Protecting your privacy is very important to us. We carry out all data processing procedures (such as collection, processing and transmission) in accordance with European and German data protection law.
This Policy provides an overview of what data is requested by our website, in what way this data is used and transferred, how you can request information about the data provided to us and what security measures we use to protect your data.
1. Who is your contact (controller) for data protection issues?
The controller in terms of data protection law for all data processing procedures which take place via our website is:
Kümmel & Co. GmbH
Telephone +49 9321 38 78 40
Fax: +49 9321 38 78 33
Data Protection Officer:
Data Protection Officer c/o Kümmel & Co. GmbH, Lochweg 19, 97318 Kitzingen, Germany
Please send any questions regarding data protection and asserting your rights (see below) to the above address for the attention of the Data Protection Officer.
2. What data do we require from you in order to use our website? What data is collected and stored during use?
Personal data is all information which relates to an identifiable or non-identifiable natural person (“data subject”), such as your name, address, telephone number, date of birth, bank details and IP address.
We only collect and use the personal data of our users to the extent this is required to provide a functional website and the content and services of our website. Personal data of our users is only collected and used with the user’s consent. An exception is made in cases where it is not possible to obtain prior consent for factual reasons and the data processing is permitted by law.
The following data is logged solely for internal system-related and statistical purposes (usage data) when using our website:
- Information about the browser type and the version used
- The user's operating system
- The user's IP address
- Date and time of the request
- The website visited before our website
- The websites that the user's system visited before our website
The data is stored in our system as log files. This data is not stored together with other personal data of the user.
The legal basis for the temporary storage of data and log files is Article 6 (1) (f) General Data Protection Regulation (GDPR).
It is necessary for the system to temporarily store the IP address to enable the website to be displayed on the user's computer. To do so the user’s IP address must remain stored for the duration of the session.
Log files are stored to ensure the functionality of the website. In addition the data serves to optimise the website and ensures the security of our IT systems. The data is not evaluated for marketing purposes.
These purposes also form the basis of our legitimate interest for data processing in accordance with Article 6 (1) (f) GDPR.
Data is erased when it is no longer required to fulfil the purpose for which it was collected. If data has been collected to display the website this is the case at the end of the respective session.
If data has been stored in log files it is erased after seven days at the latest. Further storage is possible. In this case the user’s IP address is erased or distorted so that assigning the requesting client is no longer possible.
Collecting data to display the website and storing data in log files is absolutely necessary to operate the website. The user may not object to such processing.
Users are able to provide personal data in order to register on our website. Data is entered in the entry fields and transmitted to and stored by us. This data is not forwarded to third parties. The following data is processed as part of the registration process:
- First name and surname
- Email address
- Telephone number (optional)
- Company and department (if the invoice address differs from the delivery address)
The following data is stored when you register:
- Date and time of registration
- The user's IP address
The legal basis for the processing of data with the user’s consent is Article 6 (1) (a) GDPR.
If registration is carried out for the performance of a contract entered into with the user or to take steps prior to entering into a contract the additional legal basis for processing is Article 6 (1) (b) GDPR.
Registration by a user is necessary for the performance of a contract entered into with the user or to take steps prior to entering into a contract.
Data is erased when it is no longer required to fulfil the purpose for which it was collected.
For the registration process to perform a contract or to take steps prior to entering into a contract, this is the case when the data is no longer required for the performance of the contract. After the conclusion of the contract it may be necessary to store the personal data of the contractual partner in order to comply with contractual or legal obligations.
Users may de-register at any time by sending an email to firstname.lastname@example.org requesting this. You may make changes to the data saved about yourself at any time.
If data is necessary for the performance of a contract or to take steps prior to entering into a contract it is only possible to erase data prematurely if there are no contractual or legal obligations which oppose such an erasure.
3. How and for what purpose is my data used and, if applicable, disclosed to third parties?
Your personal data provided by yourself is used to answer your queries, process your orders in our online shop and for the technical administration of our website.
Your personal data is only disclosed, sold or otherwise transferred to third parties if such disclosure is required for the purpose of processing the contract, for accounting purposes or to collect payment (for example shipping companies and payment providers), or you have given your express consent. In addition we are entitled to disclose personal data for debt collection purposes and reserve the right to exchange data with credit information agencies (e.g. Schufa); this is only carried out if the legal requirements for such an action have been met.
The legal basis for the disclosure of data to third parties for the purpose of processing the contract or for accounting purposes is Article 6 (1) (b) GDPR.
Payment processing by Payone
To process payments in our online shop we use the payment system of an external payment provider, PAYONE GmbH, Fraunhoferstraße 2-4, 24118 Kiel, Germany (hereinafter referred to as “PAYONE”). If you wish to pay by credit card or PayPal, a technical interface will automatically establish a connection to the online payment system of PAYONE. The payment details entered by you are transmitted over an encrypted connection to PAYONE solely for the purpose of processing the payment and are stored and processed there. Data is likewise solely processed for the aforementioned purpose of processing the payment for your order where the payment details must be forwarded from PAYONE, if applicable, to the bank specified by you in your order to initiate and authorise the payment transaction. If you select PayPal as the method of payment you are routed directly to PayPal by PAYONE via a technical interface where you then authorise the payment transaction yourself by entering your PayPal access data.
Payment by immediate bank transfer
We are able to offer payment by immediate bank transfer (the “SOFORT” option) in conjunction with SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany. During your order the personal data you provided as part of the order will be transmitted to SOFORT GmbH via a technical interface for the purpose of processing the payment. After the offer has been submitted you will automatically be forwarded to SOFORT GmbH’s payment page. The further processing of the transaction with your bank will take place via SOFORT GmbH. SOFORT GmbH is acting as a technical service provider here, who encrypts and transmits the data you entered on the secure payment page to your bank. Further information about data protection relating to immediate bank transfers can be found on the website of SOFORT GmbH here.
Disclosure prescribed by law
Please note that in individual cases we are permitted to disclose data upon request by the responsible public bodies provided it is required for the purpose of law enforcement, hazard prevention by the police authorities of the state, to fulfil the statutory tasks of federal and state authorities in defence of the constitution, the Federal Intelligence Agency or military counter intelligence, or to enforce intellectual property rights.
4. What security measures have been taken to protect your data?
We have implemented many security measures in order to adequately protect your personal data to a reasonable extent.
Our web pages use the industry-standard SSL encryption technology when collecting and transferring data. Personal data transferred as part of the order process is transferred using SSL encryption which can be recognised by the padlock symbol in your browser and the prefix “https://” on the web address.
Your password to access our website must never be shared with third parties and it should be changed regularly. Furthermore you should not choose the same password to access our website that you use to access other password protected websites (email account, online banking etc.). When you leave our website you should log out and close your browser in order to avoid unauthorised users gaining access to your user account.
We cannot guarantee the complete security of data sent by email.
5. When using our website a cookie will be placed on your computer. What does this mean?
Only a session ID will be saved in the cookie, which does not contain any data of the user. Therefore it is not possible to assign this data to the user. The data is not stored together with other personal data of the user.
You can decide yourself whether to accept cookies. By changing your browser settings you have the choice to accept cookies, to be notified when cookies are placed or to reject cookies (this can normally be found under “Options” or “Settings” in the browser’s menu).
The user data collected by the technically necessary cookies is not used to create user profiles.
These purposes also form the basis of our legitimate interest for processing personal data in accordance with Article 6 (1) (f) GDPR.
6. Use of services for marketing and analysis purposes
We do not use any services for marketing and analysis purposes in addition to the technically necessary session cookies.
7. Rights of the data subject
If your personal data is processed you are a data subject in terms of the General Data Protection Regulation and you have the following rights against the controller:
Access, rectification, restriction of processing and erasure
You have the right to access your personal data saved by us free of charge at any time, to be informed of the origin and recipients, and the purpose for which your data is processed via our website. In addition you have the right to require the rectification, erasure and restriction of processing of your personal data if the legal requirements for such an action have been met.
Right to data portability
You have the right to receive the personal data concerning yourself that you have provided to us as the controller in a structured, commonly used and machine-readable format. We can comply with this right by providing you with a csv export of your processed customer data.
Right to information
If you have exercised your right to rectification, erasure or restriction of processing against the controller, the controller is obligated to inform all recipients to whom your personal data was disclosed of this rectification, erasure or restriction of processing, unless this proves impossible or would involve disproportionate expenditure.
You have the right to be informed of these recipients by the controller.
Right of withdrawal
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is carried out on the basis of Article 6 (1) (e) or (f) GDPR.
The controller will no longer process your personal data, unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
If your personal data is processed for the purposes of direct marketing you have the right to object at any time to the processing of your personal data for the purpose of such marketing.
If you object to processing for the purpose of direct marketing your personal data will no longer be processed for this purpose.
Withdrawing declarations of consent made under data protection law
You also may withdraw your consent for the future by contacting us using the contact details below.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the EU General Data Protection Regulation.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
As at May 2018