewise, the changes of your data stored with the email service provider are logged.

**Registration data:** To subscribe to the newsletter, it is sufficient to provide your email address. Optionally, we ask you to provide a name for personal address in the newsletter.

**The dispatch of the newsletter and the associated performance measurement is based on the consent of the recipients in accordance with Article 6(1)(a), Article 7 GDPR in conjunction with § 7(2) No. 3 UWG or based on the legal permission in accordance with § 7(3) UWG.**

**The logging of the registration process is based on our legitimate interests in accordance with Article 6(1)(f) GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter system that serves our business interests as well as meets the expectations of the users and allows us to prove consent.**

**Cancellation/Revocation:** You can cancel the receipt of our newsletter at any time, i.e., revoke your consents. A link to cancel the newsletter can be found at the end of each newsletter. We may store the unsubscribed email addresses for up to three years based on our legitimate interests before we delete them to provide proof of previously given consent. The processing of these data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of a consent is confirmed at the same time.

## Online Presences in Social Media

We maintain online presences within social networks and platforms to communicate with the customers, prospects, and users active there and to inform them about our services. When calling up the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Unless otherwise stated in our privacy policy, we process users' data if they communicate with us within social networks and platforms, e.g., post contributions on our online presences or send us messages.

## Integration of Third-Party Services and Content

We use content or service offerings from third-party providers within our online offering based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Article 6(1)(f) GDPR) to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content").

This always presupposes that the third-party providers of this content perceive the IP address of the users, as they could not send the content to their browser without the IP address. The IP address is thus required for the display of this content. We strive to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through the "pixel tags," information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the users' device and may include, among other things, technical information about the browser and operating system, referring websites, visit time, and other details about the use of our online offering, as well as be linked to such information from other sources.

## Google Maps

We integrate the maps of the service "Google Maps" of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, IP addresses and location data of the users, which, however, are not collected without their consent (usually executed as part of the settings of their mobile devices). The data can be processed in the USA.
[Privacy Policy](https://www.google.com/policies/privacy/), [Opt-Out](https://adssettings.google.com/authenticated).

## Use of Facebook Social Plugins

We use social plugins ("plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Article 6(1)(f) GDPR). The plugins can display interaction elements or content (e.g., videos, graphics, or text posts) and are recognizable by one of the Facebook logos (white "f" on a blue tile, the terms "Like", "Gefällt mir" or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin". The list and the appearance of the Facebook Social Plugins can be viewed [here](https://developers.facebook.com/docs/plugins/).

Facebook is certified under the Privacy Shield agreement and thus offers a guarantee of compliance with European data protection law ([Privacy Shield](https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active)).

When a user calls up a function of this online offering that contains such a plugin, their device establishes a direct connection with the Facebook servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online offering. User profiles can be created from the processed data. We have no influence on the extent of the data that Facebook collects with the help of this plugin and therefore inform users according to our knowledge.

By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offering. If the user is logged into Facebook, Facebook can assign the visit to their Facebook account.
When users interact with the plugins, for example, by pressing the Like button or leaving a comment, the corresponding information is transmitted directly from your device to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will find out and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.

Purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and setting options for protecting the privacy of users, can be found in the [privacy policy of Facebook](https://www.facebook.com/about/privacy/).

If a user is a Facebook member and does not want Facebook to collect data about them via this online offering and link it to their member data stored with Facebook, they must log out of Facebook and delete their cookies before using our online offering. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: [Facebook Profile Settings](https://www.facebook.com/settings?tab=ads) or via the US-American website [http://www.aboutads.info/choices/](http://www.aboutads.info/choices/) or the EU website [http://www.youronlinechoices.com/](http://www.youronlinechoices.com/). The settings are platform-independent, i.e., they are adopted for all devices, such as desktop computers or mobile devices.

## Use of Google Analytics

We use Google Analytics to analyze website usage. The resulting data is used to optimize our website and advertising measures.

Google Analytics is a web analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States). Google processes the data on website usage on our behalf and is contractually committed to measures to ensure the confidentiality of the processed data.
During your website visit, the following data, among others, are recorded:

- Pages viewed

- Orders including sales and ordered products

- The achievement of "website goals" (e.g., contact requests and newsletter sign-ups)

- Your behavior on the pages (e.g., clicks, scroll behavior, and length of stay)

- Your approximate location (country and city)

- Your IP address (in shortened form, so that no clear assignment is possible)

- Technical information such as browser, Internet provider, terminal device, and screen resolution

- Source of origin of your visit (i.e., via which website or advertising material you came to us)

These data are transferred to a Google server in the USA. Google observes the data protection provisions of the "EU-US Privacy Shield" agreement.

Google Analytics stores cookies in your web browser for a period of two years from your last visit. These cookies contain a randomly generated user ID, which allows you to be recognized during future website visits.

The recorded data is stored together with the randomly generated user ID, which enables the evaluation of pseudonymous user profiles. These user-related data are automatically deleted after 14 months. Other data remain in aggregated form indefinitely.

If you do not agree with the collection, you can prevent it by installing the browser add-on to disable Google Analytics.

Generated with [Privacy Policy Generator](https://datenschutz-generator.de/) by RA Dr. Thomas Schwenke