E. Schoepf GmbH
Email address: email@example.com
Managing director: Florian Krug
Link to impress: https://www.e-schoepf.de/impressum.html
Contact Data Protection Officer: Wolfgang Böhm dataProtection@boehm-dud.de
Nature of the processed data
- Inventory data (e.g., master data of persons, names or addresses).
- Contact data (e.g., email, telephone numbers).
- Content data (e.g., text input, photographs, videos).
- Usage data (e.g., visited websites, interest in contents, access times).
- Meta/Communication data (e.g., device information, IP addresses).
Categories of data subjects
Visitors and users of the online offering (hereinafter we designate the data subjects as “users”).
Purpose of processing
- Making available the online offering, its functions and contents.
- Responding to contact enquiries and communication with users.
- Security measures.
- Range measurement/Marketing
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. Cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set or operations which is performed on personal data. The term has a broad meaning and includes practically every use of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Applicable legal foundation
The legal foundation for obtaining consent is Art. 6 (1) lit. a and Art. 7 GDPR;
The legal foundation of processing for the performance of our services and implementation of contractual measures as well as responding to enquiries is Art. 6 (1) lit. b GDPR;
The legal foundation of processing for compliance with legal obligations is Art. 6 (1) lit. c GDPR;
In the event that the processing of personal data is necessary in the vital interests of the data subject or another natural person, Art. 6 (1) lit. d GDPR serves as the legal foundation.
The legal foundation for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is Art. 6 (1) lit. e GDPR.
The legal foundation of processing for the purpose of our legitimate interests is Art. 6 (1) lit. f GDPR.
The processing of data for a purpose other than that for which it has been collected is controlled by the requirements of Art 6 (4) GDPR.
The processing of special categories of data (corresponding to Art. 9 (1) GDPR) is controlled by the requirements of Art. 9 (2) GDPR.
In accordance with statutory requirements and in consideration of the state of technology, the costs of implementation and the nature, scope, circumstances and purposes of the processing as well as the varied degrees of probability and the seriousness of the risk to the rights and freedoms of natural persons, we take suitable technical and organisation measures in order to assure a level of protection appropriate to the risk.
Included in the measures are, in particular, the securing of the confidentiality, integrity and availability of data by control of physical access to the data, as well as of access, input, disclosure, securing availability and separation of the data. In addition, we have established a process which assures an awareness of the rights of data subjects, the erasure of data and a reaction to endangerment of data. Furthermore, we take into consideration the protection of personal data in the development and selection of hardware and software as well as procedures in accordance with the principle of data protection through technology design and data protection friendly pre-settings.
Cooperation with processors, joint controllers and third parties
If we disclose or transfer or otherwise provide access to data to other persons and companies (processors, joint controller or third parties) in connection with our processing, this is done only on the basis of statutory permission (e.g. if the transfer of data to third parties, such as a payment service provider, is necessary for contract performance), users have consented, a legal obligation which provides for the transfer or on the basis of our legitimate interests (e.g. upon use of agents, web hosts, etc.).
If we disclose, transfer or otherwise grant access to data to other companies of our Group, this is done in particular for administrative purposes as a legitimate interest and in addition, on the basis of statutory requirements.
Transfers to third countries
If we process data in a third country (i.e. outside of the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or this occurs in connection with the use of third party services or disclosure or transfer of data to other persons or companies, this is done only if it is for performance of our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual authorisation, we process or have data processed in a third country only in compliance with statutory requirements. This means that the processing is performed, for example, on the basis of special guaranties, such as the officially recognised finding of the EU of a corresponding data protection level (e.g. for the USA through the “Privacy Shield”) or observance of officially recognised special contractual obligations.
Because we use offers from Google (Google Maps) in our online offering, the information produced via the use of this online offering is, as a rule, transmitted and stored on a server of Google in the USA. Thus a transfer of data to a third country takes place. This takes into consideration that corresponding suitable/appropriate guaranties are available and enforceable and effective legal remedies are available to you.
Further information is found in the section “Google Maps”.
Rights of data subjects
You have the right to request a confirmation on whether the concerned data are processed and to information on this data as well as to further information and copies of the data in accordance with statutory requirements.
In accordance with statutory requirements you have the right to demand the completion of data concerning you or to rectification of inaccurate data concerning you.
In accordance with statutory requirements, you have the right to demand the erasure of data concerning you without undue delay or alternatively, in accordance with statutory requirements, to demand a restriction of the processing of data.
In accordance with statutory requirements, you have the right to receive data concerning you which you have provided to us and to demand its transfer to other controllers.
In addition, in accordance with statutory requirements, you have the right to lodge a complaint with the competent supervisory authority.
Right of revocation
You have the right to revoke consent effective for the future.
Right of objection
At any time you can object to the future processing of data concerning you in accordance with statutory requirements. In particular, the objection can be directed toward processing for the purpose of direct marketing.
Cookies and the right of revocation in direct marketing
“Cookies” designate small files that are stored on computers. Varied information can be stored within the Cookies. A Cookie serves primarily to store information on a user (or on the device on which the Cookie is stored) during or after his or her visit within an online offering. Temporary Cookies or “Session-Cookies” or “Transient Cookies” designate Cookies that will be erased after a user leaves an online offering and closes his or her browser. Such a Cookie can, for example, store the content of a shopping cart in an online shop or a login status. Cookies are designated “permanent” or “persistent” which remain stored even after closing the browser. Thus the login status can be stored if the user calls on it after several days. Such a Cookie can also store the interests of the user which are used for range measurement or marketing purposes. “Third-Party-Cookie” designates Cookies that are offered by providers other than the controller who operates the online offering (otherwise, if it is only their Cookies they are called “First-Party Cookies”).
This online offering uses:
Session Cookies (one-off utilisation)
Service life: until closing of this online offering
If users do not wish Cookies to be stored on their computer, they are requested to deactivate the corresponding option in the system settings of their browser. Stored Cookies can be erased in the system settings of the browser. The exclusion of Cookies can lead to functional impairments in this online offering.
Erasure of data
If the data are not erased because they are required for other and statutory permissible purposes, the processing is restricted. This means that the data are blocked and not processed for other purposes. For example, this applies to data that must be retained for commercial or tax reasons.
In addition, we process
- contract data (e.g., object of contract, term, customer category).
- payment data (e.g., bank data, payment history)
of our customers, stakeholders and business partners for the purposes of performance of contractual services, service and customer care, marketing, advertising and market research.
We process the data of our business partners and stakeholders as well as other principals, customers, clients or contract partners (together designated as “contract partners”) in accordance with Art. 6 (1) lit. b. GDPR, in order to provide them with our contractual or precontractual services. The herein processed data, the nature, the scope, the purpose and the necessity of their processing is determined by the underlying contractual relationship.
Included in the data to be processed are the master data of our contract partner (e.g., names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g., the services used, contract content, contractual communication, names of contact persons) and payment data (e.g., bank data, payment history).
We fundamentally do not process special categories of personal data except when they are components of an engaged or contractual processing.
We process data which are necessary to establish and perform the contractual services and refer to the necessity of your information if this is not evident for the contract partner. A disclosure to external persons or companies occurs only if necessary in connection with a contract. In the course of processing the data provided to us in connection with an order, we act in accordance with the instructions of the principal as well as the statutory requirements.
In connection with the use of our online services, we can store the IP address and the time of the respective user activity. The storage is done on the basis of our legitimate interests, as well as the interests of the user in protection from misuse and other unauthorised use. In general, this data is not transferred to third parties except if necessary to enforce our rights in accordance with Art. 6 (1) lit. f. GDPR or a statutory obligation exists in accordance with Art. 6 (1) lit. c. GDPR.
The erasure of data is done if the data are no longer necessary for performance of contractual or statutory duties of care as well as for dealing with any guarantee and comparable obligations, wherein the necessity of retention of the data is reviewed every three years; otherwise the statutory retention obligations are applicable.
Administration, financial bookkeeping, office organisation, contact administration
We process data in connection with administrative tasks as well as the organisation of our operations, financial bookkeeping and compliance with statutory obligations such as archiving. Herein we process the same data which we process in connection with the performance of our contractual services. The processing foundations are Art. 6 (1) lit. c. DSGVO, Art. 6 (1) lit. f. DSGVO. The processing concerns customers, stakeholders, business partners and website visitors. The purpose of and our interest in processing lies in administration, financial bookkeeping, office organisation, archiving of data, and also in tasks that serve the preservation of our business activities, the performance of our tasks and the performance our services. The erasure of data in regard to contractual services and contractual communication corresponds to those of these named tasks of processing activities.
Herein we disclose or transfer data to fiscal authorities, advisors such as tax advisors or auditors as well as other charge centres and payment service providers.
In addition, on the basis of our economic interests we store information on suppliers, organisers and other business partners, e.g. for the purpose of later initiating contact. As a rule, we permanently store this preponderantly company related data.
Economic analyses and market research
In order to profitably operate our business, to recognise market tendencies and the wishes of contract partners and users, we analyse the data provided to us on business transactions, contracts and enquiries, etc. Thereby we process inventory data, communication data, contract data, payment data, usage data and meta data on the basis of Art. 6 (1) 1 lit. f. GDPR, wherein data subjects, contract partners, stakeholders, customers, visitors and users belong to our data subjects.
The analyses are done for the purpose of economic evaluations, as well as for marketing and market research. Thereby we can take into consideration the profiles of registered users with information on, for example, their use of services. The analyses serve to increase user friendliness, the optimisation of our offering and operational efficiency. The analyses serve us alone and are not disclosed externally to the extent that it does not involve anonymous analyses with summarised values.
To the extent these analyses or profiles relate to persons, they are erased or anonymised upon cancellation by the user, otherwise after two years as of the contract conclusion. Otherwise, if possible, the entire economic analyses and general tendency determinations are prepared anonymously.
Users can create a user account. In connection with the registration, the users are informed of the required information and processed on the basis of Art. 6 (1) lit. b GDPR for the purpose of preparation of user accounts. Included in the processed data are, in particular, the login information (name, password as well as email addresses). The data entered in connection with the registration are used for the purpose of the usage of the user account and its purpose.
The user can be informed per email of information relevant to their user account such as technical changes. If they have cancelled their user account, their data will be erased with regard to the user account, subject to a statutory retention obligation. It is the responsibility of users to secure their data upon successful cancellation prior to the end of the contract. We are entitled to permanently erase all data of the user stored during term of the contract.
In connection with the usage of our registration and log-in functions as well as the usage of user accounts, we store the IP address and the time of the respective user acts. The storage is done on the basis of legitimate interests, as well as on the basis of the interests of the user in protection from misuse and other unauthorised use. Fundamentally there is no disclosure of this data to third parties unless it is necessary for the enforcement of our claims or a statutory obligation exists as per Art. 6 (1) lit. c. GDPR. The IP addresses are anonymised or erased at the latest after 7 days.
Upon contact initiation with us (e.g. per contact form, email, telephone or via social media) the information of the user for processing the contact enquiry and its development in accordance with Art. 6 (1) lit. b. (in connection with contractual/pre-contractual relationships), Art. 6 (1) lit. f. (other enquiries) GDPR is processed. The information of the user can be stored in a Customer-Relationship-Management System ("CRM System") or comparable enquiry organisation.
We erase the enquiries if they are no longer required. We review the necessity every two years; in addition the statutory archiving obligations are applicable.
Collection of access data and log files
On the basis of our legitimate interests within the meaning of Art. 6 (1) 1 lit. f. GDPR, we or our hosting provider collect data upon each access to the server on which this service is located (so-called server log files).
Amongst others, log files store the IP address, the browser used, time and date and the system used by a site visitor. We store only pseudonymised IP addresses of visitors to the website. At the web server level this occurs in that by default, instead of the actual IP address of the visitor e.g. 126.96.36.199 an IP address 123.123.123.XXX is stored in the log file, wherein XXX is a random value between 1 and 254. The creation of a personal connection is no longer possible.
For security reasons (e.g. to investigate misuse or fraudulent acts), log file information (Apachelog) are stored for a maximum duration of 2 months and thereafter erased. Data whose continued retention is necessary for evidential purposes are excluded from erasure until the final clarification of the respective incident.
Integration of services and contents of third parties
On the basis of our legitimate interests (i.e. interest in an analysis, optimisation and economic operation of our online offering within the meaning of Art. 6 (1) lit. f. GDPR) we employ content or service offers of third party providers within our online offering in order to integrate their content and services, such as videos or typefaces (hereinafter together designated “content”).
This requires that the third-party provider of this content recognise the IP address of the users because they cannot send the content to their browser without the IP address. Thus the IP address is necessary for the presentation of this content. We make an effort to use only such content whose respective provider uses the IP address solely for delivery of content. In addition, third party providers can use so-called Pixel-Tags (invisible graphics, also designated as "Web Beacons") for statistical or marketing purposes. Information such as visitor traffic on the pages of this website can be evaluated through the "Pixel-Tags". In addition, the pseudonymous information can be stored in Cookies on the device of the user and, amongst others, contain technical information on the browser and operating system, referring websites, visiting times and additional information on the use of our online offering, as well as being connected with such information from other sources.