Data Protection
Foreword
We, K+R GmbH (hereinafter referred to jointly as “the Organization”, “we” or “us”), take the protection of your personal data seriously and hereby wish to inform you about data protection within our Organization.
In compliance with the EU General Data Protection Regulation ((EU) Regulation 2016/679; hereinafter referred to as “GDPR”), we have an obligation to protect the personal data of individuals whose data we process (we shall also hereinafter refer to you, the data subject, as “Customer”, “User”, “you”, “your” or “Data Subject”). Insofar as we decide alone or jointly with others on the purposes and means of data processing, we have a fundamental obligation to provide you with transparent information about the nature, scope, purpose, duration and legal basis of the processing of your personal data (see Art. 13 and 14 GDPR).
This declaration (hereinafter referred to as “Privacy Notice”) describes how we handle and process your personal data.
A. GENERAL PROVISIONS
1. DEFINITIONS
In alignment with Art. 4 GDPR, this Privacy Notice is based on the following definitions:
“Personal Data” (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (“Data Subject”). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to their physical, physiological, genetic, psychological, economic, cultural or social identity. Identifiability can also occur through the linking or combining of such information or with other additional knowledge. The origin, form or medium of the information is of no consequence (photos, video or audio recordings can also contain personal data).
“Processing” (Art. 4 No. 2 GDPR) means any operation performed on personal data, regardless of whether it is carried out by automated means (i.e., technology-based). This includes, in particular, the collection (i.e., procurement), recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, and the change in the original objective or purpose underlying the data processing.
“Controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of the personal data, either alone or jointly with others.
“Third Party” (Art. 4 No. 10 GDPR) means any natural or legal person, public authority, agency or other body other than the Data Subject, the Controller, the Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data; this also includes other legal persons within or affiliated with the Group.
“Processor” (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller, particularly in accordance with the Controller’s instructions (e.g., IT service providers). A Processor is not a Third Party within the meaning of data protection law.
“Consent” (Art. 4 No. 11 GDPR) of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes in the form of a statement or clear affirmative action, with which the Data Subject indicates that he or she agrees to the processing of his or her personal data.
2. NAME AND ADDRESS OF THE CONTROLLER
We are acting as the Controller in charge of the processing of your personal data within the meaning of Art. 4 No. 7 GDPR:
K+R GmbH
Hauptstraße 81-85
65760 Eschborn, Germany
Tel.: +49 (0) 619693063-0
Fax: +49 (0) 619693063-45
Email: info[at]krgroup.de
Further information about our organization can be found in the legal notice on our website https://www.krgroup.de/impressum.
3. CONTACT DETAILS OF THE DATA PROTECTION OFFICER
Our company Data Protection Officer is at your disposal at all times to answer any questions you may have and to act as your contact person for data protection matters. Their contact details are:
advokIT Datenschutz
Weißmann Datenschutz GmbH
Schirmerstraße 30
50823 Cologne, Germany
Postal address:
Riemenschneiderstraße 4
55543 Bad Kreuznach, Germany
Datenschutz[at]advokit.de
4. LEGAL BASIS OF DATA PROCESSING
The processing of personal data is in principle prohibited by law and is permitted only if it falls under one of the following circumstances:
Art. 6 para. 1 (1) (a) GDPR (“Consent”): The Data Subject has freely given an informed, specific and unambiguous indication in the form of a statement or other clear affirmative action of their agreement to the processing
of his or her personal data
for one or more specific purposes;
Art. 6 para. 1 (1) (b) GDPR: Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
Art. 6 para. 1 (1) (c) GDPR: Processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g., legal obligation to retain data);
Art. 6 para. 1 (1) (d) GDPR: Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
Art. 6 para. 1 (1) (e) GDPR: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or
Art. 6 para. 1, (1) (f) GDPR (“Legitimate Interests”): Processing is necessary for the purposes of the legitimate interests (in particular legal or economic interests) pursued by the Data Controller or by a Third Party, except where such interests are overridden by the interests or rights of the Data Subject (in particular where the Data Subject is a child).
The applicable legal bases for the processing operations that we perform are given below. A processing operation may be governed by several legal bases.
General information on the legal bases of data processing on this website
If you have consented to data processing, we will process your personal data on the basis of Art. 6 para. 1 (a) GDPR or Art. 9 para 2 (a) GDPR insofar as special data categories as per Art. 9 para. 1 GDPR are processed. Furthermore, data processing is carried out on the basis of Art. 49 para. 1 (a) GDPR if express consent is granted to transfer personal data to third countries. If you have consented to the placing of cookies or to access to information on your end device (e.g., via device fingerprinting), data processing is also carried out on the basis of Section 25 para. 1 of the German Telecommunications-Telemedia Data Protection Act [TTDSG]. Consent may be withdrawn at any time. If your data is required for the performance of a contract or the implementation of pre-contractual measures, we will process your data on the basis of Art. 6 para. 1 (b) GDPR. We also process your data if this is necessary to fulfil a legal obligation on the basis of Art. 6 para. 1 (c) GDPR. Data processing may also be carried out on the basis of our legitimate interest in accordance with Art. 6 para. 1 (f) GDPR. The following sections of this Privacy Notice provide information on the legal bases applicable in specific cases.
5. DATA ERASURE AND STORAGE PERIOD
For the processing operations we undertake, we will outline below how long data is stored and when it is erased or restricted for further processing. Unless a specific storage period is specified, your personal data will be erased or restricted as soon as the purpose or legal basis for storage no longer applies. As a rule, your data will be stored only on our servers in the European Economic Area (EEA), subject to any disclosure in accordance with the provisions set out in A. (7) and A. (8) of this Privacy Notice.
However, data may be stored for longer than the specified period in the event of an (impending) legal dispute with you or other legal proceedings, or if storage is provided for under statutory provisions by which we are bound as the Controller (e.g., Section 257 German Commercial Code [HGB], Section 147 German Fiscal Code [AO]). If the storage period stipulated in the statutory provisions expires, the personal data will be restricted or erased, unless its continued storage is required to ensure our compliance with a legal obligation to which we are subject and a valid legal basis exists.
6. DATA SECURITY
We use appropriate technical and organizational security measures in order to protect your data against accidental or intentional manipulation, partial or complete loss or destruction, or unauthorized third party access (e.g., Transport Layer Security (TSL) encryption for our website), taking into account state of the art, implementation costs and the nature, scope, context and purpose of the processing, plus the existing risks of a data breach (including its likelihood and consequences) for the Data Subject. Our security measures undergo continuous improvement in line with technological developments.
7. COOPERATION WITH PROCESSORS
We work with external domestic and foreign service providers to carry out our business transactions (e.g., for the areas of IT, logistics, telecommunications and marketing). They act only on our instruction and are contractually obliged to comply with the provisions of data protection law within the meaning of Art. 28 GDPR.
If your personal data is transferred to our subsidiaries by us, or to us by our subsidiaries (e.g., for advertising or promotional purposes), this is done on the basis of existing contracts governing the processing performed by Processors.
8. CONDITIONS FOR THE TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
Your personal data may be transferred or disclosed to third-party organizations as part of our business dealings. These organizations may also be based in third countries outside the EEA. This kind of processing is carried out strictly to fulfil contractual and business obligations and to maintain your business relationship with us. Information about the specific details of how and why your data may be transferred is provided in the corresponding sections below.
The European Commission recognizes that certain third countries ensure a level of data protection comparable to the standards set by the EEA through what are known as adequacy decisions (a list of these countries, along with a copy of the adequacy decisions, is available on the European Commission's official website). However, other third countries to which personal data may be transferred may not offer a consistently high level of data protection due to insufficient statutory provisions. Where this is the case, we will ensure that safeguards are in place to ensure an adequate level of data protection. Such safeguards can be ensured through binding company regulations, the European Commission’s standard contractual clauses for the protection of personal data, certificates or recognized codes of conduct.
9. NO AUTOMATED DECISION-MAKING (INCLUDING PROFILING)
We do not intend to use personal data that we obtain from you for automated decision-making (including profiling) processing.
10. NO OBLIGATION TO PROVIDE PERSONAL DATA
We do not make the conclusion of contracts with us dependent on your prior provision of personal data. As a customer, you are under no legal or contractual obligation to provide us with your personal data. However, we may not be able to offer specific services, or may be able to offer them only on a limited basis, if you do not provide the necessary data. We will inform you separately if this is likely to be the case in exceptional circumstances in connection with our products presented below.
11. LEGAL OBLIGATION TO TRANSMIT CERTAIN DATA
We may be bound by a specific statutory or legal obligation to provide lawfully processed personal data to third parties, in particular to public bodies (Art. 6 para. 1 (1) (c) GDPR).
12. YOUR RIGHTS
You may assert your rights as a Data Subject with regard to your processed personal data at any time using the contact details provided under A. (2) of this Privacy Notice. As a Data Subject, you have the right:
to request information about your data that we process in accordance with Art. 15 GDPR; in particular, you have the right to request information about: the purpose of the processing, the data category, the categories of recipients to whom your data has been or will be disclosed, the envisaged storage period, the existence of a right to rectification, erasure, restriction of processing or to object, the existence of a right of to lodge a complaint, the origin of your data if it was not collected by us, the existence of automated decision-making including profiling and, if applicable, meaningful information on its details;
to request the immediate rectification of inaccurate data or the completion of your data stored by us in accordance with Art. 16 GDPR;
to request the erasure of your data stored by us, unless the processing is necessary in order to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims, in accordance with Art. 17 GDPR;
to request the restriction of processing of your data if you contest the accuracy of the data or if the processing is unlawful, in accordance with Art. 18 GDPR;
to receive your data that you have provided to us in a structured, commonly used and machine-readable format or to have it transmitted to another Controller (“data portability”), in accordance with Art. 20 GDPR;
to assert the right to object to the collection of data in special cases and to processing for direct marketing purposes (Art. 21 GDPR), provided the processing is carried out on the basis of Art. 6 para. 1 (1) (e) or (f) GDPR. This is the case in particular if the processing is not necessary for the performance of a contract with you. Unless your objection relates to direct marketing, we ask that you explain the reasons why we should not process your data in our customary manner when exercising your objection. In the event of a justified objection, we will review the situation and either cease or alter the data processing or explain to you our compelling legitimate grounds upon which we may continue the processing;
to withdraw your consent (i.e., your freely given, informed and unambiguous indication in the form of a statement or clear affirmative action of your agreement to the processing of the personal data in question for one or more specific purposes) at any time, if you have given such consent, in accordance with Art. 7 (3) GDPR. As a result, we are not permitted to process the personal data that is the object of your consent in the future;
to lodge a complaint with a data protection supervisory authority about the processing of your personal data within our organization in accordance with Art. 77 GDPR.
13. CHANGES TO THIS PRIVACY NOTICE
We regularly review our Privacy Notice to determine whether it needs to be amended or supplemented to maintain its compliancy with the latest developments in data protection legislation or due to technological and organizational changes. In particular, you will be notified of any changes to our Privacy Notice via our website. This Privacy Notice is effective as of September 2023.
B. VISITING THE WEBSITE(S)
Your personal data may be processed when you visit our website. We may collect, store and process the following categories of personal data when you use our website(s):
1. DATA PROCESSING, PURPOSE AND LEGAL BASIS
SERVER LOG FILES (“LOG DATA”)
When you visit our website(s), a log record (known as a server log file) is temporarily stored and anonymized on our web server. It includes:
the page from which the page was requested (referrer URL)
the name and URL of the requested page
the date and time of the request
the description of the type, language and version of the web browser used
the IP address of the requesting computer, which is truncated to prevent the identification of the person
the volume of data transferred
the operating system
the message indicating whether the request was successful (access status / http status code)
the GMT time zone difference
The log data is processed for statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (the legal basis for which is Art. 6 para. 1 (1) (f) GDPR)). The stored information is erased after seven days, unless there is justified suspicion of unlawful use requiring further verifications. We are not able to identify you using the stored information. Therefore, Articles 15 through 22 GDPR do not apply in accordance with Article 11 para. 2 GDPR, unless you provide further information that allows you to be identified.
INQUIRY BY EMAIL, TELEPHONE OR FAX
If you contact us by email, telephone or fax, we will store and process your inquiry and all personal data (name, inquiry) contained therein for the purpose of processing your request.
This data is processed on the basis of Art. 6 para. 1 (b) GDPR if your inquiry is related to the performance of a contract or is necessary for the performance of pre-contractual measures. In all other cases, data is processed on the basis of our legitimate interest regarding the effective processing of the inquiries sent to us (Art. 6 para. 1 (f) GDPR) or on your consent (Art. 6 para. 1 (a) GDPR) insofar as this was requested.
CONTACT FORM DATA
If you send us an inquiry via the contact form, we will store your details contained on the contact form, including the contact details that you have provided, in order to process the inquiry and in the event of follow-up questions. We will not share this data without your consent.
This data is processed on the basis of Art. 6 para. 1 (b) GDPR if your inquiry is related to the performance of a contract or is necessary for the performance of pre-contractual measures. In all other cases, data is processed on the basis of our legitimate interest regarding the effective processing of the inquiries sent to us (Art. 6 para. 1 (f) GDPR) or on your consent (Art. 6 para. 1 (a) GDPR) insofar as this was requested.
2. DURATION OF DATA PROCESSING
Your data will be processed until you request its erasure or withdraw your consent to its storage, or for as long as is necessary to achieve the processing purposes outlined above; the legal bases stated for the processing purposes apply for this. Please refer to the relevant sections of this notice and the cookie notice with regard to the use and storage period of cookies.
The third parties commissioned by us will store your data on their system for as long as is necessary to allow them to provide services for us in accordance with the respective order.
3. TRANSFER OF PERSONAL DATA TO THIRD PARTIES; LEGAL BASIS
The following categories of recipients, who are generally Processors, may have access to your personal data:
service providers involved in the operation of our website and the processing of data stored or transmitted by the systems (e.g., for data center services, payment processing, IT security). The legal basis for such transfers is Art. 6 para. 1 (1) (b) or (f) GDPR where they do not constitute Processors;
government agencies / public authorities, insofar as this is necessary for compliance with a legal obligation. The legal basis for such transfers is Art. 6 para. 1 (1) (c) GDPR;
parties engaged to carry out our business operations (e.g., auditors, banks, insurance companies, legal advisors or supervisory authorities). The legal basis for such transfers is Art. 6 para. 1 (1) (b) or (f) GDPR.
Furthermore, we will pass on your personal data to third parties only if you have given specific consent for this in accordance with Art. 6 para. 1 (1) (a) GDPR, or if this is necessary on the basis of our contract with you in accordance with Art. 6 para. 1 (b) GDPR. The use of cookies, plugins and other services on our website.
4. GENERAL PROVISIONS: COOKIES AND SIMILAR TECHNOLOGIES
“Cookies” and similar tracking technologies may be used on our website. Cookies are small text files that are stored on your hard drive and linked to the browser you are using through a unique string of characters. They allow the entity that placed the cookie to receive specific information. Cookies cannot run programs or transfer viruses to your computer, and so cannot cause any damage to your computer. Their purpose is to enhance your overall user experience on the internet, making it more user-friendly and effective.
Cookies may contain data that enable the recognition of the device being used. However, some cookies contain only information about specific settings that do not constitute personal data. Importantly, cookies cannot identify a user directly.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and persistent cookies, which remain stored even after you end your session. Additionally, cookies can be categorized based on their functions:
Strictly necessary or essential cookies (technical cookies): These cookies are crucial for being able to navigate the website, using basic functions and maintaining the website’s security. They do not collect information about you for marketing purposes nor do they track the sites that you have visited.
Functional cookies: These cookies collect user data to provide convenient website functions, such as enabling video playback.
Analytical cookies (performance cookies): These cookies collect information on how you interact with our website, which pages you visit and, for example, whether you encounter any errors when using the website. They do not collect any information that could identify you – all the information collected is anonymous and is used strictly to improve our website and to gain insights into our users’ interests.
Marketing cookies (advertising cookies, targeting cookies): These cookies are used to provide website users with targeted marketing and advertising on the website and offers from third parties, and to measure the effectiveness of these offers. Advertising and targeting cookies are stored for a maximum of 13 months.
If consent has been requested for the placing of cookies and similar technologies, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 (a) GDPR and Section 25 para. 1 TTDSG). You may withdraw your consent at any time. If no consent has been requested or a different legal basis is specified, the processing is based on our legitimate interest regarding the placing of cookies to ensure the technical error-free functionality and optimized provision of our services.
You can configure your browser to notify you when cookies are placed, to allow cookies only on an individual basis, to reject cookies either for specific situations or altogether, and to enable the automatic deletion of cookies when you close your browser. Please note that disabling cookies may restrict the functionality of this website.
If third-party cookies or cookies for analytical purposes are used, we will inform you separately of this in this Privacy Notice and seek your consent where applicable.
5. WEBFLOW
The provider is Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter referred to as “Webflow”). Webflow records various log files, including your IP addresses, whenever you visit our website.
Webflow is a tool used to create and host websites. Webflow places cookies or other tracking technologies that are essential for displaying the page, to provide certain website functions, and to maintain the website’s security (strictly necessary cookies).
For further details, please refer to Webflow’s privacy policy: https://webflow.com/legal/eu-privacy-policy.
The legal basis for using Webflow is Art. 6 para. 1 (f) GDPR. We have a legitimate interest in ensuring that our website is displayed as reliably as possible. If your corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 (a) GDRP and Section 25 para. 1 TDDDG, provided that the consent covers the placing of cookies or access to information on the user's end device (e.g., device fingerprinting) within the meaning of TDDDG. Consent may be withdrawn at any time.
Data transfers to the USA are conducted in accordance with the standard contractual clauses of the EU Commission. Further details can be found here: https://webflow.com/legal/eu-privacy-policy.
The company holds certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA aimed at ensuring that data processing the U.S. performs complies with European data protection standards. All companies certified under the DPF agree to comply with these data protection standards. Further information on this matter can be obtained from the provider via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000TT9jAAG&status=Active.
Data processing agreement
We have entered into a data processing agreement governing the use of the service described above. This is a contract stipulated under data protection law that ensures that the personal data of our website visitors is processed only upon our instruction and in compliance with the GDPR.
6. GOOGLE CLOUD CDN (LOADED BY WIX.COM)
We use the content delivery network Google Cloud CDN. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google offers a globally distributed content delivery network. This technology routes the information transfer between your browser and our website through Google’s network. Consequently, we can improve the global accessibility and performance of our website.
Our use of Google Cloud CDN is based on our legitimate interest in providing a website that is as error-free and reliably available as possible (Art. 6 para. (1) (f) GDPR).
Data transfers to the USA are conducted in accordance with the standard contractual clauses of the EU Commission. Further details can be found here: https://cloud.google.com/terms/eu-model-contract-clause.
Further information on Google Cloud CDN is available here: https://cloud.google.com/cdn/docs/overview.
The company holds certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA aimed at ensuring that data processing the U.S. performs complies with European data protection standards. All companies certified under the DPF agree to comply with these data protection standards. Further information on this matter can be obtained from the provider via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active
Data processing agreement
We have entered into a data processing agreement governing the use of the service described above. This is a contract stipulated under data protection law that ensures that the personal data of our website visitors is processed only upon our instruction and in compliance with the GDPR.
7. AMAZON CLOUDFRONT CDN (LOADED BY WIX.COM)
We use the content delivery network Amazon CloudFront CDN. The provider is Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg (hereinafter referred to as “Amazon”).
Amazon CloudFront CDN is a globally distributed content delivery network. This technology routes the information transfer between your browser and our website through the content delivery network. Consequently, we can improve the global accessibility and performance of our website.
Our use of Amazon CloudFront CDN is based on our legitimate interest in providing a website that is as error-free and reliably available as possible (Art. 6 para. (1) (f) GDPR).
Data transfers to the USA are conducted in accordance with the standard contractual clauses of the EU Commission. Further details can be found here: https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.
Further information on Amazon CloudFront CDN is available here:
https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf.
The company holds certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA aimed at ensuring that data processing the U.S. performs complies with European data protection standards. All companies certified under the DPF agree to comply with these data protection standards. Further information on this matter can be obtained from the provider via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000TOWQAA4&status=Active
Data processing agreement
We have entered into a data processing agreement governing the use of the service described above. This is a contract stipulated under data protection law that ensures that the personal data of our website visitors is processed only upon our instruction and in compliance with the GDPR.
C. OUR SOCIAL MEDIA SITES
THIS PRIVACY NOTICE APPLIES TO THE FOLLOWING SOCIAL MEDIA SITES
https://www.instagram.com/kr_erleben
DATA PROCESSING THROUGH SOCIAL NETWORKS
We maintain publicly accessible profiles in social networks. The individual social networks that we use are listed below.
Social networks such as Facebook and X etc. can typically perform comprehensive analyses of your user behavior when you visit their website or any site that features integrated social media content (e.g., like buttons or advertising banners). Visiting our social media profiles triggers various processing activities that fall under data protection and privacy. Specifically:
If you are logged into your social media account and visit our social media profile, the social media platform’s operator can link this visit to your user account. Additionally, your personal data may still also be collected even if you are not logged in or do not have an account with the corresponding social media platform. In this case,
data is collected via the cookies placed on your end device or by tracking your IP address.
The data gathered in this manner enables the social media platform operators to create user profiles that remember your preferences and interests. This allows them to display targeted advertising based on your interests both on and outside of the social media platform itself. If you have an account with the respective social network, targeted advertising can be displayed across all devices on which you are currently or were previously logged in.
Please also note that we are not able to track and trace all processing activities on social media platforms. Depending on the provider, it may therefore be that additional data processing activities are carried out by the operators of social media platforms. For more information, please refer to the terms of use and the privacy notices of the respective social media platforms.
LEGAL BASIS
Our social media platforms aim to ensure our widespread presence on the internet. This constitutes a legitimate interest within the meaning of Art. 6 para. 1 (f) GDPR. The analytical processes initiated by social networks may be based on other legal bases, which must be specified by the operators of those social networks (e.g., consent within the meaning of Art. 6 para. 1 (a) GDPR).
CONTROLLER AND ASSERTION OF RIGHTS
When you visit our social media profiles (e.g., Facebook), we are jointly responsible with the social media platform’s operator for the data processing activities triggered by this visit. As a rule, you may assert your rights (right to access, rectification, erasure, restriction of processing, data portability, and lodging complaints) both against us and against the operator of the respective social media platform (e.g., against Facebook).
Please note that we do not have complete control over the data processing practices of social media platforms, despite our joint responsibility with their operators. Our ability to influence these practices is largely determined by the policies of the respective provider.
DURATION OF STORAGE
The data that we collect directly through our social media presence will be erased from our systems as soon as you request its erasure, withdraw your consent to its storage, or when the purpose for which the data is stored no longer applies. Any placed cookies will remain on your end device until you delete them. This does not affect mandatory statutory provisions, in particular retention periods.
We have no influence over the storage duration of your data that is stored by social network operators for their own purposes. Please obtain all further information on this directly from the social network operators (e.g., from their privacy notice as given below).
YOUR RIGHTS
You have the right at all times to obtain information about the origin, recipient and purpose of your stored personal data free of charge. You also have the right to object, the right to data portability, and the right to lodge a complaint with the competent supervisory authority. Furthermore, you may request the rectification, locking, erasure and, under certain circumstances, the restriction of processing of your personal data.
INSTAGRAM
Our website integrates functions provided by Instagram. These functions are provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
When the social media element is active, a direct connection is established between your end device and the Instagram server. This provides Instagram with information about your visit to our website.
If you are logged into your Instagram account, you can link the content of our website to your Instagram profile by clicking the Instagram button. This allows Instagram to associate your visit to our website with your user account. We wish to point out that, as the provider of our website’s pages, we do not know what the content of the data transmitted is or how it is used by Instagram.
Our use of the above service is based on Art. 6 para. 1 (a) GDPR and Section 25 TTDSG, provided consent has been obtained. Consent may be withdrawn at any time. If consent has not been obtained, use of the service is based on our legitimate interest in obtaining optimum social media visibility.
Where personal data is collected on our website using the tool described above and forwarded to Facebook or Instagram, we are jointly responsible with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, for the data processing (Art. 26 GDPR) of this personal data. This joint responsibility is limited strictly to the collection of data and its transfer to Facebook or Instagram. It does not cover the processing carried out by Facebook or Instagram after the transfer. Our joint obligations are set out in a joint processing agreement, which you can view at: https://www.facebook.com/legal/controller_addendum. Under this agreement, we are responsible for providing privacy information covering our use of Facebook or Instagram tools and for ensuring their privacy-compliant implementation on our website. Facebook is responsible for the data security of its Facebook and Instagram products. Rights of Data Subjects (e.g., requests for information) concerning the data processed by Facebook or Instagram can be asserted by contacting Facebook directly. If you choose to assert your rights as a Data Subject with us, we are obligated to notify Facebook.
Data transfers to the USA are conducted in accordance with the standard contractual clauses of the EU Commission. Further details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381.
Further information is available in the Instagram privacy notice: https://instagram.com/about/legal/privacy/.
The company holds certification under the EU-US Data Privacy Framework (DPF). The DPF is an agreement between the European Union and the USA aimed at ensuring that data processing the U.S. performs complies with European data protection standards. All companies certified under the DPF agree to comply with these data protection standards. Further information on this matter can be obtained from the provider via the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active