Am Etzberg 7
Link to the masthead: www.schaeflein.de/en/masthead.html
Contact to the Data Protection Officer: firstname.lastname@example.org
Types of data processed
Categories of data subjects
In general, we refer in the following to users of as well as visitors to our online range as “users”.
Purpose of processing
The purpose of processing is to make our online range, its functions and content available, to answer contact enquiries and to communicate with customers. Furthermore, it is necessary for security reasons and to measure our coverage/marketing.
The terms we use
“Personal data”: refers to identified or identifiable natural persons (hereinafter also described as “data subjects”). A natural person in this sense is identifiable who can be identified directly or indirectly, in particular by allocation to an identifier, e.g. a name, an identification number, specific location data, an online ID (cookies), or one or more special characteristics, which are an expression of the genetic, psychological, economic, cultural, physical, physiological or social identity of these natural persons.
“Processing” is any procedure carried out with and without the help of automated processes. This also includes every series of operations which is associated with personal data. This aspect is therefore very far-reaching and covers almost every type of data handling.
Natural or legal persons, public authorities, facilities or other bodies which alone or together with others decide on the intentions and means of processing personal data are described as “responsible persons”.
Relevant legal basis
According to the provisions of Article 32 GDPR, we take suitable technical and organisational measures in order to ensure an appropriate security level, taking into account the current state of the art of technology, the implementation costs and the type, scope, circumstances and the purpose of processing as well as the different likelihood of their occurrence and the severity of risk for the rights and freedoms of natural persons.
These measures include in particular those which safeguard confidentiality, integrity and availability of data by controlling physical access to data, as well as measures which concern access, data entry, further transmission, safeguarding of availability and the separation of data, respectively. Furthermore, we have set up procedures which ensure that the rights of individuals affected, the deletion of data and reaction to its endangerment are perceived. Furthermore, we take the protection of personal data already into account during the development phase and/or the selection of hardware, software as well as procedures, according to data privacy principles which use the appropriate technical design and default privacy settings (Article 25 GDPR).
Cooperation with data processors and third parties
If we reveal data to others in connection with our processing, such as persons or companies, i.e. contract processors or third parties, or we permit the transfer of data to these persons or companies or otherwise allow access to the data, this shall only take place in connection with a legal permit, such as for example if a transfer of data to third parties is necessary, i.e. as for example in the case of a payment service provider, in accordance with Article 6 para 1 lit. b GDPR, if you have given your consent, a legal obligation requires this or because of our legitimate interests, for example, when using agents, webhosts, etc.
If we commission third parties with data processing on the basis of a so-called “contract processing agreement”, this shall take place according to Article 28 GDPR.
Transfers to third countries
If we process data in a third country, i.e. outside of the European Union (EU) or the European Economic Area (EEA) or if this is the case in the context of third party use or disclosure and/or transfer of data to third parties, this shall only take place in order to fulfil our (pre)contractual obligations if you have given your consent, a legal obligation requires this or on the basis of our legitimate interests. We only have data processed in a third country if the special conditions of Article 44 ff. GDPR are satisfied subject to legal or contractual permits. This means, for example, that processing is carried out based on specific guarantees, such as one of the officially recognised levels of data protection in the EU (e.g. through the “Privacy Shield” for the USA), or is carried out observing the officially recognised special contractual obligations (“standard contractual clauses”).
Rights of data subjects
Article 15 GDPR states that you have the right to ask for confirmation as to whether the data in question is being processed and that you will receive information about this data, further information and copies of the data.
According to Article 16 GDPR, you have the right to demand the completion of the data that concerns you or the rectification of data that is not correct.
According to Article 17 GDPR, you have the right to have the data in question deleted immediately or, as an alternative, to request a restriction of data processing under Article 18 GDPR.
According to Article 20 GDPR, you are entitled to receive and request the relevant data that you have provided to us.
In addition, you have the right according to Article 77 GDPR to lodge a complaint with the competent supervisory authority.
Right to withdraw
According to Article 7 para. 3 GDPR, you have the right to withdraw your consent, which may have already been granted, also with effect for the future.
Right of appeal
According to Article 21 GDPR, you have the right to appeal against the dissemination of your data in the future. In particular, this may take place by objecting to processing for the purposes of direct marketing.
Cookies and the right to appeal to direct advertising
Small data files which are stored on the user’s PC are called “cookies”. These allow the storage of various types of information. Cookies are used to store information about a user and/or the device on which the cookie is stored during the visit to the website. If cookies are deleted after a visitor leaves the website and closes his browser, they are called temporary cookies and/or “session cookies” or “transient cookies”. Such cookies can, for example, store the shopping cart content of an online shop or a login status. On the other hand, “permanent” and/or “persistent” cookies are those which remain stored after the browser has been closed if the user visits the site again after several days. In addition, cookies make it possible to store the interests of the user, which can be used for measurement of coverage and/or for marketing purposes. So-called “third party cookies” are those which are provided by providers other than the persons responsible for operating the online offer. If this refers only to their cookies, they are called “first-party cookies”.
If users do not wish that cookies are stored on their computers, they will be asked to deactivate the corresponding option in their browser system settings. It is also possible to delete the stored cookies in the system settings of the browser. It should be noted that the deactivation of cookies may lead to functional limitations of the online offer.
Deletion of data
Legal requirements for data retention in Germany:
6 years in accordance with Article 257 para. 1 HGB:
10 years in accordance with Article 147 para. 1 AO:
Legal requirements for data retention in Austria:
7 years in accordance with Article 132 para. 1 HGB:
22 years in connection with property and 10 years for documents in connection with electronically provided services, telecommunications, broadcasting and television services, which were provided to non-entrepreneurs in the EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.
We also process the following data:
We use hosting services for the following:
According to Article 6 para. 1 lit. f GDPR in connection with Article 28 GDPR (conclusion of a contract processing agreement), we or our hosting provider process usage data, content data, contract data, contact information, inventory data, metadata and communications data of interested parties, customers and guests of our online services in an effective and secure manner for the provision of our online offer based on our legitimate interests.
Collection of access data and log files
We and/or our hosting provider collect data about any type of access to the server on which this service can be found (server log files) based on our legitimate interests. This is done in accordance with Article 6 para. 1 lit. f. GDPR. This includes the name of the website visited, the date and time of the call, the file, the amount of data transferred to it, the message about a successful call up, the user’s operating system, the previously visited website, the browser type version, the requesting provider and the IP address. For security reasons, such as for the investigation of abuse or fraud, log file information is stored for a maximum of seven days and then deleted. In doing so, certain data, which must be stored for evidential purposes are excluded from deletion up to the final clarification of the incident.
Provision of contractual services
Inventory data, such as names and addresses, as well as the contact information of users, contract data, such as the services used, names of contact persons, payment information, are processed by us. This takes place in order to fulfil our contractual obligations and services in accordance with Article 6 para. 1 lit. b. GDPR. All entries marked in the online forms are required for concluding the contract.
If you use our online services, we store the IP address and the time of the respective user action. This is due to our legitimate interests as well as that of the users, as they are protected from abuse and other unauthorised use. The disclosure of the data to third parties does not occur unless this is necessary for the pursuance of our claims or there is a legal obligation in accordance with Article 6 para. 1 lit. c GDPR.
Usage data, for example, such as the visited websites of our online offer or the interest in our products, and content data, such as entries in a contact form or the user profile, are processed by us in a user profile for advertising purposes, so that product information, for example, can be faded in for the user on the basis of his previously used services.
In this case, the deletion of data takes place after expiration of the legal warranty period and comparable obligations. In addition, a check is made every three years of whether storage is still required. In the case of legal archiving requirements, deletion takes place after they have expired. Until then, these details remain in the customer account.
Administration, financial accounting, office organisation, contact management
We process data in connection with administrative tasks and the organisation of our company as well as with financial accounting and compliance with legal obligations, such as archiving. In doing so, the same data are processed which we processed in association with our contractual services. The bases for this are Article 6 para. 1 lit. c. GDPR and Article 6 para. 1 lit. f. GDPR. The following individuals are affected by processing: customers, interested parties, business partners and visitors to our homepage. Processing is used for the administration, financial accounting, office organisation, archiving of data, i.e. tasks that serve the maintenance of our business activities, performance of our tasks and the provision of our services. Data deletion in terms of contractual performance and contractual communication is consistent with the information provided in these processing activities. In doing so, we transfer or submit data to the tax authorities or consultants, such as a tax accountant or auditor, as well as other fee-collecting agents and payment service providers. In addition, details concerning suppliers, promoters, and other business partners are processed, for example, due to later contact being made based on our business interests. We generally store such predominantly company-related data on a permanent basis.
Business analysis and market research
In order to conduct our business economically, to identify market trends as well as to establish customer and user preferences, we examine the data which is available to us based on business transactions, contracts, enquiries, etc. We process inventory data, communications data, contract data, payment data, usage data and metadata according to Article 6 para. 1 lit. f. GDPR. These include customers, interested parties, business partners, visitors and users of our online offer.
In this respect, the investigations serve the purpose of making business assessments, marketing and market research. In this way, it is possible for us to take into account the profiles of registered users with details, for example, about their purchasing transactions. These investigations serve to increase user-friendliness, the optimisation of our offer as well as the economic efficiency of our business. In addition, they serve us alone and are not disclosed externally, in case this does not involve an anonymous analysis with summarised values.
In the event that these investigations involve personal analyses or profiles, these will either be deleted or anonymised by us upon termination of the users, otherwise after two years from the conclusion of the contract. Furthermore, we will create the overall business analysis and determine the general tendency anonymously, if possible.
Applicant data will be processed by us exclusively for the intended purpose and as part of our application procedure under the legal requirements. According to Article 6 para. 1 lit. b GDPR and Article 6 para. 1 lit. f GDPR, data about job applicants is processed to fulfil our (pre)contractual duties as part of the application process, provided that data processing will be necessary for us in the context of legal proceedings, for example. In Germany, Article 26 BDSG applies as a matter of principle.
A prerequisite for the application process is that applicants provide us with their application data. The application data needed is marked in the case that we offer an on-line form for the application. Otherwise, the required data is specified in the job advertisements. This generally includes personal information, postal and contact addresses as well as the application documents of the applicant, such as the covering letter, CV and certificates. It is also possible that applicants will voluntarily provide us with additional information.
If special categories of personal data pursuant to Article 9 para. 1 GDPR are voluntarily communicated in the context of the application process, processing is also carried out in accordance with Article 9 para. 2 lit. GDPR, such as health data, for example, disablement or ethnic origin. If particular categories of personal data are required as part of the application process for applicants in accordance with Article 9 para. 1 GDPR, their processing also takes place pursuant to Article 9 para. 2 lit. a GDPR, for example, in the case of health data, if this is required to perform the job in question.
If available, it is possible for applicants to submit their applications online using the online form on our website. The data will be transmitted to us encrypted according to technical standards. It is also possible for applicants to send us their applications by email. It should be noted, however, that emails are generally not sent in encrypted form and applicants must therefore provide encryption themselves. Therefore, it is not possible for us to take responsibility for the transmission of the respective application between the sender and the recipient, and/or our server. That is why we recommend that you choose the online form or the postal route to send your application, which is still available to our applicants.
It is possible for us to process all the data provided to us by applicants in the event of a successful application for employment purposes. If an application for a position is not successful, the applicant data will be deleted by us. If an applicant withdraws his/her application, which is possible at any time, the data shall also be deleted.
The deletion of data, assuming a justified withdrawal by the applicant, shall take place after an expiry period of six months. This serves to enable us to answer potential follow-up questions regarding the respective application, as well as to fulfil our obligation to provide evidence under the Equal Opportunities Act. All invoices for possible reimbursements of travel expenses are archived in accordance with fiscal provisions.
You can contact us, for example, using the contact form, by email, telephone or social media, in accordance with Article 6 para. 1 lit. b GDPR; we use the information about the user to process contact enquiries and their handling. In doing so, it is possible to save the information about users in a Customer Relationship Management System (“CRM System”). Once the information is no longer necessary, we will delete it and re-check the necessity every two years. The legal archiving requirements shall apply.
In the following we provide you with information about the content of our Newsletter, the registration, dispatch and the statistical evaluation procedures as well as the right to object. By signing up for our Newsletter, you declare your willingness to receive our Newsletter and are in agreement with the previously described procedure.
The content of our Newsletter: We only send Newsletters, emails and other promotional electronic forms of notification to recipients, from whom we have previously received their consent or where the statutory permission has been granted. If the content of the Newsletter should be specifically revised as part of a registration, this shall be decisive for the consent of the user. Furthermore, our Newsletter provides information about our services and ourselves.
Double opt-in and logging: Our Newsletter registration is carried out in a so-called double opt-in procedure. This means that you will receive an email after the registration for our Newsletter, in which you will be asked to confirm this once again. This procedure is necessary so that nobody is able to register with a third-party email address. In order to verify that this registration has fulfilled the legal requirements, all Newsletter entries are logged. This includes the storage of the points in time of registration and confirmation as well as the IP address. In addition, changes to your stored data are logged with the shipping service provider.
Registration data: If you sign up for our Newsletter, all we need is your email address. In order to be able to address you personally, we ask you to provide your name optionally.
Germany: The dispatch of our Newsletter and the associated measurement of success are made on the basis of consent granted by the recipient pursuant to Article 6 para. 1 lit. a, Article 7 GDPR in connection with Article 7 para. 2 No. 3 UWG and/or on the basis of the statutory permission pursuant to Article 7 para. 3 UWG.
The registration process for our Newsletter is logged on the basis of our legitimate interests according to Article 6 para. 1 lit. f GDPR. In this respect, our attention is focussed on a user-friendly as well as secure Newsletter system, which on the one hand serves our business interests and on the other also corresponds to the expectations of our users and grants us verification of approved consent.
Giving notice/right to object: You may terminate and/or revoke your given consent to our Newsletter at any time. At the end of our Newsletter you will always find a link with which it is possible to cancel the Newsletter. In order to be able to verify consent which has since lapsed, we are permitted to store the deleted email address up to three years on the basis of our legitimate interests. The processing of this data is limited according to its purpose as a possible defence against claims. If the former existence has been confirmed by the recipient, it is also possible to carry out an individual deletion request.
Newsletter dispatch service provider: The dispatch of the Newsletter is performed using the dispatch service provider Newsletter2Go GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. You can view the data protection provision of the dispatch service provider here: https://www.newsletter2go.co.uk/data-protection/. The dispatch service provider is used on the basis of our legitimate interests acc. to Article 6 para. 1 lit. f. GDPR and an order processing agreement pursuant to Art. 28 para. 3 p. 1 GDPR.
The dispatch service provider is able to use the data of the recipient in pseudonymised form, i.e. without allocation to a user, for the optimisation or improvement of his own services, e.g. for technical optimisation of dispatch and to present the Newsletter or for statistical purposes. The dispatch service provider, however, does not use the data about Newsletter recipients in order to write to them directly or to pass on the data to third parties.
Newsletter measurement of success: Our Newsletters contain a so-called “web-beacon”, i.e. a pixel-sized file, which either is recalled upon opening by our server or by the server of the dispatch service provider. In doing so, technical information is compiled, such as that about the browser and the system, for example, as well as the IP address and the point in time the information was recalled. This is used for the technical optimisation of services with the help of the technical data or used by the target groups and their reading behaviour, based on the retrieval locations (determined by the IP address) or access times. Further statistical analysis includes the determination whether the Newsletter was opened, when it was mostly opened and which links were clicked in the Newsletter. Although this can be assigned to the respective recipient, it is neither our aspiration nor that of the service provider to observe individual recipients. On the contrary, it is our objective to use these evaluations to improve our Newsletter, in that we are able to recognise the reading habits of recipients and adapt the content of our Newsletter accordingly or send specific content.
The personal data of users are deleted or anonymised after 14 months.
Google Tag Manager
Google Tag Manager is a solution that allows us to manage so-called website tags through a single interface (including the integration of Google Analytics, for example, and other Google marketing services into our online offering). The tag manager itself (which implements the tags) does not process any personal data of users. With regard to the processing of personal data of users, reference is made to the following information about Google services. Usage Policy: https://www.google.com/intl/de/tagmanager/use-policy.html.
Online presence in social media
We maintain our online presence within social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services, respectively.
We wish to point out that the data of users may be processed outside the areas of the European Union. This can lead to risks for the user as, for example, the assertion of rights of the user could be hampered. With regard to US providers who are certified under the Privacy Shield, we wish to point out that they are obliged to comply with the data privacy standards of the EU.
Furthermore, the data of users is normally processed for market research and promotional purposes. In this way, user profiles can be created, e.g. from the usage behaviour and the associated interests of the user which result. The user profiles can then be used in order e.g. to place advertisements within and outside the platforms, which presumably correspond to the interests of users. For this purpose, cookies are stored as a rule on the computers of users, in which the usage characteristics and the interests of these users are saved. Furthermore, data can also be stored in the user profiles independently of the equipment used by the user (in particular if the user is a member of the respective platform and is logged into it).
The processing of personal data of the user is carried out on the basis of our legitimate interests in having effective information about the user and communication with the user pursuant to Article 6 para. 1 lit. f. GDPR. In case users are requested to give their consent to data processing by the respective providers (i.e. by declaring their consent, for example, by checking a box or activating a button), the legal basis of processing shall be Article 6 para. 1 lit. a., Article 7 GDPR.
For a detailed presentation of the respective processing and the possibilities to object (opt-out), we refer to the following details linked to the provider.
Also, in the case of inquiries for information and the assertion of user rights, we wish to point out that these can be asserted most effectively through the providers. Only providers have the respective access to the data of users and are able to take the corresponding measures directly and provide information. If you should nevertheless require help, please contact us.
– Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Data Privacy Statement: https://www.facebook.com/about/privacy/, Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
– Xing (XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany) – Data Privacy Statement / Opt-Out: https://privacy.xing.com/en/privacy-policy.
Integration of services and content of third parties
On the basis of our legitimate interests, in other words to investigate, improve and operate our online range economically in accordance with Article 6 para. 1 lit. f. GDPR, we use third-party content or service offerings within our online range to provide content and services, such as the inclusion of videos or fonts, which are collectively referred to hereafter as “content”. It is always assumed that third-party providers of content are aware of the IP address of the users, because it is not possible to send this content to their browser without an IP address. Thus, the IP address is necessary for presenting content. We always strive to use only content whose providers use the IP addresses solely for content provision. It is possible that third parties may use so-called pixel tags, i.e. invisible graphics, also referred to as web beacons, for statistical or marketing purposes. Through these pixel tags, it is possible to evaluate information, such as for example, visitor traffic to individual pages of this website. It is possible to save this pseudonymous information in cookies on the end device of the user. In addition, this may include, but is not limited to technical information about the browser and the operating system, referring websites, visiting times, and other information regarding the use of our online offer, as well as such information which is linked from other sources.