Introduction
Status: 23rd November 2023
Table of contents
– Introduction
– Person responsible for data protection
– Contact Data Protection Officer
– Overview of processing operations
– Relevant legal basis
– Security measures
– Transfer of personal data
– Data processing in third countries
– Deletion of data
– Providers and services used in the course of business
– Provision of the online offer and web hosting
– Special information on applications (apps)
– Purchase of applications via app stores
– Registration, login and user account
– Community functions
– Contact and enquiry management
– Push messages
– Profiling, business and marketing analysis
– Newsletter and electronic notifications
– Sweepstakes and competitions
– Surveys and polls
– Amendments and updates to the privacy policy
– Rights of data subjects – Definitions
Responsible
Sportstech Brands Holding GmbH Karl-Liebknecht-Straße 7 10178 Berlin Germany
Persons authorised to represent the company:
Managing Director Ali Ahmad E-mail address: [email protected]
Contact Data Protection Officer
Trusted Shops GmbH Subbelrather Str. 15c 50823 Köln Germany
E-mail address: [email protected]
Overview of processing operations
The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.
Types of data processed
– Inventory data.
– Payment data.
– Location data.
– Contact data.
– Content data.
– Contract data.
– Usage data.
– Training/and fitness data.
– Meta/communication data.
– Location history and movement profiles.
Categories of data subjects
– Customers.
– Prospects.
– Communication partners.
– Users.
– Sweepstake and competition participants.
– Business and contractual partners.
– Participants.
Purposes of processing
– Provision of contractual services and customer service.
– Contact requests and communication.
– Security measures.
– Direct marketing.
– Reach measurement.
– Office and organisational procedures.
– Managing and responding to enquiries.
– Conducting sweepstakes and contests.
– Feedback.
– Marketing.
– Provision of our online services and user experience.
– Information technology infrastructure.
Relevant legal basis
Below you will find an overview of the legal basis of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the data protection declaration.
– Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given his/her consent to the processing of personal data relating to him/her for a specific purpose or GDPR.
– Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures carried out at the data subject’s request.
– Legitimate interests (Art. 6 (1) p. 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, the processing for other purposes and the transmission and automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. Furthermore, data protection laws of the individual federal states may apply.
Security measures
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, assurance of availability of and segregation of the data. We also have procedures in place to ensure the exercise of data subjects’ rights, the deletion of data and responses to data compromise. Furthermore, we already take the protection of personal data into account in the development or selection of hardware, software and procedures in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
SSL encryption (https): In order to protect your data transmitted via our online offer, we use SSL encryption. You can recognise such encrypted connections by the prefix https:// in the address line of your browser.
Transmission of personal data
In the course of our processing of personal data, it may happen that the data is transmitted to other bodies, companies, legally independent organisational units or persons or that it is disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.
Data transfer within the organisation: We may transfer personal data to other bodies within our organisation or grant them access to this data. Where this transfer is for administrative purposes, the transfer of data is based on our legitimate business and operational interests or is made where it is necessary for the performance of our contract-related obligations or where we have obtained the consent of the data subjects or legal permission.
Data processing in third countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of using third-party services or disclosing or transferring data to other persons, entities or companies, this will only be done in accordance with legal requirements.
Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not necessary for the purpose). If the data are not deleted because they are required for other and legally permissible purposes, their processing is limited to these purposes. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.
Within the framework of our data protection notices, we may provide users with further information on the deletion as well as on the retention of data that applies specifically to the respective processing operations.
Providers and services used in the course of business
In the course of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (“services” for short) in compliance with the legal requirements. Their use is based on our interests in the proper, lawful and economic management of our business operations and our internal organisation.
– Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); contract data (e.g. subject matter of contract, term, customer category).
– Data subjects: Customers; prospective customers; users (e.g. website visitors, users of online services); business and contractual partners.
– Purposes of processing: provision of contractual services and customer service; office and organisational procedures.
– Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Provision of the offer
We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or terminal device.
– Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); content data (e.g. entries in online forms).
– Data subjects: Users (e.g. website visitors, users of online services); business and contractual partners.
– Purposes of processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).); security measures.
– Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Further information on processing processes, procedures and services:
– Provision of online offer on rented storage space: for the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also referred to as “web hoster”); legal basis: legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
– Collection of access data and log files: Access to our online offer is logged in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files may be used on the one hand for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and on the other hand to ensure the utilisation of the servers and their stability; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
– Amazon Web Services (AWS): Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal basis: Legitimate Interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Website: https://aws.amazon.com/de/; Privacy policy: https://aws.amazon.com/de/privacy/; Order processing contract:
https://aws.amazon.com/de/compliance/GDPR-center/; Standard contractual clauses (ensuring level of data protection for processing in third countries): Inclusion in the order processing contract.
Special notes on applications (apps)
We process the data of the users of our app insofar as this is necessary to provide the app and its functionalities to the users, to monitor its security and to further develop it. We may also contact users in compliance with the legal requirements, provided that the communication is necessary for the purposes of administration or use of the application. In all other respects, we refer to the data protection information in this data protection declaration with regard to the processing of users’ data.
Legal basis: The processing of data required for the provision of the functionalities of the application serves the fulfilment of contractual obligations. This also applies if the provision of the functions requires user authorisation (e.g. release of device functions). If the processing of data is not necessary for the provision of the functionalities of the application, but serves the security of the application or our business interests (e.g. collection of data for purposes of optimising the application or security purposes), it is carried out on the basis of our legitimate interests. Where users are explicitly asked for their consent to the processing of their data, the processing of the data covered by the consent is based on the consent.
– Types of data processed:
When you log in to our app for the first time, we process the data you provide to create your user profile. Necessary for this are your name (nickname), your email address/password. In addition, we process data from you if you provide it to us voluntarily in order to keep an up-to-date record of your training and fitness goals. This information includes, but is not limited to, height, gender and weight and, for workouts, telematics data such as your pulse, calories burned and workout history. We need this information to provide you with the core function of our app, which is to allow you to participate in live workouts, motivate you to workout and provide you with workout and nutrition recommendations where applicable. In addition, we also process location data so that our trainers can address you personally in shoutouts, if necessary, to increase your motivation.
Further data processed by us: Meta/communication data (e.g. device information, IP addresses); location data (information about the geographical position of a device or person); location history and movement profiles (collection of location data and changes in position over a period of time).
Purposes of processing: provision of contractual services and customer service. Insofar as location data is accessed, this is done on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time in the settings of your profile. In addition, you can also delete other information such as height and weight etc. in your settings. However, please note that if you delete this data, we may no longer be able to provide you with the functions of this website, or only partially.
Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Deletion of data: You can delete your user profile at any time. Insofar as your account is not deleted, we store the data within the framework of the legal provisions.
Further information on processing, procedures and services:
– Storage of a universal and unique identifier (UUID): The application stores a so-called Universally Unique Identifier (UUID) for the purpose of analysing the use and functionality of the application as well as storing the user’s settings. This identifier is generated when this application is installed (but is
not linked to the device, so it is not a device identifier in this sense), remains stored between the start of the application and its updates, and is deleted when users remove the application from their device.
– Device permissions to access functions and data: The use of our application or its functionalities may require users to have permissions to access certain functions of the devices used or the data stored on or accessible through the devices. By default, these permissions must be granted by the users and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the users’ device and software. Users can contact us if they need clarification. Please note that denial or revocation of the respective permissions may affect the functionality of our app.
– Location history and movement profiles: Based on the location data collected as part of the use of our application, a location history is created which shows the geographical movements of the devices used over a period of time (and may allow an inference to the movement profile of the users). The location history is only used to provide the respective functionality of our application, according to its description to the users, or its typical and expected functionality.
Purchase of applications via app stores
Our application is obtained via special online platforms operated by other service providers (so-called “app stores”). In this context, the data protection notices of the respective app stores apply in addition to our data protection notices. This applies in particular with regard to the procedures used on the platforms for reach measurement and interest-based marketing as well as any obligation to pay costs.
– Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); contract data (e.g. subject matter of contract, term, customer category); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); content data (e.g. entries in online forms).
– Data subjects: Customers; users (e.g. website visitors, users of online services).
– Purposes of processing: provision of contractual services and customer service; marketing.
– Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Further information on processing processes, procedures and services:
– Apple App Store: app and software sales platform; service providers: Apple Inc, Infinite Loop, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Website: https://www.apple.com/de/ios/app-store/; Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
– Google Play: App and software sales platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Website: https://play.google.com/store/apps?hl=de; Privacy policy: https://policies.google.com/privacy.
Registration, login and user account
Users can create a user account. As part of the registration process, users are provided with the required mandatory data and this data is processed for the purpose of providing the user account on the
basis of contractual obligation fulfilment. The processed data includes in particular the login information (user name, password and an e-mail address).
Within the scope of the use of our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorised use. This data is only passed on for the purpose of authentication. Other disclosure to third parties will not take place, unless it is necessary for the pursuit of our claims or there is a legal obligation to do so.
Users may be informed by e-mail about events relevant to their user account, such as technical changes.
– Types of data processed: inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Users (e.g. website visitors, users of online services).
– Purposes of processing: provision of contractual services and customer service; security measures; managing and responding to enquiries; providing our online offer and user-friendliness.
– Legal basis: Contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
– Registration with pseudonyms: Users are allowed to use pseudonyms as user names instead of plain names; Legal basis: Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) GDPR).
– User profiles are public: User profiles are publicly visible and accessible; legal basis: contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
– Deletion of data after termination: If users have terminated their user account, their data with regard to the user account will be deleted, subject to legal permission, obligation or consent of the users; legal basis: contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
– No obligation to retain data: It is the users’ responsibility to save their data in the event of termination before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract; legal basis: fulfilment of contract and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
– Telnyx: 2FA-Software; Service provider: Telnyx LLC, 515 N State St, Chicago United States; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Website: https://telnyx.com/; Privacy policy: https://telnyx.com/company/data-privacy.
Community functions
The community functions provided by us allow users to enter into conversations or other exchanges with each other. In this regard, we ask you to note that the use of the community functions is only permitted in compliance with the applicable legal situation, our terms and guidelines and the rights of other users and third parties.
– Types of data processed: Usage data (e.g. web pages visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Users (e.g. website visitors, users of online services).
– Purposes of processing: provision of contractual services and customer service; security measures.
– Legal basis: Contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
Further information on processing processes, procedures and services:
– User contributions are public: user-created contributions and content are publicly visible and accessible; legal basis: contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) GDPR).
– Protection of own data: Users themselves decide what data they disclose about themselves within our online offer. For example, when users provide personal information or participate in conversations. We ask users to protect their data and to publish personal data only with caution and only to the extent necessary. In particular, we ask users to take special care to protect their access data and to use secure passwords (i.e. especially character combinations that are as long and random as possible); legal basis: contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
Contact and enquiry management
When contacting us (e.g. via contact form, email, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to answer the contact enquiries and any requested measures.
The response to the contact enquiries as well as the management of contact and enquiry data in the context of contractual or pre-contractual relationships is carried out in order to fulfil our contractual obligations or to respond to (pre)contractual enquiries and, moreover, on the basis of the legitimate interests in responding to the enquiries and maintaining user or business relationships.
For the organization and processing of inquiries, personal data is collected according to the scope of its provision, but in any case, surname, first name and e-mail address, transmitted to the provider, stored there and read out.
When you contact us (e.g. via contact form or email), personal data is processed exclusively for the purpose of processing and responding to your request and only to the extent necessary for this purpose.
Your data will be deleted when it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.
– Types of data processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Communication partners.
– Purposes of processing: provision of contractual services and customer service; contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form); providing our online offer and user experience.
– Legal basis: Contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR); Legitimate interests in the efficient organization of our customer service, the fastest possible response to your request and the optimization of our service offering (Art. 6 para. 1 p. 1 lit. f) GDPR).
Push messages
With the consent of users, we may send users so-called “push notifications”. These are messages that are displayed on the screens, end devices or in browsers of the users, even if our online service is not being actively used at the time.
To sign up for the push messages, users must confirm their browser or device’s request to receive the push messages. This consent process is documented and stored. The storage is necessary to recognise whether users have consented to receive the push messages and to be able to prove the consent. For these purposes, a pseudonymous identifier of the browser (so-called “push token”) or the device ID of an end device is stored.
On the one hand, the push messages may be necessary for the fulfilment of contractual obligations (e.g. technical and organisational information relevant to the use of our online offer) and are otherwise sent on the basis of user consent, unless specifically mentioned below. Users can change the receipt of push messages at any time using the notification settings of their respective browsers, or terminal devices.
– Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Communication partners.
– Purposes of processing: provision of our online offer and user-friendliness.
– Legal basis: consent (Art. 6 para. 1 p. 1 lit. a) GDPR); contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
Further information on processing operations, procedures and services:
Zendesk International Ltd: Customer service software; Service provider: Zendesk International Ltd., 55 Charlemont Place, Saint Kevin’s, Dublin D02 F985, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); Website: https://www.zendesk.de/; Privacy policy: https://www.zendesk.de/company/agreements-and-terms/privacy-notice /; Data processing agreement: Provided by the service provider.
Profiling, business and marketing analysis
We process your personal data for business and marketing analysis purposes, to make improvements to the product, to analyze whether and how the membership content is used, and to improve and ensure the services so that the membership meets members’ needs over time.
– Types of data processed: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); contract data (e.g. subject matter of contract, term, customer category); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); content data (e.g. entries in online forms).
– Data subjects: Participant, Customers.
– Purposes of processing: Profiling, business and marketing analysis.
– Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
– Option to object: you can object to the use of your data for profiling, business and marketing analyses at any time
Further information on processing operations, procedures and services:
Amplitude Inc: Market analysis service; Service provider: Amplitude Inc., 201 3rd Street Suite 200, San Francisco, California 94103; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR); Website: https://amplitude.com/. Privacy policy: https://amplitude.com/amplitude-security-and-privacy; Data processing agreement: Provided by the service provider, https://amplitude.com/dpa.
Newsletter and electronic notifications
We send newsletters, e-mails and other electronic notifications (hereinafter “newsletters”) only with the consent of the recipients or with legal permission. If the contents of a newsletter are specifically described in the course of registration, they are decisive for the consent of the user. Apart from that, our newsletters contain information about our services and us.
In order to subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name, for the purpose of personal address in the newsletter, or further details, if these are necessary for the purposes of the newsletter.
Double opt-in procedure: The registration for our newsletter is always carried out in a so-called double opt-in procedure. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with other people’s e-mail addresses. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored with the dispatch service provider are also logged.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove consent previously given. The processing of this data will be limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a block list (so-called “block list”) for this purpose alone.
The logging of the registration process takes place on the basis of our legitimate interests for the purpose of proving its proper course. Insofar as we commission a service provider with the dispatch of e-mails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Contents:
Information about us, our services, promotions and offers.
– Types of data processed: inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); meta/communication data (e.g. device information, IP addresses); usage data (e.g. websites visited, interest in content, access times).
– Data subjects: Communication partners.
– Purposes of processing: direct marketing (e.g. by email or post); reach measurement (e.g. access statistics, recognition of returning visitors).
– Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR).
– Option to object (opt-out): You can cancel receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of
each newsletter or you can use one of the contact options given above, preferably e-mail, for this purpose.
Further information on processing, procedures and services:
– SendinBlue: email marketing platform; service provider: SendinBlue SAS, 55, rue d’Amsterdam, 75008 Paris, France; Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) GDPR); Website: https://de.sendinblue.com/; Privacy policy: https://www.sendinblue.com/legal/privacypolicy/; data processing agreement: Provided by the service provider.
Sweepstakes and competitions
We process personal data of participants in sweepstakes and competitions only in compliance with the relevant data protection provisions, insofar as the processing is contractually necessary for the provision, implementation and handling of the sweepstakes, the participants have consented to the processing or the processing serves our legitimate interests (e.g. in the security of the sweepstakes or the protection of our interests against abuse through possible recording of IP addresses when submitting sweepstakes entries).
If entries from participants are published as part of the prize draws (e.g. as part of a vote or presentation of the prize draw entries or the winners or reporting on the prize draw), we point out that the names of the participants may also be published in this context. Participants may object to this at any time.
If the competition takes place within an online platform or a social network (e.g. Facebook or Instagram, hereinafter referred to as “online platform”), the usage and data protection provisions of the respective platforms shall also apply. In these cases, we would like to point out that we are responsible for the information provided by the participants within the scope of the competition and that enquiries with regard to the competition should be addressed to us.
The participants’ data will be deleted as soon as the competition or contest has ended and the data is no longer required to inform the winners or because queries regarding the competition are to be expected. In principle, participants’ data will be deleted no later than 6 months after the end of the competition. Winners’ data may be retained for longer, e.g. in order to be able to answer queries about the prizes or to fulfil the prize obligations; in this case, the retention period depends on the type of prize and is up to three years in the case of goods or services, for example, in order to be able to process warranty claims. Furthermore, the participants’ data may be stored for a longer period, e.g. in the form of reporting on the competition in online and offline media.
If data was also collected for other purposes within the scope of the competition, its processing and the retention period will be governed by the data protection information on this use (e.g. in the case of registration for the newsletter within the scope of a competition).
– Types of data processed: inventory data (e.g. names, addresses); content data (e.g. entries in online forms); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Sweepstakes and contest participants.
– Purposes of processing: implementation of sweepstakes and contests.
– Legal basis: Contract performance and pre-contractual enquiries (Art. 6 para. 1 p. 1 lit. b) GDPR).
Surveys and polls
We conduct surveys and interviews in order to collect information for the purpose of the survey or interview communicated in each case. The surveys and questionnaires we conduct (hereinafter “surveys”) are evaluated anonymously. Personal data is only processed insofar as this is necessary for the provision and technical implementation of the surveys (e.g. processing of the IP address in order to display the survey in the user’s browser or to enable the survey to be resumed with the aid of a cookie).
– Types of data processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Communication partners; participants.
– Purposes of processing: Feedback (e.g. collecting feedback via online form).
– Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) GDPR).
Amendment and updating of the data protection declaration
We ask you to regularly inform yourself about the content of our data protection declaration. We adapt the data protection declaration as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.
Where we provide addresses and contact details of companies and organisations in this privacy statement, please note that the addresses may change over time and please check the details before contacting us.
Rights of data subjects
As a data subject, you have various rights under the GDPR, in particular as set out in Articles 15 to 21 of the GDPR:
– Right to object: you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
– Right to withdraw consent: You have the right to revoke any consent given at any time.
– Right to information: You have the right to request confirmation as to whether data in question is being processed and to information about this data as well as further information and a copy of the data in accordance with the legal requirements.
– Right to rectification: You have the right, in accordance with the law, to request that data concerning you be completed or that inaccurate data concerning you be rectified.
– Right to erasure and restriction of processing: You have the right, in accordance with the law, to request that data concerning you be erased without delay or, alternatively, to request restriction of the processing of the data in accordance with the law.
– Right to data portability: You have the right to receive data relating to you that you have provided to us in a structured, common and machine-readable format, or to request that it be transferred to another controller, in accordance with the law.
– Complaint to supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
Definitions
This section provides you with an overview of the terms used in this privacy notice. Many of the terms are taken from the law and defined primarily in Article 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to help you understand them. The terms are sorted alphabetically.
– Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to an online offering and may include visitors’ behaviour or interests in certain information, such as the content of web pages. With the help of reach analysis, website owners can see, for example, at what time visitors visit their website and what content they are interested in. This enables them, for example, to better adapt the content of the website to the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are often used to recognise returning visitors and thus obtain more precise analyses of the use of an online offer.
– Location data: Location data is generated when a mobile device (or another device with the technical requirements of location determination) connects to a radio cell, a WLAN or similar technical means and functions of location determination. Location data is used to indicate the geographically determinable position on earth at which the respective device is located. Location data can be used, for example, to display map functions or other information dependent on a location.
– Location history and movement profiles: Location history (also referred to as “movement profile”) is the collection of location data over a period of time. Location history allows conclusions to be drawn about the geographical movements (i.e. changes in position) of devices or their users.
– Controller: A “controller” is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
– Processing: “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and encompasses virtually any handling of data, be it collection, analysis, storage, transmission or erasure.
