Data Protection Statement
This data protection statement informs you about the type, scope and purpose of processing personal data (hereinafter in brief “Data”) as part of our online services, and the websites, functions and content as well as external online websites associated with such services (hereinafter jointly referred to as the “Online Services”). In respect of the terms used such as “processing” or “Controller”, reference is made to the definitions set out in Article 4 of the General Data Protection Regulation.
Controller
Kustan GmbH
An der Landwehr 3
D-45883 Gelsenkirchen
represented by the managing directors
Peter Brambrink / Chris Langguth / Jürgen Saddey
(https://www.kustan.de/impressum-deutsch)
Types of processed data:
- Existing data (e.g. names and addresses).
- Contact data (e.g. e-mail and telephone numbers).
- Content data (e.g. text entries, photographs and videos).
- Use data (e.g. visited websites, interest in content and access times).
- Meta/communication data (e.g. device information and IP addresses).
Categories of data subjects
Visitors to and users of the online services (hereinafter we also describe the data subjects jointly as “Users”).
Purpose of processing
- Rendering the online service, its functions and content.
- Replying to contact enquiries and communication with Users.
- Security measures.
- Scope measurement/marketing
Applied terms
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means or not. The term has a wide scope and covers practically any handling of data.
“Controller" describes the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Authoritative legal bases
In accordance with Article 13 GDPR, we are hereby informing you of the legal bases of our data processing. The following applies where the legal basis is not stated in the data protection statement: the legal basis for obtaining consent is Article 6(1) Letter A and Article 7 GDPR. The legal basis for the processing to perform our services and adopt contractual measures and reply to enquiries is Article 6(1) Letter B GDPR .The legal basis for the processing to honour our legal obligations is Article 6(1) Letter C GDPR and the legal basis for the processing to safeguard our justified interests is Article 6(1) Letter F DGPR. In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6(1) Letter D GDPR serves as the legal basis.
Collaboration with processors and third parties
Where we disclose data as part of our processing, to other persons and companies (processors or third parties), forward such data to these parties or otherwise grant these parties access to such data, this shall only apply on the basis of statutory permission (e.g. if we forward the data to third parties such as to a payment provider, it is required in accordance with Article 6(1) Letter B GDPR, you have consented to such action, a legal obligation specifies such action or based on our justified interests (e.g. in the case of use of authorised representatives or web hosts etc.).
Where we commission third parties with the task of processing data based on a so-called "processing contract”, this applies based on Article 28 GDPR.
Forwarding to third countries
Where we process in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA), or this applies as part of the utilisation of third party services or the disclosure or forwarding of data to third parties, this shall only apply in respect of us honouring our (pre)contractual obligations, based on your consent, based on a legal obligation or based on our justified interests. Subject to statutory or contractual permission, we shall process the data in a third country, or make arrangements to have the data processed in a third country, only if the preconditions set out in Article 44 et seq. DGPR are met. This means the processing applies, for example, on the basis of special guarantees such as the officially recognised determination of a data protection level that corresponds to the EU (e.g. for the USA by way of the “Privacy Shield” or compliance with officially acknowledged, special contractual obligations (so-called “standard contractual clauses”).
Rights of the data subjects
You are entitled to request confirmation whether or not respective data are processed and obtain information about such data and obtain additional information and copies of the data in accordance with Article 15 GDPR.
In accordance with Article 16 DGPR, you are entitled to request the completion of the data that apply to you or the correction of the incorrect data about you that is stored.
In accordance with Article 17 GDPR, you are entitled to request that the respective data are deleted without delay or alternatively in accordance with Article 18 GDPR you are entitled to request a restriction of the processing of such data.
You are entitled to request that you receive the data stored about you that you have made available to us in accordance with Article 20 DGPR and request the forwarding of such data to other controllers.
Furthermore, in accordance with Article 77 GDPR you are entitled to lodge a complaint with the relevant supervisory authority.
Cancellation right
You are entitled to cancel the consent in accordance with Article 7(3) GDPR with effect for the future.
Right to object
In accordance with Article 21 DGPR, you may at any time object to the future processing of the data that apply to you. An objection may, in particular, be made against the processing for purposes of direct advertising.
Cookies and right to object in the case of direct advertising
“Cookies” are described as small files that are stored on the computer of a user. Different details may be stored within the Cookies. A Cookie is primarily aimed at storing the details about a user (or the device on which the Cookie is stored) during or after the user's visit as part of an online service. Cookies that are deleted after a user leaves an online service and closes their browser are described as Temporary Cookies or Session Cookies or Transient Cookies. The content of a shopping basket in an online shop or a log-in status may be stored in such a Cookie. Cookies that remain stored once a browser is closed are described as Permanent or Persistent Cookies. For example, the login-in status can be stored if the users search for these after several days. Similarly, the interests of the users that are used for the scope measurement or marketing purposes can be stored in such a Cookie. Cookies that are operated by suppliers other than the processor operating the online service are described as Third Party Cookies (otherwise if the Cookies are only its Cookies, then they are called First Party Cookies).
We may use Temporary and Permanent Cookies, and clarify this as part of our Data Protection Statement.
If the users do not want to have Cookies stored on their computer, they are requested to deactivate the corresponding option in the browser system settings. Stored Cookies can be deleted in the browser system settings. Excluding Cookies may result in the restricted function of this online service.
A general objection to the use of the Cookies used for the purposes of online marketing may be lodged in the case of a variety of services, above all in the event of tracking, via the US American side http://www.aboutads.info/choices/ or the EU side http://www.youronlinechoices.com/. Furthermore, the storage of Cookies can turned off in the browser settings. Please note that as a result it may be the case that not all functions of this online service can be used.
Deleting data
In accordance with Article 17 and 18 GDPR, the data we process shall be deleted or the processing of such data shall be restricted. Where not expressly stated as part of this Data Protection Statement, the data we store shall be deleted as soon as they are no longer required for their intended purpose and the deletion of such does not conflict with any statutory storage obligations. Where the data are not deleted because they are required for other, and legally permitted, purposes, the processing of such data shall be restricted. This means that the data shall be blocked and not processed for other purposes. This applies, for example, to data that need to be stored for commercial or tax law reasons.
According to statutory requirements in Germany, the storage applies, in particular, for 6 years in accordance with Section 257(1) HGB (German Commercial Code) (commercial books, inventories, opening balance sheets, annual financial statements, commercial letters and booking vouchers etc.) and for 10 years in accordance with Section 147(1) AO (German Tax Code) (books, records, management reports, booking vouchers, commercial and business letters and documents relevant to taxation etc.).
Hosting
The hosting services that we utilise are aimed at rendering the following services: infrastructure and platform services, computer capacity, storage capacity and database services, security services and technical maintenance services, which we use for the purpose of rendering the online service.
In this respect we process, or our hosting supplier processes, existing data, contact data, content data, contractual data, use data, meta and communication data of customers, interested parties and visitors to this online service based on our justified interests in the efficient and secure rendering of this online service in accordance with Article 6(1) Letter F GDPR in conjunction with Article 28 GDPR (entering into an order processing contract).
Collecting access data and logfiles
We, or our hosting supplier, collect data on any access to the server on which our service is located (so-called server logfiles) based on our justified interests within the meaning of Article 6(1) Letter F GDPR. The access data include the name of the visited website, file, date and time of the visit, transferred data quantity, report on the successful visit, browser type including the version, the user's operating system, referrer URL (the page previously visited), IP address and the enquiring provider.
Logfile information is stored for security reasons (e.g. to clarify misuse or fraud) for a maximum period of 7 days and is then deleted. Data that need to be stored to furnish proof are excluded from the deletion up until the ultimate clarification of the respective incident.
Administration, financial accounting, office organisation and contact administration
We process data as part of administrative tasks and the organisation of our business enterprise, financial accounting and honouring statutory obligations such as archiving. In this respect we process the same data that we process as part of rendering our services as per agreement. The processing bases are Article 6(1) Letter C. GDPR, Article 6(1) Letter F. GDPR. Customers, interested parties, business partners and website visitors are affected by the processing. The purpose of and our interest in processing are based on the administration, financial accounting, office organisation and archiving of data, i.e. tasks aimed at maintaining our business activities, performing our tasks and rendering our services. The deletion of the data in respect of the contractual services and the contractual communication comply with the tasks stated in the case of these processing activities.
In this respect, we disclose or forward data to the financial accounts department and advisers such as tax consultants or auditors and additional fee sections and payment service providers.
Furthermore, we store details about suppliers, organisers and other business partners on the basis of our economic interests, e.g. for the purpose of subsequently establishing contact. As a general rule we permanently store such data that are largely corporate data.
Economic analyses and market research
To operate our business economically, identify market tendencies and customer and user wishes, we analyse the data available to us in respect of business procedures, contracts and enquiries etc. In that respect we process existing data, communication data, contractual data, payment data, usage data and meta data on the basis of Article 6(1) Letter F GDPR, whereby the data subjects include interested parties, business partners, visitors and users of the online service.
The analyses are conducted for the purpose of economic evaluations, marketing and market research. In that respect, we may take into consideration the profiles of the registered users including details, e.g. regarding their purchasing procedures. The analyses are aimed at increasing the user-friendliness, optimising our service and efficiency. The analyses are conducted solely for us and provided they are not randomised analyses containing summarised values, are not disclosed externally.
Provided these analyses or profiles are related to persons, they are deleted or rendered anonymous upon termination by the user, otherwise after two years from the entering into of the contract. In other respects, the overall economic analyses and general tendency provisions are, where possible, issued on an anonymous basis.
Register function
Users have the option to set up a user account. The required mandatory details are stated to the users as part of the registration. The data entered as part of the registration are used for the purpose of using the service. The users may be informed by e-mail about information that is relevant to the service or registration, such as amending the service scope or technical circumstances. If users have cancelled their user account, their data are deleted in respect of the user account subject to the storage of such data if such action is required for commercial or tax law reasons in accordance with Article 6(1) Letter C GDPR. It is incumbent upon the users to secure their data in the case of termination prior to the end of the contract. We are entitled to irretrievably delete all the user’s data stored during the term of contract.
The IP address and the time of the respective user action are stored as part of utilising our registration functions as well as the use of the user account. Storage applies on the basis of our justified interests, and protecting the user against misuse and other unauthorised use. As a matter of principle, such data are not forwarded to third parties apart from when such action is required to pursue our claims or a statutory obligation applies in that respect in accordance with Article 6(1) Letter C GDPR. The IP addresses shall be rendered anonymous, or deleted after 7 days at the latest.
Establishing contact
In the case of establishing contact with us (e.g. via the contact form, e-mail, telephone or via Social Media), the user's details shall be processed to process the enquiry and manage it in accordance with Article 6(1) Letter B GDPR. Users’ details may be stored in a Customer Relationship Management System (CRM System) or comparable enquiry organisation.
We delete the enquiries provided they are no longer required. We shall review the necessity every two years. Furthermore, the statutory archiving obligations apply.
Google Maps
We incorporate the maps of the service “Google Maps” of the supplier Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection statement https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.